$ stix-shifter translate qradar query {} "([ipv4-addr:value = '192.168.1.2'] OR [url:value LIKE '%.example.com']) START t'2020-09-11T13:00:52.000Z' STOP t'2020-09-11T13:59:04.000Z'" {}
{
"queries": [
"SELECT QIDNAME(qid) as qidname, qid, CATEGORYNAME(category) as categoryname, category as categoryid, CATEGORYNAME(highlevelcategory) as high_level_category_name, highlevelcategory as high_level_category_id, logsourceid, devicetype, LOGSOURCETYPENAME(devicetype) as logsourcetypename, LOGSOURCENAME(logsourceid) as logsourcename, starttime, endtime, devicetime, sourceaddress as sourceip, sourceport, sourcemac, destinationaddress as destinationip, destinationport, destinationmac, username, eventdirection as direction, identityip, identityhostname, eventcount, PROTOCOLNAME(protocolid) as protocol, UTF8(payload) as eventpayload, URL as url, magnitude, Filename as filename, \"File Hash\" as filehash, \"File Path\" as filepath, severity, credibility, relevance, geographiclocation as geographic, \"CRE Name\" as crename, \"CRE Description\" as credescription, creeventlist, rulename(creeventlist) as rulenames, domainid, DOMAINNAME(domainid) as domainname FROM events WHERE url LIKE '%%.example.com%' limit 10000 START 1599829252000 STOP 1599832744000",
"SELECT QIDNAME(qid) as qidname, qid, CATEGORYNAME(category) as categoryname, category as categoryid, CATEGORYNAME(highlevelcategory) as high_level_category_name, highlevelcategory as high_level_category_id, logsourceid, devicetype, LOGSOURCETYPENAME(devicetype) as logsourcetypename, LOGSOURCENAME(logsourceid) as logsourcename, starttime, endtime, devicetime, sourceaddress as sourceip, sourceport, sourcemac, destinationaddress as destinationip, destinationport, destinationmac, username, eventdirection as direction, identityip, identityhostname, eventcount, PROTOCOLNAME(protocolid) as protocol, UTF8(payload) as eventpayload, URL as url, magnitude, Filename as filename, \"File Hash\" as filehash, \"File Path\" as filepath, severity, credibility, relevance, geographiclocation as geographic, \"CRE Name\" as crename, \"CRE Description\" as credescription, creeventlist, rulename(creeventlist) as rulenames, domainid, DOMAINNAME(domainid) as domainname FROM events WHERE (sourceip = '192.168.1.2' OR destinationip = '192.168.1.2' OR identityip = '192.168.1.2') OR limit 10000 last 5 minutes",
"SELECT applicationid, APPLICATIONNAME(applicationid) as applicationname, CATEGORYNAME(category) as categoryname, credibility, destinationasn, destinationbytes, destinationdscp, destinationflags, destinationip, destinationifindex, destinationpackets, destinationport, destinationprecedence, destinationv6, domainid, fullmatchlist, firstpackettime, flowbias, flowdirection as direction, flowinterfaceid, flowsource, flowtype, geographic, hasoffense, icmpcode, icmptype, flowinterface, intervalid, isduplicate, lastpackettime, partialmatchlist, PROTOCOLNAME(protocolid) as protocol, QIDNAME(qid) as qidname, qid, processorid, relevance, retentionbucket, severity, sourceasn, sourcebytes, sourcedscp, sourceflags, sourceip, sourceifindex, sourcepackets, sourceport, sourceprecedence, sourcev6, starttime, endtime, UTF8(sourcepayload) as flowsourcepayload, UTF8(destinationpayload) as flowdestinationpayload FROM flows WHERE (sourceip = '192.168.1.2' OR destinationip = '192.168.1.2') limit 10000 START 1599829252000 STOP 1599832744000"
]
}
Three queries are produced: one for the ipv4-addr against events, one for the url against events, and one for the ipv4-addr against flows. The events query for the ipv4-addr does not apply the START/STOP qualifier from the pattern; it falls back to the default `last 5 minutes`, so it silently searches a different time window than the other two queries (which correctly carry `START 1599829252000 STOP 1599832744000`) and would miss the events the pattern was meant to cover. It also appears to have a stray `OR` immediately before the `limit 10000` clause, which presumably makes QRadar reject it as malformed AQL, though I am not an AQL expert. Separately, the url pattern `LIKE '%.example.com'` is translated to `url LIKE '%%.example.com%'`; the added trailing `%` widens the match to any URL containing `.example.com` anywhere, which may not be the intended semantics.