Input Logs
Once the input is running, the host detection input sends its logs to QRadar over Syslog.
Use the following AQL in Log Activity > Advanced Search to see the Input Logs.
For FIM Events and FIM Ignored Events
This AQL has all the fields that the app parses.
With the upgrade to IBM QRadar® 7.4.3, some custom event properties were renamed and merged with the default custom properties.
Refer to Alias properties created for custom properties.
Use the following query if your QRadar version is in the 7.4.3 or later family:
AQL:
SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces", "Asset Name", "Asset Tags",
"Attribute New", "Attribute Old", "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash",
"File Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content",
"New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id",
"Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rules Name", "Section ID", "Section Name",
"Severity Level", "Source Hostname", "User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd h:m:ss:SSS z') AS "Log Source Time"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'
Use the following query if your QRadar version is in the 7.3.3 family:
AQL:
SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces", "Asset Name", "Asset Tags",
"Attribute New", "Attribute Old", "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash",
"File Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content",
"New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id",
"Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rules Name", "Section ID", "Section Name",
"Severity Level", "Source Host Name", "User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd h:m:ss:SSS z') AS "Log Source Time"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'
To fetch only FIM Events, add this clause at the end of the AQL:
AND "Qradar Event Type" = 'FIM_EVENTS'
To fetch only FIM Ignored Events, add this clause at the end of the AQL:
AND "Qradar Event Type" = 'FIM_IGNORED_EVENTS'
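An added example, not part of the Qualys app documentation, that builds on the 7.4.3 query above: instead of listing every parsed field, it counts FIM events per host and action over the last 24 hours, which is the shape of query an analyst runs to spot a host producing an unusual volume of file changes. It assumes the standard AQL COUNT/MIN/MAX aggregates and the LAST time clause; the log source name and property names are the ones this page documents.

```sql
-- Added example: FIM change volume per host and action, last 24 hours.
-- Uses the QualysFimMultiline log source and the 7.4.3+ property names
-- from this page; on the 7.3.3 family replace "Source Hostname" with
-- "Source Host Name". Ignored events are excluded by the event type filter.
SELECT
    "Source Hostname",
    "Action",
    COUNT(*) AS "Event Count",
    MIN(devicetime) AS "First Seen",   -- epoch milliseconds, as QRadar stores devicetime
    MAX(devicetime) AS "Last Seen"
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline'
  AND "Qradar Event Type" = 'FIM_EVENTS'
GROUP BY "Source Hostname", "Action"
ORDER BY "Event Count" DESC
LIMIT 50
LAST 24 HOURS
```

Run it from Log Activity > Advanced Search; hosts at the top of the result that are not in a known change window are the ones worth checking against the full field list above.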
For FIM Incidents and Incident Events
This AQL has all the fields that the app parses.
SELECT "Incident ID", "Incident Name", "Incident Status", "Incident Type", "Incident Approval Type", "Incident Approval Status",
"Incident Assignee", "Incident Change Type", "Incident Correlation Rule ID", "Incident Correlation Rule Name", "Incident Disposition Category"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimIncidents' AND "Qradar Data Type" = 'FIM_INCIDENTS'
With the upgrade to IBM QRadar® 7.4.3, some custom event properties were renamed and merged with the default custom properties.
Refer to Alias properties created for custom properties.
Use the following query if your QRadar version is in the 7.4.3 or later family:
SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces", "Asset Name", "Asset Tags",
"Attribute New", "Attribute Old", "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash",
"File Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content",
"New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id",
"Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rules Name", "Section ID", "Section Name",
"Severity Level", "Source Hostname", "User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd h:m:ss:SSS z') AS "Log Source Time"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline' AND "Qradar Event Type" = 'FIM_INCIDENT_EVENTS'
Use the following query if your QRadar version is in the 7.3.3 family:
SELECT "Absolute File Path", "Absolute Process Path", "Action", "Agent Version", "Asset Interfaces", "Asset Name", "Asset Tags",
"Attribute New", "Attribute Old", "Category Name", "Event Alert", "Event Type", "Event UUID", "File Certificate Hash",
"File Hash", "File Reputation Status", "File Trust Status", "Monitoring Profile", "New Content", "New Registry Value Content",
"New Registry Value Type", "Old Content", "Old Registry Value Content", "Old Registry Value Type", "Platform", "Process Id",
"Process Name", "Qradar Event Type", "Registry Name", "Registry Path", "Rules ID", "Rules Name", "Section ID", "Section Name",
"Severity Level", "Source Host Name", "User ID", DATEFORMAT(devicetime, 'yyyy-MM-dd h:m:ss:SSS z') AS "Log Source Time"
FROM events WHERE LOGSOURCENAME(logsourceid) = 'QualysFimMultiline' AND "Qradar Event Type" = 'FIM_INCIDENT_EVENTS'