topic Re: How to search for multiple of the same file hashes across multiple field types? in Cortex XDR Discussions

How to search for multiple of the same file hashes across multiple field types?

DannyKing — Wed, 19 Apr 2023 23:15:06 GMT

Hello Everyone,

I am trying to find a way to search for multiple of the same file hashes across multiple field types, but can't seem to figure it out. I was thinking it could be something like:

dataset = xdr_data | filter where action_file_sha256 or actor_process_image_sha256 or action_module_sha256 in ("hash1", "hash2")

...but that's not working. I do know that the below type of query works, but it doesn't scale well when you account for the fact that there are many other "sha256" field types:

dataset = xdr_data | filter action_file_sha256 in ("hash1", "hash2") or action_module_sha256 in ("hash1", "hash2") or action_process_image_sha256 in ("hash1", "hash2")

Any help would be greatly appreciated. Thanks!

Re: How to search for multiple of the same file hashes across multiple field types?

PiyushKohli — Thu, 20 Apr 2023 09:17:58 GMT

Hi @DannyKing

Thank you for writing to live community!

Based on your Use Case wherein you would like to search for same hash across different field types, while there could be different ways. One way for example you may try is Union stage.

Query for example:

config case_sensitive = false | preset = xdr_process | filter action_process_image_sha256 = "8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233"
| union (preset = xdr_file | filter action_file_sha256 = "8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233")
| union (preset = xdr_image_load | filter action_module_sha256 = "8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233")

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.

Regards.