I'm totally new to Cortex XDR and its XQL, though I need to find machines in our environment that have ports 80/433 open. Is this possible via XQL?
I started with these lines to see which column(s) I could use for what I want to accomplish, and I think it did not have it:
dataset = xdr_data | limit 10
Please help! Thank you
You cannot query the active network state of hosts. The best way to do this, as @bbarmanroy mentioned, is Action Center.
You can write a Python script or execute a command (netstat, ss, etc.) to check the current state of ports.
With XQL, you can only query historical data. That might be either process data or firewall data.
For process data, you can use
dataset = xdr_data | filter action_local_port = 80 or action_local_port = 443
For the Windows firewall (if enabled):
dataset = host_firewall_events
| filter local_port = 443 or local_port = 80
If a connection was made to those ports, you should have telemetry data.
Contributing my 5 cents.
For the command to run:
nmap -p 80,443 192.168.1.0/24
nmap -p 80,443 192.168.1.*
This will scan ports 80 and 443 on the whole 192.168.1.X network with a /24 network mask; you will be able to see which ones are open from the output of that command, and if on top of that you can see the traffic on the Defender firewall as @etugriceri showed in his XQL query, you could also check which ones had traffic (even due to your nmap) on the mentioned ports.
Take into account that with these commands you will see whether the ports are open (not whether there was traffic before the nmap command).
Scripts located in Action Center do not update xdr_data. You can only search data from that dataset if an application establishes a TCP connection via those ports (not listening).
That's why you can use the execute_command script with "netstat -a",
or you can develop your own Python script for getting that information from remote systems.
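Both of the replies above suggest running netstat (through Action Center's execute_command or your own script) and reading the result, because xdr_data only records connections that were made, not sockets that are listening. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python parser that takes netstat-style output and reports which of the watched ports are actually in a LISTEN/LISTENING state, ignoring ESTABLISHED connections so that an outbound connection to a remote port 443 is not mistaken for a local web server. The sample output is constructed (it mixes the Windows `netstat -an` column layout with the Linux one); the port list and function names are this example's own assumptions.

```python
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# Ports asked about in the thread (assumption: 80 and 443).
WATCHED_PORTS: Tuple[int, ...] = (80, 443)

# States that mean a socket is accepting connections (Windows and Linux spellings).
LISTEN_STATES = {"LISTEN", "LISTENING"}

# Constructed sample of netstat output; not captured from any real host.
# Lines 2-5 follow the Windows `netstat -an` layout, line 6 the Linux layout.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    10.0.0.5:49712         52.1.2.3:443           ESTABLISHED
TCP    [::]:443               [::]:0                 LISTENING
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
UDP    0.0.0.0:5353           *:*
"""


def split_port(addr: str) -> Optional[int]:
    """Return the numeric port at the end of 'host:port' or '[v6addr]:port'.

    Returns None for wildcard ports such as '*:*' or '0.0.0.0:*'.
    """
    _host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def listening_ports(lines: Iterable[str]) -> List[int]:
    """Collect local TCP ports whose socket state is LISTEN/LISTENING."""
    ports = set()
    for raw in lines:
        tokens = raw.split()
        # Need at least proto, local address and state; skip header/blank lines.
        if len(tokens) < 3 or not tokens[0].upper().startswith("TCP"):
            continue
        if tokens[-1].upper() not in LISTEN_STATES:
            continue  # ESTABLISHED, TIME_WAIT, ... are not open listeners
        # The local address is the first token that looks like host:port;
        # on Windows it is column 2, on Linux column 4 (after Recv-Q/Send-Q).
        for tok in tokens[1:]:
            port = split_port(tok)
            if port is not None:
                ports.add(port)
                break
    return sorted(ports)


def check_watched(lines: Iterable[str],
                  watched: Tuple[int, ...] = WATCHED_PORTS) -> Dict[int, bool]:
    """Map each watched port to True if it is listening in the given output."""
    open_ports = set(listening_ports(lines))
    return {p: p in open_ports for p in watched}


def check_local_host(watched: Tuple[int, ...] = WATCHED_PORTS) -> Dict[int, bool]:
    """Run netstat on this host, as an Action Center script would, and check it."""
    result = subprocess.run(["netstat", "-an"], capture_output=True,
                            text=True, check=True)
    return check_watched(result.stdout.splitlines(), watched)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(check_watched(SAMPLE_NETSTAT.splitlines()))
```

The only line that touches the host is `check_local_host`; everything else works on text, so the same parser can be pointed at output collected from many endpoints and joined back to the XQL results for the hosts that also showed traffic on those ports.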