About nsinghvirk

Hello @Antony_Chan    Thanks for reaching out on Live Community! XDR collect following data from O365 emails. All message details except the   body ,   bodyPreview , and   subject . Attachment details include file name, file type, file hash, size, and id. Based on above data Cortex XDR raise alerts  (Analytics, IOC, BIOC, and Correlation Rules). So if an attachment hash is listed under IOC/BIOC, XDR is going to raise an alert. Regarding useful data/alerts, use case vary from organisation to organisation. XDR collects lot of data like Azure AD logs, exchange logs, DLP etc. Based on these logs you can build use cases. Please refer below documentation for details on ingesting Microsoft O365 logs. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-from-Microsoft-Office-365 ... View more

Hello @PC-TomS    Thanks for reaching out on Live Community! There are few pointers we need to clarify before we can suggest some solution. 1. Do you have enough number of Host Insight licenses? Since Host insight is an add-on separate from pro license, many times it happen that customer do not buy equal number licenses as compare to their pro licenses. So host insight will only work for the number of endpoints  for which add-on was bought. 2. Please verify if Host Insight was enabled for all the endpoints. When we have multiple profiles, it can happen that we may miss out on some profiles for which host insight capability was not enabled. Please ensure that all the profiles for which you want to enable host insight, you go to the agent setting profile and then first enable the pro capabilities(Disabled by default) and then enable host insight capability(Enabled by default) along with the sub menu for Endpoint Information Collection. 3. Please follow below document to verify if your endpoints meet the requirement for vulnerability assessment. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerability-Assessment?tocId=1asxAZOcVriCZCDhfe0jQQ ... View more

Hello @Shashanksinha    Thanks for reaching out on Live Community! The severity of an incident is govern by the severity of alerts in it. Incident will have the same severity as of the highest severity alert in it. For the alert side, severity depends on the type of alert it is. BIOC/IOC alerts will have the severity that was configured in them when those rules were created. For alerts from 3rd party integration, the severity will be same as was forwarded by the integrated product. You can refer to below document to see the severity of analytics alerts https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference   Unfortunately there is no consolidated document to show how the severity works for all kind of alerts. ... View more

Hello @AshokBabu ,   Thanks for reaching out on Live Community! Yes, you can create a correlation rule in order to generate alert for your use case. You can use custom dataset/lookup. It need not to be multi source in order for the correlation rule to work. Below are some points to remember when writing correlation rule. 1.  The XQL features for  transaction ,  call ,  top , and wildcards in datasets ( dataset   in   (<dataset prefix>_*) ) are not currently supported in Correlation Rules. If you add them to the XQL definition, you will not be able to  Create  or  Save  the Correlation Rule. 2. Using the current_time() function in your XQL query for a correlation rule can yield unexpected results when there are lags or during downtime. This happens if the correlation rule doesn’t run exactly at the time of the data inside the timeframe, for example when a rule is dependent on another rule, or when a rule is stuck due to an error, and then runs in recovery mode. Instead, we recommend using the time_frame_end() function, which returns the timestamp at the end of the time frame in which the rule is executed.   ... View more

Hello @hiroshi.sato    Thanks for reaching out on Live Community! Unfortunately there is currently no option to create exclusion based on the occurrence time of an incident. ... View more

Hello @unlucky ,   Thanks for reaching out on LiveCommunity! I think the function you are looking for is format_timestamp in place of format_string because your data is already in timestamp format. Lets understand the definition of these 3 functions. parse_timestamp () -> The  parse_timestamp ()  function returns a TIMESTAMP object after converting a string representation of a timestamp. format_timestamp () -> The  format_timestamp ()  function returns a string after formatting a timestamp according to a specified string format. format_string () -> The  format_string ()  function returns a string from a format string that contains zero or more format specifiers, along with a variable length list of additional arguments that matches the format specifiers.  Since the string you are trying to convert is already a timestamp hence please use format_timestamp function which will take a timestamp and return a string to parse_timestamp function to convert it to a timestamp of your choice. I have tried below line and its working for me. alter time_test = parse_timestamp("%Y/%m/%d %H:%M:%S", format_timestamp("%Y/%m/%d %H:%M:%S", _time))   Below are the reference link for above functions. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_timestamp https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_string     ... View more