10-01-2022 02:58 PM
Hello dear community!
is there a way to merge the german and english variants in XQL? The action_evtlog_message is sometimes german and more often english. But how do I get the results from both in one
//Account Locked https://github.com/busterix76/Cortex_XDR_XQL_Queries/commit/8a2eee205cb16c1d36599cbdedd8808301652cfa
preset = xdr_event_log
| filter action_evtlog_event_id = 4740
|alter Domain_Name_GER =arrayindex(regextract(action_evtlog_message ,"Kontodomäne:.*?(\w.*)\r\n"),0)
|alter Domain_Name_ENG =arrayindex(regextract(action_evtlog_message ,"Account Domain:.*?(\w.*)\r\n"),0)
| alter Locked_Account_ENG =arrayindex(regextract(action_evtlog_message, "Account That Was Locked Out:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n"),0)
| alter Locked_Account_GER =arrayindex(regextract(action_evtlog_message, "Gesperrtes Konto:\r\n.*\r\n.*Kontoname:.*?(\w.*)\r\n"),0)
| fields action_evtlog_description,action_evtlog_message ,agent_hostname,agent_ip_addresses , Domain_Name_ENG,Domain_Name_GER, Locked_Account_GER,Locked_Account_ENG
BR
Rob
10-02-2022 11:24 PM
Hello Rob
We had the same issue. Usually we use coalesce to merge German and English into one field.
Based on your query you could do the following:
|alter Domain_Name = coalesce (Domain_Name_GER, Domain_Name_ENG)
Coalesce takes the first value which is not NULL. But usually only GER or ENG has a value and not both.
Hope this helps. If you find a better solution I'm interested how you solved it.
Michael
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
