https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/544536#M4475 <P>Dear LIVEcommunity,</P> <P>&nbsp;</P> <P>Did anyone encounter problem such as hostname does not match with the IP address for alert ingested from NGFW?</P> <P>This is especially true when come to host that doesn't have Cortex XDR agent installed. Now, if the host cannot install with Cortex XDR agent for whatever reason, is there any way that I could improve the accuracy of the DNS resolution?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="myu06kkn_1-1685698402054.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50619iB78C83A3AFD7E09D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="myu06kkn_1-1685698402054.png" alt="myu06kkn_1-1685698402054.png" /></span></P> <P>Right now, I'm considering DNS server log ingestion. But I'm uncertain that it will solve the issue.</P> <P>Thank you.</P> <P><BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Fri, 02 Jun 2023 09:35:13 GMT Antony_Chan 2023-06-02T09:35:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/544536#M4475 <P>Dear LIVEcommunity,</P> <P>&nbsp;</P> <P>Did anyone encounter problem such as hostname does not match with the IP address for alert ingested from NGFW?</P> <P>This is especially true when come to host that doesn't have Cortex XDR agent installed. Now, if the host cannot install with Cortex XDR agent for whatever reason, is there any way that I could improve the accuracy of the DNS resolution?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="myu06kkn_1-1685698402054.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50619iB78C83A3AFD7E09D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="myu06kkn_1-1685698402054.png" alt="myu06kkn_1-1685698402054.png" /></span></P> <P>Right now, I'm considering DNS server log ingestion. But I'm uncertain that it will solve the issue.</P> <P>Thank you.</P> <P><BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Fri, 02 Jun 2023 09:35:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/544536#M4475 Antony_Chan 2023-06-02T09:35:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/544860#M4493 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/202190">@Antony_Chan</a>,</P> <P>&nbsp;</P> <P>I'm looking into this issue and i'll get back to you as soon as I have something.</P> Mon, 05 Jun 2023 20:56:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/544860#M4493 anlynch 2023-06-05T20:56:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/546054#M4578 <P>Hi Myu06kkn,</P> <P>&nbsp;</P> <P data-unlink="true">Since you have a Pro per TB license, you can ingest your Microsoft DHCP logs which will help improve this data (assuming that the endpoint in question is receiving an IP address assignment from DHCP).&nbsp; These logs can be ingested with the <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Windows-DHCP-using-Elasticsearch-Filebeat?tocId=JANxyCY9tIF4GTt6_GoPXQ" target="_self">XDR Collector&nbsp;</A>and configuring it to ingest Microsoft DHCP log files.</P> Wed, 14 Jun 2023 16:57:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/546054#M4578 afurze 2023-06-14T16:57:29Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/546101#M4581 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/219403">@afurze</a>&nbsp;Thanks for the input. In my case, it was static IP address that assigned to servers. So DHCP log ingestion may not be applicable. I'll keep that in mind if the same issue occurred to DHCP hosts.</P> Thu, 15 Jun 2023 06:06:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/dns-resolution-was-wrong-for-firewall-alerts/m-p/546101#M4581 Antony_Chan 2023-06-15T06:06:28Z