IBM Security QRadar


AQL search by country

  • 1.  AQL search by country

    Posted Thu December 02, 2021 09:38 AM
    Hello everyone,

    Because I am new on this forum and I am still a beginner in QRadar, but I understand the basics, I must ask you some things.

    I am making an advanced search in Log Activity in order to make a quick search from it and then an offence, so that if this happens it sends an email notification to my email address.

    The problem I face is that I cannot input a particular country in my search (I mean I don't get any results). I want to see just results from my country and not others. How do I input a country? Do I have to have a particular code for my country, or?

    I wrote this AQL, and like this I get results, but not when I put a country in 'geographiclocation'.

    The query is the following one:

    SELECT * FROM events WHERE qid=26750054 AND NOT INCIDR('192.168.0.0/16', sourceip) AND geographiclocation = 'other'

    When I input, for example, 'Macedonia' or 'United States' or anything else but 'other', I don't get any results.

    Can you please help me?

    Thank you in advance!

    ------------------------------
    Slavcho Andreevski
    ------------------------------


  • 2.  RE: AQL search by country

    Posted Fri December 03, 2021 07:49 AM
    Hi,

    use:
    SELECT * FROM events WHERE qid=26750054 AND NOT INCIDR('192.168.0.0/16', sourceip) AND sourcegeographiclocation = 'other'

    ------------------------------
    Sebastian Pinau
    ------------------------------



  • 4.  RE: AQL search by country

    Posted Fri December 03, 2021 07:52 AM
    Hi, you can use:

    SELECT sourceip, sourcegeographiclocation, destinationip FROM events WHERE qid=26750054 AND NOT INCIDR('192.168.0.0/16', sourceip) AND sourcegeographiclocation = 'Europe.Macedonia'


    SELECT sourceip, sourcegeographiclocation, destinationip FROM events WHERE qid=26750054 AND NOT INCIDR('192.168.0.0/16', sourceip)

    ------------------------------
    Sebastian Pinau
    ------------------------------
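
The answer above works because QRadar stores the geo lookup of an address as a single label of the form Continent.Country, so the filter has to match that whole string; 'Macedonia' on its own never equals 'Europe.Macedonia'. The following is an added example written for this page, not code from the thread or from IBM: three separate AQL statements, run one at a time in Log Activity > Advanced Search. The QID 26750054 and the 192.168.0.0/16 exclusion are taken from the thread; the 24-hour window and the 'Europe.Macedonia' label are assumptions, and the label in particular should be replaced with whatever the first statement actually returns on your appliance. The lines starting with `--` are annotations for the reader and should be dropped when pasting, since the AQL editor takes one bare statement.

```sql
-- Added example, not from the thread. Three separate AQL statements, run one
-- at a time; the '--' lines are annotations for the reader, not AQL.
-- qid and the 192.168.0.0/16 exclusion come from the thread; the time window
-- and the 'Europe.Macedonia' label are assumptions to be replaced with what
-- statement 1 actually returns on your appliance.

-- 1) Inventory: which geographic labels does QRadar actually assign to the
--    non-RFC1918 sources of this QID? The label is one string, continent and
--    country joined by a dot; 'other' is the bucket for addresses the GeoIP
--    lookup could not place. Copy the value you want from this result
--    instead of guessing the spelling.
SELECT sourcegeographiclocation, COUNT(*) AS hits
FROM events
WHERE qid = 26750054
  AND NOT INCIDR('192.168.0.0/16', sourceip)
GROUP BY sourcegeographiclocation
ORDER BY hits DESC
LAST 24 HOURS

-- 2) Positive filter: only the home country, using the exact label copied
--    from statement 1. The source and destination sides are separate fields,
--    so both are selected here to make the match visible in the results.
SELECT sourceip, sourcegeographiclocation, destinationip, destinationgeographiclocation
FROM events
WHERE qid = 26750054
  AND NOT INCIDR('192.168.0.0/16', sourceip)
  AND sourcegeographiclocation = 'Europe.Macedonia'
LAST 24 HOURS

-- 3) The detection usually wanted behind an email rule: the same events from
--    anywhere except the home country. Excluding 'other' keeps unresolved
--    addresses from firing the alert; drop that clause if you would rather
--    see them. A continent-wide allow list can use a prefix instead, e.g.
--    sourcegeographiclocation NOT LIKE 'Europe.%'.
SELECT sourceip, sourcegeographiclocation, destinationip
FROM events
WHERE qid = 26750054
  AND NOT INCIDR('192.168.0.0/16', sourceip)
  AND sourcegeographiclocation <> 'Europe.Macedonia'
  AND sourcegeographiclocation <> 'other'
LAST 24 HOURS
```

Two practical notes. First, the country names come from the GeoIP data installed on the appliance, so the exact string for a given country can change when that data is updated; re-run the inventory statement after such updates before trusting a saved search or rule that hard-codes the label. Second, the first post's query filtered on `geographiclocation`, while both answers switch to `sourcegeographiclocation`; the geo fields in AQL are qualified by side (`sourcegeographiclocation`, `destinationgeographiclocation`), so pick the side that matters for the alert.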