Forum Discussion

akshay250692's avatar
akshay250692
Brass Contributor
Apr 12, 2023
Solved

KQL Queries

  Hi Team,   Please help us to write KQL. We have created rule with help of "SecurityAlert" table. but due to last its not working. We dont want particular command line alert. how it will excluded...
alerts
KQL
  • Clive_Watson's avatar
    Clive_Watson
    Apr 12, 2023
    The "\" is a special character - just add two, example:

    | where commandline !contains "f:\\abc\\xyz\\comhost.exe"
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Apr 12, 2023
The "\" is a special character - just add two, example:

| where commandline !contains "f:\\abc\\xyz\\comhost.exe"
akshay250692's avatar
akshay250692
Brass Contributor
Apr 13, 2023
| where commandline != "C:\Windows\system32\cmd.exe /c ""D:\Scripts_Migration\ABC_DEF_services_Migration.bat" start "auto" ""
still facing issue for above line. please help me to rewrite so it will include in kql.
  • Clive_Watson's avatar
    Clive_Watson
    Bronze Contributor
    Apr 13, 2023

    akshay250692 

    You are still using a single "\" not  "\\".  You can also use a combination of a single quote vs. double -  " ' " and "" to define a string within a string, I'd write your line as:

    | where commandline !contains ' C:\\Windows\\system32\\cmd.exe /c "D:\\Scripts_Migration\\ABC_DEF_services_Migration.bat" start "auto" '