What Changed

Two behavioral changes in Tools/QRadarMigration/qradar_collector.py (bumped to v0.4.1):

1. Summary row injection

After all rule rows are written, a new row is appended with:

  • Rule name and Rule ID set to ALL_ACTIVE_DATA_SOURCES (the marker sentinel)
  • Log Source Types populated with all active Log Source Type names consolidated from the enrichment context
  • Flags Is rule, Rule enabled, Rule installed set to FALSE

This row is intended for the SIEM migration backend to identify the complete active data-source inventory without a separate query. Consumers of the CSV must filter on Rule name != "ALL_ACTIVE_DATA_SOURCES" to exclude it from rule counts.

2. Bracket-list delimiter change

format_bracket_list() and format_sorted_bracket_list() now use pipe (|) separators instead of comma-space (, ). This is a global output-format change affecting every column that uses these functions (notably Log Source Types). Any downstream tooling or automation that splits on ", " to parse bracket lists will break silently.

Metric correction: total_rules in the summary statistics now counts rows (original rule count) rather than processed_rows (which now includes the appended summary row), preventing the percentage calculation from being skewed by the injected sentinel row.

Affected Files

Tools/QRadarMigration/qradar_collector.py
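
A downstream consumer that handles both changes described above, as an added example that is not code from qradar_collector.py: it separates the sentinel row from the rule rows, parses pipe-delimited bracket lists, and fails loudly on the old comma-space form instead of mis-splitting it. The sample CSV is constructed, and the square-bracket wrapping ([a|b]) and the helper names are assumptions.

```python
import csv
import io

SENTINEL = "ALL_ACTIVE_DATA_SOURCES"  # marker value named in the change description

# Constructed sample export; the [a|b] bracket wrapping is an assumption.
SAMPLE_CSV = """Rule name,Rule ID,Log Source Types,Is rule,Rule enabled,Rule installed
Excessive Firewall Denies,100045,[Cisco ASA|Palo Alto PA Series],TRUE,TRUE,TRUE
"Login, Failed (Multiple)",100112,[Microsoft Windows Security Event Log],TRUE,TRUE,TRUE
Local: Test Rule,100200,[],TRUE,FALSE,TRUE
ALL_ACTIVE_DATA_SOURCES,ALL_ACTIVE_DATA_SOURCES,[Cisco ASA|Linux OS|Microsoft Windows Security Event Log|Palo Alto PA Series],FALSE,FALSE,FALSE
"""

def parse_bracket_list(cell):
    """Split a pipe-delimited bracket list into its items."""
    inner = cell.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    if not inner:
        return []
    # Heuristic (assumes type names never contain ", "): a list with no pipe
    # but a comma-space is a pre-0.4.1 export, so refuse it rather than
    # silently treating the whole list as a single item.
    if "|" not in inner and ", " in inner:
        raise ValueError(f"legacy comma-delimited list: {cell!r}")
    return [item.strip() for item in inner.split("|")]

def load_export(text):
    """Return (rule_rows, active_sources); active_sources is None if no sentinel row."""
    rules, active = [], None
    for row in csv.DictReader(io.StringIO(text)):
        sources = parse_bracket_list(row["Log Source Types"])
        if row["Rule name"] == SENTINEL:
            active = set(sources)  # inventory row, never counted as a rule
        else:
            row["Log Source Types"] = sources
            rules.append(row)
    return rules, active

def unused_sources(rules, active):
    """Active data sources that no exported rule references (detection gaps)."""
    referenced = {s for r in rules for s in r["Log Source Types"]}
    return sorted((active or set()) - referenced)

if __name__ == "__main__":
    rules, active = load_export(SAMPLE_CSV)
    print(f"{len(rules)} rules, {len(active)} active sources")
    print("sources with no rule coverage:", unused_sources(rules, active))
```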