IBM Support

QRadar: Creating a search for a report to show Offense Data

Troubleshooting


Problem

How to create a saved search that a report can run to show offense data.

Resolving The Problem

Procedure to create a search to report Offense Data

  1. From the QRadar web user interface, go to the Log Activity tab. Click Search > Edit Search.
  2. Under Search Parameters:
    1. Select Associated With Offense Equal True.
    2. Select Log Source Type is Custom Rule Engine.
  3. Click Filter to run the search.
  4. When the results come back, open one of the events and select Extract Property.
  5. Enter a name in New Property, for example NewCustom. In the RegEx field, use
     (.+?)\t
     This non-greedy pattern captures the event payload text up to the first tab character.
  6. Add a Log Source Type and set the Category to High Level Category: Any and Low Level Category: Any so that the property is extracted from every Custom Rule Engine event. If you leave the category as it was pre-filled from the event you opened, the property is locked down to just that one QID.
  7. Go back to your saved search.
  8. Under Column Definitions, add this new custom event property and put it in Group By. Also put Source IP in Group By. You can add further columns by putting them in Columns.
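The extraction and grouping that steps 5 through 8 configure in the UI, shown as an added Python example (not part of the IBM technote and not QRadar code). The event payloads are constructed for illustration and assume a tab-separated layout whose first field is the rule name; that layout is an assumption, not QRadar's documented Custom Rule Engine payload format. The example applies the technote's regex `(.+?)\t`, contrasts it with the greedy `(.+)\t` to show why the non-greedy form is used, and then groups the matching events by the extracted property and Source IP as the report would.

```python
import re
from collections import Counter

# Constructed sample events. The payload layout (rule name, then tab-separated
# fields) is an assumption for illustration only, not QRadar's real CRE format.
SAMPLE_EVENTS = [
    {"sourceip": "10.0.0.5", "payload": "Multiple Login Failures\tsourceip=10.0.0.5\tcount=12"},
    {"sourceip": "10.0.0.5", "payload": "Multiple Login Failures\tsourceip=10.0.0.5\tcount=30"},
    {"sourceip": "10.0.0.9", "payload": "Outbound Port Scan\tsourceip=10.0.0.9\tcount=200"},
    {"sourceip": "10.0.0.9", "payload": "No tabs in this payload"},
]

# The technote's regex: non-greedy, so the capture stops at the FIRST tab.
NEW_CUSTOM_RE = re.compile(r"(.+?)\t")
# Greedy variant for contrast: the capture runs to the LAST tab.
GREEDY_RE = re.compile(r"(.+)\t")


def extract_property(payload, pattern=NEW_CUSTOM_RE):
    """Return capture group 1, or None when the regex does not match.

    A QRadar regex-based custom property likewise yields no value for events
    whose payload does not match the pattern.
    """
    match = pattern.search(payload)
    return match.group(1) if match else None


def group_by_property_and_source(events):
    """Emulate step 8: group by the custom property and Source IP, counting events.

    Events where the property did not extract are left out of the grouping.
    """
    counts = Counter()
    for event in events:
        prop = extract_property(event["payload"])
        if prop is None:
            continue
        counts[(prop, event["sourceip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(
            "non-greedy:", repr(extract_property(event["payload"])),
            "| greedy:", repr(extract_property(event["payload"], GREEDY_RE)),
        )
    for (prop, ip), n in group_by_property_and_source(SAMPLE_EVENTS).items():
        print(f"{prop:<25} {ip:<12} {n}")
```

The greedy form would swallow every field up to the last tab, so the "rule name" column in the report would contain most of the payload; the non-greedy `(.+?)\t` is what keeps the property to the first field.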




Results: You can now save this as a Saved Search and run Reports against it.


Where do you find more information?

Product: IBM Security QRadar SIEM
Component: Offense Manager
Platform: Linux
Version: 7.1; 7.2
Edition: Enterprise

Historical Number

1212

Document Information

Modified date:
16 June 2018

UID

swg21622340