Help me on developing XQL Query

N.B238890 — Mon, 16 Mar 2026 11:04:58 GMT

Hi Community,

Please help me on creating XQL query for cortex XSIAM on the below requirement.

VPN Credential Abuse / Anomalous VPN Access

Objective:
Detect initial access via compromised VPN credentials, the primary entry vector used by Handala Hack. It looks for suspicious VPN authentication events such as first‑time logins from new geolocations, commercial VPN IP ranges, sudden admin elevation after VPN login, or anomalous remote access activity. By correlating authentication anomalies with VPN session metadata, the hunt surfaces early indicators of credential misuse and unauthorized access. This aligns with T1078 (Valid Accounts) and T1090 (Proxy).

Re: Help me on developing XQL Query

susekar — Mon, 16 Mar 2026 14:09:36 GMT

Hello @N.B238890 ,

Greetings for the day.

To detect initial access via compromised VPN credentials and subsequent anomalous activity, you can utilize Cortex XSIAM's ability to query and correlate metadata from GlobalProtect and general authentication datasets. While a single, all-encompassing query for every objective may not exist, the following components can be used to build a comprehensive hunt for the behaviors you described.

1. Detecting VPN Access from Commercial/Hosting IP Ranges

Cortex XSIAM automatically enriches source IP data with Autonomous System (AS) information from providers such as Spur and MaxMind GeoLite2. You can identify commercial VPN or proxy usage by filtering for Autonomous System Names (ASNs) associated with hosting providers such as DigitalOcean or Amazon.

Use the following query structure to identify logins from hosting provider ASNs:

dataset = xdr_data 
| filter vpn_service = "GlobalProtect" and auth_outcome = "SUCCESS"
| fields _time, auth_identity, action_local_ip, xdm.source.asn.as_name, xdm.source.asn.as_number
| filter xdm.source.asn.as_name in ("DigitalOcean", "Amazon", "Google", "Microsoft") // Hosting providers often used by commercial VPNs

Note: Specific direct XDM boolean flags for Spur-provided VPN metadata (for example xdm.source.is_vpn) may vary depending on the schema version. Review the latest XDM Schema Guide or inspect available fields in your dataset.

2. Identifying VPN Logins from Unusual Geolocations

You can monitor successful connections originating from unexpected countries by filtering on geographic metadata associated with the source IP.

Example query to find logins outside a designated home country:

config case_sensitive = false
| dataset = xdr_data
| filter vpn_service = "GlobalProtect" and vpn_event_description = "gateway-auth" and action_location != null and auth_outcome = "SUCCESS"
| alter country_code = json_extract(to_json_string(action_location), "$.country")
| filter country_code not contains "[HOME_COUNTRY_CODE]" // Replace with your standard country code (e.g., "US")
| fields _time, agent_hostname, auth_identity, action_local_ip, country_code, auth_outcome

For first-time logins from new geolocations, Cortex XSIAM includes built-in analytics alerts such as “A user connected to a VPN from a new country.” These alerts rely on historical baselining of user login behavior.

3. Monitoring for Administrative Elevation and Anomalous Activity

After a suspicious VPN login, you should monitor for potential privilege escalation or lateral movement. Examples of activity to watch for include:

Windows Event ID 4624 – Successful interactive logon
Windows Event ID 4768 – Kerberos authentication ticket request

These events occurring shortly after a VPN login may indicate that compromised credentials are being used to pivot within the environment.

4. Detecting Unauthorized Remote Access Tools (RATs)

If stolen credentials are used to deploy or execute remote access tools such as TeamViewer, you can detect them through process execution or file activity telemetry.

Example query to identify TeamViewer execution and the associated user:

dataset = xdr_data
| filter actor_process_image_path contains "TeamViewer"
| fields _time, actor_effective_username, action_file_path, action_remote_ip, agent_hostname

TeamViewer also generates local logs at:

C:\Program Files (x86)\TeamViewer\TVNetwork.log

These artifacts can be correlated with user activity and endpoint telemetry stored in the xdr_data dataset.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".