Help with fine tuning a query using $arguments and enclosing them in "quotes"


L2 Linker

I have the below query, and my issue is at the end: when the user puts in the argument for $Serial it needs to have quotes around it. I think it's because the JSON object it is looking at comes in "quotes" and that's how it filters. In other queries when I use $user it puts quotes in the query for me. If I write "$Serial" it doesn't allow the argument. My users of Cortex won't know to add the serial in "quotes" in the search request when they use the query from the library.

Any XQL coders out there have a suggestion to make this work without manually adding in the "quotes" around the serial every time?
Cortex XDR

Update: this only happens when the serial is all numbers, e.g. 23456 will not have quotes while 234S6 will have quotes.

 

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains $Serial

L6 Presenter

Hello @J.Suter ,

 

In Cortex XDR's XQL, when using parameters like $Serial in your queries, it's essential to ensure that the parameter value is interpreted correctly, especially when dealing with string comparisons. The issue you're encountering arises because the contains operator expects a string value, and if $Serial isn't enclosed in quotes, the query may not function as intended.

 

dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
| alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"),
Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"),
Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"),
Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
| filter drive_type = "2"
| fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
| filter Device_Serial_Number contains "$Serial"
By enclosing $Serial in double quotes within the query, you ensure that the parameter is treated as a string, aligning with the expectations of the contains operator.

 

Ashutosh Patil

This command does not execute with the argument/parameters window and searches for "$serial" as typed; this happens while using contains or = in the line (see images). By enclosing $serial in quotes, it removes the ability to put in an argument/parameters. I was hoping there was a way to redefine the JSON parameter to remove the need of quotes or add them in while still using $serial for input of data. I just don't know how to do it.

Update: this only happens when the serial is all numbers, e.g. 23456 will not have quotes while 234S6 will have quotes.

 

Update (solution): changing the last line to a string resolved the issue: | filter Device_Serial_Number contains to_string($Serial)

 

dataset = xdr_data
 | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW
 | alter Drive_Type = json_extract(to_json_string(action_file_device_info),"$.storage_device_drive_type"), Filesystem = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_filesystem"), Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_mount_point"), Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info),"$.storage_device_serial_number")
 | filter drive_type = "2"
 | fields action_file_path as File_Path, actor_effective_username as Username, Filesystem, Drive_Letter, Device_Serial_Number
 | filter Device_Serial_Number contains to_string($Serial) 
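The following is an added worked example, not code from this thread or from Palo Alto Networks. It re-implements the query's logic in Python over constructed sample events, so the typing problem the thread describes can be reproduced offline: an all-digit parameter value is rendered as a bare numeric literal, a string `contains` against it fails, and wrapping the parameter in `to_string()` makes it work for both numeric and mixed serials. The `render_param` rule (digits-only input becomes a number) is an assumption inferred from the thread's observation, not documented Cortex behaviour; the event records, usernames and serial numbers are made up.

```python
import json

# Constructed sample events (not from the page). action_file_device_info is
# stored as the JSON text that to_json_string() yields in the XQL query.
EVENTS = [
    {"event_type": "FILE", "event_sub_type": "FILE_CREATE_NEW",
     "action_file_path": "E:\\q3-report.xlsx", "actor_effective_username": "alice",
     "action_file_device_info": json.dumps({
         "storage_device_drive_type": 2, "storage_device_filesystem": "FAT32",
         "storage_device_mount_point": "E:", "storage_device_serial_number": "23456"})},
    {"event_type": "FILE", "event_sub_type": "FILE_CREATE_NEW",
     "action_file_path": "F:\\notes.txt", "actor_effective_username": "bob",
     "action_file_device_info": json.dumps({
         "storage_device_drive_type": 2, "storage_device_filesystem": "exFAT",
         "storage_device_mount_point": "F:", "storage_device_serial_number": "AA234S6"})},
    # Same serial as the first event but drive_type 3 (fixed disk): must be filtered out.
    {"event_type": "FILE", "event_sub_type": "FILE_CREATE_NEW",
     "action_file_path": "C:\\Users\\bob\\x.txt", "actor_effective_username": "bob",
     "action_file_device_info": json.dumps({
         "storage_device_drive_type": 3, "storage_device_filesystem": "NTFS",
         "storage_device_mount_point": "C:", "storage_device_serial_number": "23456"})},
]


def _key(path):
    """Only the '$.key' paths used in the query are supported."""
    if not path.startswith("$."):
        raise ValueError("only '$.key' paths are supported")
    return path[2:]


def json_extract(payload, path):
    """Analogue of XQL json_extract: the matched node as JSON text, so the
    number 2 becomes the text "2" (which is why the query compares to "2")."""
    node = json.loads(payload).get(_key(path))
    return None if node is None else json.dumps(node)


def json_extract_scalar(payload, path):
    """Analogue of XQL json_extract_scalar: the leaf value as a plain string."""
    node = json.loads(payload).get(_key(path))
    if node is None or isinstance(node, (dict, list)):
        return None
    return str(node)


def render_param(raw):
    """Assumed rendering rule for a query-window parameter, inferred from the
    thread: all-digit input becomes a bare numeric literal, else a string."""
    return int(raw) if raw.isdigit() else raw


def to_string(value):
    """Analogue of XQL to_string()."""
    return str(value)


def contains(field, needle):
    """XQL 'contains' on a string field. A numeric needle is a type error,
    which is the 'does not execute' symptom the thread reports."""
    if not isinstance(needle, str):
        raise TypeError(f"contains: string field compared with {type(needle).__name__} literal")
    return field is not None and needle in field


def usb_file_creates(events, serial_param, coerce=True):
    """Mirror of the thread's query: file-create events on removable drives
    whose serial contains the parameter. coerce=True is the to_string() fix."""
    needle = render_param(serial_param)
    if coerce:
        needle = to_string(needle)
    rows = []
    for ev in events:
        if ev["event_type"] != "FILE" or ev["event_sub_type"] != "FILE_CREATE_NEW":
            continue
        info = ev["action_file_device_info"]
        if json_extract(info, "$.storage_device_drive_type") != "2":
            continue
        serial = json_extract_scalar(info, "$.storage_device_serial_number")
        if not contains(serial, needle):
            continue
        rows.append({
            "File_Path": ev["action_file_path"],
            "Username": ev["actor_effective_username"],
            "Filesystem": json_extract_scalar(info, "$.storage_device_filesystem"),
            "Drive_Letter": json_extract_scalar(info, "$.storage_device_mount_point"),
            "Device_Serial_Number": serial,
        })
    return rows


def breaks_without_to_string(serial_param):
    """True when the uncoerced parameter makes the query fail to execute."""
    try:
        usb_file_creates(EVENTS, serial_param, coerce=False)
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    for param in ("23456", "234S6"):
        print(param, "fails without to_string:", breaks_without_to_string(param))
        print(param, "with to_string:", usb_file_creates(EVENTS, param))
```

Run as a script, it shows that "23456" only fails when the parameter is left uncoerced, while "234S6" works either way, which is exactly the asymmetry reported in the update above. The same coercion is worth applying to any library query whose parameter is matched against a string field extracted from JSON, since serial numbers, asset tags and similar identifiers are often all digits.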

 

  • 1 accepted solution
  • 495 Views
  • 2 replies
  • 0 Likes