IBM Security QRadar

  • 1.  Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately

    Posted Mon March 20, 2023 07:02 AM

    Hello,

    We have used a few IBM links to determine our EPS spikes and EPS averages, but these links started to be confusing from one architecture to another.
    (These were: https://www.ibm.com/support/pages/qradar-determining-events-second-rate-each-log-source-qradar & https://www.ibm.com/support/pages/node/6406002)

    What we need most:


    1 - EPS spikes & average EPS for "24 hours" according to event collector or event processor:

    P.S. EPS values must be without health metrics etc. (QRadar's own logs)


    2 - EPS spikes & average EPS for "24 hours" according to event collector or event processor, grouped by every log source (on the selected event collector or event processor)

    P.S. EPS values must be without health metrics etc. (QRadar's own logs)

    3 - How to see 1 & 2 (indicated above) with QRadar's own metrics (again "24 hours")

    We can use AQL queries.


    May I know the most recommended and useful methods to be able to clearly see the required results above?

    Thanks,
    Best regards,



    ------------------------------
    Onur Tufan
    ------------------------------


  • 2.  RE: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately

    IBM Champion
    Posted Fri April 14, 2023 12:20 PM

    Hi,
    You need to combine your AQL searches into a dashboard, using either saved searches or widgets for the new UI, to combine all the values you are looking for. The samples are useful. Please follow the guidelines and use grouping and filtering to meet your specification. Different architectures may produce different results. Where is the confusion? Here is my standard test result. Modify this using AQL expressions like:

    SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 300 AS "EPS in Interval" FROM events WHERE "Log Source" <> 'Anomaly Detection Engine-2 :: qradar' AND "Log Source" <> 'Health Metrics-2 :: qradar' GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 24 HOURS


    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately

    Posted Mon April 17, 2023 01:50 AM

    Hello Karl,

    Thank you for the answer. Does this expression ("<>") exclude those log sources?

    Thanks!
    Best regards,

    Onur



    ------------------------------
    Onur Tufan
    ------------------------------



  • 4.  RE: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately

    IBM Champion
    Posted Mon April 17, 2023 06:23 AM

    Onur,
    Correct. The expression "Object Name" <> 'specific name' (the object name in double quotes does not equal the specific name in single quotes) excludes the internal log source in this case.
    Beware of the quotation rules, which can be tricky!



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 5.  RE: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately

    Posted Tue April 18, 2023 05:10 AM

    (Just a side note, if I'm not mistaken) the periods appear to be out of sync in the sample query: I'd assume either SUM(eventcount) / 300 with LAST 5 MINUTES at the end, or SUM(eventcount) / (24*60*60) with LAST 24 HOURS at the end.



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
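The two AQL queries below pull together the points made in the thread (Karl's per-log-source grouping with internal sources excluded, and Dusan's remark that the divisor must match the time range) as an added example; they are not from the thread, from IBM, or from any QRadar documentation, and are written as AQL in a SQL fence. The first gives the 24-hour average EPS per log source on one event processor; the second finds spikes by bucketing the same data into one-minute intervals and listing the busiest buckets. Assumptions: the processor name 'ep01.example.local' is a placeholder for a name in your deployment, the filter on PROCESSORNAME(processorid) is assumed to be available on your QRadar version (verify it before relying on it), and the internal log-source names are the two from Karl's query, which differ between deployments. SUM(eventcount) is used rather than COUNT(*) so that coalesced events are counted.

```sql
-- Added example (not from the thread). Query 1: 24-hour average EPS per
-- log source on a single event processor, excluding QRadar's own internal
-- log sources. The divisor (86400 s) matches the LAST 24 HOURS range.
SELECT
  LOGSOURCENAME(logsourceid) AS "Log Source",
  SUM(eventcount)            AS "Events in 24h",
  SUM(eventcount) / 86400    AS "Average EPS (24h)"
FROM events
WHERE PROCESSORNAME(processorid) = 'ep01.example.local'             -- assumption: placeholder processor name
  AND LOGSOURCENAME(logsourceid) <> 'Health Metrics-2 :: qradar'       -- internal names taken from Karl's query;
  AND LOGSOURCENAME(logsourceid) <> 'Anomaly Detection Engine-2 :: qradar'  -- adjust to your deployment
GROUP BY "Log Source"
ORDER BY "Average EPS (24h)" DESC
LAST 24 HOURS

-- Query 2: EPS spikes. Bucket events into one-minute intervals per log
-- source, divide by 60 s so the divisor matches the bucket, and keep the
-- 25 busiest buckets of the last 24 hours. Each row is a (minute, log
-- source) pair, so the top rows are the spikes and show when they occurred.
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS "Minute",
  LOGSOURCENAME(logsourceid)                AS "Log Source",
  SUM(eventcount)                           AS "Events in Minute",
  SUM(eventcount) / 60                      AS "EPS in Minute"
FROM events
WHERE PROCESSORNAME(processorid) = 'ep01.example.local'             -- assumption: placeholder processor name
  AND LOGSOURCENAME(logsourceid) <> 'Health Metrics-2 :: qradar'
  AND LOGSOURCENAME(logsourceid) <> 'Anomaly Detection Engine-2 :: qradar'
GROUP BY "Minute", "Log Source"
ORDER BY "Events in Minute" DESC
LIMIT 25
LAST 24 HOURS
```

Run each query separately in the Log Activity tab (Advanced Search) or through the Ariel search API. Dropping the PROCESSORNAME condition gives the deployment-wide figures; changing the bucket to 'yyyy-MM-dd HH' and the divisor to 3600 gives hourly rather than per-minute spikes, as long as the two stay in step.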