article Cortex XDR Customer Success Webinar: Monitoring with XQL in Cortex XDR Videos

article Cortex XDR Customer Success Webinar: Monitoring with XQL in Cortex XDR Videos https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-monitoring-with-xql/ta-p/567803 <DIV class="lia-message-template-content-zone"> <H2>Monitoring with XQL & Data Ingestion </H2> <P><SPAN>This webinar covers the details of data ingestion from various sources and explores efficient monitoring practices using XQL.</SPAN></P> <P><SPAN>Make sure to review the queries and other resources below the video. </SPAN></P> <P> </P> <P><SPAN><div class="lia-vid-container video-embed-center"><div id="lia-vid-6342093528112w960h540r738" class="lia-video-brightcove-player-container"><video-js data-video-id="6342093528112" data-account="6058004142001" data-player="default" data-embed="default" class="vjs-fluid" controls="" data-application-id="" style="width: 100%; height: 100%;"></video-js></div><script src="https://players.brightcove.net/6058004142001/default_default/index.min.js"></script><script>(function() { var wrapper = document.getElementById('lia-vid-6342093528112w960h540r738'); var videoEl = wrapper ? wrapper.querySelector('video-js') : null; if (videoEl) { if (window.videojs) { window.videojs(videoEl).ready(function() { this.on('loadedmetadata', function() { this.el().querySelectorAll('.vjs-load-progress div[data-start]').forEach(function(bar) { bar.setAttribute('role', 'presentation'); bar.setAttribute('aria-hidden', 'true'); }); }); }); } }})();</script><a class="video-embed-link" href="https://live.paloaltonetworks.com/t5/video/gallerypage/video-id/6342093528112">(view in My Videos)</a></div></SPAN></P> <P> </P> <H3><SPAN>Queries: </SPAN></H3> <P><FONT color="#FF6600"><SPAN>Agent Monitoring Use Cases </SPAN></FONT></P> <UL> <LI><SPAN>A simple query to look up ingestion by timeframe</SPAN></LI> </UL> <LI-CODE lang="markup">config case_sensitive = false timeframe = 30d | dataset = xdr_data | join type=left (config case_sensitive = false | dataset =endpoints | filter endpoint_alias = $Hostname_Of_your_choice | dedup endpoint_name ) as wlatd wlatd.endpoint_name = agent_hostname | filter endpoint_name != null | fields endpoint_name,operating_system , action_evtlog_description,action_evtlog_data_fields,action_evtlog_event_id,agent_os_sub_type,agent_os_type | comp count (insert_timestamp ) as counter by endpoint_name, insert_timestamp | comp sum(counter) by endpoint_name </LI-CODE> <P> </P> <UL> <LI><SPAN><SPAN>Advanced query to lookup ingestion by timeframe<BR /></SPAN></SPAN></LI> </UL> <LI-CODE lang="markup">config timeframe between "2023-10-29 00:00:00 +0800" and "2023-10-29 23:59:59 +0800" |dataset = xdr_data | fields _time, agent_hostname, actor_effective_username, agent_os_type , agent_os_sub_type, recordType | filter agent_os_type = ENUM.AGENT_OS_LINUX //and recordType = "edr" | alter minute_part = floor(divide(to_integer(extract_time(_time, "MINUTE")), 60)) | alter from_minute = multiply(minute_part, 60) | alter from_minute_str = if(from_minute = 0, "00", to_string(from_minute)) | alter to_minute_str = to_string(add(from_minute, 59)) | alter from = format_timestamp(concat("%Y-%m-%d %H:", from_minute_str, ":00"), _time, "+08:00") | alter to = format_timestamp(concat("%Y-%m-%d %H:", to_minute_str, ":59"), _time, "+08:00") | fields _time, minute_part, agent_hostname, actor_effective_username, from, to | comp count(agent_hostname) as log_count by agent_hostname , from, to | sort desc log_count //| comp sum(log_count ) as logsum by agent_hostname //| fields agent_hostname , logsum //| view graph type = line xaxis = from yaxis = log_count seriescolor("log_count","#12f332") headcolor = "#da3b10" gridcolor = "#7c2b0f </LI-CODE> <P> </P> <P><SPAN><BR /><FONT color="#FF6600">Third-party Data Ingestion </FONT></SPAN></P> <UL> <LI><FONT color="#333333"><FONT color="#333333"><SPAN>Option 1- XDR Query with simple conversion of size ingested<BR /></SPAN></FONT></FONT><LI-CODE lang="markup">dataset = metrics_source | fields _vendor , _product , total_size_bytes , total_size_rate | comp sum(total_size_bytes ) as ingestion by _product //count the sum of all the bytes ingested by different products | alter ingestiongb = divide (ingestion , pow(1024,3))//convert the respective data bytes to Gigabytes | fields _product ,ingestiongb | limit 20 | sort desc ingestiongb | view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = ingestiongb seriescolor("ingestiongb","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black" </LI-CODE> <P> </P> </LI> <LI><SPAN><SPAN>Show metrics data and convert into rounded MegaBytes of data streams<BR /></SPAN></SPAN><LI-CODE lang="markup">dataset = metrics_source | fields _vendor , _product , total_size_bytes , total_size_rate | comp sum(total_size_bytes ) as ingestion by _product | alter Ingestion_by_MB = divide(round(multiply(divide(ingestion , pow(2,20)),10000)),10000) //rounding out to 4 decimal places and convert to MB | fields _product ,Ingestion_by_MB | limit 20 | sort desc Ingestion_by_MB | view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = Ingestion_by_MB seriescolor("Ingestion_by_MB","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black" </LI-CODE> <P> </P> </LI> </UL> <P><FONT color="#FF6600">XSIAM </FONT></P> <UL> <LI>When any data source collector instance is in an error state<BR /><LI-CODE lang="markup">dataset = collection_auditing | filter (classification = """Error""" ) | comp latest(_time) by collector_type , instance , classification ,description </LI-CODE></LI> <LI><SPAN><SPAN>No data ingested by the data source within a time frame<BR /></SPAN></SPAN><LI-CODE lang="markup">preset = metrics_view | comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, _collector_name, _collector_type , _final_reporting_device_ip ,_final_reporting_device_name , _broker_device_id ,_vendor , _product | filter total_event_count_sum = 0</LI-CODE> <P> </P> </LI> <LI> <SPAN><SPAN>Volume of data and EPS by data source<BR /></SPAN></SPAN><LI-CODE lang="markup">preset = metrics_view | comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, _collector_name, _collector_type , _final_reporting_device_ip ,_final_reporting_device_name , _broker_device_id ,_vendor , _product </LI-CODE></LI> </UL> <P> </P> <H3> <STRONG>Additional XQL Resources and Training:</STRONG></H3> <P>Monitoring with XQL How-To Video: <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-monitoring-with-xql-data-ingestion/ta-p/564534" target="_blank" rel="noopener">Data Ingestion Metrics</A> </P> <P><A class="c-link c-link--underline" href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL" target="_blank" rel="noopener noreferrer nofollow" data-stringify-link="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL" data-sk="tooltip_parent">Cortex XDR XQL Language Reference</A></P> <P><A class="c-link c-link--underline" href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XQL-Schema-Reference-Guide" target="_blank" rel="noopener noreferrer nofollow" data-stringify-link="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Schema-Reference/Schema-Overview" data-sk="tooltip_parent">Cortex XDR XQL Schema Reference</A></P> <P><A href="https://beacon.paloaltonetworks.com/student/catalog/list?search=XQL+" target="_blank" rel="noopener">Beacon course </A><BR /><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056" target="_blank" rel="noopener">XQL basic crash course</A></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-xql-use-cases-and-applications-crash-course/ta-p/544228" target="_blank" rel="noopener">XQL use cases & applications crash course </A></P> <P> </P> <P><SPAN>Have a question?  Post it on our </SPAN><FONT color="#FF6600"><STRONG><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bd-p/Analytics_Discussions" target="_self">Discussions forum</A></STRONG></FONT></P> <P><FONT color="#FF6600"><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT> </FONT></P> </DIV> Wed, 13 Dec 2023 20:45:33 GMT rtsedaka 2023-12-13T20:45:33Z Cortex XDR Customer Success Webinar: Monitoring with XQL https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-monitoring-with-xql/ta-p/567803 <P>Click to review this webinar and check out the queries and other useful resources we share. </P> Wed, 13 Dec 2023 20:45:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-monitoring-with-xql/ta-p/567803 rtsedaka 2023-12-13T20:45:33Z