Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - AQL EVENT AND FLOW QUERY CLI GUIDE Manual


Security Threat Response Manager
AQL Event and Flow Query CLI Guide
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-xxxxxx-01, Beta Draft


Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - AQL EVENT AND FLOW QUERY CLI GUIDE

  • Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    Contents: About This Guide (Conventions; Technical Documentation; Documentation Feedback; Requesting Support). Using the AQL Query CLI (About the AQL Query CLI; Accessing the AQL Query CLI; Using a Select Statement; Using Where Clauses; Using the Group By Clause; Using the Order By Clause; Using the Count(*) Clause; Using the Distinct Clause; Using the Count (Distinct ...) Clause; ...)
  • Page 5: About This Guide

    Conventions: Information that alerts you to potential personal injury. Technical Documentation: You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support. Documentation Feedback: We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
  • Page 6: Requesting Support

    Requesting Support: Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
  • Page 7: Using The Aql Query Cli

    Using the AQL Query CLI: You can use the AQL Event and Flow Query Command Line Interface (CLI) to access flows and events stored in the Ariel database. This document provides information on accessing and using the AQL query CLI, including: About the AQL Query CLI; ...
  • Page 8: Accessing The Aql Query Cli

    The non-interactive mode has no prompt, so you can redirect its output to a file with regular UNIX pipe or redirection syntax. By default, the results are sent to standard output. Accessing the AQL Query CLI: To access the AQL query CLI, log in to STRM as root. Because the client is run from a root shell on the appliance, anyone who can run it can read every stored flow and event; control root shell access to STRM accordingly.
  • Page 9: Using A Select Statement

    For example, if you wish to enter a command in interactive mode:

    /opt/qradar/bin/arielClient -start 2007/08/11-01:15:00 -end 2007/08/11-01:17:00 -exectime 60
    /opt/qradar/bin/arielClient
    /opt/qradar/bin/arielClient -start 2007/08/11-01:15:00 -end 2007/08/11-01:17:00 -f csv

    If you wish to enter a command in non-interactive mode:

    /opt/qradar/bin/arielClient -start 2007/08/11-01:15:00 -end 2007/08/11-01:17:00 -exectime 60 -execute "select * from flows where sourceIP = '231.12.37.17' and protocol != 'TCP.tcp_ip'"...
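    The non-interactive form above is the one that gets scripted, and the whole AQL statement travels as the single argument of -execute. The following is an added example, not code from the Juniper guide or from STRM: it assembles that invocation as an argv list and runs it with subprocess so that the quotes inside the AQL text are never re-parsed by a shell, and it rejects a time window that is not in the guide's YYYY/MM/DD-HH:MM:SS format. The option names and the client path are the ones the guide shows; the validation rules and the function names are this example's own assumptions.

```python
"""Added example (not from the Juniper guide): build and run one
non-interactive arielClient query as an argv list.

Assumed from the guide: the client path, the -start/-end/-exectime/-f/-execute
options and the YYYY/MM/DD-HH:MM:SS timestamp format. Everything else here is
illustrative.
"""
import shlex
import subprocess
from datetime import datetime
from typing import List, Optional

ARIEL_CLIENT = "/opt/qradar/bin/arielClient"   # path used in the guide
TS_FORMAT = "%Y/%m/%d-%H:%M:%S"                # e.g. 2007/08/11-01:15:00


def parse_window_ts(value: str) -> datetime:
    """Accept only the guide's timestamp format; anything else is an error."""
    try:
        return datetime.strptime(value, TS_FORMAT)
    except ValueError as exc:
        raise ValueError(f"bad timestamp {value!r}; expected YYYY/MM/DD-HH:MM:SS") from exc


def build_arielclient_argv(start: str, end: str, query: str, *,
                           exectime: Optional[int] = None,
                           csv: bool = False) -> List[str]:
    """Return argv for one non-interactive query over the window [start, end]."""
    if parse_window_ts(end) <= parse_window_ts(start):
        raise ValueError("end must be later than start")
    if exectime is not None and exectime <= 0:
        raise ValueError("exectime must be a positive number of seconds")
    if "\n" in query or not query.strip():
        raise ValueError("query must be a single non-empty line")
    argv = [ARIEL_CLIENT, "-start", start, "-end", end]
    if exectime is not None:
        argv += ["-exectime", str(exectime)]
    if csv:
        argv += ["-f", "csv"]
    # The complete AQL statement is one argument, exactly like the guide's
    # -execute "..." form, regardless of the quotes and spaces it contains.
    argv += ["-execute", query]
    return argv


def shell_command_line(argv: List[str]) -> str:
    """Render argv for a log line or copy-paste; shlex.quote keeps each
    element one shell token, so the rendered line reproduces argv exactly."""
    return " ".join(shlex.quote(a) for a in argv)


def run_query_to_file(argv: List[str], path: str) -> None:
    """Run the client and capture its standard output in a file (the guide's
    redirection case), without going through a shell."""
    with open(path, "wb") as out:
        subprocess.run(argv, stdout=out, check=True)


if __name__ == "__main__":
    argv = build_arielclient_argv(
        "2007/08/11-01:15:00", "2007/08/11-01:17:00",
        "select * from flows where sourceIP = '231.12.37.17' and protocol != 'TCP.tcp_ip'",
        exectime=60, csv=True)
    print(shell_command_line(argv))
```

    Passing the statement as a list element rather than interpolating it into a shell string matters because the AQL literals are single-quoted; a query built from a variable and handed to `sh -c` would break on, or be altered by, those quotes.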
  • Page 10: Table 1-2 Supported Fields (continued). Flows: geographic, icmpType, interface, intervalId, lastPacketTime, packetsOut, protocol, remoteNet, remoteServices, sourceASN, sourceBytes, sourceByteRatio, sourceDSCP, sourceFlags, sourceIP, sourceIfIndex, sourceNetwork, sourcePackets, sourcePacketRatio, sourcePort, sourcePrecedence, sourcePayload, sourceTOS, totalBytes. Events: category, credibility, creEventList, destinationIP, destinationMAC, ...
  • Page 11: Table 1-2 Supported Fields (continued). Events (continued): eventCount, eventDirection, hasOffense, highLevelCategory, magnitude, payload, postNatDestinationIP, postNatDestinationPort, postNatSourceIP, postNatSourcePort, preNatDestinationIP, preNatDestinationPort, preNatSourceIP, preNatSourcePort, protocol, relevance, severity, sourceIP, sourceMAC, sourceNetwork, sourcePort, startTime, token, unparsed, userName. For example: select sourceIP, destinationIP, application from flows where protocol = 'TCP.tcp_ip'...
  • Page 12: Using Where Clauses

    select <query item> from <flows|events> where <sourceCIDR|destinationCIDR> = '<CIDR Range>'

    For example:

    select * from flows where sourceCIDR = '10.100.100/24'

    This command returns all flows coming from the 10.100.100 subnet. To capture flows coming from and into the subnet, combine the two conditions with a regular OR expression as follows:

    select * from flows where sourceCIDR = '10.100.100/24' OR destinationCIDR = '10.100.100/24'

    Using Where...
  • Page 13: Using The Order By Clause

    The output includes:

    ------------------------------------
    | sourceIP       | SUM_sourceBytes |
    ------------------------------------
    | 64.124.201.151 | 4282590.0       |
    | 10.105.2.10    | 4902509.0       |
    | 10.103.70.243  | 2802715.0       |
    | 10.103.77.143  | 3313370.0       |
    | 10.105.32.29   | 2467183.0       |
    | 10.105.96.148  | 8325356.0       |
    | 10.103.73.206  | 1629768.0       |
    ------------------------------------

    However, if you compare this information to a non-aggregate query, the output...
  • Page 14: Using The Count(*) Clause

    For example:

    select sourceBytes, sourceIP from flows where sourceBytes > 1000000 order by sourceBytes

    Or, if you wish to display results in ascending order:

    select sourceBytes, sourceIP from flows where sourceBytes > 1000000 order by sourceBytes asc

    Combining the ... and the ... clauses in a single query is useful for...
  • Page 15: Using The Materialize View Clause

    Using the Materialize View Clause: The materialize view clause allows you to produce query results as a static view and run subsequent queries against that view. You can also specify the period of time for which the view remains accessible.
  • Page 16: Using The Describe Statement

    For example, if you wish to match names such as Joe, Joanne, Joseph, or any other name beginning with Jo, enter the following clause (% matches any run of characters):

    select * from events where userName like 'jo%'

    If you wish to match names beginning with Jo that are three characters long, such as Joe or Jon, enter the following clause (_ matches exactly one character):

    select * from events where userName like 'jo_'...
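    The where-clause forms the guide shows (an exact match, sourceCIDR/destinationCIDR on page 12, and like with % and _ above) are the places where a value supplied by a script or a user ends up inside a single-quoted AQL literal. The following is an added example, not code from the Juniper guide or from STRM: it builds those clauses with input validation and then evaluates the same conditions against a few constructed flow and event records so the matching semantics can be checked offline. The guide documents no escape sequence for a quote inside a literal, so the helper refuses such values rather than guessing one; the three-octet CIDR shorthand from the guide is accepted and emitted as a full dotted-quad network, and case-insensitive like matching is an assumption drawn from the guide's 'jo%' matching Joe. The record layout, field names and matcher are illustrative only, not Ariel's implementation.

```python
"""Added example (not from the Juniper guide): build validated AQL where
clauses and check their semantics against constructed sample records.

Assumptions (not from the guide): rejecting quotes instead of escaping them,
emitting CIDR ranges as full dotted quads, case-insensitive like matching.
"""
import ipaddress
import re

_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")   # plain field names only


def aql_string(value: str) -> str:
    """Render a single-quoted AQL string literal.

    The guide shows no escape sequence for quotes inside a literal, so values
    containing a quote or a newline are rejected rather than escaped."""
    if "'" in value or "\n" in value:
        raise ValueError(f"unsafe characters in AQL string value: {value!r}")
    return "'" + value + "'"


def normalize_cidr(value: str) -> str:
    """Accept the guide's shorthand (10.100.100/24) or a full dotted quad."""
    net, sep, prefix = value.partition("/")
    octets = net.split(".")
    if not sep or not 1 <= len(octets) <= 4:
        raise ValueError(f"not a CIDR range: {value!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=False lets a host address stand in for its network
    return str(ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False))


def _field(name: str) -> str:
    if not _IDENT.match(name):
        raise ValueError(f"bad field name: {name!r}")
    return name


def where_equals(field: str, value: str) -> str:
    return f"{_field(field)} = {aql_string(value)}"


def where_cidr(cidr: str, direction: str = "both") -> str:
    """sourceCIDR / destinationCIDR clause; 'both' is the OR form from the guide."""
    literal = aql_string(normalize_cidr(cidr))
    clauses = {"source": f"sourceCIDR = {literal}",
               "destination": f"destinationCIDR = {literal}"}
    if direction == "both":
        return f"{clauses['source']} OR {clauses['destination']}"
    return clauses[direction]


def where_like(field: str, pattern: str) -> str:
    return f"{_field(field)} like {aql_string(pattern)}"


def build_select(fields, table: str, where: str) -> str:
    if table not in ("flows", "events"):
        raise ValueError("AQL tables are flows or events")
    cols = ", ".join(f if f == "*" else _field(f) for f in fields)
    return f"select {cols} from {table} where {where}"


# --- local evaluator so the clause semantics can be checked offline ----------

def like_match(pattern: str, value: str) -> bool:
    """% = any run of characters, _ = exactly one; case-insensitive (assumption)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def flows_in_subnet(flows, cidr: str, direction: str = "both"):
    """Records whose source, destination, or either address lies in cidr."""
    net = ipaddress.ip_network(normalize_cidr(cidr))
    keys = {"source": ["sourceIP"], "destination": ["destinationIP"],
            "both": ["sourceIP", "destinationIP"]}[direction]
    return [f for f in flows if any(ipaddress.ip_address(f[k]) in net for k in keys)]


def users_like(events, pattern: str):
    return [e["userName"] for e in events if like_match(pattern, e["userName"])]


# Constructed sample records (not real STRM data).
SAMPLE_FLOWS = [
    {"sourceIP": "10.100.100.5", "destinationIP": "64.124.201.151", "protocol": "TCP.tcp_ip"},
    {"sourceIP": "192.0.2.9", "destinationIP": "10.100.100.20", "protocol": "UDP.udp_ip"},
    {"sourceIP": "192.0.2.10", "destinationIP": "198.51.100.7", "protocol": "TCP.tcp_ip"},
]
SAMPLE_EVENTS = [{"userName": n} for n in ("Joe", "Joanne", "Joseph", "Jon", "Bob")]

if __name__ == "__main__":
    print(build_select(["*"], "flows", where_cidr("10.100.100/24")))
    print([f["sourceIP"] for f in flows_in_subnet(SAMPLE_FLOWS, "10.100.100/24", "source")])
    print(build_select(["*"], "events", where_like("userName", "jo_")))
    print(users_like(SAMPLE_EVENTS, "jo_"))
```

    Run against the sample records, the source-only CIDR clause matches one flow and the OR form matches two, which is the distinction the page 12 text draws; 'jo%' matches Joe, Joanne, Joseph and Jon, while 'jo_' matches only Joe and Jon. The rejection of quotes is deliberate: a value such as x' OR 1=1 -- would otherwise be spliced into the statement verbatim.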
  • Page 17: Using the Describe Statement (continued): flowSource (TEXT), interface (TEXT), flowDirection (NUMERIC), geographic (TEXT), sourcePrecedence (NUMERIC), destinationPrecedence (NUMERIC)
