
What's New for Users in JSA 2014.4

 

Ariel Query Language (AQL) V1 and V2 are deprecated.

The command-line script /opt/qradar/bin/arielClient is deprecated. The following warning message is displayed both before and after the results are returned:

WARNING: AQL V1 and V2 will be deprecated in the future. For information about using AQL V3, see the product documentation.

During your migration to AQL V3, you can suppress the warning message by typing: /opt/qradar/bin/arielClient | grep -v WARNING

The Python client and the Advanced search option use AQL V3.

AQL Fields Changed in AQL V3

Ariel Query Language (AQL) V2 is deprecated in JSA 2014.4 and later. Some Ariel database fields were changed or removed in AQL V3. If you have queries that use these fields, you must replace them.

Table 1: Fields That Were Replaced in AQL V3

| Field name (AQL V2) | Replacement function name (AQL V3) |
|---|---|
| destinationAssetName | AssetHostname |
| deviceGroup | LogSourceGroupName |
| sourceAssetName | AssetHostname |
| eventDescription | QidName |
| destinationNetwork | NetworkName |
| endDate | DateFormat |
| endDateFormatted | DateFormat |
| eventProcessor | Processorname |
| identityUsername | AssetUser |
| identityMAC | AssetProperty |
| identityHostName | AssetHostname |
| identityNetBiosName | AssetHostname |
| identityGroupName | AssetProperty |
| identityExtendedField | AssetProperty |
| deviceDate | DateFormat |
| payloadHex | UTF8 |
| protocol | ProtocolName |
| sourceNetwork | NetworkName |
| startDate | DateFormat |
| startDateFormatted | DateFormat |
| destinationAssetName | AssetHostname |
| sourceAssetName | AssetHostname |
| destinationNetwork | NetworkName |
| sourceNetwork | NetworkName |
| application | ApplicationName |
| destinationPayloadHex | UTF8 |
| firstPacketDate | DateFormat |
| eventProcessorId | ProcessorName |

The following Ariel database fields were removed:

  • qidNumber

  • token

  • destinationHost

  • destinationIPSearch

  • destinationPortNA

  • sourceHost

  • sourceIPSearch

  • sourcePortNA

  • destinationDscpOnly

  • anyDestinationFlag

  • smallDestinationPayload

  • smallDestinationPayloadHex

  • destinationPrecedanceOnly

  • lastPacketDate

  • localHost

  • remoteHost

  • sourceDscpOnly

  • anySourceFlag

  • sourcePayloadHex

  • smallSourcePayload

  • smallSourcePayloadHex

  • sourcePrecedanceOnly

  • sourceHostString

  • destinationHostString

  • destinationNetwork

  • application

  • sourceNetwork

  • smallPayload

  • smallPayloadHex

  • quickSearchMatches

  • bitsPerSecond

  • srcBitsPerSecond

  • dstBitsPerSecond

  • bytesPerSecond

  • bytesPerPacket

  • srcBytesPerPacket

  • dstBytesPerPacket

  • destinationByteRatio

  • destinationPacketRatio

  • packetsPerSecond

  • sourceByteRatio

  • sourcePacketRatio

  • totalBytes

  • totalPackets

  • retentionBucket

  • properLastPacketTime

  • properLastPacketDate
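
To find saved AQL V2 queries that still reference the fields listed above, the following added example (not part of the product or its documentation) scans query text and reports, for each field, the Table 1 replacement function or that the field was removed. Case-insensitive matching, skipping single-quoted string literals, and preferring the replacement for the three names that appear in both lists are assumptions; the sample queries are constructed.

```python
import re

# Table 1 on this page: AQL V2 field -> replacement function name in AQL V3.
REPLACED = """
destinationAssetName:AssetHostname sourceAssetName:AssetHostname
identityHostName:AssetHostname identityNetBiosName:AssetHostname
identityUsername:AssetUser identityMAC:AssetProperty
identityGroupName:AssetProperty identityExtendedField:AssetProperty
deviceGroup:LogSourceGroupName eventDescription:QidName protocol:ProtocolName
destinationNetwork:NetworkName sourceNetwork:NetworkName
application:ApplicationName payloadHex:UTF8 destinationPayloadHex:UTF8
startDate:DateFormat startDateFormatted:DateFormat endDate:DateFormat
endDateFormatted:DateFormat deviceDate:DateFormat firstPacketDate:DateFormat
eventProcessor:Processorname eventProcessorId:ProcessorName
"""
# Fields the page lists as removed in AQL V3.
REMOVED = """
qidNumber token destinationHost destinationIPSearch destinationPortNA sourceHost
sourceIPSearch sourcePortNA destinationDscpOnly anyDestinationFlag localHost
smallDestinationPayload smallDestinationPayloadHex destinationPrecedanceOnly
lastPacketDate remoteHost sourceDscpOnly anySourceFlag sourcePayloadHex
smallSourcePayload smallSourcePayloadHex sourcePrecedanceOnly sourceHostString
destinationHostString destinationNetwork application sourceNetwork smallPayload
smallPayloadHex quickSearchMatches bitsPerSecond srcBitsPerSecond dstBitsPerSecond
bytesPerSecond bytesPerPacket srcBytesPerPacket dstBytesPerPacket totalBytes
destinationByteRatio destinationPacketRatio packetsPerSecond sourceByteRatio
sourcePacketRatio totalPackets retentionBucket properLastPacketTime
properLastPacketDate
"""
# Lower-cased lookup; case-insensitive matching is an assumption. Three names
# are in both lists on the page, and the Table 1 replacement wins here.
ACTIONS = {f.lower(): "removed in AQL V3" for f in REMOVED.split()}
ACTIONS.update((f.lower(), "replace with function " + fn)
               for f, fn in (p.split(":") for p in REPLACED.split()))

STRING = re.compile(r"'(?:[^']|'')*'")  # single-quoted string literal
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def audit(query):
    """Return [(field, action)] for each deprecated V2 field used in query."""
    bare = STRING.sub("''", query)             # skip names inside literals
    seen = dict.fromkeys(IDENT.findall(bare))  # unique tokens, source order
    return [(t, ACTIONS[t.lower()]) for t in seen if t.lower() in ACTIONS]

if __name__ == "__main__":
    # Constructed queries, not taken from the page.
    for q in ("SELECT sourceIP, eventDescription, protocol FROM events",
              "SELECT sourceIP, totalBytes FROM flows WHERE username = 'token'"):
        print(q, audit(q), sep="\n  ")
```
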