Hello Rolando_Pena,
The following query provides a geo map of network activity in XDR:
preset = network_story
| iploc action_remote_ip loc_country
| filter loc_country != null
| union (preset = network_story| iploc action_local_ip loc_country | filter loc_country != null)
| comp count(event_id) as counter by loc_country
| view graph type = map xaxis = loc_country yaxis = counter default_limit = `false` seriestitle("counter","Volume")
To create a query for successful logins by geolocation its best to include the ingestion of authentication logs which will create a dataset to query, example okta_data.
If you are ingesting authentication logs, which we highly recommend to enrich XDR data, you may use this query which utilizes the preset = auth_logs which is comprised of authentication logs (Okta, Ping, etc) and is a subset of xdr_data dataset.
dataset = auth_logs
| iploc action_remote_ip loc_country
| filter auth_outcome = "SUCCESS" and loc_country != null//Also auth_outcome_reason to specify a description example OKTA SSO failed
| union (preset = network_story| iploc action_local_ip loc_country as ConnectionCountry | filter ConnectionCountry != null)
| comp count(event_id) as Countby by ConnectionCountry
| sort desc Countby
|
view graph type = pie subtype = full xaxis = ConnectionCountry yaxis = Countby
Note, a dataset is comprised of both raw EDR events reported by the Cortex XDR agent, and of logs from different sources such as third-party logs. To help you investigate events more efficiently, Cortex XDR also stitches these logs and events together into common schemas called stories. These stories are available using the Cortex XDR Presets.
Reference
LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)
If you found this answer helpful, please select Accept as Solution.
