IBM QRadar

Hello,

Is there a way I can write an AQL to be used in a rule which will do the following:
Alert when a unique number of hosts are enumerated with Event ID 5140 during a timeframe of 5 minutes?

So for example, 10 different hosts are seen logging the Event ID 5140 within 5 minutes, alert.
I do not want to be alerted when Event ID 5140 is seen 9 times on 1 host and 1 time on another host, making it only 2 unique hosts.

I have tried using HAVING "unique number of hosts" > 10, but seem to be getting a lot of false positives and also not sure how to tell the AQL query to only look in 5 minutes intervals.
Is this possible to create with maybe an anomaly rule? If so, how? 

You should be able to do this without using AQL in your rules and make the solution more simple using the "Function - Counter" tests.

For example a construction something like:

and when the event QID is one of the following (6761378) 16830: SMB: SMB Protocol Communication Attempt
and when at least 10 events are seen with the same Source Address, Event ID in 5 minutes

I just picked any old QID. This test will keep state per source IP (host) + Event ID, and should only trigger on 10 events from a single source. The first test just makes sure that we're only tracking state for the specific Event ID, otherwise we'd blow up on all events.

AQL statements in rules cannot retain any state and so they aren't good for counting across events.

Hello,

Is there a way I can write an AQL to be used in a rule which will do the following:
Alert when a unique number of hosts are enumerated with Event ID 5140 during a timeframe of 5 minutes?

So for example, 10 different hosts are seen logging the Event ID 5140 within 5 minutes, alert.
I do not want to be alerted when Event ID 5140 is seen 9 times on 1 host and 1 time on another host, making it only 2 unique hosts.

I have tried using HAVING "unique number of hosts" > 10, but seem to be getting a lot of false positives and also not sure how to tell the AQL query to only look in 5 minutes intervals.
Is this possible to create with maybe an anomaly rule? If so, how? 

Since the ask was for 10 different hosts rather than the same host, I think we'd actually want to use this test:

when at least this many events are seen with the same event properties and different event properties in this many minutes

Where for the "same" properties you would use Event ID (or the corresponding QID, which for Windows event ID 5140 is 5001108) and for the "different" properties you'd use Source IP. This ensures only events with the same Event ID/QID but different Source IPs are tracked. But aside from that detail, Rory is absolutely correct, the stateful rule tests are what you want to use here, rather than the AQL test, which can't keep track of any counters/state and also having the stateless test first in the stack is also critical to ensure we're only considering the second test for events which have the Event ID/QID of interest

You should be able to do this without using AQL in your rules and make the solution more simple using the "Function - Counter" tests.

For example a construction something like:

and when the event QID is one of the following (6761378) 16830: SMB: SMB Protocol Communication Attempt
and when at least 10 events are seen with the same Source Address, Event ID in 5 minutes

I just picked any old QID. This test will keep state per source IP (host) + Event ID, and should only trigger on 10 events from a single source. The first test just makes sure that we're only tracking state for the specific Event ID, otherwise we'd blow up on all events.

AQL statements in rules cannot retain any state and so they aren't good for counting across events.

Hello,

Is there a way I can write an AQL to be used in a rule which will do the following:
Alert when a unique number of hosts are enumerated with Event ID 5140 during a timeframe of 5 minutes?

So for example, 10 different hosts are seen logging the Event ID 5140 within 5 minutes, alert.
I do not want to be alerted when Event ID 5140 is seen 9 times on 1 host and 1 time on another host, making it only 2 unique hosts.

I have tried using HAVING "unique number of hosts" > 10, but seem to be getting a lot of false positives and also not sure how to tell the AQL query to only look in 5 minutes intervals.
Is this possible to create with maybe an anomaly rule? If so, how? 

Wouldn't this though make it so a host can generate 9 events and another host generate 1 event, which would fulfill the requirements of 10 events, but only 2 hosts generated the traffic, not 10 unique hosts.

Anyways, I built a building block with my QID and some other values and then used the ...BUILDING BLOCK RULE with the same source IP more than 1 times, across more than 10 destination IP within 5 minutes


So if a source IP logs the QID more than 1 time to 10 different unique destionations, generate an offense.
I believe this would work, have not tried it in my lab but the logic seems fine to me.

Since the ask was for 10 different hosts rather than the same host, I think we'd actually want to use this test:

when at least this many events are seen with the same event properties and different event properties in this many minutes

Where for the "same" properties you would use Event ID (or the corresponding QID, which for Windows event ID 5140 is 5001108) and for the "different" properties you'd use Source IP. This ensures only events with the same Event ID/QID but different Source IPs are tracked. But aside from that detail, Rory is absolutely correct, the stateful rule tests are what you want to use here, rather than the AQL test, which can't keep track of any counters/state and also having the stateless test first in the stack is also critical to ensure we're only considering the second test for events which have the Event ID/QID of interest

You should be able to do this without using AQL in your rules and make the solution more simple using the "Function - Counter" tests.

For example a construction something like:

and when the event QID is one of the following (6761378) 16830: SMB: SMB Protocol Communication Attempt
and when at least 10 events are seen with the same Source Address, Event ID in 5 minutes

I just picked any old QID. This test will keep state per source IP (host) + Event ID, and should only trigger on 10 events from a single source. The first test just makes sure that we're only tracking state for the specific Event ID, otherwise we'd blow up on all events.

AQL statements in rules cannot retain any state and so they aren't good for counting across events.

Hello,

Is there a way I can write an AQL to be used in a rule which will do the following:
Alert when a unique number of hosts are enumerated with Event ID 5140 during a timeframe of 5 minutes?

So for example, 10 different hosts are seen logging the Event ID 5140 within 5 minutes, alert.
I do not want to be alerted when Event ID 5140 is seen 9 times on 1 host and 1 time on another host, making it only 2 unique hosts.

I have tried using HAVING "unique number of hosts" > 10, but seem to be getting a lot of false positives and also not sure how to tell the AQL query to only look in 5 minutes intervals.
Is this possible to create with maybe an anomaly rule? If so, how? 

Since the ask was for 10 different hosts rather than the same host, I think we'd actually want to use this test:

when at least this many events are seen with the same event properties and different event properties in this many minutes

Where for the "same" properties you would use Event ID (or the corresponding QID, which for Windows event ID 5140 is 5001108) and for the "different" properties you'd use Source IP. This ensures only events with the same Event ID/QID but different Source IPs are tracked. But aside from that detail, Rory is absolutely correct, the stateful rule tests are what you want to use here, rather than the AQL test, which can't keep track of any counters/state and also having the stateless test first in the stack is also critical to ensure we're only considering the second test for events which have the Event ID/QID of interest

You should be able to do this without using AQL in your rules and make the solution more simple using the "Function - Counter" tests.

For example a construction something like:

and when the event QID is one of the following (6761378) 16830: SMB: SMB Protocol Communication Attempt
and when at least 10 events are seen with the same Source Address, Event ID in 5 minutes

I just picked any old QID. This test will keep state per source IP (host) + Event ID, and should only trigger on 10 events from a single source. The first test just makes sure that we're only tracking state for the specific Event ID, otherwise we'd blow up on all events.

AQL statements in rules cannot retain any state and so they aren't good for counting across events.

Hello,

Is there a way I can write an AQL to be used in a rule which will do the following:
Alert when a unique number of hosts are enumerated with Event ID 5140 during a timeframe of 5 minutes?

So for example, 10 different hosts are seen logging the Event ID 5140 within 5 minutes, alert.
I do not want to be alerted when Event ID 5140 is seen 9 times on 1 host and 1 time on another host, making it only 2 unique hosts.

I have tried using HAVING "unique number of hosts" > 10, but seem to be getting a lot of false positives and also not sure how to tell the AQL query to only look in 5 minutes intervals.
Is this possible to create with maybe an anomaly rule? If so, how? 

You should be able to do this without using AQL in your rules and make the solution more simple using the "Function - Counter" tests.

For example a construction something like:

and when the event QID is one of the following (6761378) 16830: SMB: SMB Protocol Communication Attempt
and when at least 10 events are seen with the same Source Address, Event ID in 5 minutes

I just picked any old QID. This test will keep state per source IP (host) + Event ID, and should only trigger on 10 events from a single source. The first test just makes sure that we're only tracking state for the specific Event ID, otherwise we'd blow up on all events.

AQL statements in rules cannot retain any state and so they aren't good for counting across events.

Hello,

Is there a way I can write an AQL to be used in a rule which will do the following:
Alert when a unique number of hosts are enumerated with Event ID 5140 during a timeframe of 5 minutes?

So for example, 10 different hosts are seen logging the Event ID 5140 within 5 minutes, alert.
I do not want to be alerted when Event ID 5140 is seen 9 times on 1 host and 1 time on another host, making it only 2 unique hosts.

I have tried using HAVING "unique number of hosts" > 10, but seem to be getting a lot of false positives and also not sure how to tell the AQL query to only look in 5 minutes intervals.
Is this possible to create with maybe an anomaly rule? If so, how?