XQL newbie


L3 Networker

Hello everyone.

We recently upgraded to Pro and this XQL stuff looks like an entirely different language to me still. I need some help if possible in getting started.

 

I'm looking to build two queries.

1) I need to go through our AD infrastructure (CIE up and running) and find which devices do not have Cortex XDR currently installed, as well as another application we'll call "securityapp" for this scenario. Two applications need to be identified as non-existent on computers.

2) If I input a name (sam_account), I can get their last password reset date/time.

 

Additionally, are there any other examples that you can share? What works for you in your environment? 

 

Thank you so much in advance.

2 REPLIES

L4 Transporter

Hi @CraigV123, thanks for reaching out to us on the Live Community.

Let's review your points.

 

1- The CIE is used to collect groups and OUs from users to assign policies or add the computers to groups based on those parameters.

To find devices without the agent installed, you can use a Broker VM with the Network Mapper applet. In this LC post you can see the answer to the same question: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/rogue-device-discovery-with-cortex-xdr/m...

To retrieve the installed applications for the endpoints you need the Host Insights Add-On in your tenant. More info Here and Here in 10.c.

 

2- If you have the XDR Agent installed on the Domain Controllers, you can run this query and see how it goes:

 

dataset = xdr_data // Windows event logs collected by the agents on the domain controllers
 | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4723, 4724) // 4723 = password change attempt (user), 4724 = password reset attempt (admin)
 | alter Changed_By = arrayindex(regextract(action_evtlog_message, "\n.*?Account Name:.*?(\w.*?)\r\n"), 0), // regextract returns every "Account Name:" line as an array; the first one is the Subject block (who performed the change)
         User_Name = arrayindex(regextract(action_evtlog_message, "\n.*?Account Name:.*?(\w.*?)\r\n"), 1), // the second one is the Target Account block (whose password was changed), which is the user you want to look up
         Domain = arrayindex(regextract(action_evtlog_message, "\n.*?Account Domain:.*?(\w.*?)\r\n"), 1) // same for the domain: index 1 is the target account's domain
 | filter User_Name = "YOUR_USER" // match on the target account; the comparison is case-sensitive, so use the sAMAccountName exactly as it appears in the event
 | fields _time, User_Name, Domain, Changed_By, action_evtlog_event_id, action_evtlog_message // _time is the event timestamp, i.e. the date/time of the change
 | sort desc _time
 | limit 1 // keep only the most recent change for that user

 

XQL: I recommend this Crash Course, which covers everything from the basics to some more advanced XQL topics.

 

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p...

 

If this post solves your questions, please mark it as the solution.

JM
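The Subject/Target distinction is the part of the query above that is easy to get wrong: a 4723/4724 message contains two "Account Name:" lines, the first in the Subject block (the account that performed the change) and the second in the Target Account block (the account whose password changed), so taking the first regex match looks up the wrong user whenever the person you search for has reset someone else's password. The following Python is an added example, not part of JM's reply or any Cortex XDR code: it applies the same regular expressions to constructed sample events (the timestamps, account names and message bodies are made up; `SAMPLE_EVENTS`, `parse_accounts` and `last_password_change` are names chosen here) and returns the most recent change for a given sAMAccountName, matching on the Target Account only.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Python equivalents of the regextract() calls in the XQL query: every
# "Account Name:" / "Account Domain:" line in the event text, in document order.
ACCOUNT_NAME_RE = re.compile(r"\n\s*Account Name:\s*(\S.*?)\r?\n")
ACCOUNT_DOMAIN_RE = re.compile(r"\n\s*Account Domain:\s*(\S.*?)\r?\n")

PASSWORD_EVENT_IDS = {4723, 4724}  # 4723 = change attempt, 4724 = reset attempt


def _event_text(description: str, subject: tuple, target: tuple) -> str:
    """Build a 4723/4724-style message body: Subject block first, Target Account block second."""
    return (
        f"{description}\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-1000\r\n"
        f"\tAccount Name:\t\t{subject[1]}\r\n"
        f"\tAccount Domain:\t\t{subject[0]}\r\n"
        "\tLogon ID:\t\t0x3E7\r\n\r\n"
        "Target Account:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-2000\r\n"
        f"\tAccount Name:\t\t{target[1]}\r\n"
        f"\tAccount Domain:\t\t{target[0]}\r\n"
    )


# Constructed sample rows standing in for xdr_data records (all values are made up).
SAMPLE_EVENTS = [
    # jdoe changes their own password: Subject and Target are the same account.
    {"_time": "2024-01-15T08:02:11Z", "event_id": 4723,
     "message": _event_text("An attempt was made to change an account's password.",
                            ("CORP", "jdoe"), ("CORP", "jdoe"))},
    # helpdesk1 resets jdoe's password: this is the row we want for jdoe.
    {"_time": "2024-03-01T09:12:40Z", "event_id": 4724,
     "message": _event_text("An attempt was made to reset an account's password.",
                            ("CORP", "helpdesk1"), ("CORP", "jdoe"))},
    # jdoe resets asmith's password: jdoe is the Subject here, not the Target.
    # Matching on the first "Account Name:" would wrongly report this as jdoe's last change.
    {"_time": "2024-03-10T16:45:03Z", "event_id": 4724,
     "message": _event_text("An attempt was made to reset an account's password.",
                            ("CORP", "jdoe"), ("CORP", "asmith"))},
    # Unrelated event id (account created) that the filter must ignore.
    {"_time": "2024-03-11T10:00:00Z", "event_id": 4720,
     "message": _event_text("A user account was created.",
                            ("CORP", "helpdesk1"), ("CORP", "newhire"))},
]


def parse_accounts(message: str) -> dict:
    """Return {'subject': (domain, name), 'target': (domain, name)} for a 4723/4724 message."""
    names = ACCOUNT_NAME_RE.findall(message)
    domains = ACCOUNT_DOMAIN_RE.findall(message)
    if len(names) < 2 or len(domains) < 2:
        raise ValueError("message does not contain both Subject and Target Account blocks")
    # Index 0 is the Subject (who performed the change); index 1 is the Target Account.
    return {"subject": (domains[0], names[0]), "target": (domains[1], names[1])}


def last_password_change(events, sam_account: str, domain: Optional[str] = None) -> Optional[dict]:
    """Most recent 4723/4724 whose Target Account matches sam_account (case-insensitive)."""
    best = None
    for ev in events:
        if ev["event_id"] not in PASSWORD_EVENT_IDS:
            continue
        accounts = parse_accounts(ev["message"])
        tgt_domain, tgt_name = accounts["target"]
        if tgt_name.lower() != sam_account.lower():
            continue
        if domain is not None and tgt_domain.lower() != domain.lower():
            continue
        when = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if best is None or when > best["time"]:
            best = {"time": when, "event_id": ev["event_id"],
                    "target": accounts["target"], "changed_by": accounts["subject"]}
    return best


if __name__ == "__main__":
    hit = last_password_change(SAMPLE_EVENTS, "jdoe")
    print(f"{hit['target'][1]}: last change {hit['time'].isoformat()} "
          f"(event {hit['event_id']}, by {hit['changed_by'][1]})")
```

In XQL terms this is the difference between `arrayindex(regextract(...), 0)` (the Subject) and `arrayindex(regextract(...), 1)` (the Target Account); the lookup for the user's own last reset has to filter on the latter. Keep in mind that this only sees changes that were logged as 4723/4724 on a domain controller the agent covers; if a user has not changed their password since event collection started, the query returns nothing, whereas the `pwdLastSet` attribute in AD always holds the value.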

Thank you, JM. I should have mentioned that we have Host Insights as well which is pretty phenomenal. I was told that we can use XQL to do it, but I'll comb through that crash course to see how to do it. Just wasn't sure if anyone had anything like that already.

 

I tried that XQL query to find the last password change date on the user and it did not work. I tried it with my user account, and it did not retrieve the information. I'll see if I can work with what you have though. Thank you.
