This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cortex XDR Query Builder

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR Query Builder

willh1
L0 Member

‎07-29-2022 08:46 AM

Hello Community,

Was wondering whether someone could assit me with an issue.

So at the moment i cannot make any search via the "Query Builder".

When i move to query center and create a custom query i can only return results when i search "dataset = pan_ngfw"

when i enter a search for network story i get results but with barely any information (below)

 


I have checked that cortex data lake is sending all necsassary logs from fw (file_data, threat, traffic, global protect etc)

Can someone please adivse

willh1_0-1659109209207.png

0 Likes Likes
1 REPLY 1

mfakhouri
L3 Networker

‎08-03-2022 12:17 PM

Hello @willh1,

 

If you have already confirmed that the Cortex Data Lake is sending the necessary logs (following the adequate procedures found at the documentation listed below), please ensure that you are able to view the firewall on the hub. From apps.paloaltonetworks.com/apps, navigate to the “Cortex Data Lake” app and ensure that your configured firewall is connected. This is indicated on the Inventory page with a green connected button under the "Connection Status" column.

 

Please ensure that you have an up-to-date Pro-per-TB license as well since it could be the case that you are not hitting a quota under Dataset Management with an expired license. Navigate to Configurations > Data Management > Dataset Management to view your quota under the "Storage License Details" and ensure it does not exceed as indicated by the graph.

 

Would you be able to provide the query you are searching with on the Query Builder or see if there are any results when utilizing the Network Connection query?

 

Relevant documentation:

 

Start sending logs to the Cortex Data Lake:

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-start...

 

View Data Lake Inventory to see if the Firewall is connected:

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/monitor-c...

 

Data Management page:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/dataset-man...

0 Likes Likes
  • 1718 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks