Combine dataset of File Path XDR-dataset and PANNGFW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Combine dataset of File Path XDR-dataset and PANNGFW

L1 Bithead

Hi Expert ,

 

I would like to know how to combine or join dataset between XDR-data and PANNGFW  I make xql of PANNGFW  when found, alert wildfire or antivirus will show file-sha256 by the way I want to combine dataset of xdr-agent to find file-path this example my rule of panngfw 

 

dataset in (panw_ngfw_threat_raw )
| alter user= source_user ,Src_IP = source_ip , Dst_IP= dest_ip , Threat_name = threat_name ,Threat_category=threat_category,Port= dest_port,File_SHA256=file_sha_256,Serveritys = severity ,File_Name=file_name
|filter File_SHA256 != Null
| fields _time , user , Src_IP , Dst_IP, Threat_name,Threat_category, Serveritys ,Port,File_Name,File_SHA256

 

 

Thank you

 

 

 

 

 

 

1 accepted solution

Accepted Solutions

L2 Linker

Hi @Pattarachai-FTH 

Looking at your query, you can join that with XDr data (using file sha256 as the common criteria as i understood ) and can be written as below:


dataset = panw_ngfw_threat_raw
| alter user= source_user ,Src_IP = source_ip , Dst_IP= dest_ip , Threat_name = threat_name ,Threat_category=threat_category,Port= dest_port,File_SHA256=file_sha_256,Serveritys = severity ,File_Name=file_name
|filter File_SHA256 != Null
| fields _time , user , Src_IP , Dst_IP, Threat_name,Threat_category, Serveritys ,Port,File_Name,File_SHA256

| join (dataset = xdr_data ) as XDR xdr.action_file_sha256 = File_SHA256


For the above query , you can the fields of interest and also stage more filter to get to the final requirment you are trying to build for your use case.

I Hope that helps and shed some light, please do let me know if you have any questions, and if this answers your question, feel free to mark this as a resolution so others can benefit from! 

Best
Z

Z

View solution in original post

3 REPLIES 3

L4 Transporter

Hello @Pattarachai-FTH 

 

Thanks for reaching out on LiveCommunity!

You can use 'join' stage to combine results from two datasets. Please refer to below document to learn about it. There is also an example query included within it.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join

 

 

L2 Linker

Hi @Pattarachai-FTH 

Looking at your query, you can join that with XDr data (using file sha256 as the common criteria as i understood ) and can be written as below:


dataset = panw_ngfw_threat_raw
| alter user= source_user ,Src_IP = source_ip , Dst_IP= dest_ip , Threat_name = threat_name ,Threat_category=threat_category,Port= dest_port,File_SHA256=file_sha_256,Serveritys = severity ,File_Name=file_name
|filter File_SHA256 != Null
| fields _time , user , Src_IP , Dst_IP, Threat_name,Threat_category, Serveritys ,Port,File_Name,File_SHA256

| join (dataset = xdr_data ) as XDR xdr.action_file_sha256 = File_SHA256


For the above query , you can the fields of interest and also stage more filter to get to the final requirment you are trying to build for your use case.

I Hope that helps and shed some light, please do let me know if you have any questions, and if this answers your question, feel free to mark this as a resolution so others can benefit from! 

Best
Z

Z

Hi @zarnous 

 

Thank you for your recommend I will follow for this  

 

 

  • 1 accepted solution
  • 628 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!