https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-3-improving/ta-p/580939 <DIV class="lia-message-template-content-zone"> <H2>Improving Application Security with Parsing &amp; Correlations</H2> <P><SPAN data-offset-key="32g60-0-0">Watch the final session of the webinar series and learn how to improve application security using Parsing and Correlation Rules with practical tips and demonstrations available for</SPAN><SPAN>&nbsp;<EM>Cortex XDR Pro per GB license.</EM></SPAN></P> <P><SPAN data-offset-key="32g60-0-0">We recommend reviewing the previous sessions' recordings:&nbsp;</SPAN></P> <UL> <LI><FONT color="#FF6600"><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-customer-success-webinar-series-part-1-getting-started/ta-p/575388" target="_blank" rel="noopener">Part 1 - Getting Started with parsing rules</A></FONT></LI> <LI><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-series-part-2-correlation/ta-p/578690" target="_blank" rel="noopener">Part 2 - The Core of Detection</A></LI> </UL> <P><SPAN data-offset-key="32g60-0-0">Make sure to review the resources shared below the video.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-offset-key="32g60-0-0"><div class="lia-vid-container video-embed-center"><div id="lia-vid-6349827730112w960h540r811" class="lia-video-brightcove-player-container"><video-js data-video-id="6349827730112" data-account="6058004142001" data-player="default" data-embed="default" class="vjs-fluid" controls="" data-application-id="" style="width: 100%; height: 100%;"></video-js></div><script src="https://players.brightcove.net/6058004142001/default_default/index.min.js"></script><script>(function() { var wrapper = document.getElementById('lia-vid-6349827730112w960h540r811'); var videoEl = wrapper ? wrapper.querySelector('video-js') : null; if (videoEl) { if (window.videojs) { window.videojs(videoEl).ready(function() { this.on('loadedmetadata', function() { this.el().querySelectorAll('.vjs-load-progress div[data-start]').forEach(function(bar) { bar.setAttribute('role', 'presentation'); bar.setAttribute('aria-hidden', 'true'); }); }); }); } }})();</script><a class="video-embed-link" href="https://live.paloaltonetworks.com/t5/video/gallerypage/video-id/6349827730112">(view in My Videos)</a></div></SPAN></P> <P>&nbsp;</P> <P><SPAN data-offset-key="32g60-0-0">Filebeat Download:<BR /><A class="c-link c-link--underline" href="https://www.elastic.co/downloads/beats/filebeat" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.elastic.co/downloads/beats/filebeat" data-sk="tooltip_parent">https://www.elastic.co/downloads/beats/filebeat</A></SPAN></P> <P><SPAN data-offset-key="32g60-0-0">Filebeat Inputs:<BR /><A class="c-link c-link--underline" href="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html" data-sk="tooltip_parent">https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html</A></SPAN></P> <P><SPAN data-offset-key="32g60-0-0">Filebeat Outputs:<BR /><A class="c-link c-link--underline" href="https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html" data-sk="tooltip_parent">https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html</A></SPAN></P> <P><SPAN data-offset-key="32g60-0-0">XDR Filebeat Custom Collector Docs:<BR /><A class="c-link c-link--underline" href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Elasticsearch-Filebeat" target="_blank" rel="noopener noreferrer" data-stringify-link="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Elasticsearch-Filebeat" data-sk="tooltip_parent">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Elasticsearch-Filebeat</A></SPAN></P> <P><SPAN data-offset-key="32g60-0-0">XDR Collector Docs:<BR /><A class="c-link c-link--underline" href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/XDR-Collectors" target="_blank" rel="noopener noreferrer" data-stringify-link="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/XDR-Collectors" data-sk="tooltip_parent">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/XDR-Collectors</A>XDR Collector How-To Video Custom Logs:<BR /><A class="c-link c-link--underline" href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-series-ingest-and-parse-custom-log/ta-p/517812" target="_blank" rel="noopener noreferrer" data-stringify-link="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-series-ingest-and-parse-custom-log/ta-p/517812" data-sk="tooltip_parent">https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-series-ingest-and-parse-custom-log/ta-p/517812</A></SPAN></P> <P><SPAN data-offset-key="32g60-0-0">XQL Crash Course:&nbsp;</SPAN></P> <P><SPAN data-offset-key="32g60-0-0"><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056</A></SPAN></P> <P>&nbsp;</P> <P><SPAN data-offset-key="32g60-0-0">filebeat.yml - Minimal Example:</SPAN></P> <LI-CODE lang="markup"># ============================== Filebeat inputs =============================== filebeat.inputs: - type: filestream id: webinar-webserver-log paths: - /path/to/log/file # &lt;======= enter file path here # ---------------------------- Elasticsearch Output ---------------------------- output.elasticsearch: enabled: true hosts: [""] # &lt;======= enter API URL here protocol: "https" compression_level: 5 bulk_max_size: 100 api_key: "" # &lt;======= enter API Key here allow_older_versions: true # ============================== Logging ======================================= logging.level: debug</LI-CODE> <P>&nbsp;</P> <DIV class="p-rich_text_section">Parsing Test Query</DIV> <DIV class="p-rich_text_section"><LI-CODE lang="markup">dataset = webinar_webserver_raw | alter source_time = regextract(_raw_log, "(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"), logger = arrayindex(split(_raw_log, "-"), 3), level = arrayindex(split(_raw_log, "-"), 4), message = arrayindex(split(_raw_log, "-"), 5), request_type = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 6), "(\w+)"), 0), user_agent = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 7), "User Agent: (.)"), 0) | alter username = arrayindex(regextract(message, "user '(.*)'"), 0)</LI-CODE> <P>&nbsp;</P> <DIV class="p-rich_text_section">Parsing Rule</DIV> <DIV class="p-rich_text_section"><LI-CODE lang="markup">[INGEST:vendor="Webinar", product="Webserver", target_dataset="webinar_webserver_raw", no_hit=drop] alter source_time = regextract(_raw_log, "(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"), logger = arrayindex(split(_raw_log, "-"), 3), level = arrayindex(split(_raw_log, "-"), 4), message = arrayindex(split(_raw_log, "-"), 5), request_type = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 6), "(\w+)"), 0), user_agent = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 7), "User Agent: (.*)"), 0) | alter username = arrayindex(regextract(message, "user '(.*)'"), 0);</LI-CODE> <P>&nbsp;</P> <DIV class="p-rich_text_section">Correlation Query</DIV> <DIV class="p-rich_text_section"><LI-CODE lang="markup">dataset = webinar_dryrun_raw | filter username != "admin" | filter message contains "Accessed hidden page" | fields level, logger, message, username, user_agent, source_time, request_type, _log_source_file_name, _reporting_device_ip </LI-CODE> <P>&nbsp;</P> <DIV class="p-rich_text_section">Drilldown Query</DIV> <DIV class="p-rich_text_section"><LI-CODE lang="markup">dataset = webinar_dryrun_raw | filter username = $username | fields level, logger, message, username, user_agent, source_time, request_type, _log_source_file_name, _reporting_device_ip</LI-CODE> <P>&nbsp;</P> <P><SPAN>Have a question?&nbsp; Post it on our&nbsp;</SPAN><FONT color="#FF6600"><STRONG><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bd-p/Analytics_Discussions" target="_self">Discussions forum</A></STRONG></FONT></P> <P><FONT color="#FF6600"><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</FONT></P> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 27 Mar 2024 21:13:33 GMT rtsedaka 2024-03-27T21:13:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-3-improving/ta-p/580939 <P>Click to watch the third and final episode of the Parsing &amp; Correlation Rules webinar series. Don't miss out on all the resources shared below the video!&nbsp;</P> Wed, 27 Mar 2024 21:13:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-3-improving/ta-p/580939 rtsedaka 2024-03-27T21:13:33Z