https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/rare-iptable-delete-command/m-p/525470#M3307 <P>Hi Muthuvel,&nbsp;</P> <P>&nbsp;</P> <P>I think the question is how can we see delete/flush command ?</P> <P>But event its, still some of the important informations are missing like</P> <P>What is the alert source?&nbsp;</P> <P>did you try to&nbsp;investigate casualty chain?&nbsp;</P> <P>did you check&nbsp;action_remote_process_image_command_line or&nbsp;actor_process_command_line fields for parameters?&nbsp;</P> <P>is your time line correct when you use Query builder?</P> Thu, 29 Dec 2022 14:07:33 GMT etugriceri 2022-12-29T14:07:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/rare-iptable-delete-command/m-p/525348#M3305 <P>We received couple of alerts on rare iptable delete command.On checking the host activity, we could able to observe all commands including newly entered command in the host machine but not able to see the iptable delete/flush command in the activity log under Query builder.</P> Wed, 28 Dec 2022 10:03:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/rare-iptable-delete-command/m-p/525348#M3305 Muthuvel 2022-12-28T10:03:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/rare-iptable-delete-command/m-p/525470#M3307 <P>Hi Muthuvel,&nbsp;</P> <P>&nbsp;</P> <P>I think the question is how can we see delete/flush command ?</P> <P>But event its, still some of the important informations are missing like</P> <P>What is the alert source?&nbsp;</P> <P>did you try to&nbsp;investigate casualty chain?&nbsp;</P> <P>did you check&nbsp;action_remote_process_image_command_line or&nbsp;actor_process_command_line fields for parameters?&nbsp;</P> <P>is your time line correct when you use Query builder?</P> Thu, 29 Dec 2022 14:07:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/rare-iptable-delete-command/m-p/525470#M3307 etugriceri 2022-12-29T14:07:33Z