About bbucao

Hi RFeyertag, Ingested and parsed forensic data is retained for 1 year.   Regards, Ben ... View more

Alert Exclusion rules hide alerts and excludes them from being included in Incidents, but does NOT change the behavior of the XDR agent in any way. In addition, when you create an alert exclusion policy you have the option to apply the exclusion to historical alerts, if this option is chosen, existing alerts that match the rule conditions will be grayed out in the alerts table. If all alerts contained in an existing Incident are excluded, the Incident will be auto-resolved.   Creating an Exception rule DOES change the behavior of the XDR agent. If you create an alert exception, Cortex XDR will no longer take action or alert on matching traffic. Example scenario: You have a Behavioral Threat Prevention alert that was blocked. You determine the associated traffic to be legitimate business related traffic and therefore do not wish to alert on it in the future. If you were to create an alert exclusion policy to match this traffic, you would not see future matching alerts, and they would not be included in any future Incidents, but the agent would continue to block the matching traffic since only an alert exclusion was configured. To prevent the XDR agent from blocking this traffic in the future, you would need to create an Exception. For both Exclusions and Exceptions, best practice is to define your rules as specific as possible in order to best tune out noise without degrading the ability to alert/prevent malicious activity. Regards, Ben     ... View more

In order to no longer receive email notifications for alerts that have been excluded, navigate to settings>configurations>Notifications, then find the configuration that is being used to email alert notifications, right-click the configuration row and select "edit", then click "next" to bring you to the "Scope" page for this rule. From the scope page add a filter criteria for "Excluded = no", then click "next", then "save". Thanks, Ben ... View more

Hi Luismi.Anton, There is not an API for disabling policies, this must be done via the UI. If you are using specific policies temporarily, one possible workaround is to target endpoints for these policies based on the endpoint 'tags'. If the policies are configured in that way, you can effectively change the endpoints assigned policy via API by assigning or removing endpoint tags via API. Thanks, Ben ... View more

Hi KanwarSingh01, When defining 'event_sub_type' as part of the fields stage you must also include the 'event_type' field. Simply add  'event_type' to your fields stage and I think you will find the issue is resolved. Thanks, Ben ... View more

Hi SARowe_NZ, If I understand your use-case correctly I think using a left join could work. A left join will include all results from the parent query plus any results from the join result where it intersects with the parent. In the example below I am using the _time field with various functions and operators to only join the results if the shutdown event occurs within one minute (in seconds) of the process stop event, as well as requiring the hostnames to match. The results have some process stop events joined with related shutdown events. Next, I just filter for any log rows where my field "related_shutdown_event" equals null, which leaves me with the process stop events that do not have a related shutdown event. Let me know if this works for you! dataset = xdr_data | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and actor_process_image_name = "PanGPS.exe" |join conflict_strategy = both type = left (dataset = xdr_data | filter action_evtlog_event_id = 1074 and action_evtlog_message contains "has initiated the restart of computer"|fields agent_hostname, action_evtlog_description as related_shutdown_event) as resulting_records agent_hostname = resulting_records.agent_hostname and add(to_epoch(_time, "SECONDS"), 60) >= to_epoch(resulting_records._time) and subtract(to_epoch(_time, "SECONDS"), 60) <= to_epoch(resulting_records._time) |filter related_shutdown_event = null |dedup _time by desc agent_hostname Regards, Ben ... View more

Hi VenuK,   Try using the values function in the comp stage like in the example below. This will give you a field for each endpoint with an array of the applications  preset = host_inventory_applications |filter endpoint_type = AGENT_TYPE_WORKSTATION |filter application_name in("Application A","application B", "Application C") |comp values(application_name) as installed_applications by endpoint_name   Thanks, Ben ... View more

Hi VenuK, Try using the preset in the query example below instead. This preset has the data you are looking for already parsed out nicely. In the host_inventory dataset, the application data is in a json array and would need additional XQL functions used to extract it. preset = host_inventory_applications |fields Vendor, application_name, version, manager_name, endpoint_name |comp count(endpoint_name) as counter by vendor, application_name, version, manager_name |sort desc counter     Regards, Ben ... View more