1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ Pro Administrator’s Guide
    5. Investigation and Response
    6. Search Queries
    7. Cortex XDR Query Builder
    8. Create an Event Log Query

    Create an Event Log Query

    Create a query to investigate Windows event log attributes and investigate event logs across endpoints.
    From the
    Query Builder
     you can search Windows event log attributes and investigate event logs across endpoints with an Cortex XDR agent installed.
    query-search-event-log.png
    Some examples of event log queries you can run include:
    • Critical level messages on specific endpoints.
    • Message descriptions with specific keywords on specific endpoints.
    To build a file query:
    1. From Cortex XDR, select
      INVESTIGATION
      Query Builder
      .
    2. Select
      EVENT LOG
      .
    3. Enter the search criteria for your Windows event log query.
      Define any event attributes for which you want to search. By default, Cortex XDR will return the events that match the attribute you specify. To exclude an attribute value, toggle the
      =
       option to
      =!
      . Attributes are:
        • PROVIDER NAME
          —The provider of the event log.
        • USERNAME
          —The username associated with the event.
        • EVENT ID
          —The unique ID of the event.
        • LEVEL
          —The event severity level.
        • MESSAGE
          —The description of the event.
        To specify an additional exception (match this value except), click the
        +
         to the right of the value and specify the exception value.
    4. (
      Optional
      ) Limit the scope to an endpoint or endpoint attributes:
      Select query-host-scope.png and specify one or more of the following attributes:
      • HOST
        HOST NAME
        ,
        HOST IP
         address,
        HOST OS
        , or
        HOST MAC ADDRESS
        .
      • PROCESS
        NAME
        ,
        PATH
        ,
        CMD
        ,
        MD5
        ,
        SHA256
        ,
        USER NAME
        ,
        SIGNATURE
        , or
        PID
      Use a pipe (
      |
      ) to separate multiple values. Use an asterisk (
      *
      ) to match any string of characters.
    5. Specify the time period for which you want to search for events.
      Options are:
      Last 24H
       (hours),
      Last 7D
       (days),
      Last 1M
       (month), or select a
      Custom
       time period.
    6. Choose when to run the query.
      query-save-options.png
      Select the calendar icon to schedule a query to run on or before a specific date,
      Run in background
       to run the query as resources are available, or
      Run
       to run the query immediately and view the results in the
      Query Center
      .
    7. When you are ready, View the Results of a Query.
    8. Specify the time period for which you want to search for events.
      Options are:
      Last 24H
       (hours),
      Last 7D
       (days),
      Last 1M
       (month), or select a
      Custom
       time period.
    9. Choose when to run the query.
      query-save-options.png
      Select the calendar icon to schedule a query to run on or before a specific date,
      Run in background
       to run the query as resources are available, or
      Run
       to run the query immediately and view the results in the
      Query Center
      .
    10. When you are ready, View the Results of a Query.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo