Alerting Endpoint misses an endpoint group allocation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Alerting Endpoint misses an endpoint group allocation

L4 Transporter

Hello dear community!

 

as you know, there are sometimes changes (computer names, domains, etc.) on the endpoints. 

And know there is also a cortex version from PA, which has the problem too "kicking" out the endpoint from the endpoint group (not really, but the allocation doesn't work). 

How do I catch this by alert? I want to be alerted, when the allocation to a group name is not upright. 

Is this possible? 

I tried it with correlation rule on dataset endpoints, but the group name of this endpoint is still the old entry and not the 0 or null entry. 

Agent Log doesn't tell me anything what I need to create an alert. 

How do you handle this use case with automation/alerting?

 

BR

 

Rob

 

2 REPLIES 2

L3 Networker

Hi Rob,

 

An out of the box automation is not available.

 

However, you may be able to tweak your correlation rule with an XQL query using a Regex expression substitution such as replace. Also, as an example, if you are ingesting the corresponding Windows Event ID for domain name changes (dataset=xdr_data) using the alter stage which assigns a value to a field name based on the returned value of the function, may yield better results.

 

Reference

Alter • Cortex XDR XQL Language Reference • Reader • Palo Alto Networks documentation portal

If you found this answer helpful, please select Accept as Solution.

Thanks! I will have a look on it for the case when Domain changes. 

But what if the group group is not allocated anymore or not yet? 

It would be enough for me, when the endpoints dataset would be in sync, when there are changes in the allocation.

This should work by design. 

 

BR 

 

Rob

  • 1007 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!