https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-alerts-slack-integration/m-p/349062#M298 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/154986">@CChampagne1</a>,</P><P>&nbsp;</P><P>I reached out to one of our Cortex XDR Product Managers on this to verify.&nbsp; If the ability to include the hostname is a not available via configuration, I will submit a feature request.&nbsp; I will keep you posted.&nbsp;</P> Mon, 14 Sep 2020 13:14:19 GMT dfalcon 2020-09-14T13:14:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-alerts-slack-integration/m-p/348002#M282 <P>Is there any way to include the&nbsp;<FONT color="#FF0000"><EM>hostname</EM></FONT> for alerts received in Slack? They are very valuable to receive on the phone late at night, but would be even better if we had a bit more information:&nbsp;<EM>hostname, domain, something that indicates this is a test box... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></EM><BR /><BR />Any takers? Is there something we need to tweak, or is this a feature request?<BR /><BR />Examples:<BR /><BR /></P><DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"><DIV class="p-section_block p-section_block--no_top_margin"><DIV class="p-section_block_text_content"><DIV class="p-section_block__text"><DIV class="p-mrkdwn_element"><FONT size="2"><SPAN><STRONG>Alert Name:</STRONG>&nbsp;Local Analysis Malware</SPAN></FONT></DIV></DIV></DIV></DIV></DIV><DIV class="p-block_kit_renderer__block_wrapper"><DIV class="p-section_block"><DIV class="p-section_block_text_content"><DIV class="p-section_block__text"><DIV class="p-mrkdwn_element"><FONT size="1 2 3 4 5 6 7"><SPAN><SPAN><FONT size="2"><I><STRONG>Severity:</STRONG>&nbsp;Medium</I></FONT><BR /><FONT size="2"><I><STRONG>Source:</STRONG>&nbsp;XDR Agent</I></FONT><BR /><FONT size="2"><I><STRONG>Category:</STRONG>&nbsp;Malware</I></FONT><BR /><FONT size="2"><I><STRONG>Action:</STRONG>&nbsp;Detected (Reported)</I></FONT><BR /><I><FONT size="2"><STRONG>Description:</STRONG>&nbsp;Suspicious executable detected</FONT><BR /></I></SPAN></SPAN></FONT><DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"><DIV class="p-section_block p-section_block--no_top_margin"><DIV class="p-section_block_text_content"><DIV class="p-section_block__text"><DIV class="p-mrkdwn_element"><FONT size="1 2 3 4 5 6 7"><SPAN><STRONG><BR /><FONT size="2">Alert Name:</FONT></STRONG><FONT size="2">&nbsp;Binary file being created to disk with a double extension</FONT></SPAN></FONT></DIV></DIV></DIV></DIV></DIV><DIV class="p-block_kit_renderer__block_wrapper"><DIV class="p-section_block"><DIV class="p-section_block_text_content"><DIV class="p-section_block__text"><DIV class="p-mrkdwn_element"><FONT size="2"><SPAN><I><STRONG>Severity:</STRONG>&nbsp;Medium</I><BR /><I><STRONG>Source:</STRONG>&nbsp;XDR BIOC</I><BR /><I><STRONG>Category:</STRONG>&nbsp;File Type Obfuscation</I><BR /><I><STRONG>Action:</STRONG>&nbsp;Detected</I><BR /><I><STRONG>Description:</STRONG>&nbsp;File file name =&nbsp;<STRONG>.docx.exe,&nbsp;</STRONG>.xlsx.exe,&nbsp;<STRONG>.pptx.exe,&nbsp;</STRONG>.pdf.exe,&nbsp;<STRONG>.wav.exe,&nbsp;</STRONG>.mp3.exe,&nbsp;<STRONG>.mkv.exe,&nbsp;</STRONG>.avi.exe,&nbsp;<STRONG>.mp4.exe,&nbsp;</STRONG>.gif.exe,&nbsp;<STRONG>.bmp.exe,&nbsp;</STRONG>.png.exe,&nbsp;<STRONG>.jpg.exe,&nbsp;</STRONG>.jpeg.exe,&nbsp;<STRONG>.m4a.exe,&nbsp;</STRONG>.html.exe,&nbsp;<STRONG>.htm.exe,&nbsp;</STRONG>.mht.exe,&nbsp;<STRONG>.d…</STRONG></I></SPAN></FONT></DIV><DIV class="p-mrkdwn_element">&nbsp;</DIV><DIV class="p-mrkdwn_element"><SPAN><FONT face="arial,helvetica,sans-serif" size="4">I ask because the <STRONG>Email</STRONG> Alerts have this info:</FONT><I><BR /><FONT face="arial,helvetica,sans-serif" size="2">Source:XDR Agent</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2">Category:Malware</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2">Action:Detected (Reported)</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2" color="#FF0000">Host:MSEDGEWIN10</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2">Starred:No</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2">Excluded:No</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2">Alert:39439</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="2">Incident:13</FONT></I></SPAN></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 09 Sep 2020 23:42:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-alerts-slack-integration/m-p/348002#M282 CChampagne1 2020-09-09T23:42:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-alerts-slack-integration/m-p/349062#M298 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/154986">@CChampagne1</a>,</P><P>&nbsp;</P><P>I reached out to one of our Cortex XDR Product Managers on this to verify.&nbsp; If the ability to include the hostname is a not available via configuration, I will submit a feature request.&nbsp; I will keep you posted.&nbsp;</P> Mon, 14 Sep 2020 13:14:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-alerts-slack-integration/m-p/349062#M298 dfalcon 2020-09-14T13:14:19Z