topic Re: Visualize Running processes through XQL and send alert? in Cortex XDR Discussions

Visualize Running processes through XQL and send alert?

RFeyertag — Fri, 04 Nov 2022 20:23:03 GMT

Hello dear community!

is it possible to visualize through XQL a prozess which was not terminated and is still running?

In the causality view it is visualized, but I would need it to create a alert.

If a special process is still running, get a mail through correlation rule or bioc rule.

What do you say? Is that possible?

Rob

Re: Visualize Running processes through XQL and send alert?

mfakhouri — Tue, 08 Nov 2022 14:25:50 GMT

Hi Rob,

This workflow is possible utilizing several components in Cortex XDR.

The ENUM.PROCESS event type is able to reveal information about process usage through XQL. This can be accessed in the Query Builder with:

dataset = xdr_data

| event_type = ENUM.PROCESS

You can then add on to this preset to gather additional information depending on which process you would like to access. For example, to search for instances of OpenSSL process usage, you can add on to the query:

| filter action_process_image_name ~= “openssl”

A Correlation Rule or BIOC can then be defined with the newly created XQL query. This can be performed for either under Detection Rules -> Correlations/BIOC -> +Add Correlation/BIOC.

By navigating to the Notification Configuration, (Configurations -> General -> Notifications) a new Notification Forwarding Configuration can be made to be notified of these specific alerts via email. Once you select “Add Forwarding Configuration” and add a name and log type (which would be alert in your case), an alert scope can be defined. With filters, you can define the scope to include alerts that fall under your Correlation Rule or BIOC created.

Hope that helps!

References:

Create a Correlation Rule

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-correlation-rules/create-a-correlation-rule

Create a BIOC Rule

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule

Create a Notification Forwarding Configuration

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/create-notifications

Re: Visualize Running processes through XQL and send alert?

RFeyertag — Sat, 19 Nov 2022 00:37:34 GMT

Hello @mfakhouri, no it doens't help! I just wan't the actual running processes between time a and time b.

Like somebody in the office forgot to close the TeamViewer QS.

Alert: Process still running, after workhours, pc still on.

Rob

Re: Visualize Running processes through XQL and send alert?

mfakhouri — Tue, 22 Nov 2022 14:42:34 GMT

Hi @RFeyertag

You can utilize the "extract_time" function on top of the query mentioned to achieve your desired alert outside of working hours. Working with the previous query:

dataset = xdr_data

| event_type = ENUM.PROCESS //or ENUM.PROCESS.START for instances where the process is started

| filter action_process_image_name ~= “openssl” //openssl filter

| alter timeOfDay = extract_time(_time, "HOUR") //Extract the "Hour" unit value

| filter timeOfDay < 9 or timeOfDay > 17 //Example filter for process usage/start outside of example working hours.

| fields timeOfDay //You can add any additional fields to this section to visualize your output

You can further use the resources above to pivot toward a potential BIOC or Correlation rule.

Re: Visualize Running processes through XQL and send alert?

RFeyertag — Sat, 03 Dec 2022 22:44:37 GMT

so as I understand, you get these informations only when the process does something?

But, what if, a person forgets to close TV QS? How can I see the running process?

In case of an incident, there you have the (still running) symbol. Is it possible to get this into the xql query?

Rob

Re: Visualize Running processes through XQL and send alert?

bbucao — Fri, 09 Dec 2022 16:55:03 GMT

Hi RFeyertag,

As it relates to process events collected, XDR logs the start and stop actions. So building off of what @mfakhouri provided, you could add filtering to remove any process start event that also has an existing process stop event for the same time period, based off of the process ID (see example query below), so in theory, the remaining logs are process instances that have been started but not stopped for the given time window.

One other thing to keep in mind is the extract_time function is going to return a value in UTC, so when adding your filtering conditions you would want to keep that in mind to make sure the values you define match up to your organizations work hours.

Example:

dataset = xdr_data

|filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START

| alter timeOfDay = extract_time(_time, "HOUR")

| filter timeOfDay < 9 or timeOfDay > 17

//Using the "not in" operator, I have defined almost the exact same query as above, except changed the event_sub_type to "stop". So this filter will only return events for process ID's that don't have a corresponding process stop event.
|filter action_process_os_pid not in(dataset = xdr_data|filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP| alter timeOfDay = extract_time(_time, "HOUR")| filter timeOfDay < 9 or timeOfDay > 17 |fields action_process_os_pid)

| fields agent_hostname, agent_ip_addresses, action_process_image_path

Regards,
Ben