About nsinghvirk

Hello @hiroshi.sato    Thanks for reaching out on Live Community! Unfortunately there is currently no option to create exclusion based on the occurrence time of an incident. ... View more

Hello @unlucky ,   Thanks for reaching out on LiveCommunity! I think the function you are looking for is format_timestamp in place of format_string because your data is already in timestamp format. Lets understand the definition of these 3 functions. parse_timestamp() -> The  parse_timestamp()  function returns a TIMESTAMP object after converting a string representation of a timestamp. format_timestamp() -> The  format_timestamp()  function returns a string after formatting a timestamp according to a specified string format. format_string() -> The  format_string()  function returns a string from a format string that contains zero or more format specifiers, along with a variable length list of additional arguments that matches the format specifiers.  Since the string you are trying to convert is already a timestamp hence please use format_timestamp function which will take a timestamp and return a string to parse_timestamp function to convert it to a timestamp of your choice. I have tried below line and its working for me. alter time_test = parse_timestamp("%Y/%m/%d %H:%M:%S", format_timestamp("%Y/%m/%d %H:%M:%S", _time))   Below are the reference link for above functions. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_timestamp https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_string     ... View more

Hello @Shaveta ,   Thanks for reaching out on LiveCommunity! Schedule time basically allow you to create a time window during which agent upgrade will take place. So as per your screenshot, 2 agents are going to be upgraded on the 2 days of your choice between 8 AM to 12 AM. Then the parallel upgrade repeats for next batch of agents. Regarding the time mismatch in audit logs, can you please confirm whether the timezone on your XDR tenant and XDR agents are same or different? ... View more

Hello @RNagarajan    Thank you for reaching out on LiveCommunity! If the given file was disappeared by XDR then you will be able to see it under Incident Response -> Action Center -> Currently Applied Actions -> File Quarantine. This scenario is possible if you have configured the malware security profile to quarantine malicious executables and the given file is malicious. Otherwise, if you have enabled the endpoint data collection you can take help from Query Builder. Go to Incident Response -> Query Builder -> File. Here you can search the file with name and/or other parameters along with various file operation types. This will show you the file history for the selected time period. Also looking into the alert table directly can help you find the alert related to this file if triggered. In the alert table you can filter alerts based on file path and file hash values. ... View more

Hello @OnurOnoglu    Thanks for reaching out to us! With "Respond to malicious casualty chain" feature enabled Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files. The agent then can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate. Unfortunately we cannot share any such script or test to simulate such behaviour because this involves a remote host to simulate attack which go through your network and may create other problems for you.    ... View more

Hello @Venkatesh_Konar    Thanks for reaching out on LiveCommunity!   The "Report verdict as incorrect" is available when you open the "wildfire analysis report" for a particular artefact.     Please let me know if you are talking about the same option or different one. Is the "Wildfire analysis report" button not visible to these Analysts? ... View more

Hello @Claude_Schwab ,   Thanks for reaching out on LiveCommunity. You can create a correlation rule or query that should identify the assets without XDR agent installed. Dataset you need is "panw_network_mapper_raw", which contain output of Network Mapper scans. You can compare this dataset with "endpoints" dataset mainly with reference to IP address. So basically, first dataset will have complete list of assets (For given IP range in Network Mapper scan) and you can subtract assets from second dataset which are having agent installed on them. Below is an example query that you can refer and build something according to your use case. dataset = panw_network_mapper_raw | filter ip not in (dataset = endpoints | arrayexpand ip_address |fields ip_address ) |fields ip,hostname     Please refer below document for XQL queries. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL ... View more

Hello @RFeyertag    You can create a correlation rule that should identify the assets without XDR agent installed. Dataset you need is "panw_network_mapper_raw", which contain output of Network Mapper scans. You can compare this dataset with "endpoints" dataset mainly with reference to IP address. So basically, first dataset will have completed list of assets  and you can subtract assets from second dataset which are having agent installed on them. Below is an example query that you can refer and build something according to your use case. dataset = panw_network_mapper_raw | filter ip not in (dataset = endpoints | arrayexpand ip_address |fields ip_address ) |fields ip,hostname   ... View more

Hello @RamyashreeMada    Thanks for reaching out on LiveCommunity. Creating an exception with broad scope is not a good security practise. Cortex XDR enable you to create granular exceptions by allowing you to choose particular module/profile. Hence we advise you to please investigate the alerts for the file for which you want to create exception. In alerts table, there is a column named "Module". Module column let you know which particular module has triggered the alert. Once you know the module, please create exception for that one only. Same goes for the profiles, please try to minimise the scope. For example, it may be possible that only endpoints which belong to IT team need exception. Hence we should only create exception for profile which belong to IT endpoints.  However, XDR allows you to select multiple profiles also. Please let me know if you have more questions. ... View more