Hello,
I am using QRadar version 7.5.0 UP7.
I have attempted to restart the ariel_proxy_server, but the same issue persists.
Additionally, I've noticed that using the following other AQL does not result in an error: "Error retrieving X-Force categorization's score".
AQL:
SELECT destinationip as 'Destination IP',
XFORCE_IP_CONFIDENCE('Bots',destinationip) as 'XFE Bots Score',
XFORCE_IP_CONFIDENCE('Malware',destinationip) as 'XFE Malware Score',
XFORCE_IP_CONFIDENCE('Botnet Command and Control Server',destinationip) as 'XFE C&C Score',
XFORCE_IP_CONFIDENCE('Anonymization Services',destinationip) as 'XFE Anonymization Services Score',
XFORCE_IP_CONFIDENCE('Spam',destinationip) as 'XFE Spam Score',
XFORCE_IP_CONFIDENCE('Scanning IPs',destinationip) as 'XFE Scanning IPs Score',
XFORCE_IP_CONFIDENCE('Dynamic IPs',destinationip) as 'XFE Dynamic IPs Score',
("XFE Bots Score" + "XFE Malware Score" + "XFE C&C Score" + "XFE Anonymization Services Score" +
"XFE Spam Score" ) as 'Overall Score'
FROM events
WHERE INOFFENSE(100)
GROUP BY destinationip
ORDER BY "Overall Score" DESC
START PARSETIMESTAMP('yyyy-MM-dd HH:mm', '2024-02-22 16:52')
STOP PARSETIMESTAMP('yyyy-MM-dd HH:mm', '2024-02-23 12:36')
However, once I remove the WHERE INOFFENSE(100), the error "Error retrieving X-Force categorization's score" appears.
Could you suggest what might be causing this issue or propose any solutions?
------------------------------
Sam Wang
------------------------------
Original Message:
Sent: Thu February 22, 2024 04:07 AM
From: Comghall Morgan
Subject: "AQL an error: Error retrieving X-Force categorization's score."
Hello,
Can I ask what version of QRadar you are using?
We had an issue with scaserver threads but this was resolved in 750UP2.
Also, have you checked the ariel component on all hosts?
Console:
systemctl status ariel_proxy_server
Managed Host (EP/EPFP/DN):
systemctl status ariel_query_server
You may wish to restart the above services and retest.
Next, follow this technote to ensure there are no bad AQL files:
https://www.ibm.com/support/pages/node/6619599
If these verification steps all pass, please raise a support case.
Regards
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
Original Message:
Sent: Thu February 22, 2024 03:08 AM
From: Sam Wang
Subject: "AQL an error: Error retrieving X-Force categorization's score."
Hello everyone,
Has anyone encountered this problem?
When using this AQL, I receive the error "Error retrieving X-Force categorization's score".
