topic XQL Search- to get the source of the file in Cortex XDR Discussions

XQL Search- to get the source of the file

Seth_Sakshi — Tue, 04 Apr 2023 07:28:25 GMT

I want to know the XQL query or filters which helps in the analysis of alerts & to know the source of file where it is coming into our system.

For example- whether user downloaded the file from browser or someone sent through outlook, from portable device, etc.

Re: XQL Search- to get the source of the file

zarnous — Thu, 06 Apr 2023 23:11:39 GMT

Hello Seth_Sakshi

1- For the incident and alert data, they are not currently exposed to any XDR dataset , hence you cannot directly query incident and alerts but this is subject to change in the future.
However, leads and data that is collected by the XDR agent they are exposed to XQL by using the dataset = xdr_data.

To query file actions for example, you can use in your search either of the below as your data source :
dataset = xdr_data
OR
preset = xdr_file

Then you can consult eh schema buy navigating to the "Schema" tab to see what fields are there that you can use to build your filter based on your use case such as
action_file_name
action_file_path
action_file_previous_file_path

And more.

Please note, downloading a file doesnt trigger an event that is exposed to XQL since it is not a type of event that is natively collected by the XDR agent unlike executions events like file actions and process executions, such as File write and File create, ...

Example below for a query that looks for Binary file dropped to Public user folder:

preset = xdr_file // Using the XDR file preset
| filter lowercase(action_file_path) ~= "c:\\users\\public\\.*?.(exe|dll|sys|scr|msi)" and event_sub_type = ENUM.FILE_WRITE and action_file_sha256 != null //Filtering for binary files created under c:\users\public with a sha256 value
| fields action_file_path as file_path, action_file_sha256 as file_sha256, actor_process_image_path as process_path, actor_process_command_line as process_cmd, causality_actor_process_image_path as cgo_path, causality_actor_process_command_line as cgo_cmd // Selecting the relevant fields
| dedup file_path, file_sha256, process_path, process_cmd, cgo_path, cgo_cmd by asc _time // Dedupping values to only show the first time a file was written

Hope that was helpful and shed some light!

Re: XQL Search- to get the source of the file

Seth_Sakshi — Fri, 07 Apr 2023 05:08:03 GMT

Hello Zarnous,

Thanks for your input.

I have some more queries regarding this-

Can we get the logs of a file which is not executed but only detected during the weekly malware scan? I want to know by when and where this file comes into the system.

Thanks in advance.

Regards,

Sakshi Seth

Re: XQL Search- to get the source of the file

zarnous — Fri, 07 Apr 2023 14:38:42 GMT

as long as this information was captured by the agent then yes for sure, you can start with something as simple as looking for a file name or a part of the file name/ extension:

For example, i am looking for file that have ".json"
preset = xdr_file
| filter (action_file_name contains """.json""")

Then you can define the Event sub type you are looking for, such as
FILE_CREATE_NEW
FILE_REMOVE
FILE_RENAME

Or you can just leave it with no specific sub event type to see all actions taken on that specific file , like in the below screenshot that looks for all files with ".json" with no specific sub event type specified

Then lets say you want to filter on more actions / field, you can do that by simply filter on the field you would like to look for then you can easily export the grid filter up toe the XQ-Filed as seen below

This way you can build your filters to apply to the use case you are looking for

Hope that helps!