IBM Support

QRadar: How to properly create an AQL Search for a Threshold Rule

Troubleshooting


Problem

When creating an AQL search to use in a Threshold Rule, the following error is displayed: The saved search "Test Threshold" is not a grouped search. You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again.

Cause

The AQL search has a GROUP BY clause but no aggregate function (such as COUNT) in its select list, so QRadar does not treat it as a grouped search.

Resolving The Problem

A saved AQL search that uses GROUP BY without an aggregate column is not accepted as a grouped search by a Threshold Rule. To reproduce the problem:

  1. Log in to the QRadar UI
  2. Click Log Activity tab
  3. Use the following AQL Query in Advanced Search:
    select sourceip, destinationip, logsourceid, starttime, category, qid FROM events GROUP BY starttime last 15 MINUTES
  4. Click Search and View the Results.
  5. Click Save Criteria.
  6. In the Save Criteria dialog, enter the name "Test Threshold", select a 5-minute interval, and optionally select Include in my Quick Searches and Share with Everyone.
  7. Click OK.
  8. Click Rules > Add Threshold Rule
  9. The following error is displayed: The saved search "Test Threshold" is not a grouped search. You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again.

The error is caused by the missing aggregate field. To fix it, add an aggregate function to the select list of the search. The following AQL search is the same query with a COUNT column added as an example:
  1. Repeat step 3 above using this AQL Query in Advanced Search
    select sourceip, destinationip, logsourceid, COUNT(starttime) as starttime_count, starttime, category, qid FROM events GROUP BY starttime last 15 MINUTES
  2. Click Search and View the Results.
  3. Click Save Criteria.
  4. In the Save Criteria dialog, enter the name "Test Threshold", select a 5-minute interval, and optionally select Include in my Quick Searches and Share with Everyone.

  5. Click OK.
  6. Click Rules > Add Threshold Rule
  7. Click Next.

    Results: The saved search is now recognized as a grouped search and you can create the Threshold Rule.
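The rule behind this error is that a Threshold Rule needs a grouped search: a GROUP BY clause plus at least one aggregate column in the select list. The following Python script is an added example (not part of the IBM article and not QRadar code) that applies that check to an AQL query before you save it, so you can validate searches in bulk instead of discovering the error in the rule wizard. The two queries it checks are the ones from the procedure above; the set of aggregate function names other than COUNT is an assumption, as is the simple regular-expression parsing, which handles ordinary SELECT ... FROM ... GROUP BY ... queries but is not a full AQL parser.

```python
from __future__ import annotations
import re

# Aggregate functions that make a GROUP BY query a grouped (aggregated) search.
# COUNT is the one the article uses; the rest are assumed AQL aggregate names.
AGGREGATES = {"COUNT", "SUM", "AVG", "MIN", "MAX", "UNIQUECOUNT"}

# The two queries from the procedure above (copied, not constructed).
BROKEN_QUERY = (
    "select sourceip, destinationip, logsourceid, starttime, category, qid "
    "FROM events GROUP BY starttime last 15 MINUTES"
)
FIXED_QUERY = (
    "select sourceip, destinationip, logsourceid, "
    "COUNT(starttime) as starttime_count, starttime, category, qid "
    "FROM events GROUP BY starttime last 15 MINUTES"
)

_SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.*?)\s+FROM\s+(?P<rest>.*)$",
                        re.IGNORECASE | re.DOTALL)
_GROUP_BY_RE = re.compile(r"\bGROUP\s+BY\b", re.IGNORECASE)
_FUNC_RE = re.compile(r"\b([A-Z_]+)\s*\(", re.IGNORECASE)


def split_columns(cols: str) -> list[str]:
    """Split a select list on top-level commas; commas inside parentheses stay."""
    out, cur, depth = [], [], 0
    for ch in cols:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur).strip())
    return [c for c in out if c]


def aggregate_columns(query: str) -> list[str]:
    """Return the select-list entries that call an aggregate function."""
    m = _SELECT_RE.match(query)
    if not m:
        raise ValueError("not a SELECT ... FROM query")
    found = []
    for col in split_columns(m.group("cols")):
        funcs = {f.upper() for f in _FUNC_RE.findall(col)}
        if funcs & AGGREGATES:
            found.append(col)
    return found


def has_group_by(query: str) -> bool:
    """True if the query contains a GROUP BY clause."""
    return _GROUP_BY_RE.search(query) is not None


def threshold_rule_check(query: str) -> tuple[bool, str]:
    """Decide whether a saved AQL search can back a Threshold Rule.

    Assumed rule (from the article's error text): the search must be grouped,
    meaning it has a GROUP BY clause AND at least one aggregate column.
    Returns (ok, reason).
    """
    if not has_group_by(query):
        return False, "no GROUP BY clause"
    aggs = aggregate_columns(query)
    if not aggs:
        return False, "GROUP BY present but no aggregate column (add e.g. COUNT(...))"
    return True, "grouped search with aggregate(s): " + ", ".join(aggs)


if __name__ == "__main__":
    for label, q in (("broken", BROKEN_QUERY), ("fixed", FIXED_QUERY)):
        ok, reason = threshold_rule_check(q)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {reason}")
```

Run it as a script to see the first query rejected and the second accepted; import it and call threshold_rule_check on each saved search you export before building rules from them.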



Product: IBM Security QRadar SIEM (SSBQAC)
Component: General Information
Platform: Linux
Version: 7.2; 7.3
Edition: All Editions

Document Information

Modified date:
16 June 2018

UID

swg22007019