Input Logs
While an input is in the running state, the host detection input sends its logs to QRadar over Syslog.
Use the following AQL queries in Log Activity > Advanced Search to view the input logs.
For FIM Events and FIM Ignored Events
This AQL has all the fields that the app parses.
AQL:
SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces", "Asset Name", "Asset Tags", "Attribute New", "Attribute Old", "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content", "New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id", "Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rule Name", "Section ID", "Section Name", "Severity Level", "Source Host Name", "User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss.SSS z') AS "Log Source Time" FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'
To fetch only FIM Events, append this condition to the end of the AQL:
AND "Qradar Event Type" = 'FIM_EVENTS'
To fetch only FIM Ignored Events, append this condition to the end of the AQL:
AND "Qradar Event Type" = 'FIM_IGNORED_EVENTS'
For FIM Incidents and Incident Events
These two AQL queries have all the fields that the app parses: the first returns the incidents themselves (from the QualysFimIncidents log source), the second returns the events attached to incidents (from the QualysFimMultiline log source).
AQL (FIM Incidents):
SELECT "Incident ID", "Incident Name", "Incident Status", "Incident Type", "Incident Approval Type", "Incident Approval Status", "Incident Assignee", "Incident Change Type", "Incident Correlation Rule ID", "Incident Correlation Rule Name", "Incident Disposition Category" FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimIncidents' AND "Qradar Data Type" = 'FIM_INCIDENTS'
AQL (FIM Incident Events):
SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces", "Asset Name", "Asset Tags", "Attribute New", "Attribute Old", "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash", "File Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content", "New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id", "Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rules Name", "Section ID", "Section Name", "Severity Level", "Source Host Name", "User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss.SSS z') AS "Log Source Time" FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline' AND "Qradar Event Type" = 'FIM_INCIDENT_EVENTS'
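The queries above are meant to be pasted into Advanced Search by hand. When you want to pull the same data on a schedule, the same AQL can be submitted through the QRadar Ariel REST API. The Python below is an added example, not code from the Qualys app or from IBM: it builds the FIM event query for a chosen "Qradar Event Type" from the field list on this page, restricts the log source name to plain characters so nothing user-supplied can change the query structure, and runs it against a QRadar console using an authorized service token in the SEC header. The console host name, the token placeholder and the 30-minute window in the usage block are assumptions; the endpoints used (POST /api/ariel/searches, GET /api/ariel/searches/{id}, GET /api/ariel/searches/{id}/results) are the standard Ariel search endpoints.

```python
"""Added example (not the Qualys app's or IBM's code): build the FIM AQL queries
from this page for a chosen "Qradar Event Type" and run them through the QRadar
Ariel REST API (POST /api/ariel/searches, then poll it and fetch /results)."""
import json
import re
import time
import urllib.parse
import urllib.request

# Custom event properties the app parses, as listed in the FIM Incident Events query above.
FIM_EVENT_FIELDS = (
    "Absolute File Path", "Absolute Process Path", "Action", "Agent Version",
    "Asset Interfaces", "Asset Name", "Asset Tags", "Attribute New", "Attribute Old",
    "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash",
    "File Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile",
    "New Content", "New Registry Value Content", "New Registry Value Type", "Old Content",
    "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id",
    "Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID",
    "Rules Name", "Section ID", "Section Name", "Severity Level", "Source Host Name",
    "User ID",
)

# Values of "Qradar Event Type" this page uses for the QualysFimMultiline log source.
EVENT_TYPES = ("FIM_EVENTS", "FIM_IGNORED_EVENTS", "FIM_INCIDENT_EVENTS")

# Only plain log source names are accepted, so a caller-supplied name can never
# break out of the string literal (this sidesteps AQL quoting rules entirely).
_SAFE_NAME = re.compile(r"[A-Za-z0-9 _.\-]+")


def build_fim_aql(event_type, last_minutes=60, log_source="QualysFimMultiline"):
    """Return the AQL for one FIM event type over the last N minutes."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown Qradar Event Type: {event_type!r}")
    if not _SAFE_NAME.fullmatch(log_source):
        raise ValueError(f"refusing log source name with unsafe characters: {log_source!r}")
    if int(last_minutes) <= 0:
        raise ValueError("last_minutes must be positive")
    columns = ", ".join(f'"{name}"' for name in FIM_EVENT_FIELDS)
    columns += ", DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss.SSS z') AS \"Log Source Time\""
    return (
        f"SELECT {columns} FROM events "
        f"WHERE LOGSOURCENAME(logsourceid) = '{log_source}' "
        f"AND \"Qradar Event Type\" = '{event_type}' "
        f"LAST {int(last_minutes)} MINUTES"
    )


def _api(console, token, path, method="GET"):
    """One JSON call to the QRadar REST API, authenticated with an authorized service token."""
    req = urllib.request.Request(f"https://{console}/api{path}", method=method,
                                 headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:  # TLS is verified by default
        return json.load(resp)


def run_fim_search(console, token, aql, poll_seconds=2, timeout=300):
    """Submit an Ariel search, wait until it is COMPLETED, and return the event rows."""
    created = _api(console, token,
                   "/ariel/searches?query_expression=" + urllib.parse.quote(aql), "POST")
    search_id = created["search_id"]
    deadline = time.monotonic() + timeout
    while True:
        status = _api(console, token, f"/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            break
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"Ariel search {search_id} ended with status {status}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"Ariel search {search_id} still {status} after {timeout}s")
        time.sleep(poll_seconds)
    return _api(console, token, f"/ariel/searches/{search_id}/results")["events"]


if __name__ == "__main__":
    # Assumed console host and token placeholder; the token needs Ariel search rights.
    CONSOLE, TOKEN = "qradar.example.internal", "<service-token>"
    for etype in EVENT_TYPES:
        rows = run_fim_search(CONSOLE, TOKEN, build_fim_aql(etype, last_minutes=30))
        print(f"{etype}: {len(rows)} events in the last 30 minutes")
```

If a query returns no rows, first confirm that a log source named exactly QualysFimMultiline (or QualysFimIncidents) exists under Admin > Log Sources; LOGSOURCENAME() matches the configured name, not the log source type. The LAST n MINUTES clause is only needed through the API; in Advanced Search the time range comes from the search's own time selector.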