03-27-2024 02:12 PM - edited 03-27-2024 02:13 PM
Watch the final session of the webinar series to learn how to improve application security with Parsing and Correlation Rules, with practical tips and demonstrations. This functionality is available with the Cortex XDR Pro per GB license.
We recommend reviewing the previous sessions' recordings:
Make sure to review the resources shared below the video.
Filebeat Download:
https://www.elastic.co/downloads/beats/filebeat
Filebeat Inputs:
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html
Filebeat Outputs:
https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html
XDR Filebeat Custom Collector Docs:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs...
XDR Collector Docs:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/XDR-Collect...
XDR Collector How-To Video Custom Logs:
https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-series-ingest-...
XQL Crash Course:
filebeat.yml - Minimal Example (indentation matters in YAML; the input's id and paths sit under the list item):

# ============================== Filebeat inputs ===============================
filebeat.inputs:
  - type: filestream
    id: webinar-webserver-log
    paths:
      - /path/to/log/file # <======= enter file path here

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: true
  hosts: [""] # <======= enter API URL here
  protocol: "https"
  compression_level: 5
  bulk_max_size: 100
  api_key: "" # <======= enter API Key here
  allow_older_versions: true

# ============================== Logging =======================================
logging.level: debug
XQL Query - Parsing the Raw Log (the two dashes inside the timestamp are why the logger starts at index 3 of the split; the User Agent regex must be `(.*)`, not `(.)`, or only the first character is captured):

dataset = webinar_webserver_raw
| alter source_time = regextract(_raw_log, "(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"),
        logger = arrayindex(split(_raw_log, "-"), 3),
        level = arrayindex(split(_raw_log, "-"), 4),
        message = arrayindex(split(_raw_log, "-"), 5),
        request_type = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 6), "(\w+)"), 0),
        user_agent = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 7), "User Agent: (.*)"), 0)
| alter username = arrayindex(regextract(message, "user '(.*)'"), 0)
Parsing Rule (same extraction applied at ingest; the first stage has no leading pipe and the rule ends with a semicolon):

[INGEST:vendor="Webinar", product="Webserver", target_dataset="webinar_webserver_raw", no_hit=drop]
alter source_time = regextract(_raw_log, "(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"),
      logger = arrayindex(split(_raw_log, "-"), 3),
      level = arrayindex(split(_raw_log, "-"), 4),
      message = arrayindex(split(_raw_log, "-"), 5),
      request_type = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 6), "(\w+)"), 0),
      user_agent = arrayindex(regextract(arrayindex(split(_raw_log, "-"), 7), "User Agent: (.*)"), 0)
| alter username = arrayindex(regextract(message, "user '(.*)'"), 0);
XQL Query - Dry Run Filter (non-admin users reaching the hidden page):

dataset = webinar_dryrun_raw
| filter username != "admin"
| filter message contains "Accessed hidden page"
| fields level, logger, message, username, user_agent, source_time, request_type, _log_source_file_name, _reporting_device_ip
XQL Query - Filter by Username Parameter:

dataset = webinar_dryrun_raw
| filter username = $username
| fields level, logger, message, username, user_agent, source_time, request_type, _log_source_file_name, _reporting_device_ip
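The following Python script is an added example, not code from the webinar or from Palo Alto Networks. It reproduces the split-on-dash extraction of the XQL parsing query and the dry-run filter above on constructed log lines, so you can check what each field resolves to before committing a parsing rule. The log layout, the sample lines and the alternative anchored regex are all assumptions; the point they illustrate is that splitting on "-" shifts every later field as soon as a message contains a dash, which silently drops events from the correlation, whereas a regex anchored on the " - " separators keeps the fields aligned.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample lines in the layout the webinar's XQL assumes:
# "<timestamp> - <logger> - <level> - <message> - <request> - User Agent: <ua>"
# The fourth line carries a dash inside the message to show the field shift.
SAMPLE_LOGS = [
    "2024-03-27 14:12:01,123 - webserver - INFO - user 'alice' Accessed hidden page - GET /admin/hidden - User Agent: Mozilla/5.0",
    "2024-03-27 14:12:02,456 - webserver - INFO - user 'admin' Accessed hidden page - GET /admin/hidden - User Agent: curl/8.0",
    "2024-03-27 14:12:03,789 - webserver - WARN - user 'bob' Login failed - POST /login - User Agent: Mozilla/5.0",
    "2024-03-27 14:12:04,000 - webserver - INFO - user 'carol' Accessed hidden-page - GET /admin/hidden - User Agent: Mozilla/5.0",
]

TIMESTAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
USERNAME_RE = re.compile(r"user '(.*)'")

# Assumed alternative: anchor on the " - " separators instead of splitting on "-".
ANCHORED_RE = re.compile(
    r"^(?P<source_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<logger>\S+) - (?P<level>\S+) - (?P<message>.*?) - "
    r"(?P<request>\S+ \S+) - User Agent: (?P<user_agent>.*)$"
)


@dataclass
class ParsedEvent:
    source_time: Optional[str]
    logger: Optional[str]
    level: Optional[str]
    message: Optional[str]
    request_type: Optional[str]
    user_agent: Optional[str]
    username: Optional[str]


def _index(parts: List[str], i: int) -> Optional[str]:
    # Mirror arrayindex(): an out-of-range index yields null instead of raising.
    # Whitespace is stripped here; the XQL keeps the surrounding spaces.
    return parts[i].strip() if i < len(parts) else None


def _first_group(pattern: str, text: Optional[str]) -> Optional[str]:
    # Mirror arrayindex(regextract(text, pattern), 0): first capture or null.
    if text is None:
        return None
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_event(raw_log: str) -> ParsedEvent:
    # Split on "-" exactly as the XQL does. The two dashes inside the date push
    # logger to index 3, level to 4, message to 5, request to 6, user agent to 7.
    parts = raw_log.split("-")
    message = _index(parts, 5)
    return ParsedEvent(
        source_time=_first_group(TIMESTAMP_RE.pattern, raw_log),
        logger=_index(parts, 3),
        level=_index(parts, 4),
        message=message,
        request_type=_first_group(r"(\w+)", _index(parts, 6)),
        user_agent=_first_group(r"User Agent: (.*)", _index(parts, 7)),
        username=_first_group(USERNAME_RE.pattern, message),
    )


def parse_event_anchored(raw_log: str) -> Optional[ParsedEvent]:
    # Same fields, but the separators are matched as " - " and the tail is anchored,
    # so a dash inside the message no longer shifts request and user agent.
    m = ANCHORED_RE.match(raw_log)
    if not m:
        return None
    return ParsedEvent(
        source_time=m["source_time"],
        logger=m["logger"],
        level=m["level"],
        message=m["message"],
        request_type=m["request"].split()[0],
        user_agent=m["user_agent"],
        username=_first_group(USERNAME_RE.pattern, m["message"]),
    )


def hidden_page_hits(raw_logs: List[str],
                     parser: Callable[[str], Optional[ParsedEvent]] = parse_event) -> List[ParsedEvent]:
    # The dry-run query: username != "admin" and message contains "Accessed hidden page".
    # Events with no extractable username are skipped here; check how your XQL
    # build treats null in that comparison before relying on it.
    hits = []
    for raw in raw_logs:
        ev = parser(raw)
        if ev is None or ev.username is None or ev.message is None:
            continue
        if ev.username != "admin" and "Accessed hidden page" in ev.message:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(parse_event(raw))
    print("hits:", [e.username for e in hidden_page_hits(SAMPLE_LOGS)])
```

Run it once against a handful of real lines from the log you are onboarding; if any field comes back as null or as a fragment of a neighbouring field (the fourth sample yields request_type "page" and no user agent), the delimiter is not safe and the parsing rule should use an anchored regex before the correlation rule is built on top of it.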