https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ioc-incidents-query/m-p/559433#M5209 <P>Hi Team,</P> <P>&nbsp;</P> <P>We have detected several IOC incidents in the Cortex XDR console. The action status for these incidents is marked as 'detected,' but upon further investigation, we found that the internal network team had prevented these incidents in the Palo Alto firewall. Simultaneously, when we checked the Cortex XDR console's IOC incidents debug alerts, we noticed that 'action_network_success' was set to 'false.' This discrepancy raises doubts about whether 'action_network_success' being 'false' indicates prevention or detection."</P> Tue, 26 Sep 2023 05:40:53 GMT Vinothkumar_SBA 2023-09-26T05:40:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ioc-incidents-query/m-p/559433#M5209 <P>Hi Team,</P> <P>&nbsp;</P> <P>We have detected several IOC incidents in the Cortex XDR console. The action status for these incidents is marked as 'detected,' but upon further investigation, we found that the internal network team had prevented these incidents in the Palo Alto firewall. Simultaneously, when we checked the Cortex XDR console's IOC incidents debug alerts, we noticed that 'action_network_success' was set to 'false.' This discrepancy raises doubts about whether 'action_network_success' being 'false' indicates prevention or detection."</P> Tue, 26 Sep 2023 05:40:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ioc-incidents-query/m-p/559433#M5209 Vinothkumar_SBA 2023-09-26T05:40:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ioc-incidents-query/m-p/559645#M5221 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138">@Vinothkumar_SBA</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>If I understood correctly there is an IOC in XDR whose alert was generated by Alert source as XDR IOC, but those IOC were prevented by PANW firewall do you mean this?&nbsp;</P> <P>Since IOC was reported as Detected by Cortex XDR agent therefore&nbsp;<SPAN>action_network_success which corresponds to that alert has/had value false.&nbsp;</SPAN></P> <P><SPAN>Could you share what&nbsp;discrepancy you see with the Detected alert and action_network_success as false? Additionally&nbsp;you may also can verify NGFW event by running XQL query for preset =&nbsp;network_story dataset and then look for events related to that IOC Alert. Then you may check the "action_network_success" field value.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Sep 2023 11:33:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ioc-incidents-query/m-p/559645#M5221 PiyushKohli 2023-09-27T11:33:01Z