IBM Security QRadar SOAR

AQL Threshold rule using the HAVING clause not working

  • 1.  AQL Threshold rule using the HAVING clause not working

    Posted Wed January 25, 2023 03:36 AM
    Hi all,

    I am trying to create a threshold rule using an AQL saved search. The saved search is retrieving the data as it's supposed to, but when I try to create a threshold rule I receive the following error on the rule finish page:

    "The accumulated data view cannot be created because your saved search contains HAVING clause."

    The query looks like this:

    SELECT "userName" AS 'Username', logsourcename(logSourceId) AS 'Log Source', COUNT(*) AS 'Count'
    from events where ( "creEventList"='100063' AND Username IS NOT NULL)
    GROUP BY "userName", logSourceId
    HAVING COUNT(*) > '9.0' order by "Count"

    Appreciate your help,

    ------------------------------
    Haitham Aletiewi
    ------------------------------


  • 2.  RE: AQL Threshold rule using the HAVING clause not working

    Posted Thu January 26, 2023 04:29 AM
    Hi Haitham,

    Since this is QRadar AQL you might get a better response posting it in the QRadar community rather than the SOAR community.

    ------------------------------
    BEN WILLIAMS
    ------------------------------