- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-17-2024 09:04 AM
Hi,
I am creating a playbook with the objective of integrating Cortex XSOAR and Cortex XDR .
The idea is for Cortex XSOAR to query Cortex XDR , retrieve all the assets detected by the broker scanner, and verify which assets do or do not have the XDR agent.
Does anyone know if this is possible?
My idea is to use both solutions to achieve as much automation as possible.
Another playbook later on will involve XSOAR querying the XDR vulnerability section to identify machines with missing CVEs, listing the machines and CVEs, and then identifying the necessary KBs.
Can anyone help me? Does anyone know if this is possible, even with an XQL query?
05-17-2024 09:22 AM
Hi @tlmarques
We have data of network mapper scans in network_mapper_raw you can get results of detected hosts there. From there you can probably join endpoints dataset and see which endpoint has xdr agent based on Ip address matching. That much should be possible I think. I need to try to test out the query though.
Not sure about what you mention about cves. But we have va_endpoints with data you need. I.e each entry has endpoint name,cve list that the endpoint is exposed to.
If you want to link it to applications as well then you can use va_cves which has other related info. That's what I can think of. I will try xql and update if I can.
05-17-2024 09:29 AM
Hello @Fm12345 ,
Thanks for the information and help.
Where can I get network_mapper_raw? through XQL query?
If the mapper result tells me that the IP or hostname and if machine have or not XDR agent is perfect.
About CVE's it's the same thing, in the XDR tenant there is a module "Vulnerability Assessment", and my objective is to obtain the CVE's or machines that have update problems and then inject them into XSOAR to create automations.
05-17-2024 09:38 AM
Yes.. use below query.
dataset = panw_network_mapper_raw
| filter ip not in (dataset = endpoints | arrayexpand ip_address |fields ip_address )
|fields ip,hostname
This will give you hosts that don't have xdr agent. Use filters as per your need.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!