About sushant1601

Hello Team,   We are using XQL to query data from cortex API for windows event logs. Our query run every 5 minutes and we have used parameter timeframe in the query. This parameter is provided in the API documentation. However, when we pull the logs, there is discrepancy in number of logs we pull and number of logs observed in Cortex XDR search. We suspect that we are using log generation time to pull logs and this discrepancy could be due to latency in log ingestion at the API. There are three field available in the logs: _time _insert_time insert_timestamp   I want to understand: what this parameter timeframe represents? Is it log generation time or ingestion time? What above three timestamp fields represent? what is the difference in those 3 fields? Is any of the above three field is log ingestion time, if so can we use it in XQL query? Thank you in advance!   Cortex XDR @zarnous  ... View more

Hello Everyone,   We use below endpoint to collect the alerts: /public_api/v1/alerts/get_alerts   Currently, we use creation_time to query alerts. But recently with the help of community answers only we found that creation_time is the time when an alert was created on the endpoint and not the time when the alert was ingested in XDR. For real time log collection if we use creation_time, we are missing few alerts.    In the API guide we can see that we can query based on server_creation_time. We want to know which field in the alert does this server_creation_time represents? Does it represents the field local_insert_ts?   Could you please also confirm if we use server_creation_time instead of creation_time, will it solve our issue of missing alerts if we fetch real time alerts?   Any help in this is appreciated.   Thank you.   Cortex XDR  ... View more

Hello Everyone,    We are pulling alerts from the XDR API using below endpoint: /public_api/v1/alerts/get_alerts   We query based on creation time which is shown as detection_timestamp in the log.  I am looking for clarity on below points:    1. what is local_insert_ts field? What is the significance of this field? How it is different from creation time? 2. Without local_insert_ts, is the log available in API to fetch? 3. Is it possible that the local_insert_ts value may get changed for the same event? If it get changed, in what condition it happens?   Thank you.    Cortex XDR  ... View more

Hello Everyone,    For one of the client, we need to fetch logs from XDR API using XQL. Currently, the ask is for windows event logs only, but later they want IIS logs as well.  Any help in below queries would be appreciated:   1. There are two queries by which I fetched logs successfully. One is using: dataset= xdr_data  | filter event_type = EVENT_LOG Second query I tried is using preset: preset = xdr_event_log By both of these queries I'm getting event logs. I would like to know if both the queries are correct and I'm not missing on anything.  If both the queries are correct, which would be efficient one?   2. Second query is regarding schema. I have gone through XDR_DATA schema. I just want to clarify if agent_hostname field's value changes each endpoint or is it same? This may sound stupid but basically we want to know which endpoint logged this event and if we can be sure that each agent on each endpoint has separate hostname.    3. In future we need to fetch IIS logs as well. I could not find any document or help regarding this. Which dataset or preset is used for IIS logs? Does XQL query even work for IIS or it logs to CDL?    Any help would be great.  Thanks in advance.  Cortex XDR  ... View more

Hello Everyone,   I am trying to fetch logs using xdr_data dataset and I was able to fetch it successfully. However, when I tried microsoft_windows_raw, it throws me server error.  As per the document I referred, https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Datasets-and-Presets , I should be able to use microsoft_windows_raw dataset as well.    Please guide me if my understanding is not correct.  ... View more