https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231452#M8401 <P>We are doing a pretty rushed XDR rollout, and I need to be able to scope my policies fairly specifically. First idea is to use the 4th character of the endpoint_name (hostname) which is P for Prod, T for Test. But I cannot see a way to use the Endpt Grp filters "wildcard" syntax to do this. I have found some community posts and docs referencing XDR's ability to use regex or regex-ish functionality but I have not got that to work in that filter field.</P> <P>&nbsp;</P> <P>The other idea which might work is to use an XQL query to get a list, and then *perhaps* use that list to add tags, since tags are available as a way to filter Endpoint Groups. Right now I can spell XQL if you spot me a couple letters, so that seems like a longer path. And one thing I'm short of is 'long'.</P> <P>&nbsp;</P> <P>Any suggestion and help are appreciated!</P> Tue, 10 Jun 2025 19:30:18 GMT ptrivino1 2025-06-10T19:30:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231452#M8401 <P>We are doing a pretty rushed XDR rollout, and I need to be able to scope my policies fairly specifically. First idea is to use the 4th character of the endpoint_name (hostname) which is P for Prod, T for Test. But I cannot see a way to use the Endpt Grp filters "wildcard" syntax to do this. I have found some community posts and docs referencing XDR's ability to use regex or regex-ish functionality but I have not got that to work in that filter field.</P> <P>&nbsp;</P> <P>The other idea which might work is to use an XQL query to get a list, and then *perhaps* use that list to add tags, since tags are available as a way to filter Endpoint Groups. Right now I can spell XQL if you spot me a couple letters, so that seems like a longer path. And one thing I'm short of is 'long'.</P> <P>&nbsp;</P> <P>Any suggestion and help are appreciated!</P> Tue, 10 Jun 2025 19:30:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231452#M8401 ptrivino1 2025-06-10T19:30:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231525#M8412 <P>Hi&nbsp;ptrivino1,&nbsp;</P> <P>There is currently no native way to match a character at a specific position (e.g., 4th character) in endpoint_name using just the endpoints dataset filter. Considering only operators available are contains, not contains, = , !=<BR />You need to export complete list of endpoints and use filter in Excel sheet</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</SPAN></P> <P><SPAN>Luis</SPAN></P> Wed, 11 Jun 2025 11:01:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231525#M8412 eluis 2025-06-11T11:01:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231531#M8414 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/239623">@ptrivino1</a>&nbsp;,</P> <P>&nbsp;</P> <P>Here is a simple query to extract the fourth character while ignoring dashes if found, also added another field "Group Status" for more convenient classification&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">dataset = xdr_data | filter agent_hostname != null | fields agent_hostname | alter fouth_letter_array = regextract(agent_hostname , "(?i)(?:[^A-Za-z]*[A-Za-z]){3}[^A-Za-z]*([A-Za-z])") | alter fourth_letter = arrayindex(fouth_letter_array,0) | alter Group_Status = if(fourth_letter ="P", "Prod", fourth_letter ="T", "Test", // add more fourth_letter) // return as is if no match | fields agent_hostname, Group_Status </LI-CODE> <P>&nbsp;</P> Wed, 11 Jun 2025 15:14:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231531#M8414 A.Elzedy 2025-06-11T15:14:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231535#M8416 <P>also you might want to consider leveraging api capabilities, depending on how critical is grouping for you organization&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM-REST-API/Make-your-first-API-call" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM-REST-API/Make-your-first-API-call</A>&nbsp; &nbsp;</P> Wed, 11 Jun 2025 15:57:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231535#M8416 A.Elzedy 2025-06-11T15:57:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231675#M8424 <P>Thank you, that's what I ended up doing.</P> Fri, 13 Jun 2025 03:04:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/policy-scoping-by-partial-endpoint-name-gt-endpoint-group/m-p/1231675#M8424 ptrivino1 2025-06-13T03:04:58Z