https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/592285#M6933 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/111040965">@elnur.abbasov</a>&nbsp;,</P> <P><BR />Not a direct answer to your question, but you may start with the one that I'm using:</P> <LI-CODE lang="markup">dataset = xdr_data //Event_type = 2 is referred to "NETWORK" //Search for remote host that scan for specific ports | filter event_type = 2 and action_network_is_server = True and action_remote_ip not in (null, "::1", "127.0.0.1") and causality_actor_process_image_path = "System" | comp count_distinct(action_local_ip) as connection_count, values(action_local_ip) as destination by action_remote_ip,action_local_port | filter connection_count &gt; 100 //Joining XDR endpoint dataset to validate the present of Cortex XDR agent on Remote IP | join type=left conflict_strategy = right ( dataset=endpoints | filter ip_address != null | fields ip_address, endpoint_name | arrayexpand ip_address) as ep ep.ip_address = action_remote_ip | filter endpoint_name = null //Correlate hostname based on ip address. This information are obtained from NGFW. (Fairly reliable, but not 100% accurate - especially workstation's ip will change due to DHCP.) | join type= left conflict_strategy = right ( preset = network_story | filter action_external_hostname != null | dedup action_local_ip | fields action_external_hostname as DNS_name, action_local_ip) as FWdata fwdata.action_local_ip = action_remote_ip | fields action_remote_ip as remote_ip, DNS_name, destination, connection_count, action_local_port as destination_port | sort desc connection_count</LI-CODE> <P>Let me know if you have any questions.</P> Wed, 17 Jul 2024 08:07:05 GMT Antony_Chan 2024-07-17T08:07:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/591845#M6909 <P>Hello Dear Community, I want to count events based on specified time periods. For example I want to query hosts that scanned more than 50 hosts in 10 seconds. How can I write XQL in that case?&nbsp;&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Fri, 12 Jul 2024 13:24:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/591845#M6909 elnur.abbasov 2024-07-12T13:24:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/592111#M6922 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/111040965">@elnur.abbasov</a>&nbsp;,</P> <P>&nbsp;</P> <P>Could you please confirm what kindly of events are you looking for and what type of scanning you have mentioned.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Ashutosh</P> Tue, 16 Jul 2024 07:02:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/592111#M6922 aspatil 2024-07-16T07:02:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/592285#M6933 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/111040965">@elnur.abbasov</a>&nbsp;,</P> <P><BR />Not a direct answer to your question, but you may start with the one that I'm using:</P> <LI-CODE lang="markup">dataset = xdr_data //Event_type = 2 is referred to "NETWORK" //Search for remote host that scan for specific ports | filter event_type = 2 and action_network_is_server = True and action_remote_ip not in (null, "::1", "127.0.0.1") and causality_actor_process_image_path = "System" | comp count_distinct(action_local_ip) as connection_count, values(action_local_ip) as destination by action_remote_ip,action_local_port | filter connection_count &gt; 100 //Joining XDR endpoint dataset to validate the present of Cortex XDR agent on Remote IP | join type=left conflict_strategy = right ( dataset=endpoints | filter ip_address != null | fields ip_address, endpoint_name | arrayexpand ip_address) as ep ep.ip_address = action_remote_ip | filter endpoint_name = null //Correlate hostname based on ip address. This information are obtained from NGFW. (Fairly reliable, but not 100% accurate - especially workstation's ip will change due to DHCP.) | join type= left conflict_strategy = right ( preset = network_story | filter action_external_hostname != null | dedup action_local_ip | fields action_external_hostname as DNS_name, action_local_ip) as FWdata fwdata.action_local_ip = action_remote_ip | fields action_remote_ip as remote_ip, DNS_name, destination, connection_count, action_local_port as destination_port | sort desc connection_count</LI-CODE> <P>Let me know if you have any questions.</P> Wed, 17 Jul 2024 08:07:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xql-help/m-p/592285#M6933 Antony_Chan 2024-07-17T08:07:05Z