topic Re: Endpoints with Public IP in Cortex XDR Discussions

Endpoints with Public IP

Joe_Carissimo — Sun, 02 Mar 2025 19:54:10 GMT

Hi All, looking for some help here on creating an XQL query to search for any endpoints that are assigned public IP addresses. I searched and didn't see anything in the Live Community that already speaks to this.

I appreciate any support you can provide.
Thank you,
Joe

Re: Endpoints with Public IP

aspatil — Mon, 03 Mar 2025 07:40:31 GMT

Hello @Joe_Carissimo ,

Thanks for reaching out on LiveCommunity!

Below query should help:

dataset = xdr_data
| filter agent_external_ip != null
| fields action_remote_ip, agent_ip_addresses, agent_hostname, agent_external_ip, _time, actor_remote_ip, action_local_ip, actor_local_ip
|dedup agent_hostname

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: Endpoints with Public IP

Joe_Carissimo — Fri, 07 Mar 2025 20:41:27 GMT

Hi @aspatil, well this is the second time today I'm replying to you. For some reason the first time did not go through...

Thank you for your reply. However, this is not what I'm trying to accomplish. What I want to do is run a query to select agent_hostname and agent_ip_address from xdr_data where NOT incidr(192.168.0.0/16 or 10.0.0.0/24 or 172.16.0.0/20).

I'm just not using the right syntax with incidr and I also think the function "arrayexpand ip_address" has to come into play because the IP address can be multiple local addresses. For example, I could be connected to our VPN with a 172.23.129.50 address as well as my internal IP address being 192.168.1.197.

I hope this makes sense and you're able to help.

Thank you again,
Joe

Re: Endpoints with Public IP

aspatil — Mon, 10 Mar 2025 09:18:07 GMT

I think you should target Endpoint data set. Please refer to below query:
dataset = endpoints
| fields endpoint_name as agent_hostname, ip_address as agent_ip_address
| arrayexpand agent_ip_address
| filter not incidr(agent_ip_address, "10.0.0.0/24")
and not incidr(agent_ip_address, "172.16.0.0/20")
and not incidr(agent_ip_address, "192.168.0.0/16")

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: Endpoints with Public IP

Joe_Carissimo — Tue, 11 Mar 2025 17:40:09 GMT

Thank you, @aspatil, this is what I needed. Much appreciated.