IBM QRadar

  • 1.  Scheduling a daily report containing all the active offenses in QRadar

    Posted Wed January 04, 2023 08:18 AM
    Dear Community members,

    I am new to QRadar and to the community.

    Has anyone been able to schedule a daily report containing all the active offenses on the system?

    On the report page, what I could see is that a report can be scheduled for new offenses created daily, weekly or monthly. There is also a manual option for a specific period, but this can't be scheduled and has to be executed manually. I have also tried to save a search and use it in a daily schedule, but it doesn't give me all the active offenses which I want to see in the report.

    I have also tried to use this KB, QRadar: Creating a search for a report to show Offense Data, but it just gives the offense data and not its status, whether it is closed or active.

    If anyone could help and give some pointers which can help me achieve the above, it would be helpful.



    ------------------------------
    Sanosh Kumar
    ------------------------------


  • 2.  RE: Scheduling a daily report containing all the active offenses in QRadar

    Posted Fri January 06, 2023 05:55 AM

    Sanosh,
    basically you have two options. The approach using your own search does work even for scheduling:
    just use an AQL search over your last period asking for open or closed offenses.
    The second option is to use the REST API. However, you may have to parse the output with some kind of Python script to get the results converted.
    Creating a script to convert JSON to CSV is relatively easy.

    regards
    Karl



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
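    Karl's second option, sketched as an added example (this is not code from the thread or from IBM): pull the OPEN offenses over the QRadar REST API and flatten them to CSV for a scheduled report. The hostname, token and sample records are placeholders or constructed; the /api/siem/offenses endpoint, the SEC and Range headers and the filter syntax are the standard QRadar API ones.

```python
import csv, io, json, urllib.parse, urllib.request
from datetime import datetime, timezone

# Hypothetical connection details: substitute your console and an authorized service token.
QRADAR_HOST = "qradar.example.invalid"
API_TOKEN = "REPLACE_WITH_SEC_TOKEN"
PAGE_SIZE = 50
FIELDS = ["id", "status", "magnitude", "offense_source", "rule_ids", "start_time", "description"]

def fetch_open_offenses(host, token, page_size=PAGE_SIZE):
    """Page through GET /api/siem/offenses with filter status="OPEN" (Range header paging)."""
    query = urllib.parse.urlencode({"filter": 'status="OPEN"'})
    offenses, start = [], 0
    while True:
        req = urllib.request.Request(f"https://{host}/api/siem/offenses?{query}")
        req.add_header("SEC", token)  # QRadar authorized-service token
        req.add_header("Range", f"items={start}-{start + page_size - 1}")
        with urllib.request.urlopen(req, timeout=30) as resp:  # 200 on last page, 206 when more follow
            page = json.load(resp)
        offenses.extend(page)
        if len(page) < page_size:
            return offenses
        start += page_size

def epoch_ms_to_iso(ms):
    """QRadar timestamps are epoch milliseconds; reports read better as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
def offenses_to_csv(offenses):
    """Flatten offense JSON to CSV; commas/newlines in descriptions are quoted by the csv module."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for o in offenses:
        writer.writerow({
            "id": o["id"], "status": o["status"], "magnitude": o.get("magnitude", ""),
            "offense_source": o.get("offense_source", ""),
            "rule_ids": ";".join(str(r["id"]) for r in o.get("rules", [])),  # rule IDs that fired
            "start_time": epoch_ms_to_iso(o["start_time"]),
            "description": o.get("description", "").strip(),
        })
    return buf.getvalue()

# Constructed sample records in the shape the endpoint returns, so the conversion runs offline.
SAMPLE = [
    {"id": 101, "status": "OPEN", "magnitude": 6, "offense_source": "10.0.0.5", "start_time": 1672828680000,
     "rules": [{"id": 100204, "type": "CRE_RULE"}], "description": "Multiple Login Failures\n"},
    {"id": 102, "status": "OPEN", "magnitude": 4, "offense_source": "10.0.0.9", "start_time": 1673000000000,
     "rules": [{"id": 100204, "type": "CRE_RULE"}, {"id": 100301, "type": "CRE_RULE"}],
     "description": "Excessive Firewall Denies, preceded by Recon"},
]
```

    For the live run, call offenses_to_csv(fetch_open_offenses(QRADAR_HOST, API_TOKEN)) from a cron job and write the returned text to the CSV your daily report ships.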



  • 3.  RE: Scheduling a daily report containing all the active offenses in QRadar

    Posted Sat January 14, 2023 02:00 AM
    Hi Karl, 

    Thank you for your response, but I didn't find any way to form an AQL query which I can execute in Log Activity to fetch the required offense data with its status.

    Would you be able to help by sharing a sample AQL for the same which I can execute from the Log Activity tab?

    In the Offense tab I can create a search query, but that can't be used to schedule a report. That is why I came to the forum looking for help.

    Thanks
    Santosh

    ------------------------------
    Santosh Shukla
    ------------------------------



  • 4.  RE: Scheduling a daily report containing all the active offenses in QRadar

    Posted Wed January 25, 2023 10:15 AM
    Santosh,

    I used this query, which is a modification of a standard search. Show AQL will give you all the options you need. Store it under your own name to use it in your report.

    SELECT "userName" AS 'Username',
           UniqueCount("CRE Name") AS 'CRE Name (custom) (Unique Count)',
           UniqueCount(qid) AS 'Event Name (Unique Count)',
           UniqueCount(category) AS 'Low Level Category (Unique Count)',
           UniqueCount("sourceIP") AS 'Source IP (Unique Count)',
           UniqueCount("destinationIP") AS 'Destination IP (Unique Count)',
           UniqueCount("destinationPort") AS 'Destination Port (Unique Count)',
           MIN("magnitude") AS 'Magnitude (Minimum)',
           SUM("eventCount") AS 'Event Count (Sum)',
           COUNT(*) AS 'Count'
    FROM events
    WHERE ( ( "deviceType"='18' AND "hasOffense"='true' ) AND "userName" != 'null' )
    GROUP BY "userName"
    ORDER BY "Event Count (Sum)" DESC
    LAST 30 DAYS

    BR Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 5.  RE: Scheduling a daily report containing all the active offenses in QRadar

    Posted Mon June 19, 2023 08:51 AM
    Edited by İsmail Kaya Mon June 19, 2023 08:53 AM

    Hi,

    Is there a way to see Rule ID, Rule Name, Offense ID and CRE Name together? Because if I check the offense-created logs, I see just the rule ID and offense ID. If I search "associated with offense", the count shows how many events are related to the offense description (actually as event name), but it doesn't show how many unique offenses were generated. If I try this search (which Mr Jaeger shared above), it doesn't show how many offenses were created.

    At this point, are there different databases that store different values about events or offenses, and is there a way to combine them?

    Also, what is the meaning of Device Type=18? I looked it up but didn't find anything, and also when I try to add a Device Type filter from "Add filter", there is no property named Device Type.

    Thanks,



    ------------------------------
    İsmail Kaya
    ------------------------------