https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590479#M6853 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/922167235">@Arman_Zaheri</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>Try this XQL Query with your required data:</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = xdr_data | filter agent_hostname = "Your_Hostname" //If needed | filter event_type = ENUM.STORY | filter dns_query_name contains "microsoft" // Set your domain to search | fields agent_hostname, agent_ip_addresses, actor_process_image_name, actor_process_image_path, causality_actor_process_command_line, dns_query_name </LI-CODE> <P>Please let us know how it goes.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Wed, 26 Jun 2024 13:44:21 GMT jmazzeo 2024-06-26T13:44:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590423#M6847 <P>Hello everybody,</P> <P>I sometimes receive alerts from our firewall blocking a malicious DNS request, but when I want to track it to the application that made that request, I just see Windows DNS cache service. Is there any way to audit specific DNS requests e.g. "gyoutube.com" ,which is actually malicious, in a Windows client using Cortex or other tools and find exactly which process made that request?</P> <P>&nbsp;</P> <P>Many thanks,</P> Wed, 26 Jun 2024 06:40:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590423#M6847 Arman_Zaheri 2024-06-26T06:40:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590479#M6853 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/922167235">@Arman_Zaheri</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>Try this XQL Query with your required data:</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = xdr_data | filter agent_hostname = "Your_Hostname" //If needed | filter event_type = ENUM.STORY | filter dns_query_name contains "microsoft" // Set your domain to search | fields agent_hostname, agent_ip_addresses, actor_process_image_name, actor_process_image_path, causality_actor_process_command_line, dns_query_name </LI-CODE> <P>Please let us know how it goes.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Wed, 26 Jun 2024 13:44:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590479#M6853 jmazzeo 2024-06-26T13:44:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590572#M6857 <P>Hello again,</P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/32392">@jmazza</a>&nbsp;many thanks for the quick and correct answer. I was using the following query before that utilizes "network_story" preset and usually I could find DNS requests made by a host, but not the latter one&nbsp; mentioned. What's the difference between using this preset and xdr_data in this case?</P> <P>&nbsp;</P> <LI-CODE lang="python">preset= network_story | filter (dns_query_name != null) | arrayexpand dns_resolutions | filter (dns_query_name contains "gyoutube")</LI-CODE> <P>&nbsp;</P> Thu, 27 Jun 2024 06:03:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/find-the-responsible-application-in-windows-for-making-malicious/m-p/590572#M6857 Arman_Zaheri 2024-06-27T06:03:04Z