https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534505#M3843 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>,</P> <P>&nbsp;</P> <P>You are on the right track using the <CODE>json_extract</CODE> function, perhaps there was a syntax error. Here is an example building upon the previous query showing how to extract the <CODE>TargetUserName</CODE> property from the JSON object and create a new column with that value using the <CODE>alter</CODE> stage:</P> <P>&nbsp;</P> <LI-CODE lang="markup">preset = xdr_event_log | filter action_evtlog_event_id = 4625 | filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name) | alter TargetUserName = json_extract(action_evtlog_data_fields, "$.TargetUserName")</LI-CODE> <P>&nbsp;</P> <P>The <CODE>TargetUserName</CODE> property displays the username value wrapped in quotation marks, so if you wanted to take this a step further and remove those, you could use the <CODE>trim</CODE> function, using the entire <CODE>json_extract</CODE> function as an input like this:&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| alter TargetUserName = trim(json_extract(action_evtlog_data_fields, "$.TargetUserName"), "\"")</LI-CODE> <P>&nbsp;</P> <P>This will remove the quotation marks and give you a new column with just the username value.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Tim</P> Wed, 15 Mar 2023 17:03:46 GMT timurphy 2023-03-15T17:03:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534449#M3838 <P>Hi,</P> <P>&nbsp;</P> <P>I need to get failed logins from critical assets.</P> <P>&nbsp;</P> <P>So I was trying to get tag "CRITICAL" in endpoints dataset and if there are any "event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625 in xdr_data dataset.</P> <P>&nbsp;</P> <P>Could you help pls</P> <P>&nbsp;</P> Wed, 15 Mar 2023 12:48:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534449#M3838 FabioFerreira 2023-03-15T12:48:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534459#M3840 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>,</P> <P>&nbsp;</P> <P>This can be accomplished by using a nested query (wrapped in parenthesis) in a <CODE>filter</CODE> stage. Here is an example of such a query to help you get started:</P> <P>&nbsp;</P> <LI-CODE lang="markup">preset = xdr_event_log | filter action_evtlog_event_id = 4625 | filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name) </LI-CODE> <P>&nbsp;</P> <P>&nbsp;I hope this helps!</P> <P>&nbsp;</P> <P>Regards,</P> <P>Tim</P> Wed, 15 Mar 2023 14:28:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534459#M3840 timurphy 2023-03-15T14:28:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534486#M3842 <P>Thank you Tim!</P> <P>That helped me a lot, now I need to extract TargetUserName from column "action_evtlog_data_fields ", that it is in json format.</P> <P>I was trying to use json_extract without success.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>Fabio</P> Wed, 15 Mar 2023 16:22:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534486#M3842 FabioFerreira 2023-03-15T16:22:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534505#M3843 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>,</P> <P>&nbsp;</P> <P>You are on the right track using the <CODE>json_extract</CODE> function, perhaps there was a syntax error. Here is an example building upon the previous query showing how to extract the <CODE>TargetUserName</CODE> property from the JSON object and create a new column with that value using the <CODE>alter</CODE> stage:</P> <P>&nbsp;</P> <LI-CODE lang="markup">preset = xdr_event_log | filter action_evtlog_event_id = 4625 | filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name) | alter TargetUserName = json_extract(action_evtlog_data_fields, "$.TargetUserName")</LI-CODE> <P>&nbsp;</P> <P>The <CODE>TargetUserName</CODE> property displays the username value wrapped in quotation marks, so if you wanted to take this a step further and remove those, you could use the <CODE>trim</CODE> function, using the entire <CODE>json_extract</CODE> function as an input like this:&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| alter TargetUserName = trim(json_extract(action_evtlog_data_fields, "$.TargetUserName"), "\"")</LI-CODE> <P>&nbsp;</P> <P>This will remove the quotation marks and give you a new column with just the username value.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Tim</P> Wed, 15 Mar 2023 17:03:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534505#M3843 timurphy 2023-03-15T17:03:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534510#M3845 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/231174">@timurphy</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks, that was perfect.</P> <P>&nbsp;</P> <P>I was trying&nbsp;</P> <LI-CODE lang="markup">| alter action_evtlog_data_fields = json_extract(action_evtlog_data_fields, "TargetUserName")</LI-CODE> <P>&nbsp;</P> <P>But your answer solved my problem.</P> <P>&nbsp;</P> <LI-CODE lang="markup">| alter TargetUserName = trim(json_extract(action_evtlog_data_fields, "$.TargetUserName"), "\"")</LI-CODE> <P>&nbsp;</P> <P>Thanks a lot!</P> <P>&nbsp;</P> <P>Regards,</P> <P>Fabio</P> <P>&nbsp;</P> Wed, 15 Mar 2023 17:18:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/get-info-from-different-dataset-and-compare/m-p/534510#M3845 FabioFerreira 2023-03-15T17:18:17Z