IBM Security QRadar

  • 1.  AQL doesn't retrieve the same data

    Posted Tue March 16, 2021 09:39 AM

    Hello,

    I have saved a quick search and then exported AQL for that search.

    When using the AQL it doesn't produce the same results as the quick search.



    AQL:
    select "sourceIP" as 'Source IP',
           QIDNAME(qid) as 'Event Name',
           "adlsa-pa-action" as 'adlsa-pa-action (custom)',
           "destinationIP" as 'Destination IP',
           "destinationPort" as 'Destination Port',
           "Application" as 'Application (custom)',
           "startTime" as 'Start Time'
    from events
    where ( ( ( ( ( category != '7024' AND (logSourceId='2316') or (logSourceId='2317') )
                AND ((category - category % 1000)='5000') or ((category - category % 1000)='7000') or ((category - category % 1000)='13000') )
              AND qid != '53502999' )
            AND (FULLNETWORKNAME(SourceIP, DomainID)<'QCERTDrill') or (FULLNETWORKNAME(SourceIP, DomainID)>'QCERTDrill' and FULLNETWORKNAME(SourceIP, DomainID)<'QCERTDrill.') or (FULLNETWORKNAME(SourceIP, DomainID)>'QCERTDrill/') )
          AND ("sourceaddress"<'10.0.0.0') or ("sourceaddress">'10.255.255.255' and "sourceaddress"<'172.16.0.0') or ("sourceaddress">'172.31.255.255' and "sourceaddress"<'192.168.0.0') or ("sourceaddress">'192.168.255.255') )
    order by "startTime" desc
    LIMIT 1000
    last 24 hours
    This AQL is exported from search editor
    Any help is really appreciated


    ------------------------------
    Mohamed Abdel Wahab
    ------------------------------


  • 2.  RE: AQL doesn't retrieve the same data

    IBM Champion
    Posted Fri March 19, 2021 08:13 AM
    Mohamed,
    this is a wonderful example of what my colleague Ralph in his blog entries calls the "expectation gap". It comes from the difference between your expectations and what QRadar really does. The screenshot you provided for your saved quick search shows no time value, but from the AQL export we see the last 24 hours parameter. This is dangerous, as every time interval you query the ariel database will be calculated based on your wall time. So you will see different event counts for each search unless you ask for a specific search result in manage search results. Even then you will see a difference in results if you do not ask for a specific interval using start and end time.

    In order to illustrate what I mean I have run four searches. This one is quick search 1:
    Count is 1,425,270. Now we do export AQL and run the query again 2 minutes later using the clipboard based search string:
    Event count is 1,425,600 now, a difference of 330 events! Why is that? Cause we are talking to an indexed database and the time interval "24h" now is different than two minutes ago!
    Now we do the same using a fixed time interval from 12h to 12h over 3 days.
    Event count is 1,230,409. Using the corresponding AQL export we get this result:

    Gotcha! Event count is the same as correctly expected by you in the 1st place.
    Conclusion: big data is big work. Pls refer to my LinkedIn Profile :-)
    BR Karl


    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
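The drift Karl describes, as an added example that is not part of the thread or of any IBM code: a small in-memory stand-in for the Ariel event store shows why a query ending in "last 24 hours" returns a different count on each run while a START/STOP window is reproducible, and a helper rewrites the trailing relative clause of an exported query into absolute START/STOP literals. The event stream, its timestamps and the 330-event burst are constructed for the example; the helper assumes the exported query ends in the "last n hours/minutes/days" form shown above.

```python
# Added example (not code from the forum thread or from IBM): an in-memory
# stand-in for the Ariel event store demonstrating relative vs. absolute
# AQL time windows.  pin_time_window() rewrites the trailing relative
# clause of an exported query into START/STOP literals.
import re
from datetime import datetime, timedelta


def sample_events():
    """Constructed sample stream: one event per minute for three days, plus a
    constructed burst of 330 events at a single minute so that the count
    visibly changes as a relative window slides past it."""
    first = datetime(2021, 3, 16, 0, 0)
    events = [first + timedelta(minutes=i) for i in range(3 * 24 * 60)]
    events += [datetime(2021, 3, 16, 12, 1)] * 330
    return events


def count_last_hours(events, now, hours):
    """Relative window ('LAST n HOURS'): the lower bound is derived from the
    caller's wall clock, so the answer depends on when the query runs."""
    lower = now - timedelta(hours=hours)
    return sum(1 for t in events if lower < t <= now)


def count_fixed(events, start, stop):
    """Absolute window (START/STOP): the bounds are literals in the query, so
    the same events are selected no matter when it is evaluated."""
    return sum(1 for t in events if start <= t < stop)


# Trailing relative time clause as the search editor exports it (assumed form).
_RELATIVE_CLAUSE = re.compile(r"\s+last\s+\d+\s+(minutes|hours|days)\s*$",
                              re.IGNORECASE)


def pin_time_window(aql, start, stop):
    """Replace a trailing 'LAST n HOURS/MINUTES/DAYS' clause with START/STOP,
    using the 'yyyy-MM-dd HH:mm' literal form that AQL accepts."""
    base = _RELATIVE_CLAUSE.sub("", aql.rstrip())
    fmt = "%Y-%m-%d %H:%M"
    return f"{base} START '{start.strftime(fmt)}' STOP '{stop.strftime(fmt)}'"


if __name__ == "__main__":
    events = sample_events()
    first_run = datetime(2021, 3, 17, 12, 0)
    second_run = first_run + timedelta(minutes=2)   # "two minutes later"
    print("LAST 24 HOURS at 12:00:", count_last_hours(events, first_run, 24))
    print("LAST 24 HOURS at 12:02:", count_last_hours(events, second_run, 24))
    start, stop = datetime(2021, 3, 16, 12, 0), datetime(2021, 3, 17, 12, 0)
    print("START/STOP, any time:   ", count_fixed(events, start, stop))
    exported = "select qid from events where qid != '53502999' LIMIT 1000 last 24 hours"
    print(pin_time_window(exported, start, stop))
```

The two relative runs disagree only because the clock moved; the fixed window agrees with itself whenever it is run, which is what you want when a saved search result has to be reproduced from its AQL for a report or an investigation.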