
Allow Free Form Queries for Cortex XDR #113

Merged (8 commits), Jul 11, 2023

Conversation

rc-csmith (Contributor)

Changes

  • Allow users to provide free-form queries (similar to DFE) where the only restriction is that the following fields are present in the output
    • agent_hostname
    • action_process_image_path
    • action_process_username
    • action_process_image_command_line
    • actor_process_image_path
    • actor_primary_username
    • actor_process_command_line
    • event_id
  • Create unit tests for Cortex XDR

Closes #111
Closes #112

To Do Items

  • Update documentation

@rc-csmith rc-csmith self-assigned this Jun 28, 2023
@rc-csmith rc-csmith marked this pull request as ready for review June 28, 2023 22:12
@TreWilkinsRC TreWilkinsRC (Contributor) left a comment

Looks like everything is functioning as expected. Highlighting a failure scenario in order to document a potential issue for users who might have set up automated surveys without including a dataset in their query. Approving, but perhaps notify users about this change to ensure they're informed? Apart from that, everything looks good.

Success

--query 'dataset=xdr_data | filter action_process_image_name contains "svchost.exe"'

Full query after processing = 'dataset=xdr_data | filter action_process_image_name contains "svchost.exe" | fields agent_hostname, action_process_image_path, action_process_username, action_process_image_command_line, actor_process_image_path, actor_primary_username, actor_process_command_line, event_id'

-->query: 10 results

Fail

--query '| filter action_process_image_name contains "svchost.exe"'

Full query after processing = ' | filter action_process_image_name contains "svchost.exe" | fields agent_hostname, action_process_image_path, action_process_username, action_process_image_command_line, actor_process_image_path, actor_primary_username, actor_process_command_line, event_id'

Caught HTTPError (see log for details): 500 Server Error: Internal Server Error for url: https://{environment}.xdr.us.paloaltonetworks.com/public_api/v1/xql/start_xql_query/

*All tests were configured to limit the number of results to a maximum of 10.
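The two test runs above show the whole transformation this PR makes: the caller's XQL text is kept verbatim and a `| fields ...` stage listing the eight required columns is appended, and a query that never names a dataset reaches the API as `' | filter ...'` and comes back as a 500. The example below is added here to illustrate that behaviour; it is not surveyor's code and is not taken from the PR. It reproduces the "Full query after processing" string from the review comment and moves the missing-dataset failure client-side so the user gets a clear error before any request is sent. The required-field list is the one in the PR description; accepting a `preset =` stage as an alternative opening stage is an assumption about XQL syntax, and the `MissingDataSourceError` name, the `build_xql_query` and `missing_fields` helpers, and the sample result row are all constructed for this example.

```python
import re

# The columns surveyor's Cortex XDR backend expects in every result row
# (list taken from the PR description above).
REQUIRED_FIELDS = (
    "agent_hostname",
    "action_process_image_path",
    "action_process_username",
    "action_process_image_command_line",
    "actor_process_image_path",
    "actor_primary_username",
    "actor_process_command_line",
    "event_id",
)

# Stages that may open an XQL query. `dataset=` is what the PR's examples use;
# accepting `preset =` as well is an assumption about XQL syntax, not something
# the PR shows.
_SOURCE_STAGE = re.compile(r"^\s*(dataset|preset)\s*=\s*\S+", re.IGNORECASE)


class MissingDataSourceError(ValueError):
    """Raised when a free-form query names no dataset to search (hypothetical name)."""


def build_xql_query(user_query: str, required_fields=REQUIRED_FIELDS) -> str:
    """Append the `fields` stage surveyor needs; refuse queries with no source stage.

    Mirrors the "Full query after processing" strings in the review comment: the
    caller's query is kept as typed and ` | fields <list>` is added to the end.
    """
    query = user_query.strip()
    if not query:
        raise MissingDataSourceError("empty query")
    if not _SOURCE_STAGE.match(query):
        # This is the reviewer's "Fail" case: the API would receive
        # ' | filter ...' with nothing to filter and answer with a 500.
        # Fail locally instead, with a message that says what is missing.
        raise MissingDataSourceError(
            "query must start with a dataset (or preset) stage, "
            "e.g. 'dataset=xdr_data | filter ...'"
        )
    return f"{query} | fields {', '.join(required_fields)}"


def missing_fields(result_row: dict, required_fields=REQUIRED_FIELDS) -> list:
    """Return the required columns absent from one result row.

    Useful as a post-check on API output, since a user's own `fields` or
    `alter` stages can still leave a required column empty or absent.
    """
    return [name for name in required_fields if name not in result_row]


if __name__ == "__main__":
    # Constructed inputs: the two queries from the review comment.
    ok = 'dataset=xdr_data | filter action_process_image_name contains "svchost.exe"'
    bad = '| filter action_process_image_name contains "svchost.exe"'

    print("Full query after processing =", repr(build_xql_query(ok)))
    try:
        build_xql_query(bad)
    except MissingDataSourceError as exc:
        print("rejected before sending:", exc)

    # Constructed result row with only two of the eight required columns.
    sample_row = {"agent_hostname": "WS-0042", "event_id": "1"}
    print("missing from row:", missing_fields(sample_row))
```

The regex only guards the opening stage; it deliberately does not try to parse the rest of the pipeline, so any syntax error later in the query still surfaces as the API's own error, as it did before this change.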

@rc-csmith (Contributor, Author)

Sounds good! I'll update the versioning and put out a new release summarizing the recent changes here. I'll also make sure the corresponding wiki is accurate.

@rc-csmith rc-csmith merged commit 812314d into redcanaryco:master Jul 11, 2023
@rc-csmith rc-csmith deleted the 111_cortex_updates branch July 11, 2023 13:42
Linked issues closed by this pull request: [FR] Unit Tests for Cortex XDR; [FR] Cortex Free-Form Query