Event categories

Event categories are used to group incoming events for processing by IBM® QRadar®. The event categories are searchable and help you monitor your network.

Events that occur on your network are aggregated into high-level and low-level categories. Each high-level category contains low-level categories and an associated severity level and ID number.

You can review the severity levels that are assigned to events and adjust them to suit your corporate policy needs.

You can run an AQL query by using high-level and low-level event category IDs. The category IDs for the associated category names can be retrieved from the event category tables.

For example, if you are developing applications on QRadar, you can run an AQL search similar to the following query from the command line to gather data from Ariel. Replace the angle-bracket placeholders with the numeric IDs from the event category tables; AQL string literals use single quotes, so the LIKE pattern is single-quoted:

select qidname(qid) as 'Event', username as 'Username', devicetime as 'Time' from events where highlevelcategory = <high-level category ID> and category = <low-level category ID> and LOGSOURCENAME(logsourceid) like '%Low-level category name%' last 3 days
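An added example, not from the QRadar documentation, of how an application might assemble this query from its own inputs: the category IDs are accepted only as integers and the LIKE pattern is emitted as a quoted AQL string literal, so values taken from a user cannot alter the structure of the query sent to Ariel. It assumes (the page does not say) that the events table exposes the IDs as the columns highlevelcategory and category, and that AQL escapes a single quote inside a literal by doubling it.

```python
# Added example, not from the QRadar documentation: assemble the page's AQL
# query from application-supplied values so that category IDs are always
# integers and the LIKE pattern is a properly quoted AQL string literal.

def is_category_id(raw) -> bool:
    """True only for a non-negative int; bool and numeric strings are rejected."""
    return isinstance(raw, int) and not isinstance(raw, bool) and raw >= 0


def aql_string_literal(value: str) -> str:
    """Quote value as a single-quoted AQL string literal.

    Assumption (not stated on the page): an embedded single quote is escaped
    by doubling it, as in SQL.
    """
    if not isinstance(value, str):
        raise TypeError("AQL string literal requires a str")
    return "'" + value.replace("'", "''") + "'"


def category_filter(high_level_id, low_level_id) -> str:
    """WHERE fragment selecting one high-level/low-level category pair.

    Assumption (not stated on the page): the events table exposes the IDs as
    the columns highlevelcategory and category.
    """
    for label, raw in (("high-level", high_level_id), ("low-level", low_level_id)):
        if not is_category_id(raw):
            raise ValueError(f"{label} category ID must be a non-negative integer")
    return f"highlevelcategory = {high_level_id} AND category = {low_level_id}"


def build_category_query(high_level_id, low_level_id, logsource_name, days=3) -> str:
    """The page's query with its placeholders filled in from validated input."""
    if not is_category_id(days) or days < 1:
        raise ValueError("days must be a positive integer")
    # logsource_name is wrapped in % wildcards as on the page; a % or _ inside
    # it still acts as a LIKE wildcard, but cannot break out of the literal.
    return (
        "SELECT qidname(qid) AS 'Event', username AS 'Username', "
        "devicetime AS 'Time' FROM events WHERE "
        + category_filter(high_level_id, low_level_id)
        + " AND LOGSOURCENAME(logsourceid) LIKE "
        + aql_string_literal(f"%{logsource_name}%")
        + f" LAST {days} DAYS"
    )
```

The sample IDs used when calling these functions are constructed values, not entries from the event category tables.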