This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

zarnous
L2 Linker

‎06-08-2023 07:03 AM

Hi @sushant1601 ,

Thank you for posting these questions, please find below my response to each of them:
1. You can query against either datasets or Presets in a dataset query ; however, presets offer groupings of xdr_data fields that are useful for analyzing specific areas of network and endpoint activity. All of the fields available for a preset are also available on the larger xdr_data dataset, but by using the preset your query can run more efficiently
For that, I would also recommend going over our newly published detailed training for XQL, the full course can be found here, and for the data sources part that is part of it , it can be also found under the title "2. XQL Building block: Data Source & Structure ". 

2. The field "agent_hostname" will operate the same in both the "preset = xdr_event_log" and "dataset = xdr_data", and yes, the hostname should remain the same in the query regardless when/ how you query the result, the value of the field should not changed unless the hostname itself changes. 

3. Yes, you can query IIS data ingested to XDR using XQL. Cortex XDR provides YAML templates for DHCP, DNS, IIS, and NGINX. This can be achieved by configuring an XDR Collector Profile for Windows. Then, to query the IIS logs, you can use XQL to query "dataset = iis_iis_raw" for the raw logs ingested to XDR, as well as the parsed logs if you happen to create a parsing rule for the raw logs, an example for doing so is below 
[INGEST:vendor = "iis", product = "iis", target_dataset ="microsoft_iis_parsed", no_hit = keep]
alter date = arrayindex(regextract(_raw_log, "[^\s]+"),0),
time = arrayindex(regextract(_raw_log, "[^\s]+"),1),
s_ip = arrayindex(regextract(_raw_log, "[^\s]+"),2),
cs_method = arrayindex(regextract(_raw_log, "[^\s]+"),3),
cs_uri_stem = arrayindex(regextract(_raw_log, "[^\s]+"),4),
cs_uri_query = arrayindex(regextract(_raw_log, "[^\s]+"),5),
s_port = arrayindex(regextract(_raw_log, "[^\s]+"),6),
cs_username = arrayindex(regextract(_raw_log, "[^\s]+"),7),
c_ip = arrayindex(regextract(_raw_log, "[^\s]+"),8),
cs_user_agent = arrayindex(regextract(_raw_log, "[^\s]+"),9),
cs_referer = arrayindex(regextract(_raw_log, "[^\s]+"),10),
sc_status = arrayindex(regextract(_raw_log, "[^\s]+"),11),
sc_substatus = arrayindex(regextract(_raw_log, "[^\s]+"),12),
sc_win32_status = arrayindex(regextract(_raw_log, "[^\s]+"),13),
time_taken = arrayindex(regextract(_raw_log, "[^\s]+"),14);

If you have this configured, then you cna query the dataset "dataset = microsoft_iis_parsed", and the name of the dataset is coming from the parsing rule first line seen above "[INGEST:vendor = "iis", product = "iis", target_dataset ="microsoft_iis_parsed", no_hit = keep]"

In addition, and as partially mentioned above, we have published a detailed training for XQL , with 2 parts, i will link theme below here as well, please feel free to take advantage of those and let me know if you happen to have any questions.

Cortex XDR Basic XQL Crash Course
Cortex XDR XQL Use Cases and Applications Crash Course

I hope the above was helpful and answered your questions, please let me know if any! 
Thanks
Z


Z

View solution in original post

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks