- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-08-2022 04:39 PM
Hello XDR Community!
when the network (see screenshot) will be depprecated, will it be possible to get all the informations under network connections?
I don't get the same results and not dst_host which would be very usefull.
Here is my Query:
Network [ action type = all AND remote ip = XXX.XXX.XXX.X ] AND Time [ event timestamp in last 24H before Apr 9th 2022 01:03:51 ]
Has anybody of you a future proof XQL version of my query above?
BR
Rob
04-15-2022 05:33 AM
Hello to ALL!
I found the mistake.
It was my fault. I didn't check the period in the top right corner when writing the query *shame on me*
The network_story works like the agent_network_story!
Thanks you very much for the help!
BR
Rob
04-09-2022 12:19 PM
The two data sources deliver completly other results:
preset = xdr_agent_network | filter action_remote_ip = "185.x.x.x"
preset = network_story | filter action_remote_ip = "185.x.x.x"
Will there be a possibility to move the informations from XDR_AGENT_NETWORK to NETWORK_STORY?
04-09-2022 02:29 PM
Am I right? PA will take this useful feautre away, because they wan't to sell us a firewall? We allready have a firewall and we just need this information, which is shown in the xdr_agent_network preset.
Network Events Deprecation ( Starting with the next Cortex XDR release ) | After Cortex XDR introduced network collection events, that are stitched across endpoints and the Palo Alto Networks next-generation firewalls logs, there is no longer need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using Network Connections in the Query Builder. When searching in XQL, you should avoid using the xdr_agent_network preset and use the newtork_story preset instead. |
04-12-2022 10:18 PM
Please see if the below XQL helps your case? Please replace the necessary fields as per your requirements.
config case_sensitive = false
| preset = network_story
| filter agent_hostname = "you_end_point_name" and action_remote_ip != null and dst_action_external_hostname != null
| fields
_time as Time,
actor_process_os_pid as Pid,
actor_process_image_name as Process,
action_local_ip as Local_IP,
dst_action_external_hostname as External_Hostname,
action_remote_ip as Destination_IP,
action_remote_port as Destination_Port
| sort desc Time
04-15-2022 05:33 AM
Hello to ALL!
I found the mistake.
It was my fault. I didn't check the period in the top right corner when writing the query *shame on me*
The network_story works like the agent_network_story!
Thanks you very much for the help!
BR
Rob
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!