stix-shifter

Conversion of ISSUPERSET operator to AQL query is not supported

Open mdazam1942 opened this issue 7 years ago • 0 comments

STIX Pattern:

ipv4-addr:value ISSUPERSET '1.1.1.0/24'

Expected AQL query is:

SELECT * FROM events WHERE INCIDR(sourceip, '1.1.1.0/24') OR INCIDR(destinationip, '1.1.1.0/24') OR INCIDR(identityip, '1.1.1.0/24')

But running the above AQL query throws an error because the AQL built-in function INCIDR() doesn't validate the CIDR in the second column/parameter, which is INCIDR(sourceip, '1.1.1.0/24').

A bug has been logged with the QRadar AQL team. Once that is fixed, this support should be added to the QRadar module.

mdazam1942 Sep 17 '18 15:09
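The translation the issue describes, as an added example that is not stix-shifter's own code: it parses the one STIX comparison shown above, validates the CIDR before it is ever interpolated into AQL, and emits the three INCIDR() clauses over the columns the issue names (sourceip, destinationip, identityip). The `cidr_first` switch is an assumption: the issue only reports that the INCIDR(column, '<cidr>') form errors out, so the argument order INCIDR() actually accepts must be confirmed against the AQL documentation. The regex and the function names are hypothetical.

```python
import ipaddress
import re

# Added example, not stix-shifter's own code. The three QRadar IP columns are
# the ones named in the issue; the SELECT shape follows the issue's expected query.
IP_COLUMNS = ("sourceip", "destinationip", "identityip")

# Only the STIX comparison discussed in the issue is parsed here (hypothetical regex).
_PATTERN_RE = re.compile(r"\s*ipv4-addr:value\s+ISSUPERSET\s+'([^']*)'\s*")


def validate_cidr(cidr: str) -> str:
    """Return the CIDR in canonical form or raise ValueError.

    strict=True rejects networks with host bits set (1.1.1.5/24), and
    ip_network rejects anything that is not a network literal at all, so a
    stray quote or other non-address character never reaches the AQL string.
    This is the validation the issue says INCIDR() itself does not perform.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"ipv4-addr pattern given a non-IPv4 network: {cidr!r}")
    return str(net)


def is_valid_cidr(cidr: str) -> bool:
    """Boolean form of validate_cidr for callers that only need a yes/no."""
    try:
        validate_cidr(cidr)
        return True
    except ValueError:
        return False


def issuperset_to_aql(cidr: str, columns=IP_COLUMNS, cidr_first: bool = True) -> str:
    """Build the AQL for `ipv4-addr:value ISSUPERSET '<cidr>'`.

    The issue reports that INCIDR(<column>, '<cidr>') errors out; with
    cidr_first=True the clause is emitted as INCIDR('<cidr>', <column>) instead.
    Which order INCIDR() accepts is an assumption of this example; check the
    QRadar AQL documentation before relying on either form.
    """
    cidr = validate_cidr(cidr)
    if cidr_first:
        clauses = [f"INCIDR('{cidr}', {col})" for col in columns]
    else:
        clauses = [f"INCIDR({col}, '{cidr}')" for col in columns]
    return "SELECT * FROM events WHERE " + " OR ".join(clauses)


def pattern_to_aql(pattern: str, cidr_first: bool = True) -> str:
    """Translate the single STIX comparison from the issue into AQL."""
    m = _PATTERN_RE.fullmatch(pattern)
    if m is None:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    return issuperset_to_aql(m.group(1), cidr_first=cidr_first)


if __name__ == "__main__":
    print(pattern_to_aql("ipv4-addr:value ISSUPERSET '1.1.1.0/24'"))
    print(pattern_to_aql("ipv4-addr:value ISSUPERSET '1.1.1.0/24'", cidr_first=False))
    # Constructed inputs that validation should reject before any query is built.
    for bad in ("1.1.1.5/24", "2001:db8::/32", "1.1.1.0/24'", "not-a-cidr"):
        print(bad, "valid" if is_valid_cidr(bad) else "rejected")
```

Because the CIDR is validated with `ipaddress` rather than a hand-written regex, the only strings that can be interpolated into the query are canonical IPv4 network literals; anything else is refused before AQL is generated, which is the right place to catch the malformed-CIDR case the issue describes.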