https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587142#M6689 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1372551263">@Fm12345</a>&nbsp;,</P> <P>Thanks for the information and help.<BR />Where can I get network_mapper_raw? through XQL query?</P> <P><BR />If the mapper result tells me that the IP or hostname and if machine have or not XDR agent is perfect.</P> <P>&nbsp;</P> <P>About CVE's it's the same thing, in the XDR tenant there is a module "Vulnerability Assessment", and my objective is to obtain the CVE's or machines that have update problems and then inject them into XSOAR to create automations.</P> Fri, 17 May 2024 16:29:55 GMT tlmarques 2024-05-17T16:29:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587139#M6686 <P>Hi,</P> <P>I am creating a playbook with the objective of integrating<SPAN>&nbsp;</SPAN><A id="hoverCardLink" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XSOAR/pd-p/Cortex_XSOAR" target="_blank">Cortex XSOAR</A><SPAN>&nbsp;</SPAN>&nbsp;and<SPAN>&nbsp;</SPAN><A id="hoverCardLink_1" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XDR/pd-p/Cortex_XDR" target="_blank">Cortex XDR</A><SPAN>&nbsp;</SPAN>.&nbsp;</P> <P>The idea is for<SPAN>&nbsp;</SPAN><A id="hoverCardLink_3" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XSOAR/pd-p/Cortex_XSOAR" target="_blank">Cortex XSOAR</A><SPAN>&nbsp;</SPAN>&nbsp;to query<SPAN>&nbsp;</SPAN><A id="hoverCardLink_5" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XDR/pd-p/Cortex_XDR" target="_blank">Cortex XDR</A><SPAN>&nbsp;</SPAN>&nbsp;, retrieve all the assets detected by the broker scanner, and verify which assets do or do not have the XDR agent.</P> <P>&nbsp;</P> <P>Does anyone know if this is possible?</P> <P><BR />My idea is to use both solutions to achieve as much automation as possible.</P> <P><BR />Another playbook later on will involve XSOAR querying the XDR vulnerability section to identify machines with missing CVEs, listing the machines and CVEs, and then identifying the necessary KBs.</P> <P><BR />Can anyone help me? Does anyone know if this is possible, even with an XQL query?</P> Fri, 17 May 2024 16:04:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587139#M6686 tlmarques 2024-05-17T16:04:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587141#M6688 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;</P> <P>We have data of network mapper scans in network_mapper_raw you can get results of detected hosts there. From there you can probably join endpoints dataset and see which endpoint has xdr agent based on Ip address matching. That much should be possible I think. I need to try to test out the query though.&nbsp;</P> <P>&nbsp;</P> <P>Not sure about what you mention about cves. But we have va_endpoints with data you need. I.e each entry has endpoint name,cve list that the endpoint is exposed to.</P> <P>If you want to link it to applications as well then you can use va_cves which has other related info. That's what I can think of. I will try xql and update if I can.</P> <P>&nbsp;</P> Fri, 17 May 2024 16:22:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587141#M6688 Fm12345 2024-05-17T16:22:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587142#M6689 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1372551263">@Fm12345</a>&nbsp;,</P> <P>Thanks for the information and help.<BR />Where can I get network_mapper_raw? through XQL query?</P> <P><BR />If the mapper result tells me that the IP or hostname and if machine have or not XDR agent is perfect.</P> <P>&nbsp;</P> <P>About CVE's it's the same thing, in the XDR tenant there is a module "Vulnerability Assessment", and my objective is to obtain the CVE's or machines that have update problems and then inject them into XSOAR to create automations.</P> Fri, 17 May 2024 16:29:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587142#M6689 tlmarques 2024-05-17T16:29:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587144#M6690 <P>Yes.. use below query.</P> <P>dataset = panw_network_mapper_raw</P> <P>| filter ip not in (dataset = endpoints | arrayexpand ip_address |fields ip_address )</P> <P>|fields ip,hostname</P> <P>&nbsp;</P> <P>This will give you hosts that don't have xdr agent.&nbsp; Use filters as per your need.</P> Fri, 17 May 2024 16:38:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587144#M6690 Fm12345 2024-05-17T16:38:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587263#M6700 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1372551263">@Fm12345</a>&nbsp; thanks a lot <span class="lia-unicode-emoji" title=":winking_face:">😉</span>&nbsp;<BR /><BR />do you know what is dataset for module "<SPAN>Vulnerability Assessment"?</SPAN></P> <P>&nbsp;</P> Mon, 20 May 2024 10:32:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/help-xql-query-for-xdr-and-xsoar/m-p/587263#M6700 tlmarques 2024-05-20T10:32:40Z