topic Re: Sharing various xql queries in Cortex XDR Discussions

Sharing various xql queries

NathanBradley — Fri, 12 May 2023 14:38:06 GMT

This returns dns queries filtered by the domain name given in the variable.

config case_sensitive = false
| preset = network_story
| filter (dns_resolutions != null)
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname, actor_process_image_name, actor_process_image_path, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions
| filter Resolution_Name contains $domain
| sort desc _time

Re: Sharing various xql queries

NathanBradley — Fri, 12 May 2023 14:40:09 GMT

New Service creation on server devices, makes a good BIOC

Filter out reoccurring services

dataset = xdr_data
| filter action_evtlog_event_id = 7045
| alter ServiceName = arrayindex(regextract(action_evtlog_message , "Service Name:(\s\s.*)"),0)
| alter ServiceFileName = arrayindex(regextract(action_evtlog_message , "Service File Name:(\s\s.*)"),0)
| alter ServiceType = arrayindex(regextract(action_evtlog_message , "Service Type:(\s\s.*)"),0)
| alter ServiceStartType = arrayindex(regextract(action_evtlog_message , "Service Start Type:(\s\s.*)"),0)
| alter ServiceAccount = arrayindex(regextract(action_evtlog_message , "Service Account:(\s\s.*)"),0)
| fields agent_hostname, ServiceName, ServiceName, ServiceStartType, ServiceAccount, ServiceType, ServiceFileName, action_evtlog_message, agent_ip_addresses, action_evtlog_username, action_evtlog_description, action_evtlog_data_fields,agent_os_type, agent_os_sub_type
| filter agent_os_sub_type contains "Server"

Re: Sharing various xql queries

NathanBradley — Fri, 12 May 2023 14:42:30 GMT

Files created on USB mass storage

dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number

Re: Sharing various xql queries

NathanBradley — Fri, 12 May 2023 14:47:25 GMT

Applications, filter by name needed

config case_sensitive = false timeframe=1d
| dataset = host_inventory
| filter applications != null
| arrayexpand applications
| alter applicationname=json_extract(applications, "$.application_name")
| alter applicationversion=json_extract(applications, "$.version")
| alter appvendor=json_extract(applications, "$.vendor")
| alter installdate=json_extract(applications, "$.install_date")
| filter applicationname contains "Edge"
| fields host_name, applicationname, applicationversion, appvendor, installdate, system_type, product_type, ip_addresses

Re: Sharing various xql queries

NathanBradley — Fri, 12 May 2023 14:49:41 GMT

Bioc for when a new usb mass storage device is connected to an endpoint

preset = xdr_registry
| filter (action_registry_key_name contains "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\Enum" and event_sub_type = REGISTRY_CREATE_KEY)