IBM Security QRadar

  • 1.  How to create Daily reports based on the current day

    Posted Fri March 19, 2021 04:51 PM
    Hello everyone

    I am looking for a way to generate daily reports in QRadar based on the data of the current day.
    Unfortunately, QRadar appears to be based on data from the previous day and not the current day. Do you have an idea for a workaround?

    ------------------------------
    Famara Bodian
    ------------------------------


  • 2.  RE: How to create Daily reports based on the current day

    IBM Champion
    Posted Mon March 22, 2021 02:08 PM
    Famara,

    You are right about scheduled reports, which cannot be run successfully before midnight is over, as shown in your screenshot. The reason is that the corresponding metadata are not yet written to the database. However, a little trick may help you. If you create your report using a manual schedule, you have more options available covering the start and end time of the current day:
    In your case you could specify the whole year as start and end date and select the data time frame you want your report to cover in the targeted data option, specifying each day of the week to be covered. The difference from the scheduled report definition shown above is that this data selection uses the standard index from the database instead of the metadata used for the daily schedule, which is created by a background task inside QRadar. The standard data is written each hour to the Ariel database rather than once a day at midnight.
    The remaining problem is that the report isn't scheduled yet. The easiest way to achieve that is to duplicate it, change the schedule option on the 1st page and save the result. You can do this trick on the original report as well, but please make sure not to change the container definition details.
    Some more tips on custom reports:
    • use your own search criteria and test the result in Log Activity first
    • export your search as AQL, save it and select it as a saved search inside the report wizard
    • use chart type events/logs to use your AQL search and select table as the graph type
    Happy reporting!

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: How to create Daily reports based on the current day

    Posted Mon March 22, 2021 05:19 PM
    Hello @Karl Jaeger,
    Thank you for your time. I took your advice, but after I changed the schedule option to Daily, QRadar continued to rerun data from the previous day.
    Did I miss something?

    ------------------------------
    Famara Bodian
    ------------------------------



  • 4.  RE: How to create Daily reports based on the current day

    IBM Champion
    Posted Tue March 23, 2021 12:45 PM
    Famara,
    Did you follow my advice regarding creating a custom AQL search, using chart type events/logs and selecting table as the graph type?
    Moreover, your graph data should cover a larger time frame and the target data selection should cover your current-day time window. In addition to that, I have used the "last 6 hours" operator in my AQL search example.
    The AQL operator should not conflict with your target data selection. Test your AQL in Log Activity first and then manually run your report. After changing it to a daily schedule, the result should be the same.
    Unfortunately I cannot guarantee that your custom report will work, because there are too many options that could go wrong, I guess. However, it worked for me. If you provide more details on your report and AQL search, I can have a look at it in my lab if you like.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
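    As an added illustration of the approach Karl describes (a saved AQL search with a relative time window, used as the report's events/logs table), here is an example query that is not from the thread or from Karl. The leading comment block, the login-failure category filter and the 24-hour window are assumptions to adapt; the window can be narrowed to LAST 6 HOURS as in Karl's own example.

```sql
/* Added example, not from the thread: failed logins per log source and
   source IP over a relative window. Because the time clause is relative
   to when the report runs, it does not depend on the midnight metadata
   job, and it should not conflict with the manual schedule's targeted
   data selection covering the current day. */
SELECT
    LOGSOURCENAME(logsourceid) AS log_source,
    sourceip,
    UNIQUECOUNT(username)      AS accounts_targeted,
    COUNT(*)                   AS failures
FROM events
/* Assumed filter: adapt to the low-level category you want to report on. */
WHERE CATEGORYNAME(category) ILIKE '%login failure%'
GROUP BY logsourceid, sourceip
ORDER BY failures DESC
LIMIT 50
LAST 24 HOURS
```

Run it in Log Activity first, save it, then pick the saved search in the report wizard with chart type events/logs and graph type table, as the post above advises.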