Querying event and flow data to find specific offenses

Search for specific event and flow data by creating Ariel Query Language (AQL) searches in the QRadar Analyst Workflow Query Builder.

About this task

Create searches by using your search history or by entering keywords directly into the Query Builder. Either method populates a query template that you can customize further, or you can write your own AQL searches manually.
Tip: To build a query without using AQL, try the Visual query builder.

Procedure

  1. From the navigation menu, click Search, and select the Advanced builder tab.
  2. Type one of the following keywords in the Query Builder to start a query:
    • IP address
    • URL
    • MD5/SHA-1/SHA-256 hash
  3. Select one of the predefined searches from the list that appears as you enter a keyword.
  4. Review and edit the query template to refine your search, and then click Run query.
    Tip:
    • Syntax tokens are color-coded based on token class.
    • For a syntactically correct AQL string, paired parentheses are underscored when the cursor is placed between them, as in (startTime, 'MMM dd hh:mm a').
  5. Click Filter to further refine your search results and then select an offense to view more details.
  6. To run an existing search result, select the query in the Last Search field to add it to the Query Builder, and then click Run query.
  7. Optional: Expand the Training and resources section to learn more about AQL queries.

Example

The following is an example of an AQL query.

SELECT sourceip, destinationip, username
FROM events
WHERE username = 'test name'
GROUP BY sourceip, destinationip
ORDER BY sourceip DESC
LIMIT 10
LAST 2 DAYS
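The following pair of AQL queries is an added example (not from the original page) that pivots from one of the step 2 keywords, an IP address, to the events and flows involving it. The address 203.0.113.10 is a constructed placeholder; the property names (sourceip, destinationip, username, logsourceid, qid, eventcount, hasOffense, protocolid, sourcebytes, destinationbytes) and the functions LOGSOURCENAME, QIDNAME and PROTOCOLNAME are standard AQL, but the aliases and time window are the example's own choices.

```sql
SELECT
    LOGSOURCENAME(logsourceid) AS log_source,
    QIDNAME(qid) AS event_name,
    sourceip,
    destinationip,
    username,
    SUM(eventcount) AS total_events,
    MIN(starttime) AS first_seen,
    MAX(starttime) AS last_seen
FROM events
WHERE (sourceip = '203.0.113.10' OR destinationip = '203.0.113.10')
  AND hasOffense = 'true'
GROUP BY logsourceid, qid, sourceip, destinationip, username
ORDER BY total_events DESC
LIMIT 25
LAST 24 HOURS

SELECT
    sourceip,
    destinationip,
    destinationport,
    PROTOCOLNAME(protocolid) AS protocol,
    SUM(sourcebytes) AS bytes_out,
    SUM(destinationbytes) AS bytes_in,
    COUNT(*) AS flow_count
FROM flows
WHERE (sourceip = '203.0.113.10' OR destinationip = '203.0.113.10')
GROUP BY sourceip, destinationip, destinationport, protocolid
ORDER BY bytes_out DESC
LIMIT 25
LAST 24 HOURS
```

Run each statement separately in the Query Builder: the first returns only events that already contribute to an offense, grouped by log source and event name so you can see which detections fired, while the second shows the same address's flow volume by destination and protocol for the same window.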

For more information about creating queries in QRadar Analyst Workflow, see this video walkthrough about the Search feature.