xql query for moved directory or folder

Joe-Oberfoell — Wed, 28 May 2025 19:13:43 GMT

There is a canned search for files but what about folders?

We are trying to find out who is moving or deleting a folder, hoping Cortex has something to help. Thx

Re: xql query for moved directory or folder

aspatil — Mon, 02 Jun 2025 07:47:06 GMT

The reason is, Cortex XDR agent does not collect all Windows Event Logs. It only collects specific security-relevant events as defined in the policy.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection

To detect events based on the folder, you can Ingest Event ID 4660 and 4663 into Cortex XDR.

Use Broker VM + Log Forwarding App

This is the most effective and supported method by Palo Alto Networks.

Enable Audit Policies on Endpoints
- Enable object access auditing via GPO:
  
  Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit File System → Success and Failure
Configure SACLs on the Folder(s)
- Right-click the folder → Properties → Security → Advanced → Auditing → Add
- Choose the user/group, and select "Delete", "Delete Subfolders and Files", "Write", etc.
- This ensures events like 4663 and 4660 are logged.
Forward Logs to Cortex XDR:
- Install Broker VM and configure the Log Forwarding App.
- Use Windows Event Forwarding (WEF) or Winlogbeat/NXLog to forward the Security Event Log to the Broker.
- The Broker forwards logs to the Cortex Data Lake.

Create a correlation rule to create detection

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

topic Re: xql query for moved directory or folder in Cortex XDR Discussions

xql query for moved directory or folder

Re: xql query for moved directory or folder

Use Broker VM + Log Forwarding App