<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-share-xdr-pan-os-url-category-stitched-correlation-alert/m-p/489478#M2024</link>
    <description>&lt;P&gt;Thank you for your contribution!&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 23 May 2022 05:35:27 GMT</pubDate>
    <dc:creator>rtsedaka</dc:creator>
    <dc:date>2022-05-23T05:35:27Z</dc:date>
    <item>
      <title>Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-share-xdr-pan-os-url-category-stitched-correlation-alert/m-p/487459#M2001</link>
      <description>&lt;P&gt;Wanted to share a useful XQL query we have set up as a correlation rule in case anyone else finds it beneficial. This query requires that you have PAN-OS firewall URL logs available within XDR datasets, for example being sent to Cortex Data Lake. The query will return all hits from the firewall on a specific URL category, and then check to see if any local XDR agents have logs which also include the same URL/Source/Destination.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If it detects there are local agent logs to match the firewall URL data, the correlation alert will be created which includes the source process which initiated that traffic (i.e. chrome.exe). If no agent data is found which matches the firewall URL category hit, for example if it's an IoT device with no agent installed, an alert will still be generated due to it being a right join statement:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;dataset=xdr_data | fields action_remote_ip as Destination, action_local_ip as Source, user_id, actor_process_image_name, action_external_hostname as Domain, _time as XDRTime, actor_process_image_command_line, actor_process_image_sha256, user_id, agent_hostname, action_external_port, actor_process_image_path&lt;BR /&gt;|join type = right&lt;BR /&gt;(dataset = panw_ngfw_url_raw | filter url_category contains "command-and-control" | fields _time as Time, url_category as Category, source_ip as Source, users as Username, uri as NGFWURL, referer as Referer, technology_of_app as App, user_agent as UserAgent, dest_ip as Destination, url_domain as Domain) as corellation Source = corellation.Source and Destination = corellation.Destination and Domain = corellation.Domain&lt;BR /&gt;| dedup Source, NGFWURL&lt;/P&gt;</description>
      <pubDate>Mon, 16 May 2022 14:05:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-share-xdr-pan-os-url-category-stitched-correlation-alert/m-p/487459#M2001</guid>
      <dc:creator>ZachIvins</dc:creator>
      <dc:date>2022-05-16T14:05:16Z</dc:date>
    </item>
    <item>
      <title>Re: Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-share-xdr-pan-os-url-category-stitched-correlation-alert/m-p/489478#M2024</link>
      <description>&lt;P&gt;Thank you for your contribution!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 23 May 2022 05:35:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-share-xdr-pan-os-url-category-stitched-correlation-alert/m-p/489478#M2024</guid>
      <dc:creator>rtsedaka</dc:creator>
      <dc:date>2022-05-23T05:35:27Z</dc:date>
    </item>
  </channel>
</rss>

