IBM QRadar

  • 1.  Rules fired count within one month

    Posted Mon February 03, 2020 01:31 PM
    I need to determine if there is any AQL query or any alternative way to find the list of rules fired in one month with a count (number of times each rule fired) in one month.

    ------------------------------
    Abdul Qudoos
    ------------------------------


  • 2.  RE: Rules fired count within one month

    Posted Mon February 03, 2020 11:05 PM

    Offenses are accessible via offense API, not in AQL. With AQL you can check if a log source contributed to that offense by its  offense ID within a certain time frame. You can get information on who closed a specific offense as that generates an Audit event in QRadar that can be found via AQL.

    The best method to determine your answer would be to query from the interactive API using the /siem/offenses endpoint. Be aware, you must be using QRadar 7.3.2 to leverage this API field. There was a fairly recent subreddit discussion on this same question here for more details: https://www.reddit.com/r/QRadar/comments/e5ivxz/aql_query/



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
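The reply above points at the /siem/offenses endpoint; the following script is an added example (not part of this thread and not IBM's code) showing how to turn that endpoint's output into a per-rule tally over a 30-day window. It assumes the response shapes documented for the QRadar REST API (offense `start_time` in epoch milliseconds, an offense `rules` list with `id` and `type`, and `id`/`name` from /api/analytics/rules); the offense and rule records embedded below are constructed sample data, and the `fetch_json` / `report_from_api` helpers are the assumed live path, which is not executed here. Note the caveat in `count_rule_hits`: an offense counts once per rule no matter how many events the rule matched, and rules that fire without opening an offense never appear, so this is a lower bound on rule activity rather than a true "times fired" count.

```python
"""Tally how many offenses each QRadar rule contributed to inside a time window.

Added example built around the /api/siem/offenses endpoint. The field shapes
(offense.start_time in epoch ms, offense.rules[].id/type, /api/analytics/rules
id/name) are assumed from the QRadar REST API docs; the sample records below
are constructed, not real QRadar output.
"""
import json
import ssl
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone


def epoch_ms(year, month, day):
    """UTC midnight of the given date as epoch milliseconds (QRadar's time unit)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Reporting window: the 30 days ending on 3 Feb 2020 (the date of the question).
WINDOW_START_MS = epoch_ms(2020, 1, 4)
WINDOW_END_MS = epoch_ms(2020, 2, 3)

# Constructed sample offenses: only the fields this script needs.
SAMPLE_OFFENSES = [
    {"id": 101, "start_time": epoch_ms(2020, 1, 10),
     "rules": [{"id": 1001, "type": "CRE_RULE"}]},
    {"id": 102, "start_time": epoch_ms(2020, 1, 20),
     "rules": [{"id": 1001, "type": "CRE_RULE"}, {"id": 1002, "type": "CRE_RULE"}]},
    {"id": 103, "start_time": epoch_ms(2019, 12, 25),      # before the window
     "rules": [{"id": 1002, "type": "CRE_RULE"}]},
    {"id": 104, "start_time": epoch_ms(2020, 2, 1),
     "rules": [{"id": 1003, "type": "CRE_RULE"}, {"id": 7, "type": "ADE_RULE"}]},
]

# Constructed sample rule catalogue; rule 1003 is deliberately missing to show
# how an offense that references a deleted or unknown rule is reported.
SAMPLE_RULES = [
    {"id": 1001, "name": "Excessive Firewall Denies"},
    {"id": 1002, "name": "Multiple Login Failures"},
]


def offense_filter(start_ms, end_ms):
    """QRadar API 'filter' expression selecting offenses opened inside the window."""
    return f"start_time >= {start_ms} and start_time <= {end_ms}"


def count_rule_hits(offenses, rules, start_ms, end_ms, rule_type="CRE_RULE"):
    """Return {rule name: number of offenses in the window that list that rule}.

    Each offense counts once per rule, however many events the rule matched,
    so the result is a lower bound on how often the rule actually fired.
    """
    names = {r["id"]: r["name"] for r in rules}
    counts = Counter()
    for offense in offenses:
        if not start_ms <= offense["start_time"] <= end_ms:
            continue
        for rule in offense.get("rules", []):
            if rule.get("type") != rule_type:
                continue
            label = names.get(rule["id"], f"rule id {rule['id']} (name not found)")
            counts[label] += 1
    return dict(counts)


def top_rules(counts, limit=10):
    """Most frequently contributing rules first, rule name as tie-breaker."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def fetch_json(console, token, path, params, cafile=None):
    """GET one QRadar REST API resource (assumed live path, not run here).
    The SEC header carries the authorized-service token; 'fields' and 'filter'
    are the endpoint's own query parameters."""
    url = f"https://{console}/api/{path}?{urllib.parse.urlencode(params)}"
    request = urllib.request.Request(url, headers={"SEC": token, "Accept": "application/json"})
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=60) as response:
        return json.load(response)


def report_from_api(console, token, start_ms, end_ms, cafile=None):
    """Live version of the tally; needs a reachable console, so not executed here."""
    offenses = fetch_json(console, token, "siem/offenses",
                          {"fields": "id,start_time,rules",
                           "filter": offense_filter(start_ms, end_ms)}, cafile)
    rules = fetch_json(console, token, "analytics/rules", {"fields": "id,name"}, cafile)
    return top_rules(count_rule_hits(offenses, rules, start_ms, end_ms))


if __name__ == "__main__":
    tally = count_rule_hits(SAMPLE_OFFENSES, SAMPLE_RULES, WINDOW_START_MS, WINDOW_END_MS)
    for name, hits in top_rules(tally):
        print(f"{hits:4d}  {name}")
```

Run against a real console, `report_from_api` would also need the `Range` header (for example `items=0-49`) to page through a large offense list, since the API returns a bounded page by default, and the token should belong to an authorized service with read-only access to offenses and rules. Filtering on `start_time` counts offenses opened in the window; switch the filter to `last_updated_time` if you want offenses that were still active in it.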



  • 3.  RE: Rules fired count within one month

    Posted Wed February 05, 2020 08:16 AM
    Thanks for the reply... Actually I want the total number of rules, with their names, which have been fired in 30 days? The above discussion on reddit explained the offenses closed by users, which didn't correspond to my question.

    ------------------------------
    Abdul Qudoos
    ------------------------------



  • 4.  RE: Rules fired count within one month

    Posted Wed February 05, 2020 10:13 AM
    Hi Abdul,

    Not clear what version you're using, but a quick search shows there is something more like what you want here:

    https://developer.ibm.com/answers/questions/456339/count-of-offenses-createdclosed/

    Do a bit of AQL experimenting and search for something like "CRE Rule" (not Offense in your case) - then tune the required payload from there.

    ------------------------------
    Darren H.
    ------------------------------



  • 5.  RE: Rules fired count within one month

    Posted Wed February 05, 2020 04:46 PM
    I added an example from a case that seemed similar in the support forum post that @Darren H. mentioned, as I was going to link to this post as well. Support forums are moving to a new platform in 2020, so I want to make sure this content gets migrated to the new forums, which is why I updated the support forum post.


    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------