This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HELP - XQL QUERY For XDR and XSOAR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HELP - XQL QUERY For XDR and XSOAR

tlmarques
L3 Networker

‎05-17-2024 09:04 AM

Hi,

I am creating a playbook with the objective of integrating Cortex XSOAR  and Cortex XDR 

The idea is for Cortex XSOAR  to query Cortex XDR  , retrieve all the assets detected by the broker scanner, and verify which assets do or do not have the XDR agent.

 

Does anyone know if this is possible?


My idea is to use both solutions to achieve as much automation as possible.


Another playbook later on will involve XSOAR querying the XDR vulnerability section to identify machines with missing CVEs, listing the machines and CVEs, and then identifying the necessary KBs.


Can anyone help me? Does anyone know if this is possible, even with an XQL query?

Best regards
Tiago Marques
0 Likes Likes
4 REPLIES 4

Fm12345
L1 Bithead

‎05-17-2024 09:22 AM

Hi @tlmarques 

We have data of network mapper scans in network_mapper_raw you can get results of detected hosts there. From there you can probably join endpoints dataset and see which endpoint has xdr agent based on Ip address matching. That much should be possible I think. I need to try to test out the query though. 

 

Not sure about what you mention about cves. But we have va_endpoints with data you need. I.e each entry has endpoint name,cve list that the endpoint is exposed to.

If you want to link it to applications as well then you can use va_cves which has other related info. That's what I can think of. I will try xql and update if I can.

 

tlmarques
L3 Networker
In response to Fm12345

‎05-17-2024 09:29 AM

Hello @Fm12345 ,

Thanks for the information and help.
Where can I get network_mapper_raw? through XQL query?


If the mapper result tells me that the IP or hostname and if machine have or not XDR agent is perfect.

 

About CVE's it's the same thing, in the XDR tenant there is a module "Vulnerability Assessment", and my objective is to obtain the CVE's or machines that have update problems and then inject them into XSOAR to create automations.

Best regards
Tiago Marques
0 Likes Likes

Fm12345
L1 Bithead
In response to tlmarques

‎05-17-2024 09:38 AM

Yes.. use below query.

dataset = panw_network_mapper_raw

| filter ip not in (dataset = endpoints | arrayexpand ip_address |fields ip_address )

|fields ip,hostname

 

This will give you hosts that don't have xdr agent.  Use filters as per your need.

(1)

tlmarques
L3 Networker

‎05-20-2024 03:32 AM

Hi @Fm12345  thanks a lot 😉 

do you know what is dataset for module "Vulnerability Assessment"?

 

Best regards
Tiago Marques
0 Likes Likes
  • 680 Views
  • 4 replies
  • 0 Likes
  • 78 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks