06-10-2025 12:30 PM
We are doing a pretty rushed XDR rollout, and I need to be able to scope my policies fairly specifically. First idea is to use the 4th character of the endpoint_name (hostname) which is P for Prod, T for Test. But I cannot see a way to use the Endpt Grp filters "wildcard" syntax to do this. I have found some community posts and docs referencing XDR's ability to use regex or regex-ish functionality but I have not got that to work in that filter field.
The other idea which might work is to use an XQL query to get a list, and then *perhaps* use that list to add tags, since tags are available as a way to filter Endpoint Groups. Right now I can spell XQL if you spot me a couple letters, so that seems like a longer path. And one thing I'm short of is 'long'.
Any suggestions and help are appreciated!
06-11-2025 04:01 AM
Hi ptrivino1,
There is currently no native way to match a character at a specific position (e.g., the 4th character) in endpoint_name using just the endpoints dataset filter, considering the only operators available are contains, not contains, =, !=.
You need to export the complete list of endpoints and use a filter in an Excel sheet.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
Luis
06-11-2025 08:14 AM
Hi @ptrivino1,
Here is a simple query to extract the fourth character while ignoring dashes if found; I also added another field, "Group Status", for more convenient classification.
dataset = xdr_data
| filter agent_hostname != null
| fields agent_hostname
| dedup agent_hostname // one row per host instead of one per event
// skip any non-letters, consume three letters, skip non-letters again, capture the fourth letter
| alter fourth_letter_array = regextract(agent_hostname, "(?i)(?:[^A-Za-z]*[A-Za-z]){3}[^A-Za-z]*([A-Za-z])")
// uppercase so "p" and "P" both fall into Prod; null when the host has fewer than four letters
| alter fourth_letter = uppercase(arrayindex(fourth_letter_array, 0))
| alter Group_Status =
    if(fourth_letter = "P", "Prod",
       fourth_letter = "T", "Test", // add more
       fourth_letter) // return as is if no match
| fields agent_hostname, Group_Status
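To sanity-check the pattern and the classification before tags, Endpoint Groups or policies are built on top of it, here is an added Python example (not part of the reply above) that applies the same regex to constructed sample hostnames and lists the hosts the naming convention does not cover. The sample hostnames and any letter beyond P and T are assumptions.

```python
import re

# Same pattern as the regextract() call in the XQL above: skip non-letters,
# consume three letters, skip non-letters, capture the fourth letter.
FOURTH_LETTER_RE = re.compile(r"(?i)(?:[^A-Za-z]*[A-Za-z]){3}[^A-Za-z]*([A-Za-z])")

# Hypothetical mapping: the thread only defines P and T; extend as needed.
GROUP_BY_LETTER = {"P": "Prod", "T": "Test"}

# Constructed sample hostnames, not real endpoints.
SAMPLE_HOSTS = ["NYCPWEB01", "NYC-PWEB02", "lon-tapp02", "SFODDB03", "PC1"]


def fourth_letter(hostname):
    """4th alphabetic character of hostname, uppercased; None if fewer than 4 letters."""
    m = FOURTH_LETTER_RE.search(hostname)
    return m.group(1).upper() if m else None


def group_status(hostname):
    """Mirror the XQL if(): Prod/Test for P/T, the bare letter if unmapped, None if no letter."""
    letter = fourth_letter(hostname)
    if letter is None:
        return None
    return GROUP_BY_LETTER.get(letter, letter)


def classify(hostnames):
    """Map every hostname to its group (or None)."""
    return {h: group_status(h) for h in hostnames}


def needs_review(hostnames):
    """Hosts the convention does not classify: too few letters or an unmapped letter.
    An Endpoint Group built only from Prod/Test tags would silently leave these out."""
    return [h for h, g in classify(hostnames).items() if g not in GROUP_BY_LETTER.values()]


if __name__ == "__main__":
    for host, group in classify(SAMPLE_HOSTS).items():
        print(f"{host:<12} {group}")
    print("needs review:", needs_review(SAMPLE_HOSTS))
```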
06-11-2025 08:57 AM
Also, you might want to consider leveraging API capabilities, depending on how critical grouping is for your organization:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM-REST-API/Make-your-first-API-call
06-12-2025 08:04 PM
Thank you, that's what I ended up doing.