topic Re: Rules for new install server in Cortex XDR Discussions

Rules for new install server

DCHKen_Yu — Wed, 01 Feb 2023 06:34:46 GMT

I would like to set a detect rule for the servers which installed the agent in the last 30days. After 30 days, Those servers will be applied for block rule.

The current setting is to select the server in the target and remove it from the target after 30days.

In Edit Policy, Target, I can't add install date in the filter. Is there any other way to do this automatically?

Re: Rules for new install server

neelrohit — Wed, 01 Feb 2023 08:15:46 GMT

Hi @DCHKen_Yu ,

Thank you for writing to live community!

You can do that by creating alerts in form of correlation rules by writing an XQL query on endpoints dataset.

dataset = endpoints | fields endpoint_status, last_seen, endpoint_name, endpoint_type, install_date , first_seen | alter ct = current_time() | alter diff = timestamp_diff(ct, install_date, "DAY") | filter endpoint_status != ENUM.CONNECTION_LOST and endpoint_type = TYPE_SERVER and diff >= 30

The above query should be saved as a correlation rule and should be able to help you.

Please mark the response as "Accept as Solution" if it helps!

Regards

Re: Rules for new install server

DCHKen_Yu — Wed, 01 Feb 2023 08:48:50 GMT

Hi @neelrohit ,

Thanks for your reply!

Sorry I am new to Cortex so I don't understand how this alert can help me creating that new server policy.

Is this a query to list out the servers installed older than 30days and then I remove the servers from the my policy(installed the agent in the last 30days) according to the query result?

Thanks!

Re: Rules for new install server

neelrohit — Wed, 01 Feb 2023 10:34:14 GMT

Hi @DCHKen_Yu ,

You will have to create a server policy on your own. Just create a policy rule in report mode for all servers/ workstations(depending upon your choice)

If your requirement is that you want to keep servers or endpoints in report mode for 30 days of monitoring and then move them to block mode policy after that, then this query will help you list down those servers and then you can tag them/alias them.

Alternatively, just query and dowload the list of endpoints, put them in a notepad file and upload it to endpoint groups, tag all the endpoints of the group as some keyword of your choice (eg. "setblock" or "block" or "30days" etc.) and then you can delete the endpoint group.

Under your block mode policy rule target parameter, put a filter as per your choice with the tag. (Eg. Endpoint type= server and tags=30days) and place it on top of your report mode policy rule.

The moment you tag the endpoints, the endpoints will automatically take the block mode policy in the next heartbeat.

Hope this helps!

Please mark the response "Accept as Solution" if it helps.

Regards

Re: Rules for new install server

DCHKen_Yu — Thu, 02 Feb 2023 02:33:27 GMT

Hi @neelrohit ,

I searched for the XQL Language Reference and found that there is an "add" command that seems tag a dataset.

So, can I save the XQL query you provided to create a dataset named ServersMoreThan30Days, then run a XQL query to tag the dataset like below and apply the tag to the policy?

dataset = ServersMoreThan30Days | tag add "ServersMoreThan30Days"

Or run a XQL like below?

Thanks for your help!

Re: Rules for new install server

neelrohit — Tue, 07 Feb 2023 15:03:27 GMT

Hi @DCHKen_Yu ,

If the above response was able to help, please mark the response as "Accept as Solution". Thank you.