XQL Query: Event Sub Type causing issues in Query

KanwarSingh01 — Tue, 28 Feb 2023 03:35:53 GMT

We have written a query to get certain files types being downloaded from browser process and get its parent process details etc. When we try to add the field event_sub_type we start receiving and error. If we exclude the field from the query we get proper results. If you run the below queries you will be able to produce the error.

Please try the below query: (Status == Success)

config case_sensitive = false | preset = xdr_process | filter action_process_image_name in ("chrome.exe","firefox.exe","msedge.exe","brave.exe","iexplorer.exe") | fields agent_hostname as Host, action_process_image_name as Process, action_process_os_pid as PID, action_process_image_command_line as Command, actor_process_image_name as Parent_Process, actor_process_os_pid as PPID, actor_process_command_line as Parent_Command | join (preset = xdr_file) as PF pf.actor_process_image_name = Process and pf.actor_process_os_pid = PID and pf.agent_hostname = Host | filter event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_RENAME, ENUM.FILE_WRITE) | filter action_file_name ~= ".*exe|.*dll|.*zip|.*rar|.*msi|.*vbs|.*one|.*html" | filter action_file_name not contains "zone.identifier" | filter action_file_path contains "Desktop" or action_file_path contains "Downloads" or action_file_path contains "Documents" | fields Host, action_file_name as Filename, action_file_path as FilePath, Process, PID, Command, Parent_Process, PPID, Parent_Command

Now, please try the below query: (Status == Fail)

config case_sensitive = false | preset = xdr_process | filter action_process_image_name in ("chrome.exe","firefox.exe","msedge.exe","brave.exe","iexplorer.exe") | fields agent_hostname as Host, action_process_image_name as Process, action_process_os_pid as PID, action_process_image_command_line as Command, actor_process_image_name as Parent_Process, actor_process_os_pid as PPID, actor_process_command_line as Parent_Command | join (preset = xdr_file) as PF pf.actor_process_image_name = Process and pf.actor_process_os_pid = PID and pf.agent_hostname = Host | filter event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_RENAME, ENUM.FILE_WRITE) | filter action_file_name ~= ".*exe|.*dll|.*zip|.*rar|.*msi|.*vbs|.*one|.*html" | filter action_file_name not contains "zone.identifier" | filter action_file_path contains "Desktop" or action_file_path contains "Downloads" or action_file_path contains "Documents" | fields Host, event_sub_type, action_file_name as Filename, action_file_path as FilePath, Process, PID, Command, Parent_Process, PPID, Parent_Command

Notice the last line entry contains event_sub_type field, whereas in the first one we do not have this entry and the query succeeds.

Is anyone else facing this issue? Would we good to know and can we please get this sorted?

Re: XQL Query: Event Sub Type causing issues in Query

bbucao — Tue, 28 Feb 2023 14:39:50 GMT

Hi KanwarSingh01,

When defining 'event_sub_type' as part of the fields stage you must also include the 'event_type' field. Simply add 'event_type' to your fields stage and I think you will find the issue is resolved.

Thanks,
Ben

Re: XQL Query: Event Sub Type causing issues in Query

KanwarSingh01 — Tue, 28 Feb 2023 20:56:17 GMT

Thank you for the response. Yes that fixes the issue.

topic Re: XQL Query: Event Sub Type causing issues in Query in Cortex XDR Discussions

XQL Query: Event Sub Type causing issues in Query

Re: XQL Query: Event Sub Type causing issues in Query

Re: XQL Query: Event Sub Type causing issues in Query