topic Re: XQL Query to Help Create Correlations Rules in Cortex XDR Discussions

XQL Query to Help Create Correlations Rules

Fadli_T — Thu, 28 Mar 2024 04:37:31 GMT

Hello i'm trying to do query for the specific fields in the datasets, im trying to do regextract to filter out some specific value in the fields then i use alter to move it to the new fields. But the problem is the value of the fields that im trying to query is appear in the different event. Here's the query that i already make:

DATASET 1: create dataset named “verdict” to store new field named MID and Verdict

DATASET2: create dataset named “src” to store a new field named source

dataset = unknown_unknown_raw | sort desc _raw_log | filter _raw_log contains "ICID" and _raw_log contains "From" and _raw_log contains "@" | alter source = regextract(_raw_log, "From:\s<([^>]+)>")

DATASET3: create dataset named “dst” to store a new field named destination

dataset = unknown_unknown_raw | sort desc _raw_log | filter _raw_log contains "ICID" and _raw_log contains "To" and _raw_log contains "@" and _raw_log not contains "From" | alter destination = regextract(_raw_log, "To:\s<([^>]+)>") | target type = dataset dst

Then after making all the fields, i try to query the new dataset which contains the fields i need that i already regex with this command:

dataset in (verdict, src, dst) | filter verdict != null or MID != null or source != null or destination != null

But it only return only 2 fields with value, like:
- MID & verdict

- MID & source

- MID & destination

It happens because verdict, source and destination are in the different event but they can have same MID. But i want to do correlations for that 4 fields. My main goals to make a correlation rules to correlate verdict, source and destination with same MID.

Is there any best practice to solve this?

Re: XQL Query to Help Create Correlations Rules

nsinghvirk — Mon, 01 Apr 2024 15:37:45 GMT

Hello @Fadli_T

Thanks for reaching out on LiveCommunity!

This is happening because in your final query the filter is getting checked against individual datasets not a combination of 3. In order to combine datasets you need to use 'join' stage. But it can join two datasets at a time. Below is the reference document for join stage.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join

By the way why are you creating four different datasets since all are made from same dataset.

Re: XQL Query to Help Create Correlations Rules

Fadli_T — Fri, 05 Apr 2024 09:17:32 GMT

Hello @nsinghvirk ,

Thank you for your reply, i already solve this last query with join as you advised. I do the join for the verdict and src dataset then target it to the new dataset, then merge that new dataset with the dst dataset and finally i can make them in 1 row with the same MID. For the refferences this is my last query:

JOIN 1: MID + VERDICT + SOURCE

dataset = verdict | limit 1 | join type = left (dataset = src) as vs (true = true) | sort asc _time | target type = dataset vs

JOIN 2: MID + VERDICT + SOURCE + DESTINATION

dataset = vs | limit 1 | join type = left (dataset = dst) as sd (true = true) | sort asc _time | target type = dataset result

QUERY RESULT: Query new dataset named “result” with 4 fields that i desire in 1 row

dataset = result | fields MID, Verdict, source , destination