Most analysts think…
Many QRadar users treat the search bar as a last resort — something you only open when an offense has already fired. That leaves most of the Ariel database untouched and most operational questions unanswered.
AQL is a first-class investigation tool. Write it, save it, pin it to a dashboard, schedule it as a report, and accumulate it for long-term trending. Understanding that four-step pipeline — query → save → visualise → report — is what separates analysts who react to offenses from engineers who proactively hunt across months of data with a few lines of SQL-like syntax.
① Ariel Query Language — the SQL of QRadar
AQL (Ariel Query Language) is a SQL-like language for querying the Ariel database. The two primary tables are events (log data from all log sources) and flows (network session data from QFlow collectors and external flow sources such as NetFlow or IPFIX). A basic search follows standard SQL structure: SELECT picks columns, FROM names the table, WHERE filters, GROUP BY aggregates, and ORDER BY sorts results. The one structural difference from SQL is that the time range is its own clause and sits at the end of the statement, after ORDER BY and LIMIT.
A simple example: SELECT sourceip, destinationip, eventcount FROM events WHERE CATEGORYNAME(category) = 'User Login Failure' LAST 24 HOURS returns the user login failures of the last day. The LAST n MINUTES/HOURS/DAYS clause is QRadar-specific and avoids timestamp arithmetic; START 'yyyy-MM-dd HH:mm' STOP 'yyyy-MM-dd HH:mm' gives an absolute window instead. Filtering on the numeric low-level category id (WHERE category = id) is cheaper than a name lookup evaluated per event, so for a saved search look the id up once by grouping on category with CATEGORYNAME beside it, then use the integer. Do not copy a category number from a tutorial unverified: a wrong id does not error, it returns an empty result that looks like good news.
Common aggregate patterns: COUNT(*) with GROUP BY username counts events per user, SUM(eventcount) gives true totals (QRadar coalesces identical events into one record whose eventcount can be greater than one, so COUNT(*) alone under-reports), and UNIQUECOUNT(sourceip), a QRadar extension, counts distinct source IPs. Keywords and built-in field names are case-insensitive; custom event property names are matched as defined and must be double-quoted when they contain spaces. The same AQL runs unchanged from the console search bar, the Ariel REST API (POST /api/ariel/searches) and scheduled reports, so the query you debug interactively is the one you automate.
Raw AQL returns numeric QIDs, category ids and protocol numbers. Wrap them: QIDNAME(qid) returns the event name, CATEGORYNAME(category) the low-level category label, PROTOCOLNAME(protocolid) the protocol name and LOGSOURCENAME(logsourceid) the log source name. Add these to your SELECT and the results are readable without a lookup table; keep the raw column (qid, category, logsourceid) in the GROUP BY so the aggregation runs on the integer.
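As an added worked example, not taken from the lesson's sources or from IBM's own documentation, the following two queries apply the pattern above to the lesson's failed-login case. The first is run once to discover which low-level categories your log sources actually emit for login failures; the second is the aggregation to save. The LIKE pattern, the 20-failure threshold and the LIMIT are illustrative choices. AQL has no comment syntax, so the explanation stays here in the text rather than inside the queries.

```sql
SELECT category, CATEGORYNAME(category) AS categoryname, COUNT(*) AS cnt
FROM events
WHERE CATEGORYNAME(category) LIKE '%Login Failure%'
GROUP BY category
ORDER BY cnt DESC
LAST 7 DAYS

SELECT username,
       QIDNAME(qid) AS eventname,
       LOGSOURCENAME(logsourceid) AS logsource,
       COUNT(*) AS failures,
       SUM(eventcount) AS rawevents,
       UNIQUECOUNT(sourceip) AS sources
FROM events
WHERE CATEGORYNAME(category) LIKE '%Login Failure%'
  AND username IS NOT NULL
GROUP BY username, qid, logsourceid
HAVING COUNT(*) >= 20
ORDER BY failures DESC
LIMIT 50
LAST 24 HOURS
```

Paste each statement separately into Log Activity ▸ Advanced Search. Once the first query has told you which category ids are in use, replace the CATEGORYNAME filter in the second with WHERE category IN (…) listing those integers, so the saved search filters on the indexed numeric column rather than evaluating a name lookup per event. The rawevents column is there because QRadar coalesces identical events into one record with eventcount greater than one; a brute-force burst against one account can show as a handful of rows whose rawevents is in the thousands, and the sources column separates one noisy host from a distributed attempt.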
Which AQL time clause avoids manual timestamp arithmetic in a QRadar search?
② Saved searches — your reusable baseline
Once a search returns the results you need, click Save Criteria to persist it under a name visible to you or shared with all users. A saved search stores the full AQL (or GUI filter set), the selected columns, the default time range and the sort order. Shared saved searches are the team's canonical baseline — everyone runs the same query, so counts are comparable across shifts.
Quick filters and column management
On the results page you can apply Quick Filters on top of the saved criteria without rewriting AQL, which is useful for pivoting on a single IP or username during an investigation. The column definition step in Edit Search adds QRadar-enriched fields such as asset data, geographic location or custom properties without touching the underlying AQL. Indexing is a property-level setting, not a flag on the search: in Admin ▸ Index Management you index the properties your searches filter on most (username, sourceip, a custom property), and a WHERE clause that hits an indexed property is served from the index instead of a payload scan. Pre-computed results are a different mechanism, data accumulation, which starts when you enable time-series capture on a grouped saved search.
Name discipline matters: prefix team searches with a category tag (e.g. [SOC] Failed logins by user) so they sort together. Export saved searches with the Content Management Tool (/opt/qradar/bin/contentManagement.pl) for change management and import them into a new deployment or staging environment.
What is the main benefit of indexing, in Admin ▸ Index Management, a property that a saved search filters on?
③ Dashboards and time-series visualisations
QRadar dashboards are composed of dashboard items — each item is a saved search, an offense summary, a system health widget or a custom chart. To add a search result as a chart: open the search, click Add to Dashboard, choose a chart type (bar, line, pie, table) and pick a target dashboard. The chart refreshes on the dashboard's configured poll interval.
Time-series items are the most powerful. Instead of a single count, a time-series chart shows how an event count or flow volume changed over time, which is essential for spotting slow-burn attacks, usage anomalies and baseline drift. A time-series chart needs a grouped saved search with an aggregate (COUNT, SUM, UNIQUECOUNT); when you enable time-series capture for it, QRadar starts accumulating that aggregate at each interval, and the chart plots the stored points rather than re-running the raw query over the whole window. Multiple saved searches on one dashboard give you correlated views: failed logins next to successful logins next to VPN connections on the same time axis tells a story that individual tables cannot.
Role-based dashboard sharing means a CISO dashboard shows executive KPIs while an L1 analyst dashboard shows live offense counts and source-IP heat maps — both drawing from the same saved searches underneath. Keep dashboard item counts reasonable; too many simultaneous refreshes slow the console for everyone.
Every non-time-series dashboard item re-runs its search on its poll interval; time-series items read accumulated points and are cheap to refresh. If ten analysts each have dashboards with twenty items refreshing every minute, the Ariel query engine is under constant load. Group related searches into fewer items, set realistic poll intervals (five or ten minutes for most charts), use time-series items for the highest-traffic widgets, and make sure the properties those searches filter on are indexed.
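The hourly series behind such a chart, as an added example that is not part of the lesson or of IBM's documentation: this AQL buckets failed logins by hour for the last 30 days, which is what a time-series item plots once the saved search has capture enabled. It assumes your release accepts the column alias in GROUP BY and ORDER BY (if it does not, repeat the DATEFORMAT expression in those clauses); the LIKE filter is illustrative, as above.

```sql
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:00') AS hourbucket,
       COUNT(*) AS failures,
       UNIQUECOUNT(username) AS users,
       UNIQUECOUNT(sourceip) AS sources
FROM events
WHERE CATEGORYNAME(category) LIKE '%Login Failure%'
GROUP BY hourbucket
ORDER BY hourbucket ASC
LAST 30 DAYS
```

Run interactively, this scans 30 days of raw events every time, which is exactly the load the previous paragraph warns about; saving it as a grouped search and enabling time-series capture is what lets QRadar keep the hourly points so the dashboard item reads them instead. The pattern string follows Java SimpleDateFormat, so 'yyyy-MM-dd' alone gives daily buckets for a 12-month view. The two distinct-count columns make the chart diagnostic rather than decorative: failures climbing while users stays flat points to brute force against a few accounts, while failures and users climbing together from a small number of sources points to a password spray.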
A CISO wants to see failed login counts per hour over the last 30 days on their executive dashboard. What is the right QRadar feature combination?
④ Scheduled reports and data accumulation
Reports in QRadar are scheduled output documents — HTML or PDF — that combine one or more saved searches, charts and text containers. The Report Wizard walks you through: choose a template, add content containers (charts, tables, free text), set a schedule (daily, weekly, monthly, on-demand) and set recipients. Reports can be emailed directly from QRadar or placed in a shared folder. A weekly firewall summary or a monthly executive compliance report is a three-minute setup once your saved searches exist.
Data accumulation — surviving the retention window
Data accumulation is the answer to 'we only keep 90 days of raw events but I need six months of trend data'. You configure an accumulation profile against a saved search: QRadar runs the aggregation query periodically and writes the rolled-up counts to the accumulation store. Trend reports then query the accumulation data, not the raw Ariel tables. This lets you show monthly login-failure trends, quarterly bandwidth summaries or year-over-year security posture metrics without bloating raw storage. Combine accumulation data with a time-series dashboard item and you get a living trend chart that updates automatically.
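The accumulated points can also be queried directly, as an added example that is not from the lesson or from IBM's documentation. The AQL reference documents a GLOBALVIEW(saved search name, interval) source for this, with NORMAL, HOURLY and DAILY intervals; the query below assumes that function is available in your release, that the saved search named here (the example name from the saved-search section) exists with time-series capture enabled, and the dates are placeholders.

```sql
SELECT *
FROM GLOBALVIEW('[SOC] Failed logins by user', 'DAILY')
START '2024-01-01 00:00' STOP '2024-06-30 23:59'
```

Because this reads the accumulation store, the window can reach back past the raw retention limit; the same six-month START/STOP against the events table returns nothing older than the retention window. It doubles as the practitioner's check for a stalled profile: if the most recent row is days old while the raw search still shows events, accumulation has stopped, and the gap cannot be back-filled once the raw events expire.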
Priya at a Mumbai fintech faces this
Priya's L1 team runs a manual AQL search every morning to count failed logins by user, copying results into a spreadsheet. There is no visibility into trends, and last month's data is already gone past the 60-day Ariel retention window.
No saved searches, no dashboards and no data accumulation profile are configured — every insight is one-off and ephemeral.
Open QRadar ▸ Log Activity ▸ Advanced Search — the AQL is sound but never saved. Dashboards tab shows only default system items. Report Wizard has not been used.
Log Activity ▸ Save Criteria + Dashboards ▸ Add Item + Admin ▸ Data Accumulation. Save the AQL as a shared search, pin it as a time-series dashboard item (grouped per day), schedule a weekly HTML report for the CISO, and create a data accumulation profile so monthly counts persist beyond 60 days.
The dashboard auto-refreshes hourly. The CISO receives the weekly report by email. Six months later, the accumulation store still shows the month-over-month trend even though raw events have long rolled off.
Go to Admin ▸ Data Accumulation ▸ Manage Profiles and verify the Last Run timestamp and status for each profile. A profile that silently failed will show stale results in your trend reports — and by the time you notice, the raw events have already rolled off and cannot be re-accumulated.
QRadar retains raw events for 90 days but management needs a 12-month login-failure trend. What solves this?
📖 Glossary
- AQL (Ariel Query Language)
- The SQL-like query language used to search events and flows in the QRadar Ariel database. Supports SELECT, FROM, WHERE, GROUP BY, HAVING, ORDER BY and LIMIT plus QRadar extensions such as LAST n HOURS, START/STOP, QIDNAME(), CATEGORYNAME() and UNIQUECOUNT().
- Ariel database
- QRadar's internal columnar time-series store for all normalized events and flows. The events and flows tables are the primary AQL targets.
- Saved search
- A named, shareable AQL query with column configuration and time range, stored in QRadar. Shared saved searches give the whole team a consistent baseline.
- Dashboard item
- A widget on a QRadar dashboard that renders a saved search as a chart (bar, line, pie or table) and auto-refreshes on a configured poll interval.
- Time-series chart
- A dashboard item that groups a saved search result by time (per hour, per day) to show how event or flow volumes change over a period.
- Data accumulation
- A QRadar feature that runs a saved search's aggregation on a schedule and writes rolled-up counts to a separate store, preserving trend data beyond the raw Ariel retention window.
- QIDNAME()
- An AQL function that converts a raw numeric QID (event identifier) into its human-readable event name, making query results immediately readable. CATEGORYNAME(), PROTOCOLNAME() and LOGSOURCENAME() do the same for category ids, protocol numbers and log source ids.
- Scheduled report
- A QRadar report that automatically combines saved searches and charts into an HTML or PDF document and emails it to configured recipients on its configured schedule (daily, weekly, monthly or on demand).
What's next?
Mastered searches and reports? Next, learn how QRadar offenses are created and managed — how the correlation engine groups related events into a single offense, how to tune offense rules, and how to work a SOC queue end-to-end.