11-30-2023 09:39 AM - edited 12-13-2023 12:45 PM
This webinar covers the details of data ingestion from various sources and explores efficient monitoring practices using XQL.
Make sure to review the queries and other resources below the video.
Agent Monitoring Use Cases
config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| join type=left (config case_sensitive = false | dataset =endpoints | filter endpoint_alias = $Hostname_Of_your_choice | dedup endpoint_name ) as wlatd wlatd.endpoint_name = agent_hostname | filter endpoint_name != null
| fields endpoint_name,operating_system , action_evtlog_description,action_evtlog_data_fields,action_evtlog_event_id,agent_os_sub_type,agent_os_type
| comp count (insert_timestamp ) as counter by endpoint_name, insert_timestamp
| comp sum(counter) by endpoint_name
config timeframe between "2023-10-29 00:00:00 +0800" and "2023-10-29 23:59:59 +0800"
|dataset = xdr_data
| fields _time, agent_hostname, actor_effective_username, agent_os_type , agent_os_sub_type, recordType
| filter agent_os_type = ENUM.AGENT_OS_LINUX //and recordType = "edr"
| alter minute_part = floor(divide(to_integer(extract_time(_time, "MINUTE")), 60))
| alter from_minute = multiply(minute_part, 60)
| alter from_minute_str = if(from_minute = 0, "00", to_string(from_minute))
| alter to_minute_str = to_string(add(from_minute, 59))
| alter from = format_timestamp(concat("%Y-%m-%d %H:", from_minute_str, ":00"), _time, "+08:00")
| alter to = format_timestamp(concat("%Y-%m-%d %H:", to_minute_str, ":59"), _time, "+08:00")
| fields _time, minute_part, agent_hostname, actor_effective_username, from, to
| comp count(agent_hostname) as log_count by agent_hostname , from, to
| sort desc log_count
//| comp sum(log_count ) as logsum by agent_hostname
//| fields agent_hostname , logsum
//| view graph type = line xaxis = from yaxis = log_count seriescolor("log_count","#12f332") headcolor = "#da3b10" gridcolor = "#7c2b0f
Third-party Data Ingestion
dataset = metrics_source
| fields _vendor , _product , total_size_bytes , total_size_rate
| comp sum(total_size_bytes ) as ingestion by _product //count the sum of all the bytes ingested by different products
| alter ingestiongb = divide (ingestion , pow(1024,3))//convert the respective data bytes to Gigabytes
| fields _product ,ingestiongb
| limit 20
| sort desc ingestiongb
| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = ingestiongb seriescolor("ingestiongb","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black"
dataset = metrics_source
| fields _vendor , _product , total_size_bytes , total_size_rate
| comp sum(total_size_bytes ) as ingestion by _product
| alter Ingestion_by_MB = divide(round(multiply(divide(ingestion , pow(2,20)),10000)),10000) //rounding out to 4 decimal places and convert to MB
| fields _product ,Ingestion_by_MB
| limit 20
| sort desc Ingestion_by_MB
| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = Ingestion_by_MB seriescolor("Ingestion_by_MB","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black"
XSIAM
dataset = collection_auditing
| filter (classification = """Error""" )
| comp latest(_time) by collector_type , instance , classification ,description preset = metrics_view
| comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, _collector_name, _collector_type , _final_reporting_device_ip ,_final_reporting_device_name , _broker_device_id ,_vendor , _product
| filter total_event_count_sum = 0
preset = metrics_view
| comp sum(total_event_count) as total_event_count_sum by _collector_id, _collector_ip, _collector_name, _collector_type , _final_reporting_device_ip ,_final_reporting_device_name , _broker_device_id ,_vendor , _product
Monitoring with XQL How-To Video: Data Ingestion Metrics
Cortex XDR XQL Language Reference
Cortex XDR XQL Schema Reference
Beacon course
XQL basic crash course
XQL use cases & applications crash course
Have a question? Post it on our Discussions forum
