11-04-2022 01:23 PM
Hello dear community!
Is it possible to visualize through XQL a process which was not terminated and is still running?
In the causality view it is visualized, but I would need it to create an alert.
If a special process is still running, get a mail through a correlation rule or BIOC rule.
What do you say? Is that possible?
BR
Rob
11-08-2022 06:25 AM
Hi Rob,
This workflow is possible utilizing several components in Cortex XDR.
The ENUM.PROCESS event type is able to reveal information about process usage through XQL. This can be accessed in the Query Builder with:
dataset = xdr_data
| event_type = ENUM.PROCESS
You can then add on to this preset to gather additional information depending on which process you would like to access. For example, to search for instances of OpenSSL process usage, you can add on to the query:
| filter action_process_image_name ~= "openssl"
A Correlation Rule or BIOC can then be defined with the newly created XQL query. This can be performed for either under Detection Rules -> Correlations/BIOC -> +Add Correlation/BIOC.
By navigating to the Notification Configuration (Configurations -> General -> Notifications), a new Notification Forwarding Configuration can be made to be notified of these specific alerts via email. Once you select "Add Forwarding Configuration" and add a name and log type (which would be alert in your case), an alert scope can be defined. With filters, you can define the scope to include alerts that fall under the Correlation Rule or BIOC you created.
Hope that helps!
References:
Create a Correlation Rule
Create a BIOC Rule
Create a Notification Forwarding Configuration
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/create-notifications
11-18-2022 04:37 PM
Hello @mfakhouri, no it doesn't help! I just want the actual running processes between time a and time b.
Like somebody in the office forgot to close the TeamViewer QS.
Alert: Process still running, after workhours, pc still on.
BR
Rob
11-22-2022 06:42 AM
Hi @RFeyertag
You can utilize the "extract_time" function on top of the query mentioned to achieve your desired alert outside of working hours. Working with the previous query:
dataset = xdr_data
| event_type = ENUM.PROCESS //or ENUM.PROCESS.START for instances where the process is started
| filter action_process_image_name ~= "openssl" //openssl filter
| alter timeOfDay = extract_time(_time, "HOUR") //Extract the "Hour" unit value
| filter timeOfDay < 9 or timeOfDay > 17 //Example filter for process usage/start outside of example working hours.
| fields timeOfDay //You can add any additional fields to this section to visualize your output
You can further use the resources above to pivot toward a potential BIOC or Correlation rule.
12-03-2022 02:44 PM
So as I understand it, you get this information only when the process does something?
But what if a person forgets to close TV QS? How can I see the running process?
In case of an incident, there you have the (still running) symbol. Is it possible to get this into the xql query?
BR
Rob
12-09-2022 08:55 AM
Hi RFeyertag,
As it relates to process events collected, XDR logs the start and stop actions. So building off of what @mfakhouri provided, you could add filtering to remove any process start event that also has an existing process stop event for the same time period, based off of the process ID (see example query below), so in theory, the remaining logs are process instances that have been started but not stopped for the given time window.
One other thing to keep in mind is that the extract_time function is going to return a value in UTC, so when adding your filtering conditions you would want to keep that in mind to make sure the values you define match up to your organization's work hours.
Example:
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| alter timeOfDay = extract_time(_time, "HOUR")
| filter timeOfDay < 9 or timeOfDay > 17
//Using the "not in" operator, I have defined almost the exact same query as above, except changed the event_sub_type to "stop". So this filter will only return events for process IDs that don't have a corresponding process stop event.
| filter action_process_os_pid not in (dataset = xdr_data | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP | alter timeOfDay = extract_time(_time, "HOUR") | filter timeOfDay < 9 or timeOfDay > 17 | fields action_process_os_pid)
| fields agent_hostname, agent_ip_addresses, action_process_image_path
Regards,
Ben
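As an added illustration (not code from this thread or from Cortex XDR), the same "started but not stopped after hours" logic in Python over constructed sample events: it keys the anti-join on hostname plus PID rather than PID alone, so a stop event for the same PID on another host is not mistaken for the match, and it converts the UTC `_time` to a local hour as Ben notes. The local offset, the sample values and the event-building helper are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed local offset for the organisation's working hours (CET here);
# _time in xdr_data is UTC, as Ben points out, so convert before comparing.
LOCAL_TZ = timezone(timedelta(hours=1))

def ev(sub, t, host, pid, name):
    """Build one constructed xdr_data-like event record (helper, not an XDR API)."""
    return {"event_sub_type": sub, "_time": t, "agent_hostname": host,
            "action_process_os_pid": pid, "action_process_image_name": name}

# Constructed sample events, not real telemetry, using the thread's field names.
EVENTS = [
    ev("PROCESS_START", "2022-11-18T18:05:00Z", "ws01", 4312, "TeamViewer_QS.exe"),
    ev("PROCESS_START", "2022-11-18T18:10:00Z", "ws01", 5120, "notepad.exe"),
    ev("PROCESS_STOP", "2022-11-18T18:12:00Z", "ws01", 5120, "notepad.exe"),
    # same PID as the TeamViewer start but on another host: must not match it
    ev("PROCESS_STOP", "2022-11-18T18:20:00Z", "ws02", 4312, "openssl.exe"),
    # 10:00 UTC is 11:00 local, inside working hours, so out of scope
    ev("PROCESS_START", "2022-11-18T10:00:00Z", "ws03", 777, "TeamViewer_QS.exe"),
]

def local_hour(ts):
    """Hour of day of a UTC '_time' string, expressed in the local timezone."""
    utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(LOCAL_TZ).hour

def outside_hours(ev, start_hour=9, end_hour=17):
    """Same test as the XQL 'timeOfDay < 9 or timeOfDay > 17', but on local time."""
    h = local_hour(ev["_time"])
    return h < start_hour or h > end_hour

def started_not_stopped(events, image_substr=None):
    """Return (host, pid, image) for after-hours starts that have no after-hours
    stop for the same host and PID; optionally filter on the image name."""
    after_hours = [e for e in events if outside_hours(e)]
    stopped = {(e["agent_hostname"], e["action_process_os_pid"])
               for e in after_hours if e["event_sub_type"] == "PROCESS_STOP"}
    hits = []
    for e in after_hours:
        key = (e["agent_hostname"], e["action_process_os_pid"])
        name = e["action_process_image_name"]
        if e["event_sub_type"] != "PROCESS_START" or key in stopped:
            continue
        if image_substr and image_substr.lower() not in name.lower():
            continue
        hits.append((key[0], key[1], name))
    return sorted(hits)
```

With these inputs only the TeamViewer start on ws01 survives: notepad has a matching stop, the ws02 stop shares a PID but not a host, and the ws03 start fell inside working hours.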