topic XQL Filter out specific combination in Cortex XDR Discussions

XQL Filter out specific combination

MBTNA — Mon, 06 Jun 2022 08:09:48 GMT

Hello

i am trying to create XQL filter to filter out all known connections, so it only returns me connections that should not happen.

So i create separate line for each of those knows connections, like:

filter (action_local_ip != "10.130.130.34" and action_local_port != 445)

but that doesn't work, it filters out all 445 source ports from report, and does not show rest of connections from 10.130.130.34.

How to create that kind of filter that filters out only ip and port combination ?

Re: XQL Filter out specific combination

afurze — Mon, 06 Jun 2022 14:55:39 GMT

Hi Mbaltalksnis,

Your query is filtering out 10.130.130.34 (action_local_ip != 10.130.130.34) which is why you're not seeing any additional traffic for that host. If you wanted to see traffic from that host where the local port is not 445, you just need to drop the '!' from the action_local_ip portion of the query, as follows:

data_set = xdr_data | filter event_type = ENUM.NETWORK | filter action_local_ip = 10.130.130.34 and action_local_port != 445

Re: XQL Filter out specific combination

MBTNA — Tue, 07 Jun 2022 07:48:20 GMT

In that filter that you provided in results i only get rest of the ports from 10.130.130.34, and there are no other local IPs in output.

Re: XQL Filter out specific combination

afurze — Tue, 07 Jun 2022 13:40:01 GMT

You can add an OR to the filter and use parenthesis to group your operators, like so:

| filter (action_local_ip = "10.130.130.34" and action_local_port != 445) or action_local_ip != "10.130.130.34"

This selects either logs where the local IP is 10.130.130.34 and the source port is not 445, or logs where the local IP is not 10.130.130.34.

Re: XQL Filter out specific combination

MBTNA — Wed, 08 Jun 2022 14:37:04 GMT

Thanks, that solution looks like is working, will try to work with that.