Topic
  • 6 replies
  • Latest Post - ‏2016-06-30T06:03:17Z by SunilNishankar
gregorin
3 Posts

Pinned topic Custom Rule Match

‏2015-11-05T16:04:55Z | api aql

Hello guys,

I am looking for a command in AQL that gives the same result as a "custom rule", meaning the logs that the CRE found matched.

Similar to the INOFFENSE function.

Thank you

  • Taylor.Osmun (IBM)
    55 Posts
    ACCEPTED ANSWER

    Re: Custom Rule Match

    ‏2015-11-09T13:57:52Z  

    Hi Gregori,

     

    Using AQL, the 'creeventlist' property will return a set of rule IDs that a given event has matched.

    However, there is currently no supported method of retrieving the rule ID for your rule.

    The RULENAME function allows you to get the rule name for a given ID, but not the other way around.

    I would encourage you to open a Request For Enhancement (RFE) to get this functionality:

    How to open a Request for Enhancement (RFE) for QRadar:
      1. Click the following link to go to the QRadar SIEM RFE page: https://ibm.biz/BdRPx5
      2. Log in to the support portal page.
      3. Click the Submit tab and fill in the required information.

     

    If you knew the ID of the rule you wanted to check against, you could use an AQL query like this:

       SELECT * FROM events WHERE creeventlist = 100343

       There is currently no AQL 'IN' operator, so the above reads as: 100343 IN creeventlist

     

    Taylor Osmun

    Software Engineer
    IBM Security Systems

     

  • gregorin
    3 Posts

    Re: Custom Rule Match

    ‏2015-11-08T13:59:24Z  

    Bumped.



  • gregorin
    3 Posts

    Re: Custom Rule Match

    ‏2015-11-09T14:34:00Z  


    Thank you for the help,

    We actually did almost exactly as you described.

    We used the INOFFENSE function with CRE Name,

    then used the CRE Name with RULENAME to get the logs associated with the rules.

    Step 1
    SELECT *,"CRE Name","CRE Description" FROM events WHERE logsourceid='63' AND INOFFENSE(191) START '2015-11-08 21:15'
    Step 2
    SELECT * FROM events WHERE logsourceid <> 63 AND INOFFENSE(190) START '2015-11-08 21:11' AND RULENAME(creEventList) ILIKE '%Connection to Internet on Unauthorized Port%'

    I still don't get how you can extract a single rule ID; I always get Multiple(18) and can't use it.
    My method is based on an all-in-one SIEM in which the CRE is always logsourceid 63. What do I do in the case of more than one EP?

    Is there a way to query the CRE log sources?

    Thank you


  • Taylor.Osmun (IBM)
    55 Posts

    Re: Custom Rule Match

    ‏2015-11-09T18:01:00Z  
    • gregorin
    • ‏2015-11-09T14:34:00Z


    Hi Gregori,

     

    The UI will only show 'Multiple(X)'. You can retrieve the first 5 results via the API (GET /ariel/searches/{search_id}/results).

    However, there is no way of retrieving the full list in your SELECT statement, either through the UI or API. If you need this functionality, another RFE would be recommended.

     

    As for the logsourceid: is it possible to narrow down your desired log sources by name? If so, you could run a query like:

       SELECT * FROM events WHERE LogSourceName(logsourceid) LIKE '%Something%'

     

    Taylor Osmun

    Software Engineer
    IBM Security Systems
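An added example, not code from this thread or from IBM, showing the route Taylor describes end to end: build the `creeventlist = <rule id>` query (with the RULENAME(creeventlist) ILIKE fallback for when only the rule name is known, quoting the name so a stray single quote cannot break out of the AQL literal), submit it with POST /api/ariel/searches, poll the search until it reports COMPLETED, then page through /results with Range headers instead of reading only the first rows. It also flags list-valued string fields that end in "...]", the shape a later reply in this thread reports for customRulesMatched, so a consumer does not treat such a row as the complete rule list. The endpoints, the SEC and Version headers and the inclusive Range syntax are the documented QRadar REST API; the host name, token, rule ID, timestamps and the FakeQRadar responses are assumptions made for the example.

```python
# Added example: AQL rule-match search via the QRadar Ariel REST API.
# Endpoints/headers are the documented API; host, token, rule ID and the
# FakeQRadar responses below are assumptions, not captured QRadar output.
import json
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# (method, url, extra headers) -> decoded JSON body
Transport = Callable[[str, str, Dict[str, str]], dict]


def aql_string(value: str) -> str:
    """Quote a value as an AQL string literal; single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def rule_match_query(rule_id: Optional[int] = None, rule_name: Optional[str] = None,
                     start: str = "2015-11-08 21:00", stop: str = "2015-11-08 22:00") -> str:
    """AQL for events the CRE matched against one rule. `creeventlist = <id>` is
    read by AQL as "<id> IN creeventlist"; without the ID, fall back to the name."""
    for ts in (start, stop):
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}", ts):
            raise ValueError(f"expected 'YYYY-MM-DD HH:MM', got {ts!r}")
    if rule_id is not None:
        cond = f"creeventlist = {int(rule_id)}"
    elif rule_name:
        cond = f"RULENAME(creeventlist) ILIKE {aql_string('%' + rule_name + '%')}"
    else:
        raise ValueError("rule_id or rule_name is required")
    return ("SELECT starttime, sourceip, destinationip, RULENAME(creeventlist) AS rules "
            f"FROM events WHERE {cond} START {aql_string(start)} STOP {aql_string(stop)}")


def urllib_transport(token: str, api_version: str = "10.0") -> Transport:
    """Real transport: authorized-service token in the SEC header, JSON in and out."""
    def send(method: str, url: str, headers: Dict[str, str]) -> dict:
        req = urllib.request.Request(url, method=method, headers={
            "SEC": token, "Version": api_version, "Accept": "application/json", **headers})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return send


class ArielClient:
    def __init__(self, base_url: str, transport: Transport, page_size: int = 50,
                 sleep: Callable[[float], None] = time.sleep):
        self.base, self.t, self.page_size, self.sleep = base_url.rstrip("/"), transport, page_size, sleep

    def search(self, aql: str) -> str:
        # The AQL travels URL-encoded in the query_expression parameter.
        url = f"{self.base}/api/ariel/searches?query_expression={urllib.parse.quote(aql)}"
        return self.t("POST", url, {})["search_id"]

    def wait(self, search_id: str, timeout: float = 300.0) -> int:
        # Poll until COMPLETED; CANCELED/ERROR and a timeout raise instead of hanging.
        deadline = time.monotonic() + timeout
        while True:
            body = self.t("GET", f"{self.base}/api/ariel/searches/{search_id}", {})
            if body["status"] == "COMPLETED":
                return int(body.get("record_count", 0))
            if body["status"] in ("CANCELED", "ERROR"):
                raise RuntimeError(f"search {search_id} ended with status {body['status']}")
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {search_id} still {body['status']}")
            self.sleep(1.0)

    def results(self, search_id: str) -> Iterator[dict]:
        # Page through /results with inclusive "Range: items=a-b" headers.
        offset = 0
        while True:
            page = self.t("GET", f"{self.base}/api/ariel/searches/{search_id}/results",
                          {"Range": f"items={offset}-{offset + self.page_size - 1}"})
            events = page.get("events", [])
            yield from events
            if len(events) < self.page_size:
                return
            offset += self.page_size


def truncated(value) -> bool:
    """True for list-valued strings whose text ends in '...' before the closing bracket."""
    return isinstance(value, str) and value.endswith("...]")


class FakeQRadar:
    """Constructed stand-in for the REST API so the example runs offline."""
    def __init__(self, events: List[dict]):
        self.events, self.polls, self.queries = events, 0, []

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> dict:
        path = url.split("/api/", 1)[1]
        if method == "POST" and path.startswith("ariel/searches?query_expression="):
            self.queries.append(urllib.parse.unquote(path.split("=", 1)[1]))
            return {"search_id": "abc123", "status": "WAIT"}
        if path == "ariel/searches/abc123":
            self.polls += 1  # first poll still EXECUTE, second COMPLETED
            return {"status": "COMPLETED" if self.polls >= 2 else "EXECUTE",
                    "record_count": len(self.events)}
        if path == "ariel/searches/abc123/results":
            lo, hi = (int(n) for n in headers["Range"][len("items="):].split("-"))
            return {"events": self.events[lo:hi + 1]}
        raise AssertionError(f"unexpected request: {method} {url}")


def demo() -> dict:
    """Run the whole flow against constructed rows; returns what a caller would check."""
    events = [  # constructed sample rows, not real QRadar output
        {"starttime": 1446930900000, "sourceip": "10.0.0.5", "destinationip": "203.0.113.9",
         "rules": "Connection to Internet on Unauthorized Port"},
        {"starttime": 1446930960000, "sourceip": "10.0.0.7", "destinationip": "203.0.113.9",
         "rules": "[BB:PortDefinition: DHCP Ports, BB:CategoryDefinition: Suspicious Events...]"},
        {"starttime": 1446931020000, "sourceip": "10.0.0.9", "destinationip": "198.51.100.4",
         "rules": "[Destination Asset Exists, Connection to Internet on Unauthorized Port]"},
    ]
    api = FakeQRadar(events)
    client = ArielClient("https://qradar.example.com", api, page_size=2, sleep=lambda s: None)
    sid = client.search(rule_match_query(rule_id=100343))
    count = client.wait(sid)
    rows = list(client.results(sid))
    return {"query": api.queries[0], "record_count": count, "rows": rows,
            "truncated": [r for r in rows if truncated(r["rules"])]}
```

To run against a real console, pass `urllib_transport(token)` in place of `FakeQRadar`, and issue the token from an authorized service whose security profile grants only the Ariel read access this needs, since the token is sent on every request. The page size of 2 in `demo()` is only there to exercise the paging loop; 50 per Range request is a reasonable default against a live system.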

  • Sunil.Nishankar
    10 Posts

    Re: Custom Rule Match

    ‏2016-06-28T06:24:48Z  


    Hey Taylor,

    Has the method of retrieving the rule ID for a rule been updated in the latest version of QRadar?

    Is there any way to fetch the list of rules that contributed to an offense through the API?

    When getting the creeventlist array through the Ariel API, the complete set of matched custom rules is not fetched. Find a sample below.

    "events": [
        {
            "customRulesMatched": "[BB:PortDefinition: DHCP Ports, BB:ProtocolDefinition: Windows Protocols, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, Destination Asset Exists, BB:DeviceDefinition: FW / Router / Switch...]"
        }
    ]

    The entire set of custom rules is not shown; instead it ends with "...".

    Is there truncation happening, or is there a maximum size for fetching an array-type argument? If so, how do I fetch the entire array?

    Thanks in advance

    - Sunil

     

  • SunilNishankar
    1 Post

    Re: Custom Rule Match

    ‏2016-06-30T06:03:17Z  


    Hello Taylor,

    Please help me with the below.

    Has the method of retrieving the rule ID for a rule been updated in the latest version of QRadar?

    Is there any way to fetch the list of rules that contributed to an offense through the API?

    When getting the creeventlist array through the Ariel API, the complete set of matched custom rules is not fetched. Find a sample below.

    "events": [
        {
            "customRulesMatched": "[BB:PortDefinition: DHCP Ports, BB:ProtocolDefinition: Windows Protocols, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, Destination Asset Exists, BB:DeviceDefinition: FW / Router / Switch...]"
        }
    ]

    The entire set of custom rules is not shown; instead it ends with "...".

    Is there truncation happening, or is there a maximum size for fetching an array-type argument? If so, how do I fetch the entire array?

    Thanks in advance

    - Sunil