HELP - XQL QUERY For XDR and XSOAR

L4 Transporter

Hi,

I am creating a playbook with the objective of integrating Cortex XSOAR and Cortex XDR.

The idea is for Cortex XSOAR to query Cortex XDR, retrieve all the assets detected by the broker scanner, and verify which assets do or do not have the XDR agent.

 

Does anyone know if this is possible?


My idea is to use both solutions to achieve as much automation as possible.


Another playbook later on will involve XSOAR querying the XDR vulnerability section to identify machines with missing CVEs, listing the machines and CVEs, and then identifying the necessary KBs.


Can anyone help me? Does anyone know if this is possible, even with an XQL query?

Best regards
Tiago Marques
4 REPLIES

L2 Linker

Hi @tlmarques 

We have data from network mapper scans in network_mapper_raw; you can get the results for detected hosts there. From there you can probably join the endpoints dataset and see which endpoint has the XDR agent based on IP address matching. That much should be possible, I think. I need to try to test out the query though.

 

Not sure about what you mention about CVEs. But we have va_endpoints with the data you need, i.e. each entry has the endpoint name and the CVE list that the endpoint is exposed to.

If you want to link it to applications as well, then you can use va_cves, which has other related info. That's what I can think of. I will try XQL and update if I can.

 

Hello @Fm12345 ,

Thanks for the information and help.
Where can I get network_mapper_raw? Through an XQL query?


If the mapper result tells me the IP or hostname and whether the machine has the XDR agent or not, that is perfect.

 

About CVEs it's the same thing: in the XDR tenant there is a module "Vulnerability Assessment", and my objective is to obtain the CVEs or machines that have update problems and then inject them into XSOAR to create automations.

Best regards
Tiago Marques

Yes, use the query below.

dataset = panw_network_mapper_raw
| filter ip not in (dataset = endpoints | arrayexpand ip_address | fields ip_address)
| fields ip, hostname

 

This will give you hosts that don't have the XDR agent. Use filters as per your need.
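The same host matching that the query above performs, as an added Python example (not code from this thread or from Palo Alto Networks) of the kind of automation that would consume the two result sets once XSOAR has them in context. The row shapes, the helper names and any field other than ip, hostname and ip_address are assumptions, and the sample rows are constructed.

```python
from ipaddress import ip_address

# Constructed sample rows shaped like the two XDR datasets the reply joins:
# panw_network_mapper_raw gives one ip/hostname per scanned host, while an
# endpoints row carries a list in ip_address (hence the arrayexpand in XQL).
MAPPER_ROWS = [
    {"ip": "10.0.0.5", "hostname": "web01"},
    {"ip": "10.0.0.6", "hostname": "db01"},
    {"ip": "10.0.0.7", "hostname": "printer-3f"},
    {"ip": " 10.0.0.8 ", "hostname": "nas01"},  # stray whitespace from scanner
]
ENDPOINT_ROWS = [
    {"endpoint_name": "web01", "ip_address": ["10.0.0.5", "192.168.1.5"]},
    {"endpoint_name": "db01", "ip_address": "10.0.0.6"},   # single string, not list
    {"endpoint_name": "nas01", "ip_address": ["10.0.0.8"]},
    {"endpoint_name": "laptop-9", "ip_address": None},    # agent with no reported IP
]


def _norm(value):
    """Canonicalise an IP string so ' 10.0.0.8 ' and '10.0.0.8' compare equal.
    Values that do not parse are kept verbatim so no host is silently dropped."""
    text = str(value).strip()
    try:
        return str(ip_address(text))
    except ValueError:
        return text


def agent_ip_set(endpoint_rows):
    """Flatten every endpoint's ip_address list: the `arrayexpand ip_address`
    step of the XQL query, tolerant of a bare string or a missing value."""
    ips = set()
    for row in endpoint_rows:
        addrs = row.get("ip_address") or []
        if isinstance(addrs, str):
            addrs = [addrs]
        ips.update(_norm(a) for a in addrs if a)
    return ips


def unmanaged_hosts(mapper_rows, endpoint_rows):
    """Hosts seen by the mapper whose IP belongs to no endpoint with an agent:
    the `filter ip not in (...) | fields ip, hostname` part of the query."""
    known = agent_ip_set(endpoint_rows)
    return [{"ip": _norm(r.get("ip")), "hostname": r.get("hostname")}
            for r in mapper_rows if _norm(r.get("ip")) not in known]
```

Feeding the two datasets through this instead of trusting raw string equality avoids false "no agent" findings caused by whitespace or list-versus-string differences in the exported rows.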

L4 Transporter

Hi @Fm12345, thanks a lot 😉

Do you know what the dataset is for the module "Vulnerability Assessment"?

 

Best regards
Tiago Marques