XQL Query for CVE counts in XDR per endpoint_name

MarkDupuis — Wed, 03 Jan 2024 19:41:41 GMT

does anyone have a xql query that will return endpoint_names with and associated CVE count?

Re: XQL Query for CVE counts in XDR per endpoint_name

cpayne26 — Thu, 04 Jan 2024 15:33:32 GMT

va_cves or va_endpoints would contain this data. Below are some example queries that might work.
======================================================

dataset = va_cves
| arrayexpand affected_hosts
| comp count(name) as Total_CVE_per_host by affected_hosts

===============================================

dataset = va_endpoints
|arrayexpand cves
|comp count(cves) by endpoint_name
==========================================
Here's the details on the schemas (va_cves and va_endpoints) https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerability-Assessment?tocId=VuEt62_vG3Boj_TAap2ZCg
Here's the link to the syntax example from the pandev page for the xql query engine integration. You would use this with the xdr-xql-generic-query command in xsoar https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---xql-query-engine#command-example

topic XQL Query for CVE counts in XDR per endpoint_name in Cortex XSOAR Discussions

XQL Query for CVE counts in XDR per endpoint_name

Re: XQL Query for CVE counts in XDR per endpoint_name