03-16-2023 09:06 PM - edited 03-16-2023 10:08 PM
Dear Team,
I am trying to write an XQL query to add a widget that shows endpoints whose protection has been paused for more than 30 days. The query is as follows; can someone help me get accurate results?
config timeframe = 30d
| dataset = endpoints
| filter manual_protection_pause != "PROTECTION_ACTIVE"
| join type = left (dataset = management_auditing | filter description contains "Protection Pause action initiated"| fields description) as mgmt mgmt.description contains endpoint_name
| comp count(endpoint_id) as Tally by endpoint_name
| filter Tally < 2
| view graph type = single subtype = standard yaxis = Tally
03-17-2023 01:42 AM
Hi @VenuK, unfortunately I don't think there's a way to get this done accurately, as the description field may contain text like "Protection Pause action initiated on laptop001 and 1 other endpoint". If the endpoint name is not specifically listed in the description, it won't accurately identify the endpoint in the description.
I'd recommend you to create some automation with XDR API's to retrieve the data of endpoints on a daily/weekly basis and compare historically how long an endpoint has remained in an unprotected status.
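A worked version of the snapshot comparison described above, added here as an example; it is not code from this thread or from Palo Alto Networks. It assumes you already pull the endpoint list periodically (the fetch itself is a hypothetical function that is not shown) and uses three constructed snapshots whose field names mirror the columns of the XQL `endpoints` dataset. It records when each endpoint was first seen paused, restarts the timer when protection is resumed and later paused again, tolerates an endpoint that is missing from a pull, and reports the endpoints paused for at least a threshold number of days:

```python
from datetime import datetime, timedelta, timezone

PAUSED = "PROTECTION_PAUSED"
ACTIVE = "PROTECTION_ACTIVE"

# Constructed sample data: three pulls of the endpoint list, standing in for the
# daily/weekly snapshots the automation would collect. In production each list would
# come from the Cortex XDR endpoint API through a fetch function you write yourself
# (hypothetical, not shown here); the field names mirror the columns of the XQL
# `endpoints` dataset used in the thread.
T0 = datetime(2023, 3, 1, tzinfo=timezone.utc)
DAY15 = T0 + timedelta(days=15)
DAY31 = T0 + timedelta(days=31)


def _ep(eid, name, pause):
    return {"endpoint_id": eid, "endpoint_name": name, "manual_protection_pause": pause}


SAMPLE_SNAPSHOTS = [
    (T0, [_ep("e1", "laptop001", PAUSED), _ep("e2", "laptop002", PAUSED), _ep("e3", "laptop003", ACTIVE)]),
    # Day 15: laptop002 has resumed protection; laptop003 is offline and missing from the pull.
    (DAY15, [_ep("e1", "laptop001", PAUSED), _ep("e2", "laptop002", ACTIVE)]),
    # Day 31: laptop002 is paused again, so its timer must restart from this snapshot.
    (DAY31, [_ep("e1", "laptop001", PAUSED), _ep("e2", "laptop002", PAUSED), _ep("e3", "laptop003", ACTIVE)]),
]


def apply_snapshot(state, observed_at, endpoints):
    """Fold one snapshot into `state` (endpoint_id -> name / paused_since / last_seen)."""
    for ep in endpoints:
        eid = ep["endpoint_id"]
        prev = state.get(eid, {})
        if ep["manual_protection_pause"] == PAUSED:
            # Keep the earliest snapshot that saw this pause; start a new timer
            # if the endpoint was active (or unknown) last time.
            paused_since = prev.get("paused_since") or observed_at
        else:
            paused_since = None  # protection active again: clear the timer
        state[eid] = {
            "endpoint_name": ep["endpoint_name"],
            "paused_since": paused_since,
            "last_seen": observed_at,
        }
    # Endpoints absent from this snapshot (offline, deleted) keep their previous
    # entry untouched; last_seen tells you how stale that entry is.
    return state


def build_state(snapshots):
    """Replay snapshots in chronological order into a single state dict."""
    state = {}
    for observed_at, endpoints in sorted(snapshots, key=lambda s: s[0]):
        apply_snapshot(state, observed_at, endpoints)
    return state


def paused_longer_than(state, now, threshold_days):
    """Endpoints paused for at least `threshold_days`, as sorted (name, days) pairs.

    The duration is counted from the first snapshot that saw the pause, so it is a
    lower bound: an endpoint already paused before the first pull may have been
    paused for longer than reported.
    """
    hits = []
    for entry in state.values():
        since = entry["paused_since"]
        if since is not None:
            days = (now - since).days
            if days >= threshold_days:
                hits.append((entry["endpoint_name"], days))
    return sorted(hits)


if __name__ == "__main__":
    current = build_state(SAMPLE_SNAPSHOTS)
    for name, days in paused_longer_than(current, DAY31, 30):
        print(f"{name}: protection paused for at least {days} days")
```

Persist the state dict between runs (a small JSON file is enough) so that each pull only has to be folded in once, and treat the reported duration as a floor: the first snapshot can only tell you that the endpoint was paused at that moment, not when the pause began.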
03-17-2023 03:28 AM
@bbarmanroy, thank you for the valuable time and reply. Can you help me with tuning the query, as I am still a rookie in XQL?
03-18-2023 08:32 AM
Hi @VenuK,
I came up with this XQL query; see if it is something you could use:
dataset=endpoints
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED, ENUM.DISCONNECTED) // You could remove ENUM.DISCONNECTED
| join type=left(dataset = agent_auditing | filter agent_auditing_subtype = ENUM.AGENT_AUDIT_MANUAL_PROTECTION_STATUS | fields description, agent_auditing_subtype, endpoint_id, received_time ) as aal aal.endpoint_id = endpoint_id
| filter timestamp_diff(current_time(), received_time , "MINUTE") > 30 // You can change MINUTE by HOUR or DAY. In this example, I added a MINUTE to showcase the result
I would not recommend looking for machines with Protection paused for >= 30 days. It would be better to know about this as soon as possible. Therefore, I would recommend adding this XQL query to a correlation rule to generate alerts whenever timestamp_diff is >= 30 minutes or so. You can then create notifications filtering on the correlation alert.
03-19-2023 08:52 PM
Thank you @fmoixsante for the query. I used it, but it did not give me any results, so I tried the below. Kindly suggest.
config timeframe = 30D // The query cannot be created for more than 30 days hence limited to 30 days as per requirement
| dataset = endpoints
| join type = left (dataset = management_auditing | filter description contains "Paused " | fields description) as mgmt mgmt.description contains endpoint_name
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED)
| comp count(endpoint_name) as tally by endpoint_name
| filter tally < 2
| view graph type = single subtype = standard yaxis = tally
03-20-2023 03:45 AM
Hi @VenuK,
The XQL query I provided to you will look for endpoints with "manual_protection_pause" = "PROTECTION_PAUSED". If the query does not bring out any results, then that means that, at that moment, none of your endpoints are on "PROTECTION_PAUSED".
The purpose of my query is that as soon as any of your endpoints are on "PROTECTION_PAUSED" and they have been in that state for more than 30 minutes based on the agent_audit_log dataset, and you add this query to a correlation rule, you will get an alert.
I do not really understand the 30D timeframe; if a machine is on "PROTECTION_PAUSED" for that long, that is a huge issue as a security risk. I would recommend checking all of your endpoints at this time, and if there are any that are on "PROTECTION_PAUSED", investigate why, and make sure to activate protections as soon as possible.
Moving forward, use the provided XQL query to get alert notifications, via correlation rule, whenever an endpoint is on "PROTECTION_PAUSED" for too long.
06-06-2024 01:08 AM
Sorry to jump in here. I tried this query, but it seems I am not able to get any results. I reproduced this by pausing an agent manually in the Endpoints view and then waited for 10 minutes. If I understood your query, it should display paused agents within the last 30 minutes, so it should pop up. So is it possible to read out the corresponding description given? Whenever you pause an agent, you can enter a comment, and it would be nice to see who paused it and what comment was entered.
Thanks