QRadar Test Cheat Sheet
Fast tests

  Building Blocks

  Normalized Properties
    Identity Information
      - Identity username
      - Identity IP
      - Identity Host Name
      - Identity MAC
      - Identity Group Name
      - Identity Extended Field
      - Identity NetBios Name
    Additional Information
      - Protocol
      - Log Source
    Event Information
      - Event Name
      - Username
      - Relevance
      - Severity
      - Credibility
      - Event Category
      - Log Source Time
    Source and Destination Information
      - Source IP
      - Destination IP
      - Source Port
      - Destination Port
      - Source MAC
      - Destination MAC
      - Source IPv6
      - Destination IPv6
      - Pre NAT Source IP
      - Pre NAT Source Port
      - Post NAT Source Port
      - Post NAT Source IP
      - Pre NAT Destination IP
      - Pre NAT Destination Port
      - Post NAT Destination IP
      - Post NAT Destination Port

  Custom Properties
    Numerical tests are faster than all the others:
      - Boolean
      - Equality
      - Greater-than
      - Less-than
    Then come the alphanumerical comparisons:
      - Equality
      - Subset
Medium tests

  Medium tests are neither good nor bad per se; their cost depends on the context in which they are used.
  An AQL test can be very fast if it only compares a source IP, but very expensive if it calls the Lookup
  function with no narrower test placed before it.
  Reference Data tests can be very cheap if the scope is limited, either in the amount of data the rule
  tests or in the amount of data held in the reference data.

  - AQL tests
  - Reference Data
  Example of efficient tests:
    qid=65465477
    username='Unicorn'
    MyFavoriteCounterCP>69

  Example of inefficient tests:
    STR(username) ilike 'Unicorn'               -> ilike instead of a simple equality comparison
    LONG(SUBSTRING(UTF8(payload), 12, 18))>69   -> parsing the payload in the AQL filter instead of
                                                   using a Custom Property
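The point of the medium-test caveat above is test ordering: the same rule costs far less when the cheap numeric and equality tests run before the reference-data, payload and regex tests, because a failing cheap test short-circuits the rest. The simulation below is an added example, not QRadar's engine or the cheat sheet's own code; the cost weights, the reference set, the custom property name and the sample events are all constructed assumptions.

```python
import re

# Illustrative relative cost per test category (assumed weights, following the
# cheat sheet's ordering: numeric < alphanumeric < reference data < payload < regex).
COST = {"numeric": 1, "equality": 2, "refset": 5, "payload": 20, "regex": 40}

WATCHED_USERS = {"unicorn", "svc_backup"}  # constructed stand-in for a reference set

# Rule tests as written in the "slow tests first" order; each is (category, predicate).
TESTS = [
    ("regex", lambda e: re.search(r"Failed password for \w+ from", e["payload"]) is not None),
    ("payload", lambda e: "sshd" in e["payload"]),
    ("refset", lambda e: e["username"].lower() in WATCHED_USERS),
    ("equality", lambda e: e["username"] == "Unicorn"),
    ("numeric", lambda e: e["qid"] == 65465477 and e["MyFavoriteCounterCP"] > 69),
]

# Constructed sample events (QID, custom property values and payloads are made up).
EVENTS = [
    {"id": 1, "qid": 65465477, "MyFavoriteCounterCP": 70, "username": "Unicorn",
     "payload": "sshd: Failed password for root from 10.0.0.5"},
    {"id": 2, "qid": 1, "MyFavoriteCounterCP": 70, "username": "svc_backup",
     "payload": "sshd: Failed password for admin from 10.0.0.7"},
    {"id": 3, "qid": 65465477, "MyFavoriteCounterCP": 10, "username": "Unicorn",
     "payload": "cron: job finished"},
    {"id": 4, "qid": 65465477, "MyFavoriteCounterCP": 80, "username": "bob",
     "payload": "sshd: Failed password for bob from 10.0.0.9"},
    {"id": 5, "qid": 65465477, "MyFavoriteCounterCP": 90, "username": "Unicorn",
     "payload": "login ok for Unicorn"},
]

def evaluate(tests, events):
    """Evaluate the tests in the given order with short-circuit AND, as a rule
    engine does; return (ids of matching events, total cost units spent)."""
    matched, cost = [], 0
    for ev in events:
        for category, predicate in tests:
            cost += COST[category]       # the test is paid for as soon as it runs
            if not predicate(ev):
                break                    # a failing test stops the rule for this event
        else:
            matched.append(ev["id"])     # every test passed: the rule fires
    return matched, cost

def order_by_cost(tests):
    """Reorder the rule so the cheapest test categories run first."""
    return sorted(tests, key=lambda t: COST[t[0]])

if __name__ == "__main__":
    print(evaluate(TESTS, EVENTS))                 # ([1], 280)
    print(evaluate(order_by_cost(TESTS), EVENTS))  # ([1], 101)
```

Both orders fire on the same event; only the amount of work differs, and the gap grows with the share of events that fail the cheap tests.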
Slow tests

  - Payload contains
  - Match (regular expression)
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.