Create a correlation between xdr agent and palo alto url filtering

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Create a correlation between xdr agent and palo alto url filtering

L2 Linker

Hi,

 

I need to get the correlation between url that are being access and found through url filtering in PA FW and xdr agent that shows me which machine are accessing this url.

In Cortex XDR I can see the the log from PA Firewall, source ip it is our internal DNS and destination the malicious URL, and I need to know who is doing this query, which user and client IP.

1 REPLY 1

L3 Networker

Hi Fabio, 

 

If you have Configured Your Network Devices to send PAN NGFW logs to the Cortex Data Lake, you can create an XQL query to search for the correlation. 

For example, the below query uses the Network Story preset, which groups xdr_data fields that are useful for analyzing specific areas of network and endpoint activity; this query displays any connections done by the specified browser(s) processes for an IP configured in the PANW NGFW logs:

preset = network_story  // Using XDR network story preset
| filter action_remote_ip = "ipaddress" and lowercase(actor_process_image_name) in ("chrome.exe", "msedge.exe","opera.exe", "firefox.exe", "iexplore.exe") // "ipaddress" enter the ipaddress associated with the event. Enter the browser process name
| fields agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line // selecting the relevant fields
| dedup agent_hostname, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, actor_process_image_path, actor_process_image_sha256, actor_process_command_line  by asc _time // dedupping to only show the first time it happened
| sort desc _time  // sorting in desc order

 

The network story preset also entails:

network_story dns_query_name string
network_story dns_query_type string
network_story dns_resolutions json
network_story dns_reply_code string

 

Thank you

If you found this answer helpful, please select Accept as Solution.
  • 943 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!