IBM QRadar

Hello all,

I am reposting my Reddit discussion here.

There is an issue with the new function Offense_Time where the AQL query is not returning any events or the number of returned events does not equal the number of events associated with the offense.

SELECT * FROM events WHERE INOFFENSE(1) times OFFENSE_TIME(1)

I have investigated this issue further and noticed that when using the new function, the AQL query does not return events with a Start Time within the exact minute of the offense's Start Date.

I'm able to use the AQL function with accurate search results with the below query:

SELECT * FROM events WHERE InOffense(1) START SUBSTRING(OFFENSE_TIME(1), 1, 14) STOP SUBSTRING(OFFENSE_TIME(1), 15, 28)

The above query works by extracting the required Start Time and End Time from the Offense_Time returned string.

Offense_Time(1) returned string example: [1685403797769,1685404379262]

For your support and input.

Thanks!

Has this issue been fixed in 7.5.0 UpdatePackage 6 (Build 20230519190832)
   with interim fix IF01 applied ?

Hello all,

I am reposting my Reddit discussion here.

There is an issue with the new function Offense_Time where the AQL query is not returning any events or the number of returned events does not equal the number of events associated with the offense.

SELECT * FROM events WHERE INOFFENSE(1) times OFFENSE_TIME(1)

I have investigated this issue further and noticed that when using the new function, the AQL query does not return events with a Start Time within the exact minute of the offense's Start Date.

I'm able to use the AQL function with accurate search results with the below query:

SELECT * FROM events WHERE InOffense(1) START SUBSTRING(OFFENSE_TIME(1), 1, 14) STOP SUBSTRING(OFFENSE_TIME(1), 15, 28)

The above query works by extracting the required Start Time and End Time from the Offense_Time returned string.

Offense_Time(1) returned string example: [1685403797769,1685404379262]

For your support and input.

Thanks!

I'm updating both threads here and in Reddit (https://www.reddit.com/r/QRadar/comments/13wq85v/qradar_750_offense_time_function_issue_workaround/) where this issue was first posted. There is a hotfix for this issue availale for users on 7.5.0 UP4 I know, but an official fix is planned for QRadar 7.5.0 Update Package 7. 

There is not a fix committed for 7.5.0 Update Package 6 IF1 or IF2 that I'm aware of, but a future release for 7.5.0 Update Package 7 does contain a fix for this issue. 

Has this issue been fixed in 7.5.0 UpdatePackage 6 (Build 20230519190832)
   with interim fix IF01 applied ?

Hello all,

I am reposting my Reddit discussion here.

There is an issue with the new function Offense_Time where the AQL query is not returning any events or the number of returned events does not equal the number of events associated with the offense.

SELECT * FROM events WHERE INOFFENSE(1) times OFFENSE_TIME(1)

I have investigated this issue further and noticed that when using the new function, the AQL query does not return events with a Start Time within the exact minute of the offense's Start Date.

I'm able to use the AQL function with accurate search results with the below query:

SELECT * FROM events WHERE InOffense(1) START SUBSTRING(OFFENSE_TIME(1), 1, 14) STOP SUBSTRING(OFFENSE_TIME(1), 15, 28)

The above query works by extracting the required Start Time and End Time from the Offense_Time returned string.

Offense_Time(1) returned string example: [1685403797769,1685404379262]

For your support and input.

Thanks!