QRadar: AQL Tutorial Part 1. Documentation and basic syntax.

Показать описание

Special Thanks to Mutaz Alsallal (IBM Poland) for the material shown here.
Here are some of the AQL commands so you can copy/paste:
select * from events START '2016-06-07 10:29:00' STOP '2016-06-07 13:53:00'
SELECT * FROM events WHERE magnitude BETWEEN 1 AND 5
SELECT * FROM events WHERE sourceip = '192.168.60.56' and destinationip != '64.4.44.76' START '2016-06-07 10:29:00' STOP '2016-06-07 13:53:00'
select * from events where not INCIDR('9.128.28.0/24',sourceip)
SELECT qidname(qid), * FROM events WHERE qidname(qid) ILIKE '%logon%' START '2016-06-07 10:29:00' STOP '2016-06-07 13:53:00'

Рекомендации по теме

Комментарии

wow I learnt too fast from your video thank you

anamariedevera

Hum, I do not think there is a way of adding comments in AQL and I do not see how practical that would be., unless you run them from a script or API call in which case you can documented as part of the script or python call. Please excuse me if I did not understand you question.

jbravovideos

Is there a way to suppress output columns?
For example if I want to do a sub-query that uses an aggregator, (eg. UNIQUECOUNT) I don't want the count column in the subquery.
eg. if this was the query how do I suppress the dcount column?
select computer, UNIQUECOUNT(signature) as dcount from events where signature is not null group by computer having dcount > 5 last 10 days.

simple-security

Is there a way to add comments to your AQL? or to comment out some of the lines?
eg.
select * from events
// where bob = "bob" // this line is commented out
// this is a comment //

simple-security

Hi Josh, I want help from you. I want to make a report of system health using AQL in which columns are elements, hostname, metricID (DiskSpaceUsed) and ('DiskSpaceTotal).
Following is the Query, I have an issue in that query it return actual data but return 2 rows of same columns, group by not working, kindly help me please

SELECT "Hostname", element AS Partiton_Name, MAX(value/(1024*1024*1024)) AS 'DiskUsedInGB', max(value/(1024*1024*1024)) AS 'DiskTotalSpace'
FROM events
WHERE LOGSOURCENAME(logsourceid)
ILIKE '%%health%%' AND "Metric ID"='DiskSpaceUsed' OR "Metric ID"='DiskSpaceTotal' GROUP BY element, "Metric ID"
LAST 2 MINUTES

Let me know if have any question
Thanks

umerahmed

Hi Jose!
How can I query through whole events(not just 5 minutes or a fixed period of time)?

lenashynkarenko

QRadar: AQL Tutorial Part 1. Documentation and basic syntax.

QRadar: AQL Tutorial Part 1. Documentation and basic syntax.

QRadar: Performing AQL searches Part 1

IBM QRadar AQL for IR - Part 1

QRadar Application Example with AQL via REST API Part 1

QRadar Flow Tutorial. Part One

QRadar: AQL Tutorial Part 2. Very useful AQL functions:

QRadar DSM Tutorial Part One

QRadar Tutorial Part 1 Offenses 1025, 885 and 953

Show QRadar in 30 minutes, no power no point, Part 1

QRadar Detecting Sophisticated Attacks on Windows Part One

Simple Tricks To Improve your QRadar Part One

Advanced Searches in QRadar. Part 1: Introduction

Mapping Flows to Applications in QRadar, Part 1

QRadar basics and Big Data

QRadar AQL Tutorial Part 4. Investigating APTs using AQL

QRadar AQL Tutorial Part 3. Leveraging the X-Force calls:

Searching in QRadar Part One: Ariel Searches

Qradar AQL Tutorial Part 6 Custom Functions

QRadar: Mainframe logs in real time Part One

Section 14 - Working with the API - Lecture 1: QRadar API Basics

QRadar UBA version 1 2

QRadar Searches in Six Minutes

QRadar AQL Tutorial Part 5. Nested IF/ELSE and CASE statements

Tutorial: QRadar CE SIEM - Installation and Configuration (Complete Steps)