IBM QRadar

  • 1.  Reporting on Open offenses with magnitude greater than 7

    Posted Thu June 23, 2022 02:19 PM
    Does anyone have a search or an aql statement I can use to report on open offenses with a magnitude greater than 7? The best I can do is to report on rules that have a magnitude greater than 7.

    ------------------------------
    LUIS LATAS
    ------------------------------


  • 2.  RE: Reporting on Open offenses with magnitude greater than 7

    Posted Tue July 12, 2022 11:38 AM
    Hello @LUIS LATAS,

    Hope you are well :)

    I guess it is simpler to do it with the API or a psql statement.

    Sure, it's not the right answer, but if I had to do so I would start near this, if you have to do it via a search on events:

    SELECT "CRE Name", MIN("magnitude"), SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events where ( "deviceType"='18' AND "hasOffense"='true' and magnitude >7 ) GROUP BY "CRE Name" order by "Count" desc last 6 hours

    Hope this helps,

    Regards,

    @zoldax

    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------
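The reply above points at the REST API as the simpler route. The script below is an added example for this thread (not IBM's code and not posted by either participant): it asks the QRadar REST API directly for offenses that are still OPEN and have a magnitude above 7, using the documented `filter` parameter on `GET /api/siem/offenses`, the `SEC` token header and `Range`-header pagination. The console URL and token are placeholders, the API version is an assumption, and the embedded offense records are constructed so the summary logic can be run offline.

```python
"""Report open QRadar offenses with magnitude above a threshold via the REST API.

Added example for the thread above; not IBM's or the poster's code.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Assumed placeholders: your console and an authorized-service token with
# read access to /api/siem/offenses.
CONSOLE_URL = "https://qradar.example.invalid"
API_TOKEN = "REPLACE-WITH-SEC-TOKEN"
API_VERSION = "12.0"  # assumption: any version that serves /siem/offenses works

MAGNITUDE_THRESHOLD = 7
# Only the fields the report needs; keeps the JSON small on large deployments.
FIELDS = "id,description,magnitude,status,start_time,offense_source,assigned_to"


def build_offense_query(threshold=MAGNITUDE_THRESHOLD):
    """Query-string parameters for /api/siem/offenses.

    The filter is evaluated server-side, so the console selects the offenses
    instead of the client paging through every offense and filtering locally.
    """
    return {
        "filter": f"status=OPEN and magnitude>{threshold}",
        "fields": FIELDS,
    }


def fetch_open_high_magnitude_offenses(console_url=CONSOLE_URL, token=API_TOKEN,
                                       threshold=MAGNITUDE_THRESHOLD, page_size=50):
    """Page through matching offenses with the Range header (items=a-b)."""
    query = urllib.parse.urlencode(build_offense_query(threshold))
    url = f"{console_url}/api/siem/offenses?{query}"
    offenses, start = [], 0
    while True:
        req = urllib.request.Request(url, headers={
            "SEC": token,
            "Version": API_VERSION,
            "Accept": "application/json",
            "Range": f"items={start}-{start + page_size - 1}",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
            page = json.load(resp)
        offenses.extend(page)
        if len(page) < page_size:  # short page means we reached the end
            return offenses
        start += page_size


def summarize_offenses(offenses, threshold=MAGNITUDE_THRESHOLD):
    """Re-check status and magnitude client-side and produce report rows.

    The server filter should already have done this; the re-check means a
    mistyped filter cannot silently widen the report. Rows are sorted by
    magnitude, highest first.
    """
    rows = []
    for o in offenses:
        if o.get("status") != "OPEN" or o.get("magnitude", 0) <= threshold:
            continue
        started = datetime.fromtimestamp(o["start_time"] / 1000, tz=timezone.utc)
        rows.append({
            "id": o["id"],
            "magnitude": o["magnitude"],
            "description": o.get("description", "").strip(),
            "source": o.get("offense_source"),
            "assigned_to": o.get("assigned_to") or "unassigned",
            "start_time": started.isoformat(timespec="seconds"),
        })
    return sorted(rows, key=lambda r: r["magnitude"], reverse=True)


# Constructed sample shaped like the API's JSON (epoch milliseconds for start_time).
SAMPLE_OFFENSES = [
    {"id": 102, "description": "Excessive Firewall Denies\n", "magnitude": 8,
     "status": "OPEN", "start_time": 1655990400000, "offense_source": "10.0.0.9",
     "assigned_to": "analyst1"},
    {"id": 101, "description": "Multiple Login Failures followed by Success\n",
     "magnitude": 9, "status": "OPEN", "start_time": 1655986800000,
     "offense_source": "10.0.0.5", "assigned_to": None},
    {"id": 103, "description": "Port Scan Detected\n", "magnitude": 6,          # below threshold
     "status": "OPEN", "start_time": 1655994000000, "offense_source": "10.0.0.7",
     "assigned_to": None},
    {"id": 104, "description": "Malware Beacon\n", "magnitude": 10,             # already closed
     "status": "CLOSED", "start_time": 1655980000000, "offense_source": "10.0.0.3",
     "assigned_to": "analyst2"},
]


if __name__ == "__main__":
    # Against a real console: rows = summarize_offenses(fetch_open_high_magnitude_offenses())
    for row in summarize_offenses(SAMPLE_OFFENSES):
        print(f"{row['id']:>6}  mag={row['magnitude']:<3} {row['start_time']}  "
              f"{row['source']:<12} {row['assigned_to']:<12} {row['description']}")
```

Unlike an event search, this reads offense state directly, so an offense whose magnitude was raised by later events, or one that was closed since, is reported as the console currently sees it. On a large deployment keep the `fields` list short and the page size moderate; the `Range` header is what prevents a single huge response.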



  • 3.  RE: Reporting on Open offenses with magnitude greater than 7

    Posted Thu July 14, 2022 09:55 AM
    Thanks.

    ------------------------------
    LUIS LATAS
    ------------------------------