This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

zarnous
L2 Linker

‎04-07-2023 07:38 AM

as long as this information was captured by the agent then yes for sure, you can start with something as simple as looking for a file name or a part of the file name/ extension:

For example, i am looking for file that have ".json" 
preset = xdr_file
| filter (action_file_name contains """.json""")

Then you can define the Event sub type you are looking for,  such as 
FILE_CREATE_NEW
FILE_REMOVE
FILE_RENAME

Or you can just leave it with no specific sub event type to see all actions taken on that specific file , like in the below screenshot that looks for all files with ".json" with no specific sub event type specified 


zarnous_0-1680877630787.png

 

Then lets say you want to filter on more actions / field, you can do that by simply filter on the field you would like to look for then you can easily export the grid filter up toe the XQ-Filed as seen below

zarnous_2-1680878290403.png


This way you can build your filters to apply to the use case you are looking for

Hope that helps! 

 

Z
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks