Which AQL query, when run from IBM Security QRadar SIEM V7.2.8, will show EPS broken down by domains?
A. select DOMAINNAME (domainid) as LogSource, sum(eventcount) / ((max(endTime) min(startTime)) / 1000 ) as EPS from events group by domainid order by EPS desc last 24 hours
B. select DOMAINNAME (domainqid) as LogSource, sum(eventcount) / ((max(endTime) min(startTime)) / 1000 ) as EPS from events group by domainqid order by FPM desc last 24 hours
C. select DOMAINNAME (domainid) as LogSource, sum(events) / ((max(endTime) min(startTime)) / 1000 ) as EPS from events group by domainid order by FPM desc last 24 hours
D. select DOMAINNAME (domainid) as LogSource, sum(events) / ((max(endTime) – min(startTime)) / 1000 ) as EPS from events group by domainid order by
Suggested Answer: A
You would use single-quotes to define this search string. I believe I had an example in the presentation yesterday I need to fix where I accidentally used double-quotes, which is incorrect. The AQL search below uses quotes correctly: select logsourcename(logsourceid) as LogSource, sum(eventcount) / ( ( max(endTime) - min(startTime) ) / 1000 ) as EPS from events WHERE logsourcename(logsourceid) = 'Windows Auth @ 10.10.10.10' group by logsourceid order by EPS desc last 5 MINUTES
Or to snag multiple log sources, for example Windows events, you could use the following: select logsourcename(logsourceid) as LogSource, sum(eventcount) / ( ( max(endTime) - min(startTime) ) / 1000 ) as EPS from events WHERE logsourcename(logsourceid) is ILIKE '%Windows%' group by logsourceid order by EPS desc last 5 MINUTES