https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/509912#M2390 <P>Hi Guys,</P> <P>&nbsp;</P> <P>Sort of new to XDR does anyone have any good xql queries for detecting assets without cortex agents installed and if the cyserver service has stopped working?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Tue, 26 Jul 2022 14:19:42 GMT KarlHalpin 2022-07-26T14:19:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/509912#M2390 <P>Hi Guys,</P> <P>&nbsp;</P> <P>Sort of new to XDR does anyone have any good xql queries for detecting assets without cortex agents installed and if the cyserver service has stopped working?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Tue, 26 Jul 2022 14:19:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/509912#M2390 KarlHalpin 2022-07-26T14:19:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/509981#M2391 <P data-unlink="true">Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211922">@KarlHalpin</a>&nbsp;The Agent Service is captured in the <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/monitor-agent-activity" target="_self">Agent Audit Logs</A>. The agent audit logs are not currently exposed as a dataset in ordered to be queried utilizing XQL. The agent audit logs are able to be exported to file or you may to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/create-notifications#ida889bdb8-1bb5-4133-b6c4-e39d02a3d67b" target="_self">configure notification forwarding</A> to support your monitoring needs.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">From an XQL enablement standpoint, there is a new feature to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/response-actions/pause-endpoint-protection#:~:text=Prevent%20Administrator%E2%80%99s%20Guide-,Pause%20Endpoint%20Protection,-PREVIOUS" target="_self">Pause Endpoint Protection</A> that requires the Cortex XDR agent 7.7 and above, which is apart of the Endpoints dataset; therefore, you can leverage XQL. Please reference the following example query:&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">dataset = endpoints |filter manual_protection_pause = "PROTECTION_PAUSED"</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">The results from this XQL query will display only endpoints that are configured with the XDR agent and have the endpoint protection manually paused.&nbsp;</P> Tue, 26 Jul 2022 21:00:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/509981#M2391 WSeldenIII 2022-07-26T21:00:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/510021#M2392 <P>To add onto what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130343">@WSeldenIII</a>&nbsp;stated for endpoints without XDR, you can achieeve the same with <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-the-network-mapper" target="_blank">Network Mapper</A>.</P> <P>Alternately, you can look at integrating <A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/get-started-with-the-cloud-identity-engine/learn-about-the-cloud-identity-engine" target="_blank">Cloud Identity Engine</A> and compare the assets with endpoints dataset and identify the assets that do not appear in both datasets with XQL.&nbsp;</P> Wed, 27 Jul 2022 06:59:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-query/m-p/510021#M2392 bbarmanroy 2022-07-27T06:59:42Z