
I'm getting an error when I try to use this query. It works in the Advanced Search tab in Log Activity, but when I write it into the rule wizard's AQL filter query area, it prompts an "AQL no viable alternative at input SELECT" warning. I got this query from Sigma Translator, btw.

SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))
  • When you want to use QRadar AQL statements in a custom rule, you have to use a WHERE clause. It is the part after the WHERE statement. – ibtavsan Dec 10 '18 at 06:45

1 Answer


When creating rules in QRadar based on AQL, you only put the statements that come after the WHERE.

In your case:

(((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))

It will then run that statement against the logs and trigger offenses.
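Two things a practitioner will want on top of the answer above, as an added example that is not part of the answer or of QRadar itself. First, the rule wizard filter has no SELECT list, so the alias search_payload that the Sigma output defined in its SELECT is not available there; the filter has to use the expression it stood for, UTF8(payload), in its place. Second, the conversion is mechanical enough to script. The helper below takes a full AQL search of the shape the converter emits (SELECT ... FROM events WHERE ...), keeps only the WHERE body, expands SELECT aliases in it (outside string literals) and drops any trailing GROUP BY / ORDER BY / LIMIT / LAST / START clause, which the rule filter has no place for. The function names and the second sample query are mine; the first sample is the query from the question.

```python
"""Turn a full AQL search (what Sigma converters emit) into the WHERE-only
filter that the QRadar rule wizard's AQL filter accepts.

Assumptions (not from the page): the filter takes just the condition, so SELECT
aliases must be replaced by their expressions, and trailing GROUP BY / ORDER BY /
LIMIT / LAST / START clauses have to go.
"""
import re

_HEAD = re.compile(
    r"^\s*SELECT\s+(?P<cols>.*?)\s+FROM\s+\w+\s+WHERE\s+(?P<where>.*?)\s*$",
    re.I | re.S,
)
_ALIAS = re.compile(r"^(?P<expr>.+?)\s+AS\s+(?P<alias>\w+)$", re.I | re.S)
_TRAILER = re.compile(r"(GROUP\s+BY|ORDER\s+BY|LIMIT|LAST|START)\b", re.I)
_QUOTED = re.compile(r"""('[^']*'|"[^"]*")""")  # string literals and "quoted" field names


def _split_top_level(text, sep=","):
    """Split on `sep` only outside quotes and parentheses (for the SELECT list)."""
    parts, buf, depth, quote = [], [], 0, None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _cut_trailer(where):
    """Drop a top-level GROUP BY/ORDER BY/LIMIT/LAST/START tail; text inside
    quotes or parentheses is never treated as a keyword."""
    depth, quote = 0, None
    for i, ch in enumerate(where):
        if quote:
            if ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and (i == 0 or where[i - 1].isspace()) and _TRAILER.match(where, i):
            return where[:i].rstrip()
    return where


def select_aliases(cols):
    """Map alias -> expression for every `expr AS alias` in the SELECT list."""
    aliases = {}
    for col in _split_top_level(cols):
        m = _ALIAS.match(col)
        if m:
            aliases[m.group("alias").lower()] = m.group("expr").strip()
    return aliases


def aql_to_rule_filter(query):
    """Return the WHERE body of `query` with aliases expanded, ready to paste
    into the rule wizard's AQL filter."""
    m = _HEAD.match(query)
    if not m:
        raise ValueError("expected 'SELECT ... FROM <table> WHERE ...'")
    aliases = select_aliases(m.group("cols"))
    where = _cut_trailer(m.group("where"))
    # Substitute aliases only in the unquoted segments so literals stay intact.
    parts = _QUOTED.split(where)
    for idx in range(0, len(parts), 2):
        for alias, expr in aliases.items():
            parts[idx] = re.sub(
                rf"\b{re.escape(alias)}\b", lambda _m, e=expr: e, parts[idx], flags=re.I
            )
    return "".join(parts)


# Sample input: the Sigma-translated search from the question.
SIGMA_AQL = r"""SELECT UTF8(payload) as search_payload from events where (((LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log')) and ((("EventID"='1' and search_payload ilike 'C:\Windows\SysWOW64\cmd.exe' and search_payload ilike '%\Windows\Caches\NavShExt.dll %')) or (("EventID"='1' and search_payload ilike '%\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'))))"""

if __name__ == "__main__":
    print(aql_to_rule_filter(SIGMA_AQL))
```

For the question's query this yields the answer's filter with every search_payload replaced by UTF8(payload). One further thing worth checking on the translated query itself before relying on it in a rule: ilike 'C:\Windows\SysWOW64\cmd.exe' has no % wildcard, so it matches only a payload that is exactly that string, which is unlikely to be what a Sysmon process-creation rule intends; the other two patterns do carry wildcards.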