Specific Cortex XDR Alert


L2 Linker

Hello PA community,

Please could you clarify a doubt?

In Cortex XDR, is there any way to alert if the endpoint is disconnected?

From my knowledge, I can confirm that we can retrieve disconnected agents by creating a filter from Endpoint Administration, but I am not sure if we can create an alert for this.

Also, is it possible to receive an alarm when a user is created on an endpoint?

Thanks in advance for your help on this.

Best regards

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @RomainCouvreur, you can create a Correlation Rule and see if that meets your needs. Here's a sample query:

dataset = endpoints
| filter endpoint_type = ENUM.TYPE_SERVER and endpoint_status = ENUM.DISCONNECTED
| filter last_seen != null
| alter ct = current_time()
| alter diff_in_days = timestamp_diff(ct, last_seen, "DAY")
| filter diff_in_days > 0
| fields endpoint_name, last_seen, diff_in_days
| sort desc diff_in_days

Similarly, every new user creation is an event in Windows (event ID 4720). The entire list of event IDs that are captured by XDR is listed here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/custo...

You can modify this to suit your needs, and wrap it in a Correlation Rule as before:

dataset = xdr_data
| filter event_id = "4720"

You can consider running Correlation Rules every 10 mins and looking at historical data with timestamps less than 10 mins old.

Lemme know if that works for you!

 

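The two rules in the reply above, as an added Python mock-up of their filtering logic run over constructed endpoint and event records (example code, not from the original reply or from Cortex XDR itself; field names are assumed to match the queries, and the `user` field is made up). It also applies the 10-minute lookback the reply recommends, so a rule run every 10 minutes does not re-alert on the same account creation.

```python
from datetime import datetime, timedelta, timezone

# Constructed "now" and endpoint records shaped like the fields the first
# XQL query reads from the endpoints dataset (names assumed from the query).
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
ENDPOINTS = [
    {"endpoint_name": "srv-db01", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "DISCONNECTED", "last_seen": NOW - timedelta(days=3, hours=2)},
    {"endpoint_name": "srv-web02", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "DISCONNECTED", "last_seen": NOW - timedelta(hours=5)},
    {"endpoint_name": "srv-new03", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "DISCONNECTED", "last_seen": None},  # never checked in
    {"endpoint_name": "srv-ok04", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "CONNECTED", "last_seen": NOW - timedelta(minutes=1)},
    {"endpoint_name": "ws-user05", "endpoint_type": "TYPE_WORKSTATION",
     "endpoint_status": "DISCONNECTED", "last_seen": NOW - timedelta(days=9)},
]

# Constructed Windows event-log records; 4720 = "a user account was created".
EVENTS = [
    {"_time": NOW - timedelta(minutes=4), "event_id": "4720", "endpoint_name": "srv-db01", "user": "svc_backup"},
    {"_time": NOW - timedelta(minutes=25), "event_id": "4720", "endpoint_name": "srv-web02", "user": "tmpadmin"},
    {"_time": NOW - timedelta(minutes=2), "event_id": "4624", "endpoint_name": "srv-db01", "user": "alice"},
]


def disconnected_servers(endpoints, now, threshold_days=0):
    """Mirror of the first query: disconnected servers with a known last_seen,
    offline for more than threshold_days whole days, oldest first."""
    hits = []
    for ep in endpoints:
        if ep["endpoint_type"] != "TYPE_SERVER" or ep["endpoint_status"] != "DISCONNECTED":
            continue
        if ep["last_seen"] is None:  # the query's `last_seen != null` guard
            continue
        diff_in_days = (now - ep["last_seen"]).days  # whole days, like timestamp_diff(..., "DAY")
        if diff_in_days > threshold_days:
            hits.append((ep["endpoint_name"], diff_in_days))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def new_user_events(events, now, lookback_minutes=10):
    """Mirror of the second query plus the 10-minute schedule: only event ID
    4720 records newer than the lookback window are returned."""
    cutoff = now - timedelta(minutes=lookback_minutes)
    return [e for e in events if e["event_id"] == "4720" and e["_time"] > cutoff]


if __name__ == "__main__":
    print(disconnected_servers(ENDPOINTS, NOW))
    print([(e["endpoint_name"], e["user"]) for e in new_user_events(EVENTS, NOW)])
```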

3 REPLIES


L2 Linker

Hello bbarmanroy,

Many thanks for the trick.

Please give me time to check it in the customer environment, and I will confirm the result.

Thanks again and have a nice day ahead.

Best regards

 

 

 

L2 Linker

Hello bbarmanroy,

The customer has not provided us with feedback on this matter, and I am not able to test it anymore.

So I understand that Correlation Rules did the job, and we can consider this discussion closed.

Thanks again for your help on this!

Much appreciated.

Best regards

 

 

  • 1 accepted solution
  • 2328 Views
  • 3 replies
  • 0 Likes