Clément BONNAL
Here's an XPath query I wrote the other day to safelist some PowerShellCore events. I recommend testing with the Event Filter (eventvwr.msc) first to ensure you get your desired results. I had to break this query into two separate Ids ("0" and "1") as I think there is a character limit for each Query Id. I am using the latest WinCollect 10 (10.1.4.44). Hopefully this will help you and others in the future.
<QueryList>
  <Query Id="0" Path="PowerShellCore/Operational">
    <Select Path="PowerShellCore/Operational">*[System[(EventID=4104)]]</Select>
    <Suppress Path="PowerShellCore/Operational">*[System[(EventID=4104)]] and
      ( *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\CimCmdlets\CimCmdlets.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Archive\en-US\ArchiveResources.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PackageManagement\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.strings.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PackageManagement\DSCResources\MSFT_PackageManagementSource\MSFT_PackageManagementSource.strings.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PackageManagement\DSCResources\PackageManagementDscUtilities.strings.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PackageManagement\PackageManagement.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PackageManagement\PackageManagement.Resources.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PowerShellGet\DSCResources\MSFT_PSModule\en-US\MSFT_PSModule.strings.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PowerShellGet\DSCResources\MSFT_PSRepository\en-US\MSFT_PSRepository.strings.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PowerShellGet\en-US\PSGet.Resource.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PowerShellGet\Modules\PowerShellGet.ResourceHelper\en-US\PowerShellGet.ResourceHelper.strings.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PowerShellGet\PowerShellGet.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PowerShellGet\PSGet.Resource.psd1']]
      )
    </Suppress>
  </Query>
  <Query Id="1" Path="PowerShellCore/Operational">
    <Select Path="PowerShellCore/Operational">*[System[(EventID=4104)]]</Select>
    <Suppress Path="PowerShellCore/Operational">*[System[(EventID=4104)]] and
      ( *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PSReadLine\PSReadLine.psd1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\PSReadLine\PSReadLine.psm1']] or
        *[EventData[Data[@Name='Path'] = 'C:\program files\powershell\7\Modules\ThreadJob\ThreadJob.psd1']]
      )
    </Suppress>
  </Query>
</QueryList>
------------------------------
Tom L
------------------------------
Original Message:
Sent: Thu May 11, 2023 04:20 PM
From: Clément BONNAL
Subject: Wincollect complex eventID filter
Hi Jonathan,
Finally I used XPath to collect my Security logs, and applied <Suppress> filters in the Query!
Thank you
------------------------------
Clément BONNAL
Original Message:
Sent: Thu May 11, 2023 03:17 PM
From: Jonathan Pechta
Subject: Wincollect complex eventID filter
Can you confirm your WinCollect version? There was an issue logged against WinCollect 10.0.2, which was fixed in WinCollect 10.1.3 to resolve issues related to filtering for OR conditions as APAR IJ44662.
That being said, the filtering in WinCollect 10.1.4 and earlier is limited at the moment. I had a quick discussion with the dev team on your question, and we do not support combined filtering using parentheses like in your example.
You can use parentheses to filter for:
- Event IDs, to filter ranges or specific values. The docs refer to this as Implicit filtering, such as
-(7000,7022-7026,7031-7034,7045)
- Event ID and source or message values. The docs refer to this as Explicit filtering, such as
EventIDCode <= 7045 AND Message ~ bankingapp.exe
- More complex filtering for source and IDs for Forwarded event logs. The docs refer to this type as Forwarded Events filtering. This is closer to what you want, but at this time only works on Forwarded events, such as
Application(200-256,4097,34);Security(1)
which is equivalent to (channel=Application AND (200-256, 4097, 34)) OR (channel=Security AND 1)
and is much closer to what you want per your example. However, this is only available with Forwarded events. Be aware that in this example of the translated filter, the AND condition is evaluated first, followed by the OR conditions.
At this time, you cannot combine implicit and explicit filter types together like in your example, and nested parentheses are not supported. And unless you are using Forwarded events, you cannot use the filter you are looking to create. There are discussions going on as to how to improve filtering for examples like you listed, but at this time it is not possible. We usually have users look at creating an XPath query, as it can do some of the more complex filtering.
If you have suggestions as to the type of filtering you want to see going forward, it might not be a bad idea to open an IBM Idea to contribute to some specific filtering needs you might want in the future.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
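An added example, written for this thread rather than taken from WinCollect, that models the two parenthesised filter forms Jonathan quotes (implicit ID lists like -(7000,7022-7026,7031-7034,7045) and the Forwarded Events form Application(200-256,4097,34);Security(1)) so the precedence he describes is explicit in code: the AND inside each channel clause is evaluated first, then the clauses are OR-ed. It is a reading of the syntax exactly as shown in the reply, not WinCollect's parser, and it deliberately leaves out the explicit EventIDCode/Message form, whose operator set is not fully shown here.

```python
"""Model of the WinCollect implicit and Forwarded Events filter syntax as
quoted in this thread.  Written for illustration; not WinCollect's own
parser, and it only accepts the forms shown in the reply above."""
import re


def parse_id_list(text):
    """'7000,7022-7026,7045' -> [(7000, 7000), (7022, 7026), (7045, 7045)]

    Each comma-separated item is a single event ID or an inclusive lo-hi range.
    """
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"range {item!r} runs backwards")
        ranges.append((lo_i, hi_i))
    return ranges


def id_in(ranges, event_id):
    """True if event_id falls inside any of the parsed ranges."""
    return any(lo <= event_id <= hi for lo, hi in ranges)


def implicit_excludes(filter_text, event_id):
    """Implicit form: '-(7000,7022-7026,...)' means 'drop these IDs'."""
    m = re.fullmatch(r"\s*-\((.*)\)\s*", filter_text)
    if not m:
        raise ValueError(f"not an implicit filter: {filter_text!r}")
    return id_in(parse_id_list(m.group(1)), event_id)


# One clause of the Forwarded Events form: Channel(ids).  Channel names may
# contain letters, digits, '-', '_', '.', '/' and spaces (my assumption).
FORWARDED_CLAUSE = re.compile(r"^\s*([A-Za-z0-9_.\-/ ]+?)\s*\(([^)]*)\)\s*$")


def parse_forwarded_filter(text):
    """'Application(200-256,4097,34);Security(1)'
    -> {'Application': [(200,256),(4097,4097),(34,34)], 'Security': [(1,1)]}"""
    clauses = {}
    for part in text.split(";"):
        if not part.strip():
            continue
        m = FORWARDED_CLAUSE.match(part)
        if not m:
            raise ValueError(f"bad Forwarded Events clause: {part!r}")
        channel, ids = m.group(1), m.group(2)
        clauses.setdefault(channel, []).extend(parse_id_list(ids))
    return clauses


def forwarded_matches(clauses, channel, event_id):
    """(channel=A AND id in A's list) OR (channel=B AND id in B's list) ...

    The AND inside each clause binds first; the clauses are then OR-ed, which
    is the precedence Jonathan spells out for the translated filter.
    """
    return any(channel == ch and id_in(ranges, event_id)
               for ch, ranges in clauses.items())


if __name__ == "__main__":
    fwd = parse_forwarded_filter("Application(200-256,4097,34);Security(1)")
    # Constructed sample events: (channel, event ID)
    for ev in [("Application", 230), ("Security", 1), ("Security", 4097), ("System", 1)]:
        print(ev, "matches" if forwarded_matches(fwd, *ev) else "does not match")
    print(implicit_excludes("-(7000,7022-7026,7031-7034,7045)", 7033))
```

The useful property to notice is the last sample event: Security 4097 does not match, because 4097 belongs to the Application clause and the channel AND is applied before anything is OR-ed together.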
Original Message:
Sent: Wed May 10, 2023 09:04 AM
From: Clément BONNAL
Subject: Wincollect complex eventID filter
Hello,
I read the Event filtering documentation, but I didn't find how to combine multiple conditions in a filter.
For example, we want to exclude some event IDs:
-(7000,7022-7026,7031-7034,7045)
And we also want to exclude an event ID paired with a specific message:
-(EventIDCode == 4702 AND Message =~ 'test')
But how do I combine them in a single line?
When I do that, I get errors in the WinCollect logs saying it is invalid. The expected filter would look like:
-(eventid1 or eventid2 or eventid3 or (eventid4 and messageX))
Thank you so much for your help.
------------------------------
Clément BONNAL
------------------------------