https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-in-which-i-can-know-by-country-how-many-logins-exist/m-p/582954#M6475 <P>Good morning,</P> <P>I am starting this conversation to request your support to create an XQL query for Cortex XDR in which I can know by country how many logins exist.</P> <P>If you help me with the geolocation dashboard it would be great.</P> <P>For example:</P> <P>from the USA there are 56 logins<BR />Russia 15 logins.</P> <P>Is it possible to do this with the XDR information?</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT></P> Mon, 08 Apr 2024 16:40:20 GMT Rolando_Pena 2024-04-08T16:40:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-in-which-i-can-know-by-country-how-many-logins-exist/m-p/582954#M6475 <P>Good morning,</P> <P>I am starting this conversation to request your support to create an XQL query for Cortex XDR in which I can know by country how many logins exist.</P> <P>If you help me with the geolocation dashboard it would be great.</P> <P>For example:</P> <P>from the USA there are 56 logins<BR />Russia 15 logins.</P> <P>Is it possible to do this with the XDR information?</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT></P> Mon, 08 Apr 2024 16:40:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-in-which-i-can-know-by-country-how-many-logins-exist/m-p/582954#M6475 Rolando_Pena 2024-04-08T16:40:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-in-which-i-can-know-by-country-how-many-logins-exist/m-p/583100#M6479 <P>Hello Rolando_Pena,</P> <P>&nbsp;</P> <P>The following query provides a geo map of network activity in XDR:</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">preset = network_story </FONT><BR /><FONT face="courier new,courier">| iploc action_remote_ip loc_country</FONT><BR /><FONT face="courier new,courier">| filter loc_country != null</FONT><BR /><FONT face="courier new,courier">| union (preset = network_story| iploc action_local_ip loc_country | filter loc_country != null) </FONT><BR /><FONT face="courier new,courier">| comp count(event_id) as counter by loc_country</FONT><BR /><FONT face="courier new,courier">| view graph type = map xaxis = loc_country yaxis = counter default_limit = `false` seriestitle("counter","Volume")</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jtalton_0-1712691660082.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58908iF07E9341C61BEE71/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jtalton_0-1712691660082.png" alt="jtalton_0-1712691660082.png" /></span></P> <P><BR />To create a query for successful logins by geolocation its best to include the ingestion of authentication logs which will create a dataset to query, example okta_data. <BR /><BR />If you are ingesting authentication logs, which we highly recommend to enrich XDR data, you may use this query which utilizes the preset = auth_logs which is comprised of authentication logs (Okta, Ping, etc) and is a subset of xdr_data dataset.</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">dataset = auth_logs </FONT><BR /><FONT face="courier new,courier">| iploc action_remote_ip loc_country </FONT><BR /><FONT face="courier new,courier">| filter auth_outcome = "SUCCESS" and loc_country != null//Also auth_outcome_reason to specify a description example OKTA SSO failed</FONT><BR /><FONT face="courier new,courier">| union (preset = network_story| iploc action_local_ip loc_country as ConnectionCountry | filter ConnectionCountry != null) </FONT><BR /><FONT face="courier new,courier">| comp count(event_id) as Countby by ConnectionCountry</FONT><BR /><FONT face="courier new,courier">| sort desc Countby </FONT><BR /><FONT face="courier new,courier">|</FONT><BR /><FONT face="courier new,courier">view graph type = pie subtype = full xaxis = ConnectionCountry yaxis = Countby</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jtalton_1-1712691759868.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58909iE32B39169A22F981/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jtalton_1-1712691759868.png" alt="jtalton_1-1712691759868.png" /></span></P> <P>&nbsp;</P> <P><BR />Note, a dataset is comprised of both raw EDR events reported by the Cortex XDR agent, and of logs from different sources such as third-party logs. To help you investigate events more efficiently, Cortex XDR also stitches these logs and events together into common schemas called stories. These stories are available using the Cortex XDR Presets.<BR /><BR />Reference&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Datasets-and-Presets" target="_blank" rel="noopener">Datasets and Presets • Cortex XDR XQL Language Reference • Reader • Palo Alto Networks documentation portal</A></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056" target="_blank" rel="noopener">LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)</A></P> <P>&nbsp;</P> <P><SPAN>&nbsp;If you found this answer helpful, please select Accept as Solution.</SPAN></P> Tue, 09 Apr 2024 19:47:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-in-which-i-can-know-by-country-how-many-logins-exist/m-p/583100#M6479 jtalton 2024-04-09T19:47:16Z