IBM QRadar


AQL query to display more details inside offenses

  • 1.  AQL query to display more details inside offenses

    Posted Sat May 22, 2021 03:51 AM

    Hey guys,

    I would like to know if there is an option to customize the AQL query inside an offense, which edits the current offense result query and adds more details to it.

    Example:

    What I mean is: in case, whenever as part of an investigation about WAF / IPS activity, the task is to check the Action Result for each offense.

    I'd like to know if there is a way to save time instead of:

    1. Search > Edit search
    2. Column Definition: get the Action Result parameter out into the columns view
    3. 'Search'

    Just edit some AQL query to run the exact same search, but also bring the parsed ActionResult parameter out into the view.

    It would also be great to know the same query for GroupBy.

    Thanks !



    #QRadar
    #Support
    #SupportMigration
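    As an added illustration (not part of the original post or an IBM example), the following AQL does what steps 1 to 3 above do by hand: it returns the events of one offense with the custom event property added as an extra column, and then a GROUP BY variant that counts events per action result. It assumes the custom event property is named "Action Result" (custom properties are referenced in double quotes in AQL) and uses 123 as a placeholder offense ID; INOFFENSE, LOGSOURCENAME, DATEFORMAT and UNIQUECOUNT are standard AQL functions.

```sql
/* Added example. Same rows as the Log Activity view of offense 123
   (placeholder ID), plus the custom property "Action Result" (assumed name)
   as its own column. */
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Start Time",
    LOGSOURCENAME(logsourceid) AS "Log Source",
    sourceip,
    destinationip,
    "Action Result"
FROM events
WHERE INOFFENSE(123)
LAST 24 HOURS

/* GroupBy variant: one row per action result in the offense, with the
   number of events and of distinct source IPs behind it. */
SELECT
    "Action Result",
    COUNT(*) AS "Event Count",
    UNIQUECOUNT(sourceip) AS "Unique Sources"
FROM events
WHERE INOFFENSE(123)
GROUP BY "Action Result"
ORDER BY "Event Count" DESC
LAST 24 HOURS
```

    Run either statement from Log Activity > Advanced Search; the same text can be saved as a search so the offense ID is the only thing to change next time. The GROUP BY form is the quicker one for triage, since a single row per action result shows at once whether the WAF / IPS blocked or only logged the traffic.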


  • 2.  RE: AQL query to display more details inside offenses

    Posted Tue May 25, 2021 02:31 PM

    I think what you are looking for is AQL Custom Functions. You can do a lot of fancy things inside of an AQL Custom Function, like convert dates, do look-ups, run calculations, aggregate data into a single column, etc.

    There are examples in the docs, but I think this is what you want to review, as custom functions in AQL have a lot of functionality that you cannot get in normal AQL: https://www.ibm.com/docs/en/qradar-common?topic=1-custom-aql-functions



    #QRadar
    #Support
    #SupportMigration