This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Help with fine tuning a query using $arguments and enclosing them in "quotes"

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help with fine tuning a query using $arguments and enclosing them in "quotes"

Go to solution
J.Suter
L2 Linker

‎04-25-2025 11:54 AM - edited ‎04-28-2025 05:24 AM

I have the below query, and my issue is at the end, when the user puts in the argument for $Serial it needs to have quotes around it. I think it's because the JSON object it is looking at comes in "quotes" and that's how it filters. In other queries when I use $user it put quotes in the query for me. If I write "$Serial" it doesn't allow the argument. My users of Cortex won't know to add the serial in "quotes" in the search request when they use the query from the library.

Any XQL coders out there have a suggestion to make this work without manually adding in the "quotes" around the serial every time?
Cortex XDR 

 

Update: This only Happens when the serial is all numbers EG: 23456 Will not have quotes while 234S6 will have quotes.

 

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains $Serial
Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
J.Suter
L2 Linker
In response to aspatil

‎04-28-2025 05:04 AM - edited ‎04-28-2025 06:02 AM

This command does not execute with the argument/parameters window and searches for "$serial" as typed, this happens while using contains or = in the line (see images). By enclosing $serial in quotes, it removes the ability to put in an argument/parameters. I was hoping there was a way to redefine the JSON parameter to remove the need of quotes or add them in while still using $serial for input of data. I just don't know how to do it.

Update: This only Happens when the serial is all numbers EG: 23456 Will not have quotes while 234S6 will have quotes.

 

Update Solution: changing the last line to string resolved the issue | filter Device_Serial_Number contains to_string($Serial)

 

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains to_string($Serial)

 

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
aspatil
L6 Presenter

‎04-28-2025 12:36 AM

Hello @J.Suter ,

 

In Cortex XDR's XQL, when using parameters like $Serial in your queries, it's essential to ensure that the parameter value is interpreted correctly, especially when dealing with string comparisons. The issue you're encountering arises because the contains operator expects a string value, and if $Serial isn't enclosed in quotes, the query may not function as intended.

 

dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"),
Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"),
Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"),
Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
| filter Device_Serial_Number contains "$Serial"

 

 

By enclosing $Serial in double quotes within the query, you ensure that the parameter is treated as a string, aligning with the expectations of the contains operator.

 

Ashutosh Patil
0 Likes Likes

Go to solution
J.Suter
L2 Linker
In response to aspatil

‎04-28-2025 05:04 AM - edited ‎04-28-2025 06:02 AM

This command does not execute with the argument/parameters window and searches for "$serial" as typed, this happens while using contains or = in the line (see images). By enclosing $serial in quotes, it removes the ability to put in an argument/parameters. I was hoping there was a way to redefine the JSON parameter to remove the need of quotes or add them in while still using $serial for input of data. I just don't know how to do it.

Update: This only Happens when the serial is all numbers EG: 23456 Will not have quotes while 234S6 will have quotes.

 

Update Solution: changing the last line to string resolved the issue | filter Device_Serial_Number contains to_string($Serial)

 

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains to_string($Serial)

 

0 Likes Likes
  • 1 accepted solution
  • 497 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks