IBM QRadar

 View Only
  • 1.  Offense Query

    Posted Wed May 29, 2024 10:54 AM

    Hi everyone:

    i'm trying to make a dashboard item with offense data, i would like create query, but a cant find the id offense, someone know the name of the field id_offense to use in query, I wold like some like this

    This is my query
    SELECT QIDNAME(qid) as evento,DATEFORMAT(starttime, 'dd-MM-YYY HH:MM:SS') as "Date"
    FROM events
    where domainid =2 and logsourceid = 163 and evento ILIKE 'LATAM%%'
    ORDER BY date DESC
    LAST {time_span}
    Thans in advnace


    ------------------------------
    Luis Enrique Rodriguez Martinez
    ------------------------------


  • 2.  RE: Offense Query

    Posted Wed July 17, 2024 01:49 PM
    Edited by Karl Jaeger Wed July 17, 2024 01:57 PM

    Luis

    I think you are mixing multiple problems here. Thx for the screenshot that helped indeed!

    1. offense id is described in the API , pls check 2nd picture. The name is "offense_id" and you have to check table for offenses rather than for events cause its different! Of ourse there is a relationship between those two tables but only if the event has assigned an offense!
    2. I have modified your query and created a pulse widget which can be used to create a new dashboard. I believe that what you want is a new pulse dashboard although there are other dashboards as well. Pls be a little bit more espedific when posting questions cause your enquiry will have zero replies for a long time. 
    3. my simple AQL for events being related to events is SELECT 'offense_id' as offenseid FROM events where hasoffense = 1 ORDER BY offenseid DESC LAST 100 HOURS
    4. pls test your queries in log activity first before creating new widgets and dashboards in pulse. first Picture has dashboard widget
    dash
    api



    ------------------------------
    [Karl] [Jaeger] [#ibmchampion]
    [QRadar Specialist]
    [cnag]
    [Siegen] [Germany]
    ------------------------------



  • 3.  RE: Offense Query

    Posted Wed July 24, 2024 06:24 AM

    Hi Luis,

    i'm not sure, if you are aware about this. Maybe you should try out this... Just apply the IBM QRadar Security Analytics Self Monitoring Content Package: 

    https://exchange.xforce.ibmcloud.com/hub/extension/0be9613a768a5a05ea102535b7bce76a

    With this out-of-the-box dashboards come along in Pulse dealing with your request :)

    Pulse Offense Dashboard out-of-the-box - QRadar Selfmonitoring Content Packages

    Hope this helps you dealing with your requests...

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | Senior SIEM Expert
    connecT SYSTEMHAUS AG
    Siegen
    +491726365525
    ------------------------------