topic Re: Looking for a XQL query to identify if a specific domain is accessed in our environment. in Cortex XDR Discussions

Looking for a XQL query to identify if a specific domain is accessed in our environment.

ShubhamT281 — Fri, 10 May 2024 13:27:11 GMT

I have tried using the below XQL query to identify the domains accessed and tried to test it using my own system but somehow I am not getting all the results. For eg : when I tried common domain names like "google.com", "reddit.com". It worked and fetched results for me. When I tried to access a specific uncommon domain name like for eg : "https://support.paloaltonetworks.com/" or "https://learn.microsoft.com/" on my system and then searched for this domain names using the below mentioned query it fetched no results.

I am not sure if there is something missing in the query to cover all the results. This has been a requirement for a long time but couldn't find a out of the box query from the query helper in XDR. Would appreciate if someone can help with this.

config case_sensitive = false
| preset = network_story
| filter (dns_resolutions != null)
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname, actor_process_image_name, actor_process_image_path, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions
| filter Resolution_Name contains $domain
| sort desc _time

Note : I replace the $domain with the a domain I want to look up.

Re: Looking for a XQL query to identify if a specific domain is accessed in our environment.

jmazzeo — Fri, 10 May 2024 15:12:08 GMT

Hi @ShubhamT281, thanks for reaching us using the Live Community.

I was able to reach the result using a more simple query:

config case_sensitive = false | preset = network_story | filter dst_action_external_hostname contains "yourdomain.com"

The field "dst_action_external_hostname" is the key using that preset.

If this post answers your question, please mark it as the solution.

Re: Looking for a XQL query to identify if a specific domain is accessed in our environment.

ShubhamT281 — Mon, 13 May 2024 11:37:28 GMT

Hi @jmazzeo ,

This query works, thanks a lot for the prompt response.

Re: Looking for a XQL query to identify if a specific domain is accessed in our environment.

rufat87 — Mon, 27 May 2024 18:52:37 GMT

config case_sensitive = false timeframe = 30d

|dataset = xdr_data

| filter dns_query_name contains "insert domain" or action_external_hostname contains "insert domain" or dst_action_external_hostname contains "insert domain"

this is what we use to see any attempts registered by XDR to access the domains.