Cortex XDR Videos
Advanced XQL

This webinar covers how to use XQL to build out use cases, including an extensive XQL building demo. For the best experience, we recommend watching the videos in full-screen view. Make sure to review the XQL queries under the videos.

Intro & Extraction Demo: (video)
Scenario Introduction: (video)
User Group Demo: (video)

XQL queries

Extraction demo

Extraction using arrayindex() and regextract():

config case_sensitive = false
| dataset = xdr_data // Using the xdr dataset
| fields action_evtlog_message, event_type, action_evtlog_event_id, agent_hostname, action_evtlog_data_fields
| filter event_type = ENUM.EVENT_LOG
| filter action_evtlog_event_id in (4720)
| alter SID_RegExtract = regextract(action_evtlog_message, "[\n\r][ \t]*Security ID:[ \t]*([^\n\r]*)")
| alter AccountName_RegExtract = regextract(action_evtlog_message, "[\n\r][ \t]*Account Name:[ \t]*([^\n\r]*)")
| alter AccountDomain_RegExtract = regextract(action_evtlog_message, "[\n\r][ \t]*Account Domain:[ \t]*([^\n\r]*)")
| alter Subject_SID = arrayindex(SID_RegExtract, 0)
| alter Target_SID = arrayindex(SID_RegExtract, 1)
| alter Subject_AccountName = arrayindex(AccountName_RegExtract, 0)
| alter Target_AccountName = arrayindex(AccountName_RegExtract, 1)
| alter Subject_DomainName = arrayindex(AccountDomain_RegExtract, 0)
| alter Target_DomainName = arrayindex(AccountDomain_RegExtract, 1)
| alter Subject_SID_directEXT = arrayindex(regextract(action_evtlog_message, "[\n\r][ \t]*Security ID:[ \t]*([^\n\r]*)"), 0)
| alter Subject_AccountName_directExt = arrayindex(regextract(action_evtlog_message, "[\n\r][ \t]*Account Name:[ \t]*([^\n\r]*)"), 0)
| alter Target_AccountName_directExt = arrayindex(regextract(action_evtlog_message, "[\n\r][ \t]*Account Name:[ \t]*([^\n\r]*)"), 1)

===================================

Extraction using json_extract_scalar():

config case_sensitive = false
| dataset = xdr_data // Using the xdr dataset
| fields action_evtlog_message, event_type, action_evtlog_event_id, agent_hostname, action_evtlog_data_fields
| filter event_type = ENUM.EVENT_LOG
| filter action_evtlog_event_id in (4720)
| alter Subject_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserName")
| alter Target_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")

User group data JSON extraction demo:

config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4720
| fields action_evtlog_message, action_evtlog_data_fields, action_evtlog_event_id, agent_hostname, agent_ip_addresses, action_evtlog_description
| alter Creator_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserName")
| alter Creator_Account_SID = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserSid")
| alter Created_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")
| alter Created_Account_SID = json_extract(action_evtlog_data_fields, "$.TargetSid")
| alter Creator_Domain_name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectDomainName")
| alter Creator_User_Type = if ((Creator_Domain_name = agent_hostname), "Local_User", "Domain_User")
| join (
    preset = xdr_event_log
    | filter action_evtlog_event_id = 4732
    | alter Group_Member_SID = json_extract(action_evtlog_data_fields, "$.MemberSid")
    | alter User_Group_Name = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")
    | alter Action_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserName")
    | alter User_Group_SID = json_extract_scalar(action_evtlog_data_fields, "$.TargetSid")
  ) as DemoXQL demoxql.Group_Member_SID = Created_Account_SID
| fields Creator_Account_Name, Created_Account_Name, Action_Account_Name, agent_hostname, Creator_Domain_name, Creator_User_Type, User_Group_Name, User_Group_SID, action_evtlog_event_id, action_evtlog_message, action_evtlog_data_fields
| filter (User_Group_Name = """Administrators""")
| sort desc _time
| join (
    preset = host_inventory_users
    | fields endpoint_name, disabled as Is_Created_Account_Disabled, password_expired as Is_Created_Account_password_expired, name, full_name as Created_Account_full_name
  ) as AddedHostInventory addedhostinventory.endpoint_name = agent_hostname
| filter name = Created_Account_Name
| fields Creator_Account_Name, Action_Account_Name, Created_Account_Name, Is_Created_Account_Disabled, Is_Created_Account_password_expired, agent_hostname, Creator_Domain_name, Creator_User_Type, User_Group_Name, User_Group_SID, action_evtlog_event_id, action_evtlog_message, action_evtlog_data_fields

Recommended guides:
Cortex XDR XQL Language Reference
Cortex XDR XQL Schema Reference
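As an added example (not from the webinar), the same two steps in Python over constructed 4720 and 4732 events: regextract() and arrayindex() over the rendered message text, where index 0 is the Subject block and index 1 the New Account block, then the json_extract_scalar() join of the created account's SID to a 4732 MemberSid filtered to the Administrators group. The host_inventory_users join is not reproduced, and every event value below is invented.

```python
import json
import re

# Constructed sample events (values invented) shaped like the xdr_data fields the queries read.
MSG_4720 = ("A user account was created.\r\n\r\nSubject:\r\n"
            "\tSecurity ID:\t\tS-1-5-21-111-222-333-1001\r\n\tAccount Name:\t\tjdoe\r\n"
            "\tAccount Domain:\t\tWS01\r\n\r\nNew Account:\r\n"
            "\tSecurity ID:\t\tS-1-5-21-111-222-333-1050\r\n\tAccount Name:\t\tsvc_backup\r\n"
            "\tAccount Domain:\t\tWS01\r\n")
EVENTS = [
    {"action_evtlog_event_id": 4720, "agent_hostname": "WS01", "action_evtlog_message": MSG_4720,
     "action_evtlog_data_fields": json.dumps({
         "SubjectUserName": "jdoe", "SubjectDomainName": "WS01",
         "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-111-222-333-1050"})},
    {"action_evtlog_event_id": 4732, "agent_hostname": "WS01",
     "action_evtlog_data_fields": json.dumps({
         "SubjectUserName": "jdoe", "MemberSid": "S-1-5-21-111-222-333-1050",
         "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"})},
]

def regextract(message, label):
    # Same pattern as the XQL regextract(): all capture-group matches, in document order.
    return re.findall(r"[\n\r][ \t]*" + label + r":[ \t]*([^\n\r]*)", message)

def parse_4720(event):
    # arrayindex(..., 0) is the Subject block, arrayindex(..., 1) the New Account block.
    out = {}
    for label, key in (("Security ID", "sid"), ("Account Name", "name"), ("Account Domain", "domain")):
        matches = regextract(event["action_evtlog_message"], label)
        out["subject_" + key], out["target_" + key] = matches[0], matches[1]
    return out

def admin_adds_for_created_accounts(events):
    # Mirror the XQL join: 4720 TargetSid = 4732 MemberSid, filtered to the Administrators group.
    created = {}
    for ev in events:
        if ev["action_evtlog_event_id"] == 4720:
            f = json.loads(ev["action_evtlog_data_fields"])  # json_extract_scalar() lookups
            local = f["SubjectDomainName"].lower() == ev["agent_hostname"].lower()
            created[f["TargetSid"]] = {"creator": f["SubjectUserName"], "created": f["TargetUserName"],
                                       "host": ev["agent_hostname"],
                                       "creator_type": "Local_User" if local else "Domain_User"}
    hits = []
    for ev in events:
        if ev["action_evtlog_event_id"] == 4732:
            f = json.loads(ev["action_evtlog_data_fields"])
            if f["TargetUserName"].lower() == "administrators" and f["MemberSid"] in created:
                hits.append({**created[f["MemberSid"]], "added_by": f["SubjectUserName"],
                             "group_sid": f["TargetSid"]})
    return hits
```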
Endpoint Administration Webinar Part 1

This webinar covers the Cortex XDR agent-related administrative tasks, from installation and architecture to common issues and our pro tips! Watch the video and use the resources that were shared during the webinar, listed below.

Resources:

Adding a proxy list during the installation:
msiexec /i c:\install\cortexxdr.msi proxy_list="My.Network.Name:808,10.196.20.244:8080"

For an endpoint-side local uninstall, disable Tamper Protection first:
cytool protect disable

XQL custom widget for count of endpoints by minor release:

config case_sensitive = false timeframe = 30d
| dataset = endpoints
| filter endpoint_status = ENUM.CONNECTED or endpoint_status = ENUM.DISCONNECTED
| alter agent_version_formatted = regextract(agent_version, "^\D*(\d+(?:\.\d+)?)")
| arrayexpand agent_version_formatted
| comp count(agent_version_formatted) as no_of_agents by agent_version_formatted
| fields agent_version_formatted, no_of_agents
| sort asc agent_version_formatted
| view graph type = column subtype = grouped,horizontal header = "Count of Endpoints by Minor Release" show_callouts = `true` xaxis = agent_version_formatted yaxis = no_of_agents legend = `false` xaxistitle = "Agents by Minor Release"

List of duplicate endpoints:

dataset = endpoints
| fields endpoint_id, endpoint_name, last_seen
| comp count() as count by endpoint_name addrawdata = true as raw_data
| filter count > 1
| sort desc count
| alter endpoint_name = arrayindex(raw_data, 0) -> endpoint_name
| alter endpoint_id = arrayindex(raw_data, 0) -> endpoint_id
| alter last_seen = arrayindex(raw_data, 0) -> last_seen

XQL custom widget for top 20 duplicate endpoints:

dataset = endpoints
| fields endpoint_id, endpoint_name, last_seen
| comp count() as no_of_duplicates by endpoint_name
| filter no_of_duplicates > 1
| fields endpoint_name, no_of_duplicates
| sort desc no_of_duplicates
| limit 20
| view graph type = column subtype = grouped,horizontal header = "Top 20 duplicate endpoints" show_callouts = `true` xaxis = endpoint_name yaxis = no_of_duplicates legend = `false` xaxistitle = "Number of duplicates per endpoint"

Count of endpoints per operational status:

dataset = endpoints
| fields endpoint_name, is_edr_enabled
| comp count_distinct(endpoint_name) as counter by is_edr_enabled
| view graph type = pie show_callouts = `true` xaxis = is_edr_enabled yaxis = counter

Live Terminal command samples (Shift + Enter to execute):
hostname
C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

Live Terminal Python script sample (Shift + Enter to execute):
import os
print(os.listdir('c:\\users'))

Demo cytool commands (tool used: Process Explorer)

The list below is not exhaustive; see the attached Slide 24 and use the cytool help output to see all the available cytool commands.

===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool
===========================

Run CMD as administrator.
Change directory to the Cortex XDR binary folder: run the command cd "C:\Program Files\Palo Alto Networks\Traps"
Enter the Supervisor Password (Uninstall Password) for privileged commands:
cytool runtime query
cytool protect query
cytool websocket query
cytool connectivity_test

Another variant without changing the path:
C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

An alternative way to pause protection:
cytool security [enable | disable]
        enable           Enables security profiles.
        disable          Disables security profiles.

ID extraction & reconnection

To extract the distribution ID locally and reconnect the agent (the new distribution_id can also be copied from your Cortex XDR tenant):
cat /opt/traps/config/trapsd.xml | grep -i distribution_id

Cytool reconnect:
cytool reconnect force DISTRIBUTION_ID

Try cytool reconnect without the distribution ID first.
Note: the cytool reconnect force command will create a duplicate endpoint and a new instance. As a result, it is not meant to be used multiple times.

===========================
On macOS
===========================

sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime query
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime stop all
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime start all
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin

============================
Linux
============================

Processes protected by Cortex XDR: ./cytool enum
Websocket: ./cytool websocket query
Checkin: ./cytool checkin
Last checkin time: ./cytool last_checkin
Agent files and directories in use for logs, EDR, download, etc.: cat /opt/traps/config/common.xml
Connectivity: ./cytool connectivity_test
Agent version: cat /opt/traps/version.txt
Agent distribution ID: cat /opt/traps/config/trapsd.xml | grep -i distribution_id
                       cat /opt/traps/config/db_backup/distribution_id.txt
Proxy IP address configured: cat /opt/traps/config/trapsd.xml | grep -i proxy_list

=========================

Agent functionality:

To implement the agent functionality, the agent includes the following components:

Drivers and services (shown by cytool runtime query)

Processes: the processes that start running when the service starts or when needed:
cyserver.exe
cortex-xdr-payload.exe
tlaworker.exe
cytray.exe
cyveraconsole.exe

DLLs:
cyinjct.dll
cyvrtrap.dll
cyvera.dll

Registry: holds important keys of policy information, policy configurations, and protected processes:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\policy