https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/virtual-functions-variables-creating-anomaly-based-detection/m-p/590484#M6855 <P>Hello,<BR /><BR />Right, so I had an idea:</P> <P>&nbsp;</P> <PRE>config timeframe between "30d" and "1d" <BR />| dataset = xdr_data <BR />| filter event_type = ENUM.SYSTEM_CALL <BR />| comp values(actor_process_image_name) as Base <BR />| join type= inner ( <BR />config timeframe between "1d" and "now" <BR />| dataset = xdr_data <BR />| filter event_type = ENUM.SYSTEM_CALL ) as Rare rare.actor_process_image_name not in(Base)</PRE> <P>This should create an array of strings of the original actor processes and look the new data against it and show stuff that in not in the original.</P> <P>&nbsp;</P> <P>The issue that i am facing for this is that for some reason the in() operator does not take array strings which is super weird.</P> <P>&nbsp;</P> <P>Do you know how can I match against an array using in?</P> <P>&nbsp;</P> <P>The query language has so many restrictions <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 26 Jun 2024 13:50:36 GMT AvesterFahimipour 2024-06-26T13:50:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/virtual-functions-variables-creating-anomaly-based-detection/m-p/590443#M6850 <P>Hello Everyone,</P> <P>&nbsp;</P> <P>Cortex XDR has the functionality does allows you to use XQL queries to create lookups or datasets.</P> <P>The problem is that these are static and cannot be dynamically updated for detection rules.<BR /><BR />The use case I had in mind is that I have two XQL queries the first one looks at events occurring from 30 to 1 day ago.</P> <P>The second query looks for events happening in the current day that have not been seen in the first query which is the last 29 days.<BR /><BR />What would be the best way to achieve this goal?</P> <P>&nbsp;</P> Wed, 26 Jun 2024 13:41:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/virtual-functions-variables-creating-anomaly-based-detection/m-p/590443#M6850 AvesterFahimipour 2024-06-26T13:41:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/virtual-functions-variables-creating-anomaly-based-detection/m-p/590484#M6855 <P>Hello,<BR /><BR />Right, so I had an idea:</P> <P>&nbsp;</P> <PRE>config timeframe between "30d" and "1d" <BR />| dataset = xdr_data <BR />| filter event_type = ENUM.SYSTEM_CALL <BR />| comp values(actor_process_image_name) as Base <BR />| join type= inner ( <BR />config timeframe between "1d" and "now" <BR />| dataset = xdr_data <BR />| filter event_type = ENUM.SYSTEM_CALL ) as Rare rare.actor_process_image_name not in(Base)</PRE> <P>This should create an array of strings of the original actor processes and look the new data against it and show stuff that in not in the original.</P> <P>&nbsp;</P> <P>The issue that i am facing for this is that for some reason the in() operator does not take array strings which is super weird.</P> <P>&nbsp;</P> <P>Do you know how can I match against an array using in?</P> <P>&nbsp;</P> <P>The query language has so many restrictions <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 26 Jun 2024 13:50:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/virtual-functions-variables-creating-anomaly-based-detection/m-p/590484#M6855 AvesterFahimipour 2024-06-26T13:50:36Z