https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453555#M1380 <P>Hi Kamal,</P><P>&nbsp;</P><P>Try .xlsm instead.</P><P>&nbsp;</P><P>Thanks</P> Thu, 16 Dec 2021 06:57:28 GMT jcandelaria 2021-12-16T06:57:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453382#M1370 <P>Can Cortex see if macros have been launched on an endpoint, specifically Office Macros?&nbsp;</P><P>I tried the "All Actions" query and searched for .doc and .xls files but no luck.&nbsp;</P><P>&nbsp;</P><P>Has anyone tried to search for macros using Cortex query or xql?&nbsp;</P><P>&nbsp;</P><DIV class=""><DIV class=""><P>Just to clarify, I was trying to hunt for any macro executions seen on our endpoints whether they are malicious or not.&nbsp;</P></DIV></DIV> Wed, 15 Dec 2021 19:04:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453382#M1370 Kamal.Kishore 2021-12-15T19:04:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453398#M1371 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/136837">@Kamal.Kishore</a>&nbsp;</P><P>&nbsp;</P><P>If you know the hash value of macro part of the Excel file, yes. You can use Hash View to search for it, or Query Builder, or XQL queries.</P> Wed, 15 Dec 2021 17:49:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453398#M1371 fmoixsante 2021-12-15T17:49:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453409#M1373 <P>Ya I wouldn't know the hash value, it would be a general search or audit looking for any Office Macros by their file properties.&nbsp;</P> Wed, 15 Dec 2021 18:04:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453409#M1373 Kamal.Kishore 2021-12-15T18:04:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453415#M1374 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/136837">@Kamal.Kishore</a>,</P><P>&nbsp;</P><P>The XDR agent office protection ignores Excel files with no macros and will only report on those with a seemingly malicious macro. What you can do is look in XQL for all executed Excel files.</P><P>&nbsp;</P><P>You could try something like this<BR /><STRONG><EM>dataset = xdr_data </EM></STRONG><BR /><STRONG><EM>| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and actor_process_image_name = "EXCEL.EXE"</EM></STRONG></P> Wed, 15 Dec 2021 18:31:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453415#M1374 fmoixsante 2021-12-15T18:31:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453417#M1375 <P>Hi Fmoixsante,</P><P>&nbsp;</P><P>Thank you for your response.&nbsp;</P><P>That's a great query to identify where Excel.exe is running but I don't see any data pertaining to macro events.&nbsp;</P> Wed, 15 Dec 2021 19:00:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453417#M1375 Kamal.Kishore 2021-12-15T19:00:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453554#M1379 Hi Kamal,<BR /><BR />Try .xlsm instead.<BR /> Thu, 16 Dec 2021 06:56:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453554#M1379 jcandelaria 2021-12-16T06:56:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453555#M1380 <P>Hi Kamal,</P><P>&nbsp;</P><P>Try .xlsm instead.</P><P>&nbsp;</P><P>Thanks</P> Thu, 16 Dec 2021 06:57:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453555#M1380 jcandelaria 2021-12-16T06:57:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453592#M1383 <P>The query I shared also gives all the files that Excel has opened. The query is just a basic query that you could use and modify as you like.&nbsp;</P><P>&nbsp;</P><P>For instance,</P><P><EM><STRONG>dataset = xdr_data</STRONG></EM><BR /><EM><STRONG>| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and actor_process_command_line contains "xlsm"</STRONG></EM></P><P>&nbsp;</P><P>I would suggest you check our XQL documentation <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-language-reference/get-started-with-xql.html" target="_self">here</A>&nbsp;and <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-language-reference.html" target="_self">here</A>.</P><P>&nbsp;</P><P>I would also recommend you check our <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-walkthroughs/tkb-p/Cortex_XDR_Walkthroughs" target="_self">Cortex XDR Walkthrough videos</A>. We have many videos showcasing every part of the Cortex XDR product.</P> Thu, 16 Dec 2021 09:43:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-it-possible-to-search-for-macros-in-cortex/m-p/453592#M1383 fmoixsante 2021-12-16T09:43:12Z