About nsinghvirk

Hello @Sree Rag R    Thanks for reaching out on LiveCommunity! I have a created a XQL query which you can use as reference to create your own correlation rule. dataset = endpoints | filter (user not in (null, """""")) | comp count(endpoint_name) as NumOfComputer by user | filter NumOfComputer > 1 | fields user , NumOfComputer   This query will list the users who have logged on more then one endpoints.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @dbherol    Thanks for reaching out on LiveCommunity! UEFI protection module compliments UEFI secure boot. It stops new threats targeting the UEFI image that attempt to compromise the host’s boot process, prior to the OS loading. The new UEFI Protection Module uses behavioral analysis to detect suspicious changes to the UEFI image, then blocks these attacks proactively or can notify an analyst when an image was tampered with. This module is vendor agnostic for any UEFI image. This module ensure that secure boot isn't bypassed and prevents attacks on UEFI modification.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @JahidAliyev    Thanks for reaching out on LiveCommunity! Please make sure that you have allowed the required resources for XDR collector to communicate with XDR tenant. Please refer below link to find the list of URLs/IPs that needs to be allowed on firewall. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access-to-XDR-Collectors   ... View more

Hello @Phattarachanon.Khummool    Thanks for reaching out on LiveCommunity! Please share the error message that you are seeing when running above commands. ... View more

Hello @tejaspatil12    Thanks for reaching out on LiveCommunity! Analytics BIOC alerts are for detect/alert purpose they do not provide block functionality. Analytics BIOCs are not produced in real time and therefore cannot block. Please take a look at the Analytics Concepts. for a better understanding of how analytics work.  Essentially it's looking at a lot of different factors after the event to determine the larger picture. By looking into the activity that caused the alert you may be able to find similarities you can use to create a high fidelity BIOC and then you can configure BIOC rules as custom prevention rules and incorporate them with your Restrictions profiles. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @Rolando_Pena    Thanks for reaching out on LiveCommunity! I tried to create the XQL query according to your use cases. These queries give you the fields that provide the required  information. 1. dataset= endpoints | fields endpoint_name , operating_system , os_version    2. dataset = incidents | filter status contains "RESOLVED*" | fields status , creation_time , resolve_comment , resolved_ts , incident_id    Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @ldonahue    Thanks for reaching out on LiveCommunity! 1. XDR do not support scan of .eml files. For the exchange server, XDR will provide protection like any other endpoint and scan the associated disk spaces within it based on the set schedule of scan. 2. Yes, XDR can scan files stored on Sharepoint's disk space provided that the file format is supported. Scan of files is according to the scan schedule. Please follow below link to find the list of supported file formats. https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-file-type-support/advanced-wildfire-file-type-support-complete   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @Piotr_Kowalczyk    Thanks for reaching out on LiveCommunity! Please follow below link in order to check details regarding MFA. https://sso.paloaltonetworks.com/enduser/settings    For more details:- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN9CAK         ... View more

Hello @Kelvin_Ng    Thanks for reaching out on LiveCommunity! Apologies for delayed response. Below are the answers to your queries. 1. In order to identify the user as administrator we need the AD group information. We can build query to look for login events (e.g. Event id. 4624) and then correlate these events with group information to find out whether the user was an admin on not. If you are using Cloud Identity Engine then you can use pan_dss_raw  dataset to query AD data. Reference- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Set-Up-Cloud-Identity-Engine 2. Window has different event IDs for various services start and stop status. I have used the 5025 event id for window firewall service being stopped and built below query which also checks the status of endpoint. You can modify below query according to your use case. dataset = xdr_data | filter action_evtlog_event_id = 5025 //Event id for firewall service being stopped. | join (dataset=endpoints | filter endpoint_status = CONNECTED | fields endpoint_status , endpoint_name , operational_status ) as ep ep.endpoint_name = agent_hostname | fields action_evtlog_event_id , action_evtlog_message , endpoint_name , operational_status , endpoint_status   3. Regarding endpoint status change, I have built below query which check for endpoint status being changed from Protected. dataset=endpoints | filter (operational_status != PROTECTED) | fields endpoint_name , operational_status , endpoint_status , operating_system   I hope these queries will help you to create your own based on use case. Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @orkhan_alibayli    Thanks for reaching out on LiveCommunity! In this case we need to check the severity of the alert. Because Analytic BIOC alerts with medium or above severity generate the incidents and however alerts with low severity not necessarily generate incidents.  Please tell us about the severity of alert and is the 24 hour period was between actual event and incident creation or between alert generation and incident generation?  ... View more

Hello @Anirudha_Jadhav    Please share the XQL query of the BIOC rule. You can get it by going to BIOC rule and then right click to Open in XQL. ... View more