topic Re: Use Cortex XDR to find host with ports 80,443 open in Cortex XDR Discussions

Use Cortex XDR to find host with ports 80,443 open

JonathanYang_RX — Sun, 12 Dec 2021 22:10:28 GMT

Hello -

I'm totally new to Cortex XDR and its XQL - though I need to find machines in our environment that have ports 80/433 open. Is this possible via XQL?

I started with these lines to see which column/s I could use for what I want to accomplish and I think it did not have it:

dataset = xdr_data | limit 10

Please help! Thank you

Re: Use Cortex XDR to find host with ports 80,443 open

bbarmanroy — Mon, 13 Dec 2021 10:21:13 GMT

Hi @JonathanYang_RX the data is not available, IIRC.
If your intention is to leverage XDR, you can write a Python script and execute it via Action Center, and parse the data for your needs.

Re: Use Cortex XDR to find host with ports 80,443 open

etugriceri — Mon, 13 Dec 2021 15:34:30 GMT

Dear Jonathon,

You cannot query active network state of hosts. Best way is doing this, as @bbarmanroy mentioned, Action Center.
You can write python script or you can execute command (netstat, ss etc) for the check current state of ports.

with XQL, you can only query historical data. that might be either process data or firewall data.

for process, you can use

dataset = xdr_data | field action_local_port = "80" or field action_local_port = "443"

for windows firewall, (if enabled)

dataset = host_firewall_events
| filter local_port = 443 or local_port = 80

in case of a made a connection towards to ports, you should have telemetry data.

Re: Use Cortex XDR to find host with ports 80,443 open

eluis — Mon, 13 Dec 2021 22:09:35 GMT

Dears,

contributing with my 5 cents.

for the command to run

nmap -p 80,443 192.168.1.0/24

or also

nmap -p 80,443 192.168.1.*

Will scan your 80,443 ports on the whole 192.168.1.X network with /24 network mask, you will be able to see which ones are open from the output of that command and if on top of that you can see the traffic on the defender fw as @etugriceri shown on his XQL query, you could check also which ones had traffic (even due to your nmap) on the mentioned ports.

Take into account that with this commands you will see if the ports are open (not if there was traffic previous to the nmap command)

KR,

Luis

Re: Use Cortex XDR to find host with ports 80,443 open

JonathanYang_RX — Thu, 23 Dec 2021 10:50:43 GMT

Hello -

Apologies for late response. Once the script runs, will the result be available in xdr_data dataset or it will be locally available on each target machine?

Re: Use Cortex XDR to find host with ports 80,443 open

JonathanYang_RX — Thu, 23 Dec 2021 10:53:03 GMT

Hello Emre -

Thank you for these suggestions, though I could not see action_local_port = "80" or field action_local_port = "443".

Tried using Firewall data and I think it's easier, though unfortunately we haven't deployed/enabled the firewall feature across our estate.

Re: Use Cortex XDR to find host with ports 80,443 open

etugriceri — Fri, 24 Dec 2021 14:04:23 GMT

Dear Jonathan,

Scripts which is located in Action Center is not updating xdr_data. You can only search data from that dataset, if an application establish TCP connection via that ports. (not listen).

Thats why you can use execute_command script with "netstat -a"

or you can develop your own python script for getting that information from remote systems.