IBM QRadar

Hello, 

------------------------------
Nelba Sanchez
------------------------------

Hello Nelba,

Could you please help me with the  exact file which need to be modified ?

Regards,

Madesh

------------------------------
Madesh Waran
------------------------------

Original Message:
Sent: Tue July 11, 2023 05:40 PM
From: Nelba Sanchez
Subject: Enable automatically disabled CEP

Hello, 

CEP is randomly disabled daily in our Qradar (CEP have been tuned and we known that they to be disabled due to performance issues). 

IBM support cannot review/do developments, so if someone has developed something similar please give us some advice. 

I have identified the postgres's tables that store the CEP and I think it would be to update the modification date and status from 'f' to 't' for those CEP's that are disabled during the day, for that we would have to orchestrate a process that runs periodically every 5 or 10 minutes. 

We should also see the dependencies of those tables in the data model to avoid problems.

Postgres's Tables:

 

-ariel_property_expression

-ariel_property_json_expres

-ariel_property_leef_expres

-ariel_property_cef_express

-ariel_property_aql_express

 

Columns to update:

Columnas:  enabled = 'f' y editdate = now()

Thank you in advance

 

Regards 

------------------------------
Nelba Sanchez
------------------------------

The custom properties can be re-enabled from the Admin tab. There is no need to modify the database tables when you receive the system notification. I would recommend that you contact support, if you are experiencing issues with custom properties being disabled. We likely want to review this appliance to confirm which properties need tuning. 

------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com
------------------------------

Original Message:
Sent: Mon March 11, 2024 07:08 AM
From: Madesh Waran
Subject: Enable automatically disabled CEP

Hello Nelba,

Could you please help me with the  exact file which need to be modified ?

Regards,

Madesh

------------------------------
Madesh Waran

Original Message:
Sent: Tue July 11, 2023 05:40 PM
From: Nelba Sanchez
Subject: Enable automatically disabled CEP

Hello, 

CEP is randomly disabled daily in our Qradar (CEP have been tuned and we known that they to be disabled due to performance issues). 

IBM support cannot review/do developments, so if someone has developed something similar please give us some advice. 

I have identified the postgres's tables that store the CEP and I think it would be to update the modification date and status from 'f' to 't' for those CEP's that are disabled during the day, for that we would have to orchestrate a process that runs periodically every 5 or 10 minutes. 

We should also see the dependencies of those tables in the data model to avoid problems.

Postgres's Tables:

 

-ariel_property_expression

-ariel_property_json_expres

-ariel_property_leef_expres

-ariel_property_cef_express

-ariel_property_aql_express

 

Columns to update:

Columnas:  enabled = 'f' y editdate = now()

Thank you in advance

 

Regards 

------------------------------
Nelba Sanchez
------------------------------

Thanks Madesh and Jonathan,

Finally, we use APIs to enable CEP that are continually disabled due to performance issues.

------------------------------
Nelba Sanchez
------------------------------

Original Message:
Sent: Mon March 11, 2024 09:11 AM
From: Jonathan Pechta
Subject: Enable automatically disabled CEP

The custom properties can be re-enabled from the Admin tab. There is no need to modify the database tables when you receive the system notification. I would recommend that you contact support, if you are experiencing issues with custom properties being disabled. We likely want to review this appliance to confirm which properties need tuning. 

------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com

Original Message:
Sent: Mon March 11, 2024 07:08 AM
From: Madesh Waran
Subject: Enable automatically disabled CEP

Hello Nelba,

Could you please help me with the  exact file which need to be modified ?

Regards,

Madesh

------------------------------
Madesh Waran

Original Message:
Sent: Tue July 11, 2023 05:40 PM
From: Nelba Sanchez
Subject: Enable automatically disabled CEP

Hello, 

CEP is randomly disabled daily in our Qradar (CEP have been tuned and we known that they to be disabled due to performance issues). 

IBM support cannot review/do developments, so if someone has developed something similar please give us some advice. 

I have identified the postgres's tables that store the CEP and I think it would be to update the modification date and status from 'f' to 't' for those CEP's that are disabled during the day, for that we would have to orchestrate a process that runs periodically every 5 or 10 minutes. 

We should also see the dependencies of those tables in the data model to avoid problems.

Postgres's Tables:

 

-ariel_property_expression

-ariel_property_json_expres

-ariel_property_leef_expres

-ariel_property_cef_express

-ariel_property_aql_express

 

Columns to update:

Columnas:  enabled = 'f' y editdate = now()

Thank you in advance

 

Regards 

------------------------------
Nelba Sanchez
------------------------------