IBM QRadar

We are working on a QRadar integration. In this app, we are collecting IOCs via API and ingesting events into QRadar. Also, the information of the IOCs gets updated like IOC severity, last updated time, etc. Hence there will be multiple events for a single IOC value. As part of the use case, we want to fetch the latest IOC information. To achieve this, we are using Group by clause in AQL to get a unique event by IOC value. We observed that QRadar does not return the latest event every time. We also tried using aggregation functions like "FIRST", "LAST" to get the latest event, but it is giving intermittent results. i.e It does not return always the latest event. https://www.ibm.com/docs/en/qsip/7.4?topic=language-aql-data-aggregation-functions

Is there any way to fetch the latest events from Log Activity?

I talked to development briefly about your question and they suggested that you try a query like the following:

This doesn't work Support Member

I agree with Raj.

If I ingest an event with sourceip=1.2.3.4 and a property prop_1='1'. After some time, if I ingest event with sourceip=1.2.3.4 and prop_1='2'.

Then, on running following AQL query:

SELECT prop_1 from events GROUP BY sourceip

will return prop_1 = 1 and sometimes 2 which is incorrect.

Other SIEM platforms like Splunk and ELK always shows latest event. Due to this we have to take headache of processing all the events on server side which causes performance issues with the app!!