This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cortex XSIAM XQL Query Issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XSIAM XQL Query Issue

Mohitparashar
L1 Bithead

‎03-13-2024 08:27 AM

Hi Team,

I was searching some logs and I found the query I was running initially was just different from the later (2nd) query, however, I was not getting any results for first time but got the results by 2nd query. I moto here just to understand what was the difference using contains or in or "=" for the message or event log fiels while filter out the data. Please find the queries below.

1st Query: (failed to give any results)

config case_sensitive = false timeframe = 2d
| dataset = microsoft_windows_raw
| filter event_id in (4729, 4733, 4735) and message = "*hide for privacy*"

*****************************************************************************************

 

2nd Query: (Provided the exact event results)

config case_sensitive = false timeframe = 2d
| dataset = microsoft_windows_raw
| filter event_id in (4729, 4733, 4735) and message contains "*hide for privacy*"

Any help or right explaination for this will be appreciated  🙂

Cortex XSIAM @jtalton  Cortex XDR 

Cortex XSIAM
Thumbnail of Cortex XSIAM
Palo Alto Networks
Cortex XSIAM
Security Operations
View on Product Page
Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
3 REPLIES 3

afurze
L4 Transporter

‎03-15-2024 07:40 AM

Hi Mohitparashar,

 

The '=' operator is an exact match operator, it does not accept wildcards as you are trying to use them.  Also, since contains is already a substring search, you needn't include the wildcards in your search.

0 Likes Likes

Mohitparashar
L1 Bithead
In response to afurze

‎03-17-2024 02:54 AM

Hi @afurze

Appreciate you reply, could you please confirm the difference between Message "contains" and Message "In". Sometimes using "In" operator give me the exact results I'm looking for but there was situations the operator return 0 value without giving me any error.

 

 

0 Likes Likes

jorandall
L0 Member
In response to Mohitparashar

‎03-18-2024 09:35 AM

@Mohitparashar the in operator supports wildcards and can function identically to contains. For example, these two queries are essentially the same:

jorandall_1-1710779721314.png

 

jorandall_0-1710779652789.png

 

Link to the docs: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-XQL-Language-Reference/Supporte...

0 Likes Likes
  • 644 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks