How To
Summary
This guide provides an overview of how to build QRadar AQL queries that use LIKE correlations between two different properties dynamically.
Steps
1. Log in to QRadar User Interface
2. Open Log Activity Page
3. To perform a dynamic LIKE correlation between two different properties, the value of one property must be wrapped in percent-sign (%) wildcards so that it can be used as a LIKE pattern. This can be achieved with the CONCAT function. Here is an AQL sample showing a real example of this technique:
SELECT LOGSOURCENAME(logsourceid) as "Log Source", "Hostname" FROM events WHERE "Log Source" ILIKE CONCAT('%', "Hostname", '%')
Substitute "Log Source" and "Hostname" in this query with the properties you need to correlate.
4. Run the resulting query in the Log Activity to see results.
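The following is an added AQL example, not part of the IBM document, that applies the same CONCAT-built pattern while guarding against an empty or NULL property value: when "Hostname" is empty, CONCAT('%', "Hostname", '%') becomes '%%', which matches every log source name and floods the result with false correlations. It assumes the custom property "Hostname" exists and uses a 24-hour search window as an example.

```sql
SELECT
    LOGSOURCENAME(logsourceid) AS "Log Source",
    "Hostname",
    COUNT(*) AS "Matches"
FROM events
WHERE
    "Hostname" IS NOT NULL
    AND "Hostname" <> ''
    AND LOGSOURCENAME(logsourceid) ILIKE CONCAT('%', "Hostname", '%')
GROUP BY "Log Source", "Hostname"
ORDER BY "Matches" DESC
LAST 24 HOURS
```

ILIKE makes the comparison case-insensitive, which matters when the property value is a short host name and the log source name carries it in mixed case; use LIKE instead if an exact-case match is required.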
Document Location
Worldwide
Document Information
Modified date:
14 February 2023
UID
ibm16843859