Querying Event and Flow Data to Find Specific Offenses
Search for specific event and flow data by creating Ariel Query Language (AQL) searches in the QRadar Analyst Workflow Query Builder.
Create searches by using your search history or by entering keywords directly into the Query Builder. The keyword populates a query template that you can customize further to suit your needs; alternatively, write your own query manually.
To build a query without using AQL, try the Visual Query Builder.
1. From the navigation menu, click Search and select the Advanced builder tab.
2. Type one of the following keywords in the Query Builder to start a query:
   - IP address
   - URL
   - MD5/SHA-1/SHA-256 hash
3. Select one of the predefined searches from the list that appears as you enter a keyword.
4. Review and edit the query template to refine your search, and then click Run query.
   Tip:
   - Syntax tokens are color-coded based on token class.
   - For a syntactically correct AQL string, paired parentheses are underscored when the cursor is placed between them.
     (startTime, 'MMM dd hh:mm a')
5. Click Filter to further refine your search results and then select an offense to view more details.
6. To run an existing search result, select the query in the Last Search field to add it to the Query Builder, and then click Run query.
7. Optional: Expand the Training and resources section to learn more about AQL queries.
The following is an example of an AQL query:
SELECT sourceip, destinationip, username FROM events WHERE username = 'test name' GROUP BY sourceip, destinationip ORDER BY sourceip DESC LIMIT 10 LAST 2 DAYS
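The keyword-to-template step above is what makes the Query Builder quick to use, and it is also the step where a pasted value ends up inside a string literal in a query. The following Python is an added example, not code from the QRadar documentation or product: it classifies a keyword as an IP address, URL or MD5/SHA-1/SHA-256 hash, selects an AQL template, quotes the value so that a stray apostrophe cannot change the query's meaning, and describes the HTTP call that would submit the resulting query to the Ariel REST API. The three templates, the custom event property names "URL" and "File Hash", the SQL-style doubling of single quotes, and the API version string are assumptions for illustration; substitute the properties and version present in your deployment.

```python
"""Keyword -> AQL template population, as an added example (not QRadar's own code)."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed AQL templates standing in for the Query Builder's predefined searches.
# "URL" and "File Hash" are assumed custom event property names (AQL quotes
# property names containing spaces with double quotes); adjust to your deployment.
TEMPLATES = {
    "ip": (
        "SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS t, sourceip, destinationip, "
        "username, QIDNAME(qid) AS event_name FROM events "
        "WHERE sourceip = {value} OR destinationip = {value} "
        "ORDER BY starttime DESC LIMIT 50 LAST {hours} HOURS"
    ),
    "url": (
        "SELECT sourceip, destinationip, username, \"URL\" FROM events "
        "WHERE \"URL\" = {value} LAST {hours} HOURS"
    ),
    "hash": (
        "SELECT sourceip, destinationip, username, \"File Hash\" FROM events "
        "WHERE \"File Hash\" = {value} LAST {hours} HOURS"
    ),
}

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_keyword(value: str) -> Optional[str]:
    """Return 'ip', 'url', 'hash' or None, mirroring the three keyword kinds
    the Query Builder recognises."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)          # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _HEX_RE.match(value) and len(value) in (32, 40, 64):  # MD5 / SHA-1 / SHA-256
        return "hash"
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return None


def aql_literal(value: str) -> str:
    """Quote a value as an AQL string literal. A user-supplied keyword is never
    pasted into the query raw: an embedded quote would otherwise end the literal
    early. This example assumes AQL follows the SQL convention of doubling quotes."""
    if any(ord(c) < 32 for c in value):
        raise ValueError("control characters are not allowed in a keyword")
    return "'" + value.replace("'", "''") + "'"


def build_query(keyword: str, hours: int = 24) -> str:
    """Select the template for the keyword's class and fill in the quoted value
    and the time window (bounded so a typo cannot request years of data)."""
    kind = classify_keyword(keyword)
    if kind is None:
        raise ValueError(f"not an IP address, URL or hash: {keyword!r}")
    if not 1 <= hours <= 24 * 30:
        raise ValueError("time window must be between 1 hour and 30 days")
    return TEMPLATES[kind].format(value=aql_literal(keyword.strip()), hours=hours)


def search_request(console: str, query: str, token: str, version: str = "20.0") -> dict:
    """Describe the call that submits an AQL search to the Ariel REST API
    (POST /api/ariel/searches, authenticated with a SEC token header). Returned
    as a dict so it can be inspected offline; requests.request(**req) would run it.
    The version value is an assumption; use the one your console advertises."""
    return {
        "method": "POST",
        "url": f"https://{console}/api/ariel/searches",
        "params": {"query_expression": query},
        "headers": {"SEC": token, "Version": version, "Accept": "application/json"},
    }


if __name__ == "__main__":
    for kw in ("10.0.0.5", "https://example.com/login", "d41d8cd98f00b204e9800998ecf8427e"):
        print(build_query(kw, hours=48))
```

The URL template uses equality rather than LIKE on purpose: a substring match would also have to neutralise the `%` and `_` wildcards in the pasted value, and URLs routinely contain underscores. Widen it only after deciding how those characters should be treated.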