IBM Support

QRadar: How to perform dynamic LIKE correlations with AQL

How To


Summary

This guide describes how to build QRadar AQL queries that correlate two different properties with a LIKE comparison whose pattern is built dynamically from the value of one of the properties.

Steps

1. Log in to the QRadar user interface.
2. Open the Log Activity page.
3. To perform a dynamic LIKE correlation between two different properties, the value of one property must be enclosed in percent-sign wildcards (%) so that it can serve as the pattern for the other. This is achieved with the CONCAT function.
Here is an AQL sample showing a real example of this technique:
SELECT LOGSOURCENAME(logsourceid) as "Log Source", "Hostname" FROM events WHERE "Log Source" ILIKE CONCAT('%', "Hostname", '%')
Substitute "Log Source" and "Hostname" in this query with the properties you require.
4. Run the resulting query in the Log Activity page to see the results.
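The following Python emulation, added here and not part of the IBM document, shows what the CONCAT('%', "Hostname", '%') pattern actually matches and why an empty hostname or one containing wildcard characters widens the match. It assumes standard SQL LIKE semantics (% matches any run of characters, _ exactly one) and that an empty hostname reaches the comparison as an empty string; the sample rows are constructed.

```python
import re

# Constructed sample rows, not real QRadar data: ("Log Source", "Hostname").
SAMPLE_EVENTS = [
    ("WinCollect @ srv-dc01", "srv-dc01"),
    ("LinuxServer @ web-01.example.com", "WEB-01"),
    ("Firewall @ fw-edge", "app-07"),
    ("Proxy @ px-01", ""),     # empty hostname: pattern becomes '%%'
    ("Proxy @ px-02", "%"),    # wildcard in data: pattern becomes '%%%'
]


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate an SQL LIKE pattern into an anchored regex (assumed semantics)."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")      # any run of characters
        elif ch == "_":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive LIKE, i.e. the ILIKE operator used in the AQL sample."""
    return like_to_regex(pattern.lower()).fullmatch(value.lower()) is not None


def correlate(events, require_hostname=True):
    """Emulate: WHERE "Log Source" ILIKE CONCAT('%', "Hostname", '%').

    With require_hostname=True a row is skipped when its hostname is empty or
    contains LIKE wildcard characters, so the dynamic pattern cannot collapse
    into a match-everything '%%'.
    """
    matches = []
    for log_source, hostname in events:
        if require_hostname and (not hostname or "%" in hostname or "_" in hostname):
            continue
        pattern = "%" + hostname + "%"  # CONCAT('%', "Hostname", '%')
        if ilike(log_source, pattern):
            matches.append((log_source, hostname))
    return matches
```

Running correlate(SAMPLE_EVENTS, require_hostname=False) returns the two proxy rows as well, which is the behaviour to watch for when the pattern property can be empty or is populated from untrusted event data.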

Document Location

Worldwide


Document Information

Modified date:
14 February 2023

UID

ibm16843859