Am I right? PA will take this useful feautre away, because they wan't to sell us a firewall? We allready have a firewall and we just need this information, which is shown in the xdr_agent_network preset. https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2021 Network Events Deprecation ( Starting with the next Cortex XDR release ) After Cortex XDR introduced network collection events, that are stitched across endpoints and the Palo Alto Networks next-generation firewalls logs, there is no longer need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using Network Connections in the Query Builder. When searching in XQL, you should avoid using the xdr_agent_network preset and use the newtork_story preset instead.
... View more