Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert

L1 Bithead

Wanted to share a useful XQL query we have setup as a correlation rule in case anyone else finds it beneficial. This query requires that you have PAN-OS firewall URL logs available within XDR datasets, for example being sent to Cortex Data Lake. The query will return all hits from the firewall on a specific URL category, and then check to see if any local XDR agents have logs which also include the same URL/Source/Destination.

 

If it detects there's local agent logs to match the firewall URL data, the correlation alert will be created which includes the source process which initiated that traffic (i.e. chrome.exe). If no agent data is found which matches the firewall URL category hit, for example if it's an IoT device with no agent installed, an alert will still be generated due to it being a right join statement:

 

dataset=xdr_data | fields action_remote_ip as Destination, action_local_ip as Source, user_id, actor_process_image_name, action_external_hostname as Domain, _time as XDRTime, actor_process_image_command_line, actor_process_image_sha256, user_id, agent_hostname, action_external_port, actor_process_image_path
|join type = right
(dataset = panw_ngfw_url_raw | filter url_category contains "command-and-control" | fields _time as Time, url_category as Category, source_ip as Source, users as Username, uri as NGFWURL, referer as Referer, technology_of_app as App, user_agent as UserAgent, dest_ip as Destination, url_domain as Domain) as corellation Source = corellation.Source and Destination = corellation.Destination and Domain = corellation.Domain
| dedup Source, NGFWURL

1 REPLY 1

L5 Sessionator

Thank you for your contribution! 

  • 1699 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!