https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582678#M6461 <P>Hello Community!&nbsp;</P> <P><BR />Situation: We are seeing XDR incidents where NGFW detects something trying to reach out to malicious websites. This is automatically mitigated by dropping the connection on both ends, as it should. <STRONG>However, it seems this results in no causality chain</STRONG>. The source shows the domain controller involved, but that's not the actual origin of the request.</P> <P>&nbsp;</P> <P>Any ideas on how to query for more information that will lead us to what attempted to reach said malicious site? <BR /><BR />I'm fairly new to building XDR queries but have tried exploring datasets and trying to correlate the alert times stamps to other events/host network connections on the domain controller.&nbsp;</P> <P><BR />Example alert desc: "'generic:sussybadsite.bad along with 3 other alerts generated by PAN NGFW detected on host zdomainctrl1"<BR /><BR />We get a couple duplicate incidents per day and I'm burning with curiosity as what keeps attempting to reach out. Any and all thoughts/suggestions are most welcome!<BR /><BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Apr 2024 17:28:00 GMT JacobYonkman 2024-04-04T17:28:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582678#M6461 <P>Hello Community!&nbsp;</P> <P><BR />Situation: We are seeing XDR incidents where NGFW detects something trying to reach out to malicious websites. This is automatically mitigated by dropping the connection on both ends, as it should. <STRONG>However, it seems this results in no causality chain</STRONG>. The source shows the domain controller involved, but that's not the actual origin of the request.</P> <P>&nbsp;</P> <P>Any ideas on how to query for more information that will lead us to what attempted to reach said malicious site? <BR /><BR />I'm fairly new to building XDR queries but have tried exploring datasets and trying to correlate the alert times stamps to other events/host network connections on the domain controller.&nbsp;</P> <P><BR />Example alert desc: "'generic:sussybadsite.bad along with 3 other alerts generated by PAN NGFW detected on host zdomainctrl1"<BR /><BR />We get a couple duplicate incidents per day and I'm burning with curiosity as what keeps attempting to reach out. Any and all thoughts/suggestions are most welcome!<BR /><BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Apr 2024 17:28:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582678#M6461 JacobYonkman 2024-04-04T17:28:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582767#M6462 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/325621">@JacobYonkman</a>,</P> <P>&nbsp;</P> <P>Before we dive into XQL query/investigation. It's better to understand how's the infrastructure being setup.</P> <P>Questions:</P> <OL> <LI>Is your Domain Controller work as a DNS server</LI> <LI>Did the NGFW enable DNS sinkhole?</LI> <LI>Do all of your endpoints install with Cortex XDR agent?</LI> </OL> <P>Apart from Question 3, the investigation needs to be carry out from NGFW.</P> <P>Here's an article of DNSSinkhole that might help you identify the source that attempted to access a malicious website.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing" target="_blank">How DNS Sinkholing Works (paloaltonetworks.com)</A></P> Fri, 05 Apr 2024 08:38:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582767#M6462 Antony_Chan 2024-04-05T08:38:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582805#M6467 <P>Hello Antony!<BR />The article is definitely helpful. <BR />1. No <BR />2. Yes <BR />3. Yes. MOST endpoints have the XDR agent. (There is also a chance people are plugging personal devices into endpoints for charging, which naturally will not have any agents installed)<BR /><BR /></P> <P>&nbsp;</P> Fri, 05 Apr 2024 15:47:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-pick-up-the-trail-when-it-stops-at-the-domain-controller/m-p/582805#M6467 JacobYonkman 2024-04-05T15:47:46Z