基础查询
-- 查询所有事件(最近1小时)
SELECT * FROM events LAST 1 HOURS
-- 查询所有 Flow(最近5分钟)
SELECT * FROM flows LAST 5 MINUTES
-- 按字段筛选
SELECT * FROM events WHERE sourceip = '10.0.0.1' LAST 24 HOURS
-- 多条件筛选
SELECT * FROM events WHERE sourceip = '10.0.0.1' AND destinationport = 443 LAST 24 HOURS常用函数
| 函数 | 用途 | 示例 |
|---|---|---|
QIDNAME(qid) | 事件名称 | QIDNAME(qid) = 'Failed Login' |
LOGSOURCENAME(id) | 日志源名称 | LOGSOURCENAME(logsourceid) |
CATEGORYNAME(category) | 类别名称 | CATEGORYNAME(category) |
INSUBNET(ip, 'CIDR') | IP 网段判断 | INSUBNET(sourceip, '10.0.0.0/8') |
REFERENCESET('name') | 引用集 | sourceip IN REFERENCESET('BadIPs') |
ASSETUSER(ip) | 资产用户 | ASSETUSER(sourceip) |
ASSETVALUE(ip) | 资产重要性 | ASSETVALUE(sourceip) |
CONCAT(a, b) | 字符串拼接 | CONCAT(username, '@', domain) |
LENGTH(str) | 字符串长度 | LENGTH(username) |
LOWER/UPPER(str) | 大小写转换 | LOWER(username) |
聚合查询
-- 统计 Top 10 源 IP
SELECT sourceip, COUNT(*) as count FROM events GROUP BY sourceip ORDER BY count DESC LIMIT 10 LAST 24 HOURS
-- 按时间分组统计
SELECT starttime(5 MINUTES), COUNT(*) FROM events GROUP BY starttime(5 MINUTES) LAST 1 HOURS
-- Flow 流量统计
SELECT sourceip, destinationip, SUM(sourcebytes) FROM flows GROUP BY sourceip, destinationip LAST 1 HOURS联合查询
-- 关联引用集
SELECT * FROM events WHERE sourceip IN REFERENCESET('ThreatIntel') LAST 24 HOURS
-- 关联资产属性
SELECT sourceip, ASSETPROPERTY('Department', sourceip) FROM events LAST 1 HOURS时间范围
| 语法 | 含义 |
|---|---|
LAST 5 MINUTES | 最近5分钟 |
LAST 1 HOURS | 最近1小时 |
LAST 24 HOURS | 最近24小时 |
LAST 7 DAYS | 最近7天 |
START '2024-06-01 00:00:00' STOP '2024-06-02 00:00:00' | 指定时间段 |