Filter a XQL Query of DNS requests

Arman_Zaheri — Thu, 18 Apr 2024 18:38:54 GMT

Hello,

I'm trying to write a XQL query to find DNS requests from clients in multiple IP ranges, e.g. "10.0.0.0/24, 10.1.1.0/24, 10.5.2.0/24, ..." and also filter DNS query name based on hundreds of domain names obtained from Firewall logs. How should I filter my query? Below you see a template of what I'm trying to start with:

preset= network_story
| filter (dns_query_name != null)
| arrayexpand dns_resolutions
| filter (action_local_ip in ???) and (dns_query_name in ???)

This is also a question for me, can we use a file or dataset as a parameter here? Is it possible to store a dynamic list obtained from Cortex Data Lake as a parameter?

Thank you for your support

Re: Filter a XQL Query of DNS requests

nsinghvirk — Fri, 02 Feb 2024 03:35:45 GMT

Hello @Arman_Zaheri

Apologies for delayed response. In order to filter the local IP against a range you can use incidr function as shown below.

preset=network_story
| alter inrange = incidr(action_local_ip ,"10.0.0.0/24")
| filter inrange = true

Output of incidr is a boolean (true/false) which you can filter next.

Regarding filtering out a list of domains, you need to create a lookup {Upload a csv, tsv, or json file (max. 30MB) to be used as a dataset} and then join it within in your query.

Reference lookup- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Datasets

Join stage- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Getrole

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

topic Re: Filter a XQL Query of DNS requests in Strata Logging Service Discussions

Filter a XQL Query of DNS requests

Re: Filter a XQL Query of DNS requests