IBM QRadar


AQL to search for users that have 24x7 events

  • 1.  AQL to search for users that have 24x7 events

    Posted Thu November 11, 2021 07:52 PM

    We have users who routinely show increased risk due to 24x7 authentication activity, and I'm wanting to build a search to show just how many users this affects (so I can try and get people to address the problem).

    Is this something that can be done w/AQL?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: AQL to search for users that have 24x7 events

    Posted Fri November 12, 2021 06:45 AM

    It may be better to use a reference set instead of a search. Use a rule to put the username on a ref set with a time to live of 24 or 168 hours when he authenticates and delete him when he deauthenticates. You will see a log entry when a user is deleted from the list after the time to live (authenticated for too long) and you can react on that event (e.g. raise an alarm or send a mail).





  • 3.  RE: AQL to search for users that have 24x7 events

    Posted Fri November 12, 2021 04:05 PM

    This is an interesting idea, but I don't believe it works in my case.


    The issue is that the users logon and off continuously for days at a time ... The likely reason is not signing out of RDP sessions, or in rarer circumstances using their personal account for a service account type function.



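An added example of the AQL approach asked about in the first post; it is not code from any of the posters. It buckets successful logins into calendar hours and keeps users with activity in all 168 hours of the past week, which still catches the continuous logon/logoff pattern described in the third post. The low-level category name 'User Login Success' and a populated username field are assumptions about the log sources in use.

```aql
SELECT
    username,
    UNIQUECOUNT(DATEFORMAT(starttime, 'yyyy-MM-dd HH')) AS active_hours,
    COUNT(*) AS login_events,
    UNIQUECOUNT(sourceip) AS distinct_sources
FROM events
WHERE CATEGORYNAME(category) = 'User Login Success'
  AND username IS NOT NULL
GROUP BY username
HAVING active_hours >= 168
ORDER BY active_hours DESC
LAST 7 DAYS
```

Lowering the HAVING threshold (for example to 160) surfaces accounts with only short gaps, and a high distinct_sources value alongside a full week of hours is a useful hint that a personal account is being used as a service account.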