This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

About Brad.Herbert

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Brad.Herbert
‎08-04-2023
since ‎01-09-2018
L2 Linker
User Activity
User Profile
Latest posts by Brad.Herbert
View All
User Badges
Community Statistics
Member Since ‎01-09-2018 05:56 AM
Date Last Visited ‎08-04-2023 06:30 PM
Posts 27

Re: XQL Query UTC Time Help

by in General Topics
‎07-31-2023 08:36 AM
‎07-31-2023 08:36 AM
@BPry    Yeah, that's kind of what we did.  Below is the final query we've scheduled...Pretty nice report for those that have Remote Employees that aren't really working.       config timeframe = 2d |dataset = xdr_data | alter username = lowercase(json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")) | alter Actual_Time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "America/Indiana/Indianapolis") | join conflict_strategy = left type = inner (preset = ad_users ) as users lowercase(users.sam_account_name) = username | filter _time >= to_timestamp(subtract(to_epoch(date_floor(current_time(), "d", "America/Indiana/Indianapolis"), "SECONDS"), 86400), "SECONDS") | filter _time <= date_floor(current_time(), "d", "America/Indiana/Indianapolis") | filter event_type = ENUM.EVENT_LOG | filter action_evtlog_event_id = 4800 or action_evtlog_event_id = 4801 or action_evtlog_event_id = 4634 | filter security_group_list contains "***" or security_group_list contains "***" | filter (agent_ip_addresses contains """10.100.5""") | alter Workstation_Status = If (action_evtlog_event_id = 4800,"Workstation Locked", if (action_evtlog_event_id = 4801, "Workstation Unlocked", if (action_evtlog_event_id = 4634, "Windows Logon", "Null"))) | fields -_time | fields Actual_Time, display_name, Workstation_Status | sort asc display_name, desc Actual_Time       *** Enter the Security Group from AD ... View more

XQL Query UTC Time Help

by in General Topics
‎07-28-2023 12:41 PM
‎07-28-2023 12:41 PM
We're capturing windows event 4800 and 4801 (Windows Locked and Windows Unlocked) and are working to build a report on it for the previous day, midnight to midnight.  I've got the query setup exactly as we want, however are struggling to get around UTC.  Does anyone have a good method to get around UTC?  Obviously, when I Run the report in XQL, results are correct because the platform is adjusting for the times, but when scheduling it to run, it's pulling UTC Time in the emailed report.  Surely someone has a method to adjust?     dataset = xdr_data | alter username = lowercase(json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")) | join conflict_strategy = left type = inner (preset = ad_users ) as users lowercase(users.sam_account_name) = username | filter event_type = ENUM.EVENT_LOG | filter action_evtlog_event_id = 4800 or action_evtlog_event_id = 4801 | alter Workstation_Status = If (action_evtlog_event_id = 4800,"Workstation Locked", if (action_evtlog_event_id = 4801, "Workstation Unlocked", "Null")) | fields _time, agent_hostname, display_name, Workstation_Status, action_evtlog_event_id | sort asc display_name, desc _time   ... View more

Re: XQL to get characters from Host Name

by in Cortex XDR Discussions
‎03-02-2023 01:27 PM
‎03-02-2023 01:27 PM
Thanks Ben, we ended up going this route shortly after I posed the question.  Thanks for the response! ... View more

XQL to get characters from Host Name

by in Cortex XDR Discussions
‎03-02-2023 07:09 AM
‎03-02-2023 07:09 AM
Hello All:   Our host_names are formatted the same across our fleet.  I'd like to pull out the 5-8 characters in the hostname.  We've tried using trim, ltrim and rtrim, and even with them nested.  Any suggestions?   In this example WX260920162Q2R we want to pull out 0920.   Thanks! ... View more

Re: NAT Only works part of the time

by in General Topics
‎05-24-2019 09:46 AM
‎05-24-2019 09:46 AM
Just an FYI, the issue was finally determined to be a bug in Pan-OS 8.0 - 8.1.6.  (PAN-103023).   ... View more

Python Script

by in General Topics
‎05-24-2019 09:38 AM
‎05-24-2019 09:38 AM
From Pan-OS 8.0 - 8.1.6, there is a bug when using FQDN's in rule sets.  Until we're ready to upgrade, I need to run a script to force a FQDN refresh, cli is "request system fqdn refresh force yes".  I'm really new to Python, but have created my API Keys.  Anyone have some guidance to pass along on how I can build this script? ... View more

Re: NAT Only works part of the time

by in General Topics
‎09-21-2018 01:15 PM
‎09-21-2018 01:15 PM
Going through the logs, nothing is being blocked by policy to/from by private address/NAT'd Address and the PBX.  Actually, the policy is set to allow any application, Service is Application-Default.  I enabled logging on my Interzone rule, however nothing is being dropped by policy, that I can find. ... View more

Re: NAT Only works part of the time

by in General Topics
‎09-21-2018 01:00 PM
‎09-21-2018 01:00 PM
Running another PCAP, i just noticed the Firewall is dropping UDP packets, inside to outside.  Looking back through, the source and destination ports are the same during the call, but are different with each call. ... View more

Re: NAT Only works part of the time

by in General Topics
‎09-21-2018 12:58 PM
‎09-21-2018 12:58 PM
Once the call is connected, Audio is not getting passed until 2 minutes into the session.     ... View more

Re: NAT Only works part of the time

by in General Topics
‎09-21-2018 12:41 PM
‎09-21-2018 12:41 PM
We aren't getting any audio, either way.  My Phone Rings just as it should, when I answer there isn't any audio either way.  Running PCAP's, I keep seeing 401 unauthorized responses back from the PBX.    Even wierder, just called that test phone from my cell phone, I just left the call established and after about 4 Minutes, i had audio both ways?     ... View more

Re: NAT Only works part of the time

by in General Topics
‎09-21-2018 12:10 PM
‎09-21-2018 12:10 PM
Finally have the NAT working 100% of the time, had to clear the old SIP Sessions.  However, Audio still is an issue so I'm going to try building out an Applicaion Override to see if that works.  ... View more

Re: NAT Only works part of the time

by in General Topics
‎09-20-2018 05:49 AM
‎09-20-2018 05:49 AM
I've changed to dynamin-ip-and-port, however I'm still getting the same results.  Currently, we're just testing with one phone back to the new PBX solution.  Support hasn't been any help, they've asked that I clear all sessions, would be suprised if that actually works.  Doesn't matter what I try, the TFTP Download from the PBX utilizes the NAT however the SIP Registration does not, same source and Destination addresses for both the TFTP Download and SIP Registration. ... View more

NAT Only works part of the time

by in General Topics
‎09-18-2018 01:07 PM
‎09-18-2018 01:07 PM
Ok, Who knows what's going here...Here is my Scenario..   We're looking at a new Phone Platform and I'm only able to get a NAT to work part of the time.  First, when the IP Phone loads, internal address of 172.23.1.1, It connects out to the Platform IP of 55.66.77.88, downloads the config from it's TFTP Service.  Since we don't want our Voice traffic mingled in with our other public traffic, we've NAT'd 172.23.0.0 /16 to a Public IP of 192.15.15.15, the NAT Works perfectly here.  Next, once the TFTP Load is complete, the Phone tries to register via SIP, same Internal Address 172.23.1.1 to the platform of 55.66.77.88, however the same NAT Statement is not being used.  I've ran numerous PCAP's, changed NAT several times, moved rules, but everything appears correct.  Furthermore, when I run test nat-policy-match with the proper destination and source on port 5060 and protocol 17, it test out correctly.     Setup is...   Inside Zone to Destination Zone, source address 172.23.0.0/16 to destination address 55.66.77.88, any interface and any service translate type Dynamic IP address of 192.15.15.15.  Anyone have any idea what's going on and why the NAT isn't getting applied 100% of the time?  When I look at the Web GUI of the phone platform, it's showing my phone as being registered with our Public IP of 192.15.15.8.  I am able to place and receive a call, however there is not audio.  Running another PCAP for a call session, all UDP packets from 172.23.1.1 are getting dropped.     One thing to note, SIP ALG is turned enabled, though I'm not sure if that's the issue.  Do try to get around SIP ALG, I created a custom Application, mirrored from SIP, and setup an Application Override with Inside/Outside, all IP's and UDP 5060, but still having the issue.   I've opened a Support Case, but with it being a low priority, thought I'd reach out to the community to see if anyone has ran into this issue inthe past.   We're running 8.0.8 PAN-OS version. ... View more

IPSec Tunnel Question

by in General Topics
‎07-17-2018 12:58 PM
‎07-17-2018 12:58 PM
I have a IPSec tunnel up where the Peer IP is the same as the Remote IP (Proxy ID - Remote).  The Tunnel is up, but traffic destined for that Remote IP isn't traversing the tunnel.  Typically, there is a Private IP as the Remote and a static route could then be set in Virtual Router to send the traffic back across the tunnel.  I'm sure I'm not the first this has happend to, but I'm not entirely sure how to resolve this.  Anyone out here know how to get traffic back across this tunnel?  Both phases of the tunnel is established. ... View more

Re: Problems with importing logs

by in Expedition Discussions
‎07-11-2018 06:28 AM
‎07-11-2018 06:28 AM
Looks like the upgrade did the trick, thank you...     ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-04-2023 06:30 PM
Latest Tags
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks