IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

AQL Query OR Use Case

1. AQL Query OR Use Case

Like
Arunkumar R
Posted Thu October 27, 2022 09:54 AM

Reply
Hi,
We have integrated SentinelOne, I have queries to write use case to alert if a file name/Hash value is detected as malicious, and it should not be actioned (mitigated/Quarantined/Deleted) within a few min (ex.: 5min).

SELECT "File Hash","Filename","Action","Hostname",DATEFORMAT(starttime,'DD-MM-yyy hh:mm') AS 'Start Time' FROM events WHERE "File Hash" IS NOT NULL AND ACTION!='mitigated' AND ACTION!='deleted'

Thanks
Arunkumar

------------------------------
Arunkumar R
------------------------------

IBM QRadar

AQL Query OR Use Case

1. AQL Query OR Use Case

Additional
Resources

Office

Quick Links

IBM QRadar

AQL Query OR Use Case

1. AQL Query OR Use Case

Related Content

SentinelOne Connector App Integration

Endpoint monitoring essentials for QRadar

Microsoft Exchange RCE vulnerabilities - Sept 2022

Detection of Log4Shell (CVE-2021-44228) using QRadar

DNS Analyzer automatically detect malicious domains

Additional Resources

Office

Quick Links

Additional
Resources