This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About RFeyertag

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
RFeyertag
‎03-04-2024
since ‎08-15-2021
L4 Transporter
User Activity
User Profile
Latest posts by RFeyertag
View All
User Badges
Community Statistics
Member Since ‎08-15-2021 09:12 AM
Date Last Visited ‎03-04-2024 12:05 PM
Posts 199
Total Likes Received 12

PA & Bug bounty program?

by in Cortex XDR Discussions
‎08-05-2022 02:05 PM
‎08-05-2022 02:05 PM
Hello dear community,    has PA a bug bounty program?   BR   Rob ... View more

Re: XQL - New attacks through ZIPs and ISOs

by in Cortex XDR Discussions
‎08-05-2022 01:48 PM
‎08-05-2022 01:48 PM
Thank you very much, this one worked like a charm 🙂 BR   Rob ... View more

Re: Alert from which source/rule?

by in Cortex XDR Discussions
‎08-04-2022 11:17 AM
‎08-04-2022 11:17 AM
Thanks a lot! 😊 ... View more

Alert from which source/rule?

by in Cortex XDR Discussions
‎08-04-2022 10:42 AM
‎08-04-2022 10:42 AM
Hello!   We have some alerts which show us a large upload.      My problem is now, I saw other clients uploading a ton of bytes, but this Alert wasn't fired.  I also cannot find any Rule for this.  Where is it comming from?    BR   Rob     ... View more

Re: XQL - New attacks through ZIPs and ISOs

by in Cortex XDR Discussions
‎08-02-2022 07:44 AM
‎08-02-2022 07:44 AM
Is there any possibility to migrate this query into xql? Here it is working.        BR   Rob   ... View more

Re: XQL - New attacks through ZIPs and ISOs

by in Cortex XDR Discussions
‎08-02-2022 07:36 AM
‎08-02-2022 07:36 AM
Hello!    I tried to tweak it, with the initial query I didn't get any result. And with my tweaked one there was the same result.          Is there anything wrong with this query?    BR   Rob   ... View more

Global Rule a4978720-39fc-404f-bb74-c3db07ef4f9d - ISO mounted manually questions

by in Cortex XDR Discussions
‎08-01-2022 05:17 AM
‎08-01-2022 05:17 AM
Hello dear community,    in my mount tests I could find out following:   - if you mount the same file name 2 times with different file data inside the iso, the alert isn't created because the file isn't beeing created. I think the recent folder is not made for this, because the lnk file stays there.  - when mounting via cmd.exe no lnk file is created in recent folder   is there a better way to create a check for mounting iso/img files?    BR   Rob   ... View more

Re: Xdr ramsonware test is not detected

by in Cortex XDR Discussions
‎08-01-2022 04:01 AM
‎08-01-2022 04:01 AM
@Ignacio_Medina  Hey  Ignacio_Medina,   how does it end and was improved?   BR   Rob ... View more

XQL - New attacks through ZIPs and ISOs

by in Cortex XDR Discussions
‎08-01-2022 03:43 AM
‎08-01-2022 03:43 AM
Hello dear Community,    has someone of you a ready to implement XQL Query for downloading zip/rar/iso file containing a iso? The source can be outlook, etc. I found a sigma rule based on:   https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_iso_file_mount.yml   I would be appreciate for some examples.    BR Rob ... View more

Re: XQL question command line with " to XQL query

by in Cortex XDR Discussions
‎06-23-2022 12:09 PM
‎06-23-2022 12:09 PM
Sorry, I don't get it.  How would you type in, if i want to check exactly following string.    "C:\Windows\System32\hh.exe" C:\Program Files (x86)\ASSA ABLOY\Vision\Vision.chm::/Use_Guest_CheckIn_Steps_Single.htm     BR Rob   ... View more

XQL question command line with " to XQL query

by in Cortex XDR Discussions
‎06-22-2022 02:21 PM
‎06-22-2022 02:21 PM
Hello dear community,    is there a way to put the whole command line into the XQL query? As you can see the doublequotes are already set by the command line itself.  In SQL I know to do it whith extra double quotes ""XYZ"". But how does that work with XQL?   BR   Rob   ... View more

XQL query for hunting MS-DFSNM

by in Cortex XDR Discussions
‎06-22-2022 02:05 PM
‎06-22-2022 02:05 PM
Hello dear community,    has anyone of you a XQL Query for this type of attack?   https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/   BR   Rob ... View more

Re: Installation Cortex XDR Agent 7.7.1 on Windows Terminal Server

by in Cortex XDR Discussions
‎06-22-2022 01:53 PM
‎06-22-2022 01:53 PM
In our case the sessions are lost, when we reboot the RDP-Server.  The session only persits, when the employee disconnects its RDP-Session. But all the changes in the logged out and OS restartet sessions are persistent.   A user can have X sessions with the same user, without disconnecting the other sessions.  Sorry, my knowledge about Terminalserver needs improvement.    BR   Rob   ... View more

Re: Forensics Addon - Best practise licence and usage

by in Cortex XDR Discussions
‎06-22-2022 01:20 PM
‎06-22-2022 01:20 PM
From point of the technical aspect, I have no clue how the process can be in a real life scenario. Is there any ressource existing, where we can ask how to setup our Cortex XDR for a good practise way belonging to forensics incidents? I know in the end, we will have a team of forensics persons in the house, which will need informations quick. Therefore I thought we will collect every day forensics data from all endpoints. To divide them to endpoint forensic and endpoint non forensic is not solved well. I would like to see a type of tag to be more flexible without putting the client/server to another endpoint group/policy/profile and dividing the inventory.  So now for my understanding, the triage is the function, which collects all forensic data based on the agent settings to the console/Host Timeline? When the collector in the agent settings is set to 12 hours, what will haben with this data? Is it collected, but the clients needs triage flag to get the informations to the host Timeline?   BR   Rob   ... View more

Forensics Addon - Best practise licence and usage

by in Cortex XDR Discussions
‎06-15-2022 11:55 AM
1 Kudo
‎06-15-2022 11:55 AM
1 Kudo
Hello dear community,    how do we use this addon?  I had found a article about the forensics addon which said, you can also put this feature to an client/server after the incident etc. happened. What is the difference between having this addon for all our servers/clients active or to put this profile to our client/server after a real incident which needs a forensic investigation to dig deeper.    How and when does the addon pull the forensic logs, when clients are offline and they get online only for 8 hours? Does it happen when the client is turned on?   We do really want to know if we need to buy more licences for this addon or if it is not neccasarry.    Thanks a lot!   BR   Rob   ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2024 12:05 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks