IBM Security QRadar

  • 1.  How to extract offenses generated based on log source groups?

    Posted Thu July 11, 2019 11:17 AM
    Greetings All,
    We have multiple (~11-12) log source groups created based on locations, e.g. Dubai, Spain, US, etc. The ask is to track (on a monthly basis) the number of offenses generated per market (log source group).

    I tried to get the count from Offenses tab under "By Network" but that doesn't provide a working solution.

    Wondering if someone is aware of any AQL search or any other way which can be used to get this info?

    Thanks,

    ------------------------------
    kh
    ------------------------------


  • 2.  RE: How to extract offenses generated based on log source groups?

    Posted Fri July 12, 2019 12:12 AM
    Hi Hemant,

    Log source groups are only good for offenses of event type. If you have flow offenses, then your filter by log source group will not work.

    I suggest you create your network hierarchy, and then create an offense report monthly based on your network hierarchy. This way, you'll catch both event and flow offenses in the same report. Also, you can set your report to run each month automatically without any effort ;)

    I hope this helps.

    Regards,

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------
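The two posts above ask for a per-group, per-month offense count and point out that flow offenses carry no log source. The script below is an added example, not code from either poster and not an IBM-supplied tool. It does the aggregation offline on constructed sample data shaped like the three QRadar REST API responses its author assumes you would pull in a live deployment: `/api/siem/offenses` (offense `id`, `start_time` in epoch milliseconds, `log_sources[].id`), `/api/config/event_sources/log_source_management/log_sources` (log source `id`, `group_ids`) and `/api/config/event_sources/log_source_management/log_source_groups` (group `id`, `name`). Those field names are assumptions to check against the API documentation of your QRadar version before wiring this to a real instance. Offenses with no log source, such as flow offenses, are reported in a separate bucket rather than silently dropped, and an offense whose log sources span several groups is counted once in each group, so the per-group totals can exceed the raw offense count.

```python
"""Count QRadar offenses per log source group and per month.

Added example (not from the forum thread). Runs offline on constructed
data; the JSON field names mirror what the author of this example
assumes the QRadar REST API returns and must be verified against the
API docs of the target QRadar version.
"""
from collections import defaultdict
from datetime import datetime, timezone

# --- Constructed sample data (not from a real deployment) -------------------

# Assumed shape of GET /api/config/event_sources/log_source_management/log_source_groups
LOG_SOURCE_GROUPS = [
    {"id": 101, "name": "Dubai"},
    {"id": 102, "name": "Spain"},
    {"id": 103, "name": "US"},
]

# Assumed shape of GET /api/config/event_sources/log_source_management/log_sources
LOG_SOURCES = [
    {"id": 1, "name": "fw-dxb-01", "group_ids": [101]},
    {"id": 2, "name": "ad-mad-01", "group_ids": [102]},
    {"id": 3, "name": "proxy-nyc-01", "group_ids": [103]},
    {"id": 4, "name": "vpn-global", "group_ids": [101, 102]},  # one log source, two groups
]

# Assumed shape of GET /api/siem/offenses; start_time is epoch milliseconds (UTC)
OFFENSES = [
    {"id": 5001, "start_time": 1561973400000, "log_sources": [{"id": 1}]},              # 2019-07-01
    {"id": 5002, "start_time": 1562059800000, "log_sources": [{"id": 1}, {"id": 2}]},   # 2019-07-02
    {"id": 5003, "start_time": 1562578200000, "log_sources": [{"id": 4}]},              # 2019-07-08
    {"id": 5004, "start_time": 1562664600000, "log_sources": []},                       # flow offense
    {"id": 5005, "start_time": 1559381400000, "log_sources": [{"id": 3}]},              # 2019-06-01
]

NO_LOG_SOURCE = "(no log source, e.g. flow offense)"
UNKNOWN_LOG_SOURCE = "(log source not in inventory)"


def build_log_source_to_groups(log_sources, groups):
    """Map log source id -> list of group names it belongs to."""
    names = {g["id"]: g["name"] for g in groups}
    return {
        ls["id"]: [names.get(gid, f"group-{gid}") for gid in ls.get("group_ids", [])]
        for ls in log_sources
    }


def month_key(start_time_ms):
    """Bucket an epoch-millisecond timestamp into a 'YYYY-MM' string (UTC)."""
    return datetime.fromtimestamp(start_time_ms / 1000, tz=timezone.utc).strftime("%Y-%m")


def offenses_per_group_per_month(offenses, ls_to_groups):
    """Return {month: {group_name: offense_count}}.

    An offense is counted once per distinct group among its log sources.
    Offenses with no log sources (flow offenses) go into NO_LOG_SOURCE so
    the monthly total still reconciles with what the Offenses tab shows.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for offense in offenses:
        month = month_key(offense["start_time"])
        groups = set()
        for ls in offense.get("log_sources", []):
            groups.update(ls_to_groups.get(ls["id"], [UNKNOWN_LOG_SOURCE]))
        if not groups:
            groups = {NO_LOG_SOURCE}
        for group in groups:
            counts[month][group] += 1
    return {month: dict(per_group) for month, per_group in counts.items()}


def format_report(report):
    """Render the nested counts as plain text, one line per month/group."""
    lines = []
    for month in sorted(report):
        for group in sorted(report[month]):
            lines.append(f"{month}  {group:<40} {report[month][group]}")
    return "\n".join(lines)


if __name__ == "__main__":
    mapping = build_log_source_to_groups(LOG_SOURCES, LOG_SOURCE_GROUPS)
    print(format_report(offenses_per_group_per_month(OFFENSES, mapping)))
```

In a live deployment you would replace the three constants with the JSON returned by the corresponding API calls (authenticated with the `SEC` header token) and run the script once a month; the `NO_LOG_SOURCE` bucket is the part Anthony's reply warns about, since a log-source-group breakdown alone would leave those flow offenses uncounted.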



  • 3.  RE: How to extract offenses generated based on log source groups?

    Posted Fri July 12, 2019 12:57 AM
    Thanks Anthony.
    We have network hierarchy in place. Could you provide some guidance on how to run the offense report against NH?
    thanks,

    ------------------------------
    Hemant Kumar
    ------------------------------