
Cortex XDR - XQL Query Engine

This Integration is part of the Cortex XDR by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Cortex XDR - XQL Query Engine enables you to run XQL queries on your Cortex XDR data sources. This integration was integrated and tested with version 3.0 of Cortex XDR.

To access all datasets, make sure the role assigned to your API key is at least Investigator. A role limited to the investigation query view can access every dataset except endpoints and host_inventory. For additional information see Predefined User Roles for Cortex XDR.

Configure Cortex XDR - XQL Query Engine in Cortex

| Parameter | Required |
| --- | --- |
| Server URL | True |
| API Key ID | False |
| API Key | False |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |

Leave Trust any certificate disabled unless you deliberately accept an unverified TLS connection to the tenant API: the API key is sent in every request, so it is only as private as that connection.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xdr-xql-generic-query

Execute an XQL query and retrieve its results. The command polls every 10 seconds (or every interval_in_seconds) until the results are available or a timeout error is raised. When a query returns more than 1000 results, the command returns a gzip-compressed JSON file, unless parse_result_file_to_context is set to true, in which case the results are extracted to context.

Base Command

xdr-xql-generic-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The XQL query string. By default up to 100 results are returned; to retrieve more, add a custom limit stage to the query. | Required |
| time_frame | Time in relative or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| tenant_id | List of tenant IDs for running the query on local and Managed Security tenants. For a single (local) tenant query, pass a single-item list with your tenant ID; an empty list ([]) or null (default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or its local tenant), pass a multi-item list, which can contain the parent, the children, or both. | Optional |
| interval_in_seconds | Interval in seconds between polls. | Optional |
| max_fields | The maximum number of returned fields per result. Default is 20. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If true and the query returns more than 1000 results, the results are extracted as JSON into context instead of being returned as a .gz file. If false, the .gz file is returned without extracting the results to context. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.GenericQuery.execution_id | String | Unique ID of a successful XQL query execution (for example, 12345678_inv). Pass it to xdr-xql-get-query-results to retrieve the results again. |
| PaloAltoNetworksXQL.GenericQuery.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.GenericQuery.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.GenericQuery.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.GenericQuery.query_cost | Unknown | Query units consumed by this call, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.GenericQuery.remaining_quota | Number | Query units still available to you. |
| PaloAltoNetworksXQL.GenericQuery.results._time | Date | Result time. |
| PaloAltoNetworksXQL.GenericQuery.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.GenericQuery.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.GenericQuery.results.mac | Unknown | Host MAC address. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_effective_username | String | Effective user name of the initiating (actor) process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_image_name | String | The name of the process that initiated the activity. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_image_path | String | Path of the initiating process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_command_line | String | Command line arguments of the initiating process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_os_pid | Number | Initiating process ID. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_image_sha256 | String | SHA256 of the initiating process image. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_signature_vendor | String | Signer of the initiating process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_signature_status | String | Signing status of the initiating process: Unsigned, Signed, Invalid Signature, or Unknown. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_image_name | String | Name of the process that started the causality chain (the causality group owner). |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_image_path | String | Path of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_command_line | String | Command line arguments of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_os_pid | Number | Causality group owner process ID. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_image_sha256 | String | SHA256 of the causality group owner image. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_signature_vendor | String | Signer of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_signature_status | String | Signing status of the causality group owner: Unsigned, Signed, Invalid Signature, or Unknown. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_type | String | Type of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_image_name | String | Name of the operating system parent process. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_image_path | String | Path of the operating system parent process. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_command_line | String | Command line arguments of the operating system parent process. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_os_pid | Number | Operating system parent process ID. |
| PaloAltoNetworksXQL.GenericQuery.results.action_remote_process_image_sha256 | Unknown | SHA256 of the remote process image involved in the action. |
| PaloAltoNetworksXQL.GenericQuery.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.GenericQuery.results._product | String | The result product. |
| PaloAltoNetworksXQL.GenericQuery.results.agent_install_type | String | Agent install type. |

Command Example

!xdr-xql-generic-query query=`dataset = xdr_data | fields action_evtlog_message, event_id | limit 10`

Human Readable Output

General Results

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status |
| --- | --- | --- | --- | --- | --- |
| 12345678_inv | 10 | dataset = xdr_data \| fields action_evtlog_message, event_id \| limit 10 | 376699223: 0.0002125 | 999.9994905555556 | SUCCESS |

Data Results

| Product | Time | Vendor | Action Evtlog Message | Event Id | Insert Timestamp |
| --- | --- | --- | --- | --- | --- |
| P1 | 2021-08-28T09:15:56.000Z | PANW | | test1 | 2021-08-28T09:22:39.000Z |
| P1 | 2021-08-28T09:17:55.000Z | PANW | | test2 | 2021-08-28T09:22:39.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test3 | 2021-08-28T09:22:23.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test4 | 2021-08-28T09:22:29.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test5 | 2021-08-28T09:22:29.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test6 | 2021-08-28T09:22:14.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test7 | 2021-08-28T09:22:23.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test8 | 2021-08-28T09:22:14.000Z |
| P1 | 2021-08-28T09:14:57.000Z | PANW | | test9 | 2021-08-28T09:22:29.000Z |
| P1 | 2021-08-28T09:12:57.000Z | PANW | | test10 | 2021-08-28T09:22:23.000Z |
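The start, poll and fetch cycle that the command description above outlines, as an added example written for this page rather than code taken from the integration. It assumes the Cortex XDR public API endpoint paths, the x-xdr-auth-id and Authorization headers of a standard (non-Advanced) API key, the request and reply JSON shapes, and that the gzip stream returned for more than 1000 results is JSON lines; FakeXdr, the placeholder tenant URL and the sample rows are constructed so that it runs offline.

```python
"""Added example, not the integration's source: the start / poll / fetch cycle
behind xdr-xql-generic-query and xdr-xql-get-query-results. Endpoint paths,
headers and JSON shapes follow the Cortex XDR public API as I know it (standard
API key; an Advanced key needs request signing not shown here); the JSON-lines
layout of the gzip stream is an assumption. FakeXdr is a constructed tenant."""
import gzip
import json
import time

START = "/public_api/v1/xql/start_xql_query/"
RESULTS = "/public_api/v1/xql/get_query_results/"
STREAM = "/public_api/v1/xql/get_query_results_stream/"


class XqlError(Exception):
    pass


class XqlClient:
    def __init__(self, base_url, api_key_id, api_key, transport, sleep=time.sleep):
        # transport(url, headers, body_bytes) -> (http_status, body_bytes). Injected so a real
        # HTTP client (with certificate verification left ON) or a fake can be plugged in.
        self.base_url = base_url.rstrip("/")
        self.headers = {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
                        "Content-Type": "application/json"}
        self.transport, self.sleep = transport, sleep

    def _post(self, path, request_data):
        status, raw = self.transport(self.base_url + path, self.headers,
                                     json.dumps({"request_data": request_data}).encode())
        if status != 200:
            raise XqlError(f"{path} returned HTTP {status}")   # never echo headers: they carry the key
        return raw

    def start(self, query, relative_time_ms=24 * 3_600_000, tenants=None):
        """Start a query; returns its execution_id (for example '12345678_inv')."""
        data = {"query": query, "timeframe": {"relativeTime": relative_time_ms}}
        if tenants:
            data["tenants"] = tenants
        return json.loads(self._post(START, data))["reply"]

    def wait_for_results(self, execution_id, interval=10, timeout=600):
        """Poll every `interval` seconds until the status leaves PENDING or `timeout` elapses."""
        for _ in range(max(1, timeout // interval)):
            request = {"query_id": execution_id, "pending_flag": True, "limit": 1000, "format": "json"}
            reply = json.loads(self._post(RESULTS, request))["reply"]
            if reply.get("status") != "PENDING":
                return reply
            self.sleep(interval)
        raise XqlError(f"{execution_id} still PENDING after {timeout}s; fetch it later by execution_id")

    def fetch_all(self, execution_id, interval=10, timeout=600):
        reply = self.wait_for_results(execution_id, interval, timeout)
        if reply["status"] == "FAIL":
            raise XqlError(f"{execution_id} failed: {reply}")
        results = reply.get("results") or {}
        if "stream_id" in results:
            # More than 1000 rows: the reply carries a stream id and the rows come back as a
            # gzip-compressed file (the .gz the command returns unless parse_result_file_to_context
            # is true). Decompress and parse it here instead of handing the file to the analyst.
            raw = self._post(STREAM, {"stream_id": results["stream_id"], "is_gzip_compressed": True})
            rows = [json.loads(line) for line in gzip.decompress(raw).decode().splitlines() if line.strip()]
        else:
            rows = results.get("data", [])
        return {"execution_id": execution_id, "status": reply["status"],
                "partial": reply["status"] == "PARTIAL_SUCCESS",   # multi-tenant: some tenant failed
                "number_of_results": reply.get("number_of_results", len(rows)),
                "query_cost": reply.get("query_cost"), "remaining_quota": reply.get("remaining_quota"),
                "results": rows}


class FakeXdr:
    """Constructed tenant stand-in: answers PENDING `pending_polls` times, then serves `rows`."""
    def __init__(self, rows, pending_polls=2):
        self.rows, self.pending_left, self.calls = rows, pending_polls, []

    def __call__(self, url, headers, body):
        self.calls.append(url.rstrip("/").rsplit("/", 1)[-1])
        if not headers.get("x-xdr-auth-id") or not headers.get("Authorization"):
            return 401, b'{"reply": {"err_msg": "missing credentials"}}'
        if url.endswith(START):
            return 200, json.dumps({"reply": "12345678_inv"}).encode()
        if url.endswith(RESULTS):
            if self.pending_left:
                self.pending_left -= 1
                return 200, json.dumps({"reply": {"status": "PENDING"}}).encode()
            reply = {"status": "SUCCESS", "number_of_results": len(self.rows),
                     "query_cost": {"376699223": 0.0002125}, "remaining_quota": 999.9994905555556,
                     "results": {"stream_id": "s-1"} if len(self.rows) > 1000 else {"data": self.rows}}
            return 200, json.dumps({"reply": reply}).encode()
        if url.endswith(STREAM):
            return 200, gzip.compress("\n".join(json.dumps(r) for r in self.rows).encode())
        return 404, b""


def run_demo(row_count=1500):
    """Run the full cycle against FakeXdr; returns (result dict, endpoints called in order)."""
    rows = [{"_time": "2021-08-28T09:15:56.000Z", "event_id": f"test{i}"} for i in range(row_count)]
    fake = FakeXdr(rows)
    client = XqlClient("https://api-example.xdr.paloaltonetworks.com",   # placeholder tenant URL
                       "12", "placeholder-key", fake, sleep=lambda _s: None)
    execution_id = client.start("dataset = xdr_data | fields action_evtlog_message, event_id | limit 2000")
    return client.fetch_all(execution_id), fake.calls
```

Two points worth keeping from this shape: a PENDING query that outlives the timeout is not lost, since the execution_id can be fed back later exactly as xdr-xql-get-query-results does, and PARTIAL_SUCCESS is surfaced as a flag rather than silently treated as a complete result set.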

xdr-xql-get-quota

Retrieve the amount of query quota available and used.

Base Command

xdr-xql-get-quota

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.Quota.license_quota | Number | Amount of daily quota allocated to your tenant based on your license type and size. |
| PaloAltoNetworksXQL.Quota.additional_purchased_quota | Number | Amount of query quota purchased. |
| PaloAltoNetworksXQL.Quota.eval_quota | Number | Evaluation quota (returned by the API, as in the example below). |
| PaloAltoNetworksXQL.Quota.used_quota | Number | Amount of query quota used over the past 24 hours. |

Command Example

!xdr-xql-get-quota

Context Example

    {
        "PaloAltoNetworksXQL": {
            "Quota": {
                "additional_purchased_quota": 0,
                "eval_quota": 0,
                "license_quota": 1000,
                "used_quota": 0.00299
            }
        }
    }

Human Readable Output

Quota Results

| Additional Purchased Quota | Eval Quota | License Quota | Used Quota |
| --- | --- | --- | --- |
| 0.0 | 0.0 | 1000 | 0.00299 |

xdr-xql-get-query-results

Retrieve the results of an XQL query that was already started, by its execution ID. When more than 1000 results are retrieved, the command returns a gzip-compressed JSON file, unless parse_result_file_to_context is set to true, in which case the results are extracted to context.

Base Command

xdr-xql-get-query-results

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_id | The unique execution ID returned when the XQL query was started (for example, 12345678_inv). | Required |
| max_fields | The maximum number of returned fields per result. Default is 20. | Optional |
| parse_result_file_to_context | If true and the query returns more than 1000 results, the results are extracted as JSON into context instead of being returned as a .gz file. If false, the .gz file is returned without extracting the results to context. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.GenericQuery.execution_id | String | Unique ID of a successful XQL query execution (for example, 12345678_inv). Pass it to xdr-xql-get-query-results to retrieve the results again. |
| PaloAltoNetworksXQL.GenericQuery.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.GenericQuery.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.GenericQuery.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.GenericQuery.query_cost | Unknown | Query units consumed by this call, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.GenericQuery.remaining_quota | Number | Query units still available to you. |
| PaloAltoNetworksXQL.GenericQuery.results._time | Date | Result time. |
| PaloAltoNetworksXQL.GenericQuery.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.GenericQuery.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.GenericQuery.results.mac | Unknown | Host MAC address. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_effective_username | String | Effective user name of the initiating (actor) process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_image_name | String | The name of the process that initiated the activity. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_image_path | String | Path of the initiating process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_command_line | String | Command line arguments of the initiating process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_os_pid | Number | Initiating process ID. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_image_sha256 | String | SHA256 of the initiating process image. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_signature_vendor | String | Signer of the initiating process. |
| PaloAltoNetworksXQL.GenericQuery.results.actor_process_signature_status | String | Signing status of the initiating process: Unsigned, Signed, Invalid Signature, or Unknown. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_image_name | String | Name of the process that started the causality chain (the causality group owner). |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_image_path | String | Path of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_command_line | String | Command line arguments of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_os_pid | Number | Causality group owner process ID. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_image_sha256 | String | SHA256 of the causality group owner image. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_signature_vendor | String | Signer of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_process_signature_status | String | Signing status of the causality group owner: Unsigned, Signed, Invalid Signature, or Unknown. |
| PaloAltoNetworksXQL.GenericQuery.results.causality_actor_type | String | Type of the causality group owner. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_image_name | String | Name of the operating system parent process. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_image_path | String | Path of the operating system parent process. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_command_line | String | Command line arguments of the operating system parent process. |
| PaloAltoNetworksXQL.GenericQuery.results.os_actor_process_os_pid | Number | Operating system parent process ID. |
| PaloAltoNetworksXQL.GenericQuery.results.action_remote_process_image_sha256 | Unknown | SHA256 of the remote process image involved in the action. |
| PaloAltoNetworksXQL.GenericQuery.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.GenericQuery.results._product | String | The result product. |
| PaloAltoNetworksXQL.GenericQuery.results.agent_install_type | String | Agent install type. |

Command Example

!xdr-xql-get-query-results query_id=12345678_inv

Human Readable Output

General Results

| Execution Id | Number Of Results | Query Cost | Remaining Quota | Status |
| --- | --- | --- | --- | --- |
| 12345678_inv | 2 | 376699223: 0.0007208333333333333 | 999.9845016666667 | SUCCESS |

Data Results

| Product | Time | Vendor | Event Id | Insert Timestamp |
| --- | --- | --- | --- | --- |
| XDR agent | 2021-08-29T07:40:07.000Z | PANW | test1 | 2021-08-29T07:45:08.000Z |
| XDR agent | 2021-08-29T07:40:06.000Z | PANW | test2 | 2021-08-29T07:45:08.000Z |

xdr-xql-file-event-query

Query file events by file SHA256 hash.

Base Command

xdr-xql-file-event-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID (agent_id) to run the query on. A comma-separated list restricts the query to several endpoints. | Optional |
| file_sha256 | SHA256 hash of the file to query. A comma-separated list queries several hashes. | Required |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Maximum number of results to return. If limit = 100 and the query produced 1,000 results, only the first 100 are returned; if it produced 50, all 50 are returned. If limit = 5000, up to 5,000 results are returned. If limit is null or empty (default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of tenant IDs for running the query on local and Managed Security tenants. For a single (local) tenant query, pass a single-item list with your tenant ID; an empty list ([]) or null (default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or its local tenant), pass a multi-item list, which can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If true and the query returns more than 1000 results, the results are extracted as JSON into context instead of being returned as a .gz file. If false, the .gz file is returned without extracting the results to context. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.FileEvent.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.FileEvent.execution_id | String | Unique ID of a successful XQL query execution (for example, 12345678_inv). Pass it to xdr-xql-get-query-results to retrieve the results again. |
| PaloAltoNetworksXQL.FileEvent.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.FileEvent.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.FileEvent.query_cost | Unknown | Query units consumed by this call, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.FileEvent.remaining_quota | Number | Query units still available to you. |
| PaloAltoNetworksXQL.FileEvent.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.FileEvent.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.FileEvent.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.FileEvent.results.action_file_path | String | File path of the action. |
| PaloAltoNetworksXQL.FileEvent.results.action_file_sha256 | String | SHA256 hash value of the file. |
| PaloAltoNetworksXQL.FileEvent.results.actor_process_file_create_time | String | Initiating process file create time. |
| PaloAltoNetworksXQL.FileEvent.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.FileEvent.results._time | String | Result time. |
| PaloAltoNetworksXQL.FileEvent.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.FileEvent.results._product | String | The result product. |

Command Example

!xdr-xql-file-event-query file_sha256=12345,6789 endpoint_id=test1,test2 time_frame="1 month"

Human Readable Output

General Results

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status | Time Frame |
| --- | --- | --- | --- | --- | --- | --- |
| 12345678_inv | 1 | dataset = xdr_data \| filter agent_id in ("test1","test2") and event_type = FILE and action_file_sha256 in ("12345","6789") \| fields agent_hostname, agent_ip_addresses, agent_id, action_file_path, action_file_sha256, actor_process_file_create_time \| limit 200 | 376699223: 0.002704166666666667 | 999.9795586111111 | SUCCESS | 1 month |

Data Results

| Product | Time | Vendor | Action File Path | Action File Sha256 | Actor Process File Create Time | Agent Hostname | Agent Id | Agent Ip Addresses | Insert Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| XDR agent | 2021-08-04T10:57:09.000Z | PANW | C:\Users\test1\test2 | Action File SHA | 2021-05-21T11:20:52.000Z | WIN10X64 | AgentID | IP | 2021-08-04T11:01:08.000Z |

xdr-xql-process-event-query

Query process events by process image SHA256 hash.

Base Command

xdr-xql-process-event-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID (agent_id) to run the query on. A comma-separated list restricts the query to several endpoints. | Optional |
| process_sha256 | SHA256 hash of the primary involved process to search for in the XDR dataset. A comma-separated list queries several hashes. | Required |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Maximum number of results to return. If limit = 100 and the query produced 1,000 results, only the first 100 are returned; if it produced 50, all 50 are returned. If limit = 5000, up to 5,000 results are returned. If limit is null or empty (default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of tenant IDs for running the query on local and Managed Security tenants. For a single (local) tenant query, pass a single-item list with your tenant ID; an empty list ([]) or null (default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or its local tenant), pass a multi-item list, which can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If true and the query returns more than 1000 results, the results are extracted as JSON into context instead of being returned as a .gz file. If false, the .gz file is returned without extracting the results to context. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.ProcessEvent.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.ProcessEvent.execution_id | String | Unique ID of a successful XQL query execution (for example, 2743_inv). Pass it to xdr-xql-get-query-results to retrieve the results again. |
| PaloAltoNetworksXQL.ProcessEvent.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.ProcessEvent.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.ProcessEvent.query_cost | Unknown | Query units consumed by this call, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.ProcessEvent.remaining_quota | Number | Query units still available to you. |
| PaloAltoNetworksXQL.ProcessEvent.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.ProcessEvent.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.ProcessEvent.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_image_sha256 | String | SHA256 of the target process image. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_image_name | String | Target process name. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_image_path | String | Target process image path. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_instance_id | String | Target process instance ID. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_causality_id | String | Target process causality ID. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_signature_vendor | String | Signer of the target process. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_signature_product | String | Signature product of the target process. |
| PaloAltoNetworksXQL.ProcessEvent.results.action_process_image_command_line | String | Target process command line. |
| PaloAltoNetworksXQL.ProcessEvent.results.actor_process_image_name | String | The name of the process that initiated the activity. |
| PaloAltoNetworksXQL.ProcessEvent.results.actor_process_image_path | String | Path of the initiating process. |
| PaloAltoNetworksXQL.ProcessEvent.results.actor_process_instance_id | String | Initiating process instance ID. |
| PaloAltoNetworksXQL.ProcessEvent.results.actor_process_causality_id | String | Initiating process causality ID. |
| PaloAltoNetworksXQL.ProcessEvent.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.ProcessEvent.results._time | String | Result time. |
| PaloAltoNetworksXQL.ProcessEvent.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.ProcessEvent.results._product | String | The result product. |

Command Example

!xdr-xql-process-event-query process_sha256=12345,6789 endpoint_id=test1,test2 time_frame="1 month"

Human Readable Output

General Results

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status | Time Frame |
| --- | --- | --- | --- | --- | --- | --- |
| 2743_inv | 3 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = PROCESS and action_process_image_sha256 in ("abcd","acdb") \| fields agent_hostname, agent_ip_addresses, agent_id, action_process_image_sha256, action_process_image_name, action_process_image_path, action_process_instance_id, action_process_causality_id, action_process_signature_vendor, action_process_signature_product, action_process_image_command_line, actor_process_image_name, actor_process_image_path, actor_process_instance_id, actor_process_causality_id \| limit 200 | 376699223: 0.0013455555555555556 | 999.9782130555556 | SUCCESS | 1 month |

Data Results

| Product | Time | Vendor | Action Process Causality Id | Action Process Image Command Line | Action Process Image Name | Action Process Image Path | Action Process Image Sha256 | Action Process Instance Id | Action Process Signature Product | Action Process Signature Vendor | Actor Process Causality Id | Actor Process Image Name | Actor Process Image Path | Actor Process Instance Id | Agent Hostname | Agent Id | Agent Ip Addresses | Insert Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| XDR agent | 2021-08-01T12:39:04.000Z | PANW | test1 | C:\Windows\test1\test1.exe | test1.exe | C:\Windows\test1\test1.exe | test1 Action Process Image Sha256 | test1_id | Microsoft Windows | Microsoft Corporation | test1 ID | test.exe | C:\Windows\test.exe | ID | WIN10X64 | Agent ID | IP | 2021-08-01T12:43:59.000Z |
| XDR agent | 2021-07-29T13:22:32.000Z | PANW | test2 | C:\Windows\test2\test2.exe | test2.exe | C:\Windows\test2\test2.exe | test2 Action Process Image Sha256 | test2_id | Microsoft Windows | Microsoft Corporation | test2 ID | test.exe | C:\Windows\test.exe | ID | WIN10X64 | Agent ID | IP | 2021-07-29T13:26:32.000Z |
| XDR agent | 2021-07-29T13:22:28.000Z | PANW | test3 | C:\Windows\test3\test3.exe | test3.exe | C:\Windows\test3\test3.exe | test3 Action Process Image Sha256 | test3_id | Microsoft Windows | Microsoft Corporation | test3 ID | test.exe | C:\Windows\test.exe | ID | WIN10X64 | Agent ID | IP | 2021-07-29T13:26:32.000Z |

xdr-xql-dll-module-query

Query DLL module load events by module SHA256 hash.

Base Command

xdr-xql-dll-module-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID (agent_id) to run the query on. A comma-separated list restricts the query to several endpoints. | Optional |
| loaded_module_sha256 | SHA256 hash of the DLL module to search for in the XDR dataset. A comma-separated list queries several hashes. | Required |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Maximum number of results to return. If limit = 100 and the query produced 1,000 results, only the first 100 are returned; if it produced 50, all 50 are returned. If limit = 5000, up to 5,000 results are returned. If limit is null or empty (default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of tenant IDs for running the query on local and Managed Security tenants. For a single (local) tenant query, pass a single-item list with your tenant ID; an empty list ([]) or null (default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or its local tenant), pass a multi-item list, which can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If true and the query returns more than 1000 results, the results are extracted as JSON into context instead of being returned as a .gz file. If false, the .gz file is returned without extracting the results to context. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.DllModule.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.DllModule.execution_id | String | Unique ID of a successful XQL query execution (for example, 1234_inv). Pass it to xdr-xql-get-query-results to retrieve the results again. |
| PaloAltoNetworksXQL.DllModule.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.DllModule.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.DllModule.query_cost | Unknown | Query units consumed by this call, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.DllModule.remaining_quota | Number | Query units still available to you. |
| PaloAltoNetworksXQL.DllModule.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.DllModule.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.DllModule.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.DllModule.results.actor_effective_username | String | Effective user name of the process that loaded the module. |
| PaloAltoNetworksXQL.DllModule.results.action_module_sha256 | String | SHA256 of the loaded module. |
| PaloAltoNetworksXQL.DllModule.results.action_module_path | String | Path of the loaded module. |
| PaloAltoNetworksXQL.DllModule.results.action_module_file_info | String | File information of the loaded module. |
| PaloAltoNetworksXQL.DllModule.results.action_module_file_create_time | String | File create time of the loaded module. |
| PaloAltoNetworksXQL.DllModule.results.actor_process_image_name | String | The name of the process that loaded the module. |
| PaloAltoNetworksXQL.DllModule.results.actor_process_image_path | String | Path of the loading process. |
| PaloAltoNetworksXQL.DllModule.results.actor_process_command_line | String | Command line arguments of the loading process. |
| PaloAltoNetworksXQL.DllModule.results.actor_process_image_sha256 | String | SHA256 of the loading process image. |
| PaloAltoNetworksXQL.DllModule.results.actor_process_instance_id | String | Loading process instance ID. |
| PaloAltoNetworksXQL.DllModule.results.actor_process_causality_id | String | Loading process causality ID. |
| PaloAltoNetworksXQL.DllModule.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.DllModule.results._time | String | Result time. |
| PaloAltoNetworksXQL.DllModule.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.DllModule.results._product | String | The result product. |

Command Example

!xdr-xql-dll-module-query loaded_module_sha256=1234,2345 endpoint_id=test1,test2

Human Readable Output

General Results

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status |
| --- | --- | --- | --- | --- | --- |
| 1234_inv | 3 | dataset = xdr_data \| filter agent_id in ("test1","test2") and event_type = LOAD_IMAGE and action_module_sha256 in ("1234","2345") \| fields agent_hostname, agent_ip_addresses, agent_id, actor_effective_username, action_module_sha256, action_module_path, action_module_file_info, action_module_file_create_time, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, actor_process_instance_id, actor_process_causality_id \| limit 200 | 376699223: 0.001661388888888889 | 999.9754347222222 | SUCCESS |

Data Results

| Product | Time | Vendor | Action Module File Create Time | Action Module File Info | Action Module Path | Action Module Sha256 | Actor Effective Username | Actor Process Causality Id | Actor Process Command Line | Actor Process Image Name | Actor Process Image Path | Actor Process Image Sha256 | Actor Process Instance Id | Agent Hostname | Agent Id | Agent Ip Addresses | Insert Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| XDR agent | 2021-08-28T11:52:12.000Z | PANW | 2020-10-14T03:12:11.000Z | {"company":"Test Corporation","description":"" | | 1234 | NT AUTHORITY\SYSTEM | id_test | "C:\Program Files (x86)\test1" | test1.exe | "C:\Program Files (x86)\test1" | ID_1 | ID_1 | WIN10X64 | 1234 | IP Addr | 2021-08-28T11:54:02.000Z |
| XDR agent | 2021-08-28T15:49:52.000Z | PANW | 2021-01-12T21:25:51.000Z | {"company":"Test Corporation","description":"" | | 2345 | NT AUTHORITY\SYSTEM | id_test | "C:\Program Files (x86)\test2" | test2.exe | "C:\Program Files (x86)\test2" | ID_2 | ID_2 | WIN10X64 | 1234 | IP Addr | 2021-08-28T15:54:40.000Z |
| XDR agent | 2021-08-28T22:52:11.000Z | PANW | 2021-01-12T21:25:51.000Z | {"company":"Test Corporation","description":"" | | 3456 | NT AUTHORITY\SYSTEM | id_test | "C:\Program Files (x86)\test3" | test3.exe | "C:\Program Files (x86)\test3" | ID_3 | ID_3 | WIN10X64 | 1234 | IP Addr | 2021-08-28T22:55:50.000Z |

xdr-xql-network-connection-query#


Query network connections between a source IP, destination IP and port.

Base Command#

xdr-xql-network-connection-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID to run the query on. | Optional |
| local_ip | Source IP of the network connection query. | Optional |
| remote_ip | Destination IP of the network connection query. | Required |
| port | Destination port of the network connection query. | Optional |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Integer representing the maximum number of results to return. For example: if limit = 100 and the query produced 1,000 results, only the first 100 results are returned; if limit = 100 and the query produced 50 results, all 50 results are returned; if limit = 5000, 5,000 results are returned; if limit is null or empty (the default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of strings used for running APIs on local and Managed Security tenants. Valid values: for a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), enter a multi-item list with the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted as JSON data to context instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.NetworkConnection.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.NetworkConnection.execution_id | String | An integer representing a unique ID of a successful XQL query execution. The execution_id value can be passed to the xdr-xql-get-query-results command. |
| PaloAltoNetworksXQL.NetworkConnection.status | String | String representing the status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query; only partial results are available. |
| PaloAltoNetworksXQL.NetworkConnection.number_of_results | Number | Integer representing the number of results returned. |
| PaloAltoNetworksXQL.NetworkConnection.query_cost | Unknown | Floating-point number representing the query units consumed by this API call, keyed by tenant. For example, {"local_tenant_id": 0.01}. For multi-tenant queries, the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.NetworkConnection.remaining_quota | Number | Floating-point number representing the query units still available for you to use. |
| PaloAltoNetworksXQL.NetworkConnection.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.NetworkConnection.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.NetworkConnection.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_effective_username | String | Parent user name. |
| PaloAltoNetworksXQL.NetworkConnection.results.action_local_ip | String | Local IP. |
| PaloAltoNetworksXQL.NetworkConnection.results.action_remote_ip | String | Remote IP. |
| PaloAltoNetworksXQL.NetworkConnection.results.action_remote_port | String | Remote port. |
| PaloAltoNetworksXQL.NetworkConnection.results.dst_action_external_hostname | String | External hostname. |
| PaloAltoNetworksXQL.NetworkConnection.results.action_country | String | Action country. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_process_image_name | String | The name of the process that initiated the activity. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_process_image_path | String | Path of the initiating process. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_process_command_line | String | Command line arguments of the initiator. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_process_image_sha256 | String | The SHA256 value of the initiator. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_process_instance_id | String | Initiator instance ID. |
| PaloAltoNetworksXQL.NetworkConnection.results.actor_process_causality_id | String | Initiator causality ID. |
| PaloAltoNetworksXQL.NetworkConnection.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.NetworkConnection.results._time | String | Result time. |
| PaloAltoNetworksXQL.NetworkConnection.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.NetworkConnection.results._product | String | The result product. |
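The status, query_cost and parse_result_file_to_context fields described above are common to every xdr-xql-* command on this page, and a playbook has to act on them: PARTIAL_SUCCESS is partial data rather than success, query_cost is a per-tenant dictionary that must be summed for quota accounting, and when more than 1000 rows come back without extraction to context the result is a gzipped JSON file that still has to be decoded. The following Python is an added example, not code from the integration or from Cortex XDR; the sample context dictionary is constructed, the function names are mine, and the layout assumed for the .gz file (one JSON document, or newline-delimited JSON objects) is an assumption of the example.

```python
import gzip
import json
from typing import Any, Dict, List, Tuple

# Constructed sample shaped like the context output the xdr-xql-* commands produce
# (keys follow the Context Output table above; the values are invented for this example).
SAMPLE_CONTEXT: Dict[str, Any] = {
    "query_name": "conn-check",
    "execution_id": "2758_inv",
    "status": "PARTIAL_SUCCESS",
    "number_of_results": 2,
    "query_cost": {"tenant_id_1": 0.01, "tenant_id_2": 2.3},
    "remaining_quota": 999.9737266666667,
    "results": [
        {"agent_id": "1234", "action_remote_ip": "203.0.113.10", "action_remote_port": "443"},
        {"agent_id": "2345", "action_remote_ip": "203.0.113.11", "action_remote_port": "8443"},
    ],
}


def total_query_cost(query_cost: Any) -> float:
    """query_cost is keyed by tenant ({"local_tenant_id": 0.01}, or one key per child
    tenant); sum it so a playbook can track quota consumption as one number."""
    if isinstance(query_cost, dict):
        return round(sum(float(v) for v in query_cost.values()), 6)
    return float(query_cost or 0)


def assess_status(status: str) -> Tuple[bool, str]:
    """Map the status string to (results_usable, note). PARTIAL_SUCCESS is kept
    distinct from SUCCESS so a playbook does not treat partial data as complete."""
    if status == "SUCCESS":
        return True, "complete"
    if status == "PARTIAL_SUCCESS":
        return True, "partial: at least one tenant failed to execute the query"
    if status == "PENDING":
        return False, "still running: poll xdr-xql-get-query-results with execution_id"
    return False, f"failed with status {status}"


def load_results_file(gz_bytes: bytes) -> List[Dict[str, Any]]:
    """Decode the gzipped JSON file returned when a query yields more than 1000
    results and parse_result_file_to_context is not 'true'. Assumption of this
    example: the file is either one JSON document (a list, or an object with a
    "results" list) or newline-delimited JSON objects; both layouts are accepted."""
    text = gzip.decompress(gz_bytes).decode("utf-8")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return list(doc["results"]) if "results" in doc else [doc]
    return list(doc)


def make_results_file(rows: List[Dict[str, Any]], ndjson: bool = False) -> bytes:
    """Constructed stand-in for the .gz file, used only to exercise load_results_file."""
    if ndjson:
        body = "\n".join(json.dumps(r) for r in rows) + "\n"
    else:
        body = json.dumps({"results": rows})
    return gzip.compress(body.encode("utf-8"))


def summarize(context: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one command result to what the next playbook step needs."""
    usable, note = assess_status(context["status"])
    rows = context.get("results") or []
    return {
        "execution_id": context["execution_id"],
        "usable": usable,
        "note": note,
        "rows": len(rows),
        "total_cost": total_query_cost(context.get("query_cost")),
        "remote_ports": sorted({r["action_remote_port"] for r in rows if r.get("action_remote_port")}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CONTEXT))
    big = make_results_file([{"agent_id": str(i)} for i in range(1500)])
    print(len(load_results_file(big)), "rows decoded from the results file")
```

Branching on the note returned by assess_status (complete, partial, still running, failed) is what keeps a multi-tenant playbook from closing an investigation on partial results.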

Command Example#

!xdr-xql-network-connection-query endpoint_id=1234,2345 local_ip=test_ip_1,test_ip_2 remote_ip=test_remote_ip_1,test_remote_ip_2 port=test_port1,test_port2 limit=2

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status |
| --- | --- | --- | --- | --- | --- |
| 2758_inv | 2 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = STORY and action_local_ip in("test_ip1","test_ip2") and action_remote_ip in("test_remote_ip_1","test_remote_ip2") and action_remote_port in(test_port_1,test_port_2) \| fields agent_hostname, agent_ip_addresses, agent_id, actor_effective_username, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, action_country, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, actor_process_instance_id, actor_process_causality_id \| limit 2 | 376699223: 0.0004875 | 999.9737266666667 | SUCCESS |

Data Results#

| Product | Time | Vendor | Action Country | Action Local Ip | Action Remote Ip | Action Remote Port | Actor Effective Username | Actor Process Causality Id | Actor Process Command Line | Actor Process Image Name | Actor Process Image Path | Actor Process Image Sha256 | Actor Process Instance Id | Agent Hostname | Agent Id | Agent Ip Addresses | Dst Action External Hostname | Insert Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| P1 | 2021-08-28T12:08:23.000Z | PANW | UNKNOWN | Action Local Ip 1 | Action Remote Ip 1 | port1 | | | | | | | | WIN10X64 | Agent1 | | | 2021-08-28T12:15:26.000Z |
| P1 | 2021-08-28T12:05:42.000Z | PANW | UNKNOWN | Action Local Ip 2 | Action Remote Ip 2 | port2 | | | | | | | | WIN10X64 | Agent2 | | | 2021-08-28T12:10:23.000Z |

xdr-xql-registry-query#


Query the Windows registry by registry key name.

Base Command#

xdr-xql-registry-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID to run the query on. | Optional |
| reg_key_name | Registry key name to search (for example: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print). | Required |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Integer representing the maximum number of results to return. For example: if limit = 100 and the query produced 1,000 results, only the first 100 results are returned; if limit = 100 and the query produced 50 results, all 50 results are returned; if limit = 5000, 5,000 results are returned; if limit is null or empty (the default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of strings used for running APIs on local and Managed Security tenants. Valid values: for a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), enter a multi-item list with the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted as JSON data to context instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |
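The time_frame argument on every command here accepts either a relative window ("1 day", "3 weeks ago", "1 month") or an absolute range ("between ... and between ..."), with the last 24 hours as the default. The following Python is an added example rather than the integration's own parser: it converts both forms into the timeframe object sent with an XQL query. The names time_frame_to_timeframe and _parse_ts are mine, the shape of that object ({"relativeTime": milliseconds} or {"from": epoch ms, "to": epoch ms}) and the 30-day month are assumptions of the example, and an unrecognised format is rejected rather than silently widened to the default.

```python
import re
from datetime import datetime, timezone
from typing import Dict

# Milliseconds per unit for the relative forms ("1 day", "3 weeks ago", "1 month").
# Assumption of this example: a month is 30 days and a year 365 days.
_UNIT_MS = {
    "minute": 60_000,
    "hour": 3_600_000,
    "day": 86_400_000,
    "week": 7 * 86_400_000,
    "month": 30 * 86_400_000,
    "year": 365 * 86_400_000,
}
_RELATIVE = re.compile(r"^(\d+)\s+(minute|hour|day|week|month|year)s?(\s+ago)?$", re.IGNORECASE)
_RANGE = re.compile(r"^between\s+(.+?)\s+and\s+(?:between\s+)?(.+)$", re.IGNORECASE)


def _parse_ts(text: str) -> datetime:
    """Parse '2021-01-01 12:34:56 +02:00' (the format in the argument description).
    The space before the UTC offset is dropped so datetime.fromisoformat accepts it;
    a timestamp without an offset is assumed to be UTC."""
    cleaned = re.sub(r"\s+([+-]\d{2}:\d{2})$", r"\1", text.strip())
    parsed = datetime.fromisoformat(cleaned)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def time_frame_to_timeframe(time_frame: str) -> Dict[str, int]:
    """Convert the time_frame argument into the timeframe object sent with the
    XQL start-query request. Assumption of this example: {"relativeTime": <ms>}
    for relative windows and {"from": <epoch ms>, "to": <epoch ms>} for ranges."""
    text = (time_frame or "").strip()
    if not text:
        return {"relativeTime": _UNIT_MS["day"]}  # documented default: the last 24 hours
    match = _RELATIVE.match(text)
    if match:
        return {"relativeTime": int(match.group(1)) * _UNIT_MS[match.group(2).lower()]}
    match = _RANGE.match(text)
    if match:
        start, end = _parse_ts(match.group(1)), _parse_ts(match.group(2))
        if end <= start:
            raise ValueError("time_frame range must end after it starts")
        return {"from": int(start.timestamp() * 1000), "to": int(end.timestamp() * 1000)}
    raise ValueError(f"unsupported time_frame format: {time_frame!r}")


if __name__ == "__main__":
    for example in ("1 day", "3 weeks ago", "1 month",
                    "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"):
        print(example, "->", time_frame_to_timeframe(example))
```

Rejecting an inverted range and an unknown format matters in a playbook: a parser that fell back to the default would quietly run the query over the wrong window.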

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.Registry.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.Registry.execution_id | String | An integer representing a unique ID of a successful XQL query execution. The execution_id value can be passed to the xdr-xql-get-query-results command. |
| PaloAltoNetworksXQL.Registry.status | String | String representing the status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query; only partial results are available. |
| PaloAltoNetworksXQL.Registry.number_of_results | Number | Integer representing the number of results returned. |
| PaloAltoNetworksXQL.Registry.query_cost | Unknown | Floating-point number representing the query units consumed by this API call, keyed by tenant. For example, {"local_tenant_id": 0.01}. For multi-tenant queries, the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.Registry.remaining_quota | Number | Floating-point number representing the query units still available for you to use. |
| PaloAltoNetworksXQL.Registry.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.Registry.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.Registry.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.Registry.results.agent_os_type | String | Host operating system. |
| PaloAltoNetworksXQL.Registry.results.agent_os_sub_type | String | Agent operating system subtype. |
| PaloAltoNetworksXQL.Registry.results.event_type | String | Event type. |
| PaloAltoNetworksXQL.Registry.results.event_sub_type | String | Event subtype. |
| PaloAltoNetworksXQL.Registry.results.action_registry_key_name | String | Registry key name. |
| PaloAltoNetworksXQL.Registry.results.action_registry_value_name | String | Registry value name. |
| PaloAltoNetworksXQL.Registry.results.action_registry_data | String | Registry data. |
| PaloAltoNetworksXQL.Registry.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.Registry.results._time | String | Result time. |
| PaloAltoNetworksXQL.Registry.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.Registry.results._product | String | The result product. |

Command Example#

!xdr-xql-registry-query endpoint_id=1234,2345 reg_key_name=<reg_key_name> limit=2 time_frame="1 month"

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status | Time Frame |
| --- | --- | --- | --- | --- | --- | --- |
| 2767_inv | 2 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = REGISTRY and action_registry_key_name in ("reg_key_name") \| fields agent_hostname, agent_id, agent_ip_addresses, agent_os_type, agent_os_sub_type, event_type, event_sub_type, action_registry_key_name, action_registry_value_name, action_registry_data \| limit 2 | 376699223: 0.0012475 | 999.9699388888889 | SUCCESS | 1 month |

Data Results#

| Product | Time | Vendor | Action Registry Data | Action Registry Key Name | Action Registry Value Name | Agent Hostname | Agent Id | Agent Ip Addresses | Agent Os Sub Type | Agent Os Type | Event Sub Type | Event Type | Insert Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| XDR agent | 2021-08-04T06:27:44.000Z | PANW | Action Registry Data | Action Registry Data | | WIN10X64 | ID | IP | Windows 10 | AGENT_OS_WINDOWS | REGISTRY_SET_VALUE | REGISTRY | 2021-08-04T06:30:22.000Z |
| XDR agent | 2021-08-04T06:27:44.000Z | PANW | Action Registry Data | Action Registry Data | | WIN10X64 | ID | IP | Windows 10 | AGENT_OS_WINDOWS | REGISTRY_SET_VALUE | REGISTRY | 2021-08-04T06:30:22.000Z |

xdr-xql-event-log-query#


Query event logs by event ID.

Base Command#

xdr-xql-event-log-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID to run the query on. | Optional |
| event_id | Event log ID to search. Windows: the Event ID of the event log record. Linux: for action_evtlog_source = AuthLog, one of the following: 0 = Unknown, 1 = Successful Login, 2 = Failed Login, 3 = Failed Password (same as failed login, but should include a username), 4 = Logout. | Required |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Integer representing the maximum number of results to return. For example: if limit = 100 and the query produced 1,000 results, only the first 100 results are returned; if limit = 100 and the query produced 50 results, all 50 results are returned; if limit = 5000, 5,000 results are returned; if limit is null or empty (the default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of strings used for running APIs on local and Managed Security tenants. Valid values: for a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), enter a multi-item list with the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted as JSON data to context instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.EventLog.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.EventLog.execution_id | String | An integer representing a unique ID of a successful XQL query execution. The execution_id value can be passed to the xdr-xql-get-query-results command. |
| PaloAltoNetworksXQL.EventLog.status | String | String representing the status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query; only partial results are available. |
| PaloAltoNetworksXQL.EventLog.number_of_results | Number | Integer representing the number of results returned. |
| PaloAltoNetworksXQL.EventLog.query_cost | Unknown | Floating-point number representing the query units consumed by this API call, keyed by tenant. For example, {"local_tenant_id": 0.01}. For multi-tenant queries, the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.EventLog.remaining_quota | Number | Floating-point number representing the query units still available for you to use. |
| PaloAltoNetworksXQL.EventLog.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.EventLog.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.EventLog.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.EventLog.results.agent_os_type | String | Host operating system. |
| PaloAltoNetworksXQL.EventLog.results.agent_os_sub_type | String | Agent operating system subtype. |
| PaloAltoNetworksXQL.EventLog.results.action_evtlog_event_id | String | Event log ID. |
| PaloAltoNetworksXQL.EventLog.results.event_type | String | Event type. |
| PaloAltoNetworksXQL.EventLog.results.event_sub_type | String | Event subtype. |
| PaloAltoNetworksXQL.EventLog.results.action_evtlog_message | String | Event log message. |
| PaloAltoNetworksXQL.EventLog.results.action_evtlog_provider_name | String | Event log provider name. |
| PaloAltoNetworksXQL.EventLog.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.EventLog.results._time | String | Result time. |
| PaloAltoNetworksXQL.EventLog.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.EventLog.results._product | String | The result product. |

Command Example#

!xdr-xql-event-log-query endpoint_id=1234,2345 event_id=4444,5555 limit=2

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status |
| --- | --- | --- | --- | --- | --- |
| 2773_inv | 2 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = EVENT_LOG and action_evtlog_event_id in (4444,5555) \| fields agent_hostname, agent_id, agent_ip_addresses, agent_os_type, agent_os_sub_type, action_evtlog_event_id, event_type, event_sub_type, action_evtlog_message, action_evtlog_provider_name \| limit 2 | 376699223: 0.0009633333333333333 | 999.9677783333333 | SUCCESS |

Data Results#

| Product | Time | Vendor | Action Evtlog Event Id | Action Evtlog Message | Action Evtlog Provider Name | Agent Hostname | Agent Id | Agent Ip Addresses | Agent Os Sub Type | Agent Os Type | Event Sub Type | Event Type | Insert Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| XDR agent | 2021-08-28T12:31:24.000Z | PANW | 4444 | Message | Microsoft-Windows-Security-Auditing | DESKTOP-11 | ID | IP | Windows 10 | AGENT_OS_WINDOWS | EVENT_LOG_AGENT_EVENT_LOG | EVENT_LOG | 2021-08-28T12:36:21.000Z |
| XDR agent | 2021-08-28T12:31:24.000Z | PANW | 5555 | Message | Microsoft-Windows-Security-Auditing | DESKTOP-22 | ID | IP | Windows 10 | AGENT_OS_WINDOWS | EVENT_LOG_AGENT_EVENT_LOG | EVENT_LOG | 2021-08-28T12:36:21.000Z |

xdr-xql-dns-query#


Query by DNS query or domain name.

Base Command#

xdr-xql-dns-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID to run the query on. | Optional |
| external_domain | Query by external domain name. | Optional |
| dns_query | Query by DNS query. | Optional |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Integer representing the maximum number of results to return. For example: if limit = 100 and the query produced 1,000 results, only the first 100 results are returned; if limit = 100 and the query produced 50 results, all 50 results are returned; if limit = 5000, 5,000 results are returned; if limit is null or empty (the default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of strings used for running APIs on local and Managed Security tenants. Valid values: for a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), enter a multi-item list with the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted as JSON data to context instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.DNS.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.DNS.execution_id | String | An integer representing a unique ID of a successful XQL query execution. The execution_id value can be passed to the xdr-xql-get-query-results command. |
| PaloAltoNetworksXQL.DNS.status | String | String representing the status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query; only partial results are available. |
| PaloAltoNetworksXQL.DNS.number_of_results | Number | Integer representing the number of results returned. |
| PaloAltoNetworksXQL.DNS.query_cost | Unknown | Floating-point number representing the query units consumed by this API call, keyed by tenant. For example, {"local_tenant_id": 0.01}. For multi-tenant queries, the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.DNS.remaining_quota | Number | Floating-point number representing the query units still available for you to use. |
| PaloAltoNetworksXQL.DNS.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.DNS.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.DNS.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.DNS.results.agent_os_type | String | Host operating system. |
| PaloAltoNetworksXQL.DNS.results.agent_os_sub_type | String | Agent operating system subtype. |
| PaloAltoNetworksXQL.DNS.results.action_local_ip | String | Local IP address. |
| PaloAltoNetworksXQL.DNS.results.action_remote_ip | String | Remote IP address. |
| PaloAltoNetworksXQL.DNS.results.action_remote_port | String | Remote port. |
| PaloAltoNetworksXQL.DNS.results.dst_action_external_hostname | String | External hostname. |
| PaloAltoNetworksXQL.DNS.results.dns_query_name | String | DNS query name. |
| PaloAltoNetworksXQL.DNS.results.action_app_id_transitions | String | List of application ID transitions: the actual activities that took place, as recorded by the agent. |
| PaloAltoNetworksXQL.DNS.results.action_total_download | String | Total downloads. |
| PaloAltoNetworksXQL.DNS.results.action_total_upload | String | Total uploads. |
| PaloAltoNetworksXQL.DNS.results.action_country | String | Action country. |
| PaloAltoNetworksXQL.DNS.results.action_as_data | String | Action AS data. |
| PaloAltoNetworksXQL.DNS.results.os_actor_process_image_path | String | Operating system parent path. |
| PaloAltoNetworksXQL.DNS.results.os_actor_process_command_line | String | Command line arguments of the operating system parent. |
| PaloAltoNetworksXQL.DNS.results.os_actor_process_instance_id | String | Initiator instance ID. |
| PaloAltoNetworksXQL.DNS.results.os_actor_process_causality_id | String | Initiator causality ID. |
| PaloAltoNetworksXQL.DNS.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.DNS.results._time | String | Result time. |
| PaloAltoNetworksXQL.DNS.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.DNS.results._product | String | The result product. |

Command Example#

!xdr-xql-dns-query endpoint_id=1234,2345 external_domain=<external_domain> limit=2

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status |
| --- | --- | --- | --- | --- | --- |
| 2782_inv | 2 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = STORY and dst_action_external_hostname in ("<external_domain>") or dns_query_name in ("*") \| fields agent_hostname, agent_id, agent_ip_addresses, agent_os_type, agent_os_sub_type, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, dns_query_name, action_app_id_transitions, action_total_download, action_total_upload, action_country, action_as_data, os_actor_process_image_path, os_actor_process_command_line, os_actor_process_instance_id, os_actor_process_causality_id \| limit 2 | 376699223: 0.0009897222222222221 | 999.9651905555555 | SUCCESS |

Data Results#

| Product | Time | Vendor | Action App Id Transitions | Action As Data | Action Country | Action Local Ip | Action Remote Ip | Action Remote Port | Action Total Download, Action Total Upload | Agent Hostname | Agent Id | Agent Ip Addresses | Agent Os Sub Type | Agent Os Type | Dns Query Name | Dst Action External Hostname | Insert Timestamp | Os Actor Process Causality Id | Os Actor Process Command Line | Os Actor Process Image Path | Os Actor Process Instance Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| P1 | 2021-08-29T00:01:18.000Z | PANW | ip, tcp | | UNKNOWN | LOCAL_IP | REMOTE_IP | 443 | 31011413 | DESKTOP | ID | IP | Windows 10 | AGENT_OS_WINDOWS | | array812.prod.do.dsp.mp.microsoft.com | 2021-08-29T00:07:38.000Z | ID_1 | | | |
| P1 | 2021-08-29T00:02:06.000Z | PANW | ip, tcp | | UNKNOWN | LOCAL_IP | REMOTE_IP | 443 | 481316311 | DESKTOP | ID | IP | Windows 10 | AGENT_OS_WINDOWS | | us-v20.events.data.microsoft.com | 2021-08-29T00:07:38.000Z | ID_2 | | | |

xdr-xql-file-dropper-query#


Search for the process that wrote the given file, by its SHA256 or file path.

Base Command#

xdr-xql-file-dropper-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID to run the query on. | Optional |
| file_sha256 | SHA256 of the file to search for in the XDR dataset. | Optional |
| file_path | File path to search for in the XDR dataset. | Optional |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Integer representing the maximum number of results to return. For example: if limit = 100 and the query produced 1,000 results, only the first 100 results are returned; if limit = 100 and the query produced 50 results, all 50 results are returned; if limit = 5000, 5,000 results are returned; if limit is null or empty (the default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of strings used for running APIs on local and Managed Security tenants. Valid values: for a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), enter a multi-item list with the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted as JSON data to context instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.FileDropper.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.FileDropper.execution_id | String | An integer representing a unique ID of a successful XQL query execution. The execution_id value can be passed to the xdr-xql-get-query-results command. |
| PaloAltoNetworksXQL.FileDropper.status | String | String representing the status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query; only partial results are available. |
| PaloAltoNetworksXQL.FileDropper.number_of_results | Number | Integer representing the number of results returned. |
| PaloAltoNetworksXQL.FileDropper.query_cost | Unknown | Floating-point number representing the query units consumed by this API call, keyed by tenant. For example, {"local_tenant_id": 0.01}. For multi-tenant queries, the field holds a value per child tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.FileDropper.remaining_quota | Number | Floating-point number representing the query units still available for you to use. |
| PaloAltoNetworksXQL.FileDropper.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.FileDropper.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.FileDropper.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.FileDropper.results.action_file_sha256 | String | SHA256 hash value of the file. |
| PaloAltoNetworksXQL.FileDropper.results.action_file_path | String | File path of the action. |
| PaloAltoNetworksXQL.FileDropper.results.actor_process_image_name | String | The name of the process that initiated the activity. |
| PaloAltoNetworksXQL.FileDropper.results.actor_process_image_path | String | Path of the initiating process. |
| PaloAltoNetworksXQL.FileDropper.results.actor_process_command_line | String | Command line arguments of the initiator. |
| PaloAltoNetworksXQL.FileDropper.results.actor_process_signature_vendor | String | Initiator signer. |
| PaloAltoNetworksXQL.FileDropper.results.actor_process_signature_product | String | Initiator product. |
| PaloAltoNetworksXQL.FileDropper.results.actor_process_image_sha256 | String | The SHA256 value of the initiator. |
| PaloAltoNetworksXQL.FileDropper.results.actor_primary_normalized_user | String | Normalized user. |
| PaloAltoNetworksXQL.FileDropper.results.os_actor_process_image_path | String | Operating system parent path. |
| PaloAltoNetworksXQL.FileDropper.results.os_actor_process_command_line | String | Command line arguments of the operating system parent. |
| PaloAltoNetworksXQL.FileDropper.results.os_actor_process_signature_vendor | String | Operating system parent signer. |
| PaloAltoNetworksXQL.FileDropper.results.os_actor_process_signature_product | String | Operating system parent signer product. |
| PaloAltoNetworksXQL.FileDropper.results.os_actor_process_image_sha256 | String | The SHA256 value of the operating system parent. |
| PaloAltoNetworksXQL.FileDropper.results.os_actor_effective_username | String | Operating system parent user name. |
| PaloAltoNetworksXQL.FileDropper.results.causality_actor_remote_host | String | Remote host. |
| PaloAltoNetworksXQL.FileDropper.results.causality_actor_remote_ip | String | Remote IP. |
| PaloAltoNetworksXQL.FileDropper.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.FileDropper.results._time | String | Result time. |
| PaloAltoNetworksXQL.FileDropper.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.FileDropper.results._product | String | The result product. |

Command Example#

!xdr-xql-file-dropper-query endpoint_id=1234,2345 file_path=<file_path> file_sha256=<file_SHA> limit=2 time_frame="1 month"

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status | Time Frame |
| --- | --- | --- | --- | --- | --- | --- |
| 2788_inv | 2 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = FILE and event_sub_type in (FILE_WRITE, FILE_RENAME) and action_file_path in ("<file_path>") or action_file_sha256 in ("<file_SHA>") \| fields agent_hostname, agent_ip_addresses, agent_id, action_file_sha256, action_file_path, actor_process_image_name, actor_process_image_path, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_image_sha256, actor_primary_normalized_user, os_actor_process_image_path, os_actor_process_command_line, os_actor_process_signature_vendor, os_actor_process_signature_product, os_actor_process_image_sha256, os_actor_effective_username, causality_actor_remote_host,causality_actor_remote_ip \| limit 2 | 376699223: 0.0014269444444444444 | 999.9627805555556 | SUCCESS | 1 month |

Data Results#

| Product | Time | Vendor | Action File Path | Action File Sha256 | Actor Primary Normalized User | Actor Process Command Line | Actor Process Image Name | Actor Process Image Path | Actor Process Image Sha256 | Actor Process Signature Product | Actor Process Signature Vendor | Agent Hostname | Agent Id | Agent Ip Addresses | Causality Actor Remote Host | Causality Actor Remote Ip | Insert Timestamp | Os Actor Effective Username | Os Actor Process Command Line | Os Actor Process Image Path | Os Actor Process Image Sha256 | Os Actor Process Signature Product | Os Actor Process Signature Vendor |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| XDR agent | 2021-08-04T10:57:09.000Z | PANW | Path1 | | | | | | | | X Corporation | WIN10X64 | ID | IP | | | 2021-08-04T11:01:08.000Z | ID | | | | X Corporation | X Corporation |
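The General Results shown under xdr-xql-dll-module-query, xdr-xql-network-connection-query, xdr-xql-registry-query, xdr-xql-event-log-query, xdr-xql-dns-query and xdr-xql-file-dropper-query all render the same query shape: `dataset = xdr_data | filter <agent_id, event_type and argument filters> | fields <field list> | limit N`. The Python below is an added example that builds that shape for two of those commands; it is not the integration's implementation, the function names are mine, and the field lists and quoting follow the rendered queries above. It validates every value against the kind of field it filters, rejects string values that contain a double quote instead of guessing XQL's escape rules, de-duplicates extra_fields against the default field list, applies the documented default limit of 100, and parenthesizes the path-or-hash alternatives of the file dropper query so the `or` does not depend on operator precedence.

```python
from typing import Dict, Iterable, List, Optional

# Fields whose values the page's rendered queries leave unquoted.
NUMERIC_FIELDS = {"action_remote_port", "action_evtlog_event_id"}
ENUM_FIELDS = {"event_sub_type"}


def _xql_literal(field: str, value) -> str:
    """Render one value for an `in (...)` list, validating it against the field kind.
    A string value containing a double quote is rejected rather than escaped: the
    escaping rules of XQL string literals are not covered by this page, so refusing
    is safer than guessing, and it keeps caller input from altering the filter."""
    text = str(value).strip()
    if not text:
        raise ValueError(f"empty value for {field}")
    if field in NUMERIC_FIELDS:
        if not text.isdigit():
            raise ValueError(f"{field} expects a number, got {text!r}")
        return text
    if field in ENUM_FIELDS:
        if not text.replace("_", "").isalnum():
            raise ValueError(f"{field} expects an identifier, got {text!r}")
        return text
    if '"' in text:
        raise ValueError(f"double quote not allowed in {field} value: {text!r}")
    return f'"{text}"'


def _in_clause(field: str, values: Iterable) -> str:
    return f"{field} in ({', '.join(_xql_literal(field, v) for v in values)})"


def build_xql(event_type: str, fields: List[str], filters: Dict[str, List],
              endpoint_ids: Optional[List[str]] = None, any_of: Iterable[str] = (),
              extra_fields: Iterable[str] = (), limit: Optional[int] = None) -> str:
    """Assemble `dataset = xdr_data | filter ... | fields ... | limit N` in the shape
    the helper commands render. Filters named in `any_of` are OR-ed inside one
    parenthesized group, so they stay subordinate to the agent_id and event_type
    conditions instead of relying on and/or precedence."""
    if not event_type.replace("_", "").isalnum():
        raise ValueError(f"bad event_type: {event_type!r}")
    alternatives = set(any_of)
    clauses: List[str] = []
    if endpoint_ids:
        clauses.append(_in_clause("agent_id", endpoint_ids))
    clauses.append(f"event_type = {event_type}")
    clauses += [_in_clause(f, v) for f, v in filters.items() if v and f not in alternatives]
    grouped = [_in_clause(f, v) for f, v in filters.items() if v and f in alternatives]
    if grouped:
        clauses.append("(" + " or ".join(grouped) + ")")
    out_fields = list(dict.fromkeys([*fields, *extra_fields]))  # de-duplicate, keep order
    limit = 100 if limit in (None, "") else int(limit)  # documented default is 100
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    return (f"dataset = xdr_data | filter {' and '.join(clauses)}"
            f" | fields {', '.join(out_fields)} | limit {limit}")


def network_connection_query(endpoint_ids, local_ips, remote_ips, ports,
                             extra_fields=(), limit=None) -> str:
    """Shape of xdr-xql-network-connection-query: STORY events matching the tuple parts."""
    fields = ["agent_hostname", "agent_ip_addresses", "agent_id", "actor_effective_username",
              "action_local_ip", "action_remote_ip", "action_remote_port",
              "dst_action_external_hostname", "action_country", "actor_process_image_name",
              "actor_process_image_path", "actor_process_command_line",
              "actor_process_image_sha256", "actor_process_instance_id",
              "actor_process_causality_id"]
    filters = {"action_local_ip": local_ips, "action_remote_ip": remote_ips,
               "action_remote_port": ports}
    return build_xql("STORY", fields, filters, endpoint_ids,
                     extra_fields=extra_fields, limit=limit)


def file_dropper_query(endpoint_ids, file_paths, file_sha256s, extra_fields=(), limit=None) -> str:
    """Shape of xdr-xql-file-dropper-query: FILE_WRITE/FILE_RENAME events matching the
    path or the hash, with the two alternatives grouped explicitly."""
    fields = ["agent_hostname", "agent_ip_addresses", "agent_id", "action_file_sha256",
              "action_file_path", "actor_process_image_name", "actor_process_image_path",
              "actor_process_command_line", "actor_process_signature_vendor",
              "actor_process_signature_product", "actor_process_image_sha256",
              "actor_primary_normalized_user", "os_actor_process_image_path",
              "os_actor_process_command_line", "os_actor_process_signature_vendor",
              "os_actor_process_signature_product", "os_actor_process_image_sha256",
              "os_actor_effective_username", "causality_actor_remote_host",
              "causality_actor_remote_ip"]
    filters = {"event_sub_type": ["FILE_WRITE", "FILE_RENAME"],
               "action_file_path": file_paths, "action_file_sha256": file_sha256s}
    return build_xql("FILE", fields, filters, endpoint_ids,
                     any_of={"action_file_path", "action_file_sha256"},
                     extra_fields=extra_fields, limit=limit)


if __name__ == "__main__":
    print(network_connection_query(["1234", "2345"], ["10.0.0.5"], ["203.0.113.10"], ["443"], limit=2))
    print(file_dropper_query(["1234"], ["C:\\Users\\demo\\a.exe"], [], limit=2))
```

The same build_xql call covers the registry, event log and DNS commands by swapping the event type, the filter fields and the field list; the per-field validation is what makes it safe to pass argument values straight from a playbook into the query text.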

xdr-xql-process-instance-network-activity-query#


Search for network connections created by a given process instance ID.

Base Command#

xdr-xql-process-instance-network-activity-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID to run the query on. | Optional |
| process_instance_id | Process instance ID to search for in the XDR dataset. | Required |
| extra_fields | Extra fields to add to the query results. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Integer representing the maximum number of results to return. For example: if limit = 100 and the query produced 1,000 results, only the first 100 results are returned; if limit = 100 and the query produced 50 results, all 50 results are returned; if limit = 5000, 5,000 results are returned; if limit is null or empty (the default), up to 100 results are returned. Default is 100. | Optional |
| tenant_id | List of strings used for running APIs on local and Managed Security tenants. Valid values: for a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), enter a multi-item list with the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted as JSON data to context instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.execution_id | String | Unique ID of a successful XQL query execution (for example, 2791_inv). Pass it to the xdr-xql-get-query-results command to retrieve the results of that execution again. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.query_cost | Unknown | Query units charged for this execution, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries there is one entry per tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.remaining_quota | Number | Query units still available for you to use. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_local_ip | String | Local IP address of the connection. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_remote_ip | String | Remote IP address of the connection. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_remote_port | String | Remote port. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.dst_action_external_hostname | String | External hostname of the destination. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.dns_query_name | String | DNS query name. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_app_id_transitions | String | List of App-ID transitions: the application activity actually observed on the connection and recorded by the agent. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_total_download | String | Total download. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_total_upload | String | Total upload. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_country | String | Country of the remote address. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.action_as_data | String | Autonomous system (AS) data for the remote address. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_image_sha256 | String | SHA256 of the initiating process image. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_image_name | String | Name of the process that initiated the activity. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_image_path | String | Path of the initiating process image. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_signature_vendor | String | Signer of the initiating process. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_signature_product | String | Signature product of the initiating process. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_causality_id | String | Causality ID (CID) of the initiating process. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_image_command_line | String | Command line of the initiating process. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.actor_process_instance_id | String | Process instance ID of the initiating process. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results._time | String | Result time. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.ProcessInstanceNetworkActivity.results._product | String | The result product. |

Command Example#

!xdr-xql-process-instance-network-activity-query endpoint_id=1234,2345 process_instance_id=<process_instance_id> limit=2 time_frame="1 month"

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status | Time Frame |
| --- | --- | --- | --- | --- | --- | --- |
| 2791_inv | 2 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = NETWORK and actor_process_instance_id in ("<process_instance_id>") \| fields agent_hostname, agent_ip_addresses, agent_id, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, dns_query_name, action_app_id_transitions, action_total_download, action_total_upload, action_country, action_as_data, actor_process_image_sha256, actor_process_image_name, actor_process_image_path, actor_process_signature_vendor, actor_process_signature_product, actor_causality_id, actor_process_image_command_line, actor_process_instance_id \| limit 2 | 376699223: 0.0008680555555555555 | 999.9619125 | SUCCESS | 1 month |

Data Results#

Columns: Product, Time, Vendor, Action App Id Transitions, Action As Data, Action Country, Action Local Ip, Action Remote Ip, Action Remote Port, Action Total Download, Action Total Upload, Actor Causality Id, Actor Process Image Command Line, Actor Process Image Name, Actor Process Image Path, Actor Process Image Sha256, Actor Process Instance Id, Actor Process Signature Product, Actor Process Signature Vendor, Agent Hostname, Agent Id, Agent Ip Addresses, Dns Query Name, Dst Action External Hostname, Insert Timestamp

Sample row (empty cells were dropped when the table was flattened, so only the populated values remain, in column order): XDR agent | 2021-08-11T06:08:47.000Z | PANW | UNITED_KINGDOM | LOCAL_IP | REMOTE_IP | 443 | ID | x.exe | Windows Publisher | X Corporation | WIN10X64 | 2021-08-11T06:09:34.000Z

xdr-xql-process-causality-network-activity-query#


Search for network connections created by a given process causality ID. Because a causality ID covers the whole causality chain rather than a single process instance, this pivot typically returns more rows than the instance query; the same 24-hour and 100-result defaults apply, so raise limit (or check number_of_results against it) before treating the result set as complete.

Base Command#

xdr-xql-process-causality-network-activity-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| endpoint_id | XDR endpoint ID(s) to run the query on. Pass a comma-separated list to search several endpoints (see the command example below); omit it to search all endpoints. | Optional |
| process_causality_id | Process causality ID to search for in the XDR dataset. | Required |
| extra_fields | Extra fields to add to the query results, in addition to the default field list. | Optional |
| time_frame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and between 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | Optional |
| limit | Maximum number of results to return. Default is 100. If limit=100 and the query produces 1,000 results, only the first 100 are returned; if it produces 50, all 50 are returned. If limit=5000, up to 5,000 results are returned. If limit is null or empty, up to 100 results are returned. | Optional |
| tenant_id | List of strings used for running the query on local and Managed Security tenants. For a single-tenant (local tenant) query, enter a single-item list with your tenant_id; an empty list ([]) or null (the default) is also valid. For multi-tenant investigations (a Managed Security parent investigating child tenants and/or the local tenant), enter a list of the required tenant IDs; the list can contain the parent, the children, or both. | Optional |
| query_name | The name of the query. | Required |
| parse_result_file_to_context | If set to 'true' and the query returns more than 1000 results, the results are extracted to context as JSON instead of being returned as a .gz file. If set to 'false' and the query returns more than 1000 results, the .gz file is returned without extracting the results to context. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.query_name | String | The given name of the query. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.execution_id | String | Unique ID of a successful XQL query execution (for example, 2794_inv). Pass it to the xdr-xql-get-query-results command to retrieve the results of that execution again. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.status | String | Status of the API call: SUCCESS, FAIL, or PENDING. For multi-tenant queries, PARTIAL_SUCCESS means that at least one tenant failed to execute the query and only partial results are available. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.number_of_results | Number | Number of results returned. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.query_cost | Unknown | Query units charged for this execution, keyed by tenant ID, for example {"local_tenant_id": 0.01}. For multi-tenant queries there is one entry per tenant, for example {"tenant_id_1": 0.01, "tenant_id_2": 2.3}. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.remaining_quota | Number | Query units still available for you to use. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.agent_hostname | String | The agent host name. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.agent_ip_addresses | String | The agent IP addresses. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.agent_id | String | Endpoint ID. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_local_ip | String | Local IP address of the connection. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_remote_ip | String | Remote IP address of the connection. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_remote_port | String | Remote port. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.dst_action_external_hostname | String | External hostname of the destination. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.dns_query_name | String | DNS query name. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_app_id_transitions | String | List of App-ID transitions: the application activity actually observed on the connection and recorded by the agent. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_total_download | String | Total download. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_total_upload | String | Total upload. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_country | String | Country of the remote address. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.action_as_data | String | Autonomous system (AS) data for the remote address. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_image_sha256 | String | SHA256 of the initiating process image. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_image_name | String | Name of the process that initiated the activity. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_image_path | String | Path of the initiating process image. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_signature_vendor | String | Signer of the initiating process. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_signature_product | String | Signature product of the initiating process. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_causality_id | String | Causality ID (CID) of the initiating process. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_image_command_line | String | Command line of the initiating process. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.actor_process_instance_id | String | Process instance ID of the initiating process. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results._vendor | String | The result vendor. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results._time | String | Result time. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results.insert_timestamp | String | Result insert timestamp. |
| PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results._product | String | The result product. |

Command Example#

!xdr-xql-process-causality-network-activity-query endpoint_id=1234,2345 process_causality_id=<process_causality_id> limit=1 time_frame="1 month"

Human Readable Output#

General Results#

| Execution Id | Number Of Results | Query | Query Cost | Remaining Quota | Status | Time Frame |
| --- | --- | --- | --- | --- | --- | --- |
| 2794_inv | 1 | dataset = xdr_data \| filter agent_id in ("1234","2345") and event_type = NETWORK and actor_process_causality_id in ("<process_causality_id>") \| fields agent_hostname, agent_ip_addresses, agent_id, action_local_ip, action_remote_ip, action_remote_port, dst_action_external_hostname, dns_query_name, action_app_id_transitions, action_total_download, action_total_upload, action_country, action_as_data, actor_process_image_sha256, actor_process_image_name, actor_process_image_path, actor_process_signature_vendor, actor_process_signature_product, actor_causality_id, actor_process_image_command_line, actor_process_instance_id \| limit 1 | 376699223: 0.0007380555555555556 | 999.9611744444444 | SUCCESS | 1 month |

Data Results#

Columns: Product, Time, Vendor, Action App Id Transitions, Action As Data, Action Country, Action Local Ip, Action Remote Ip, Action Remote Port, Action Total Download, Action Total Upload, Actor Causality Id, Actor Process Image Command Line, Actor Process Image Name, Actor Process Image Path, Actor Process Image Sha256, Actor Process Instance Id, Actor Process Signature Product, Actor Process Signature Vendor, Agent Hostname, Agent Id, Agent Ip Addresses, Dns Query Name, Dst Action External Hostname, Insert Timestamp

Sample row (empty cells were dropped when the table was flattened, so only the populated values remain, in column order): XDR agent | 2021-07-31T01:47:07.000Z | PANW | ISRAEL | LOCAL_IP | REMOTE_IP | 80 | x.exe | Windows Publisher | X Corporation | WIN10X64 | IP | 2021-07-31T01:48:03.000Z
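The following is an added example, not code from the Cortex XDR - XQL Query Engine integration, covering both xdr-xql-process-instance-network-activity-query and xdr-xql-process-causality-network-activity-query. It rebuilds the XQL shown in the two General Results tables from the command arguments (so you can see exactly what the endpoint_id, extra_fields and limit arguments turn into), then reduces a context entry of the documented shape to the unique remote destinations per initiating binary while flagging the two conditions an analyst should check before trusting the pivot: a PARTIAL_SUCCESS status and a result count that reached the limit. The function names, the escaping in xql_string_list and the sample context are assumptions constructed for this example; the dataset, event type and field names are the ones shown on this page.

```python
"""Added example (not the integration's own code): rebuild the XQL that the two
process network-activity commands run, then sanity-check and summarise a
context entry of the shape documented above. Function names and the sample
context are constructed for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Default field list, in the order the generated query on this page uses it.
NETWORK_FIELDS = [
    "agent_hostname", "agent_ip_addresses", "agent_id", "action_local_ip",
    "action_remote_ip", "action_remote_port", "dst_action_external_hostname",
    "dns_query_name", "action_app_id_transitions", "action_total_download",
    "action_total_upload", "action_country", "action_as_data",
    "actor_process_image_sha256", "actor_process_image_name",
    "actor_process_image_path", "actor_process_signature_vendor",
    "actor_process_signature_product", "actor_causality_id",
    "actor_process_image_command_line", "actor_process_instance_id",
]
# Which xdr_data field each command pivots on.
PIVOT_FIELDS = {
    "instance": "actor_process_instance_id",
    "causality": "actor_process_causality_id",
}


def xql_string_list(values: Iterable[str]) -> str:
    """Render values as a quoted XQL list such as ("1234","2345"). The IDs come
    from playbook inputs, so backslashes and double quotes are escaped instead
    of being spliced into the query raw (a defensive choice of this example)."""
    quoted = []
    for value in values:
        value = str(value).replace("\\", "\\\\").replace('"', '\\"')
        quoted.append(f'"{value}"')
    return ",".join(quoted)


def build_network_activity_query(pivot: str, ids: List[str],
                                 endpoint_ids: Optional[List[str]] = None,
                                 extra_fields: Iterable[str] = (),
                                 limit: int = 100) -> str:
    """Build the same query shape as the 'Query' cell in General Results."""
    if pivot not in PIVOT_FIELDS:
        raise ValueError(f"pivot must be one of {sorted(PIVOT_FIELDS)}")
    if not ids:
        raise ValueError("at least one process ID is required")
    if int(limit) <= 0:
        raise ValueError("limit must be a positive integer")
    clauses = []
    if endpoint_ids:  # endpoint_id is optional; omit it to search all agents
        clauses.append(f"agent_id in ({xql_string_list(endpoint_ids)})")
    clauses.append("event_type = NETWORK")
    clauses.append(f"{PIVOT_FIELDS[pivot]} in ({xql_string_list(ids)})")
    fields = list(NETWORK_FIELDS)
    for field in extra_fields:  # extra_fields are appended, without duplicates
        if field not in fields:
            fields.append(field)
    return (f"dataset = xdr_data | filter {' and '.join(clauses)}"
            f" | fields {', '.join(fields)} | limit {int(limit)}")


def summarise_context(ctx: Dict, limit: int) -> Tuple[Dict, List[str], float]:
    """Reduce one ProcessInstanceNetworkActivity / ProcessCausalityNetworkActivity
    entry to unique destinations per initiating binary, and collect the checks
    an analyst should run before trusting the pivot."""
    warnings = []
    status = ctx.get("status")
    if status == "PARTIAL_SUCCESS":
        warnings.append("PARTIAL_SUCCESS: at least one tenant failed; results are incomplete")
    elif status != "SUCCESS":
        warnings.append(f"status {status!r}: results are not usable yet")
    if ctx.get("number_of_results", 0) >= limit:
        warnings.append(f"result count reached limit={limit}; re-run with a higher "
                        "limit or connections may be missing")
    # query_cost is keyed by tenant ID; sum it to get what this run consumed.
    total_cost = float(sum((ctx.get("query_cost") or {}).values()))
    destinations = defaultdict(set)
    for row in ctx.get("results", []):
        name = row.get("dst_action_external_hostname") or row.get("dns_query_name") or ""
        key = (row.get("action_remote_ip"), str(row.get("action_remote_port")), name)
        destinations[key].add((row.get("actor_process_image_name"),
                               row.get("actor_process_image_sha256")))
    return {k: sorted(v, key=str) for k, v in destinations.items()}, warnings, total_cost


# Constructed sample context: two rows shaped like the Data Results above.
SAMPLE_CONTEXT = {
    "query_name": "pivot-demo", "execution_id": "2791_inv", "status": "SUCCESS",
    "number_of_results": 2, "query_cost": {"376699223": 0.000868},
    "remaining_quota": 999.96,
    "results": [
        {"agent_hostname": "WIN10X64", "action_local_ip": "LOCAL_IP",
         "action_remote_ip": "REMOTE_IP", "action_remote_port": 443,
         "dst_action_external_hostname": "", "dns_query_name": "example.test",
         "actor_process_image_name": "x.exe", "actor_process_image_sha256": "SHA256_X"},
        {"agent_hostname": "WIN10X64", "action_local_ip": "LOCAL_IP",
         "action_remote_ip": "REMOTE_IP", "action_remote_port": 443,
         "dst_action_external_hostname": "", "dns_query_name": "example.test",
         "actor_process_image_name": "x.exe", "actor_process_image_sha256": "SHA256_X"},
    ],
}

if __name__ == "__main__":
    print(build_network_activity_query("instance", ["<process_instance_id>"],
                                       ["1234", "2345"], limit=2))
    print(summarise_context(SAMPLE_CONTEXT, limit=2))
```

Running the sample reproduces the instance query from the General Results table above and, because the two constructed rows are the same destination, collapses them to a single (REMOTE_IP, 443, example.test) entry attributed to x.exe; it also raises the limit warning, since number_of_results equals the limit of 2 and the page documents that anything beyond the limit is silently dropped.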