02-20-2024 11:46 AM
I want to create an alert, and to do this, my understanding is to create an XQL query in the Correlations to create the alert. I then can use the Automation to create the email and text alert.
My struggle is I'm not that good with creating XQL stuff. I figured out how to look for the host and whether it has an IP, but now I need to add one more line to check that it got an IP after today's date.
02-20-2024 10:43 PM - edited 02-21-2024 08:09 PM
Hello, Dog Likes Best
XQL is a query language that enables you to analyze the data ingested into Cortex XDR and perform various security operations. Here are some sources that I found:
Cortex XDR - XQL Query Engine | Cortex XSOAR: This is a documentation page that explains how to configure and use the Cortex XDR - XQL Query Engine integration on Cortex XSOAR, which is a security orchestration, automation, and response platform. You can use this integration to run XQL queries on Cortex XDR and get the results as a table, a file, or a context output.
XDR Best Practices: 5 Tips For Better XQL Queries: This is a blog post that provides some key tips and best practices for utilizing XQL more effectively, optimizing query performance, and leveraging its powerful features to streamline your data analysis workflows. You can learn how to use query templates and translations, format your stages, be granular with your queries, avoid repetitive logical operators, and use time functions and variables.
Please share your useful XQL queries! - LIVEcommunity: This is a forum thread where users share and discuss their useful and interesting XQL queries for various use cases and scenarios. You can find some examples of queries that search for CVEs, scan errors, rundll32 running HTML applications, and more. You can also ask questions and get feedback from other users and experts.
Based on these sources, I think you can create an alert when a lost endpoint device comes back online by using a query like this:
dataset = endpoints
| filter endpoint_status = "LOST"
| fields endpoint_name, ip_address, last_seen
| filter ip_address != null and last_seen > now() - 1d
| alter alert_message = "Endpoint " + endpoint_name + " with IP address " + ip_address + " came back online at " + last_seen
| fields alert_message
This query will filter the endpoints dataset for devices that have a status of “LOST”, and then select the endpoint name, IP address, and last seen time. It will then filter for devices that have an IP address and were seen in the last day, indicating that they came back online. It will then create an alert message for each device with the relevant information, and display the alert messages as the output.
You can then use the Automation feature to create an email and text alert based on the query output. You can follow the steps in this document to configure the Automation settings and actions.
I hope this helps you create the alert that you want.
02-21-2024 05:41 AM
It doesn't like the now() - 1d.
Am I to put something in the brackets?
02-23-2024 09:01 AM
I think this is what you want.
dataset = endpoints
| filter endpoint_status = ENUM.CONNECTION_LOST
| fields endpoint_name, ip_address, last_seen
| filter ip_address != null and timestamp_diff(current_time(),last_seen, "DAY") < 1
| alter alert_message = "Endpoint " + endpoint_name + " with IP address " + to_string(ip_address) + " came back online at " + last_seen
| fields alert_message
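To make the stages of the accepted query concrete, here is an added reference implementation (not code from the thread or from Palo Alto Networks) of the same filter logic in Python over a few constructed endpoint records. It assumes ip_address is stored as an array (which is why the query needs to_string) and that timestamp_diff with "DAY" truncates to whole days; both are assumptions, not something the thread states.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real endpoint data. Each one exercises a
# different stage of the query: only WS-001 should produce an alert.
NOW = datetime(2024, 2, 23, 9, 0, tzinfo=timezone.utc)
ENDPOINTS = [
    {"endpoint_name": "WS-001", "endpoint_status": "CONNECTION_LOST",
     "ip_address": ["10.1.2.3"], "last_seen": NOW - timedelta(hours=5)},  # back online
    {"endpoint_name": "WS-002", "endpoint_status": "CONNECTION_LOST",
     "ip_address": None, "last_seen": NOW - timedelta(hours=1)},          # no IP yet
    {"endpoint_name": "WS-003", "endpoint_status": "CONNECTION_LOST",
     "ip_address": ["10.1.2.9"], "last_seen": NOW - timedelta(days=3)},   # stale
    {"endpoint_name": "WS-004", "endpoint_status": "CONNECTED",
     "ip_address": ["10.1.2.7"], "last_seen": NOW},                       # never lost
]


def timestamp_diff_days(later, earlier):
    """Whole days between two timestamps (assumed to mirror timestamp_diff(..., "DAY"))."""
    return int((later - earlier).total_seconds() // 86400)


def lost_endpoints_back_online(endpoints, now):
    """Apply the query's filter/alter stages and return the alert_message values."""
    alerts = []
    for ep in endpoints:
        # | filter endpoint_status = ENUM.CONNECTION_LOST
        if ep["endpoint_status"] != "CONNECTION_LOST":
            continue
        # | filter ip_address != null and timestamp_diff(current_time(), last_seen, "DAY") < 1
        if ep["ip_address"] is None:
            continue
        if timestamp_diff_days(now, ep["last_seen"]) >= 1:
            continue
        # | alter alert_message = ... to_string(ip_address) ... (array rendered as text)
        alerts.append(
            f"Endpoint {ep['endpoint_name']} with IP address {ep['ip_address']} "
            f"came back online at {ep['last_seen'].isoformat()}"
        )
    return alerts


if __name__ == "__main__":
    for msg in lost_endpoints_back_online(ENDPOINTS, NOW):
        print(msg)
```

Running it prints one message, for WS-001; the other three records are dropped by the status, null-IP and one-day-window conditions respectively.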
03-27-2024 03:10 AM
Hello,
Thank you for the detailed response. I also tried this and created a scheduled query. The query executed and returned two results in my case, but no alert was generated. Is there a way to generate an alert from within an XQL query?
03-27-2024 05:49 AM
Put the query in a Custom BIOC rule.
From the XDR Portal:
Detection Rules > Correlation Rules > + Add Correlation
Paste the query in the Correlation Rule and make it a medium level alert.
This is not available in the Prevent license though.
03-27-2024 07:30 AM
Problem with BIOC rule is, we don't have access to "dataset = endpoints" there. How can we find field "last_seen" in xdr_data?
03-27-2024 07:33 AM
I wrote it wrong in the title. Did you try BIOC or correlation?
Try it in correlation.
04-02-2024 02:35 AM
I didn't find any reason why these specific alerts don't show up in Automation rules, but I just found a workaround for it through Cortex Settings -> Configuration -> Notification. It works and generated alerts appear here and I was able to send Emails via this.