Hi Community,

I was asked a question I could not answer quickly. Is it possible to delete specific events that should not be on QRadar? If an application mistakenly sent an event with credit card numbers, but obfuscation was not configured, I wanted to delete those events. Through the UI there is nothing related to event removal. How about through the CLI?

I know that there is /opt/qradar/bin/runjava.sh com.q1labs.ariel.io.ACP, but I couldn't really delete the events.

I tried to erase some events but it didnt work. I have some events, where the user „alex“ is included.

/opt/qradar/bin/runjava.sh com.q1labs.ariel.io.ACP -n events -b "2018/07/16 15:00:00" -e "2018/07/16 15:28:00" -q "username ilike 'alex'" -u admin -d /store/new_ariel1

I ran the command above and got the following:

AQL criteria: [username ilike 'alex'] User: admin Copying: [events] to /store/new_ariel2 Timeline from Mon Jul 16 15:00:00 CEST 2018 to Mon Jul 16 15:28:00 CEST 2018 Trying to copy dir: /store/ariel/events/records/2018/7/16/15[18-07-16,15:00:00] Reader started ... Processing interval /store/ariel/events/records/2018/7/16/15/events~29_0~cba14a1d01a0418e~864a36edac47ff84~0[18-07-16,15:29:00] […] Reader stopped. Written 3 records, Skipped 398826 records

Completed copying dir: /store/ariel/events/records/2018/7/16/15[18-07-16,15:00:00]

The events were copied to /store/ariel/new_ariel2

I thought that the qradar would move the old events to /store/ariel/new_ariel2 and then filter out „alex“ from the original events at „/store/ariel/ .

If I run:

select username, count(*) as total from events where username ilike 'alex' group by username order by total desc limit 100 last 30 minutes

I am still able to see „alex“ on Qradar. Have I slipped up somewhere?

I also tried to move the content from /store/new_ariel2 to /store/ariel and found out that the events were duplicated. It seems that filtering did not work…

Thank you!

Best Regards,

Bruno