topic Re: Alerting Endpoint misses an endpoint group allocation in Cortex XDR Discussions

Alerting Endpoint misses an endpoint group allocation

RFeyertag — Sun, 25 Dec 2022 23:06:17 GMT

Hello dear community!

as you know, there are sometimes changes (computer names, domains, etc.) on the endpoints.

And know there is also a cortex version from PA, which has the problem too "kicking" out the endpoint from the endpoint group (not really, but the allocation doesn't work).

How do I catch this by alert? I want to be alerted, when the allocation to a group name is not upright.

Is this possible?

I tried it with correlation rule on dataset endpoints, but the group name of this endpoint is still the old entry and not the 0 or null entry.

Agent Log doesn't tell me anything what I need to create an alert.

How do you handle this use case with automation/alerting?

Rob

Re: Alerting Endpoint misses an endpoint group allocation

jtalton — Thu, 12 Jan 2023 17:19:10 GMT

Hi Rob,

An out of the box automation is not available.

However, you may be able to tweak your correlation rule with an XQL query using a Regex expression substitution such as replace. Also, as an example, if you are ingesting the corresponding Windows Event ID for domain name changes (dataset=xdr_data) using the alter stage which assigns a value to a field name based on the returned value of the function, may yield better results.

Reference

Alter • Cortex XDR XQL Language Reference • Reader • Palo Alto Networks documentation portal

Re: Alerting Endpoint misses an endpoint group allocation

Cyber1985 — Wed, 18 Jan 2023 21:30:46 GMT

Thanks! I will have a look on it for the case when Domain changes.

But what if the group group is not allocated anymore or not yet?

It would be enough for me, when the endpoints dataset would be in sync, when there are changes in the allocation.

This should work by design.

Rob