IBM Security QRadar

  • 1.  Reporting on Open offenses with magnitude greater than 7

    Posted Thu June 23, 2022 02:19 PM
    Does anyone have a search or an aql statement I can use to report on open offenses with a magnitude greater than 7? The best I can do is to report on rules that have a magnitude greater than 7.

    ------------------------------
    LUIS LATAS
    ------------------------------


  • 2.  RE: Reporting on Open offenses with magnitude greater than 7

    IBM Champion
    Posted Tue July 12, 2022 11:38 AM
    Hello @LUIS LATAS,

    Hope you are well :)

    I guess it is simpler to do it with the API or a psql statement.

    Sure, it's not the right answer, but if I had to do so I would start near that, if you have to do this via a search on events:

    SELECT "CRE Name", MIN("magnitude"), SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events where ( "deviceType"='18' AND "hasOffense"='true' and magnitude >7 ) GROUP BY "CRE Name" order by "Count" desc last 6 hours

    Hope this helps,

    Regards,

    @zoldax

    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------
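    Added example (not from the thread or from IBM) of the API route mentioned above: it calls GET /api/siem/offenses with the filter `status=OPEN and magnitude>7` and the SEC token header, re-checks the two conditions client-side, and orders the result highest magnitude first. The host and token come from assumed environment variables, and the SAMPLE list is a constructed response so the report logic runs offline.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Assumed connection details (not from the thread): set these in the environment.
QRADAR_HOST = os.environ.get("QRADAR_HOST", "qradar.example.internal")
SEC_TOKEN = os.environ.get("QRADAR_SEC_TOKEN", "")
FIELDS = "id,description,status,magnitude,severity,credibility,relevance,start_time,offense_source"


def offense_filter(min_magnitude=7):
    """Server-side filter: offenses still open and strictly above the threshold."""
    return f"status=OPEN and magnitude>{min_magnitude}"


def build_url(host, min_magnitude=7):
    """GET /api/siem/offenses with the filter and a reduced field list."""
    query = urllib.parse.urlencode({"filter": offense_filter(min_magnitude), "fields": FIELDS})
    return f"https://{host}/api/siem/offenses?{query}"


def fetch_offenses(host, token, min_magnitude=7):
    """Call the API with the SEC token header and return the decoded JSON list."""
    req = urllib.request.Request(build_url(host, min_magnitude),
                                 headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def report_rows(offenses, min_magnitude=7):
    """Re-check status/magnitude client-side (in case the filter was dropped) and sort."""
    rows = [o for o in offenses if o.get("status") == "OPEN" and o.get("magnitude", 0) > min_magnitude]
    rows.sort(key=lambda o: (-o["magnitude"], o["id"]))  # highest magnitude first, then by id
    return [{"id": o["id"], "magnitude": o["magnitude"],
             "opened": datetime.fromtimestamp(o["start_time"] / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ"),
             "source": o.get("offense_source", ""),
             "description": o.get("description", "").strip()} for o in rows]


# Constructed sample response shaped like /api/siem/offenses output (start_time is epoch ms).
SAMPLE = [
    {"id": 101, "description": "Multiple Login Failures followed by Success\n", "status": "OPEN",
     "magnitude": 9, "start_time": 1655993940000, "offense_source": "10.0.0.5"},
    {"id": 102, "description": "Excessive Firewall Denies", "status": "OPEN",
     "magnitude": 7, "start_time": 1655990340000, "offense_source": "10.0.0.9"},
    {"id": 103, "description": "Malware Detected", "status": "CLOSED",
     "magnitude": 10, "start_time": 1655900000000, "offense_source": "10.0.0.7"},
    {"id": 104, "description": "Outbound Connection to Suspicious Host", "status": "OPEN",
     "magnitude": 8, "start_time": 1655997540000, "offense_source": "10.0.0.12"},
]

if __name__ == "__main__":
    data = fetch_offenses(QRADAR_HOST, SEC_TOKEN) if SEC_TOKEN else SAMPLE
    for r in report_rows(data):
        print(f'{r["id"]:>6}  mag {r["magnitude"]:>2}  {r["opened"]}  {r["source"]:<15} {r["description"]}')
```

    Note that magnitude 7 itself is excluded, matching the "greater than 7" wording of the question; use `magnitude>=7` in the filter if you want it included.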



  • 3.  RE: Reporting on Open offenses with magnitude greater than 7

    Posted Thu July 14, 2022 09:55 AM
    Thanks.

    ------------------------------
    LUIS LATAS
    ------------------------------