This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cortex XQL help

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XQL help

elnur.abbasov
L0 Member

‎07-12-2024 06:24 AM

Hello Dear Community, I want to count events based on specified time periods. For example I want to query hosts that scanned more than 50 hosts in 10 seconds. How can I write XQL in that case?  

Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
2 REPLIES 2

aspatil
L5 Sessionator

‎07-16-2024 12:02 AM

Hello @elnur.abbasov ,

 

Could you please confirm what kindly of events are you looking for and what type of scanning you have mentioned.

 

Regards,

Ashutosh

Ashutosh Patil
0 Likes Likes

Antony_Chan
L2 Linker

‎07-17-2024 01:07 AM

Hello @elnur.abbasov ,


Not a direct answer to your question, but you may start with the one that I'm using:

dataset = xdr_data
//Event_type = 2 is referred to "NETWORK"
//Search for remote host that scan for specific ports
| filter event_type = 2 and action_network_is_server = True and action_remote_ip not in (null, "::1", "127.0.0.1") and causality_actor_process_image_path = "System" 
| comp count_distinct(action_local_ip) as connection_count, values(action_local_ip) as destination by action_remote_ip,action_local_port
| filter connection_count > 100

//Joining XDR endpoint dataset to validate the present of Cortex XDR agent on Remote IP
| join type=left conflict_strategy = right  (
    dataset=endpoints 
    | filter ip_address != null 
    | fields ip_address, endpoint_name
    | arrayexpand ip_address) as ep ep.ip_address = action_remote_ip
| filter endpoint_name = null
//Correlate hostname based on ip address. This information are obtained from NGFW. (Fairly reliable, but not 100% accurate - especially workstation's ip will change due to DHCP.)
| join type= left conflict_strategy = right (
    preset = network_story 
    | filter action_external_hostname != null
    | dedup action_local_ip
    | fields action_external_hostname as DNS_name, action_local_ip) as FWdata fwdata.action_local_ip = action_remote_ip 
| fields action_remote_ip as remote_ip, DNS_name, destination, connection_count, action_local_port as destination_port
| sort desc connection_count

Let me know if you have any questions.

AC
0 Likes Likes
  • 492 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks