IBM QRadar

  • 1.  Filter Time in Pulse with Data Source Offense

    Posted Mon April 01, 2024 12:59 PM

    How do I filter time in Pulse with data source Offense?

    In data source AQL, we can filter time with "last 1 days", etc. How about data source Offense?



    ------------------------------
    Aditya Cesario Saputra
    ------------------------------


  • 2.  RE: Filter Time in Pulse with Data Source Offense

    Posted Thu May 16, 2024 08:18 AM

    Hello, 

    Can you add a bit more context/detail around this query?

    In the pulse app, you can use the 'Configure Dashboard' button to create new widgets to add or select from ones already created.

    This document describes 'Creating widgets from an offense data source':
    https://www.ibm.com/docs/en/qradar-common?topic=widgets-creating-from-offense-data-source

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Filter Time in Pulse with Data Source Offense

    Posted Thu October 24, 2024 03:35 AM
    Edited by Aditya Cesario Saputra Thu October 24, 2024 03:37 AM

    I want to create a Pulse dashboard with data source = offense.

    I want to show how many offenses were opened today and how many offenses were closed today.

    How can I filter for offenses opened today?



    ------------------------------
    Aditya Cesario Saputra
    ------------------------------



  • 4.  RE: Filter Time in Pulse with Data Source Offense

    Posted Fri October 25, 2024 10:17 AM
    Edited by Dusan VIDOVIC Fri October 25, 2024 10:17 AM

    There are events generated by the SIM Audit log source (category SIM User Action) that you might consider using; i.e. the QIDs are

    28250369    Offense created

    28250021    Offense closed

    28250180    Offense Assigned

    28250151    Note Added

    28250391   Follow Up Offense

    28250392   Protect Offense

    28250022   Offense Hidden

    28250020    All Offenses closed

    So, an AQL search like 

    SELECT DATEFORMAT(starttime, 'yyyy-MM-dd') as Time, qidname(qid) as Event, count() as NumberOpen FROM EVENTS WHERE qid = 28250369 GROUP BY Time LAST 7 DAYS 

    should provide the info. 

    ...and in your AQL search in Pulse you can also use parameters like 

    START '{STARTDATE}' STOP '{STOPDATE}'

    so you can enter in the fields the desired date/timestamps for the period you are looking into (e.g. enter 2024-10-18 00:00 for STARTDATE and 2024-10-25 00:00 for STOPDATE)



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 5.  RE: Filter Time in Pulse with Data Source Offense

    Posted Mon October 28, 2024 11:37 PM

    Thanks Dusan for your insight.

    But I want to create a Pulse dashboard to show how many offenses there are today and show offense category by domain ID, because my QRadar is using multitenancy.

    In the SIM Audit log source, I can't find category and domain ID.



    ------------------------------
    Aditya Cesario Saputra
    ------------------------------