Query Network


L4 Transporter

Hello XDR Community!

When the Network (see screenshot) is deprecated, will it be possible to get all the information under Network Connections?

I don't get the same results, and no dst_host, which would be very useful.

Here is my query:

Network [ action type = all AND remote ip = XXX.XXX.XXX.X ] AND Time [ event timestamp in last 24H before Apr 9th 2022 01:03:51 ]

Does any of you have a future-proof XQL version of my query above?

[Screenshot: RFeyertag_0-1649460837699.png]

BR

Rob


4 Replies

L3 Networker

The two data sources deliver completely different results:

preset = xdr_agent_network | filter action_remote_ip = "185.x.x.x"

preset = network_story | filter action_remote_ip = "185.x.x.x"

Will there be a possibility to move the information from XDR_AGENT_NETWORK to NETWORK_STORY?

Am I right? PA will take this useful feature away because they want to sell us a firewall? We already have a firewall, and we just need this information, which is shown in the xdr_agent_network preset.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/fea...

Network Events Deprecation (Starting with the next Cortex XDR release)

After Cortex XDR introduced network collection events that are stitched across endpoints and the Palo Alto Networks next-generation firewall logs, there is no longer a need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using Network Connections in the Query Builder. When searching in XQL, you should avoid using the xdr_agent_network preset and use the network_story preset instead.

L3 Networker

@RFeyertag 

Please see if the XQL below helps your case. Please replace the necessary fields as per your requirements.

config case_sensitive = false
| preset = network_story
| filter agent_hostname = "you_end_point_name" and action_remote_ip != null and dst_action_external_hostname != null
| fields
_time as Time,
actor_process_os_pid as Pid,
actor_process_image_name as Process,
action_local_ip as Local_IP,
dst_action_external_hostname as External_Hostname,
action_remote_ip as Destination_IP,
action_remote_port as Destination_Port
| sort desc Time


Kind Regards
KS
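An XQL form of the original Query Builder query, added here as an example and not taken from any post in this thread: it uses only the network_story preset that the deprecation note recommends, declares the 24-hour window inside the query with `config timeframe` (assumed to be available as described in the XQL reference) so the period selector in the top right corner cannot silently change the result set, and keeps the remote IP as a placeholder.

```xql
// Added example, not from the thread: replace the placeholder IP before running.
// The window is declared in the query itself so the result does not depend on the UI period selector.
config timeframe = 24h
| preset = network_story
| filter action_remote_ip = "XXX.XXX.XXX.X"
| fields
    _time as Time,
    agent_hostname as Endpoint,
    actor_process_image_name as Process,
    action_local_ip as Local_IP,
    action_remote_ip as Destination_IP,
    action_remote_port as Destination_Port,
    dst_action_external_hostname as External_Hostname
| sort desc Time
```

If the absolute window from the Query Builder version is needed rather than a rolling one, `config timeframe` also accepts an explicit between-range in the XQL reference; check the exact date format there before relying on it.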

Hello to ALL!

I found the mistake.

It was my fault. I didn't check the period in the top right corner when writing the query *shame on me*.

The network_story works like the agent_network_story!

Thank you very much for the help!

BR

Rob
