IBM Security QRadar

Offenses Monthly report

  • 1.  Offenses Monthly report

    Posted 7 days ago
    Hi team,

    Can anyone provide an AQL query to get a monthly offense report, i.e. how many offenses were generated each day for the customer? I need to show it in chart format. I tried, but I'm not getting exact data.

    ------------------------------
    Abhishek Kakkireni
    ------------------------------


  • 2.  RE: Offenses Monthly report

    Posted 7 days ago
    Dear Abhishek,

    Yes, you can. There is a QID related to offense generation in IBM QRadar. You can check it via an event name search in Log Activity. Then you can write AQL and import that into the Pulse dashboard as well.

    Regards,
    Abdul Qudoos





  • 3.  RE: Offenses Monthly report

    Posted 6 days ago
    Hi Abhishek,

    Maybe this could be an idea or a matrix for your solution:

    SELECT QIDNAME(qid) AS 'Event Name',
           UniqueCount("sourceIP") AS 'Source IP (Unique Count)',
           UniqueCount("destinationIP") AS 'Destination IP (Unique Count)',
           UniqueCount("destinationPort") AS 'Destination Port (Unique Count)',
           UniqueCount(logSourceId) AS 'Log Source (Unique Count)',
           UniqueCount(category) AS 'Low Level Category (Unique Count)',
           UniqueCount("protocolId") AS 'Protocol (Unique Count)',
           UniqueCount("userName") AS 'Username (Unique Count)',
           MAX("magnitude") AS 'Magnitude (Maximum)',
           SUM("eventCount") AS 'Event Count (Sum)',
           COUNT(*) AS 'Count'
    FROM events
    WHERE qid='28250369'
    GROUP BY qid
    ORDER BY "Count" DESC
    LAST 30 DAYS

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 4.  RE: Offenses Monthly report

    Posted 5 days ago
    You can also get the offenses through the API (/siem/offenses). That's how I'm doing my reporting.

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------
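
Added example, not code from any poster in this thread or from IBM: one way to turn the output of the offenses API mentioned in the last post into the per-day counts asked for in the first post, with zero-offense days kept so the chart has no gaps. The console host name, the token value and the sample offenses are constructed placeholders; the script assumes `start_time` is epoch milliseconds and that days are bucketed in UTC.

```python
import json
from collections import Counter
from datetime import date, datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request


def build_request(console, token, since_ms):
    """Build (but do not send) a GET for offenses started at or after since_ms."""
    query = urlencode({"filter": f"start_time >= {since_ms}",
                       "fields": "id,start_time"})
    # SEC carries an authorized service token; host and token are placeholders.
    return Request(f"https://{console}/api/siem/offenses?{query}",
                   headers={"SEC": token, "Accept": "application/json"})


def offenses_per_day(offenses, first_day, days):
    """Count offenses per UTC calendar day, keeping days with zero offenses."""
    counts = Counter()
    for offense in offenses:
        started = datetime.fromtimestamp(offense["start_time"] / 1000,
                                         tz=timezone.utc)
        counts[started.date()] += 1
    window = [first_day + timedelta(days=i) for i in range(days)]
    # Offenses outside the window are ignored rather than misfiled.
    return [(day, counts.get(day, 0)) for day in window]


def ms(year, month, day, hour=0):
    """Epoch milliseconds for a UTC timestamp (used to build sample data)."""
    moment = datetime(year, month, day, hour, tzinfo=timezone.utc)
    return int(moment.timestamp() * 1000)


# Constructed sample shaped like a trimmed /siem/offenses response.
SAMPLE_OFFENSES = json.loads(json.dumps([
    {"id": 101, "start_time": ms(2024, 3, 1, 1)},
    {"id": 102, "start_time": ms(2024, 3, 1, 23)},
    {"id": 103, "start_time": ms(2024, 3, 3, 0)},   # exactly midnight UTC
    {"id": 104, "start_time": ms(2024, 3, 3, 12)},
    {"id": 105, "start_time": ms(2024, 2, 29, 23)},  # before the window
]))

if __name__ == "__main__":
    req = build_request("qradar.example.com", "PLACEHOLDER_TOKEN",
                        ms(2024, 3, 1))
    print(req.full_url)
    for day, count in offenses_per_day(SAMPLE_OFFENSES, date(2024, 3, 1), 4):
        print(day.isoformat(), count)
```

The `(day, count)` rows can be written to CSV and charted; the response of the built request, once fetched and parsed with `json.loads`, replaces `SAMPLE_OFFENSES`.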