https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/the-cortex-xdr-not-installed-still-incident-getting-generated/m-p/567034#M5605 <P>We have observed incident on the server in which Cortex XDR is not installed. The system is only present in the asset inventory. How is this possible, on what basis incident is getting generated?</P> <P>Incident Name:&nbsp;<STRONG>Multiple Rare LOLBIN Process Executions by User</STRONG></P> <P>&nbsp;</P> <P>Thanks in advance.</P> Fri, 24 Nov 2023 14:54:08 GMT Shinde_Dipak 2023-11-24T14:54:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/the-cortex-xdr-not-installed-still-incident-getting-generated/m-p/567034#M5605 <P>We have observed incident on the server in which Cortex XDR is not installed. The system is only present in the asset inventory. How is this possible, on what basis incident is getting generated?</P> <P>Incident Name:&nbsp;<STRONG>Multiple Rare LOLBIN Process Executions by User</STRONG></P> <P>&nbsp;</P> <P>Thanks in advance.</P> Fri, 24 Nov 2023 14:54:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/the-cortex-xdr-not-installed-still-incident-getting-generated/m-p/567034#M5605 Shinde_Dipak 2023-11-24T14:54:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/the-cortex-xdr-not-installed-still-incident-getting-generated/m-p/567277#M5612 <P>Hello&nbsp;&nbsp;<A id="link_7" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/337761" target="_self" aria-label="View Profile of Shinde_Dipak">Shinde_Dipak,</A></P> <P>&nbsp;</P> <P>'Multiple Rare LOLBIN Process Executions by User' alert is generated by XDR Analytics were detected. Reference&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Multiple-Rare-LOLBIN-Process-Executions-by-User" target="_self">Multiple Rare LOLBIN Process Executions by User • Cortex XDR Analytics Alert Reference</A></P> <P>&nbsp;</P> <P>The source for this detection is data collected from the&nbsp;XDR Agent with<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts" target="_self"> Identity Analytics</A> enabled. However, customers can take advantage&nbsp;of analytics network or identity detectors on a host in the absence of the XDR agent if additional network and identity data sources (<SPAN>Cloud Identity Engine, Azure etc.)</SPAN> are onboarded directly into Cortex XDR.&nbsp;</P> <P>&nbsp;</P> <P>For example, in addition to the agent, Cortex XDR can ingest PAN NGFW&nbsp;<SPAN>Enhanced application logs (EAL) and</SPAN> Third-party authentication service logs with the<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/License-Monitoring" target="_self"> Pro GB or Cloud license</A> to detect threats by collecting and analyzing cloud logs. Its analytics detectors examine cloud audit, flow, and identity logs to baseline behavior.</P> <P>&nbsp;</P> <P>Reference&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Data-from-Next-Generation-Firewall" target="_blank" rel="noopener">Ingest Data from Next-Generation Firewall • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal</A></P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Visibility-of-Logs-and-Alerts-from-External-Sources" target="_blank" rel="noopener">Visibility of Logs and Alerts from External Sources • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal</A></P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics" target="_blank" rel="noopener">Analytics • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal</A></P> <P>&nbsp;</P> <P>To investigate, concerning the endpoint data collection gathered to stitch an alert,&nbsp;review the Debug alert data collected from the event for analysis:</P> <P>&nbsp;</P> <P><STRONG data-aura-rendered-by="230:5538;a">Collect Debug data from Incidents Tab</STRONG></P> <OL data-aura-rendered-by="230:5538;a"> <LI>Go To Incidents Tab and select the Incident that you want to Debug.</LI> <LI>Alt+ Right Click on the Incident and select Download Debug Data</LI> </OL> <DIV id="tinyMceEditor_3d8e56a6a0558ejtalton_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditor_3d8e56a6a0558ejtalton_2" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jtalton_3-1701120088857.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55449i99A037DD34AED1D3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jtalton_3-1701120088857.png" alt="jtalton_3-1701120088857.png" /></span></P> <P>&nbsp;</P> <P data-aura-rendered-by="230:5538;a"><STRONG>Collect Debug Alert data From Alerts page</STRONG></P> <OL data-aura-rendered-by="230:5538;a"> <LI>&nbsp;Go to the Alert and press Alt+ Right Click to select Debug Alert</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jtalton_4-1701120135457.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55450iCC9B9109DE21C483/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jtalton_4-1701120135457.png" alt="jtalton_4-1701120135457.png" /></span></P> <OL start="2" data-aura-rendered-by="230:5538;a"> <LI>It will open another window with Debug logs. Click on 'Copy Log' and view the logs for analysis.</LI> </OL> <P>If you found this answer helpful, please select<SPAN>&nbsp;</SPAN><STRONG>Accept as Solution</STRONG>.</P> <P>&nbsp;</P> <P>Thank you!</P> Mon, 27 Nov 2023 21:40:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/the-cortex-xdr-not-installed-still-incident-getting-generated/m-p/567277#M5612 jtalton 2023-11-27T21:40:56Z