IBM Security QRadar


Need help in creating a rule in QRadar

  • 1.  Need help in creating a rule in QRadar

    Posted Mon March 25, 2024 05:57 AM

    Hi, I have created/tuned an AQL query to observe total bytes sent from one source IP to one or more destination IPs. While the AQL query is working as expected, I would like to convert it into a rule, but I am unable to do so with the predefined functions. Could someone guide me please? Below is the AQL query; redacted information is highlighted in RED. Log source is Cisco FMC.

    SELECT
        "sourceIP" AS 'Source IP',
        IF UniqueCount("destinationIP") > 1.0
            THEN CONCAT('Multiple (', LONG(UniqueCount("destinationIP")), ')')
            ELSE STR("destinationIP") AS 'Destination IP (Unique Count)',
        IF UniqueCount("destinationPort") > 1.0
            THEN CONCAT('Multiple (', LONG(UniqueCount("destinationPort")), ')')
            ELSE STR("destinationPort") AS 'Destination Port (Unique Count)',
        IF UniqueCount(QIDNAME(qid)) > 1.0
            THEN CONCAT('Multiple (', LONG(UniqueCount(QIDNAME(qid))), ')')
            ELSE STR(QIDNAME(qid)) AS 'Event Name (Unique Count)',
        IF UniqueCount(LOGSOURCENAME(logSourceId)) > 1.0
            THEN CONCAT('Multiple (', LONG(UniqueCount(LOGSOURCENAME(logSourceId))), ')')
            ELSE STR(LOGSOURCENAME(logSourceId)) AS 'This Log Source (Unique Count)',
        IF UniqueCount(CATEGORYNAME(category)) > 1.0
            THEN CONCAT('Multiple (', LONG(UniqueCount(CATEGORYNAME(category))), ')')
            ELSE STR(CATEGORYNAME(category)) AS 'Low Level Category (Unique Count)',
        IF UniqueCount("protocolId") > 1.0
            THEN CONCAT('Multiple (', LONG(UniqueCount("protocolId")), ')')
            ELSE STR("protocolId") AS 'Protocol (Unique Count)',
        SUM("eventCount") AS 'Event Count (Sum)',
        COUNT(*) AS 'Count',
        SUM("Bytes Sent") AS 'Sent Bytes(Sum)'
    FROM events
    WHERE
        ("domainId" = 'XXX')
        AND ("deviceGroupList" = 'XXXXX(firewall)')
        AND (INCIDR('10.0.0.0/8', "sourceIP")
             OR INCIDR('172.16.0.0/12', "sourceIP")
             OR INCIDR('192.168.0.0/16', "sourceIP"))
        AND (NOT INCIDR('10.0.0.0/8', "destinationIP")
             AND NOT INCIDR('172.16.0.0/12', "destinationIP")
             AND NOT INCIDR('192.168.0.0/16', "destinationIP"))
        AND (FULLNETWORKNAME("destinationIP", "domainId") != 'XXXXXXXX')
        AND (NOT REFERENCESETCONTAINS('XXXXXXX', "destinationIP", "domainId"))
        AND QIDNAME(qid) = 'CONNECTION_STATISTICS - Allow'
    GROUP BY "sourceIP"
    HAVING "Sent Bytes(Sum)" > 1000000000



    ------------------------------
    krishna Tarun Mallareddy
    ------------------------------
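
The detection logic the query above expresses, written out as an added Python example (this is not part of the original post and not QRadar code): per-event filtering to RFC 1918 sources talking to non-RFC 1918 destinations on allowed connections, a per-source sum of bytes sent, and the 1 GB threshold applied to that sum. The sample events, the field names, the `ALLOWED_DESTINATIONS` set that stands in for the query's reference set, and the `unique_or_multiple()` helper that mirrors the `IF UniqueCount(...) > 1.0 THEN 'Multiple (n)'` columns are all constructed assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Cisco FMC connection events, normalised to the QRadar
# fields the posted query uses. These records are made up for this example.
SAMPLE_EVENTS = [
    {"sourceIP": "10.1.2.3", "destinationIP": "203.0.113.10", "destinationPort": 443,
     "eventName": "CONNECTION_STATISTICS - Allow", "bytesSent": 600_000_000},
    {"sourceIP": "10.1.2.3", "destinationIP": "198.51.100.7", "destinationPort": 443,
     "eventName": "CONNECTION_STATISTICS - Allow", "bytesSent": 500_000_000},
    # internal-to-internal transfer: dropped by the destination CIDR filter
    {"sourceIP": "10.1.2.3", "destinationIP": "192.168.50.9", "destinationPort": 445,
     "eventName": "CONNECTION_STATISTICS - Allow", "bytesSent": 5_000_000_000},
    # blocked connection: dropped by the event-name filter
    {"sourceIP": "10.9.9.9", "destinationIP": "203.0.113.99", "destinationPort": 22,
     "eventName": "CONNECTION_STATISTICS - Block", "bytesSent": 9_000_000_000},
    # host that stays under the 1 GB threshold
    {"sourceIP": "172.16.4.4", "destinationIP": "203.0.113.10", "destinationPort": 443,
     "eventName": "CONNECTION_STATISTICS - Allow", "bytesSent": 20_000_000},
    # approved external destination (stand-in for the reference set): dropped
    {"sourceIP": "192.168.1.10", "destinationIP": "203.0.113.200", "destinationPort": 443,
     "eventName": "CONNECTION_STATISTICS - Allow", "bytesSent": 3_000_000_000},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed stand-in for the reference set the query checks with REFERENCESETCONTAINS().
ALLOWED_DESTINATIONS = {"203.0.113.200"}
ALLOW_EVENT = "CONNECTION_STATISTICS - Allow"
THRESHOLD_BYTES = 1_000_000_000  # HAVING "Sent Bytes(Sum)" > 1000000000


def is_private(ip):
    """Equivalent of the three INCIDR() tests against RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def matches_filter(ev):
    """Per-event WHERE clause: internal source, external destination that is
    not on the approved list, and an allowed connection only."""
    return (is_private(ev["sourceIP"])
            and not is_private(ev["destinationIP"])
            and ev["destinationIP"] not in ALLOWED_DESTINATIONS
            and ev["eventName"] == ALLOW_EVENT)


def unique_or_multiple(values):
    """Mirror of IF UniqueCount(x) > 1.0 THEN CONCAT('Multiple (', n, ')') ELSE STR(x)."""
    distinct = set(values)
    if len(distinct) > 1:
        return f"Multiple ({len(distinct)})"
    return str(next(iter(distinct)))


def summarise(events, threshold=THRESHOLD_BYTES):
    """GROUP BY sourceIP, SUM the bytes, keep groups above the threshold."""
    groups = defaultdict(list)
    for ev in events:
        if matches_filter(ev):
            groups[ev["sourceIP"]].append(ev)
    rows = []
    for src, evs in sorted(groups.items()):
        total = sum(ev["bytesSent"] for ev in evs)
        if total > threshold:
            rows.append({
                "Source IP": src,
                "Destination IP (Unique Count)": unique_or_multiple(e["destinationIP"] for e in evs),
                "Destination Port (Unique Count)": unique_or_multiple(e["destinationPort"] for e in evs),
                "Count": len(evs),
                "Sent Bytes(Sum)": total,
            })
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_EVENTS):
        print(row)
```

With the sample data only 10.1.2.3 crosses the threshold (two allowed external connections totalling 1.1 GB); the 172.16.4.4 host only appears if the threshold is lowered, which is the knob any rule built from this logic needs to expose alongside the time window over which the sum is taken.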