https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hostfirewall-events/m-p/1253466#M9304 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1561359921">@J.Gammara</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.<BR /><BR /></P> <DIV class="relative basis-auto flex-col -mb-(--composer-overlap-px) pb-(--composer-overlap-px) [--composer-overlap-px:28px] grow flex"> <DIV class="flex flex-col text-sm"> <SECTION class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto [content-visibility:auto] supports-[content-visibility:auto]:[contain-intrinsic-size:auto_100lvh] R6Vx5W_threadScrollVars scroll-mb-[calc(var(--scroll-root-safe-area-inset-bottom,0px)+var(--thread-response-height))] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="false" data-testid="conversation-turn-2" data-turn-id="request-WEB:1bca8f7b-5d3b-4d1b-9f45-e577caf4b9b6-0"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-3" data-message-id="3714b27e-9b00-4cb9-99de-af4091cac3b9" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <P data-end="375" data-start="0">To review and correlate network traffic with Host Firewall events efficiently in Cortex XDR, you should utilize a combination of dedicated datasets and optimized XQL join stages.</P> <P data-end="375" data-start="0">&nbsp;</P> <P data-end="375" data-start="0">The optimal approach involves querying the <CODE data-end="244" data-start="222">host_firewall_events</CODE> dataset for firewall-specific enforcement and joining it with normalized network presets to gain process and connectivity context.</P> <P data-end="375" data-start="0">&nbsp;</P> <H4 data-end="413" data-start="377" data-section-id="195wcm3">1. Identify the Correct Datasets:</H4> <UL data-end="837" data-start="414"> <LI data-end="574" data-start="414" data-section-id="1efxxmn"><STRONG data-end="441" data-start="416">Host Firewall Events:</STRONG> Enforcement actions (Allow/Block) taken by the agent's firewall module are stored in the dedicated <CODE data-end="563" data-start="541">host_firewall_events</CODE> dataset.</LI> <LI data-end="837" data-start="575" data-section-id="1jw7skf"><STRONG data-end="597" data-start="577">Network Traffic:</STRONG> General network activity is best reviewed using the <CODE data-end="665" data-start="650">network_story</CODE> (Network Connections) preset, which contains stitched logs combining events from various sources. Alternatively, raw agent network events reside in the <CODE data-end="828" data-start="818">xdr_data</CODE> dataset.</LI> </UL> <H4 data-end="871" data-start="839" data-section-id="1wl8sif">Sample XQL Correlation Query:</H4> <P data-end="1028" data-start="872">The following query correlates blocked Host Firewall events with network connectivity data to identify which processes were involved in the blocked traffic:</P> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="pointer-events-none absolute end-1.5 top-1 z-2 md:end-2 md:top-1">&nbsp;</DIV> <DIV class="relative"> <DIV class="pe-11 pt-3"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼd ͼr" dir="ltr"> <DIV class="cm-scroller"> <PRE class="cm-content q9tKkq_readonly m-0"><CODE><SPAN>dataset = host_firewall_events </SPAN><BR /><SPAN>| filter action = 2 // Filter for Blocked events</SPAN><BR /><SPAN>| fields _time, agent_hostname, action_local_ip, action_remote_ip, action_remote_port, action_process_image_path, actor_process_instance_id, agent_id</SPAN><BR /><SPAN>| join (</SPAN><BR /><SPAN> preset = network_story </SPAN><BR /><SPAN> | fields agent_hostname, actor_process_instance_id, action_app_id_transitions, action_external_hostname</SPAN><BR /><SPAN>) as net network.agent_hostname = agent_hostname and network.actor_process_instance_id = actor_process_instance_id</SPAN><BR /><SPAN>| fields _time, agent_hostname, action_process_image_path, action_local_ip, action_remote_ip, action_remote_port, net.action_app_id_transitions, net.action_external_hostname</SPAN></CODE></PRE> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </SECTION> </DIV> </DIV> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking<SPAN>&nbsp;</SPAN><STRONG>like</STRONG><SPAN>&nbsp;</SPAN>and on<SPAN>&nbsp;</SPAN><STRONG>"mark this as a Solution".</STRONG><BR /><BR /></P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 May 2026 13:38:41 GMT susekar 2026-05-05T13:38:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hostfirewall-events/m-p/1253448#M9299 <P data-path-to-node="6">Hi everyone,</P> <P data-path-to-node="7">What is the best and most efficient way to review network traffic and correlate or compare it with Host Firewall events using XQL?</P> <P data-path-to-node="8">I am looking for the optimal approach to query and analyze this data together without impacting performance. If anyone has a sample XQL query or advice on how you handle this in your SOC, I would really appreciate it.</P> <P data-path-to-node="9">Thanks in advance!</P> Mon, 04 May 2026 16:46:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hostfirewall-events/m-p/1253448#M9299 J.Gammara 2026-05-04T16:46:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hostfirewall-events/m-p/1253466#M9304 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1561359921">@J.Gammara</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.<BR /><BR /></P> <DIV class="relative basis-auto flex-col -mb-(--composer-overlap-px) pb-(--composer-overlap-px) [--composer-overlap-px:28px] grow flex"> <DIV class="flex flex-col text-sm"> <SECTION class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto [content-visibility:auto] supports-[content-visibility:auto]:[contain-intrinsic-size:auto_100lvh] R6Vx5W_threadScrollVars scroll-mb-[calc(var(--scroll-root-safe-area-inset-bottom,0px)+var(--thread-response-height))] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="false" data-testid="conversation-turn-2" data-turn-id="request-WEB:1bca8f7b-5d3b-4d1b-9f45-e577caf4b9b6-0"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-3" data-message-id="3714b27e-9b00-4cb9-99de-af4091cac3b9" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <P data-end="375" data-start="0">To review and correlate network traffic with Host Firewall events efficiently in Cortex XDR, you should utilize a combination of dedicated datasets and optimized XQL join stages.</P> <P data-end="375" data-start="0">&nbsp;</P> <P data-end="375" data-start="0">The optimal approach involves querying the <CODE data-end="244" data-start="222">host_firewall_events</CODE> dataset for firewall-specific enforcement and joining it with normalized network presets to gain process and connectivity context.</P> <P data-end="375" data-start="0">&nbsp;</P> <H4 data-end="413" data-start="377" data-section-id="195wcm3">1. Identify the Correct Datasets:</H4> <UL data-end="837" data-start="414"> <LI data-end="574" data-start="414" data-section-id="1efxxmn"><STRONG data-end="441" data-start="416">Host Firewall Events:</STRONG> Enforcement actions (Allow/Block) taken by the agent's firewall module are stored in the dedicated <CODE data-end="563" data-start="541">host_firewall_events</CODE> dataset.</LI> <LI data-end="837" data-start="575" data-section-id="1jw7skf"><STRONG data-end="597" data-start="577">Network Traffic:</STRONG> General network activity is best reviewed using the <CODE data-end="665" data-start="650">network_story</CODE> (Network Connections) preset, which contains stitched logs combining events from various sources. Alternatively, raw agent network events reside in the <CODE data-end="828" data-start="818">xdr_data</CODE> dataset.</LI> </UL> <H4 data-end="871" data-start="839" data-section-id="1wl8sif">Sample XQL Correlation Query:</H4> <P data-end="1028" data-start="872">The following query correlates blocked Host Firewall events with network connectivity data to identify which processes were involved in the blocked traffic:</P> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="pointer-events-none absolute end-1.5 top-1 z-2 md:end-2 md:top-1">&nbsp;</DIV> <DIV class="relative"> <DIV class="pe-11 pt-3"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼd ͼr" dir="ltr"> <DIV class="cm-scroller"> <PRE class="cm-content q9tKkq_readonly m-0"><CODE><SPAN>dataset = host_firewall_events </SPAN><BR /><SPAN>| filter action = 2 // Filter for Blocked events</SPAN><BR /><SPAN>| fields _time, agent_hostname, action_local_ip, action_remote_ip, action_remote_port, action_process_image_path, actor_process_instance_id, agent_id</SPAN><BR /><SPAN>| join (</SPAN><BR /><SPAN> preset = network_story </SPAN><BR /><SPAN> | fields agent_hostname, actor_process_instance_id, action_app_id_transitions, action_external_hostname</SPAN><BR /><SPAN>) as net network.agent_hostname = agent_hostname and network.actor_process_instance_id = actor_process_instance_id</SPAN><BR /><SPAN>| fields _time, agent_hostname, action_process_image_path, action_local_ip, action_remote_ip, action_remote_port, net.action_app_id_transitions, net.action_external_hostname</SPAN></CODE></PRE> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </SECTION> </DIV> </DIV> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking<SPAN>&nbsp;</SPAN><STRONG>like</STRONG><SPAN>&nbsp;</SPAN>and on<SPAN>&nbsp;</SPAN><STRONG>"mark this as a Solution".</STRONG><BR /><BR /></P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 May 2026 13:38:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hostfirewall-events/m-p/1253466#M9304 susekar 2026-05-05T13:38:41Z