topic Shorten returned values in query in Cortex XSOAR Discussions

Shorten returned values in query

barnettml — Wed, 20 Sep 2023 14:55:55 GMT

I'm creating a widget so I can have a report run returning certain Managment Audit log information. One of the fields, "Management_Auditing_type" has values that are quite long that I would like to truncate. For example, have "MANAGEMENT_AUDIT_ACTION_CENTER" changed to "Action Center", and "Management_Audit_Policy_Profiles" changed to just "Policy Profiles". The same goes for the fields for the results and severity. They all start with "Management_Audit_......".

I've been able to change the field names but I can't figure out how to change the values that get returned.

-------------------------------------------------------------------------------------------------------------------------------------------------

dataset = management_auditing
|Fields timestamp, user_name as username, management_auditing_type as type, subtype, management_auditing_result as result, management_auditing_severity as severity, description

| filter (type in (MANAGEMENT_AUDIT_ACTION_CENTER, MANAGEMENT_AUDIT_AGENT_EXCEPTION_RULES, MANAGEMENT_AUDIT_ENDPOINT_ADMINISTRATION, MANAGEMENT_AUDIT_LICENSING, MANAGEMENT_AUDIT_POLICY_PROFILES, MANAGEMENT_AUDIT_RESPONSE))

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks in advance!

Re: Shorten returned values in query

amenendez — Thu, 28 Sep 2023 21:09:47 GMT

Hi Barnettml,

Happy to assist! I'm trying to replicate your issue, but I'm trying to understand what widget type you are editing to use that filter. Additionally, if you could provide all the steps you've taken so far to try and accomplish this so I can follow your flow better.

My understanding is that you have data in the Management Audit Log that you are trying to expose in a report using a custom widget. Knowing the widget type in the report that you are using and the field you're inputing those filters into would help as well. Lastly, I'm assuming you are using XSOAR 8 since you're using the Management Audit Log.

Thanks and have a great day!

Re: Shorten returned values in query

jfernandes1 — Fri, 29 Sep 2023 04:08:39 GMT

Hi @barnettml, That might not be possible through the basic widget. You will need to build your own script based widget, modify the data as required then return the data is widget type format.

Refer - https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.12/Cortex-XSOAR-Administrator-Guide/Create-a-Custom-Widget-Using-an-Automation-Script for more information.

Re: Shorten returned values in query

barnettml — Fri, 29 Sep 2023 10:40:07 GMT

o I had initially put this under "General Discussion".....not sure how it ended up under XSOAR but I am in Cortex XDR.....we do not have XSOAR......yet...... As far as how it was created I simply went to create a custom XQL widget and created the code shown above. The problem is that I'm not sure how in XQL to change how VALUES appear. You can see in the screenshot here that the data in the results is quite large.

I know this information in the data can be shortened because I see it when

I go to settings -->management audit logs as seen to the right.

My reasoning for creating this widget is so that I can have it on my dashboard as well as I've created a weekly report based off of the widget but it is truncated because these values are so big.

I hope this explanation helps. I just need help getting the XQL right