Threat Hunting

Last updated: 2024-06-28 15:27:01


Condition query mode

1. Log in to the iOA Zero Trust Management Platform console. In the left navigation bar, choose Advanced Threat Detection and Response > Threat Hunting.
2. Choose a query mode: after entering the page, users can pick the query method that suits their habits. Condition query and SQL query modes are supported; condition query is selected by default.

3. After choosing condition query, you can select the time range (default: 7 days), the system platform (default: Windows and Mac) and the database tables to search.
4. Click Add filter condition to open a dialog listing all fields. Select the target field by field category, then choose the logical relationship for that field (equals, not equals, ...). After choosing the relationship, specify the value to search for: if the selected field has enumerated values, they are displayed for selection; otherwise, enter the target search value manually.

5. Combined search over multiple fields: you can add fields or add condition groups, which are combined with a default relationship; the overall logic is the same as when adding alert conditions in rule operations.

6. After the search, the page shows a statistics chart with daily granularity that supports drag selection. Results are divided into All, Alerts and Probes, classified by the type of rule the current logs hit; switch tabs to view each category.

7. The left side lists all fields present in the search results; the fields selected for display are shown in the list on the right.



8. Click the icon beside a field to hide it; hidden fields are no longer displayed in the list on the right.

9. Custom statistics are supported: hovering over a specific field shows the Top 10 statistics of all values under that field. Click More statistics to open a drawer with statistics for the target values.

10. The data pane shows the specific event information: click the expand icon on any log entry to display its details.

Details can be displayed as tabs or as JSON, and every field value can be used for further filtering: click the filter-in icon to show only logs that contain the value, or the filter-out icon to exclude all logs that contain it.



11. Click the save icon at the far right of the search box, then enter a name and a parent directory to save the query condition.

12. Click Query history at the far right of the search box to view past query conditions.

13. Query history supports searching, saving and deleting.

SQL query mode

1. Log in to the iOA Zero Trust Management Platform console. In the left navigation bar, choose Advanced Threat Detection and Response > Threat Hunting.
2. Choose a query mode: after entering the page, users can pick the query method that suits their habits. Condition query and SQL query modes are supported; condition query is selected by default.

3. After choosing SQL query mode, an advanced SQL-based search mode is available that helps security operations staff proactively and quickly discover and identify unknown threats.

4. Key icons: ① query history, ② expand database, ③ download query data.


Common SQL statements

The console table has the columns Group name, Statement name, SQL statement and Run check. The statements are listed below by group, each statement name followed by its SQL.

Group: (not specified)

Query the list of event actions
SELECT Action.Name FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Action.Name

Count all events
SELECT COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents

Count all actions per endpoint, sorted
SELECT Common.Mid,Environment.HostName,COUNT(uuid) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Common.Mid,Environment.HostName ORDER BY COUNT(uuid) DESC

Count events per action, sorted
SELECT Action.Name, COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Action.Name ORDER BY COUNT(uuid) DESC

Count endpoints that have reported events
SELECT COUNT(DISTINCT Common.Mid) FROM ProcEvents

Group: Performance analysis

Count file actions per process, sorted
SELECT Parent.FileName,Action.Name,COUNT(uuid) FROM FileEvents GROUP BY Parent.FileName,Action.Name ORDER BY COUNT(uuid) DESC

Count all actions per process, sorted
SELECT Parent.FileName, COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Parent.FileName ORDER BY COUNT(uuid) DESC

Query file actions of a process on a specified endpoint
SELECT Action.Name, Parent.FileName, Child.FilePath FROM FileEvents WHERE Common.Mid = 'FAA210E266DEFB880E23A3504315945B61EEAF0B' AND Parent.FileName = 'QQMusic.exe'

Count actions on a specified endpoint, sorted
SELECT Action.Name, COUNT(uuid) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Common.Mid = 'F72A41F496988F89B0CA6936939D04A86257CFB8' GROUP BY Action.Name ORDER BY COUNT(uuid) DESC

Count events reported per endpoint
SELECT Common.Mid,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents GROUP BY Common.Mid

Group: Security operations

Query process creation events for a specified endpoint and file name
SELECT * FROM ProcEvents WHERE Common.Mid = '2F2DE5496C00F0522C974FABCE7000A862761B98' AND Parent.FileName LIKE 'cmd.exe' AND Child.FileName LIKE 'notepad.exe'

Query process file information collection on a specified endpoint
SELECT * FROM ProcFileInfoEvents WHERE Environment.HostName = 'kael-pc'

Query file operation events on a specified endpoint
SELECT * FROM FileEvents WHERE Environment.HostName = 'kael-pc'

Query module events on a specified endpoint
SELECT * FROM ModuleEvents WHERE Environment.HostName = 'kael-pc'

Query registry events on a specified endpoint
SELECT * FROM RegEvents WHERE Environment.HostName = 'kael-pc'

Query network events on a specified endpoint
SELECT * FROM NetworkEvents WHERE Environment.HostName = 'kael-pc'

Query WMI events on a specified endpoint
SELECT * FROM WMIEvents WHERE Environment.HostName = 'kael-pc'

Query system change events on a specified endpoint
SELECT * FROM LoginEvents WHERE Environment.HostName = 'kael-pc'

Query privilege operation events on a specified endpoint
SELECT * FROM PrivilegeEvents WHERE Environment.HostName = 'kael-pc'

Query scheduled task events on a specified endpoint
SELECT * FROM ScheduleTaskEvents WHERE Environment.HostName = 'kael-pc'

Query user account events on a specified endpoint
SELECT * FROM AccountEvents WHERE Environment.HostName = 'kael-pc'

Query network share events on a specified endpoint
SELECT * FROM NetShareEvents WHERE Environment.HostName = 'kael-pc'

Query encryption events on a specified endpoint
SELECT * FROM CryptEvents WHERE Environment.HostName = 'kael-pc'

Query remote injection events on a specified endpoint
SELECT * FROM RemoteInjectEvents WHERE Environment.HostName = 'kael-pc'

Query privilege escalation events on a specified endpoint
SELECT * FROM PrivilegeEscalationEvents WHERE Environment.HostName = 'kael-pc'

Query user credential events on a specified endpoint
SELECT * FROM CredentialsEvents WHERE Environment.HostName = 'kael-pc'

Query server detection events on a specified endpoint
SELECT * FROM ServerDetectEvents WHERE Environment.HostName = 'kael-pc'

Query internet access events on a specified endpoint
SELECT * FROM InternetEvents WHERE Environment.HostName = 'kael-pc'

Query system information collection on a specified endpoint
SELECT * FROM SystemInfoEvents WHERE Environment.HostName = 'kael-pc'

Query information theft events on a specified endpoint
SELECT * FROM InfoTheftEvents WHERE Environment.HostName = 'kael-pc'

Query script events on a specified endpoint
SELECT * FROM ScriptEvents WHERE Environment.HostName = 'kael-pc'

Query file statistics events on a specified endpoint
SELECT * FROM FileStaticsEvents WHERE Environment.HostName = 'kael-pc'

Query injection collection statistics on a specified endpoint
SELECT * FROM AgentInjectHookStatics WHERE Common.HostName = 'kael-pc'

Query process events whose hit rule name contains "powershell"
SELECT * FROM ProcEvents WHERE Alert.RuleName LIKE '%powershell%'

Query file events that hit rule 12604
SELECT * FROM FileEvents WHERE Alert.RuleId = '12604'

Query PowerShell module load events
SELECT * FROM ModuleEvents WHERE Parent.FileName = 'powershell.exe'

Query registry set-value events whose value data contains "systemroot"
SELECT * FROM RegEvents WHERE Action.Name = 'RegSetValue' AND Child.RegValData LIKE '%systemroot%'

Query events accessing 192.168.0.4
SELECT * FROM NetworkEvents WHERE Child.DstIp = '192.168.0.4'

Query events where a specified host invokes Win32_Process via WMI
SELECT * FROM WMIEvents WHERE Child.ClientMachine = 'DC01' AND Child.Operation LIKE '%Win32_Process%'

Query event log clearing events
SELECT * FROM ThreatEvents WHERE Action.Name = 'ClearEventLogW'

Query domain controller name enumeration events
SELECT * FROM ServerDetectEvents WHERE Action.Name = 'DsGetDcNameW'

Query PowerShell file enumeration events
SELECT * FROM ProcFileInfoEvents WHERE Action.Name = 'FindFirstFileW' AND Parent.FileName = 'powershell.exe'

Query PowerShell registry modification events
SELECT * FROM RegEvents WHERE Parent.FileName = 'powershell.exe'

Group: File audit

First appearance time of a file across the network
SELECT MIN(@collection) FROM FileEvents WHERE Child.FileName = 'xx'

Number of machines across the network on which a file appears
SELECT Environment.HostName FROM FileEvents WHERE Child.FileName = 'xx' GROUP BY Environment.HostName

New files across the network
SELECT @collection,Child.FileName FROM FileEvents ORDER BY @collection DESC

Group: Network audit

First appearance time of a network request to xx across the network
SELECT MIN(@collection) FROM NetworkEvents WHERE Child.DstIp = 'xx'

Network-wide access count for xx
SELECT COUNT(Child.DstIp) FROM NetworkEvents WHERE Child.DstIp = 'xx'

Group: Probe rule statistics

Event counts of probe rule hits across the network, sorted
SELECT Alert.RuleName,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleNature = '0' GROUP BY Alert.RuleName ORDER BY COUNT(1) DESC

Top probe rule hits across the network
SELECT Alert.RuleName,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleNature = '0' GROUP BY Alert.RuleName ORDER BY COUNT(1) DESC LIMIT 10

Group: Alert statistics

Count total probe hits
SELECT COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleName != ''

Top alert and probe hits across the network, by rule name
SELECT Alert.RuleName,COUNT(1) FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleId > 0 GROUP BY Alert.RuleName ORDER BY COUNT(1) DESC

Query specified probe data
SELECT Parent.FilePath,Parent.ProcPid,Action.Name,Alert.RuleName,Alert.RuleId FROM ProcEvents,FileEvents,NetworkEvents,RegEvents,ModuleEvents,PrivilegeEvents,LoginEvents,InternetEvents,NetShareEvents,AccountEvents,ProcFileInfoEvents,ScheduleTaskEvents,ThreatEvents,CryptEvents,RemoteInjectEvents,CredentialsEvents,ServerDetectEvents,SystemInfoEvents,InfoTheftEvents,SystemChangeEvents,PrivilegeEscalationEvents,DirOperationEvents,ScriptEvents WHERE Alert.RuleName != ''
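As an added example (not taken from the iOA documentation), the following three hunting queries combine constructs that the statements above already use: GROUP BY, ORDER BY COUNT(...), LIMIT, COUNT(DISTINCT ...), @collection and string comparison. They assume the same table and field names as the table above (NetworkEvents, ProcEvents, ThreatEvents, Environment.HostName, Child.DstIp, Parent.FileName, Child.FileName, Action.Name, Alert.RuleName, @collection), that @collection is the collection timestamp (as the "first appearance time" statements above use it), that COUNT(DISTINCT ...) is accepted in ORDER BY, and that the engine accepts standard `--` line comments; the host name 'kael-pc' is the same sample value the table uses.

```sql
-- Query 1: endpoints that contacted the most distinct destination IPs.
-- A host far above its peers is a triage candidate for scanning or beaconing.
SELECT Environment.HostName, COUNT(DISTINCT Child.DstIp)
FROM NetworkEvents
GROUP BY Environment.HostName
ORDER BY COUNT(DISTINCT Child.DstIp) DESC
LIMIT 10

-- Query 2: endpoints on which event logs were cleared, most affected first.
-- Builds on the "event log clearing" statement above by adding per-host counts.
SELECT Environment.HostName, COUNT(1)
FROM ThreatEvents
WHERE Action.Name = 'ClearEventLogW'
GROUP BY Environment.HostName
ORDER BY COUNT(1) DESC

-- Query 3: process creations spawned by powershell.exe on one endpoint that also
-- hit a detection rule, newest first. 'kael-pc' is the sample host name used above.
SELECT @collection, Environment.HostName, Parent.FileName, Child.FileName, Alert.RuleName
FROM ProcEvents
WHERE Environment.HostName = 'kael-pc'
  AND Parent.FileName = 'powershell.exe'
  AND Alert.RuleName != ''
ORDER BY @collection DESC
```

Run each statement separately in SQL query mode and narrow the time range first; unlike the single-table statements here, the multi-table statements in the table above scan every event table and can be slow over a wide range.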