This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

About PhilBenson

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
PhilBenson
since ‎05-09-2022
L0 Member
User Activity
User Profile
Latest posts by PhilBenson
View All
User Badges
Community Statistics
Member Since ‎05-09-2022 11:48 PM
Date Last Visited
Posts 2

Re: Cortex XDR PoC: Software Installations Blocking

by in Cortex XDR Articles
‎02-07-2023 12:03 PM
‎02-07-2023 12:03 PM
I have been looking into this extensively for executable (.exe) installations, I have a solution, but this will probably not be a "one size fits all". The following BIOC presumes the following: 1. "Normal" users only have write access to 'Downloads', 'Documents' and 'Desktop' 2. There is a requirement for privileged users (Administrator accounts) to install .exe based applications 3. the users 'Downloads' and ''Documents' directories are not always on the Root (C:) drive. Here is the BIOC that can be added to a restriction Profile. dataset = xdr_data | filter event_type = ENUM.PROCESS // If you use "Tier" accounts, these could be added here. and action_process_username !~= "^.+[sS][yY][sS][tT][eE][mM]$|^.+[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]$"  and action_process_image_path ~="^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]ownloads\\*.*\\+.*[eE][xX][eE]$|^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]ocuments\\*.*\\+.*[eE][xX][eE]$|^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]esktop\\*.*\\+.*[eE][xX][eE]$"   If you use "Tier" accounts, these could be added to the regex for 'action_process_username' exception Feedback and or suggestions are welcom,   Cheers Phil     ... View more

Re: Cortex - Get all Incidents

by in Automation/API Discussions
‎11-22-2022 12:10 AM
‎11-22-2022 12:10 AM
Hi Michael, as the error says, the query filter should contain a "string", you are sending an "array". The API documentation is not always very clear...(https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-incidents) Change your query request to: Body: {             "request_data" : {                 "filters" : [                    {                         "field" :  "description" ,                         "operator" :  "contains" ,                         "value" :  "server1"                    }                ],                 "search_from" :  0 ,                 "search_to" :  100 ,                 "sort" : {                     "field" :  "creation_time" ,                     "keyword" :  "desc"                }            }     } and it should work...   Cheers Phil ... View more
Register or Sign-in
Contact Me
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks