L5 Sessionator

Hi @JahidAliyev, thanks for reaching out to us using the Live Community.

You can try this XQL as an example, and start working from here:

// File-open events performed by browser processes
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN
// Chromium-based Microsoft Edge runs as msedge.exe
| filter actor_process_image_name in ("chrome.exe", "msedge.exe", "firefox.exe")
| fields agent_hostname, agent_ip_addresses, dst_action_external_hostname, action_file_name, action_file_path, action_file_size

If this post answers your question, please mark it as the solution.

JM