XQL Query in which I can know by country how many logins exist.


L1 Bithead

Good morning,

I am starting this conversation to request your support to create an XQL query for Cortex XDR in which I can know by country how many logins exist.

If you could help me with the geolocation dashboard, that would be great.

For example:

From the USA there are 56 logins; from Russia, 15 logins.

Is it possible to do this with the XDR information?


L3 Networker

Hello Rolando_Pena,


The following query provides a geo map of network activity in XDR:


preset = network_story
| iploc action_remote_ip loc_country
| filter loc_country != null
| union (preset = network_story| iploc action_local_ip loc_country | filter loc_country != null)
| comp count(event_id) as counter by loc_country
| view graph type = map xaxis = loc_country yaxis = counter default_limit = `false` seriestitle("counter","Volume")



To create a query for successful logins by geolocation, it's best to include the ingestion of authentication logs, which will create a dataset to query, for example okta_data.

If you are ingesting authentication logs, which we highly recommend to enrich XDR data, you may use this query, which utilizes the preset = auth_logs. That preset is comprised of authentication logs (Okta, Ping, etc.) and is a subset of the xdr_data dataset.


dataset = auth_logs
| iploc action_remote_ip loc_country as ConnectionCountry
| filter auth_outcome = "SUCCESS" and ConnectionCountry != null // Also auth_outcome_reason to specify a description, example: OKTA SSO failed
| union (preset = network_story | iploc action_local_ip loc_country as ConnectionCountry | filter ConnectionCountry != null)
| comp count(event_id) as Countby by ConnectionCountry
| sort desc Countby
| view graph type = pie subtype = full xaxis = ConnectionCountry yaxis = Countby



Note: a dataset is comprised of both raw EDR events reported by the Cortex XDR agent and of logs from different sources, such as third-party logs. To help you investigate events more efficiently, Cortex XDR also stitches these logs and events together into common schemas called stories. These stories are available using the Cortex XDR Presets.

Reference:

Datasets and Presets • Cortex XDR XQL Language Reference • Reader • Palo Alto Networks documentation...

LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)


 If you found this answer helpful, please select Accept as Solution.
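As an added example (not the reply's own query), the same pattern applied to auth_logs on its own, with the country alias kept consistent so the count covers every row, followed by a companion query that breaks failed logins down by auth_outcome_reason, which is what a defender usually wants next to the success map. The `config timeframe` and `limit` stages are assumed to be standard XQL syntax; the field names are those used in the reply.

```xql
// Query 1: successful authentications per source country, last 7 days.
// The iploc alias (ConnectionCountry) is used in every later stage,
// so the comp stage counts all rows rather than only an aliased branch.
config timeframe = 7d
| dataset = auth_logs
| iploc action_remote_ip loc_country as ConnectionCountry
| filter auth_outcome = "SUCCESS" and ConnectionCountry != null
| comp count(event_id) as Countby by ConnectionCountry
| sort desc Countby
| view graph type = pie subtype = full xaxis = ConnectionCountry yaxis = Countby

// Query 2: failed authentications per source country and failure reason.
// auth_outcome_reason carries the description mentioned in the reply
// (for example an SSO failure), so grouping on it separates expired
// sessions from bad credentials, which read very differently by country.
config timeframe = 7d
| dataset = auth_logs
| iploc action_remote_ip loc_country as ConnectionCountry
| filter auth_outcome != "SUCCESS" and ConnectionCountry != null
| comp count(event_id) as Failures by ConnectionCountry, auth_outcome_reason
| sort desc Failures
| limit 20
```

Run the two queries side by side: a country that appears high in Query 2 but is absent from Query 1 is the row worth reviewing first.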
