12-12-2021 02:10 PM
Hello -
I'm totally new to Cortex XDR and its XQL - though I need to find machines in our environment that have ports 80/433 open. Is this possible via XQL?
I started with these lines to see which column/s I could use for what I want to accomplish and I think it did not have it:
dataset = xdr_data
| limit 10
Please help! Thank you
12-13-2021 02:21 AM
Hi @JonathanYang_RX, the data is not available, IIRC.
If your intention is to leverage XDR, you can write a Python script, execute it via Action Center, and parse the data for your needs.
12-13-2021 07:34 AM
Dear Jonathan,
You cannot query the active network state of hosts. The best way to do this, as @bbarmanroy mentioned, is Action Center.
You can write a Python script, or you can execute a command (netstat, ss, etc.) to check the current state of the ports.
With XQL, you can only query historical data. That might be either process data or firewall data.
For process, you can use:
dataset = xdr_data
| filter action_local_port = 80 or action_local_port = 443
For the Windows firewall (if enabled):
dataset = host_firewall_events
| filter local_port = 443 or local_port = 80
If a connection was made to those ports, you should have telemetry data.
12-13-2021 02:09 PM
Dears,
Contributing my 5 cents.
For the command to run:
nmap -p 80,443 192.168.1.0/24
or also
nmap -p 80,443 192.168.1.*
This will scan ports 80 and 443 on the whole 192.168.1.X network with a /24 network mask; you will be able to see which ones are open from the output of that command. On top of that, if you can see the traffic on the Defender FW, as @etugriceri showed in his XQL query, you could also check which ones had traffic on the mentioned ports (even if only due to your nmap).
Take into account that with these commands you will see whether the ports are open (not whether there was traffic before the nmap command).
KR,
Luis
12-23-2021 02:50 AM
Hello -
Apologies for the late response. Once the script runs, will the result be available in the xdr_data dataset, or will it be available locally on each target machine?
12-23-2021 02:53 AM
Hello Emre -
Thank you for these suggestions, though I could not see action_local_port = "80" or field action_local_port = "443".
Tried using Firewall data and I think it's easier, though unfortunately we haven't deployed/enabled the firewall feature across our estate.
12-24-2021 06:04 AM
Dear Jonathan,
Scripts located in Action Center do not update xdr_data. You can only search data from that dataset if an application establishes a TCP connection via those ports (not listens).
That's why you can use the execute_command script with "netstat -a",
or you can develop your own Python script to get that information from remote systems.
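Added example, not code from this thread or from Palo Alto Networks: an endpoint-side script of the kind the "netstat -a" / "own Python script" suggestions above describe. It parses `netstat -an` output (both Windows and Linux row formats) for TCP sockets in LISTEN state on 80/443, which is the listening state that xdr_data cannot show, and includes an active connect probe for the "is it open right now" check. The `run(args)` entry point and its argument dict are assumptions about how a script launcher would call it; adapt them to whatever your Cortex XDR script metadata declares. The netstat samples are constructed, not captured data.

```python
"""Listening-port inventory for ports 80/443, as an Action Center-style script.
Added example; the run(args) entry point is an assumed launcher convention."""
import re
import socket
import subprocess

TARGET_PORTS = {80, 443}
LISTEN_STATES = {"LISTEN", "LISTENING"}

# One regex for both netstat dialects:
#   Windows: "  TCP    0.0.0.0:80     0.0.0.0:0      LISTENING"
#   Linux:   "tcp   0   0 0.0.0.0:80   0.0.0.0:*     LISTEN"
# Linux inserts Recv-Q/Send-Q counters before the local address, so they are optional.
_ROW = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+"
    r"(?:\d+\s+\d+\s+)?"                 # Linux Recv-Q / Send-Q columns
    r"(?P<addr>\S+):(?P<port>\d+)\s+"    # local address:port ([::]:443 and :::443 both work)
    r"(?P<foreign>\S+)"                  # foreign address (ignored)
    r"(?:\s+(?P<state>\S+))?",           # UDP rows have no state column
    re.IGNORECASE,
)


def parse_listeners(netstat_output, ports=TARGET_PORTS):
    """Return {(port, local_addr)} for TCP sockets in LISTEN state on `ports`.

    ESTABLISHED rows are skipped on purpose: a client talking *to* a remote
    port 443 is exactly the kind of row xdr_data already has, and it is not a
    listener on this host."""
    found = set()
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m or not m["proto"].lower().startswith("tcp"):
            continue
        if (m["state"] or "").upper() not in LISTEN_STATES:
            continue
        port = int(m["port"])
        if port in ports:
            found.add((port, m["addr"]))
    return found


def probe(host, port, timeout=1.0):
    """Active check: True if a TCP connect to host:port succeeds right now."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def self_probe_demo():
    """Bind an ephemeral loopback listener and confirm probe() reports it open."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe("127.0.0.1", srv.getsockname()[1])


def run(args):
    """Assumed entry point: the launcher passes a dict of arguments.
    Runs netstat on the endpoint and returns the listeners on the target ports."""
    ports = set(args.get("ports", TARGET_PORTS))
    try:
        out = subprocess.run(["netstat", "-an"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return {"hostname": socket.gethostname(), "error": "netstat not found"}
    listeners = parse_listeners(out, ports)
    return {"hostname": socket.gethostname(),
            "listening": sorted(f"{addr}:{port}" for port, addr in listeners)}


# Constructed sample of `netstat -an` on a Windows host (not captured data).
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    192.168.1.10:49700     52.1.2.3:443           ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Constructed sample of `netstat -an` on a Linux host; only 443 is listening here.
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 10.0.0.5:51234          10.0.0.9:80             ESTABLISHED
"""

if __name__ == "__main__":
    print("windows sample:", parse_listeners(SAMPLE_WINDOWS))
    print("linux sample:", parse_listeners(SAMPLE_LINUX))
    print("loopback probe works:", self_probe_demo())
    print("this host:", run({}))
```

The ESTABLISHED rows in both samples have 80 or 443 on the remote side and are deliberately excluded; that is the distinction between "made a connection to port 443" (what xdr_data records) and "has port 443 open" (what this script reports). The script's return value is what you would read back from the Action Center results, since nothing here writes to xdr_data.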