Create a correlation between xdr agent and palo alto url filtering


L2 Linker

Hi,

I need to correlate the URLs that are being accessed and found through URL Filtering on the PA firewall with the XDR agent, which shows me which machine is accessing the URL.

In Cortex XDR I can see the log from the PA firewall: the source IP is our internal DNS server and the destination is the malicious URL, and I need to know who is doing this query, which user and client IP.


L3 Networker

Hi Fabio, 

If you have configured your network devices to send PAN NGFW logs to the Cortex Data Lake, you can create an XQL query to search for the correlation.

For example, the query below uses the network_story preset, which groups the xdr_data fields that are useful for analyzing specific areas of network and endpoint activity. This query displays any connections made by the specified browser process(es) to an IP that appears in the PANW NGFW logs:

preset = network_story  // use the XDR network_story preset
| filter action_remote_ip = "ipaddress" and lowercase(actor_process_image_name) in ("chrome.exe", "msedge.exe", "opera.exe", "firefox.exe", "iexplore.exe")  // replace "ipaddress" with the destination IP from the NGFW event; adjust the browser process names as needed
| fields agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line  // select the relevant fields
| dedup agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line by asc _time  // deduplicate so only the first occurrence of each combination is shown
| sort desc _time  // newest first

The network_story preset also includes these DNS fields (dataset, field, type):

network_story  dns_query_name   string
network_story  dns_query_type   string
network_story  dns_resolutions  json
network_story  dns_reply_code   string


Thank you

If you found this answer helpful, please select Accept as Solution.
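The firewall logs in the question carry the internal DNS server as the source, so filtering on action_remote_ip as in the reply only works when the client talked to the destination directly. When the firewall saw the DNS forwarder, the pivot that answers "which user and client IP" is the domain name: the endpoint event whose dns_query_name matches the blocked domain shortly before the firewall hit is the client. The following Python is an added example, not code from this thread or from Palo Alto Networks. It runs that correlation offline over constructed events whose endpoint fields follow the network_story names shown in the reply (dns_query_name, agent_hostname, action_local_ip, actor_process_image_name); the forwarder address 10.0.0.53, the NGFW field names src_ip and url_domain, and the endpoint field actor_effective_username are assumptions for the illustration.

```python
"""Attribute NGFW URL-filtering hits whose source is the internal DNS forwarder
to the endpoint that actually asked for the domain.

Added example, not code from this thread or from Palo Alto Networks. Endpoint
events use the network_story field names quoted in the reply (dns_query_name,
agent_hostname, action_local_ip, actor_process_image_name); the NGFW field
names, the forwarder address and actor_effective_username are assumptions.
All events are constructed for the illustration.
"""
from datetime import datetime

DNS_FORWARDER_IP = "10.0.0.53"  # assumed: the DNS server the firewall sees as source

# Constructed NGFW URL-filtering events as ingested into Cortex XDR.
NGFW_EVENTS = [
    {"_time": "2024-05-01T10:00:07Z", "src_ip": "10.0.0.53",
     "url_domain": "malicious.example", "action": "block-url"},
    {"_time": "2024-05-01T10:05:00Z", "src_ip": "10.0.0.53",
     "url_domain": "update.vendor.example", "action": "alert"},
    # a client that bypassed the forwarder: the firewall already has its IP
    {"_time": "2024-05-01T10:06:00Z", "src_ip": "10.1.2.99",
     "url_domain": "malicious.example", "action": "block-url"},
]

# Constructed endpoint DNS events in the shape of the network_story preset.
XDR_DNS_EVENTS = [
    {"_time": "2024-05-01T10:00:05Z", "agent_hostname": "WS-FABIO01",
     "action_local_ip": "10.1.2.34", "actor_effective_username": "corp\\fabio",
     "actor_process_image_name": "chrome.exe", "dns_query_name": "MALICIOUS.example."},
    {"_time": "2024-05-01T09:20:00Z", "agent_hostname": "WS-OLD02",   # 40 min earlier: out of window
     "action_local_ip": "10.1.2.35", "actor_effective_username": "corp\\alice",
     "actor_process_image_name": "chrome.exe", "dns_query_name": "malicious.example"},
    {"_time": "2024-05-01T10:00:30Z", "agent_hostname": "WS-LATE03",  # after the hit: cannot be the cause
     "action_local_ip": "10.1.2.36", "actor_effective_username": "corp\\bob",
     "actor_process_image_name": "firefox.exe", "dns_query_name": "malicious.example"},
    {"_time": "2024-05-01T10:04:58Z", "agent_hostname": "SRV-BUILD",
     "action_local_ip": "10.1.5.10", "actor_effective_username": "corp\\svc-build",
     "actor_process_image_name": "msedge.exe", "dns_query_name": "update.vendor.example"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _norm(name):
    # DNS names are case-insensitive and may carry a trailing dot in query logs
    return name.lower().rstrip(".")


def correlate(ngfw_events, dns_events, forwarder_ip, window_seconds=60):
    """Return one attribution record per (firewall hit, endpoint) pair.

    A hit whose source is the forwarder is matched to endpoint DNS queries for
    the same name that happened within window_seconds *before* the hit; the
    closest query is listed first and each host is reported once per hit (like
    the dedup stage in the reply's XQL). Hits from any other source are
    attributed to their own src_ip directly.
    """
    by_name = {}
    for ev in dns_events:
        by_name.setdefault(_norm(ev["dns_query_name"]), []).append(ev)

    results = []
    for fw in ngfw_events:
        domain = _norm(fw["url_domain"])
        fw_time = _ts(fw["_time"])
        if fw["src_ip"] != forwarder_ip:
            results.append({"url_domain": domain, "fw_time": fw["_time"], "via_forwarder": False,
                            "agent_hostname": None, "action_local_ip": fw["src_ip"],
                            "user": None, "process": None, "lag_s": 0.0})
            continue

        candidates = []
        for ev in by_name.get(domain, []):
            lag = (fw_time - _ts(ev["_time"])).total_seconds()
            if 0 <= lag <= window_seconds:   # query must precede the hit, and recently
                candidates.append((lag, ev))

        seen = set()
        for lag, ev in sorted(candidates, key=lambda c: c[0]):
            key = (ev["agent_hostname"], ev["action_local_ip"])
            if key in seen:
                continue
            seen.add(key)
            results.append({"url_domain": domain, "fw_time": fw["_time"], "via_forwarder": True,
                            "agent_hostname": ev["agent_hostname"],
                            "action_local_ip": ev["action_local_ip"],
                            "user": ev["actor_effective_username"],
                            "process": ev["actor_process_image_name"], "lag_s": lag})
    return results


if __name__ == "__main__":
    for r in correlate(NGFW_EVENTS, XDR_DNS_EVENTS, DNS_FORWARDER_IP):
        print(r)
```

The window direction matters: a query logged after the firewall event (WS-LATE03 above) cannot have caused it, and a query from long before (WS-OLD02) is a separate visit, so both are dropped rather than reported as suspects. Inside Cortex XDR the same pivot would be the reply's query with its filter swapped from action_remote_ip to the DNS name, e.g. `| filter dns_query_name = "malicious.example"`, and `_time` restricted to the minute before the firewall event; that adaptation is assumed here, not a query from the thread.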