IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Eps generated by a network in siem qradar

    Posted Tue February 14, 2023 11:42 AM

    Hey guys,

    I would like some help, I would like to know how many EPS a network sends to qRadar, but I would just like to know how many mps this particular network sends.

    For example, I have the 1010.0.x/24 network, but I couldn't generate a query that brings the average EPS correctly.

    Thanks already for the help.

    My regards.

    André



    ------------------------------
    André Dombrosque
    Service IT Security
    São Paulo
    ------------------------------


  • 2.  RE: Eps generated by a network in siem qradar

    Posted Wed February 15, 2023 05:30 AM

    This one should give you an overview for the last 6h grouped by SourceNetwork

    SELECT FULLNETWORKNAME(SourceIP, DomainID) as 'SourceNetwork',  
    UniqueCount("logsourceid") AS 'LogSources (Unique Count)', 
    UniqueCount(qid) AS 'Event Name (Unique Count)', 
    UniqueCount(category) AS 'Low Level Category (Unique Count)', 
    UniqueCount("sourceIP") AS 'Source IP (Unique Count)', 
    UniqueCount("destinationIP") AS 'Destination IP (Unique Count)', 
    UniqueCount("destinationPort") AS 'Destination Port (Unique Count)', 
    UniqueCount("userName") AS 'Username (Unique Count)', 
    MAX("magnitude") AS 'Magnitude (Maximum)', 
    SUM("eventCount") AS 'Event Count (Sum)', 
    SUM("eventCount") / (6*60*60) as "EPS" 
    from events 
    GROUP BY SourceNetwork
    order by "Event Count (Sum)" 
    desc last 6 hours



    ------------------------------
    Dusan VIDOVIC
    ------------------------------

    Original Message


Related Content