10-10-2024 03:05 AM
I'm trying to write a few XQL queries in Cortex XDR, but I’m quite new to it and running into some difficulties. I’d really appreciate any guidance or examples you can provide for any of the following queries:
Thank you very much for your help 🙂
10-10-2024 06:59 AM
Hi @Y.Kiroglu, thanks for reaching us using the Live Community.
Let me try to help you with your questions:
1 & 2 - You can see all those events in Settings - Agent Audit logs, and you can forward those events to get alerted. This is the document you should check.
3- These events are stored in Settings - Management Audit Logs, and you can forward the events in the same way as the Agent Audit logs. Check this doc.
4- Try this XQL query, it may not be complete but can help:
dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4672 // Filtering by Windows event log and ID 4672
| alter Security_ID = arrayindex(regextract(action_evtlog_message, "Security ID:.*?(\w.*?)\r\n"), 0),
    Account_Name = arrayindex(regextract(action_evtlog_message, "Account Name:.*?(\w.*?)\r\n"), 0),
    Domain = arrayindex(regextract(action_evtlog_message, "Account Domain:.*?(\w.*?)\r\n"), 0),
    Privileges = regextract(action_evtlog_message, "Se\w+Privilege") // Array with every privilege name listed in the message
| fields Security_ID, Account_Name, Domain, Privileges // Select all the fields to show them
I saw some other posts with these questions; I'll point them to this topic.
If this post answers your question, please mark it as the solution.
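The field extraction in the query above can be checked offline before it goes into XQL. The following is an added example, not part of the original reply: it runs equivalent regular expressions over constructed event 4672 messages. The helper names, SIDs and account names are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

def make_message(sid, name, domain, privileges):
    """Build a constructed message in the layout Windows uses for event 4672."""
    head = ("Special privileges assigned to new logon.\r\n\r\nSubject:\r\n"
            f"\tSecurity ID:\t\t{sid}\r\n\tAccount Name:\t\t{name}\r\n"
            f"\tAccount Domain:\t\t{domain}\r\n\tLogon ID:\t\t0x3E7\r\n\r\n")
    # The first privilege shares a line with the label, the rest follow on their own lines.
    return head + "Privileges:\t\t" + "\r\n\t\t\t".join(privileges) + "\r\n"

# Constructed sample events, not real telemetry.
SAMPLE_MESSAGES = [
    make_message("S-1-5-18", "SYSTEM", "NT AUTHORITY", ["SeTcbPrivilege", "SeDebugPrivilege"]),
    make_message("S-1-5-21-1-2-3-1105", "alice", "CORP", ["SeBackupPrivilege", "SeRestorePrivilege"]),
    make_message("S-1-5-21-1-2-3-1105", "alice", "CORP", ["SeDebugPrivilege"]),
]

# [ \t]* rather than \s* so an empty value does not swallow the next line.
FIELD_PATTERNS = {
    "Security_ID": re.compile(r"Security ID:[ \t]*(\S.*?)\r?\n"),
    "Account_Name": re.compile(r"Account Name:[ \t]*(\S.*?)\r?\n"),
    "Domain": re.compile(r"Account Domain:[ \t]*(\S.*?)\r?\n"),
}
PRIVILEGE_PATTERN = re.compile(r"\bSe\w+Privilege\b")

def parse_4672(message):
    """Return the subject fields and the full privilege list of one event."""
    record = {}
    for field, pattern in FIELD_PATTERNS.items():
        match = pattern.search(message)
        record[field] = match.group(1) if match else None
    # findall collects every privilege, including those on continuation lines.
    record["Privileges"] = PRIVILEGE_PATTERN.findall(message)
    return record

def privileges_by_account(messages):
    """Union of the privileges seen per DOMAIN\\account across all events."""
    seen = defaultdict(set)
    for message in messages:
        record = parse_4672(message)
        if record["Account_Name"] is None or record["Domain"] is None:
            continue  # skip messages that do not have the expected layout
        seen[record["Domain"] + "\\" + record["Account_Name"]].update(record["Privileges"])
    return {account: sorted(privs) for account, privs in seen.items()}

if __name__ == "__main__":
    for account, privs in privileges_by_account(SAMPLE_MESSAGES).items():
        print(account, privs)
```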