02-13-2023 11:13 AM - edited 02-13-2023 11:20 AM
In the Cortex XDR console I am trying to setup a new Endpoint Group using the AWS 'Cloud Info' values as the filter. That info is presented as JSON with various nested values and it looks straight-forward to use, i.e., I can specify the "Cloud Info" field, then provide a key:value pair. But it only works for 'top-level' key:value pairs, e.g. "cloud_provider:AWS". If I try to specify something more granular, it's not found.
The primary example is the VPC ID, i.e., to identify the agents in each AWS network. That key:value is nested, e.g.
"cloud_provider": "AWS",
"network": {
    "interfaces": {
        "macs": {
            "06:d4:90:12:34:56": {
                "mac": "06:d4:90:12:34:56",
                "vpc-id": "vpc-abc12345",
Simply entering, "vpc-id:vpc-abc12345", doesn't work. So I assume I need to specify the full-path somehow? Or, maybe it's simply not supported?
P.S. I've tried various uses of 'contains' instead of the default "=", as well as wildcards in both the 'key' and the 'value', to no avail ...
02-13-2023 01:14 PM
Hi @Tony2Tovar,
You can specify nested keys in the filter using dot notation directly in the 'key' field.
In your case, you could enter network.interfaces.macs.06:d4:90:12:34:56.vpc-id as your key, and vpc-abc12345 as your value.
Here is an example of a group I created using similar logic for endpoints within a specific Azure resource group:
I hope that helps.
Regards,
Tim
02-13-2023 01:49 PM - edited 02-13-2023 02:25 PM
Thank you! That worked. Actually, I also had to include "raw." at the very beginning. That was always part of the full JSON path but for some reason I didn't need to include it when specifying one of the 'top' key:value pairs. (edit: Ha! I just spotted "raw" in your screenshot example, too. So you already knew about that...)
Unfortunately, now I have a follow-up issue: It's not accepting a wildcard for the MAC Address. Since every VM has a unique MAC I either need the use of wildcard or I would have to hard-code all the MACs (defeating the purpose of a Dynamic Group). For instance, it works if I specify the full MAC but it does not work for:
key = raw.network.interfaces.macs.*.vpc-id
It appears that the wildcard is only usable in the 'value' field?
I also double-checked and the VPC ID is only specified under that MAC-specific path.
02-13-2023 03:01 PM
You're correct that wildcards don't appear to be supported within keys. Unfortunately, your specific use case might not be possible to accomplish using a dynamic endpoint group in the way you envisioned since the MAC addresses are going to vary.
Not a perfect solution by any means - but alternatively, you might instead opt to make the endpoint group dynamic based on a tag that you apply to these endpoints with the matching VPC ID. You could identify the endpoints easily via XQL:
dataset = endpoints
| filter cloud_info contains "vpc-abc12345"
| fields endpoint_name
Then after you have applied tags to the appropriate endpoints, you could occasionally run another query (or schedule it to run automatically) to identify any endpoints with the VPC ID that don't have the tag (if anything is returned, you know to assign the tag to those endpoints):
dataset = endpoints
| filter cloud_info contains "vpc-abc12345"
| filter tags not contains "vpc-abc12345"
| fields endpoint_name
Just an idea, this wouldn't be completely automated but would at least reduce some of the manual effort in maintaining the group.
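To make the two gaps in this thread concrete (the UI only resolves a dot-path with a literal MAC key, and the tag workaround depends on a substring match over the whole cloud_info blob), here is an added Python example, not Cortex XDR code or anything from Palo Alto. It resolves the same "raw.network.interfaces.macs.*.vpc-id" path with a wildcard segment over constructed cloud_info documents shaped like the one quoted above, and reproduces the "in VPC but missing the tag" check as an exact value comparison. The endpoint names, the second and third MAC addresses and the "vpc-zzz99999" ID are constructed sample data.

```python
import json

# Constructed sample cloud_info documents in the shape quoted in the thread
# (other fields trimmed; the "raw." prefix mirrors the key path that worked in the UI).
ENDPOINTS = {
    "web-01": json.dumps({"raw": {"cloud_provider": "AWS", "network": {"interfaces": {"macs": {
        "06:d4:90:12:34:56": {"mac": "06:d4:90:12:34:56", "vpc-id": "vpc-abc12345"}}}}}}),
    "web-02": json.dumps({"raw": {"cloud_provider": "AWS", "network": {"interfaces": {"macs": {
        "06:d4:90:ab:cd:ef": {"mac": "06:d4:90:ab:cd:ef", "vpc-id": "vpc-abc12345"}}}}}}),
    "db-01": json.dumps({"raw": {"cloud_provider": "AWS", "network": {"interfaces": {"macs": {
        "06:d4:90:00:00:01": {"mac": "06:d4:90:00:00:01", "vpc-id": "vpc-zzz99999"}}}}}}),
    "onprem-01": json.dumps({"raw": {"cloud_provider": "none"}}),
}


def resolve(doc, path):
    """Return every value reachable via a dot-separated key path.

    A '*' segment matches any key at that level, which is exactly what the
    endpoint-group filter lacks. MAC keys contain colons, not dots, so splitting
    on '.' is safe here; a key containing '.' would need an escape scheme.
    """
    nodes = [doc]
    for seg in path.split("."):
        nxt = []
        for n in nodes:
            if not isinstance(n, dict):
                continue          # leaf reached early: path does not apply
            if seg == "*":
                nxt.extend(n.values())
            elif seg in n:
                nxt.append(n[seg])
        nodes = nxt
    return nodes


def endpoints_in_vpc(endpoints, vpc_id, path="raw.network.interfaces.macs.*.vpc-id"):
    """Names of endpoints whose cloud_info carries vpc_id under any MAC (exact match)."""
    return sorted(name for name, raw in endpoints.items()
                  if vpc_id in resolve(json.loads(raw), path))


def missing_tag(endpoints, tags, vpc_id):
    """Endpoints in the VPC that do not yet carry the tag (the thread's second query)."""
    return [n for n in endpoints_in_vpc(endpoints, vpc_id) if vpc_id not in tags.get(n, ())]


if __name__ == "__main__":
    tags = {"web-01": {"vpc-abc12345"}}            # constructed: only web-01 tagged so far
    print(endpoints_in_vpc(ENDPOINTS, "vpc-abc12345"))   # ['web-01', 'web-02']
    print(missing_tag(ENDPOINTS, tags, "vpc-abc12345"))  # ['web-02']
```

Comparing the resolved value rather than using `contains` on the whole JSON also avoids a longer ID such as vpc-abc123456 matching a filter for vpc-abc12345, which matters because AWS issues VPC IDs of different lengths.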