Looking for a XQL query to identify if a specific domain is accessed in our environment.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Looking for a XQL query to identify if a specific domain is accessed in our environment.

L1 Bithead

I have tried using the below XQL query to identify the domains accessed and tried to test it using my own system but somehow I am not getting all the results. For eg : when I tried common domain names like "google.com", "reddit.com". It worked and fetched results for me. When I tried to access a specific uncommon domain name like for eg : "https://support.paloaltonetworks.com/" or "https://learn.microsoft.com/" on my system and then searched for this domain names using the below mentioned query it fetched no results.

 

I am not sure if there is something missing in the query to cover all the results. This has been a requirement for a long time but couldn't find a out of the box query from the query helper in XDR. Would appreciate if someone can help with this.

 

config case_sensitive = false
| preset = network_story
| filter (dns_resolutions != null)
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname, actor_process_image_name, actor_process_image_path, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions
| filter Resolution_Name contains $domain
| sort desc _time

 

Note : I replace the $domain with the a domain I want to look up.

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @ShubhamT281, thanks for reaching us using the Live Community.

 

I was able to reach the result using a more simple query:

 

config case_sensitive = false
| preset = network_story
| filter dst_action_external_hostname contains "yourdomain.com"

The field "dst_action_external_hostname" is the key using that preset.

 

If this post answers your question, please mark it as the solution.

JM

View solution in original post

3 REPLIES 3

L5 Sessionator

Hi @ShubhamT281, thanks for reaching us using the Live Community.

 

I was able to reach the result using a more simple query:

 

config case_sensitive = false
| preset = network_story
| filter dst_action_external_hostname contains "yourdomain.com"

The field "dst_action_external_hostname" is the key using that preset.

 

If this post answers your question, please mark it as the solution.

JM

L1 Bithead

Hi @jmazzeo ,

This query works, thanks a lot for the prompt response.

L1 Bithead

config case_sensitive = false timeframe = 30d

|dataset = xdr_data

| filter dns_query_name contains "insert domain" or action_external_hostname contains "insert domain" or dst_action_external_hostname contains "insert domain"

 

this is what we use to see any attempts registered by XDR to access the domains.

  • 1 accepted solution
  • 1779 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!