Help with fine tuning a query using $arguments and enclosing them in "quotes"

J.Suter · ‎04-25-2025

I have the below query, and my issue is at the end, when the user puts in the argument for $Serial it needs to have quotes around it. I think it's because the JSON object it is looking at comes in "quotes" and that's how it filters. In other queries when I use $user it put quotes in the query for me. If I write "$Serial" it doesn't allow the argument. My users of Cortex won't know to add the serial in "quotes" in the search request when they use the query from the library.

Any XQL coders out there have a suggestion to make this work without manually adding in the "quotes" around the serial every time?
Cortex XDR

Update: This only Happens when the serial is all numbers EG: 23456 Will not have quotes while 234S6 will have quotes.

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains $Serial

J.Suter · ‎04-28-2025

This command does not execute with the argument/parameters window and searches for "$serial" as typed, this happens while using contains or = in the line (see images). By enclosing $serial in quotes, it removes the ability to put in an argument/parameters. I was hoping there was a way to redefine the JSON parameter to remove the need of quotes or add them in while still using $serial for input of data. I just don't know how to do it.

Update: This only Happens when the serial is all numbers EG: 23456 Will not have quotes while 234S6 will have quotes.

Update Solution: changing the last line to string resolved the issue | filter Device_Serial_Number contains to_string($Serial)

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains to_string($Serial)

View solution in original post

aspatil · ‎04-28-2025

Hello @J.Suter ,

In Cortex XDR's XQL, when using parameters like $Serial in your queries, it's essential to ensure that the parameter value is interpreted correctly, especially when dealing with string comparisons. The issue you're encountering arises because the contains operator expects a string value, and if $Serial isn't enclosed in quotes, the query may not function as intended.

dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"),
Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"),
Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"),
Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
| filter Device_Serial_Number contains "$Serial"

By enclosing $Serial in double quotes within the query, you ensure that the parameter is treated as a string, aligning with the expectations of the contains operator.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Ashutosh Patil

J.Suter · ‎04-28-2025

This command does not execute with the argument/parameters window and searches for "$serial" as typed, this happens while using contains or = in the line (see images). By enclosing $serial in quotes, it removes the ability to put in an argument/parameters. I was hoping there was a way to redefine the JSON parameter to remove the need of quotes or add them in while still using $serial for input of data. I just don't know how to do it.

Update: This only Happens when the serial is all numbers EG: 23456 Will not have quotes while 234S6 will have quotes.

Update Solution: changing the last line to string resolved the issue | filter Device_Serial_Number contains to_string($Serial)

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains to_string($Serial)

Help with fine tuning a query using $arguments and enclosing them in "quotes"