Forum Discussion
KQL Queries
Hi Team,
Please help us to write KQL. We have created a rule with the help of the "SecurityAlert" table, but due to the last line it is not working. We don't want alerts for a particular command line; how can it be excluded from the alert?
| where commandline !contains "f:\abc\xyz\comhost.exe"
SecurityAlert
| extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type)
| where Entitytype in~ ("host","process")
| extend hostname = EntitiesDynamicArray.HostName
| extend commandline = EntitiesDynamicArray.CommandLine
| where commandline !contains "f:\abc\xyz\comhost.exe"
Please help us to resolve the last line.
- The "\" is a special character - just add two, example:
| where commandline !contains "f:\\abc\\xyz\\comhost.exe"
3 Replies
- Clive_Watson (Bronze Contributor): The "\" is a special character - just add two, for example:
| where commandline !contains "f:\\abc\\xyz\\comhost.exe"
- akshay250692 (Brass Contributor):
| where commandline != "C:\Windows\system32\cmd.exe /c ""D:\Scripts_Migration\ABC_DEF_services_Migration.bat" start "auto" ""
Still facing an issue with the above line. Please help me to rewrite it so it will be included in the KQL.
- Clive_Watson (Bronze Contributor):
You are still using a single "\" not "\\". You can also use a combination of single vs. double quotes - ' and " - to define a string within a string. I'd write your line as:
| where commandline !contains ' C:\\Windows\\system32\\cmd.exe /c "D:\\Scripts_Migration\\ABC_DEF_services_Migration.bat" start "auto" '
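The escaping rules from both of Clive's replies, put into a query that can be checked without touching the live SecurityAlert table. This is an added example and not code from the thread: the FakeSecurityAlert datatable, the hostnames, the alert names and the third command line are constructed for illustration, and the mv-apply rewrite of the original mv-expand is my suggestion rather than something the thread proposes. Both literal styles are shown, doubled backslashes in a normal "..." string (Clive's answer) and a verbatim @"..." string, which KQL takes exactly as typed.

```kusto
// Added example, not part of the thread: a stand-alone check of the exclusion
// against constructed SecurityAlert-style rows. Paste into a Log Analytics or
// Kusto query window; no table access is needed because the rows come from
// datatable. Hostnames, alert names and command lines are made up.
let FakeSecurityAlert = datatable(AlertName:string, Entities:string)
[
    // Verbatim strings (@'...') keep the backslashes that the JSON itself escapes as \\.
    "Suspicious process A", @'[{"Type":"host","HostName":"srv01"},{"Type":"process","CommandLine":"f:\\abc\\xyz\\comhost.exe -run"}]',
    "Suspicious process B", @'[{"Type":"host","HostName":"srv02"},{"Type":"process","CommandLine":"C:\\Windows\\system32\\cmd.exe /c \"D:\\Scripts_Migration\\ABC_DEF_services_Migration.bat\" start \"auto\""}]',
    "Suspicious process C", @'[{"Type":"host","HostName":"srv03"},{"Type":"process","CommandLine":"c:\\windows\\system32\\cmd.exe /c whoami"}]'
];
FakeSecurityAlert
| extend Ents = parse_json(Entities)
// Collapse the entity array back to one row per alert, so the exclusion drops
// the whole alert. With a plain mv-expand the filter only removes the process
// entity row, and the host entity row of the same alert would still survive.
| mv-apply Ent = Ents on (
    summarize hostname    = take_anyif(tostring(Ent.HostName),    tostring(Ent.Type) =~ "host"),
              commandline = take_anyif(tostring(Ent.CommandLine), tostring(Ent.Type) =~ "process")
  )
// Style 1: regular string literal, every backslash doubled (Clive's fix).
| where commandline !contains "f:\\abc\\xyz\\comhost.exe"
// Style 2: verbatim literal, backslashes taken literally, so the path is typed as-is.
| where commandline !contains @"D:\Scripts_Migration\ABC_DEF_services_Migration.bat"
| project AlertName, hostname, commandline
```

The two where clauses target rows A and B respectively. Note that contains (and !contains) is case-insensitive, which is usually what you want for Windows paths; use !contains_cs if the exclusion must be case-sensitive. Matching on a substring of the path rather than with != against the whole command line, as in akshay's attempt, also avoids having to reproduce every quote and space of the original exactly.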