IBM QRadar

  • 1.  "AQL filter query" contained in Building Blocks?

    Posted Tue June 18, 2024 04:54 AM
    Edited by V 2018 Sat June 22, 2024 10:25 AM

    Hi all,

    During some testing in my test environment, I discovered unusual "AQL filter query" content in a few Building Blocks (mainly Sysmon-related and quite old, 2017 content).

    E.g.:
    Apply BB:CategoryDefinition: Scheduled Task Creation by a Process on events which are detected by the Local system
    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
    and when the event QID is one of the following (5001828) Process Create
    and when the event matches "Parent Command" IMATCHES 'C\:\\Windows\\system32\\svchost\.exe\s\-k\snetsvcs' AQL filter query
    and when the event matches "Process Path" not in ('C:\Windows\System32\taskhost.exe','C:\Windows\System32\consent.exe','C:\Windows\System32\taskhostex.exe','C:\Windows\System32\rundll32.exe','C:\Windows\System32\wbem\WMIADAP.exe','C:\Windows\System32\wermgr.exe','C:\Windows\System32\wsqmcons.exe','C:\Windows\System32\ServerManagerLauncher.exe','C:\Windows\System32\aitagent.exe','C:\Windows\System32\taskeng.exe','C:\Windows\System32\Defrag.exe','C:\Windows\System32\schtasks.exe','C:\Windows\System32\ceipdata.exe', 'C:\Windows\System32\tzsync.exe', 'C:\Windows\System32\lpremove.exe') AQL filter query

    Has anyone observed something similar?

    Thanks,

    Wish you all a nice day,



    ------------------------------
    Vedran Zulin
    ------------------------------
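    As an added example (not part of the original post, and not IBM's code), the Building Block's test conditions quoted above can be emulated over a few constructed Sysmon Process Create records. The regex and the exclusion list are copied from the BB; everything else is assumed for illustration: that IMATCHES behaves like a case-insensitive whole-string match (Java String.matches semantics), that NOT IN compares strings exactly (case-sensitively), and that the QID test is sufficient to stand in for the log source type tests, which are omitted here. The constructed events are not real telemetry.

```python
"""Emulate the test conditions of the "Scheduled Task Creation by a Process"
Building Block over constructed Sysmon Process Create records.
Added example, not IBM's code; assumed QRadar semantics are noted inline."""
import re
from dataclasses import dataclass

# "Parent Command" IMATCHES pattern, copied verbatim from the BB. AQL regexes
# use Java syntax; this one needs no translation for Python's re module.
PARENT_CMD_PATTERN = r"C\:\\Windows\\system32\\svchost\.exe\s\-k\snetsvcs"

# "Process Path" NOT IN (...) exclusion list, copied verbatim from the BB.
EXCLUDED_PROCESS_PATHS = (
    r"C:\Windows\System32\taskhost.exe",
    r"C:\Windows\System32\consent.exe",
    r"C:\Windows\System32\taskhostex.exe",
    r"C:\Windows\System32\rundll32.exe",
    r"C:\Windows\System32\wbem\WMIADAP.exe",
    r"C:\Windows\System32\wermgr.exe",
    r"C:\Windows\System32\wsqmcons.exe",
    r"C:\Windows\System32\ServerManagerLauncher.exe",
    r"C:\Windows\System32\aitagent.exe",
    r"C:\Windows\System32\taskeng.exe",
    r"C:\Windows\System32\Defrag.exe",
    r"C:\Windows\System32\schtasks.exe",
    r"C:\Windows\System32\ceipdata.exe",
    r"C:\Windows\System32\tzsync.exe",
    r"C:\Windows\System32\lpremove.exe",
)

PROCESS_CREATE_QID = 5001828  # the QID the BB names for Sysmon Process Create


@dataclass
class Event:
    """Minimal stand-in for a normalized QRadar event (constructed)."""
    qid: int
    parent_command: str
    process_path: str


def parent_command_matches(parent_command: str) -> bool:
    # Assumption: IMATCHES behaves like Java's case-insensitive
    # String.matches(), i.e. the whole value must match the pattern.
    return re.fullmatch(PARENT_CMD_PATTERN, parent_command, re.IGNORECASE) is not None


def process_path_excluded(process_path: str, case_sensitive: bool = True) -> bool:
    # Assumption: AQL IN / NOT IN compares strings exactly (case-sensitive),
    # unlike ILIKE / IMATCHES. The flag shows what changes if it did not.
    if case_sensitive:
        return process_path in EXCLUDED_PROCESS_PATHS
    return process_path.lower() in {p.lower() for p in EXCLUDED_PROCESS_PATHS}


def bb_fires(event: Event, case_sensitive_exclusion: bool = True) -> bool:
    """The BB matches only when every one of its tests passes
    (log source tests are omitted in this emulation)."""
    return (
        event.qid == PROCESS_CREATE_QID
        and parent_command_matches(event.parent_command)
        and not process_path_excluded(event.process_path, case_sensitive_exclusion)
    )


NETSVCS = r"C:\Windows\system32\svchost.exe -k netsvcs"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = {
    "taskeng_from_netsvcs": Event(
        PROCESS_CREATE_QID, NETSVCS, r"C:\Windows\System32\taskeng.exe"),
    "temp_binary_from_netsvcs": Event(
        PROCESS_CREATE_QID, NETSVCS, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    "temp_binary_other_svchost": Event(
        PROCESS_CREATE_QID, r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
        r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    "wrong_qid": Event(
        1, NETSVCS, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    # Same excluded binary, but the path arrives in lower case.
    "lowercase_schtasks": Event(
        PROCESS_CREATE_QID, NETSVCS.lower(), r"c:\windows\system32\schtasks.exe"),
}


def evaluate(case_sensitive_exclusion: bool = True) -> dict:
    """Run the BB emulation over every sample event; returns name -> fired."""
    return {name: bb_fires(ev, case_sensitive_exclusion)
            for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:28s} -> {'MATCH' if fired else 'no match'}")
```

    The "lowercase_schtasks" record is the one worth noticing: the parent command still matches because IMATCHES is case-insensitive, but under an exact-match NOT IN the lower-cased path is no longer excluded, so the BB fires on a benign binary. Re-running evaluate(case_sensitive_exclusion=False) shows it silenced again, which is the effect of normalizing the path (for instance with LOWER()) before the exclusion test.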



  • 2.  RE: "AQL filter query" contained in Building Blocks?

    Posted Wed June 19, 2024 04:50 AM

    Hello Vedran,

    These are not unusual query contents. They are actually valid test conditions that use AQL, which seems fine to me; I see no issue related to them.
    Can you please confirm whether you observed any other issue with it?



    ------------------------------
    Vishal Tangadkar
    IBM INDIA PVT LTD
    ------------------------------



  • 3.  RE: "AQL filter query" contained in Building Blocks?

    Posted Thu August 22, 2024 12:31 PM

    Hi Vishal,

    thank you for the quick reply!

    What I find unusual is the fact that these stand quite apart from other BBs visually (in the GUI).

    Also to be noted: a few months ago, in my test environment, I stumbled upon a rule which had been converted from SIGMA, stored in the DB and exported via CMT, and it was not exactly well formed.



    ------------------------------
    Vedran Zulin
    ------------------------------



  • 4.  RE: "AQL filter query" contained in Building Blocks?

    Posted Wed June 19, 2024 08:22 AM
    Edited by V 2018 Wed June 19, 2024 08:25 AM

    Hi Vishal,

    Well, the reason I'm asking is that a few months ago I ran across a rule (initially converted from SIGMA) which also had the AQL filter query part, and it seemed completely different in formatting from any other rule (with id=-1, and conditions being duplicated in various formattings).

    (It seems far better with the conversion being made right now:

    devicetype=12
    AND (
        ("Event ID"=4656 AND LOWER("Object Name") LIKE '%\lsass.exe'
            AND (LOWER("Access Mask") LIKE '%0x40%' OR LOWER("Access Mask") LIKE '%0x1400%' OR LOWER("Access Mask") LIKE '%0x100000%' OR LOWER("Access Mask") LIKE '%0x1410%' OR LOWER("Access Mask") LIKE '%0x1010%' OR LOWER("Access Mask") LIKE '%0x1438%' OR LOWER("Access Mask") LIKE '%0x143a%' OR LOWER("Access Mask") LIKE '%0x1418%' OR LOWER("Access Mask") LIKE '%0x1f0fff%' OR LOWER("Access Mask") LIKE '%0x1f1fff%' OR LOWER("Access Mask") LIKE '%0x1f2fff%' OR LOWER("Access Mask") LIKE '%0x1f3fff%'))
        OR ("Event ID"=4663 AND LOWER("Object Name") LIKE '%\lsass.exe'
            AND ("Rule Name" LIKE '%4484%' OR "Rule Name" LIKE '%4416%'))
    )
    AND (NOT(
        (
            ((LOWER("Process Name") LIKE '%\csrss.exe' OR LOWER("Process Name") LIKE '%\gamingservices.exe' OR LOWER("Process Name") LIKE '%\lsm.exe' OR LOWER("Process Name") LIKE '%\microsoftedgeupdate.exe' OR LOWER("Process Name") LIKE '%\minionhost.exe' OR LOWER("Process Name") LIKE '%\mrt.exe' OR LOWER("Process Name") LIKE '%\msmpeng.exe' OR LOWER("Process Name") LIKE '%\perfmon.exe' OR LOWER("Process Name") LIKE '%\procexp.exe' OR LOWER("Process Name") LIKE '%\procexp64.exe' OR LOWER("Process Name") LIKE '%\svchost.exe' OR LOWER("Process Name") LIKE '%\taskmgr.exe' OR LOWER("Process Name") LIKE '%\thor.exe' OR LOWER("Process Name") LIKE '%\thor64.exe' OR LOWER("Process Name") LIKE '%\vmtoolsd.exe' OR LOWER("Process Name") LIKE '%\vstskmgr.exe' OR LOWER("Process Name") LIKE '%\wininit.exe' OR LOWER("Process Name") LIKE '%\wmiprvse.exe' OR LOWER("Process Name") LIKE '%rtkauduservice64')
             AND (LOWER("Process Name") LIKE '%:\program files (x86)\%' OR LOWER("Process Name") LIKE '%:\program files\%' OR LOWER("Process Name") LIKE '%:\programdata\microsoft\windows defender\platform\%' OR LOWER("Process Name") LIKE '%:\windows\sysnative\%' OR LOWER("Process Name") LIKE '%:\windows\system32\%' OR LOWER("Process Name") LIKE '%:\windows\syswow64\%' OR LOWER("Process Name") LIKE '%:\windows\temp\asgard2-agent\%'))
            OR LOWER("Process Name") LIKE '%:\program files%'
            OR (LOWER("Process Name") LIKE '%:\windows\system32\taskhostw.exe' OR LOWER("Process Name") LIKE '%:\windows\system32\msiexec.exe' OR LOWER("Process Name") LIKE '%:\windows\ccm\ccmexec.exe')
            OR (LOWER("Process Name") LIKE '%:\windows\sysmon64.exe' AND "Rule Name" LIKE '%%%4484%')
            OR (LOWER("Process Name") LIKE '%:\windows\temp\asgard2-agent-sc\aurora\%' AND LOWER("Process Name") LIKE '%\aurora-agent-64.exe' AND "Rule Name" LIKE '%%%4484%')
            OR (LOWER("Process Name") LIKE '%\x64\scenarioengine.exe' AND "Rule Name" LIKE '%%%4484%')
            OR ((LOWER("Process Name") LIKE '%:\users\%' AND LOWER("Process Name") LIKE '%\appdata\local\temp\is-%') AND LOWER("Process Name") LIKE '%\avira_system_speedup.tmp' AND "Rule Name" LIKE '%%%4484%')
            OR (LOWER("Process Name") LIKE '%:\windows\temp\%' AND LOWER("Process Name") LIKE '%\avira_speedup_setup_update.tmp' AND "Rule Name" LIKE '%%%4484%')
            OR (LOWER("Process Name") LIKE '%:\windows\system32\snmp.exe' AND "Rule Name" LIKE '%%%4484%')
            OR (LOWER("Process Name") LIKE '%:\windows\systemtemp\%' AND LOWER("Process Name") LIKE '%\googleupdate.exe' AND "Rule Name" LIKE '%%%4484%')
        )
    ))
    AND (NOT(
        ((LOWER("Process Name") LIKE '%\procmon64.exe' OR LOWER("Process Name") LIKE '%\procmon.exe') AND "Rule Name" LIKE '%%%4484%')
    ))

    )

    Was there some kind of a glitch back at the time?

    Kind regards,



    ------------------------------
    Vedran Zulin
    ------------------------------