XQL Query Help

Y.Kiroglu — Thu, 10 Oct 2024 10:05:25 GMT

I'm trying to write a few XQL queries in Cortex XDR, but I’m quite new to it and running into some difficulties. I’d really appreciate any guidance or examples you can provide for any of the following queries:

To detect when the Cortex XDR Agent is uninstalled,
To trigger an alert for Tamper Detection,
To monitor if a live terminal session is initiated on any machine,
To identify Domain Admin logon events occurring between 19:30 and 07:30 (I believe Event ID 4672 can be used here).

Thank you very much for your help 🙂

Re: XQL Query Help

jmazzeo — Thu, 10 Oct 2024 13:59:33 GMT

Hi @Y.Kiroglu, thanks for reaching us using the Live Community.

Let me try to help you with your questions:

1 & 2 - You can see all those events in Settings - Agent Audit logs, and you can forward those events to get alerted. This is the document you should check.

3- This events are stored in Settings - Management Audit Logs, and you can forward the events in the same way as the Agent Audit logs. Check this doc.

4- Try this XQL query, it may not be complete but can help:

dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4672 // Filtering by windows event log and id 4672
| alter Security_ID =arrayindex(regextract(action_evtlog_message, "Security:\r\n.*\r\n"),0),
Account_Name = arrayindex(regextract(action_evtlog_message, "Account Name:.*?(\w.*)\r\n"),0),
Domain = arrayindex(regextract(action_evtlog_message, "Account Domain:.*?(\w.*?)\r\n"),0),
Privileges = arrayindex(regextract(action_evtlog_message, "Privileges:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0)

| fields Security_ID, Account_Name, Domain, Privileges // Select all the fields to show them

I saw some other posts with this questions, I'll point them to this topic.

If this post answers your question, please mark it as the solution.

topic XQL Query Help in Cortex XDR Discussions

XQL Query Help

Re: XQL Query Help