10-17-2024 10:56 AM
Wondering if there are plans to help build queries? Something as simple as looking for a file called "testfile" requires the query with the below code:
|preset = xdr_file
|filter action_file_name contains "testfile"
Another example that we are currently working on is a way to search for specific models of computers. As an example: "find all Latitude 7440" and show hostname, user, ip, last seen. We are assuming the information is hidden in a json file somewhere.
It makes it difficult to figure out what's needed when the easy way (builder) doesn't have certain forms and aspects to drill into. That leads to trial and error to find a solution. We tried converting Splunk queries using the convert to XQL slider which has yet to work for us.
Is there a user Library other than the official one which only has 1 in it?
Are there plans to add an AI helper to Cortex to help build queries?
SentinelONE has Purple, Crowdstrike has Charlotte, Sophos has it built into their platform as a few examples.
Thanks!
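An added example, not from the original post or from Palo Alto Networks: the file search above extended to return the columns the question asks for (hostname, user, IP, last seen). It assumes the standard xdr_data field names (agent_hostname, actor_effective_username, agent_ip_addresses, action_file_path, action_file_sha256, _time); check them against your tenant's schema in the Query Builder.

```xql
// Assumed: preset xdr_file exposes the file-event fields below (xdr_data schema).
preset = xdr_file
// Same match as the original question; add a path filter to cut noise if needed.
| filter action_file_name contains "testfile"
// Keep only the fields we report on.
| fields _time, agent_hostname, actor_effective_username, agent_ip_addresses, action_file_path, action_file_sha256
// One row per host/user/path/hash, with the most recent event time as "last seen".
| comp max(_time) as last_seen, count() as event_count, values(agent_ip_addresses) as ips
  by agent_hostname, actor_effective_username, action_file_path, action_file_sha256
| sort desc last_seen
| limit 100
```

The same comp/sort/limit tail can be reused on other presets once the matching filter is written, which is usually the only part that changes between use cases.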
10-21-2024 08:26 AM - edited 10-21-2024 08:26 AM
Hi @J.Suter, thanks for reaching us using the Live Community.
The XDR console has a built-in Query Library in the XQL Query designer with, for now, 90+ examples.
This list gets updated on each XDR Console new release, if there are important new queries to add.
We have here in the LC this advanced XQL crash course that can help you to build some very specific use cases such as the ones you mention: https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-xql-use-cases-and-applicati...
Regarding the AI, we have Cortex Copilot for XSIAM since the last release, so it is a matter of time until this will also be available for XDR.
If this post answers your question, please mark it as the solution.
10-22-2024 05:33 AM
Crash course is nice, thank you, and the query library is helpful and has given us some templates to work with. That copilot will be needed in the CortexXDR Pro space, hopefully that comes sooner than later, appreciate the response!
11-21-2024 03:45 AM
Hi jmazzeo,
Crash course is very nice. I watched whole videos. Thank you!
Best regards,
Elmir Jafarov. Cybersecurity Engineer.