Troubleshooting
Problem
When an offense is opened, the fields that list the rules that contributed to it might display "UNKNOWN RULE NAME". This name is misleading and hinders the investigation of the offense.
Symptom
The following warning can be seen in the QRadar logs:
[WARN] Unable to retrieve rule name for rule id [140999] -
Using [UNKNOWN RULE NAME] as the rule name for offense cre aggregation
Cause
There are two common causes for this issue:
- A problem with the CRE rule cache. Whenever the ecs-ep process is restarted, the CRE loads the rules present in the system into its cache. With a large number of rules, it sometimes fails to load all of them, and offenses fired by a rule that is missing from the cache show "UNKNOWN RULE NAME".
- Malformed rules. Either the rule is linked (through its link_uuid) to a rule that no longer exists, or its rule XML is not well-formed and cannot be read.
Resolving The Problem
Follow these steps to make the rule names display correctly.
Important: Read the whole article before applying these steps to a production environment. If there is any doubt or question, contact Support.
- Create a backup of the custom_rule table. The first command creates a folder named IBM_Support; if that folder already exists, run only the second command:
mkdir /store/IBM_Support
pg_dump -U qradar -t custom_rule > /store/IBM_Support/custom_rule.sql
- Search for malformed rules, that is, rules whose rule_data is not well-formed XML:
psql -U qradar -c "select id from custom_rule where not xml_is_well_formed_document(rule_data::text);"
If the output returns no IDs, skip ahead to the link_uuid step.
- If the output returns IDs, obtain the name of each affected rule so that it can be recorded (and recreated later if it is still needed). Run the following command for each ID, replacing 1234 with the ID:
psql -U qradar -c "select id, regexp_matches(custom_rule.rule_data::text, '<name>(.*?)<\/name>') as rule_name from custom_rule where id=1234;"
Then delete the affected rules.
- Run the search command again to confirm that no malformed rules remain; the output must be empty:
psql -U qradar -c "select id from custom_rule where not xml_is_well_formed_document(rule_data::text);"
- Clear the link_uuid of any remaining rules that point at a uuid that no longer exists.
Note: Do not edit this command; run it exactly as it appears on the next line.
psql -U qradar -c "update custom_rule set link_uuid = null where link_uuid not in (select uuid from custom_rule );"
- Restart ecs-ep and Tomcat with the following command so that the changes take effect.
Note: Restarting these services affects other functionality, such as access to the QRadar user interface, correlation, searches, and offense creation. See QRadar: Core services and the impact of restarting services for more information.
systemctl restart ecs-ep && systemctl restart tomcat
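The steps above collected into one script, as an added example that is not part of this IBM technote. It takes the backup first, logs the name of every malformed rule before anything is removed, re-runs the check, reports rules with an orphaned link_uuid, and only deletes, updates and restarts when invoked with --apply. The --dry-run/--apply switches, the timestamped backup file name, the numeric ID check, and the "delete from custom_rule where id=..." statement (the technote says to delete the affected rules but does not show the SQL) are assumptions of this example, not taken from the article. Run it on the QRadar console as root.

```shell
#!/bin/bash
# Added example, not from the IBM technote: the manual steps above as one script.
# Assumptions not in the technote: the --dry-run/--apply switches, the
# timestamped backup file name, the numeric id check, and the
# "delete from custom_rule" statement used to remove a malformed rule.
set -eu

BACKUP_DIR=/store/IBM_Support

# psql with -A (unaligned) and -t (tuples only), so each query prints one
# value per line with no headers, which is what the loop below expects.
q() { psql -U qradar -At -c "$1"; }

# Ids read back from the database are interpolated into SQL text; accept
# digits only so a damaged row cannot turn into a different statement.
valid_id() {
  case "${1:-}" in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 1: back up custom_rule before anything is changed.
backup_custom_rule() {
  mkdir -p "$BACKUP_DIR"
  pg_dump -U qradar -t custom_rule > "$BACKUP_DIR/custom_rule.$(date +%Y%m%d%H%M%S).sql"
}

# Step 2: ids of rules whose rule_data is not well-formed XML (the technote's query).
find_malformed_rules() {
  q "select id from custom_rule where not xml_is_well_formed_document(rule_data::text);"
}

# Step 3a: the <name> element of one rule, with the technote's regexp.
# [1] unwraps the text[] that regexp_matches returns so the bare name is printed.
rule_name() {
  valid_id "$1" || return 1
  q "select (regexp_matches(rule_data::text, '<name>(.*?)</name>'))[1] from custom_rule where id=$1;"
}

# Step 3b (assumed statement): remove the malformed rule's row by id.
delete_rule() {
  valid_id "$1" || return 1
  q "delete from custom_rule where id=$1;"
}

# Step 5: rules whose link_uuid points at a uuid that no longer exists
# (count first, then the technote's update).
count_orphan_links() {
  q "select count(*) from custom_rule where link_uuid is not null and link_uuid not in (select uuid from custom_rule);"
}
clear_orphan_links() {
  q "update custom_rule set link_uuid = null where link_uuid not in (select uuid from custom_rule);"
}

main() {
  apply=0
  if [ "${1:-}" = "--apply" ]; then apply=1; fi

  backup_custom_rule
  for id in $(find_malformed_rules); do
    echo "malformed rule id=$id name=$(rule_name "$id")"
    if [ "$apply" -eq 1 ]; then delete_rule "$id"; fi
  done

  # Step 4: confirm nothing malformed is left (after --apply this must be 0).
  left=$(find_malformed_rules | wc -l | tr -d ' ')
  echo "malformed rules remaining: $left"

  echo "rules with an orphaned link_uuid: $(count_orphan_links)"
  if [ "$apply" -eq 1 ]; then
    clear_orphan_links
    # Step 6: this interrupts the UI, correlation, searches and offense creation.
    systemctl restart ecs-ep && systemctl restart tomcat
  else
    echo "dry run: nothing changed; rerun with --apply to delete, update and restart"
  fi
}

if [ $# -gt 0 ]; then main "$@"; else echo "usage: $0 --dry-run | --apply" >&2; fi
```

Run it with --dry-run first and keep the printed rule names; they are the only record of what is about to be removed. The delete statement is the obvious reading of "delete the affected rules" but is not spelled out in the technote, so confirm it with Support before using --apply on a production console.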
Result
New offenses display the correct rule information. Offenses that already exist are not updated by these steps.
Document Location
Worldwide
Document Information
Modified date:
31 August 2022
UID
ibm16607187