12-25-2022 02:58 PM - edited 12-25-2022 03:06 PM
Hello dear community!
As you know, there are sometimes changes (computer names, domains, etc.) on the endpoints.
And now there is also a Cortex version from PA which has the problem of "kicking" the endpoint out of the endpoint group (not really, but the allocation doesn't work).
How do I catch this with an alert? I want to be alerted when the allocation to a group name is not upright.
Is this possible?
I tried it with a correlation rule on the endpoints dataset, but the group name of this endpoint is still the old entry and not the 0 or null entry.
The agent log doesn't tell me anything I need to create an alert.
How do you handle this use case with automation/alerting?
BR
Rob
01-12-2023 09:18 AM - edited 01-12-2023 09:19 AM
Hi Rob,
An out of the box automation is not available.
However, you may be able to tweak your correlation rule with an XQL query using a regex expression substitution such as replace. Also, as an example, if you are ingesting the corresponding Windows Event ID for domain name changes (dataset=xdr_data), using the alter stage, which assigns a value to a field name based on the returned value of the function, may yield better results.
Reference
Alter • Cortex XDR XQL Language Reference • Reader • Palo Alto Networks documentation portal
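One way to build the correlation rule described in the reply above, as an added example that is not part of the original thread and not Palo Alto Networks' own code. It assumes a hypothetical group naming convention in which every endpoint is expected to sit in a group called "<short domain>-workstations", where the short domain is the endpoint's current domain with a ".local" suffix stripped. The field names endpoint_name, domain and group_name are assumed from the endpoints dataset column names and should be verified in your tenant; if group_name is an array there rather than a string, wrap it with arraystring(group_name, ",") before comparing.

```xql
// Added example (not from the original post). Assumes the hypothetical
// naming convention "<short domain>-workstations" and the field names
// endpoint_name, domain and group_name on the endpoints dataset.
dataset = endpoints
// normalise the domain the agent currently reports
| alter current_domain = lowercase(domain)
// replace() is the substitution step: drop the ".local" suffix so that
// "corp.example.local" maps to the group "corp.example-workstations"
| alter expected_group = concat(replace(current_domain, ".local", ""), "-workstations")
// the stale allocation is the case where the stored group no longer
// matches what the current domain says it should be
| filter group_name != expected_group
| fields endpoint_name, domain, group_name, expected_group
```

Run the query in XQL Search first to confirm the field names and the naming convention produce the rows you expect, then save it as a correlation rule. Because the endpoints dataset is a periodic snapshot rather than a live event stream, a mismatch only shows up after the next refresh, so this catches the stale allocation with some delay rather than at the moment the rename happens.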
01-18-2023 01:30 PM
Thanks! I will have a look at it for the case when the domain changes.
But what if the group is not allocated anymore or not yet?
It would be enough for me if the endpoints dataset were in sync when there are changes in the allocation.
This should work by design.
BR
Rob