
QRadar - AQL no viable alternative at input SELECT

I'm getting an error when I try to use this query. It works in the advanced search tab in log activity. But when I write it into the rule wizard AQL filter query area, it prompts the warning AQL no viable alternative at input SELECT. I got this query from Sigma Translator btw.

SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))

When creating rules in QRadar based on AQL you only put the statements that come after the WHERE.

In your case:

 (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\\Windows\\SysWOW64\\cmd.exe' and search_payload ilike '%\\Windows\\Caches\\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting')))) 

It will then run that statement against the logs and trigger offenses.
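The answer above boils down to one mechanical transformation: keep the expression after WHERE and drop the rest. The following Python helper, added here as a worked example and not code from the post or from IBM QRadar, splits a Sigma-translated AQL statement into its SELECT list, source and WHERE clause and returns the WHERE expression for the rule wizard. It additionally assumes (an assumption, not something the page states) that an alias declared in the SELECT list, such as search_payload here, is no longer defined once the SELECT is dropped, so it inlines the aliased expression UTF8(payload) in place of the alias, while leaving single-quoted literals untouched. The statement parser is a simplification that assumes the keywords FROM and WHERE do not occur inside string literals.

```python
import re

# Constructed sample: the Sigma-translated AQL statement from the question above
# (Python escaping: "\\" in this source is one literal backslash in the query).
FULL_QUERY = (
    "SELECT UTF8(payload) as search_payload from events where "
    "(((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) "
    "and (((\"EventID\"='1' and search_payload ilike 'C:\\Windows\\SysWOW64\\cmd.exe' "
    "and search_payload ilike '%\\Windows\\Caches\\NavShExt.dll %')) "
    "or ((\"EventID\"='1' and search_payload ilike "
    "'%\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting'))))"
)

# Simplification: assumes FROM and WHERE do not occur inside string literals.
_STATEMENT_RE = re.compile(
    r"^\s*select\s+(?P<select>.+?)\s+from\s+(?P<source>\w+)\s+where\s+(?P<where>.+?)\s*$",
    re.IGNORECASE | re.DOTALL,
)
_ALIAS_RE = re.compile(r"^(?P<expr>.+?)\s+as\s+(?P<alias>\w+)$", re.IGNORECASE | re.DOTALL)


def split_top_level(text):
    """Split a SELECT list on commas that sit outside parentheses and quotes."""
    items, current, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                items.append("".join(current).strip())
                current = []
                continue
        current.append(ch)
    tail = "".join(current).strip()
    if tail:
        items.append(tail)
    return items


def split_aql(query):
    """Return (select_list, source, where_clause) of a SELECT ... FROM ... WHERE ... statement."""
    m = _STATEMENT_RE.match(query)
    if not m:
        raise ValueError("expected a statement of the form SELECT ... FROM ... WHERE ...")
    return m.group("select"), m.group("source"), m.group("where")


def select_aliases(select_list):
    """Map alias -> expression for SELECT items written as '<expr> AS <alias>'."""
    aliases = {}
    for item in split_top_level(select_list):
        m = _ALIAS_RE.match(item)
        if m:
            aliases[m.group("alias")] = m.group("expr").strip()
    return aliases


def inline_aliases(where_clause, aliases):
    """Replace alias names in the WHERE clause with their expressions. A single-quoted
    literal is matched first, so an alias-looking word inside a literal is never rewritten."""
    if not aliases:
        return where_clause
    names = "|".join(re.escape(a) for a in sorted(aliases, key=len, reverse=True))
    pattern = re.compile(r"'(?:[^']|'')*'|\b(" + names + r")\b")
    return pattern.sub(lambda m: aliases[m.group(1)] if m.group(1) else m.group(0), where_clause)


def to_rule_filter(query):
    """Turn a full AQL statement into the expression the rule wizard expects.
    A query without a leading SELECT is treated as an already bare filter and returned as-is."""
    stripped = query.strip()
    if not stripped.lower().startswith("select"):
        return stripped
    select_list, _source, where_clause = split_aql(stripped)
    # Assumption (not stated on the page): once the SELECT is dropped its aliases
    # are unknown to the rule, so the aliased expression is inlined in their place.
    return inline_aliases(where_clause, select_aliases(select_list))


if __name__ == "__main__":
    print(to_rule_filter(FULL_QUERY))
```

Running the block prints the WHERE expression with UTF8(payload) substituted for each of the three search_payload occurrences, which is the text to paste into the rule wizard filter area under the assumption above; if the rule wizard in your QRadar version does accept the alias, pass the result of split_aql directly instead.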
