topic Re: xdr_data dataset only returns nulls in Cortex XDR Discussions

xdr_data dataset only returns nulls

IanRedden — Mon, 30 Jan 2023 18:38:56 GMT

Any idea why this might be happening?

I am expecting to see data from my Cisco ASA firewalls, XDR Agents and hopefully some causality/actor information. I only get Nulls.

Re: xdr_data dataset only returns nulls

aleksandar.astardzhiev — Mon, 30 Jan 2023 21:58:35 GMT

Hi @IanRedden ,

Your filter is very broad, you only limit the last 100 entries, but

- You haven't specified any event type, nor sorted by anything

- So the 100 events that you have received show all empty values, because the fields that are shown by default are not relevant for this event.

- If you tell the query to show all available fields and then tell the GUI to show all those fields in the return table you should see at least something

dataset = xdr_data | fields * | limit 100

Above should return all fields of xdr_data dataset, but you still need to tell the GUI to show them in the return table

Click on the three dots and there you select all fields.

You query is still very broad so it is better to know what you are looking for and apply some better filters before showing the last 100 events.

Re: xdr_data dataset only returns nulls

IanRedden — Wed, 01 Feb 2023 14:29:11 GMT

What does XDR_Data include? Everything? Including syslogs forwarded from the Broker VM?

Re: xdr_data dataset only returns nulls

IanRedden — Wed, 01 Feb 2023 14:43:32 GMT

Here is an example...

In my test environment, we ran AttackIQ to generate alerts.

I am looking for the above data from an XQL query searching on an indicator. For example, show me XDR events from "DESKTOP-E0AMMSK".

This query:

config case_sensitive = false
| preset = network_story
| fields *
| filter agent_hostname = "DESKTOP-E0AMMSK"

Returns no results for a 1M period.