Troubleshooting
Problem
How to create a saved search that a report can use to show offense data.
Resolving The Problem
Procedure to create a search that reports offense data
- From the QRadar web user interface, go to the Log Activity tab and click Search > Edit Search.
- Under Search Parameters, add the following two filters:
- Associated With Offense Equals True.
- Log Source Type Equals Custom Rule Engine.
- Click Filter to run the search.
- When the results are returned, open one of the events and click Extract Property.
- Enter a name in New Property, for example NewCustom.
In the RegEx field, use the following expression, which captures everything in the payload up to the first tab character (the capture group is non-greedy, so it stops at the first tab rather than the last):
(.+?)\t
- Under Log Source Type, select the log source type of the events you searched (Custom Rule Engine), and set High Level Category to Any and Low Level Category to Any. If you leave the categories at their defaults, the property is tied to the single QID of the event you extracted it from and is not populated for other Custom Rule Engine events.
- Return to your saved search.
- Under Column Definitions, add the new custom event property and Source IP to Group By. Any additional columns you want in the report can be added under Columns.
Results: Save this search as a Saved Search. Reports can now be run against it.
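The following is an added example, not part of the original technote or of QRadar itself. It applies the technote's regular expression to a few constructed tab-separated payloads so you can check what the custom property will extract before you save it, contrasts it with the greedy form that a practitioner often writes by mistake, and reproduces the Group By over NewCustom and Source IP offline. The field layout of the sample payloads is an assumption made for the demonstration, not the documented Custom Rule Engine payload format.

```python
import re
from collections import Counter

# The expression from the technote: a non-greedy capture of everything up to
# the first tab in the payload.
CRE_FIRST_FIELD = re.compile(r"(.+?)\t")

# Greedy variant, shown only for contrast: '.+' keeps consuming tabs, so the
# capture runs to the last tab in the payload instead of the first.
GREEDY_VARIANT = re.compile(r"(.+)\t")

# Constructed sample events. The tab-separated layout is an assumption for this
# demo; real Custom Rule Engine payloads should be inspected in the Log Activity
# tab before the property is saved.
SAMPLE_EVENTS = [
    {"payload": "Excessive Firewall Denies\tBB:Category\tdetails\t", "sourceip": "10.0.0.5"},
    {"payload": "Excessive Firewall Denies\tBB:Category\tdetails\t", "sourceip": "10.0.0.5"},
    {"payload": "Login Failures Followed By Success\tBB:Auth\tdetails\t", "sourceip": "10.0.0.9"},
    # Edge case: a payload with no tab at all. The expression does not match,
    # and QRadar would show the custom property as N/A for this event.
    {"payload": "no tab in this payload", "sourceip": "10.0.0.9"},
]


def extract_property(payload, pattern=CRE_FIRST_FIELD):
    """Return capture group 1 of pattern against payload, or None if it does not
    match. This mirrors how a regex-based custom event property is populated:
    only the first capture group is kept."""
    match = pattern.search(payload)
    return match.group(1) if match else None


def group_by_property_and_source(events):
    """Mimic the saved search's Group By on NewCustom and Source IP: count the
    events that fall into each (property value, source IP) bucket."""
    counts = Counter()
    for event in events:
        value = extract_property(event["payload"])
        counts[(value, event["sourceip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(repr(event["payload"]), "->", repr(extract_property(event["payload"])))
    for (value, sourceip), count in sorted(group_by_property_and_source(SAMPLE_EVENTS).items(),
                                          key=lambda item: (str(item[0][0]), item[0][1])):
        print(f"{value!r:45} {sourceip:12} {count}")
```

Running the script prints the extracted value for each payload and the grouped counts; the event without a tab yields None, which is the offline equivalent of the N/A you would see in the search results for an event the property does not match.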
Product: IBM Security QRadar SIEM; Component: Offense Manager; Platform: Linux; Version: 7.1, 7.2; Edition: Enterprise
Historical Number
1212
Document Information
Modified date:
16 June 2018
UID
swg21622340