topic Finding if a URL was visited using XQL in Cortex in Cortex XDR Discussions

Finding if a URL was visited using XQL in Cortex

KErickson1 — Mon, 20 Mar 2023 18:21:35 GMT

We wanted to see if we could use XQL to query for if a URL was visited in our environment. Is there a way to structure a working query for this using XQL? We've tried unsuccessfully so far, so we are turning to you, the community.

Thank you for any assistance.

Re: Finding if a URL was visited using XQL in Cortex

timurphy — Mon, 20 Mar 2023 19:49:59 GMT

Hi @KErickson1,

There are a few ways you could go about forming this type of query via XQL. If the forensics add-on is in use, you can query the various forensics_<browser>_history datasets.

Another option could be investigating DNS queries from clients with the XDR agent installed using the network_story preset. Of course, this won't be as detailed as entries in a browser history database (will not be able to determine if a specific URL was visited), but can still be useful in an investigation. Here is a query to help get started with this:

config case_sensitive = false | preset = network_story | filter (dns_resolutions != null) | arrayexpand dns_resolutions | alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{} | fields agent_hostname, actor_process_image_name, actor_process_image_path, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions | filter Resolution_Name contains $domain | sort desc _time

If you save it to the query library, you can input a particular domain name you are interested in, or simply replace $domain in line 7 with your target domain directly in the query (e.g. "example.com") :

I hope this helps!

Regards,

Tim

Re: Finding if a URL was visited using XQL in Cortex

KErickson1 — Mon, 20 Mar 2023 22:22:40 GMT

Thanks Tim for getting back to us so quickly, this worked brilliantly first run!

Re: Finding if a URL was visited using XQL in Cortex

Rashik — Fri, 18 Oct 2024 18:41:35 GMT

What if you need to search 50 domains at one? Is there an efficient way?

Re: Finding if a URL was visited using XQL in Cortex

C.Uppin — Sun, 20 Oct 2024 16:53:31 GMT

This below query may also help you

preset = network_story
| filter dst_action_external_hostname in ("google.com", "telegram.com")
| fields _time, agent_hostname , agent_ip_addresses , actor_effective_username , agent_os_type , action_remote_ip, action_remote_port , actor_remote_ip , actor_remote_port, dst_action_external_hostname , action_external_hostname, action_total_upload