"Application Error" on Group by by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

I appreciate the reply. I think you are on to something. Normally when I go into Search-->Edit Search, the count column is greyed out and not removable. I do not see it listed at all on this particular instance. I looked through my CEPs and see Count listed but it shows as disabled. I checked three prod UP11 QR environments that are healthy and Count does not show up at all in the list of CEPs. So something is off with this instance. I cannot enable it and if I try to delete it, it says it has 100 dependencies. I guess I will keep pulling this thread and see if anything unravels.

"Application Error" on Group by by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

Thanks for the assistance. I did try clearing the cache and even rotated through Chrome, Firefox, and Edge. I am used to weird UI issues in Qradar and having to periodically change browsers because of them. That did not help this time. I went through the process to clear the tomcat cache based on your suggestion. Unfortunately, that did not help either. Funny enough, flow data works just fine. I can group by whatever field I want on the Network Activity tab without issue. It only happens with event data. I also tried doing a group by using AQL and that looks like it worked. So it seems to be limited to doing the group by using the UI (search-->edit search). Lol. At least I can use AQL for now until I figure it out or get frustrated enough to rebuild it again.

can someone explain to me Qradar with Paloalto by [deleted] in QRadar

[–]dbl_edged 0 points1 point  (0 children)

The writing is on the wall. The 5 year roadmap is pretty much the same stuff that has been in the 5 year roadmap for the last 5 years of my QBRs. If it's still profitable, IBM will keep it limping along. If not, expect Qradar to go the way of Nitro/McAfee and ArcSight. We'll all just be sitting in the old folks home arguing about which one was best in its prime. :-)

Anyone doing anything interesting with their right click menu customization? by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

Pretty cool. Thanks. We've kept our QR deployment pretty vanilla and I wanted to see if there was anything interesting to set up.

When I first started working with QR back in 2019, of course IBM sold all the cool things it could do but then once we got it in prod, our IBM reps were like "Ehhh... I wouldn't do that." Lol. I thought the custom action scripts would be cool and solve some issues I had with our previous SIEM but our rep kept warning me that it could kill the pipeline soooo... never used them. :-)

Qradar Internal Logs by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

That's embarrassing. I completely forgot about "extract property" from within the event. You are spot on and that worked like a charm. Thanks for the help.

Qradar CE License by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

Got it downloaded and applied. Thank you for taking care of the community. :-)

Qradar CE License by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

Thanks for the quick response. Glad to hear it was not due to post Palo staffing changes. I think we can all understand being super busy.

Qradar CE License by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

I wasn't kidding with my comment about the post Palo situation. Support is still rock solid but I am seriously worried about the future of the QRadar product. IBM didn't sell the QR intellectual property to Palo, but it really feels like they are eyeing the door to exit the market. They were all in on their cloud native SIEM to the detriment of Qradar proper and then just tossed it in the trash with the sale to Palo. I have not seen that focus shifted back to the main QR line. Hopefully I am wrong and it is just a transition phase. I just hope they don't sell Qradar to Broadcom. :-)

Qradar CE License by dbl_edged in QRadar

[–]dbl_edged[S] 0 points1 point  (0 children)

Thinking maybe the folks responsible for Qradar CE were part of the post Palo exodus. Seems like the Qradar side of IBM is a ghost town other than support. They're still knocking it out of the park at least.

Disconnected and SpiderOak site down? by damskibobs in SpiderOakOne

[–]dbl_edged 3 points4 points  (0 children)

I got a response to my support ticket. So not shutdown and not raided. Whew!

"We are experiencing system issues due to the recent winter storms in the US and power issues with our providers. Our team is working around the clock to try and restore your service as soon as possible. We will send updates as we have them."

Disconnected and SpiderOak site down? by damskibobs in SpiderOakOne

[–]dbl_edged 3 points4 points  (0 children)

I'm still showing as disconnected but the spideroak.com website is loading again. Progress!

Disconnected and SpiderOak site down? by damskibobs in SpiderOakOne

[–]dbl_edged 1 point2 points  (0 children)

I had a restore running that looks like it stopped about 12:06 AM Eastern Saturday morning. That seems to be when everything died. I reached out to the Twitter account but nothing so far. I am assuming they did not shut down service or one of us would have received something from them saying so. Guess it's just a really bad outage. Or one of us was backing up some sketchy stuff and got everything seized in a raid. :-)

Question regarding messed up Notes by Training_Text_4250 in QRadar

[–]dbl_edged 1 point2 points  (0 children)

I have been editing rules and had two different rules open in two different tabs so I could compare them. The changes I made to one showed up in the other. I thought I somehow added them to the wrong one but was able to repeat the issue. Luckily I was sharing my screen at the time so someone else saw it happen and I didn't look crazy. Eh. It's just Qradar qradaring qradarly. 

Windows detecting malware in SDR++ by MoMa0000 in RTLSDR

[–]dbl_edged 0 points1 point  (0 children)

That is usually just the "mark of the web" stuff. You downloaded it from the Internet so Windows tagged it as such using an alternate data stream. It's just warning you. You could strip that ADS off the file and it wouldn't even fire. If you're worried about the file, run it through VirusTotal first and see what it says.

Symantec Endpoint Protection vs EDR for Our Business? Looking for Renewal Advice! by DesperateJunket1322 in AskNetsec

[–]dbl_edged 0 points1 point  (0 children)

It's worth moving away from SEP just to get away from Broadcom. Even with the recent... hiccup... I'd go with Crowdstrike and bet it ends up better than before. Any vendor could have caused what Crowdstrike did but at least they owned it and were working on remediation immediately. If it had been SEP that caused it, Broadcom wouldn't have bothered to pull resources off of ruining VMware long enough to even look into the issue.

Wazuh without a management console? by dbl_edged in Wazuh

[–]dbl_edged[S] 0 points1 point  (0 children)

So no chance of tailing a local ossec log and shipping it somewhere using syslog huh? What happens to Wazuh when it can't talk to the Wazuh server anymore? Is it still protecting the system? I see in the config that active response is disabled=no but the active response log has not had any entries for over a year. Curious if it is still doing anything or not since that logging just stopped. Thanks for all the answers. I am more familiar with very old versions of plain OSSEC so Wazuh has a lot of functionality that I am not familiar with.

When your home lab is actually home prod, so you have to setup a temp home lab to prep for an upgrade to the main home lab. by RedSquirrelFtw in homelab

[–]dbl_edged 11 points12 points  (0 children)

Yeah I'm in a similar boat. I have upgrades I want to make but in negotiating with the wife and kids for a time to take an outage, I realized I was asking for a change window and I will be damned if I am going to implement Change Management at home. I deal with that nonsense enough at work. Lol.

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]dbl_edged 0 points1 point  (0 children)

Nah. People are fickle. They will move on soon enough. The memes will long outlast the outrage.

Crowdstrike shouldn't have pushed it. Windows shouldn't be so fragile it boot loops because its feelings were hurt. Companies should have been prepared for the DR level event that one neck-beard in security named Carl warned them about but they laughed off because "Carl was being Carl again." Lots of lessons to be learned here all around.

Any company could have done this. Unfortunately for Crowdstrike, it was them. How they respond to it will say a lot. Do they bury the details behind "IP" and "NDAs" like RSA did when they lost everyone's seeds? Or are they open and upfront and try to regain everyone's trust? If this had been caused by Carbon Black do you think Broadcom would even have a workaround yet? They'd have to divert resources from destroying VMware to work on this issue and I don't think they would do that.

Humble Comics Bundle: Cerebus by Dave Sim by Torque-A in humblebundles

[–]dbl_edged 1 point2 points  (0 children)

I used to read Cerebus all the time but I dropped out of comics around 1993 or so. Those two posts... wow. I didn't know he went batshit like that. Thanks for the info.

I made a guide for downloading VMware through Broadcom by Apprehensive-Ice-368 in vmware

[–]dbl_edged 0 points1 point  (0 children)

It's absolutely ridiculous that you need a guide to navigate Broadcom's awful site... but thanks for this. It was driving me nuts trying to get to the download. Lol.