08-02-2022 09:51 AM
When running this XQL query, if I add event_sub_type to the filter it fails to run.
I can run the query without any filters, and then add the event_sub_type column without issues.
dataset = xdr_data
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE or event_sub_type = enum.FILE_OPEN )
| filter agent_ip_addresses = "x.x.x.x"
| filter action_file_path contains "Path"
| filter action_file_name not contains "$"
| filter action_file_extension != "tmp"
| fields agent_hostname, agent_ip_addresses, actor_effective_username, action_file_name, action_file_path, action_file_extension, event_sub_type
08-02-2022 11:17 AM
Hi NathanBradley,
This is definitely strange behavior; I'm honestly not sure why this query is failing. I was able to get the following query to work successfully:
dataset = xdr_data
| filter event_type = ENUM.FILE
| filter event_sub_type in (ENUM.FILE_OPEN, ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE)
| filter agent_ip_addresses = "x.x.x.x"
| filter action_file_path contains "Path"
| filter action_file_name not contains "$"
| filter action_file_extension != "tmp"
| alter file_action = if(event_sub_type = 1, replace(to_string(event_sub_type), "1", "CREATE"), if(event_sub_type = 6, replace(to_string(event_sub_type), "6", "WRITE"), if(event_sub_type = 2, replace(to_string(event_sub_type), "2", "OPEN"))))
| fields agent_hostname, agent_ip_addresses, actor_effective_username, action_file_name, action_file_path, action_file_extension, file_action
08-02-2022 11:42 AM
Thanks, it does get what I'm needing.
But it didn't replace the numerical value.
Also, where did you get the numerical values for event_sub_type?
08-03-2022 07:20 AM
Hmm, for some reason the XQL query does not like to be copied and pasted. I had to remove the "1", "CREATE", "2", "OPEN", "6", "WRITE", and then type them in again before it would properly replace. It doesn't appear that these values have public documentation, I was able to reference some internal documentation.
08-03-2022 07:29 AM
Thanks, did that and it worked.
Can the numerical values for the other event sub types be shared?
08-03-2022 07:36 AM
code | event_sub_type
1 | create_new
2 | open
3 | rename
4 | link
5 | remove
6 | write
7 | set_attribute
8 | dir_create
9 | dir_open
10 | dir_rename
11 | dir_link
12 | dir_remove
13 | dir_write
14 | dir_set_attr
15 | reparse
16 | set_sec
17 | dir_set_sec
18 | change_mode
19 | dir_change_mode
20 | change_owner
21 | dir_change_owner
22 | dir_query
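As an added example (not from this thread or from Palo Alto Networks), a small Python helper for the two issues discussed above: detecting and stripping the typographic quotes that break a copied-and-pasted XQL query, and generating the event_sub_type code-to-name mapping from the table in the reply. The field name and the nested if(cond, then, else) form are taken from the query posted earlier in the thread; the exact set of characters XQL rejects is an assumption.

```python
# Added example (not from the thread or Palo Alto Networks): helpers for the
# two problems in this thread, pasted XQL breaking on typographic quotes and
# building the event_sub_type code-to-name mapping from the posted table.
import re

# FILE event_sub_type codes, as listed in the thread.
FILE_SUB_TYPES = {
    1: "create_new", 2: "open", 3: "rename", 4: "link", 5: "remove",
    6: "write", 7: "set_attribute", 8: "dir_create", 9: "dir_open",
    10: "dir_rename", 11: "dir_link", 12: "dir_remove", 13: "dir_write",
    14: "dir_set_attr", 15: "reparse", 16: "set_sec", 17: "dir_set_sec",
    18: "change_mode", 19: "dir_change_mode", 20: "change_owner",
    21: "dir_change_owner", 22: "dir_query",
}

# Characters a word processor or forum page substitutes into a pasted query
# (assumed set; curly quotes are the ones seen in this thread).
_TYPOGRAPHIC = str.maketrans({
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u00a0": " ",                  # non-breaking space
})

def has_typographic_chars(query: str) -> bool:
    """True if the query contains quotes/spaces XQL will not parse."""
    return re.search("[\u201c\u201d\u2018\u2019\u00a0]", query) is not None

def normalize_xql(query: str) -> str:
    """Replace typographic quotes/spaces with the ASCII ones XQL expects."""
    return query.translate(_TYPOGRAPHIC)

def file_action_expr(codes=(1, 2, 6), field="event_sub_type") -> str:
    """Build a nested if() expression mapping the given sub-type codes to
    names; unmapped codes fall back to the numeric value as a string.
    Assumes XQL's if(cond, then, else) form shown in the thread."""
    expr = f"to_string({field})"
    for code in reversed(codes):
        expr = f'if({field} = {code}, "{FILE_SUB_TYPES[code]}", {expr})'
    return expr

if __name__ == "__main__":
    # Constructed sample: a filter line as it comes out of the forum page.
    pasted = "| filter agent_ip_addresses = \u201cx.x.x.x\u201d"
    print(has_typographic_chars(pasted))   # True
    print(normalize_xql(pasted))
    print("| alter file_action = " + file_action_expr())
```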