IBM Security QRadar


Concat two custom properties against only one event type

  • 1.  Concat two custom properties against only one event type

    Posted Mon June 10, 2019 09:05 AM
    Hi,

    I am trying to use the (CONCAT) function to stick (customproperty1,customproperty2) together using an AQL custom property.

    Using CONCAT(customproperty1,customproperty2) works however the custom property appears on every event in the QRadar.

    I am trying to make the custom property only apply to events from devicetype 103 (Bluecoat SG Appliance). The following search works; however, I cannot make it work as an AQL custom property:

    select CONCAT(example,example2) FROM events WHERE "devicetype" = '103'

    Anyone aware of how to make this work?

    Regards,
    Jake



    ------------------------------
    Jake Addison
    ------------------------------


  • 2.  RE: Concat two custom properties against only one event type

    Posted Wed June 12, 2019 09:44 AM
    I do not believe there is a way to limit an AQL Custom Property to just one Type. I have about 7 AQL Custom Properties and they show up on all events.

    ------------------------------
    Patrick Barnes
    ------------------------------



  • 3.  RE: Concat two custom properties against only one event type

    Posted Thu June 13, 2019 06:24 AM
    How about something like:

    IF "devicetype" = '103'
    THEN CONCAT(example,example2) 
    ELSE NULL AS mynewaqlproperty

    ------------------------------
    Christopher Meenan
    ------------------------------



  • 4.  RE: Concat two custom properties against only one event type

    Posted Thu June 13, 2019 06:48 AM
    Hi Christopher,

    Just tried this and no luck, still showing 'Invalid AQL Property'.

    Have tested with custom and default properties along with different devicetypes, any other ideas?

    Kind Regards,
    Jake




    ------------------------------
    Jake Addison
    ------------------------------



  • 5.  RE: Concat two custom properties against only one event type

    Posted Thu June 13, 2019 11:37 AM
    I got it to work! The AQL was wrong.

    I created a custom prop called 'aqlproptest'

    IF devicetype = 41 THEN CONCAT(sourceip,destinationip)  ELSE NULL

    then did this in the log viewer and it worked :)


    select devicetype,"aqlproptest" from events last 1 MINUTES

    ------------------------------
    Christopher Meenan
    ------------------------------



  • 6.  RE: Concat two custom properties against only one event type

    Posted Fri June 14, 2019 06:00 AM
    Hi Christopher,

    Cheers again, however this still doesn't solve my problem.

    Yes, the AQL works, BUT "aqlproptest" will still show up in every event in the QRadar, it will just show NULL.

    I need to make it so that the AQL doesn't run at all against other events.

    If this isn't possible, is there another way of getting a bluecoat domain and URI to stick together? I haven't had any luck so far.

    Kind Regards,
    Jake

    ------------------------------
    Jake Addison
    ------------------------------



  • 7.  RE: Concat two custom properties against only one event type

    Posted Sun June 16, 2019 09:59 PM
    I see the problem now :/ I need to ask a couple of people about this....

    ------------------------------
    Christopher Meenan
    ------------------------------



  • 8.  RE: Concat two custom properties against only one event type

    Posted Tue June 18, 2019 12:10 PM
    Hi,

    Have also tried the following things without any luck:

    Override default property with new regex and custom string - there doesn't seem to be any valid default property to use in Bluecoat SG Appliance events.
    AQL filter as part of a rule - this search works, but as it contains "SELECT" etc. I can't use it as a filter query as part of a rule: select CONCAT(URL,urlpath) from(select "url" as 'URL (custom)',"urlpath" as 'urlpath (custom)' from events where referencesetcontains('test', "URL", "DomainID"))
    AQL custom property - not working, as discussed above.

    Is the only way to make this work getting the team in charge of the bluecoat SG appliance to try and edit the log format coming in? Maybe I am missing something?

    ------------------------------
    Jake Addison
    ------------------------------



  • 9.  RE: Concat two custom properties against only one event type

    Posted Tue June 18, 2019 01:11 PM
    Hi Jake,

    I asked someone here and they said go with the AQL custom property as I outlined above, and then use that in a rule. In the rule add a test for the BlueCoat log source e.g.


    ------------------------------
    Christopher Meenan
    ------------------------------



  • 10.  RE: Concat two custom properties against only one event type

    Posted Tue June 18, 2019 01:14 PM
    I know it's annoying that the property will appear next to every event in event details... but it's displayed as N/A and is only a visual thing. We need to get that worked on.

    ------------------------------
    Christopher Meenan
    ------------------------------
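    Added example (not from any post in this thread): the AQL property approach from posts 5, 9 and 10 applied to the Bluecoat case from the original question. The first line is the expression that goes into the AQL custom property editor; it assumes the custom properties "URL" and "urlpath" from post 8 exist for devicetype 103 (Bluecoat SG Appliance, per post 1) and the property is saved under the hypothetical name "bluecoat_full_url". The second statement is a log viewer search that shows only the rows where the property actually populated, so the N/A rows mentioned in post 10 stay out of the result.

```sql
IF devicetype = 103 THEN CONCAT("URL", "urlpath") ELSE NULL

SELECT devicetype, LOGSOURCENAME(logsourceid) AS logsource, "bluecoat_full_url"
FROM events
WHERE devicetype = 103 AND "bluecoat_full_url" IS NOT NULL
LAST 15 MINUTES
```

    The property itself is still evaluated for every event (the ELSE NULL branch is what other log sources get), so the devicetype filter in the search, or the log source test in a rule as post 9 describes, is what keeps the concatenated value scoped to Bluecoat events in practice. The IS NOT NULL condition is a second guard that also drops Bluecoat events where one of the two source properties failed to parse.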



  • 11.  RE: Concat two custom properties against only one event type

    Posted Fri July 12, 2019 12:52 AM
    Hi,

    You should use the DSM editor.

    Select your log source type.
    Find the property you want to extract, or if it's not there, create a new one.
    Select the property, and check the box "override system behavior".
    Enter your regex in the expression section.
    Then concat your captured fields in the format string box.

    For better results, use a log sample in the DSM editor, so you'll be able to validate your regex immediately.
    This way, you're sure that your property will only be visible for this log source type.

    Regards,

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 12.  RE: Concat two custom properties against only one event type

    Posted Fri July 12, 2019 05:32 AM
    Hi Anthony,

    Tried this route and sadly it doesn't work. You can only override default properties, you can't create a custom one and then override it. With the type of event I was doing it against, there were no free default properties.

    Tried every single possible option within the DSM editor and sadly for Bluecoat SG events it simply does not work, so I used the AQL as above and we just have to put up with the property showing up in other events, hope IBM sorts this soon.

    Kind Regards,
    Jake

    ------------------------------
    Jake Addison
    ------------------------------



  • 13.  RE: Concat two custom properties against only one event type

    Posted Fri July 12, 2019 01:52 PM
    Hi Jake,

    You might be running an older version of QRadar. Here's how you do it in 7.3.1 and later.

    In DSM editor:

    Create New

    Configure your new property

    Select your new property

    Configure your parsing

    DONE!
    That's the way it should be done in my opinion. This property will only be extracted for this type of log source.
    Now, if your system is running an outdated version, you'll have to consider upgrading your system to embrace all the new features that are being added year after year ;)

    Regards,

    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------