XQL Query: Hunting for git related activity not related to Github

PV_Byrd — Thu, 04 May 2023 14:49:56 GMT

Good Day,

I am fairly new to Cortex but have been looking to detect git related activity not associated to Github. I believe I have a decent grasp on the volume as well as the observed destinations. I am running into issues differentiating what initiated these flows (HTTP/S, SSH, Etc.). The only remote port that shows in the network story is DNS(53).

I am wondering if I need to join another dataset and how would I go about doing so? Or if there is a better way to get this result set outside of network story

Below is what I have so far, any help would be greatly appreciated:

config case_sensitive = false
| preset = network_story
| filter (dns_resolutions != null)
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname , actor_process_image_name , actor_process_image_name , actor_process_command_line , Resolution_Name , Resolution_Value , dns_query_type , dns_resolutions , dns_query_name , dns_reply_code, user_id , actor_effective_username , action_local_port , action_remote_port
| filter Resolution_Name not contains "github" and actor_process_command_line contains "http" and actor_process_command_line contains "git"
| sort desc actor_process_command_line
| dedup actor_process_command_line

Re: XQL Query: Hunting for git related activity not related to Github

mavraham — Sun, 07 May 2023 23:42:06 GMT

Hi @PV_Byrd, thank you for writing to Live Community.

Please allow me some time to figure out an answer.

topic Re: XQL Query: Hunting for git related activity not related to Github in Cortex XDR Discussions

XQL Query: Hunting for git related activity not related to Github

Re: XQL Query: Hunting for git related activity not related to Github