Cortex XQL Query


L0 Member

Hi Guys,

Sort of new to XDR. Does anyone have any good XQL queries for detecting assets without Cortex agents installed, and for detecting whether the cyserver service has stopped working?

Thanks

L3 Networker

Hi @KarlHalpin The Agent Service is captured in the Agent Audit Logs. The agent audit logs are not currently exposed as a dataset in order to be queried using XQL. The agent audit logs can be exported to file, or you may configure notification forwarding to support your monitoring needs.

From an XQL enablement standpoint, there is a new feature to Pause Endpoint Protection that requires the Cortex XDR agent 7.7 and above, which is a part of the Endpoints dataset; therefore, you can leverage XQL. Please reference the following example query:

dataset = endpoints | filter manual_protection_pause = "PROTECTION_PAUSED"

The results from this XQL query will display only endpoints that are configured with the XDR agent and have the endpoint protection manually paused.

L4 Transporter

To add onto what @WSeldenIII stated for endpoints without XDR, you can achieve the same with Network Mapper.

Alternatively, you can look at integrating Cloud Identity Engine and compare the assets with the endpoints dataset, and identify the assets that do not appear in both datasets with XQL.
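The two queries below are an added worked example of the approach described in the replies above; they are not from the thread or from Palo Alto Networks documentation. The first one does the "assets in the inventory but not in the endpoints dataset" comparison with a left join; the dataset name cloud_identity_engine_assets and its host_name and last_logon_ip fields are assumed placeholders for whatever the Cloud Identity Engine (or Network Mapper) integration exposes in your tenant, so check the real names with `dataset = <name> | fields *` first. The second is the closest XQL can get to the cyserver question given that the agent audit logs are not queryable: it lists endpoints whose status is not CONNECTED or whose last check-in is older than 24 hours, which is where a stopped agent service shows up. The endpoint_status values and the exact field names should be verified against your own endpoints dataset.

```xql
// Added example, not from the original thread.
// Query 1: assets known to the identity/asset inventory that have no Cortex XDR agent.
// ASSUMPTION: an inventory dataset named cloud_identity_engine_assets with a
// host_name field exists; substitute the real dataset and field names.
dataset = cloud_identity_engine_assets
| alter asset_host = lowercase(host_name)
| join type = left (
      dataset = endpoints
      | alter ep_host = lowercase(endpoint_name)
      | fields ep_host, endpoint_name, endpoint_status
  ) as ep ep.ep_host = asset_host
// rows with no matching endpoint get null on the joined side
| filter ep.endpoint_name = null
| fields asset_host, last_logon_ip
| sort asc asset_host

// Query 2: agents that are not checking in (disconnected, lost, or silent for > 24h).
// ASSUMPTION: endpoint_status uses the value "CONNECTED" for healthy agents and
// last_seen is the agent's last check-in timestamp.
dataset = endpoints
| filter endpoint_status != "CONNECTED"
    or timestamp_diff(current_time(), last_seen, "HOUR") > 24
| fields endpoint_name, ip_address, endpoint_status, last_seen, agent_version
| sort desc last_seen
```

Run each query on its own (XQL executes one query per run). Hostnames are lower-cased on both sides before the join because inventory sources and the agent often report different casing, which would otherwise produce false "missing agent" hits; if the inventory only carries FQDNs and the agent only short names, add a `split`/`arrayindex` step on the dot before joining. Query 2 is a proxy, not a direct detection of cyserver stopping: an endpoint that is powered off looks the same, so correlate the result with the inventory's last-logon data before treating it as an agent failure.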
