03-20-2023 11:21 AM
We wanted to see if we could use XQL to query for whether a URL was visited in our environment. Is there a way to structure a working query for this using XQL? We've tried unsuccessfully so far, so we are turning to you, the community.
Thank you for any assistance.
03-20-2023 12:49 PM
Hi @KErickson1,
There are a few ways you could go about forming this type of query via XQL. If the forensics add-on is in use, you can query the various forensics_<browser>_history datasets.
Another option could be investigating DNS queries from clients with the XDR agent installed using the network_story preset. Of course, this won't be as detailed as entries in a browser history database (will not be able to determine if a specific URL was visited), but can still be useful in an investigation. Here is a query to help get started with this:
config case_sensitive = false
| preset = network_story
| filter (dns_resolutions != null)
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname, actor_process_image_name, actor_process_image_path, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions
| filter Resolution_Name contains $domain
| sort desc _time
If you save it to the query library, you can input a particular domain name you are interested in, or simply replace $domain in line 7 with your target domain directly in the query (e.g. "example.com").
I hope this helps!
Regards,
Tim
03-20-2023 03:22 PM
Thanks Tim for getting back to us so quickly, this worked brilliantly first run!
10-18-2024 11:41 AM
What if you need to search 50 domains at once? Is there an efficient way?
10-20-2024 09:53 AM
The query below may also help you:
preset = network_story
| filter dst_action_external_hostname in ("google.com", "telegram.com")
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, agent_os_type, action_remote_ip, action_remote_port, actor_remote_ip, actor_remote_port, dst_action_external_hostname, action_external_hostname, action_total_upload
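As an added example (not from the thread and not Palo Alto Networks code), a small Python helper that builds the multi-domain in (...) filter from the answer above for a watchlist of any length, such as the 50 domains asked about. The preset, field names and the config case_sensitive / sort lines are taken from the two queries posted in this thread; the function names, the hostname validation rule and the constructed sample watchlist are this example's own assumptions. It only generates the query text; it does not run anything against Cortex XDR. Each hostname is lower-cased, stripped, de-duplicated and checked against a bare-hostname grammar before it is spliced into a string literal, so a stray quote, space, URL scheme or path from a pasted list cannot change the structure of the query. Note also that an in (...) list is an exact match, whereas the contains filter in the first answer is a substring match ("example.com" would also hit "notexample.com").

```python
"""Build the multi-domain XQL hostname filter from the thread for any list of
domains.  Added example: preset and field names come from the posted queries,
everything else (function names, validation rule, sample list) is assumed."""
import re

# One RFC 1123 label: alphanumerics and hyphens, 1-63 chars, no leading or
# trailing hyphen.  Underscores are deliberately rejected; relax if needed.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")

# Field list from the second answer in the thread (trimmed), with _time kept
# so the final sort has something to order on.
DEFAULT_FIELDS = (
    "_time", "agent_hostname", "agent_ip_addresses", "actor_effective_username",
    "agent_os_type", "action_remote_ip", "action_remote_port",
    "dst_action_external_hostname", "action_total_upload",
)


def parse_domain_list(text):
    """Parse a one-domain-per-line watchlist; blank lines and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def normalize_domains(domains):
    """Lower-case, drop a trailing dot, validate and de-duplicate (order kept).

    Anything that is not a bare hostname raises ValueError, so a quote, space,
    URL scheme or path can never end up inside the XQL string literal.
    """
    cleaned = []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if not _HOSTNAME_RE.match(d):
            raise ValueError(f"not a bare hostname: {raw!r}")
        cleaned.append(d)
    if not cleaned:
        raise ValueError("no domains supplied")
    return list(dict.fromkeys(cleaned))


def build_hostname_query(domains, fields=DEFAULT_FIELDS):
    """Return the network_story query with an exact-match in (...) list.

    Exact matching avoids the substring hits a 'contains' filter produces
    (e.g. "example.com" also matching "notexample.com").
    """
    quoted = ", ".join(f'"{d}"' for d in normalize_domains(domains))
    return "\n".join([
        "config case_sensitive = false",
        "| preset = network_story",
        f"| filter dst_action_external_hostname in ({quoted})",
        f"| fields {', '.join(fields)}",
        "| sort desc _time",
    ])


if __name__ == "__main__":
    # Constructed sample watchlist: mixed case, whitespace, a trailing dot,
    # a comment and a duplicate, to show the normalization at work.
    SAMPLE = """
    # constructed watchlist, not real data
    Google.com
    telegram.com   # as in the thread
    google.com.
    mail.Google.com
    """
    print(build_hostname_query(parse_domain_list(SAMPLE)))
```

Paste the printed query into the XQL search as-is. If a list contains something that is not a hostname (a full URL, a path, a trailing quote from a copy/paste), the helper refuses to build the query rather than silently producing a filter that matches nothing or, worse, matches something other than intended.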