If you need examples of useful XQL queries, you can click on Query Builder and then on XQL Search, which opens an IDE for XQL. At the bottom you will have 4 tabs; select Query Library and take a look at the XQL query examples. Let's say in your built-in XQL library there is a query for "Rundll32 running HTML application via script".
Query from XQL Library:
preset = xdr_process // Using the XDR process execution preset
| filter lowercase(action_process_image_name) = "rundll32.exe" and lowercase(action_process_image_command_line) ~= ".*script.*?mshtml.dll\,runhtmlapplication.*" // Filtering for cases where rundll32 is being called to load an HTML application
| fields action_process_image_command_line as cmd, actor_process_image_path as parent_path, actor_process_command_line as parent_cmd, causality_actor_process_image_path as cgo, causality_actor_process_command_line as cgo_cmd // Selecting the relevant fields
Description (according to me):
This query is useful for monitoring html/hta file execution via rundll32.exe. Generally mshta.exe is used for execution of malicious html/hta files, but rundll32.exe can also be used, hence the hunt query.
It searches for any process that executed with an image name of rundll32.exe where the command line of the process matches a regex pattern that could match a command line such as below:
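To see what the library query's filter actually matches, here is the same logic (lowercase both fields, then apply the query's regex) run over a few constructed process events in Python. This is an added example, not code from the page or from Palo Alto Networks; the event dictionaries, parent paths and command lines are constructed test data, and the field names are taken from the xdr_process preset used above.

```python
import re

# The regex from the library query, applied after lowercasing (XQL's lowercase() + ~=).
# "\," is just a literal comma. Note the "." in "mshtml.dll" is an unescaped metacharacter,
# so it matches any single character, which is harmless here but worth knowing.
RUNDLL32_HTA_PATTERN = re.compile(r".*script.*?mshtml.dll\,runhtmlapplication.*")

# Constructed sample events (field names follow the xdr_process preset).
SAMPLE_EVENTS = [
    {   # rundll32 launching an HTML application via the mshtml.dll export: should match
        "action_process_image_name": "rundll32.exe",
        "action_process_image_command_line":
            'rundll32.exe javascript:"\\..\\mshtml.dll,RunHTMLApplication ";<constructed-placeholder>',
        "actor_process_image_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "actor_process_command_line": '"WINWORD.EXE" /n "C:\\Users\\Public\\constructed.docx"',
        "causality_actor_process_image_path": "C:\\Windows\\explorer.exe",
        "causality_actor_process_command_line": "C:\\Windows\\explorer.exe",
    },
    {   # benign rundll32 use (Control Panel applet): no "script", should not match
        "action_process_image_name": "rundll32.exe",
        "action_process_image_command_line": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
        "actor_process_image_path": "C:\\Windows\\explorer.exe",
        "actor_process_command_line": "C:\\Windows\\explorer.exe",
        "causality_actor_process_image_path": "C:\\Windows\\explorer.exe",
        "causality_actor_process_command_line": "C:\\Windows\\explorer.exe",
    },
    {   # mshta.exe running an .hta: the query is rundll32-only, so this is NOT covered
        "action_process_image_name": "mshta.exe",
        "action_process_image_command_line": "mshta.exe C:\\Users\\Public\\constructed.hta",
        "actor_process_image_path": "C:\\Windows\\System32\\cmd.exe",
        "actor_process_command_line": "cmd.exe /c start constructed.hta",
        "causality_actor_process_image_path": "C:\\Windows\\explorer.exe",
        "causality_actor_process_command_line": "C:\\Windows\\explorer.exe",
    },
    {   # same technique with mixed case: lowercasing makes it match
        "action_process_image_name": "RUNDLL32.EXE",
        "action_process_image_command_line":
            'RUNDLL32.EXE JavaScript:"\\..\\MSHTML.DLL,RunHTMLApplication ";<constructed-placeholder>',
        "actor_process_image_path": "C:\\Windows\\System32\\cmd.exe",
        "actor_process_command_line": "cmd.exe /c <constructed-placeholder>",
        "causality_actor_process_image_path": "C:\\Windows\\System32\\cmd.exe",
        "causality_actor_process_command_line": "cmd.exe",
    },
]


def matches_rundll32_hta(event):
    """The query's filter stage: image name is rundll32.exe and the command line matches."""
    image = event.get("action_process_image_name", "").lower()
    cmd = event.get("action_process_image_command_line", "").lower()
    return image == "rundll32.exe" and RUNDLL32_HTA_PATTERN.search(cmd) is not None


def hunt(events):
    """The query's fields stage: project matching events onto the aliased columns."""
    hits = []
    for e in events:
        if matches_rundll32_hta(e):
            hits.append({
                "cmd": e["action_process_image_command_line"],
                "parent_path": e.get("actor_process_image_path"),
                "parent_cmd": e.get("actor_process_command_line"),
                "cgo": e.get("causality_actor_process_image_path"),
                "cgo_cmd": e.get("causality_actor_process_command_line"),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The third sample is the caveat: an .hta launched through mshta.exe is invisible to this query because the first condition pins the image name to rundll32.exe, so a separate hunt is needed for the mshta.exe case the description mentions.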
This query searches for endpoints affected by CVE-2022-0025 and CVE-2022-0026:
dataset = endpoints
| fields endpoint_name, endpoint_type, ip_address, endpoint_status, last_seen, agent_version, content_version, last_content_update_time
| alter content_version = to_integer(replace(content_version, "-", ""))
| filter content_version < 33000000 or (agent_version ~= "7.7.0" and content_version < 50000000)
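The alter/filter pair above is easy to misread, so here is the same version check written out in Python over a handful of constructed endpoint records. This is an added example, not code from the page or from Palo Alto Networks. It assumes content_version strings of the form "NNN-NNNNN" (so that stripping the dash yields the 8-digit integers the thresholds are compared against) and agent_version strings like "7.7.0.12345"; both formats are assumptions made for the example.

```python
import re

# Same unescaped pattern as the query's ~= "7.7.0": the dots match any character and
# there are no anchors, so this is effectively a substring test on the agent version.
AGENT_7_7_0 = re.compile("7.7.0")


def normalize_content_version(content_version):
    """Mirror of to_integer(replace(content_version, "-", "")): "320-98765" -> 32098765.
    Returns None where XQL's to_integer would yield null (empty or non-numeric input)."""
    try:
        return int(content_version.replace("-", ""))
    except (AttributeError, ValueError):
        return None


def is_outdated(agent_version, content_version):
    """The query's filter: content older than 330-00000, or a 7.7.0 agent with content older than 500-00000."""
    cv = normalize_content_version(content_version)
    if cv is None:
        return False  # null never satisfies a comparison, so the row is dropped, as in XQL
    return cv < 33000000 or (AGENT_7_7_0.search(agent_version) is not None and cv < 50000000)


def find_outdated(endpoints):
    """Return the names of endpoints the query would surface."""
    return [e["endpoint_name"] for e in endpoints
            if is_outdated(e["agent_version"], e["content_version"])]


# Constructed sample rows from a hypothetical endpoints dataset.
SAMPLE_ENDPOINTS = [
    {"endpoint_name": "ep-a", "agent_version": "7.5.1.56789", "content_version": "320-98765"},  # old content
    {"endpoint_name": "ep-b", "agent_version": "7.6.2.12345", "content_version": "340-10000"},  # fine
    {"endpoint_name": "ep-c", "agent_version": "7.7.0.45678", "content_version": "340-10000"},  # 7.7.0 needs newer
    {"endpoint_name": "ep-d", "agent_version": "7.7.0.45678", "content_version": "510-10000"},  # fine
    {"endpoint_name": "ep-e", "agent_version": "7.8.0.11111", "content_version": ""},           # null, dropped
]

if __name__ == "__main__":
    print(find_outdated(SAMPLE_ENDPOINTS))
```

The last row is the edge case to keep in mind when reading the query's results: an endpoint whose content_version does not parse is silently dropped rather than flagged, so a missing value should be checked separately rather than taken as "up to date".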
Below is the query for scan errors on all endpoints:
dataset = endpoints
| fields endpoint_name as hostname, endpoint_status, last_seen, install_date as Installationdate, agent_version, scan_status, agent_license_type, installation_type, ip_address, last_successful_scan as LastScan
| filter endpoint_status = ENUM.CONNECTED or endpoint_status = ENUM.DISCONNECTED
| filter scan_status = ENUM.ABORTED or scan_status = ENUM.CANCELED or scan_status = ENUM.SCAN_ERROR
| sort desc last_seen