IBM Security QRadar

For some strange reason, all my attempts to get the Event ID field from AQL are failing.  I've tried every combination of spaces and upper/lower case I can think of, but just get "N/A".  It works fine when I build a search with the GUI.  It shows up on the GUI display of the event.

This is for a custom DSM for a syslog LEEF log source.  So, I used the DSM editor to just have a LEEF expression of $eventid$.  It maps events just fine.

I.e., everything is fine except for AQL.  How do I get the Event ID with AQL?

Also, there's no mention of Event ID at Event, flow, and simarc fields for AQL queries - IBM Documentation

------------------------------
Dan Zerkle
------------------------------

The field I want is named "qideventid".  This is not documented anywhere.  I've asked IBM to document it.

------------------------------
Dan Zerkle
------------------------------

Original Message:
Sent: Mon February 28, 2022 09:27 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

For some strange reason, all my attempts to get the Event ID field from AQL are failing.  I've tried every combination of spaces and upper/lower case I can think of, but just get "N/A".  It works fine when I build a search with the GUI.  It shows up on the GUI display of the event.

This is for a custom DSM for a syslog LEEF log source.  So, I used the DSM editor to just have a LEEF expression of $eventid$.  It maps events just fine.

I.e., everything is fine except for AQL.  How do I get the Event ID with AQL?

Also, there's no mention of Event ID at Event, flow, and simarc fields for AQL queries - IBM Documentation

------------------------------
Dan Zerkle
------------------------------

"qidname(qid)" this returns event name, altrough it is documented as "event description", but it is eventID tested.

example:
List event names for last 1000 events
select qidname(qid)
from events
limit 1000



------------------------------
Miroslav Matijević
Information Security Engineer
Petrol d.d
Ljubljana
------------------------------

Original Message:
Sent: Tue March 01, 2022 08:48 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

The field I want is named "qideventid".  This is not documented anywhere.  I've asked IBM to document it.

------------------------------
Dan Zerkle

Original Message:
Sent: Mon February 28, 2022 09:27 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

For some strange reason, all my attempts to get the Event ID field from AQL are failing.  I've tried every combination of spaces and upper/lower case I can think of, but just get "N/A".  It works fine when I build a search with the GUI.  It shows up on the GUI display of the event.

This is for a custom DSM for a syslog LEEF log source.  So, I used the DSM editor to just have a LEEF expression of $eventid$.  It maps events just fine.

I.e., everything is fine except for AQL.  How do I get the Event ID with AQL?

Also, there's no mention of Event ID at Event, flow, and simarc fields for AQL queries - IBM Documentation

------------------------------
Dan Zerkle
------------------------------

Miroslav:  This is useful and correct, but beside the point.  The Event ID is not the same as the QID or Event Name.  The Event ID is a special field used by a DSM to map an event to a QID.

------------------------------
Dan Zerkle
------------------------------

Original Message:
Sent: Wed March 02, 2022 02:39 AM
From: Miroslav Matijević
Subject: How to fetch Event ID from AQL?

"qidname(qid)" this returns event name, altrough it is documented as "event description", but it is eventID tested.

example:
List event names for last 1000 events
select qidname(qid)
from events
limit 1000



------------------------------
Miroslav Matijević
Information Security Engineer
Petrol d.d
Ljubljana

Original Message:
Sent: Tue March 01, 2022 08:48 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

The field I want is named "qideventid".  This is not documented anywhere.  I've asked IBM to document it.

------------------------------
Dan Zerkle

Original Message:
Sent: Mon February 28, 2022 09:27 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

For some strange reason, all my attempts to get the Event ID field from AQL are failing.  I've tried every combination of spaces and upper/lower case I can think of, but just get "N/A".  It works fine when I build a search with the GUI.  It shows up on the GUI display of the event.

This is for a custom DSM for a syslog LEEF log source.  So, I used the DSM editor to just have a LEEF expression of $eventid$.  It maps events just fine.

I.e., everything is fine except for AQL.  How do I get the Event ID with AQL?

Also, there's no mention of Event ID at Event, flow, and simarc fields for AQL queries - IBM Documentation

------------------------------
Dan Zerkle
------------------------------

Try using below as reference:

select "collectorId" as 'Event Collector ID',"qidEventId" as 'Event ID',QIDNAME(qid) as 'Event Name',logsourcename(logSourceId) as 'Log Source',"eventCount" as 'Event Count',"startTime" as 'Start Time',categoryname(category) as 'Low Level Category',"sourceIP" as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as 'Destination IP',"destinationPort" as 'Destination Port',"userName" as 'Username',"magnitude" as 'Magnitude' from events

To get the event ID: "qidEventId" as 'Event ID'

------------------------------
Namit Maurya
------------------------------

Original Message:
Sent: Mon February 28, 2022 09:27 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

For some strange reason, all my attempts to get the Event ID field from AQL are failing.  I've tried every combination of spaces and upper/lower case I can think of, but just get "N/A".  It works fine when I build a search with the GUI.  It shows up on the GUI display of the event.

This is for a custom DSM for a syslog LEEF log source.  So, I used the DSM editor to just have a LEEF expression of $eventid$.  It maps events just fine.

I.e., everything is fine except for AQL.  How do I get the Event ID with AQL?

Also, there's no mention of Event ID at Event, flow, and simarc fields for AQL queries - IBM Documentation

------------------------------
Dan Zerkle
------------------------------

Namit-

Yes, the correct answer to my problem is "qideventid".  This was very difficult to find, because the field is not documented.

------------------------------
Dan Zerkle
------------------------------

Original Message:
Sent: Mon April 25, 2022 02:20 AM
From: Namit Maurya
Subject: How to fetch Event ID from AQL?

Try using below as reference:

select "collectorId" as 'Event Collector ID',"qidEventId" as 'Event ID',QIDNAME(qid) as 'Event Name',logsourcename(logSourceId) as 'Log Source',"eventCount" as 'Event Count',"startTime" as 'Start Time',categoryname(category) as 'Low Level Category',"sourceIP" as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as 'Destination IP',"destinationPort" as 'Destination Port',"userName" as 'Username',"magnitude" as 'Magnitude' from events

To get the event ID: "qidEventId" as 'Event ID'

------------------------------
Namit Maurya

Original Message:
Sent: Mon February 28, 2022 09:27 PM
From: Dan Zerkle
Subject: How to fetch Event ID from AQL?

For some strange reason, all my attempts to get the Event ID field from AQL are failing.  I've tried every combination of spaces and upper/lower case I can think of, but just get "N/A".  It works fine when I build a search with the GUI.  It shows up on the GUI display of the event.

This is for a custom DSM for a syslog LEEF log source.  So, I used the DSM editor to just have a LEEF expression of $eventid$.  It maps events just fine.

I.e., everything is fine except for AQL.  How do I get the Event ID with AQL?

Also, there's no mention of Event ID at Event, flow, and simarc fields for AQL queries - IBM Documentation

------------------------------
Dan Zerkle
------------------------------