Forum Discussion
akshay250692
Apr 12, 2023 Brass Contributor
KQL Queries
Hi Team, please help us write a KQL query. We have created a rule with the help of the "SecurityAlert" table, but due to the last it's not working. We don't want alerts for a particular command line. How can it be excluded...
Clive_Watson
Apr 12, 2023 Bronze Contributor
The "\" is a special character - just add two, example:
| where commandline !contains "f:\\abc\\xyz\\comhost.exe"
akshay250692
Apr 13, 2023 Brass Contributor
| where commandline != "C:\Windows\system32\cmd.exe /c ""D:\Scripts_Migration\ABC_DEF_services_Migration.bat" start "auto" ""
Still facing an issue with the above line. Please help me rewrite it so that it can be included in the KQL query.
Clive_Watson
Apr 13, 2023 Bronze Contributor
You are still using a single "\" and not "\\". You can also use a combination of single quotes and double quotes (' and ") to define a string within a string. I'd write your line as:
| where commandline !contains 'C:\\Windows\\system32\\cmd.exe /c "D:\\Scripts_Migration\\ABC_DEF_services_Migration.bat" start "auto"'
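The two exclusions from the thread applied side by side, as an added example that is not from the original posts: the datatable rows are constructed stand-ins for the command lines the rule reads from SecurityAlert, and the @-prefixed verbatim literal is an alternative the thread does not mention.

```kql
// Added example (not from the thread). Constructed rows stand in for SecurityAlert command lines:
// the first two are the paths the thread wants excluded, the third should survive the filter.
let Sample = datatable(commandline:string)
[
    'C:\\Windows\\system32\\cmd.exe /c "D:\\Scripts_Migration\\ABC_DEF_services_Migration.bat" start "auto"',
    'f:\\abc\\xyz\\comhost.exe',
    'C:\\Windows\\system32\\notepad.exe C:\\temp\\notes.txt'
];
Sample
// Regular literal: every backslash in the path is written as \\.
// Single quotes around the literal let the embedded double quotes stand unescaped.
| extend hitsBat = commandline contains 'D:\\Scripts_Migration\\ABC_DEF_services_Migration.bat'
// Verbatim literal (@ prefix): a backslash stands for itself, so no doubling is needed.
| extend hitsComhost = commandline contains @'f:\abc\xyz\comhost.exe'
// Keep only rows that match neither exclusion; no leading or trailing spaces inside the literals,
// otherwise a command line that starts or ends with the path would never match and the exclusion would silently fail.
| where not(hitsBat) and not(hitsComhost)
| project commandline
```

contains is case-insensitive, which is why 'C:\\Windows' and 'f:\\abc' match regardless of the casing in the alert; use contains_cs when exact-case matching is required.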