XQL query to add a widget to know the Protection Paused more than 30 days.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL query to add a widget to know the Protection Paused more than 30 days.

L2 Linker

Dear Team,

 

I am trying to write an XQL query to add a widget to know the Protection Paused more than 30 days. The Query is as follows, can someone help me to get the accurate results.

 

config timeframe = 30d
| dataset = endpoints
| filter manual_protection_pause != "PROTECTION_ACTIVE"
| join type = left (dataset = management_auditing | filter description contains "Protection Pause action initiated"| fields description) as mgmt mgmt.description contains endpoint_name
| comp count(endpoint_id) as Tally by endpoint_name
| filter Tally < 2
| view graph type = single subtype = standard yaxis = Tally

 

 

Venu
1 accepted solution

Accepted Solutions

Hi @VenuK,

 

The XQL query I provided to you, will look for endpoints with endpoint "manual_protection_pause" = "PROTECTION_PAUSED". If the query does not bring out any results, then that means that, at that moment, any of your enpoints are NOT on "PROTECTION_PAUSED".

 

The purpose of my query is that as soon as any of your endpoints are on "PROTECTION_PAUSED" and they have been in that state for more than 30 minutes based on the agent_audit_log dataset, and you add this query to a correlation rule, you will get an alert.

 

I do not really understand the 30D timeframe, if a machine is on "PROTECTION_PAUSED" for that long, that is a huge issue as a security risk. I would recommend checking all of your endpoints at this time, and if there are any that are on "PROTECTION_PAUSED", investigate why, and make sure to activate protections as soon as possible. 

 

Moving forward, use the provided XQL query to get alert notifications, via correlation rule, whenever an endpoint is on "PROTECTION_PAUSED" for too long. 

 

View solution in original post

6 REPLIES 6

L5 Sessionator

Hi @VenuK Unfortunately, I don't think there's a way to get this done accurately as the description field may contain text like "Protection Pause action initiated on laptop001 and 1 other endpoint". If the endpoint name is not specifically listed in the description, it won't accurately identify the endpoint in the description.

 

I'd recommend you to create some automation with XDR API's to retrieve the data of endpoints on a daily/weekly basis and compare historically how long an endpoint has remained in an unprotected status.

@bbarmanroy , Thank you for the valuable time and reply, can you help me with tuning the query, as I am still a rookie in XQL.

 

Venu

Hi @VenuK.,

 

I came up with this XQL query, see if it is something you could use,

dataset=endpoints
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED, ENUM.DISCONNECTED) // You could remove ENUM.DISCONNECTED
| join type=left(dataset = agent_auditing | filter agent_auditing_subtype = ENUM.AGENT_AUDIT_MANUAL_PROTECTION_STATUS | fields description, agent_auditing_subtype, endpoint_id, received_time ) as aal aal.endpoint_id = endpoint_id
| filter timestamp_diff(current_time(), received_time , "MINUTE") > 30 // You can change MINUTE by HOUR or DAY. In this example, I added a MINUTE to showcase the result

 

I would not recommend to look for machines with Protectection paused for >= 30 days. It would be better to know about this as soon as possible. Therefore, I would recommend adding this XQL query to a correlation rule to generate alerts whenever timestamp_diff is >= 30 minutes or so.  You can then create notifications filtering on the correlation alert. 

Thank you @fmoixsante for the query, I used it, but it did not give me any results, so I tired the blow. Kindly suggest.

config timeframe = 30D // The query cannot be created for more than 30 days hence limited to 30 days as per requirement
|dataset=endpoints
| join type = left (dataset = management_auditing | filter description contains "Paused "| fields description) as mgmt mgmt.description contains endpoint_status 
| fields endpoint_id, endpoint_name, manual_protection_pause as all_endpoints_protection_pause, endpoint_status
| filter all_endpoints_protection_pause = "PROTECTION_PAUSED" and endpoint_status in (ENUM.CONNECTED ) 
|comp count(endpoint_name) as tally by endpoint_name
|filter tally <2
| view graph type = single subtype = standard yaxis = Tally

 

Venu

Hi @VenuK,

 

The XQL query I provided to you, will look for endpoints with endpoint "manual_protection_pause" = "PROTECTION_PAUSED". If the query does not bring out any results, then that means that, at that moment, any of your enpoints are NOT on "PROTECTION_PAUSED".

 

The purpose of my query is that as soon as any of your endpoints are on "PROTECTION_PAUSED" and they have been in that state for more than 30 minutes based on the agent_audit_log dataset, and you add this query to a correlation rule, you will get an alert.

 

I do not really understand the 30D timeframe, if a machine is on "PROTECTION_PAUSED" for that long, that is a huge issue as a security risk. I would recommend checking all of your endpoints at this time, and if there are any that are on "PROTECTION_PAUSED", investigate why, and make sure to activate protections as soon as possible. 

 

Moving forward, use the provided XQL query to get alert notifications, via correlation rule, whenever an endpoint is on "PROTECTION_PAUSED" for too long. 

 

Sorry to jump in here, I tried this query, but it seems I am not able to get any results. I reproduced this by pausing an agent manually in the Endpoints view and then waited for 10 Minutes. If I understood your query it should display paused agents within the last 30 Minutes so it should pop up. So is it possible to read out the corresponding description given? Whenever you pause an agent, you can enter a comment, and it would be nice to see who paused it and what comment was entered.

 

Thanks

  • 1 accepted solution
  • 3120 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!