01-31-2023 10:34 PM
I would like to set a detect rule for the servers which installed the agent in the last 30days. After 30 days, Those servers will be applied for block rule.
The current setting is to select the server in the target and remove it from the target after 30days.
In Edit Policy, Target, I can't add install date in the filter. Is there any other way to do this automatically?
02-01-2023 02:34 AM
Hi @DCHKen_Yu ,
You will have to create a server policy on your own. Just create a policy rule in report mode for all servers/ workstations(depending upon your choice)
If your requirement is that you want to keep servers or endpoints in report mode for 30 days of monitoring and then move them to block mode policy after that, then this query will help you list down those servers and then you can tag them/alias them.
Alternatively, just query and dowload the list of endpoints, put them in a notepad file and upload it to endpoint groups, tag all the endpoints of the group as some keyword of your choice (eg. "setblock" or "block" or "30days" etc.) and then you can delete the endpoint group.
Under your block mode policy rule target parameter, put a filter as per your choice with the tag. (Eg. Endpoint type= server and tags=30days) and place it on top of your report mode policy rule.
The moment you tag the endpoints, the endpoints will automatically take the block mode policy in the next heartbeat.
Hope this helps!
Please mark the response "Accept as Solution" if it helps.
Regards
02-01-2023 12:15 AM
Hi @DCHKen_Yu ,
Thank you for writing to live community!
You can do that by creating alerts in form of correlation rules by writing an XQL query on endpoints dataset.
dataset = endpoints
| fields endpoint_status, last_seen, endpoint_name, endpoint_type, install_date , first_seen
| alter ct = current_time()
| alter diff = timestamp_diff(ct, install_date, "DAY")
| filter endpoint_status != ENUM.CONNECTION_LOST and endpoint_type = TYPE_SERVER and diff >= 30
The above query should be saved as a correlation rule and should be able to help you.
Please mark the response as "Accept as Solution" if it helps!
Regards
02-01-2023 12:48 AM
Hi @neelrohit ,
Thanks for your reply!
Sorry I am new to Cortex so I don't understand how this alert can help me creating that new server policy.
Is this a query to list out the servers installed older than 30days and then I remove the servers from the my policy(installed the agent in the last 30days) according to the query result?
Thanks!
02-01-2023 02:34 AM
Hi @DCHKen_Yu ,
You will have to create a server policy on your own. Just create a policy rule in report mode for all servers/ workstations(depending upon your choice)
If your requirement is that you want to keep servers or endpoints in report mode for 30 days of monitoring and then move them to block mode policy after that, then this query will help you list down those servers and then you can tag them/alias them.
Alternatively, just query and dowload the list of endpoints, put them in a notepad file and upload it to endpoint groups, tag all the endpoints of the group as some keyword of your choice (eg. "setblock" or "block" or "30days" etc.) and then you can delete the endpoint group.
Under your block mode policy rule target parameter, put a filter as per your choice with the tag. (Eg. Endpoint type= server and tags=30days) and place it on top of your report mode policy rule.
The moment you tag the endpoints, the endpoints will automatically take the block mode policy in the next heartbeat.
Hope this helps!
Please mark the response "Accept as Solution" if it helps.
Regards
02-01-2023 06:33 PM
Hi @neelrohit ,
I searched for the XQL Language Reference and found that there is an "add" command that seems tag a dataset.
So, can I save the XQL query you provided to create a dataset named ServersMoreThan30Days, then run a XQL query to tag the dataset like below and apply the tag to the policy?
dataset = ServersMoreThan30Days
| tag add "ServersMoreThan30Days"
Or run a XQL like below?
dataset = endpoints
| fields endpoint_status, last_seen, endpoint_name, endpoint_type, install_date , first_seen
| alter ct = current_time()
| alter diff = timestamp_diff(ct, install_date, "DAY")
| filter endpoint_status != ENUM.CONNECTION_LOST and endpoint_type = TYPE_SERVER and diff >= 30
| target type = dataset ServersMoreThan30Days
dataset = ServersMoreThan30Days
| tag add "ServersMoreThan30Days"
Thanks for your help!
02-07-2023 07:03 AM
Hi @DCHKen_Yu ,
If the above response was able to help, please mark the response as "Accept as Solution". Thank you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
