https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-correlation-between-xdr-agent-and-palo-alto-url/m-p/532383#M3717 <P>Hi Fabio,&nbsp;</P> <P>&nbsp;</P> <P>If you have&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-Your-Network-Devices" target="_self">Configured Your Network Devices</A>&nbsp;to send PAN NGFW logs to the Cortex Data Lake, you can create an XQL query to search for the correlation.&nbsp;<BR /><BR /></P> <P>For example, the below query uses the Network Story preset, which&nbsp;groups xdr_data fields that are useful for analyzing specific areas of network and endpoint activity; this query displays any connections done by the specified browser(s) processes for an IP configured in the PANW NGFW logs:</P> <LI-CODE lang="markup">preset = network_story // Using XDR network story preset | filter action_remote_ip = "ipaddress" and lowercase(actor_process_image_name) in ("chrome.exe", "msedge.exe","opera.exe", "firefox.exe", "iexplore.exe") // "ipaddress" enter the ipaddress associated with the event. Enter the browser process name | fields agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line // selecting the relevant fields | dedup agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line by asc _time // dedupping to only show the first time it happened | sort desc _time // sorting in desc order</LI-CODE> <P>&nbsp;</P> <P>The network story preset also entails:</P> <TABLE dir="ltr" border="1" cellspacing="0" cellpadding="0"><COLGROUP><COL width="100" /><COL width="100" /><COL width="100" /></COLGROUP> <TBODY> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_query_name&quot;}">dns_query_name</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;string&quot;}">string</TD> </TR> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_query_type&quot;}">dns_query_type</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;string&quot;}">string</TD> </TR> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_resolutions&quot;}">dns_resolutions</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;json&quot;}">json</TD> </TR> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_reply_code&quot;}">dns_reply_code</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;string&quot;}">string</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Thank you</P> Mon, 27 Feb 2023 20:51:46 GMT jtalton 2023-02-27T20:51:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-correlation-between-xdr-agent-and-palo-alto-url/m-p/532359#M3713 <P>Hi,</P> <P>&nbsp;</P> <P>I need to get the correlation between url that are being access and found through url filtering in PA FW and xdr agent that shows me which machine are accessing this url.</P> <P>In Cortex XDR I can see the the log from PA Firewall, source ip it is our internal DNS and destination the malicious URL, and I need to know who is doing this query, which user and client IP.</P> Mon, 27 Feb 2023 15:43:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-correlation-between-xdr-agent-and-palo-alto-url/m-p/532359#M3713 FabioFerreira 2023-02-27T15:43:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-correlation-between-xdr-agent-and-palo-alto-url/m-p/532383#M3717 <P>Hi Fabio,&nbsp;</P> <P>&nbsp;</P> <P>If you have&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-Your-Network-Devices" target="_self">Configured Your Network Devices</A>&nbsp;to send PAN NGFW logs to the Cortex Data Lake, you can create an XQL query to search for the correlation.&nbsp;<BR /><BR /></P> <P>For example, the below query uses the Network Story preset, which&nbsp;groups xdr_data fields that are useful for analyzing specific areas of network and endpoint activity; this query displays any connections done by the specified browser(s) processes for an IP configured in the PANW NGFW logs:</P> <LI-CODE lang="markup">preset = network_story // Using XDR network story preset | filter action_remote_ip = "ipaddress" and lowercase(actor_process_image_name) in ("chrome.exe", "msedge.exe","opera.exe", "firefox.exe", "iexplore.exe") // "ipaddress" enter the ipaddress associated with the event. Enter the browser process name | fields agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line // selecting the relevant fields | dedup agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line by asc _time // dedupping to only show the first time it happened | sort desc _time // sorting in desc order</LI-CODE> <P>&nbsp;</P> <P>The network story preset also entails:</P> <TABLE dir="ltr" border="1" cellspacing="0" cellpadding="0"><COLGROUP><COL width="100" /><COL width="100" /><COL width="100" /></COLGROUP> <TBODY> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_query_name&quot;}">dns_query_name</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;string&quot;}">string</TD> </TR> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_query_type&quot;}">dns_query_type</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;string&quot;}">string</TD> </TR> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_resolutions&quot;}">dns_resolutions</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;json&quot;}">json</TD> </TR> <TR> <TD width="110.594px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;network_story&quot;}">network_story</TD> <TD width="134.641px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;dns_reply_code&quot;}">dns_reply_code</TD> <TD width="100px" height="30px" data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;string&quot;}">string</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Thank you</P> Mon, 27 Feb 2023 20:51:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-correlation-between-xdr-agent-and-palo-alto-url/m-p/532383#M3717 jtalton 2023-02-27T20:51:46Z