https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/543469#M4443 <P>Any update <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a> . I've did something similar in this rule, don't know if this can help you out:<BR /><BR /></P> <P>/*<BR />Query finds the last connection of a suspicious domain and then displays all connections 5 minutes prior and 10 seconds after the connection to a suspicious domain.<BR />Fields AGENT and DOMAIN are mandatory. <BR />You may change variables minutes_before_connection and seconds_after_connection to include more or less results around the connection.</P> <P>Last connection time used to filter for results is based both on established connections and dns queries.<BR />*/</P> <P><BR />dataset = xdr_data<BR />| filter agent_hostname = "AGENT" // &lt;-- Agent that you are investigating<BR />| alter suspicious_domain = "DOMAIN" // &lt;-- Domain that caused the alert<BR />| alter minutes_before_connection = 5<BR />| alter seconds_after_connection = 10<BR />| filter action_external_hostname != null or dns_query_name != null<BR />| join type = inner (<BR />dataset = xdr_data<BR />| alter domain = if(action_external_hostname != null, action_external_hostname, dns_query_name != null, dns_query_name, null)<BR />| filter domain != null and agent_hostname != null<BR />| comp max(_time) as last_visit by domain, agent_hostname <BR />) as X _time &lt;= X.last_visit and X.domain = suspicious_domain and X.agent_hostname = agent_hostname<BR />| filter <BR />timestamp_diff(last_visit, _time, "MINUTE") &lt;= minutes_before_connection and<BR />timestamp_diff(_time, last_visit, "SECOND") &lt;= seconds_after_connection<BR />| fields <BR />_time, <BR />actor_process_image_name,<BR />actor_process_image_command_line,<BR />action_external_hostname as established_connection,<BR />dns_query_name as dns_query, <BR />_product<BR />| sort desc _time<BR /><BR />As description shows, it is used to tell us number of connection before and after generic alert and incident. If this can help you, it's great. </P> Fri, 26 May 2023 08:45:00 GMT DragomirGaliaIT 2023-05-26T08:45:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/542868#M4394 <P>Hey everyone,<BR /><BR />We are trying to sort out generic firewall alerts that we get as the incidents. <BR /><BR />Currently, when there's site blocked that someone browsed through, we get the incident to check for it.<BR /><BR />I would like to implement some correlation rule that will only trigger alert for suspicious ad/website when there are more than 1 connection, especially established one, and not to give alert if there's one blocked connection.<BR />So if someone for example has one blocked connection to the site that is suspicious, but other one is established, that would also be alert and incident to check.<BR /><BR />Any ideas on how to complete that?<BR /><BR />BR,<BR /><BR />Dragomir.</P> Mon, 22 May 2023 07:30:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/542868#M4394 DragomirGaliaIT 2023-05-22T07:30:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/543114#M4411 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/269217">@DragomirGaliaIT</a>,</P> <P>&nbsp;</P> <P>Thanks for reaching out through LIVEcommunity!</P> <P>&nbsp;</P> <P>I'm going to do some research on this and get back to you.</P> Wed, 24 May 2023 01:33:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/543114#M4411 anlynch 2023-05-24T01:33:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/543469#M4443 <P>Any update <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a> . I've did something similar in this rule, don't know if this can help you out:<BR /><BR /></P> <P>/*<BR />Query finds the last connection of a suspicious domain and then displays all connections 5 minutes prior and 10 seconds after the connection to a suspicious domain.<BR />Fields AGENT and DOMAIN are mandatory. <BR />You may change variables minutes_before_connection and seconds_after_connection to include more or less results around the connection.</P> <P>Last connection time used to filter for results is based both on established connections and dns queries.<BR />*/</P> <P><BR />dataset = xdr_data<BR />| filter agent_hostname = "AGENT" // &lt;-- Agent that you are investigating<BR />| alter suspicious_domain = "DOMAIN" // &lt;-- Domain that caused the alert<BR />| alter minutes_before_connection = 5<BR />| alter seconds_after_connection = 10<BR />| filter action_external_hostname != null or dns_query_name != null<BR />| join type = inner (<BR />dataset = xdr_data<BR />| alter domain = if(action_external_hostname != null, action_external_hostname, dns_query_name != null, dns_query_name, null)<BR />| filter domain != null and agent_hostname != null<BR />| comp max(_time) as last_visit by domain, agent_hostname <BR />) as X _time &lt;= X.last_visit and X.domain = suspicious_domain and X.agent_hostname = agent_hostname<BR />| filter <BR />timestamp_diff(last_visit, _time, "MINUTE") &lt;= minutes_before_connection and<BR />timestamp_diff(_time, last_visit, "SECOND") &lt;= seconds_after_connection<BR />| fields <BR />_time, <BR />actor_process_image_name,<BR />actor_process_image_command_line,<BR />action_external_hostname as established_connection,<BR />dns_query_name as dns_query, <BR />_product<BR />| sort desc _time<BR /><BR />As description shows, it is used to tell us number of connection before and after generic alert and incident. If this can help you, it's great. </P> Fri, 26 May 2023 08:45:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/sorting-out-generic-website-fw-rules/m-p/543469#M4443 DragomirGaliaIT 2023-05-26T08:45:00Z