Heya,
Thanks for that! - I did look at the timestamp_diff reference page but could not understand it in the context of what I'm trying to do.
Your lines definitely return a valid query but don't actually seem to filter anything. I have the same number of results and the instance of what I wish to filter out is still there. For example in the screenshot below the first line is the PanGPS.exe process being stopped, and the second line is the OS being restarted. They appear within 2 minutes of each other so I wish to filter them out.
Here is the complete query I am using:
dataset = xdr_data
| filter (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and actor_process_image_name = "PanGPS.exe") or (action_evtlog_event_id = 1074 and action_evtlog_message contains "has initiated the restart of computer")
| alter CurrentTime = current_time()
| alter Timediff_M = timestamp_diff(CurrentTime , _time, "MINUTE")
| filter Timediff_M > 2
As current_time() is relative the number will always be greater than 2 so I thought about extracting the time based on day+hour+minute+second then converting that string to a number. This all works but I don't know where to go from there to filter it so that it looks at the value of ROW 1, compares it to the value of ROW 2 and filters both of them out if they are within x
dataset = xdr_data
| filter (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and actor_process_image_name = "PanGPS.exe") or (action_evtlog_event_id = 1074 and action_evtlog_message contains "has initiated the restart of computer")
| alter time_string = concat(to_string(extract_time(_time, "DAY")) + to_string(extract_time(_time, "HOUR")) + to_string(extract_time(_time, "MINUTE")) + to_string(extract_time(_time, "SECOND")))
| fields time_string
| alter time_num = to_number(time_string)
| fields time_num
One other thought I had was to use dedupe with the above (e.g. concat day+hour+minute and dedupe everything) this would create duplicate entries where they share the same minute (close enough to what I want) and remove all duplicates, but would still leave one entry which is not what we want. Maybe there is a way to filter out any records that have been de-duped? or use something with dedupe to remove all entries and not just all-1?
It also feels like I'm missing the logic to do this sensibly. XQL queries are a bit above my pay grade 😉
Interestingly this does partially work:
dataset = xdr_data
| filter (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and actor_process_image_name = "PanGPS.exe") or (action_evtlog_event_id = 1074 and action_evtlog_message contains "has initiated the restart of computer")
| alter time_string = concat(to_string(extract_time(_time, "DAY")) + to_string(extract_time(_time, "HOUR")) + to_string(extract_time(_time, "MINUTE"))) //+ to_string(extract_time(_time, "SECOND")))
//| fields time_string
| alter time_num = to_number(time_string)
//| fields time_num
| comp var(time_num) as testx by time_num
| filter testx != 0
It seems to give testx a value of 0 for all records where time_num is a duplicate so its easy to filter out.
Unfortunately the "comp" function also seems to strip out all other fields/columns except those called in the function itself so the result is accurate, but only shows the "testx" and "time_num" fields instead of all the other info like hostname/ip/user etc.
Maybe it is easier to work with this and somehow get the fields back instead of working on a different logic?
