topic Re: Automation of Reports in Cortex XDR Discussions

Automation of Reports

RamyashreeMada — Wed, 15 Mar 2023 17:06:15 GMT

Hello Team,

We need to create automated XDR report to detect executions of “Python.exe” and “PowerShell.exe & PowerShell_ise.exe” in our environment.
Can we query a incident/alerts to make a report or suggest us how we can generate reports based on the above requirements.
Can we configure a scheduler in this report so that all the intended recipients would receive this report.

Re: Automation of Reports

PiyushKohli — Thu, 16 Mar 2023 05:10:01 GMT

Thank you for writing to live community!

For your above use case, one approach could be by creating a new Report from scratch under the Report Template using XQL Query and under XQL query bolt query to search for actor/action process image name with “Python.exe” , “PowerShell.exe" & "PowerShell_ise.exe”. However you may have to tweak this query to exclude administrative executions of this processes based on your Use Case.

For Report creation you may refer to this

Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.

Thanks

Re: Automation of Reports

RamyashreeMada — Thu, 16 Mar 2023 05:31:11 GMT

Hello @PiyushKohli,

We need to create a report for the alerts that are triggered for the above files. Is the possible to automate report based on alerts?

Re: Automation of Reports

VenuK — Thu, 16 Mar 2023 07:42:49 GMT

You may try the below query and see if this results with your requirement. This did work for us.

dataset = xdr_data
|filter event_type = ENUM.PROCESS
|filter lowercase(actor_process_image_name ) ="python.exe" or lowercase(actor_process_image_name ) ="powershell.exe" or lowercase(actor_process_image_name ) ="powershell_ise.exe"
|fields causality_actor_process_image_path, actor_process_image_path, agent_hostname, action_file_path, action_file_name
|dedup causality_actor_process_image_path, actor_process_image_path, agent_hostname, action_file_path, action_file_name

Thank you

Re: Automation of Reports

PiyushKohli — Thu, 16 Mar 2023 09:02:08 GMT

Hi @RamyashreeMada

Thanks for clarifying. Since you need a report/notification for the alerts that are triggered for mentioned processes. You may configure the Notifications under Configuration for the same.

Reference URL: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-Notification-Forwarding

Screenshot for Reference:

Note: Update the configuration scope according to your Use Case, so that all alerts corresponding to those processes for which you want to be notified are selected.

Aside to @VenuK . Thanks for sharing the query!

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.