https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561900#M5353 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/322469">@EnriqueSanz</a>&nbsp;,</P> <P>&nbsp;</P> <P>For better search, please bookmark below link for XDR admin guide and in future search within it for your queries.</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Overview" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Overview</A></P> <P>&nbsp;</P> <P>Regarding the query, please ensure that you are using same time period in your XQL query and in the interface.</P> Mon, 16 Oct 2023 16:30:15 GMT nsinghvirk 2023-10-16T16:30:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561618#M5347 <P>Hello,</P> <P>&nbsp;</P> <P>I'm trying to make a BIOC to inform when a SSH conection is made in some critical assets, but I'm not able to do it in XQL, I have done it using the interface.</P> <P>&nbsp;</P> <P>Network Connections AND Destination [ Remote port = 22 ] AND Host [ Host Name = &lt;name&gt; ]</P> <P>&nbsp;</P> <P>The link to the XQL documentation is broken and I'm not able to find how to do it. I prefere to make it in XQL due to I want to make some exclusions and in the interface builder I can only make one exclusion...</P> <P>&nbsp;</P> <P>Can you please help me?</P> <P>&nbsp;</P> <P>Best regards</P> Fri, 13 Oct 2023 09:22:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561618#M5347 EnriqueSanz 2023-10-13T09:22:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561867#M5348 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/322469">@EnriqueSanz</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Please take reference from below XQL query to create your BIOC rule. This query simply detect remote port 22 on a particular host.&nbsp;</P> <P>dataset = xdr_data <BR />| filter event_type = NETWORK and action_remote_port = 22 and agent_hostname = "&lt;hostname&gt;"</P> <P>&nbsp;</P> <P>You can add your use case requirements to it.</P> <P>Below are the links to XQL and BIOC guides.</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL</A></P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs</A></P> <P>&nbsp;</P> <P>Please let us know which documentation links are broken so that we can repair them or provide you updated ones.</P> Mon, 16 Oct 2023 12:50:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561867#M5348 nsinghvirk 2023-10-16T12:50:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561886#M5352 <P>&nbsp;</P> <P data-unlink="true">Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101">@nsinghvirk</a>,</P> <P data-unlink="true">&nbsp;</P> <P>First of all, thanks for the reply!</P> <P>&nbsp;</P> <P>The URL that is broken is the first one that I get when I search "xql search" on Google, <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/search-queries/query-builder/xql-search" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/search-queries/query-builder/xql-search</A></P> <P>&nbsp;</P> <P>On the other hand, I don't get any result when I use the suggested querie using the same asset that the interface search gives me 7 results... I don't know if the problem is in the configuration...</P> Mon, 16 Oct 2023 13:54:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561886#M5352 EnriqueSanz 2023-10-16T13:54:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561900#M5353 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/322469">@EnriqueSanz</a>&nbsp;,</P> <P>&nbsp;</P> <P>For better search, please bookmark below link for XDR admin guide and in future search within it for your queries.</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Overview" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Overview</A></P> <P>&nbsp;</P> <P>Regarding the query, please ensure that you are using same time period in your XQL query and in the interface.</P> Mon, 16 Oct 2023 16:30:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/561900#M5353 nsinghvirk 2023-10-16T16:30:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/562058#M5358 <P>Hello!</P> <P>&nbsp;</P> <P>Yes, I'm using the same period... It's weird...</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 17 Oct 2023 10:56:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-about-xql-to-make-a-bioc/m-p/562058#M5358 EnriqueSanz 2023-10-17T10:56:53Z