09-16-2022 08:30 AM
Hi,
I am creating a custom query where I will need to re-use certain fields.
Ex.: I want to search for:
-action_local_ip and action_remote_ip
-action_file_sha256 and action_module_sha256
-dst_agent_hostname, dst_action_external_hostname and http_server
I think I already saw a way to do this using a user-defined variable, but I cannot find the information on how to do this.
Something like:
dataset = xdr_data
$QueryIP="192.168.1.1"
|filter action_local_ip = $QueryIP or action_remote_ip = $QueryIP
Can someone help? Is that even possible?
Also, taking this question to the next level: Can my variable be an array?!
$QueryIP="192.168.1.1", "192.168.1.2", "192.168.1.3"
|filter action_local_ip in ($QueryIP) or action_remote_ip in ($QueryIP)
Thanks,
Alex.
09-16-2022 01:05 PM
Hi @Alexandre_Jodoin ,
Thank you for writing to live community!
There are some XQL structures and language functions for array which can be used to input, count, compare etc different array fields within the query. Arrayexpand and array_field is one of them. You might want to explore the functions for the same. Please follow the XQL language reference guide and you should be able to find the syntax for the same.
Hope that answers your question.
09-16-2022 01:16 PM
Hi Neelrohit,
Let me explain what is my use case here. I am working with huge list of IOCs and I am trying to create a clean query.
So instead of this:
|filter action_local_ip in ("192.168.1.1", "192.168.1.2", "192.168.1.3") or action_remote_ip in ("192.168.1.1", "192.168.1.2", "192.168.1.3") ect...
I would like to define my array once, and then use it in my filter on various field names.
Best example would be a broad sweep for a list of sha256 hashes, containing 1000s of entry. It could be for file written on disk, file executed, file called as a child process, ect... I would like to do that on every *_sha256 field names without having to list the 1000s IOCs for each field names used in the query.
Let me know if this is not clear, I am not quite sure how to formulate...
09-17-2022 01:00 AM
Hey Alexandre!
So the XQL query would hold the IOC entries in an array?
Isn't that a little bit confusing?
So if your plan is really to compare your data with an IOC list, I would check if the lookups are not the better option to get a better overview.
Here is an example of a join from data:
It helped me a lot with translation from IDs to text.
BR
Rob
09-19-2022 06:00 AM
Hi Rob,
Thanks for the suggestion. I do use join in various queries I have, and it has been proven useful in various scenarios.
But not for this issue.
Let me explain a bit more. I do get 1000s of IOCs on a weekly basis, in batch, once per week.
I do have a crude script that takes the list and generate a query based on a template I made.
But yeah, to build the query I need to "repeat" the values in various fields.
A rough example would be:
|dataset = xdr_data
|filter
action_file_sha256 in (
"SHA256"
)
or
(
actor_remote_host in(
"DOMAIN"
)
or
action_local_ip in(
"Local IP"
)
or
action_remote_ip in(
"Remote IP"
)
)
My scripts takes the IOC list, and files the various fields,"SHA256","DOMAIN","Local IP" and "Remote IP".
So in this example "Local IP" and "Remote IP" would contains the same array.
Now let's pretend that I want to expand from this and looks at SHA256 values for more than just "action_file_sha256"...
Since the IOC list I am working with is dynamic in nature and change every week, using a custom dataset and update/replace the values every weeks is a pain versus having my script doing all the leg works...
I figure it would be easier to define a custom field and refer to it in my query instead of repeating the same values over and over again...
If that is not possible then fine. But if it is it would make my life much easier... 🙂
Thanks,
Alex.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
