04-25-2025 11:54 AM - edited 04-28-2025 05:24 AM
I have the query below, and my issue is at the end: when the user puts in the argument for $Serial, it needs to have quotes around it. I think it's because the JSON object it is looking at comes in "quotes" and that's how it filters. In other queries, when I use $user, it puts quotes in the query for me. If I write "$Serial" it doesn't allow the argument. My users of Cortex won't know to add the serial in "quotes" in the search request when they use the query from the library.
Any XQL coders out there have a suggestion to make this work without manually adding the "quotes" around the serial every time?
Cortex XDR
Update: This only happens when the serial is all numbers, e.g. 23456 will not have quotes while 234S6 will have quotes.
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
| filter Device_Serial_Number contains $Serial
04-28-2025 05:04 AM - edited 04-28-2025 06:02 AM
This command does not execute with the argument/parameters window and searches for "$serial" as typed; this happens while using contains or = in the line (see images). Enclosing $serial in quotes removes the ability to put in an argument/parameter. I was hoping there was a way to redefine the JSON parameter to remove the need for quotes or add them in while still using $serial for input of data. I just don't know how to do it.
Update: This only happens when the serial is all numbers, e.g. 23456 will not have quotes while 234S6 will have quotes.
Update Solution: changing the last line to a string resolved the issue: | filter Device_Serial_Number contains to_string($Serial)
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
| filter Device_Serial_Number contains to_string($Serial)
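The failure mode in this thread, modelled in Python as an added example (not code from the thread or from Cortex XDR): the serial extracted from the JSON device info is always a string, but an all-digit parameter arrives as a number, so the contains filter matches nothing until the parameter is coerced with to_string(). The events, the parse_parameter() model of the parameter window and the helper names are constructed assumptions.

```python
import json

# Constructed sample rows standing in for xdr_data FILE_CREATE_NEW events.
# action_file_device_info is a JSON blob, so the serial is extracted as a string
# even when it consists only of digits (mirrors json_extract_scalar in XQL).
SAMPLE_EVENTS = [
    {"actor_effective_username": "alice", "action_file_path": "E:\\report.xlsx",
     "action_file_device_info": json.dumps({"storage_device_drive_type": 2,
                                            "storage_device_mount_point": "E:",
                                            "storage_device_serial_number": "23456"})},
    {"actor_effective_username": "bob", "action_file_path": "F:\\notes.txt",
     "action_file_device_info": json.dumps({"storage_device_drive_type": 2,
                                            "storage_device_mount_point": "F:",
                                            "storage_device_serial_number": "234S6"})},
    # Same serial as alice's device but a fixed disk: must be dropped by drive_type = "2".
    {"actor_effective_username": "carol", "action_file_path": "C:\\local.txt",
     "action_file_device_info": json.dumps({"storage_device_drive_type": 3,
                                            "storage_device_mount_point": "C:",
                                            "storage_device_serial_number": "23456"})},
]


def parse_parameter(raw):
    """Assumed model of the query-parameter window: an all-digit value is
    passed on as a number, anything else stays a string (the behaviour the
    thread observed: 23456 loses its quotes, 234S6 keeps them)."""
    return int(raw) if raw.isdigit() else raw


def extract_scalar(event, key):
    """Equivalent of json_extract_scalar(to_json_string(action_file_device_info), "$.<key>")."""
    value = json.loads(event["action_file_device_info"]).get(key)
    return None if value is None else str(value)


def removable_writes_by_serial(events, serial_param, coerce_to_string):
    """Re-implements the tail of the query: filter drive_type = "2", then
    filter Device_Serial_Number contains <serial>. With coerce_to_string=True
    the parameter is wrapped like to_string($Serial); with False a numeric
    parameter is compared against a string and no row can match."""
    needle = str(serial_param) if coerce_to_string else serial_param
    if not isinstance(needle, str):
        return []  # type mismatch: the empty result the thread ran into
    hits = []
    for ev in events:
        if extract_scalar(ev, "storage_device_drive_type") != "2":
            continue
        serial = extract_scalar(ev, "storage_device_serial_number")
        if serial is not None and needle in serial:
            hits.append((ev["actor_effective_username"], ev["action_file_path"], serial))
    return hits
```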
04-28-2025 12:36 AM
Hello @J.Suter ,
In Cortex XDR's XQL, when using parameters like $Serial in your queries, it's essential to ensure that the parameter value is interpreted correctly, especially when dealing with string comparisons. The issue you're encountering arises because the contains operator expects a string value, and if $Serial isn't enclosed in quotes, the query may not function as intended.
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"),
Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"),
Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"),
Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
| filter Device_Serial_Number contains "$Serial"
By enclosing $Serial in double quotes within the query, you ensure that the parameter is treated as a string, aligning with the expectations of the contains operator.