Hi Karl,
Thank you for your response.
I would like to clarify here that in the rule test you only need to apply the part of the query which comes after
WHERE; that is why I have mentioned the half query.
Also, the query written by me works fine in Log Activity Advanced Search, but it does not work in the rule test.
Can you please run the query in the rule test and let me know if I am making any mistake?
------------------------------
Manzar Alam
------------------------------
Original Message:
Sent: Wed June 16, 2021 05:26 AM
From: Karl Jaeger
Subject: Rule Logic to get the sum of ByteSent by a user within one hour
Hi,
The restrictions on SUM function usage in your incomplete AQL sample are not dependent on the 7.3.3 release, but depend on the context of the function usage, which is restricted in general.
Please use the type-ahead function in AQL to see what is allowed in your specific release environment. That is part of our QA process as QRadar consultants. If not, you receive strange parse errors as shown. If your context usage is correct, it will work for you as shown in my sample, which BTW is a demo search for your use case. Unfortunately I have no historic flow use case available using SUM and flows. Tested on 7.3.3 and 7.4.3. Unfortunately there is no guarantee that AQL functions used in customer use cases will work forever :-)
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
Original Message:
Sent: Tue June 15, 2021 06:25 AM
From: Manzar Alam
Subject: Rule Logic to get the sum of ByteSent by a user within one hour
Hi All,
I am not able to use the below AQL query in the rule test. I am using QRadar 7.4.0; earlier I was able to do so in QRadar 7.3.3.
SUM("BytesSent") > 1111111111 group by sourceip
Desc: I am trying to get the source IPs which are sending more than 100 MB of data.
Please let me know how I can achieve the same using some alternate method.
------------------------------
Manzar Alam
------------------------------
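For reference, here is the full Log Activity Advanced Search form of the use case described in the original post, as an added example that is not part of the thread and not the query either participant posted. It assumes "BytesSent" is a custom event property holding a byte count (as the original query suggests) and expresses the 100 MB threshold from the description as 104857600 bytes. The aggregate lives in a HAVING clause, which is the Advanced Search context; as Karl notes, whether SUM is accepted depends on the context it is used in, so the rule test, which takes only the filter part after WHERE, is a different context from this search.

```sql
-- Added example (not from the original thread). Assumes "BytesSent" is a
-- custom event property holding a byte count; 100 MB = 104857600 bytes.
SELECT
    sourceip,
    SUM("BytesSent") AS total_bytes_sent,
    COUNT(*) AS event_count
FROM events
WHERE "BytesSent" IS NOT NULL
GROUP BY sourceip
HAVING SUM("BytesSent") > 104857600
LAST 1 HOURS
```

The WHERE clause is the only portion that is a plain per-event filter; GROUP BY and HAVING operate on the aggregated result set, which is why the comparison on SUM is placed there rather than in WHERE.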