Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-10-2024 06:27 AM
I have tried using the below XQL query to identify the domains accessed and tried to test it using my own system but somehow I am not getting all the results. For eg : when I tried common domain names like "google.com", "reddit.com". It worked and fetched results for me. When I tried to access a specific uncommon domain name like for eg : "https://support.paloaltonetworks.com/" or "https://learn.microsoft.com/" on my system and then searched for this domain names using the below mentioned query it fetched no results.
I am not sure if there is something missing in the query to cover all the results. This has been a requirement for a long time but couldn't find a out of the box query from the query helper in XDR. Would appreciate if someone can help with this.
config case_sensitive = false
| preset = network_story
| filter (dns_resolutions != null)
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname, actor_process_image_name, actor_process_image_path, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions
| filter Resolution_Name contains $domain
| sort desc _time
Note : I replace the $domain with the a domain I want to look up.
05-10-2024 08:12 AM
Hi @ShubhamT281, thanks for reaching us using the Live Community.
I was able to reach the result using a more simple query:
config case_sensitive = false
| preset = network_story
| filter dst_action_external_hostname contains "yourdomain.com"The field "dst_action_external_hostname" is the key using that preset.
If this post answers your question, please mark it as the solution.
05-10-2024 08:12 AM
Hi @ShubhamT281, thanks for reaching us using the Live Community.
I was able to reach the result using a more simple query:
config case_sensitive = false
| preset = network_story
| filter dst_action_external_hostname contains "yourdomain.com"The field "dst_action_external_hostname" is the key using that preset.
If this post answers your question, please mark it as the solution.
05-13-2024 04:37 AM
Hi @jmazzeo ,
This query works, thanks a lot for the prompt response.
05-27-2024 11:52 AM
config case_sensitive = false timeframe = 30d
|dataset = xdr_data
| filter dns_query_name contains "insert domain" or action_external_hostname contains "insert domain" or dst_action_external_hostname contains "insert domain"
this is what we use to see any attempts registered by XDR to access the domains.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
