I get an error message when I try to use this query. It works in the Advanced Search tab in Log Activity. But when I write it into the AQL filter query area of the Rule Wizard, it gives an "AQL no viable alternative at input SELECT" warning. I got this query from the Sigma translator, btw.
SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))
Answer 0: (score: 0)
When creating an AQL-based rule in QRadar, you only put in the statement that comes after WHERE.
In your case:
(((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))
It will then run that statement against the logs and trigger an offense.
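As an added example (not code from the question or the answer above), a small Python helper that performs the conversion the answer describes: it takes the Sigma-translated `SELECT ... FROM events WHERE ...` statement and keeps only the WHERE clause for the Rule Wizard filter. It also, on the assumption that a SELECT alias such as `search_payload` is not defined once the SELECT part is dropped, optionally expands the alias back to its original expression.

```python
import re

# Constructed sample input: the AQL statement from the question, as produced by the Sigma translator.
SIGMA_AQL = (
    "SELECT UTF8(payload) as search_payload from events where "
    "(((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) "
    "and (((\"EventID\"='1' and search_payload ilike 'C:\\Windows\\SysWOW64\\cmd.exe' "
    "and search_payload ilike '%\\Windows\\Caches\\NavShExt.dll %')) "
    "or ((\"EventID\"='1' and search_payload ilike "
    "'%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting'))))"
)

# Matches "SELECT <cols> FROM events WHERE <where>", case-insensitively, across line breaks.
_SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+events\s+where\s+(?P<where>.+)$",
    re.IGNORECASE | re.DOTALL,
)
# Matches one selected column of the form "<expression> AS <alias>".
_ALIAS_RE = re.compile(r"^\s*(?P<expr>.+?)\s+as\s+(?P<alias>\w+)\s*$", re.IGNORECASE)


def split_aql(statement):
    """Return (aliases, where_clause) from a 'SELECT ... FROM events WHERE ...' statement.

    aliases maps each SELECT alias to the expression it stands for, e.g.
    {'search_payload': 'UTF8(payload)'}.  Columns are split on commas, so this
    helper assumes no commas inside the selected expressions themselves.
    """
    m = _SELECT_RE.match(statement)
    if not m:
        raise ValueError("expected a statement of the form 'SELECT ... FROM events WHERE ...'")
    aliases = {}
    for col in m.group("cols").split(","):
        am = _ALIAS_RE.match(col)
        if am:
            aliases[am.group("alias")] = am.group("expr")
    return aliases, m.group("where").strip()


def rule_filter(statement, expand_aliases=True):
    """Build the Rule Wizard filter text: the WHERE clause only.

    With expand_aliases=True, every whole-word use of a SELECT alias in the WHERE
    clause is replaced by its expression (assumption: the alias is not available
    to the rule filter once the SELECT part is removed).
    """
    aliases, where = split_aql(statement)
    if expand_aliases:
        for alias, expr in aliases.items():
            where = re.sub(r"\b%s\b" % re.escape(alias), lambda _m, e=expr: e, where)
    return where
```

`rule_filter(SIGMA_AQL, expand_aliases=False)` yields exactly the clause quoted in the answer; the default expands `search_payload` to `UTF8(payload)`.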