topic Re: Query Builder to XQL in Cortex XDR Discussions

Query Builder to XQL

NathanBradley — Fri, 24 Sep 2021 19:06:12 GMT

I have built queries within builder that I cannot replicate in a xql query

Is there a way to convert them quickly?

The example below was built with the builder, a search for files within removable media for the previous 24 hours

I need it in xql syntax in order to create widgets...etc

File [ action type = all AND device type = removable media ] AND Time [ event timestamp in last 24H before Sep 24th 2021 01:00:00 ]

Re: Query Builder to XQL

Luc_Desaulniers — Mon, 27 Sep 2021 14:06:35 GMT

Hi Nathan,

I haven't seen a way to convert queries from query builder to XQL as a feature in the product right now.

But from XQL query library you can use the one named:

Users creating more than 100 files on a removable device

It should give you a good starting point for what you're trying to do.

Good luck.

Luc

Re: Query Builder to XQL

malalade — Mon, 27 Sep 2021 16:15:08 GMT

dataset = xdr_data
| fields action_file_device_info as drive_info
| alter device_type = json_extract(to_json_string(drive_info), "$.storage_device_drive_type")
| filter drive_info != null
| filter device_type = "2"

==========================
Note: Device type could be
==========================
Unknown = 0,
Fixed = 1,
Removable = 2,
Cdrom = 3,
Network = 4,
Ramdisk = 5
The "storage_device_drive_type" field is taken from this enum (json):

Re: Query Builder to XQL

NathanBradley — Mon, 27 Sep 2021 16:45:56 GMT

Thanks I ended up with the following as i needed to include the user, file path, and file name

Now i just need the report to print all data in the PDF rather than a subset

dataset = xdr_data
| filter event_type = FILE and event_sub_type = FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, action_file_name