topic Query Network in Cortex XDR Discussions

Query Network

RFeyertag — Fri, 08 Apr 2022 23:39:46 GMT

Hello XDR Community!

when the network (see screenshot) will be depprecated, will it be possible to get all the informations under network connections?

I don't get the same results and not dst_host which would be very usefull.

Here is my Query:

Network [ action type = all AND remote ip = XXX.XXX.XXX.X ] AND Time [ event timestamp in last 24H before Apr 9th 2022 01:03:51 ]

Has anybody of you a future proof XQL version of my query above?

Rob

Betreff: Query Network

Cyber1985 — Sat, 09 Apr 2022 19:19:43 GMT

The two data sources deliver completly other results:

preset = xdr_agent_network | filter action_remote_ip = "185.x.x.x"

preset = network_story | filter action_remote_ip = "185.x.x.x"

Will there be a possibility to move the informations from XDR_AGENT_NETWORK to NETWORK_STORY?

Betreff: Query Network

Cyber1985 — Sat, 09 Apr 2022 21:29:56 GMT

Am I right? PA will take this useful feautre away, because they wan't to sell us a firewall? We allready have a firewall and we just need this information, which is shown in the xdr_agent_network preset.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2021

Network Events Deprecation

(

Starting with the next Cortex XDR release

)

After Cortex XDR introduced network collection events, that are stitched across endpoints and the Palo Alto Networks next-generation firewalls logs, there is no longer need to support raw

Network

events. Starting with the next Cortex XDR release,

Network

events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using

Network Connections

in the Query Builder. When searching in XQL, you should avoid using the

xdr_agent_network

preset and use the

newtork_story

preset instead.

Re: Query Network

KanwarSingh01 — Wed, 13 Apr 2022 05:18:29 GMT

@RFeyertag

Please see if the below XQL helps your case? Please replace the necessary fields as per your requirements.

config case_sensitive = false | preset = network_story | filter agent_hostname = "you_end_point_name" and action_remote_ip != null and dst_action_external_hostname != null | fields _time as Time, actor_process_os_pid as Pid, actor_process_image_name as Process, action_local_ip as Local_IP, dst_action_external_hostname as External_Hostname, action_remote_ip as Destination_IP, action_remote_port as Destination_Port | sort desc Time

Re: Query Network

RFeyertag — Fri, 15 Apr 2022 12:33:31 GMT

Hello to ALL!

I found the mistake.

It was my fault. I didn't check the period in the top right corner when writing the query *shame on me*

The network_story works like the agent_network_story!

Thanks you very much for the help!

Rob