What's New for Users in Ariel Query Language (AQL)

JSA 7.3.1 introduces new Ariel Query Language (AQL) functions and enhancements.

PARAMETERS REMOTESERVERS now includes the option to select servers in your search by specifying the ID or name of Event Processors

By using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS, you can specify one or more Event Processors by name in an AQL query; for example, PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor0', 'eventprocessor104')

By using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS, you can specify an Event Processor by ID in an AQL query; for example, PARAMETERS REMOTESERVERS=ARIELSERVERS4EPID(102)

By specifying an Event Processor, or servers that are connected to that Event Processor, you can run AQL queries faster and more efficiently.

When your deployment has multiple servers and you know where the data that you are looking for is stored, you can narrow the search to the Ariel servers that are attached to specific Event Processors instead of querying every server.

In the following example, you search only the servers that are connected to 'eventprocessor104': PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor104')

When you filter a query to search fewer servers, you reduce the load on your servers and get results faster, which matters most for queries that you run regularly.

PARAMETERS EXCLUDESERVERS excludes servers from your AQL search

Avoid searching every Ariel server by using PARAMETERS EXCLUDESERVERS to exclude specific servers, identified in one of three ways:

  • IP address and port; for example, PARAMETERS EXCLUDESERVERS='177.22.123.246:32006,172.11.22.31:32006'

  • Event Processor name; for example, PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('<eventprocessor_name>')

  • Event Processor ID; for example, PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(<processor_ID>)

Searching only the servers that hold the data that you require speeds up searches and uses fewer server resources.

Refine your query to exclude the servers that don't have the data that you're searching for. In the following example, you exclude the servers that are connected to 'eventprocessorABC': PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessorABC')

If you refine multiple queries by using PARAMETERS EXCLUDESERVERS, you can reduce the load on your servers and get your results faster.

Specify the Event Processor name in an AQL query by using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS

In an AQL query, you can include or exclude the servers that are connected to an Event Processor by using the ARIELSERVERS4EPNAME function to name the Event Processor. For example, use ARIELSERVERS4EPNAME with PARAMETERS REMOTESERVERS to search only the servers on eventprocessor_ABC: PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor_ABC')

Conversely, you can exclude all servers on a named Event Processor by using ARIELSERVERS4EPNAME with PARAMETERS EXCLUDESERVERS. In the following example, eventprocessor_XYZ is excluded from the query: PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessor_XYZ')

Specify the Event Processor ID in an AQL query by using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS

In an AQL query, you can include or exclude servers connected to an Event Processor by using the ARIELSERVERS4EPID function to specify the ID of an Event Processor in the query.

For example, to include the servers on the Event Processor that has the ID 101: PARAMETERS REMOTESERVERS=ARIELSERVERS4EPID(101)

For example, to exclude the servers on the Event Processor that has the ID 102: PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(102)
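The sections above show only the PARAMETERS fragment. The following complete AQL queries are an added example, not taken from the original page, and they reuse the Event Processor names, ID and server addresses that appear on this page. They assume that the PARAMETERS clause is placed after the time-range clause, that 32006 is the Ariel port used in the page's own address examples, and that your AQL parser accepts the `--` annotation lines (remove them if it does not). Each query is submitted separately.

```sql
-- Search only the Ariel servers attached to eventprocessor104, selected by name.
SELECT sourceip, destinationip, username, QIDNAME(qid) AS event_name
FROM events
WHERE username = 'admin'
LAST 1 HOURS
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor104')

-- Search every server except those attached to the Event Processor with ID 102,
-- for a query that is run regularly and would otherwise fan out to all servers.
SELECT sourceip, COUNT(*) AS hits
FROM events
WHERE QIDNAME(qid) ILIKE '%login%'
GROUP BY sourceip
ORDER BY hits DESC
LAST 24 HOURS
PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(102)

-- Exclude two individual Ariel servers by address:port instead of by Event Processor.
SELECT sourceip, destinationip, destinationport
FROM flows
WHERE destinationport = 22
LAST 30 MINUTES
PARAMETERS EXCLUDESERVERS='177.22.123.246:32006,172.11.22.31:32006'
```

Scoping the search this way changes only which Ariel servers are consulted; it does not filter on event content. If data for the hosts you care about is also stored on a server you excluded, it will silently be missing from the result, so confirm where a log source's data lands before turning such a scoped query into a scheduled one.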

Filter your search by using the ARIELSERVERS4EPID function with the PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Event Processors by ID and their Ariel servers

You can use the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS and PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or exclude from your search.

You can also use the following query to list Ariel servers by Event Processor ID.

The ARIELSERVERS4EPID function returns the Ariel servers that are associated with the Event Processor that has the specified ID.

Here's an example of the output for the query, which shows the ID of the processor and the servers for that processor:

In an AQL query, you can specify Ariel servers that are connected to a named Event Processor by using the ARIELSERVERS4EPNAME function

Use the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or exclude from your search.

You can also use the following query to list Ariel servers by Event Processor name.

Here's an example of the output for the query, which shows the name of the processor and the servers:

Use the COMPONENTID function to retrieve the ID for any named QRadar component and return data for that component

For example, you can retrieve events for a named Event Processor by comparing the event's processor ID with the value that COMPONENTID returns for that name. In the following example, you retrieve events from eventprocessor0:
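The following queries are an added example, not part of the original page. They assume that `processorid` is the events column that records the ID of the component that processed the event, and that the PARAMETERS clause follows the time-range clause; the `--` lines are annotations.

```sql
-- Events processed by eventprocessor0, resolved from its name at query time.
-- REMOTESERVERS limits the search to that processor's own Ariel servers so the
-- query does not fan out to every server in the deployment.
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS time,
       sourceip, username, QIDNAME(qid) AS event_name, processorid
FROM events
WHERE processorid = COMPONENTID('eventprocessor0')
LAST 1 HOURS
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor0')

-- Sanity check for the scoping assumption: any rows here are events stored on
-- eventprocessor0's Ariel servers that were processed by a different component.
SELECT processorid, COUNT(*) AS events_from_other_processor
FROM events
WHERE processorid <> COMPONENTID('eventprocessor0')
GROUP BY processorid
LAST 1 HOURS
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor0')
```

Using COMPONENTID instead of a hard-coded numeric ID keeps the query valid if the component is rebuilt and receives a new ID, which is the failure mode that breaks saved searches that embed the number directly.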

PARSETIMESTAMP function parses the text representation of date and time and converts it to UNIX epoch time

Do time-based calculations easily in AQL by converting time in text format to epoch time.

Include time-based criteria in your AQL queries to return events that help you monitor user activity. For example, you might want to find cases where the difference between a user's logout time and re-login time is less than 30 minutes. If this timing seems suspicious, you can investigate further.
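The following query is an added example of the logout/re-login check described above; it is not taken from the original page. It assumes a custom event property named "Logout Time" that holds a text timestamp such as '2018-03-14 09:12:45' (constructed for this example), that PARSETIMESTAMP takes the text first and a Java-style date pattern second, and that it returns epoch milliseconds, the same unit as starttime. If your version returns seconds, multiply the parsed value by 1000 before subtracting. The `--` lines are annotations.

```sql
-- Login events whose recorded previous logout is less than 30 minutes earlier.
-- 1800000 ms = 30 minutes; the lower bound of 0 discards rows where the text
-- timestamp failed to parse into a sensible value or lies in the future.
SELECT username,
       sourceip,
       "Logout Time" AS logout_text,
       DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS login_time,
       (starttime - PARSETIMESTAMP("Logout Time", 'yyyy-MM-dd HH:mm:ss')) / 60000 AS minutes_since_logout
FROM events
WHERE QIDNAME(qid) ILIKE '%login%'
  AND "Logout Time" IS NOT NULL
  AND starttime - PARSETIMESTAMP("Logout Time", 'yyyy-MM-dd HH:mm:ss') BETWEEN 0 AND 1800000
ORDER BY minutes_since_logout ASC
LAST 24 HOURS
```

The pattern string must match the text exactly, including the time zone, or the parsed epoch will be offset by whole hours and the 30-minute window will be wrong; compare a few parsed values against DATEFORMAT(starttime, ...) for the same events before relying on the query.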

Retrieve information about the location and distance of IP addresses

Use geographical data that is provided by MaxMind to find information about the location and distance between IP addresses in JSA.

The GEO::LOOKUP AQL function returns location data for a selected IP address.

The GEO::DISTANCE AQL function returns the distance, in kilometers, between two IP addresses.

Recognize the geographical origin of your data more easily by organizing it by location, such as city or country, instead of by IP address, and use the distance between IP addresses to evaluate how far apart two endpoints are.
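The following queries are an added example, not part of the original page. They assume that GEO::LOOKUP takes the IP address and the name of the attribute to return ('country' and 'city' here), that both GEO functions return NULL for addresses that are not in the MaxMind database (private and reserved ranges in particular), and that GROUP BY accepts a column alias. The `--` lines are annotations.

```sql
-- Login events where source and destination are far apart. Filtering out
-- NULL lookups avoids counting RFC 1918 and other unmapped addresses as
-- "distance zero" or dropping them silently.
SELECT username,
       sourceip,
       GEO::LOOKUP(sourceip, 'country') AS src_country,
       GEO::LOOKUP(sourceip, 'city') AS src_city,
       destinationip,
       GEO::LOOKUP(destinationip, 'country') AS dst_country,
       GEO::DISTANCE(sourceip, destinationip) AS distance_km
FROM events
WHERE QIDNAME(qid) ILIKE '%login%'
  AND GEO::LOOKUP(sourceip, 'country') IS NOT NULL
  AND GEO::LOOKUP(destinationip, 'country') IS NOT NULL
  AND GEO::DISTANCE(sourceip, destinationip) > 2000
ORDER BY distance_km DESC
LAST 24 HOURS

-- The same data organized by source country rather than by address.
SELECT GEO::LOOKUP(sourceip, 'country') AS src_country,
       COUNT(*) AS login_events,
       UNIQUECOUNT(sourceip) AS distinct_sources,
       UNIQUECOUNT(username) AS distinct_users
FROM events
WHERE QIDNAME(qid) ILIKE '%login%'
  AND GEO::LOOKUP(sourceip, 'country') IS NOT NULL
GROUP BY src_country
ORDER BY login_events DESC
LAST 7 DAYS
```

Geolocation is only as good as the database behind it: VPN egress points, cloud provider ranges and mobile carriers are routinely mapped to the wrong city, so treat a large GEO::DISTANCE as a prompt to investigate rather than as proof of impossible travel.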

Enhanced support for the AQL subquery

In JSA 2014.8 and 7.3.0, subqueries were accessible only through the API.

Subqueries are now available in searches that you run from the Log Activity or Network Activity tabs.

Enhanced support for the SESSION BY clause

In JSA 7.3.0, the SESSION BY clause was accessible only through the API.

The SESSION BY clause is now available in searches that you run in JSA.