topic Re: Event_Sub_Type Failed to run in Cortex XDR Discussions

Event_Sub_Type Failed to run

NathanBradley — Tue, 02 Aug 2022 16:51:20 GMT

When running this XQL query if I add event_sub_type to the filter it fails to run

I can run the query without any filters, and then add the event_sub_type column without issues

dataset = xdr_data
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE or event_sub_type = enum.FILE_OPEN )
| filter agent_ip_addresses = "x.x.x.x"
| filter action_file_path contains "Path"
| filter action_file_name not contains "$"
| filter action_file_extension != "tmp"
| fields agent_hostname, agent_ip_addresses, actor_effective_username, action_file_name, action_file_path, action_file_extension, event_sub_type

Re: Event_Sub_Type Failed to run

afurze — Tue, 02 Aug 2022 18:17:12 GMT

Hi NathanBradley,

This is definitely a strange behavior, I'm honestly not sure why this query is failing. I was able to get the following query to work successfully

dataset = xdr_data | filter event_type = ENUM.FILE | filter event_sub_type in (ENUM.FILE_OPEN, ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE) | filter agent_ip_addresses = “x.x.x.x” | filter action_file_path contains “Path” | filter action_file_name not contains “$” | filter action_file_extension != “tmp” | alter file_action = if(event_sub_type = 1, replace(to_string(event_sub_type), “1”, “CREATE”), if(event_sub_type = 6, replace(to_string(event_sub_type), “6”, “WRITE”), if(event_sub_type = 2, replace(to_string(event_sub_type), “2”, “OPEN”)))) | fields agent_hostname, agent_ip_addresses, actor_effective_username, action_file_name, action_file_path, action_file_extension, file_action

Re: Event_Sub_Type Failed to run

NathanBradley — Tue, 02 Aug 2022 18:42:42 GMT

Thanks, It does get what im needing

But it didnt replace the numerical value

Also where did you get the numerical values for event_sub_type

Re: Event_Sub_Type Failed to run

afurze — Wed, 03 Aug 2022 14:20:18 GMT

Hmm, for some reason the XQL query does not like to be copied and pasted. I had to remove the "1", "CREATE", "2", "OPEN", "6", "WRITE", and then type them in again before it would properly replace. It doesn't appear that these values have public documentation, I was able to reference some internal documentation.

Re: Event_Sub_Type Failed to run

NathanBradley — Wed, 03 Aug 2022 14:29:48 GMT

Thanks, did that and it worked

Can the other numerical values for the other event sub types be shared?

Re: Event_Sub_Type Failed to run

afurze — Wed, 03 Aug 2022 14:36:42 GMT

create_new

open

rename

link

remove

write

set_attribute

dir_create

dir_open

dir_rename

dir_link

dir_remove

dir_write

dir_set_attr

reparse

set_sec

dir_set_sec

change_mode

dir_change_mode

change_owner

dir_change_owner

dir_query