Creating an Alert when a lost Endpoint device comes back online

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating an Alert when a lost Endpoint device comes back online

L1 Bithead

I want to create an alert and to do this, my understanding is to create a XQL query in the Correlations, to create the alert. I then can use the Automation to create the Email and text alert.

My struggle is I'm not that good with creating XQL stuff. I figured out how to look for the Host and if it has an IP, but now I need to add one more line to look for it have and IP after todays date.

1 accepted solution

Accepted Solutions

I think this is what you want.

 

dataset = endpoints
| filter endpoint_status = ENUM.CONNECTION_LOST
| fields endpoint_name, ip_address, last_seen
| filter ip_address != null and timestamp_diff(current_time(),last_seen, "DAY") < 1
| alter alert_message = "Endpoint " + endpoint_name + " with IP address " + to_string(ip_address) + " came back online at " + last_seen
| fields alert_message

View solution in original post

9 REPLIES 9

L0 Member

Hello, Dog Likes Best
XQL is a query language that enables you to analyze the data ingested into Cortex XDR and perform various security operations. Here are some sources that I found:

Cortex XDR - XQL Query Engine | Cortex XSOAR: This is a documentation page that explains how to configure and use the Cortex XDR - XQL Query Engine integration on Cortex XSOAR, which is a security orchestration, automation, and response platform. You can use this integration to run XQL queries on Cortex XDR and get the results as a table, a file, or a context output.
XDR Best Practices: 5 Tips For Better XQL Queries: This is a blog post that provides some key tips and best practices for utilizing XQL more effectively, optimizing query performance, and leveraging its powerful features to streamline your data analysis workflows. You can learn how to use query templates and translations, format your stages, be granular with your queries, avoid repetitive logical operators, and use time functions and variables.
Please share your useful XQL queries! - LIVEcommunity: This is a forum thread where users share and discuss their useful and interesting XQL queries for various use cases and scenarios. You can find some examples of queries that search for CVEs, scan errors, rundll32 running HTML applications, and more. You can also ask questions and get feedback from other users and experts.
Based on these sources, I think you can create an alert when a lost endpoint device comes back online by using a query like this:

dataset = endpoints
| filter endpoint_status = "LOST"
| fields endpoint_name, ip_address, last_seen
| filter ip_address != null and last_seen > now() - 1d
| alter alert_message = "Endpoint " + endpoint_name + " with IP address " + ip_address + " came back online at " + last_seen
| fields alert_message

This query will filter the endpoints dataset for devices that have a status of “LOST”, and then select the endpoint name, IP address, and last seen time. It will then filter for devices that have an IP address and were seen in the last day, indicating that they came back online. It will then create an alert message for each device with the relevant information, and display the alert messages as the output.

You can then use the Automation feature to create an email and text alert based on the query output. You can follow the steps in this document to configure the Automation settings and actions.

I hope this helps you create the alert that you want.

It doesnt like the now ()1d  

Am i to put something in the brackets?

I think this is what you want.

 

dataset = endpoints
| filter endpoint_status = ENUM.CONNECTION_LOST
| fields endpoint_name, ip_address, last_seen
| filter ip_address != null and timestamp_diff(current_time(),last_seen, "DAY") < 1
| alter alert_message = "Endpoint " + endpoint_name + " with IP address " + to_string(ip_address) + " came back online at " + last_seen
| fields alert_message

Hello,

Thank you for the detailed response. I also tried this and created an scheduled query. The query executed and returned two results in my case but no alert generated. Is there a way to generate an alert from within a XQL query?

Put the query in a Custom BIOC rule.

From the XDR Portal:

Detection Rules > Correlation Rules > + Add Correlation

Paste the query in the Correlation Rule and make it a medium level alert.

This is not available in the Prevent license though.

Problem with BIOC rule is, we don't have access to "dataset = endpoints" there. How can we find field "last_seen" in xdr_data?

I wrote it wrong in the title. Did you try BIOC or correlation?

 

Try it in correlation.

Thanks, it worked. Alerts will be generated and I'm able to see them in Alerts page. But the problem is, when I try to find the same alerts in the Automation rule, they won't show up. It can not simply find them. I attached screenshots of the alerts.

 

L2 Linker

I didn't find any reason why these specific alerts don't show up in Automation rules, but I just found a workaround for it through Cortex Settings -> Configuration -> Notification. It works and generated alerts appear here and I was able to send Emails via this.

  • 1 accepted solution
  • 2917 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!