-- Distinct Action.Name values seen across all event tables (GROUP BY without an
-- aggregate behaves like DISTINCT here).
-- NOTE(review): the comma-separated FROM list names 23 tables. In ANSI SQL that is a
-- cross join and Action.Name would be ambiguous; this file appears to use an EDR query
-- dialect where the list means "search all of these tables" — confirm before porting.
SELECT Action.Name FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Action.Name
统计所有事件总数
-- Total number of event rows across all 23 event tables (COUNT(1) counts every row).
-- NOTE(review): assumes the dialect treats the comma-separated FROM list as a
-- multi-table search; in ANSI SQL this would be a cross-join row count — confirm.
SELECT COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents
统计终端维度所有动作总数排序
-- Event volume per endpoint (Common.Mid + Environment.HostName), busiest first.
-- NOTE(review): COUNT(uuid) counts rows with a non-null uuid; elsewhere in this file
-- COUNT(1) is used for the same purpose. They agree only if uuid is never NULL — confirm.
SELECT Common.Mid,Environment.HostName,COUNT(uuid) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Common.Mid,Environment.HostName ORDER BY COUNT(uuid) DESC
统计动作维度事件总数排序
-- Event volume per action name across all event tables, most frequent first.
-- NOTE(review): the select list uses COUNT(1) but the ORDER BY uses COUNT(uuid); in
-- standard SQL these differ when uuid can be NULL. Using the same expression in both
-- places would make the displayed count and the sort order provably consistent.
SELECT Action.Name, COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Action.Name ORDER BY COUNT(uuid) DESC
统计有事件上报的终端总数
-- Number of distinct endpoint ids (Common.Mid) that reported process events.
-- NOTE(review): the label above says "endpoints with any event reports", but only
-- ProcEvents is read here; an endpoint that reported only other event types is not
-- counted. Confirm that every reporting endpoint is guaranteed to emit process events.
SELECT COUNT(DISTINCT Common.Mid) from ProcEvents
性能分析
统计进程维度文件动作总数排序
-- File-event volume per (parent process image name, action), busiest pairs first.
-- Parent.FileName is an image name, not a path, so differently located binaries with
-- the same name are merged into one row.
SELECT Parent.FileName,Action.Name,COUNT(uuid) FROM FileEvents GROUP BY Parent.FileName,Action.Name ORDER BY COUNT(uuid) DESC
统计进程维度所有动作总数排序
-- Event volume per parent process image name across all event tables, busiest first.
-- NOTE(review): COUNT(1) is displayed but COUNT(uuid) drives the ordering; they agree
-- only if uuid is never NULL — use one expression for both.
SELECT Parent.FileName, COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Parent.FileName ORDER BY COUNT(uuid) DESC
查询指定终端进程的文件动作
-- File actions performed by one process (by image name) on one endpoint (by Common.Mid).
-- The endpoint id and process name are sample literal values; if this query is ever
-- templated from user input, bind those values as parameters instead of interpolating.
SELECT Action.Name, Parent.FileName, Child.FilePath FROM FileEvents WHERE Common.Mid = 'FAA210E266DEFB880E23A3504315945B61EEAF0B' AND Parent.FileName = 'QQMusic.exe'
统计指定终端动作总数排序
-- Per-action event counts for a single endpoint (sample Common.Mid), most frequent first.
-- NOTE(review): assumes the dialect searches every table in the comma-separated FROM
-- list; in ANSI SQL this would be a cross join.
SELECT Action.Name, COUNT(uuid) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Common.Mid = 'F72A41F496988F89B0CA6936939D04A86257CFB8' GROUP BY Action.Name ORDER BY COUNT(uuid) DESC
统计终端维度所有事件上报量
-- Total reported events per endpoint id across all event tables. No ORDER BY, so the
-- row order is whatever the engine returns; add one if the output is consumed in order.
SELECT Common.Mid,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Common.Mid
安全运营
查询指定终端和文件名的进程创建事件
-- Process events on one endpoint where cmd.exe is the parent and notepad.exe the child.
-- NOTE(review): LIKE with no wildcard is an exact match, so `=` states the intent more
-- clearly (the rest of this file uses `=` for this). If a substring match was intended,
-- the patterns need `%`. Keyword case is mixed (`AND` / `and`).
SELECT * FROM ProcEvents WHERE Common.Mid = '2F2DE5496C00F0522C974FABCE7000A862761B98' AND Parent.FileName LIKE 'cmd.exe' and Child.FileName LIKE 'notepad.exe'
查询指定终端进程文件信息收集
-- All process file-info collection events for one host, selected by host name.
-- NOTE(review): Environment.HostName is not the endpoint id (Common.Mid is used for that
-- elsewhere in this file); host names can be reused or renamed, so results may span
-- more than one endpoint. Unbounded SELECT * — no LIMIT or time range.
SELECT * FROM ProcFileInfoEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端文件操作事件
-- All file events for one host, selected by host name (not by endpoint id).
SELECT * FROM FileEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端模块事件
-- All module (image load) events for one host, selected by host name.
SELECT * FROM ModuleEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端注册表事件
-- All registry events for one host, selected by host name.
SELECT * FROM RegEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端网络事件
-- All network events for one host, selected by host name.
SELECT * FROM NetworkEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端WMI事件
-- All WMI events for one host, selected by host name.
-- NOTE(review): WMIEvents is not part of the 23-table list used by the "all events"
-- queries in this file, so those totals exclude WMI activity — confirm that is intended.
SELECT * FROM WMIEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端系统变更事件
-- All login events for one host, selected by host name.
-- NOTE(review): the label above reads "system change events" but the query reads
-- LoginEvents. A SystemChangeEvents table does exist (it appears in the multi-table
-- lists in this file) — confirm which of the two was intended.
SELECT * FROM LoginEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端特权操作事件
-- All privilege-operation events for one host, selected by host name.
SELECT * FROM PrivilegeEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端计划任务事件
-- All scheduled-task events for one host, selected by host name.
SELECT * FROM ScheduleTaskEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端用户账户事件
-- All user-account events for one host, selected by host name.
SELECT * FROM AccountEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端网络共享事件
-- All network-share events for one host, selected by host name.
SELECT * FROM NetShareEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端加密事件
-- All cryptographic-operation events for one host, selected by host name.
SELECT * FROM CryptEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端远程注入事件
-- All remote-injection events for one host, selected by host name.
SELECT * FROM RemoteInjectEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端提权事件
-- All privilege-escalation events for one host, selected by host name.
SELECT * FROM PrivilegeEscalationEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端用户凭据事件
-- All credential-related events for one host, selected by host name.
SELECT * FROM CredentialsEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端服务器探测事件
-- All server-discovery events for one host, selected by host name.
SELECT * FROM ServerDetectEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端网络访问事件
-- All internet-access events for one host, selected by host name.
SELECT * FROM InternetEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端系统信息收集
-- All system-information collection events for one host, selected by host name.
SELECT * FROM SystemInfoEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端信息窃取
-- All information-theft events for one host, selected by host name.
SELECT * FROM InfoTheftEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端脚本事件
-- All script events for one host, selected by host name.
SELECT * FROM ScriptEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端文件统计事件
-- All file-statistics events for one host, selected by host name.
-- NOTE(review): FileStaticsEvents is not in the 23-table list used by the "all events"
-- queries in this file; the table name is kept as written — confirm it exists as spelled.
SELECT * FROM FileStaticsEvents WHERE Environment.HostName = 'kael-pc'
查询指定终端注入采集统计
-- Agent injection/hook collection statistics for one host.
-- NOTE(review): this is the only query in the file that filters on Common.HostName;
-- every other per-host query uses Environment.HostName. If this table carries the host
-- name under Environment as well, this filter would match nothing — confirm the schema.
SELECT * FROM AgentInjectHookStatics WHERE Common.HostName = 'kael-pc'
查询进程事件中命中规则名称包含powershell的事件
-- Process events whose matched rule name contains "powershell" (substring match).
-- Whether the LIKE is case-sensitive depends on the engine/collation — confirm if rule
-- names mix case. Leading-wildcard LIKE cannot use an index on Alert.RuleName.
SELECT * FROM ProcEvents WHERE Alert.RuleName LIKE '%powershell%'
查询文件事件中命中规则为12604的事件
-- File events that matched rule id 12604.
-- NOTE(review): Alert.RuleId is compared to a string literal here but to the number 0
-- (`Alert.RuleId > 0`) elsewhere in this file. One of the two relies on implicit type
-- coercion; use the column's declared type consistently.
SELECT * FROM FileEvents WHERE Alert.RuleId = '12604'
安全运营-查询powershell模块加载事件
-- Module events whose parent (loading) process image is powershell.exe.
-- Matches on image name only, so any binary named powershell.exe in any path qualifies;
-- filter on Parent.FilePath as well if the location matters.
SELECT * FROM ModuleEvents WHERE Parent.FileName = 'powershell.exe'
查询设置注册表键值包含systemroot的事件
-- Registry value writes (Action.Name = RegSetValue) whose written data contains
-- "systemroot". Substring match; case sensitivity is engine-dependent — confirm, since
-- %SystemRoot% is commonly written in mixed case. Keyword case is mixed (`and`).
SELECT * FROM RegEvents WHERE Action.Name = 'RegSetValue' and Child.RegValData LIKE '%systemroot%'
查询访问192.168.0.4的事件
-- Network events whose destination IP equals the given (sample) address. Exact match
-- only; a CIDR or prefix search would need a different predicate.
SELECT * FROM NetworkEvents WHERE Child.DstIp = '192.168.0.4'
查询指定主机利用wmi调用Win32_Process的事件
-- WMI events issued from client machine DC01 whose operation text mentions
-- Win32_Process (substring match). Case sensitivity of the LIKE is engine-dependent.
-- Assumes Child.ClientMachine holds the requesting machine's name — confirm.
SELECT * FROM WMIEvents WHERE Child.ClientMachine = 'DC01' AND Child.Operation LIKE '%Win32_Process%'
查询清除日志事件
-- Threat events whose action is ClearEventLogW, i.e. event-log clearing. Worth reviewing
-- as a log-tampering indicator; presumably Action.Name holds the Win32 API name — confirm.
SELECT * FROM ThreatEvents WHERE Action.Name = 'ClearEventLogW'
查询枚举域控名称事件
-- Server-discovery events whose action is DsGetDcNameW (domain-controller lookup).
-- Presumably Action.Name holds the API name, as with ClearEventLogW above — confirm.
SELECT * FROM ServerDetectEvents WHERE Action.Name = 'DsGetDcNameW'
查询powershell遍历文件事件
-- File enumeration (FindFirstFileW) performed by processes whose image is powershell.exe.
-- Image-name match only; add Parent.FilePath if the binary's location matters.
SELECT * FROM ProcFileInfoEvents WHERE Action.Name = 'FindFirstFileW' AND Parent.FileName = 'powershell.exe'
查询powershell修改注册表事件
-- Registry events of any action type from powershell.exe.
-- NOTE(review): the label above says "modify registry", but there is no Action.Name
-- filter, so reads are included too. If only writes are wanted, add a predicate such as
-- the `Action.Name = 'RegSetValue'` used earlier in this file.
SELECT * FROM RegEvents WHERE Parent.FileName = 'powershell.exe'
文件审计
某文件全网首次出现时间
-- Earliest collection time at which a file with the given name was seen fleet-wide.
-- 'xx' is a placeholder for the file name. Presumably @collection is the event
-- collection timestamp — confirm; min() returns NULL when no row matches.
SELECT min(@collection) FROM FileEvents WHERE Child.FileName = 'xx'
某文件全网机器覆盖量
-- Distinct hosts on which a file with the given name was seen ('xx' is a placeholder).
-- Returns the host list, not the number of hosts; wrap in COUNT(DISTINCT
-- Environment.HostName) if the coverage count itself is wanted.
SELECT Environment.HostName FROM FileEvents WHERE Child.FileName = 'xx' GROUP BY Environment.HostName
全网新入文件
-- File events newest-first by collection time, to spot recently seen files.
-- NOTE(review): no LIMIT and no deduplication by Child.FileName, so this returns every
-- file event in the table and a file appears once per event; add a LIMIT and/or a time
-- lower bound before running fleet-wide.
SELECT @collection,Child.FileName FROM FileEvents ORDER BY @collection DESC
网络审计
xx 网络请求全网首次出现时间
-- Earliest collection time of a network event to the given destination IP ('xx' is a
-- placeholder). Presumably @collection is the collection timestamp — confirm.
SELECT min(@collection) FROM NetworkEvents WHERE Child.DstIp = 'xx'
xx 网络请求全网访问量
-- Number of network events to the given destination IP ('xx' is a placeholder).
-- Because the WHERE clause already requires Child.DstIp to equal a value, every matched
-- row has a non-null DstIp and count(Child.DstIp) equals a plain row count.
SELECT count(Child.DstIp) FROM NetworkEvents WHERE Child.DstIp = 'xx'
探针规则统计
全网探针规则命中的事件量排序
-- Hit count per sensor rule across all event tables, most-hit first.
-- Alert.RuleNature = '0' selects one rule category; its meaning is not defined in this
-- file — document the enum values where it is declared. Same multi-table FROM caveat
-- as the other fleet-wide queries (dialect-specific, not an ANSI join).
SELECT Alert.RuleName,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleNature = '0' GROUP BY Alert.RuleName ORDER BY COUNT(1) DESC
全网探针规则命中的Top事件
-- Top 10 sensor rules by hit count (same query as the unlimited ranking, plus LIMIT 10).
-- Ties at the cut-off are broken arbitrarily; add Alert.RuleName to ORDER BY for a
-- deterministic top-10.
SELECT Alert.RuleName,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleNature = '0' GROUP BY Alert.RuleName ORDER BY COUNT(1) DESC LIMIT 10
告警统计
查询探针总数
-- Number of events (across all tables) that carry a non-empty rule name, i.e. events
-- that matched some sensor rule.
-- NOTE(review): the label above says "total number of sensors/rules"; this counts
-- matched events, not rules. COUNT(DISTINCT Alert.RuleName) would count rules.
-- An event whose RuleName is NULL rather than '' is excluded by `!= ''` (NULL compares
-- as unknown), which is consistent with the intent but worth knowing.
SELECT COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleName != ''
全网告警、探针命中Top--按规则名排序
-- Hit count per rule name for events with a positive rule id, most-hit first (the label
-- above says "sorted by rule name", but the ORDER BY is on the count).
-- NOTE(review): "event matched a rule" is expressed three ways in this file:
-- `Alert.RuleId > 0` here, `Alert.RuleName != ''` in the total-count query, and a string
-- comparison `Alert.RuleId = '12604'` earlier. Pick one predicate so the totals agree.
SELECT Alert.RuleName,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleId > 0 GROUP BY Alert.RuleName ORDER BY COUNT(1) DESC
查询指定探针数据
-- Process path/pid, action and matched rule for every rule-hit event across all tables.
-- No LIMIT, ORDER BY or time bound: fleet-wide this can return a very large result;
-- add an Alert.RuleName / Alert.RuleId filter (as the label "specified sensor" implies)
-- or a LIMIT before running it.
SELECT Parent.FilePath,Parent.ProcPid,Action.Name,Alert.RuleName,Alert.RuleId FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleName != ''