Troubleshooting
Problem
Anomaly Rules are based on saved searches and trigger new events on matches. If the link between the rule and the saved search is broken, these events may trigger repeatedly.
Diagnosing The Problem
Anomaly rules are executed in the anomaly detection engine (ADE).
- SSH to QRadar as the root user.
- Enter PostgreSQL by running the following command:
psql -U qradar
- Run the following query:
psql -Uqradar -c "select gv_id, records.record_id from (select record_id from global_views where record_id not in (select trim(both '\"' from (xpath('//persistMapBackedProperty[@key=\"sentryId\"]/text()',rule_data::text::xml))[1]::text)::int from custom_rule where rule_data::text ~* 'sentryId' and rule_type in (6,7,8) and rule_data::text ~* 'enabled=\"true\"') and data_type = 'SENTRY' and not deleted) records join (select unnest(xpath('//globalView/@id',a.gv))::text as gv_id, unnest(string_to_array(unnest(xpath('//globalView//*/@sentries',gv))::text,',')) as sentryid from (select unnest(xpath('//globalView',xml_data::text::xml)) as gv from global_views where data_type != 'SENTRY') a where xpath_exists('//globalView[.//*/@sentries]',gv)) gvs on gvs.sentryid::int = records.record_id;"
Result
The output for the command shows the id of any anomaly detection engine that runs without a rule to catch the data.
Resolving The Problem
- SSH to QRadar as the root user.
- Run the following command to ensure a backup folder exists:
mkdir -p /store/IBM_Support
- Run the following command to backup the global_views table:
pg_dump -U qradar -t global_views > /store/IBM_Support/global_views.sql
- Run the following query to get the id's of the anomaly detection engines that are running without a rule, note the id's:
psql -Uqradar -c "select gv_id, records.record_id from (select record_id from global_views where record_id not in (select trim(both '\"' from (xpath('//persistMapBackedProperty[@key=\"sentryId\"]/text()',rule_data::text::xml))[1]::text)::int from custom_rule where rule_data::text ~* 'sentryId' and rule_type in (6,7,8) and rule_data::text ~* 'enabled=\"true\"') and data_type = 'SENTRY' and not deleted) records join (select unnest(xpath('//globalView/@id',a.gv))::text as gv_id, unnest(string_to_array(unnest(xpath('//globalView//*/@sentries',gv))::text,',')) as sentryid from (select unnest(xpath('//globalView',xml_data::text::xml)) as gv from global_views where data_type != 'SENTRY') a where xpath_exists('//globalView[.//*/@sentries]',gv)) gvs on gvs.sentryid::int = records.record_id;"
Sample output:gv_id | record_id -------+----------- 10084 | 2 (1 rows)
- Run the following command to disable the "sentry" records:
psql -Uqradar -c "UPDATE global_views set deleted = true where not record_id in (select trim(both '\"' from (xpath('//persistMapBackedProperty[@key=\"sentryId\"]/text()',rule_data::text::xml))[1]::text)::int from custom_rule where rule_data::text ~* 'sentryId' and rule_type in (6,7,8) and rule_data::text ~* 'enabled=\"true\"') and data_type = 'SENTRY' and not deleted;"
UPDATE 1
- In the GUI, open Admin > Aggregated Data Management.
- In the Display drop-down menu, select Aggregated Data View.
- In the Quick Search box, enter the number of one of the GVs
- Doubleclick on the entry for the Aggregated Data Id matching your GV.
- In the Content Dependencies view, check the Search Details column.
- If the column shows "n/a", click cancel, then select the entry for your GV and click Delete View. Click OK from the Confirm Deletion page.
- If the column does not show "n/a". There are dependencies that need to be resolved. Contact Support for further assistance
- If there were multiple GVs listed in the psql output, repeat the previous steps to search for, view, and delete the associated GVs.
- Wait 5 minutes and then review the incoming ADE event volume. At this point, the excess events should have stopped.
- If the excess events are still coming in, push a Full Deploy, and then Restart Web Services from the Admin tab.
Result
The ADE events should stop firing in the deployment.
If excessive ADE events are still arriving after completing these steps, please contact Support for further assistance.
The ADE events should stop firing in the deployment.
If excessive ADE events are still arriving after completing these steps, please contact Support for further assistance.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
28 May 2024
UID
ibm17091618