article Cortex XDR Customer Success Webinar: Threat Hunting Methodologies in Cortex XDR Videos

article Cortex XDR Customer Success Webinar: Threat Hunting Methodologies in Cortex XDR Videos https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-threat-hunting-methodologies/ta-p/590513 <DIV class="lia-message-template-content-zone"> <H2 id="toc-hId-1735210246">Threat Hunting Methodologies with Cortex XDR </H2> <P>This session introduces Threat Hunting, its benefits, and how to put it to use. We cover the different Threat Hunting methodologies and available add-ons for XDR as Host Insights. </P> <P>You may review the queries we use in the video below.  </P> <P> </P> <P><div class="lia-vid-container video-embed-center"><div id="lia-vid-6355724980112w960h540r22" class="lia-video-brightcove-player-container"><video-js data-video-id="6355724980112" data-account="6058004142001" data-player="default" data-embed="default" class="vjs-fluid" controls="" data-application-id="" style="width: 100%; height: 100%;"></video-js></div><script src="https://players.brightcove.net/6058004142001/default_default/index.min.js"></script><script>(function() { var wrapper = document.getElementById('lia-vid-6355724980112w960h540r22'); var videoEl = wrapper ? wrapper.querySelector('video-js') : null; if (videoEl) { if (window.videojs) { window.videojs(videoEl).ready(function() { this.on('loadedmetadata', function() { this.el().querySelectorAll('.vjs-load-progress div[data-start]').forEach(function(bar) { bar.setAttribute('role', 'presentation'); bar.setAttribute('aria-hidden', 'true'); }); }); }); } }})();</script><a class="video-embed-link" href="https://live.paloaltonetworks.com/t5/video/gallerypage/video-id/6355724980112">(view in My Videos)</a></div></P> <P> </P> <P><STRONG>Sample queries:</STRONG></P> <P><FONT color="#FF6600">Process Execution Hunting</FONT></P> <LI-CODE lang="markup">dataset = xdr_data | filter action_process_image_name = "powershell.exe" OR action_process_image_name = "pwsh.exe" | comp count() as hits by actor_process_image_name | sort asc hits</LI-CODE> <P><FONT color="#FF6600">Persistence Hunting</FONT></P> <LI-CODE lang="markup">preset = xdr_event_log | filter action_evtlog_event_id = 7045 | alter service_name = trim(arrayindex(regextract(action_evtlog_message, "Service Name: (.*)"),0)) | alter service_file_name = trim(arrayindex(regextract(action_evtlog_message, "Service File Name: (.*)"),0)) | alter service_type = trim(arrayindex(regextract(action_evtlog_message, "Service Type: (.*)"), 0)) | alter service_start_type = trim(arrayindex(regextract(action_evtlog_message, "Service Start Type: (.*)"),0)) | alter service_account = trim(arrayindex(regextract(action_evtlog_message, "Service Account: (.*)"),0)) | fields service_* | filter service_start_type = "auto start" | comp count() as hits by service_name, service_file_name, service_type, service_account </LI-CODE> <P><FONT color="#FF6600">Activity Alerts</FONT></P> <LI-CODE lang="markup">dataset = alerts | filter alert_source = ENUM.XDR_ANALYTICS_BIOC | filter severity = ENUM.LOW | comp count() as alerts by host_name | sort desc alerts</LI-CODE> <P> </P> <P><FONT color="#FF6600">Anomalous Connections </FONT></P> <LI-CODE lang="markup">dataset = alerts | filter alert_source = ENUM.XDR_ANALYTICS_BIOC | filter severity = ENUM.LOW | arrayexpand user_name | comp count() as alerts by user_name | sort desc alerts</LI-CODE> <P> </P> <P> </P> <P><STRONG>Forensics* Artifacts Summary</STRONG></P> <P>As presented in this webinar. Please note that Forensics is an add-on license to XDR Pro. </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="High-level of Forensics Artifacts available" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60546iFC3461941562AF74/image-size/large?v=v2&px=999" role="button" title="XDR Threat Hunting - Forensics artifacts.jpg" alt="High-level of Forensics Artifacts available" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">High-level of Forensics Artifacts available</span></span></P> <P> </P> <P><SPAN>Have a question?  Post it on our </SPAN><FONT color="#FF6600"><STRONG><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bd-p/Analytics_Discussions" target="_self">Discussions forum</A></STRONG></FONT></P> <P><FONT color="#FF6600"><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT> </FONT></P> </DIV> Wed, 26 Jun 2024 18:25:05 GMT rtsedaka 2024-06-26T18:25:05Z Cortex XDR Customer Success Webinar: Threat Hunting Methodologies https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-threat-hunting-methodologies/ta-p/590513 <P>Getting started with Threat Hunting? Watch this webinar and review the resources available in the video. </P> Wed, 26 Jun 2024 18:25:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-threat-hunting-methodologies/ta-p/590513 rtsedaka 2024-06-26T18:25:05Z