Global Security Forum

  • 1.  Eps generated by a network in siem qradar

    Posted Tue February 14, 2023 11:40 AM

    Hey guys,

    I would like some help: I would like to know how many EPS a network sends to QRadar, specifically how many EPS this particular network sends.

    For example, I have the 1010.0.x/24 network, but I couldn't generate a query that brings the average EPS correctly.

    Thanks already for the help.

    My regards.

    André



    ------------------------------
    André Dombrosque
    Service IT Security
    São Paulo
    ------------------------------


  • 2.  RE: Eps generated by a network in siem qradar

    Posted Wed February 15, 2023 05:29 AM

    This one should give you an overview for the last 6h grouped by SourceNetwork:

    SELECT FULLNETWORKNAME(SourceIP, DomainID) AS 'SourceNetwork',
    UniqueCount("logsourceid") AS 'LogSources (Unique Count)',
    UniqueCount(qid) AS 'Event Name (Unique Count)',
    UniqueCount(category) AS 'Low Level Category (Unique Count)',
    UniqueCount("sourceIP") AS 'Source IP (Unique Count)',
    UniqueCount("destinationIP") AS 'Destination IP (Unique Count)',
    UniqueCount("destinationPort") AS 'Destination Port (Unique Count)',
    UniqueCount("userName") AS 'Username (Unique Count)',
    MAX("magnitude") AS 'Magnitude (Maximum)',
    SUM("eventCount") AS 'Event Count (Sum)',
    SUM("eventCount") / (6*60*60) AS "EPS"
    FROM events
    GROUP BY SourceNetwork
    ORDER BY "Event Count (Sum)" DESC
    LAST 6 HOURS



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
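    The query above derives EPS per source network as SUM(eventCount) over the search window divided by the window length in seconds, so the 6*60*60 divisor must always match the LAST clause. The following Python script is an added example, not code from this thread or from IBM; it reproduces that calculation offline against a handful of constructed event records so the arithmetic can be checked without a QRadar console. The network hierarchy names and CIDRs are hypothetical stand-ins for a real deployment's hierarchy, resolved with longest-prefix match the way FULLNETWORKNAME resolves an IP to its most specific network. Note that eventCount is honoured so coalesced events are not undercounted, events outside the window are dropped just as LAST 6 HOURS drops them, and the result is an average over the whole window, so a bursty network that was quiet for most of the 6 hours shows a low figure.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a QRadar network hierarchy (hypothetical names and CIDRs).
NETWORK_HIERARCHY = {
    "Net-10-172-192.Net_10_0_0_0": ip_network("10.0.0.0/8"),
    "Net-10-172-192.Net_10_0_0_0.Servers": ip_network("10.10.0.0/24"),
    "Net-10-172-192.Net_192_168_0_0.Workstations": ip_network("192.168.1.0/24"),
}


def full_network_name(ip):
    """Return the most specific hierarchy name containing ip, or 'other'.

    Longest-prefix match mirrors how QRadar resolves an address to a network.
    """
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in NETWORK_HIERARCHY.items() if addr in net]
    return max(matches)[1] if matches else "other"


def eps_by_network(events, window_start_ms, window_end_ms):
    """Sum eventCount per source network inside the window and divide by its length.

    Returns a dict ordered by event count descending, like the AQL ORDER BY.
    """
    window_seconds = (window_end_ms - window_start_ms) / 1000
    if window_seconds <= 0:
        raise ValueError("window must be non-empty")
    totals = defaultdict(int)
    for ev in events:
        # LAST 6 HOURS in AQL filters on starttime; do the same here.
        if not (window_start_ms <= ev["starttime"] < window_end_ms):
            continue
        # eventCount > 1 means QRadar coalesced identical events; count all of them.
        totals[full_network_name(ev["sourceip"])] += ev["eventcount"]
    return {
        name: {"event_count": total, "eps": total / window_seconds}
        for name, total in sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    }


# Constructed sample events (starttime in epoch milliseconds, as QRadar stores it).
SIX_HOURS_MS = 6 * 60 * 60 * 1000
SAMPLE_EVENTS = [
    {"starttime": 1_000, "sourceip": "10.10.0.5", "eventcount": 10_800},
    {"starttime": 2_000, "sourceip": "10.10.0.7", "eventcount": 10_800},
    {"starttime": 3_000, "sourceip": "10.20.3.4", "eventcount": 2_160},
    {"starttime": 4_000, "sourceip": "192.168.1.9", "eventcount": 216},
    {"starttime": 5_000, "sourceip": "203.0.113.5", "eventcount": 43_200},
    # Outside the window: must be ignored, however large its count.
    {"starttime": 25_000_000, "sourceip": "10.10.0.5", "eventcount": 99_999},
]

if __name__ == "__main__":
    for name, row in eps_by_network(SAMPLE_EVENTS, 0, SIX_HOURS_MS).items():
        print(f"{name:45} events={row['event_count']:>7} eps={row['eps']:.3f}")
```

    Run as-is the script prints four rows; the two /24 "Servers" hosts sum to 21600 events, i.e. exactly 1.0 EPS over the 6-hour window, while the out-of-window record contributes nothing. To point this at real data, replace SAMPLE_EVENTS with the rows returned by the same AQL search and keep the window boundaries aligned with its LAST clause.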



  • 3.  RE: Eps generated by a network in siem qradar

    Posted Wed February 15, 2023 08:16 AM

    Hello Mr. VIDOVIC,

    Thank you for your help, the query you provided worked.

    Best Regards,



    ------------------------------
    André Dombrosque
    Service IT Security
    São Paulo
    ------------------------------