Hello dear community!
As you know, there are sometimes changes (computer names, domains, etc.) on the endpoints.
And now there is also a Cortex version from PA which has the problem of "kicking" the endpoint out of the endpoint group (not really, but the allocation doesn't work).
How do I catch this by alert? I want to be alerted, when the allocation to a group name is not upright.
Is this possible?
I tried it with correlation rule on dataset endpoints, but the group name of this endpoint is still the old entry and not the 0 or null entry.
The Agent Log doesn't tell me anything I need to create an alert.
How do you handle this use case with automation/alerting?
An out of the box automation is not available.
However, you may be able to tweak your correlation rule with an XQL query using a regex expression substitution such as replace. Also, as an example, if you are ingesting the corresponding Windows Event ID for domain name changes (dataset=xdr_data), using the alter stage, which assigns a value to a field name based on the returned value of the function, may yield better results.
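As an added example (not from the original post and not from Palo Alto Networks), here is one way the two suggestions above could be sketched as XQL. Both queries are assumptions about your schema: they assume the `endpoints` dataset exposes `endpoint_name` and a single-valued `group_name`, that ingested Windows event logs in `xdr_data` expose `event_type`, `agent_hostname`, `action_evtlog_event_id` and `action_evtlog_message`, and they use a placeholder domain suffix, a constructed group naming rule and a placeholder event ID. Verify every field name and the event ID against the dataset schema in your own tenant before saving either query as a correlation rule.

```xql
// Added example, not from the original post. Field names are assumptions;
// check them against your tenant's schema. Run the two queries separately.

// Query 1: endpoints still allocated to a group that no longer matches their
// (renamed) hostname. replace() strips the old domain suffix so that the bare
// hostname can be compared with the naming convention a group is expected to follow.
dataset = endpoints
| alter short_name = lowercase(replace(endpoint_name, ".old-domain.example", ""))  // placeholder old domain suffix
| alter expected_group = if(short_name contains "ws-", "Workstations", "Servers")  // constructed naming rule, adjust to yours
| filter group_name != expected_group   // assumption: group_name is a single string; use arraystring() if it is a list
| fields endpoint_name, short_name, group_name, expected_group

// Query 2: alert on the Windows event that records a domain / computer-name change,
// so the rule fires when the change happens instead of waiting for the endpoints
// dataset to be refreshed.
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
    and action_evtlog_event_id = 0000   // placeholder: substitute the Windows Event ID you ingest for domain name changes
| alter hostname = lowercase(agent_hostname)
| fields _time, hostname, action_evtlog_event_id, action_evtlog_message
```

Query 1 addresses the symptom described in the question (the old group entry lingering on the endpoint), while Query 2 catches the cause as soon as the event log is ingested; attaching a correlation rule to Query 2 generally gives an earlier and more reliable alert than polling the endpoints dataset.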