IBM QRadar

Dear Team,

Suppose we have two log source namely LogSource A and LogSource B. The LogSourceA has custom property sourceip, and username and LogSourceB has custom property sourceip and URL. Is there any way to merge LogSourceA and LogSourceB based on sourceip so that the output would be in log activity as sourceip, username,URL. 

Any help is appreciated.

------------------------------
ishwor shrestha
------------------------------

Ishwor,

the brief answer is to use AQL to show this in either log activity or dashboard or even pulse.

There is a long dicsussion entry at https://community.ibm.com/community/user/security/discussion/concat-two-custom-prorties-against-only-one-event-type

talking about concat, please see the many examples in the AQL guide.

------------------------------
[Karl] [Jaeger] [#ibmchampion]
[QRadar Specialist]
[cnag]
[Siegen] [Germany]
------------------------------

Original Message:
Sent: Tue September 24, 2024 01:02 AM
From: ishwor shrestha
Subject: Join two device event custom property based on some common paramters

Dear Team,

Suppose we have two log source namely LogSource A and LogSource B. The LogSourceA has custom property sourceip, and username and LogSourceB has custom property sourceip and URL. Is there any way to merge LogSourceA and LogSourceB based on sourceip so that the output would be in log activity as sourceip, username,URL. 

Any help is appreciated.

------------------------------
ishwor shrestha
------------------------------

Hi Karl,

The link that you have shared is about concatenating two properties within the single device's custom properties but in our case, we need to display multiple custom properties from two different devices on a single row by joining on some common property. For example, 

log source	source ip	username	URL
device A	192.168.10.2	root	null
device B	192.168.10.2	null	example.com

Now we have common sourceip in both device A and device B and if we can join two device's custom properties based on sourceip then the output would be :

log source	source ip	deviceA.username	deviceB.URL
device A or device B (based on need)	192.168.10.2	root	example.com

How can we achieve these kinds of use cases?  Jose has posted a video to join two tables i.e. event and flows and if similar kind of joining can be done within the table in multiple devices then it would be really helpful.

The link is: https://www.youtube.com/watch?v=bf7ljLZUzrw&pp=ygURam9pbiB0YWJsZSBxcmFkYXI%3D

I think these kinds of use cases would be helpful for everyone.

Best Regards,

Ishwor Shrestha

------------------------------
ishwor shrestha
------------------------------

Original Message:
Sent: Tue September 24, 2024 12:34 PM
From: Karl Jaeger
Subject: Join two device event custom property based on some common paramters

Ishwor,

the brief answer is to use AQL to show this in either log activity or dashboard or even pulse.

There is a long dicsussion entry at https://community.ibm.com/community/user/security/discussion/concat-two-custom-prorties-against-only-one-event-type

talking about concat, please see the many examples in the AQL guide.

------------------------------
[Karl] [Jaeger] [#ibmchampion]
[QRadar Specialist]
[cnag]
[Siegen] [Germany]

Original Message:
Sent: Tue September 24, 2024 01:02 AM
From: ishwor shrestha
Subject: Join two device event custom property based on some common paramters

Dear Team,

Suppose we have two log source namely LogSource A and LogSource B. The LogSourceA has custom property sourceip, and username and LogSourceB has custom property sourceip and URL. Is there any way to merge LogSourceA and LogSourceB based on sourceip so that the output would be in log activity as sourceip, username,URL. 

Any help is appreciated.

------------------------------
ishwor shrestha
------------------------------