06-01-2022 06:58 AM
Hello PA community,
Please could you clarify a doubt?
In Cortex XDR is there any way to alert if the endpoint is disconnected?
From my knowledge, I can confirm that we can retrieve disconnected agents by creating a filter from endpoint administration, but I'm not sure if we can create an alert for this.
Also is it possible to receive an alarm when a user is created on an endpoint ?
Thanks in advance for your help on this.
Best regards
06-01-2022 06:18 PM
Hi @RomainCouvreur, you can create a Correlation Rule and see if that meets your needs. Here's a sample query:
dataset = endpoints
| filter endpoint_type = ENUM.TYPE_SERVER and endpoint_status = ENUM.DISCONNECTED
| filter last_seen != null
| alter ct = current_time()
| alter diff_in_days = timestamp_diff(ct, last_seen, "DAY")
| filter diff_in_days > 0
| fields endpoint_name, last_seen, diff_in_days
| sort desc diff_in_days
Similarly, every new user creation is an event in Windows (event ID 4720). The entire list of event IDs that are captured by XDR is listed here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/custo...
You can modify this to suit your needs, and wrap it in a Correlation rule as before:
dataset = xdr_data
| filter event_id = "4720"
You can consider running Correlation Rules every 10 minutes and looking at historical data with timestamps less than 10 minutes old.
Lemme know if that works for you!
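The two checks from the reply above, modelled in Python over constructed sample rows so that the whole-day truncation of timestamp_diff and the 10-minute lookback window can be seen. This is an added example, not code from the thread or from Cortex XDR; the row field names, host names and timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real telemetry), shaped like the fields the
# XQL queries in the thread read from the endpoints and xdr_data datasets.
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
ENDPOINTS = [
    {"endpoint_name": "srv-01", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "DISCONNECTED", "last_seen": NOW - timedelta(days=3, hours=2)},
    {"endpoint_name": "srv-02", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "DISCONNECTED", "last_seen": NOW - timedelta(hours=23)},  # < 1 whole day
    {"endpoint_name": "srv-03", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "DISCONNECTED", "last_seen": None},
    {"endpoint_name": "ws-01", "endpoint_type": "TYPE_WORKSTATION",
     "endpoint_status": "DISCONNECTED", "last_seen": NOW - timedelta(days=9)},
    {"endpoint_name": "srv-04", "endpoint_type": "TYPE_SERVER",
     "endpoint_status": "CONNECTED", "last_seen": NOW},
]
EVENTS = [
    {"_time": NOW - timedelta(minutes=3), "event_id": "4720", "host": "srv-01"},
    {"_time": NOW - timedelta(minutes=10), "event_id": "4720", "host": "srv-02"},  # on the boundary
    {"_time": NOW - timedelta(minutes=25), "event_id": "4720", "host": "ws-01"},
    {"_time": NOW - timedelta(minutes=1), "event_id": "4624", "host": "ws-01"},
]

def stale_disconnected_servers(endpoints, now):
    """Same logic as the first query: disconnected servers whose last_seen is
    at least one whole day old. Like timestamp_diff(..., "DAY"), the difference
    is truncated to whole days, so an agent offline for 23 hours is NOT reported."""
    rows = []
    for ep in endpoints:
        if ep["endpoint_type"] != "TYPE_SERVER" or ep["endpoint_status"] != "DISCONNECTED":
            continue
        if ep["last_seen"] is None:  # filter last_seen != null
            continue
        diff_in_days = (now - ep["last_seen"]).days
        if diff_in_days > 0:
            rows.append({"endpoint_name": ep["endpoint_name"],
                         "last_seen": ep["last_seen"], "diff_in_days": diff_in_days})
    return sorted(rows, key=lambda r: r["diff_in_days"], reverse=True)

def new_user_events(events, now, window=timedelta(minutes=10)):
    """Same logic as the second query, limited to the lookback the reply suggests.
    The window is half-open (now - window, now], so a rule scheduled every
    10 minutes neither skips nor double-counts an event sitting on the boundary."""
    start = now - window
    return [ev for ev in events if ev["event_id"] == "4720" and start < ev["_time"] <= now]

if __name__ == "__main__":
    for row in stale_disconnected_servers(ENDPOINTS, NOW):
        print(f"{row['endpoint_name']}: offline {row['diff_in_days']} day(s)")
    for ev in new_user_events(EVENTS, NOW):
        print(f"4720 on {ev['host']} at {ev['_time'].isoformat()}")
```

Note that srv-02, offline for 23 hours, is not reported by the day-granularity check; use "HOUR" in timestamp_diff if a shorter outage should alert.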
06-03-2022 12:09 AM
Hello bbarmanroy,
Many thanks for the trick.
Please give me time to check it on the customer environment and I will confirm the result.
Thanks again and have a nice day ahead.
Best regards
07-06-2022 07:43 AM
Hello bbarmanroy,
The customer has not provided us with feedback on this matter and I'm not able to test it anymore.
So I understand that Correlation Rules did the job and we can consider this discussion closed.
Thanks again for your help on this !
Very much appreciated.
Best regards