Use Cortex XDR to find host with ports 80,443 open

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Use Cortex XDR to find host with ports 80,443 open

L1 Bithead

Hello -

 

I'm totally new to Cortex XDR and its XQL - though I need to find machines in our environment that have ports 80/433 open. Is this possible via XQL?

 

I started with these lines to see which column/s I could use for what I want to accomplish and I think it did not have it:

dataset = xdr_data 
| limit 10

 

Please help! Thank you

Cortex XDR Cortex Data Lake 

Jes Yang
6 REPLIES 6

L5 Sessionator

Hi @JonathanYang_RX the data is not available, IIRC.
If your intention is to leverage XDR, you can write a Python script and execute it via Action Center, and parse the data for your needs.

L3 Networker

Dear Jonathon, 

 

You cannot query active network state of hosts. Best way is doing this, as @bbarmanroy mentioned, Action Center. 
You can write python script or you can execute command (netstat, ss etc) for the check current state of ports. 

with XQL, you can only query historical data. that might be either process data or firewall data. 

 

for process, you can use

dataset = xdr_data | field action_local_port = "80" or field action_local_port = "443"

for windows firewall, (if enabled)

dataset = host_firewall_events
| filter local_port = 443 or local_port = 80

 

in case of a made a connection towards to ports, you should have telemetry data. 

 

Dears, 

contributing with my 5 cents. 

for the command to run

nmap -p 80,443 192.168.1.0/24 

or also

nmap -p 80,443 192.168.1.*

 


Will scan your 80,443 ports on the whole 192.168.1.X network with /24 network mask, you will be able to see which ones are open from the output of that command and if on top of that you can see the traffic on the defender fw  as @etugriceri shown on his XQL query, you could check also which ones had traffic (even due to your nmap) on the mentioned ports. 

Take into account that with this commands you will see if the ports are open (not if there was traffic previous to the nmap command)

 

KR, 

Luis 

 

 

Hello - 

 

Apologies for late response. Once the script runs, will the result be available in xdr_data dataset or it will be locally available on each target machine?

Jes Yang

Hello Emre - 

 

Thank you for these suggestions, though I could not see action_local_port = "80" or field action_local_port = "443".

 

Tried using Firewall data and I think it's easier, though unfortunately we haven't deployed/enabled the firewall feature across our estate.

Jes Yang

L3 Networker

Dear Jonathan,

 

Scripts which is located in Action Center is not updating xdr_data. You can only search data from that dataset, if an application establish TCP connection via that ports. (not listen). 

 

Thats why you can use execute_command script with "netstat -a"

or you can develop your own python script for getting that information from remote systems. 

  • 3594 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!