Building search queries

Build custom queries to get specific results so that you find information that is relevant to you. Create custom queries in Data Explorer to easily find indicators of compromise. Use the query builder to construct and submit STIX-compliant queries to your connected data sources. If you configured IBM® QRadar as a data source, you can also construct and submit Ariel Query Language (AQL) queries.

STIX query

Although STIX2 is gaining recognition as an industry standard, it is not yet widely known to all security professionals. The query builder helps you to create a search query for IBM Prerequisite Scanner, URLs, MD5 hashes, and more.

About this task

To learn more about STIX 2, see Introduction to STIX 2.

To learn more about the STIX 2 language that the query builder supports, see STIX 2 Patterning specifications.

Tip:
  • If you receive the message “The cluster is busy processing other requests and does not respond to your queries,” wait a few minutes and try again.
  • When you use the Visual Builder, you must press Enter after you type the value. You can also press Enter and Shift to add multiple values.

Procedure

  1. Go to Data Explorer > Federated Search, and click the Advanced builder tab.
  2. Click the STIX tab.
  3. In the query text field, enter your query in the following format: OBSERVABLE_TYPE PROPERTY OPERATOR VALUE
    The query builder displays a context helper that provides the following parameters.
    Parameter Description
    Observable type Observables in STIX 2 are the stateful properties or measurable events that relate to the operation of computers and networks. For more information about the different types, see Cyber Observable Objects.
    Property Each observable type has required properties. For more information about the different properties for each type, see Cyber Observable Objects.
    Operator The operator in a query parameter is set to equal by default. Choose the operator that is appropriate for your query parameter. Make sure to add an operator between all query parameters to avoid syntax errors.
    Value The observable value depends on the specified observable type and property.
  4. Group search parameters by using square brackets.
  5. Set one or more timeframes to query.
    Tip: In the STIX language, the time range is shown in Coordinated Universal Time (UTC).
    1. Add a custom START and STOP date and time.
    2. Click to select from the quick ranges supplied with START.
    3. Click to use current date and time with STOP.
  6. Select one or more data sources to query. All data sources are selected by default. Click the data sources menu to update the selection.
  7. Click Run query to retrieve your target data across your selected data sources. The query results vary depending on your connected data sources.

Results

If there is a syntax error in your query, Run query is disabled until you resolve the error. Each syntax error is highlighted with a red underline, a tooltip with syntax error details, and contextual helper with syntax fix suggestions.

When a query is run, an 'active-query' card is added. Each query expires 14 days after it is created.

For sample queries, see STIX queries.

AQL query

The Ariel Query Language (AQL) is a structured query language that you use to query and manipulate event and flow data from the Ariel database in IBM QRadar.

About this task

To learn more about AQL, see Ariel Query Language.

Tip:
  • If you receive the message “The cluster is busy processing other requests and does not respond to your queries,” wait a few minutes and try again.
  • When you use the Visual Builder, you must press Enter after you type the value. You can also press Enter and Shift to add multiple values.

Procedure

  1. Go to Data Explorer > Federated Search, and click the Advanced builder tab.
  2. Click the AQL tab.
  3. In the query text field, start constructing your query in the format of the following example. 
    SELECT magnitude, sourceip, destinationip, destinationport, QIDNAME(qid) 
AS 'Event Name', LOGSOURCENAME(logsourceid) 
AS 'Log Source', CONCAT(CATEGORYNAME(highLevelCategory), '.', CATEGORYNAME(category)) 
AS 'Category Name', DATEFORMAT(startTime, 'MMM dd hh:mm a') 
AS 'Start Time' 
FROM events 
WHERE TEXT SEARCH '127.0.0.1' 
LIMIT 1000 
LAST 2 HOURS
    Important: An error might occur when a LIMIT clause is not included in your statement. Use a LIMIT clause to limit the number of results that are returned to a specific number. For example, LIMIT 20 to limit the output to 20 results.
    You must place the LIMIT clause before the START and STOP clauses, as in the following example.
    SELECT *
FROM events
LIMIT 20
START '2021-01-01 00:00'
STOP '2021-01-01 01:00'

Results

If there is a syntax error in your query, Run query is disabled until you resolve the error. Each syntax error is highlighted with a red underline, a tooltip with syntax error details, and contextual helper with syntax fix suggestions.

When a query is run, an 'active-query' card is added. Each query expires 14 days after it is created.

For sample queries, see AQL queries.

Sample queries

Use the following sample search queries as a guide to refine search results to better meet your needs.

STIX queries

Search for IPv4

If a timeframe is not specified, a default timeframe is applied according to the data source setting.

[ipv4-addr:value = '127.0.0.1']

Search for URL with timeframe

Note that the START and STOP times are outside of the query string brackets ([]).

[url:value = 'www.ibm.com'] START t'2019-03-23T13:53:12.229Z' STOP
              t'2019-03-26T13:53:27.170Z'

Search for Destination Ports other than port 443

Exclude (!=) values to narrow your results.

[network-traffic:dst_port != 443]

Search for the Powershell process that includes Mimikatz in the command line

Use operators such as LIKE and IN. Use % to represent "wild" strings.

[process:name = 'powershell.exe' AND process:command_line LIKE
            '%Mimikatz%']

Search for the process that matches TSTheme.exe and parent process that includes svchost.exe and MD5 hash

Group strings with parentheses ().

([process:name MATCHES 'TSTheme.exe' AND process:parent_ref.name LIKE '%svchost.exe']
              AND [file:hashes.'MD5' = 'C9A51BDEC4B4E0B6EF51B64637677D14'])

For more information, see STIX Patterning, Examples.

AQL queries

Returns all the fields from the events table that were sent in the last 10 minutes.

SELECT * FROM events LAST 10 MINUTES

Returns the sourceip and destinationip from the events table that were sent in the last 24 hours.

SELECT sourceip,destinationip FROM events LAST 24 HOURS

Returns all the fields from the events table during that time interval.

SELECT * FROM events START '2021 01 01 9:00:00' STOP '2021 01 01
            10:20:00'

Returns all the fields in the events table sent in the last 24 hours, sorting the output from highest to lowest magnitude.

SELECT * FROM events ORDER BY magnitude DESC LAST 24 HOURS

Returns all the fields from the events table that have the specified text in the output.

SELECT * FROM events WHERE TEXT SEARCH 'firewall'

For more information, see Sample AQL queries.