This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

xdr_data dataset only returns nulls

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

xdr_data dataset only returns nulls

IanRedden
L1 Bithead

‎01-30-2023 10:38 AM

IanRedden_0-1675103876532.png

 

Any idea why this might be happening?

 

I am expecting to see data from my Cisco ASA firewalls, XDR Agents and hopefully some causality/actor information.  I only get Nulls.

 

0 Likes Likes
3 REPLIES 3

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎01-30-2023 01:58 PM

Hi @IanRedden ,

Your filter is very broad, you only limit the last 100 entries, but

- You haven't specified any event type, nor sorted by anything

- So the 100 events that you have received show all empty values, because the fields that are shown by default are not relevant for this event.

- If you tell the query to show all available fields and then tell the GUI to show all those fields in the return table you should see at least something 

dataset = xdr_data
| fields *
| limit 100

Above should return all fields of xdr_data dataset, but you still need to tell the GUI to show them in the return table

Astardzhiev_0-1675115815457.png

Click on the three dots and there you select all fields.

 

You query is still very broad so it is better to know what you are looking for and apply some better filters before showing the last 100 events.

0 Likes Likes

IanRedden
L1 Bithead
In response to aleksandar.astardzhiev

‎02-01-2023 06:29 AM

What does XDR_Data include? Everything? Including syslogs forwarded from the Broker VM?

0 Likes Likes

IanRedden
L1 Bithead
In response to IanRedden

‎02-01-2023 06:43 AM

Here is an example...

In my test environment, we ran AttackIQ to generate alerts.

IanRedden_0-1675262511184.png

I am looking for the above data from an XQL query searching on an indicator.  For example, show me XDR events from "DESKTOP-E0AMMSK".

 

This query:

config case_sensitive = false
| preset = network_story
| fields *
| filter agent_hostname = "DESKTOP-E0AMMSK"

 

Returns no results for a 1M period.

 

0 Likes Likes
  • 1104 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks