Virtual functions/Variables - Creating anomaly based detection rules - XQL


Hello Everyone,

 

Cortex XDR has functionality that allows you to use XQL queries to create lookups or datasets.

The problem is that these are static and cannot be dynamically updated for detection rules.

The use case I had in mind is that I have two XQL queries: the first one looks at events occurring from 30 days ago to 1 day ago.

The second query looks for events happening in the current day that have not been seen in the first query, which covers the last 29 days.

What would be the best way to achieve this goal?

 


Hello,

Right, so I had an idea:

 

config timeframe between "30d" and "1d"
| dataset = xdr_data
| filter event_type = ENUM.SYSTEM_CALL
| comp values(actor_process_image_name) as Base
| join type = inner (
    config timeframe between "1d" and "now"
    | dataset = xdr_data
    | filter event_type = ENUM.SYSTEM_CALL
  ) as rare rare.actor_process_image_name not in (Base)

This should create an array of strings of the original actor processes, check the new data against it, and show what is not in the original.

 

The issue I am facing with this is that, for some reason, the in() operator does not take string arrays, which is super weird.

 

Do you know how I can match against an array using in()?

 

The query language has so many restrictions 😞
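The two-window logic both posts describe (a baseline of process image names from the 30d..1d window, then everything in the last day that is absent from it), written out in plain Python as an added example. This is not XQL and not code shipped with Cortex XDR; it is here so the detection logic can be run and checked offline. The events are constructed for the demo, the field names mirror the xdr_data columns named in the posts (event_type, actor_process_image_name), the fixed NOW and UTC timestamps are assumptions, and lower-casing the image name is a choice made for the example rather than something the thread's query does.

```python
"""Two-window "first seen" process detection, as plain Python.

Added example for this thread; it is not XQL and not code shipped with
Cortex XDR. It reproduces the logic of the posted query offline:
  baseline = process image names seen in the window [now-30d, now-1d)
  hits     = names seen in [now-1d, now] that are NOT in the baseline
All events below are constructed for the demo; the field names mirror the
xdr_data columns named in the posts (event_type, actor_process_image_name).
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is reproducible (assumption: UTC timestamps).
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)


def _ev(delta, name, event_type="SYSTEM_CALL"):
    """Build one constructed event `delta` before NOW."""
    return {"_time": NOW - delta, "event_type": event_type,
            "actor_process_image_name": name}


# Constructed sample telemetry (not real data). The comment on each record
# states the role it plays in the example.
SAMPLE_EVENTS = [
    _ev(timedelta(days=20), "explorer.exe"),        # baseline
    _ev(timedelta(days=15), "svchost.exe"),         # baseline
    _ev(timedelta(days=2), "SVCHOST.EXE"),          # baseline, different case
    _ev(timedelta(days=40), "oldtool.exe"),         # older than the 30d window
    _ev(timedelta(hours=5), "svchost.exe"),         # today, known -> no hit
    _ev(timedelta(hours=3), "mimikatz.exe"),        # today, never seen -> hit
    _ev(timedelta(hours=1), "oldtool.exe"),         # today, seen only >30d ago -> hit
    _ev(timedelta(hours=2), "nc.exe", "FILE"),      # wrong event_type -> filtered out
]


def normalize(name):
    """Windows image names are case-insensitive, so compare lower-cased.
    This is a choice made for the example; the XQL in the thread compares
    the raw column value."""
    return name.lower()


def _in_window(ts, start, end):
    # Half-open interval so the two windows do not overlap at the 1d boundary.
    return start <= ts < end


def baseline_names(events, now=NOW, event_type="SYSTEM_CALL",
                   older_days=30, newer_days=1):
    """Analogue of `comp values(actor_process_image_name)` over 30d..1d."""
    start = now - timedelta(days=older_days)
    end = now - timedelta(days=newer_days)
    return {normalize(e["actor_process_image_name"]) for e in events
            if e["event_type"] == event_type
            and _in_window(e["_time"], start, end)}


def first_seen(events, now=NOW, event_type="SYSTEM_CALL",
               older_days=30, newer_days=1):
    """Return {name: first timestamp in the recent window} for names that do
    not appear in the baseline. This is the `not in (Base)` step, done with a
    set instead of the in() operator the reply could not get to work."""
    base = baseline_names(events, now, event_type, older_days, newer_days)
    start = now - timedelta(days=newer_days)
    hits = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["event_type"] != event_type:
            continue
        if not _in_window(e["_time"], start, now + timedelta(seconds=1)):
            continue
        name = normalize(e["actor_process_image_name"])
        if name not in base and name not in hits:
            hits[name] = e["_time"]
    return hits


def first_seen_report(events=SAMPLE_EVENTS, now=NOW):
    """Sorted (name, hours_ago) pairs, convenient for printing or asserting."""
    hits = first_seen(events, now)
    return sorted((name, int((now - ts).total_seconds() // 3600))
                  for name, ts in hits.items())


if __name__ == "__main__":
    for name, hours_ago in first_seen_report():
        print(f"first seen {hours_ago}h ago: {name}")
```

Running it flags mimikatz.exe and oldtool.exe. The second hit is the caveat worth keeping in mind when turning this into a rule: a baseline window of 30 days means anything merely not executed for a month comes back as "new", so the baseline length, not the matching operator, decides the false-positive rate of this style of detection.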
