
I get an error when trying to use this query. It works in the Advanced Search tab of Log Activity, but when I paste it into the AQL filter query area of the rule wizard it shows a warning. By the way, I got this query from the Sigma translator. AQL no viable alternative at input SELECT

SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))

1 Answer


When creating an AQL-based rule in QRadar, you only put the statement that comes after WHERE.

In your case:

(((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))

It will then run that statement against the logs and fire the offense.

Answered 2018-10-22T18:14:05.020
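The conversion the answer describes (keep only what follows WHERE) is easy to do by hand once, but detection engineers who push many Sigma-translated queries into the rule wizard usually script it. The helper below is an added example, not code from the question, the answer, Sigma or QRadar. It extracts the WHERE body from a `SELECT ... FROM ... WHERE ...` query and, optionally, inlines any `expr AS alias` from the SELECT list into the filter. The inlining is offered on the assumption that the rule filter has no SELECT clause of its own in which an alias such as `search_payload` could be defined; the sample query is the one from the question, embedded as a constructed string.

```python
import re

# Constructed sample: the Sigma-translated AQL query from the question.
# A raw string keeps the Windows path backslashes literal.
SIGMA_AQL = r"""SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))"""

# SELECT <cols> FROM <table> WHERE <where>; case-insensitive, WHERE body may span lines.
_SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+\w+\s+WHERE\s+(?P<where>.+?)\s*$",
    re.IGNORECASE | re.DOTALL,
)
# One SELECT-list entry of the form "<expr> AS <alias>".
_ALIAS_RE = re.compile(r"^\s*(?P<expr>.+?)\s+AS\s+(?P<alias>\w+)\s*$", re.IGNORECASE)


def parse_aliases(cols):
    """Map each 'expr AS alias' in the SELECT list to its expression.

    Limitation (by design, to stay short): the list is split on commas, so a
    SELECT expression that itself contains a comma is not handled.
    """
    aliases = {}
    for col in cols.split(","):
        m = _ALIAS_RE.match(col)
        if m:
            aliases[m.group("alias")] = m.group("expr").strip()
    return aliases


def _replace_outside_quotes(text, alias, expr):
    """Replace whole-word occurrences of alias with expr, leaving
    single-quoted string literals (the search patterns) untouched."""
    # Splitting with a capturing group alternates: [code, 'quoted', code, ...]
    parts = re.split(r"('(?:[^']|'')*')", text)
    word = re.compile(r"\b%s\b" % re.escape(alias))
    for i in range(0, len(parts), 2):  # even indices are outside quotes
        # lambda avoids backslash processing in the replacement expression
        parts[i] = word.sub(lambda _m: expr, parts[i])
    return "".join(parts)


def to_rule_filter(query, inline_aliases=True):
    """Return the part of an AQL query that the rule wizard filter accepts:
    the WHERE body only. With inline_aliases=True, SELECT aliases are
    expanded to their expressions (assumption: the rule filter defines none).
    """
    m = _SELECT_RE.match(query)
    if not m:
        raise ValueError("expected a SELECT ... FROM ... WHERE ... query")
    where = m.group("where")
    if inline_aliases:
        for alias, expr in parse_aliases(m.group("cols")).items():
            where = _replace_outside_quotes(where, alias, expr)
    return where


if __name__ == "__main__":
    print("WHERE body as in the answer:")
    print(to_rule_filter(SIGMA_AQL, inline_aliases=False))
    print("\nWHERE body with the alias expanded:")
    print(to_rule_filter(SIGMA_AQL))
```

Run it and paste the printed filter into the rule wizard; the first form is exactly what the answer gives, the second avoids relying on an alias that the filter has no SELECT clause to define.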