topic Re: XQL query to add a widget to know the Protection Paused more than 30 days. in Cortex XDR Discussions

XQL query to add a widget to know the Protection Paused more than 30 days.

VenuK — Fri, 17 Mar 2023 05:08:58 GMT

Dear Team,

I am trying to write an XQL query to add a widget to know the Protection Paused more than 30 days. The Query is as follows, can someone help me to get the accurate results.

config timeframe = 30d
| dataset = endpoints
| filter manual_protection_pause != "PROTECTION_ACTIVE"
| join type = left (dataset = management_auditing | filter description contains "Protection Pause action initiated"| fields description) as mgmt mgmt.description contains endpoint_name
| comp count(endpoint_id) as Tally by endpoint_name
| filter Tally < 2
| view graph type = single subtype = standard yaxis = Tally

Re: XQL query to add a widget to know the Protection Paused more than 30 days.

bbarmanroy — Fri, 17 Mar 2023 08:42:05 GMT

Hi @VenuK Unfortunately, I don't think there's a way to get this done accurately as the description field may contain text like "Protection Pause action initiated on laptop001 and 1 other endpoint". If the endpoint name is not specifically listed in the description, it won't accurately identify the endpoint in the description.

I'd recommend you to create some automation with XDR API's to retrieve the data of endpoints on a daily/weekly basis and compare historically how long an endpoint has remained in an unprotected status.

Re: XQL query to add a widget to know the Protection Paused more than 30 days.

VenuK — Fri, 17 Mar 2023 10:28:57 GMT

@bbarmanroy , Thank you for the valuable time and reply, can you help me with tuning the query, as I am still a rookie in XQL.

Re: XQL query to add a widget to know the Protection Paused more than 30 days.

fmoixsante — Sat, 18 Mar 2023 15:32:43 GMT

Hi @VenuK.,

I came up with this XQL query, see if it is something you could use,

dataset=endpoints
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED, ENUM.DISCONNECTED) // You could remove ENUM.DISCONNECTED
| join type=left(dataset = agent_auditing | filter agent_auditing_subtype = ENUM.AGENT_AUDIT_MANUAL_PROTECTION_STATUS | fields description, agent_auditing_subtype, endpoint_id, received_time ) as aal aal.endpoint_id = endpoint_id
| filter timestamp_diff(current_time(), received_time , "MINUTE") > 30 // You can change MINUTE by HOUR or DAY. In this example, I added a MINUTE to showcase the result

I would not recommend to look for machines with Protectection paused for >= 30 days. It would be better to know about this as soon as possible. Therefore, I would recommend adding this XQL query to a correlation rule to generate alerts whenever timestamp_diff is >= 30 minutes or so. You can then create notifications filtering on the correlation alert.

Re: XQL query to add a widget to know the Protection Paused more than 30 days.

VenuK — Mon, 20 Mar 2023 03:52:16 GMT

Thank you @fmoixsante for the query, I used it, but it did not give me any results, so I tired the blow. Kindly suggest.

config timeframe = 30D // The query cannot be created for more than 30 days hence limited to 30 days as per requirement
|dataset=endpoints
| join type = left (dataset = management_auditing | filter description contains "Paused "| fields description) as mgmt mgmt.description contains endpoint_status
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED )
|comp count(endpoint_name) as tally by endpoint_name
|filter tally <2
| view graph type = single subtype = standard yaxis = Tally

Re: XQL query to add a widget to know the Protection Paused more than 30 days.

fmoixsante — Mon, 20 Mar 2023 10:45:54 GMT

Hi @VenuK,

The XQL query I provided to you, will look for endpoints with endpoint "manual_protection_pause" = "PROTECTION_PAUSED". If the query does not bring out any results, then that means that, at that moment, any of your enpoints are NOT on "PROTECTION_PAUSED".

The purpose of my query is that as soon as any of your endpoints are on "PROTECTION_PAUSED" and they have been in that state for more than 30 minutes based on the agent_audit_log dataset, and you add this query to a correlation rule, you will get an alert.

I do not really understand the 30D timeframe, if a machine is on "PROTECTION_PAUSED" for that long, that is a huge issue as a security risk. I would recommend checking all of your endpoints at this time, and if there are any that are on "PROTECTION_PAUSED", investigate why, and make sure to activate protections as soon as possible.

Moving forward, use the provided XQL query to get alert notifications, via correlation rule, whenever an endpoint is on "PROTECTION_PAUSED" for too long.

Re: XQL query to add a widget to know the Protection Paused more than 30 days.

N.Ernst — Thu, 06 Jun 2024 08:08:40 GMT

Sorry to jump in here, I tried this query, but it seems I am not able to get any results. I reproduced this by pausing an agent manually in the Endpoints view and then waited for 10 Minutes. If I understood your query it should display paused agents within the last 30 Minutes so it should pop up. So is it possible to read out the corresponding description given? Whenever you pause an agent, you can enter a comment, and it would be nice to see who paused it and what comment was entered.

Thanks