This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Cortex XDR Customer Success Webinar: Monitoring with XQL

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR Customer Success Webinar: Monitoring with XQL

rtsedaka
L6 Presenter

‎11-30-2023 09:39 AM - edited ‎12-13-2023 12:45 PM

100% helpful (2/2)

Monitoring with XQL & Data Ingestion 

This webinar covers the details of data ingestion from various sources and explores efficient monitoring practices using XQL.

Make sure to review the queries and other resources below the video. 

 

(view in My Videos)

 

Queries: 

Agent Monitoring Use Cases 

  • A simple query to look up ingestion by timeframe
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| join type=left (config case_sensitive = false | dataset =endpoints  | filter endpoint_alias = $Hostname_Of_your_choice | dedup endpoint_name ) as wlatd wlatd.endpoint_name = agent_hostname | filter endpoint_name != null
| fields endpoint_name,operating_system , action_evtlog_description,action_evtlog_data_fields,action_evtlog_event_id,agent_os_sub_type,agent_os_type 
| comp count (insert_timestamp )  as counter by endpoint_name, insert_timestamp 
| comp sum(counter) by endpoint_name

 

  • Advanced query to lookup ingestion by timeframe
config timeframe between "2023-10-29 00:00:00 +0800" and "2023-10-29 23:59:59 +0800"
|dataset = xdr_data
| fields _time, agent_hostname, actor_effective_username, agent_os_type , agent_os_sub_type, recordType 
| filter agent_os_type = ENUM.AGENT_OS_LINUX //and recordType = "edr"
| alter minute_part = floor(divide(to_integer(extract_time(_time, "MINUTE")), 60))
| alter from_minute = multiply(minute_part, 60)
| alter from_minute_str = if(from_minute = 0, "00", to_string(from_minute))
| alter to_minute_str = to_string(add(from_minute, 59))
| alter from = format_timestamp(concat("%Y-%m-%d %H:", from_minute_str, ":00"), _time, "+08:00")
| alter to = format_timestamp(concat("%Y-%m-%d %H:", to_minute_str, ":59"), _time, "+08:00")
| fields _time, minute_part, agent_hostname, actor_effective_username, from, to
| comp count(agent_hostname) as log_count by agent_hostname , from, to
| sort desc log_count 
//| comp sum(log_count ) as logsum by agent_hostname 
//| fields agent_hostname , logsum
//| view graph type = line xaxis = from yaxis = log_count seriescolor("log_count","#12f332") headcolor = "#da3b10" gridcolor = "#7c2b0f

 


Third-party Data Ingestion 

  • Option 1- XDR Query with simple conversion of size ingested
    dataset = metrics_source 
| fields _vendor , _product , total_size_bytes , total_size_rate
| comp sum(total_size_bytes ) as ingestion by _product //count the sum of all the bytes ingested by different products
| alter ingestiongb = divide (ingestion , pow(1024,3))//convert the respective data bytes to Gigabytes
| fields  _product ,ingestiongb
| limit 20
| sort desc ingestiongb
| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = ingestiongb seriescolor("ingestiongb","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black"

     

  • Show metrics data and convert into rounded MegaBytes of data streams
    dataset = metrics_source 
| fields _vendor , _product , total_size_bytes , total_size_rate
| comp sum(total_size_bytes ) as ingestion by _product 
| alter Ingestion_by_MB = divide(round(multiply(divide(ingestion , pow(2,20)),10000)),10000) //rounding out to 4 decimal places and convert to MB
| fields  _product ,Ingestion_by_MB
| limit 20
| sort desc Ingestion_by_MB 
| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = Ingestion_by_MB seriescolor("Ingestion_by_MB","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black"

     

XSIAM 

  • When any data source collector instance is in an error state
    dataset = collection_auditing
| filter (classification = """Error""" )
| comp latest(_time) by collector_type , instance , classification ,description ​
  • No data ingested by the data source within a time frame
    preset = metrics_view  
| comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, _collector_name, _collector_type , _final_reporting_device_ip ,_final_reporting_device_name , _broker_device_id ,_vendor , _product 
| filter total_event_count_sum = 0

     

  •  Volume of data and EPS by data source
    preset = metrics_view  
| comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, _collector_name, _collector_type , _final_reporting_device_ip ,_final_reporting_device_name , _broker_device_id ,_vendor , _product

 

 Additional XQL Resources and Training:

Monitoring with XQL How-To Video: Data Ingestion Metrics 

Cortex XDR XQL Language Reference

Cortex XDR XQL Schema Reference

Beacon course 
XQL basic crash course

XQL use cases & applications crash course 

 

Have a question?  Post it on our Discussions forum

Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
Rate this article:
  • 689 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎12-13-2023 12:45 PM
Updated by:
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks