Hello XDR Community!
When the Network preset (see screenshot) is deprecated, will it still be possible to get all the information under Network Connections?
I don't get the same results, and no dst_host, which would be very useful.
Here is my Query:
Network [ action type = all AND remote ip = XXX.XXX.XXX.X ] AND Time [ event timestamp in last 24H before Apr 9th 2022 01:03:51 ]
Does anybody have a future-proof XQL version of my query above?
Am I right that PA will take this useful feature away because they want to sell us a firewall? We already have a firewall and we just need this information, which is shown in the xdr_agent_network preset.
Network Events Deprecation
(Starting with the next Cortex XDR release)
After Cortex XDR introduced network collection events, which are stitched across endpoints and Palo Alto Networks next-generation firewall logs, there is no longer a need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using Network Connections in the Query Builder. When searching in XQL, you should avoid using the xdr_agent_network preset and use the
Please see if the XQL below helps your case. Replace the necessary fields as per your requirements.
config case_sensitive = false | preset = network_story | filter agent_hostname = "you_end_point_name" and action_remote_ip != null and dst_action_external_hostname != null | fields _time as Time, actor_process_os_pid as Pid, actor_process_image_name as Process, action_local_ip as Local_IP, dst_action_external_hostname as External_Hostname, action_remote_ip as Destination_IP, action_remote_port as Destination_Port | sort desc Time
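As an added example (not from the original post, the reply above, or Palo Alto Networks documentation), here is a direct translation of the asker's Query Builder search, "Network [action type = all AND remote ip = XXX.XXX.XXX.X]", onto the network_story preset. It keeps the filter to the remote IP only, so that connections whose destination hostname was never resolved are not dropped the way the "dst_action_external_hostname != null" filter in the reply above drops them; the 24-hour window before a fixed date is set with the query time range picker, exactly as in the original Query Builder search. The field names action_local_port and dst_agent_hostname are assumptions about the network_story schema and should be checked against the preset's field list in your tenant; the remaining fields are the ones used in the reply above.

```xql
// Added example, not code from the original post or from Palo Alto Networks.
// Equivalent of: Network [action type = all AND remote ip = XXX.XXX.XXX.X]
// Time range: set "last 24H before <date>" with the XQL time range picker.
// Assumed field names (verify in your tenant): action_local_port, dst_agent_hostname.
config case_sensitive = false
| preset = network_story
| filter action_remote_ip = "XXX.XXX.XXX.X"
| fields _time as Time, agent_hostname as Source_Host, actor_process_image_name as Process, action_local_ip as Local_IP, action_local_port as Local_Port, action_remote_ip as Destination_IP, action_remote_port as Destination_Port, dst_action_external_hostname as Destination_Host, dst_agent_hostname as Destination_Endpoint
| sort desc Time
```

Destination_Host comes from dst_action_external_hostname, which is the network_story counterpart of the dst_host column the asker misses in the old Network preset; Destination_Endpoint is populated only when the connection was stitched to another Cortex XDR agent, so expect it to be empty for external destinations.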