QRadar - AQL no viable alternative at input SELECT
I'm getting an error when I try to use this query. It works in the Advanced Search tab in Log Activity. But when I write it into the rule wizard's AQL filter query area, it prompts the warning
AQL no viable alternative at input SELECT
I got this query from the Sigma translator, btw.
SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))
When creating rules in QRadar based on AQL you only put the statements that come after the WHERE.
In your case:
(((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\\Windows\\SysWOW64\\cmd.exe' and search_payload ilike '%\\Windows\\Caches\\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting'))))
It will then run that statement against the logs and trigger offenses.
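A helper that does this conversion mechanically, added here as an example (it is not part of the question, the answer, or any QRadar or Sigma tooling): it strips the `SELECT ... FROM ... WHERE` prefix from the Sigma-translated statement and returns only the filter text for the rule wizard. It also works on the assumption that an alias declared in the SELECT list (`search_payload` here) can no longer be resolved once that list is dropped, so it substitutes the alias's expression (`UTF8(payload)`) back into the filter, leaving quoted strings and double-quoted identifiers such as `"EventID"` untouched. The sample input is the query from the question, embedded as a constructed string.

```python
import re

# Constructed sample input: the single-line AQL statement from the question,
# exactly as the Sigma translator emitted it (fine for Log Activity search,
# rejected by the rule wizard's filter box because of the leading SELECT).
SIGMA_AQL = r"""SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))"""

# SELECT <cols> FROM <table> WHERE <filter>, case-insensitive, optional trailing ';'
_STATEMENT = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)\s+where\s+(?P<where>.+?)\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)
# "<expr> AS <alias>" inside one SELECT-list column
_AS_ALIAS = re.compile(r"^(?P<expr>.+?)\s+as\s+(?P<alias>\w+)$", re.IGNORECASE | re.DOTALL)


def split_top_level(text, sep=","):
    """Split on `sep` only when outside parentheses and outside quoted text."""
    parts, depth, quote, buf = [], 0, None, []
    for ch in text:
        if quote:                      # inside '...' or "..." : copy verbatim
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == "(":
            depth += 1
            buf.append(ch)
        elif ch == ")":
            depth -= 1
            buf.append(ch)
        elif ch == sep and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts


def select_aliases(query):
    """Map every `expr AS alias` in the SELECT list to its expression."""
    m = _STATEMENT.match(query)
    if not m:
        return {}
    aliases = {}
    for col in split_top_level(m.group("cols")):
        am = _AS_ALIAS.match(col)
        if am:
            aliases[am.group("alias")] = am.group("expr").strip()
    return aliases


def _expand_outside_quotes(text, aliases):
    """Replace whole-word alias references with their expressions, but never
    inside '...' string literals or "..." quoted identifiers."""
    if not aliases:
        return text
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, aliases)) + r")\b")
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch in ("'", '"'):           # copy the quoted run untouched
            end = text.find(ch, i + 1)
            end = len(text) - 1 if end == -1 else end
            out.append(text[i:end + 1])
            i = end + 1
        else:                          # unquoted run: substitute aliases
            j = i
            while j < len(text) and text[j] not in ("'", '"'):
                j += 1
            out.append(pattern.sub(lambda mm: aliases[mm.group(1)], text[i:j]))
            i = j
    return "".join(out)


def to_rule_filter(query):
    """Return what belongs in the rule wizard's AQL filter box: the text after
    WHERE, with SELECT aliases expanded because the SELECT list is dropped.
    Input without a SELECT prefix is assumed to be a filter already."""
    m = _STATEMENT.match(query)
    if not m:
        return query.strip()
    return _expand_outside_quotes(m.group("where"), select_aliases(query))


if __name__ == "__main__":
    print(to_rule_filter(SIGMA_AQL))
```

Paste the printed text, not the original statement, into the rule wizard. The alias expansion is the reason for the extra machinery: a bare copy of everything after `WHERE` would still reference `search_payload`, which only the discarded SELECT list defined.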