https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/hashes-of-the-attachment-from-the-o365-log/m-p/558425#M5170 <P>Dear community,</P> <P><BR />I've been evaluating the benefits of ingesting o365 logs so far. Seeking those who have the mentioned logs ingested into Cortex XDR -</P> <P>does Cortex XDR review and raise alert using the hashes of the attachment if the attachment is a malware?<BR /><BR />Besides, what are the useful data / alert that you think it helped your organization in terms of day-to-day operation/investigation?</P> <P>&nbsp;</P> <P>Thank you<BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Mon, 18 Sep 2023 19:22:33 GMT Antony_Chan 2023-09-18T19:22:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/hashes-of-the-attachment-from-the-o365-log/m-p/558425#M5170 <P>Dear community,</P> <P><BR />I've been evaluating the benefits of ingesting o365 logs so far. Seeking those who have the mentioned logs ingested into Cortex XDR -</P> <P>does Cortex XDR review and raise alert using the hashes of the attachment if the attachment is a malware?<BR /><BR />Besides, what are the useful data / alert that you think it helped your organization in terms of day-to-day operation/investigation?</P> <P>&nbsp;</P> <P>Thank you<BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Mon, 18 Sep 2023 19:22:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/hashes-of-the-attachment-from-the-o365-log/m-p/558425#M5170 Antony_Chan 2023-09-18T19:22:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/hashes-of-the-attachment-from-the-o365-log/m-p/558508#M5173 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/202190">@Antony_Chan</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on Live Community!</P> <P>XDR collect following data from O365 emails.</P> <UL class="itemizedlist"> <LI class="listitem"> <P>All message details except the<SPAN>&nbsp;</SPAN><CODE class="computeroutput hljs language-css"><SPAN class="hljs-selector-tag">body</SPAN></CODE>,<SPAN>&nbsp;</SPAN><CODE class="computeroutput hljs language-undefined">bodyPreview</CODE>, and<SPAN>&nbsp;</SPAN><CODE class="computeroutput hljs language-undefined">subject</CODE>.</P> </LI> <LI class="listitem"> <P>Attachment details include file name, file type, file hash, size, and id.</P> </LI> </UL> <P>Based on above data Cortex XDR raise alerts&nbsp;<SPAN>(Analytics, IOC, BIOC, and Correlation Rules). So if an attachment hash is listed under IOC/BIOC, XDR is going to raise an alert.</SPAN></P> <P><SPAN>Regarding useful data/alerts, use case vary from organisation to organisation. XDR collects lot of data like Azure AD logs, exchange logs, DLP etc. Based on these logs you can build use cases. Please refer below documentation for details on ingesting Microsoft O365 logs.</SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Microsoft-Office-365" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Microsoft-Office-365</A></SPAN></P> Tue, 19 Sep 2023 08:26:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/hashes-of-the-attachment-from-the-o365-log/m-p/558508#M5173 nsinghvirk 2023-09-19T08:26:49Z