This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About eluis

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
eluis
‎07-17-2025
since ‎08-16-2021
L4 Transporter
User Activity
User Profile
Latest posts by eluis
View All
User Badges
Community Statistics
Member Since ‎08-16-2021 07:39 AM
Date Last Visited ‎07-17-2025 04:15 AM
Posts 153
Total Likes Received 44

Re: Create Alert from Data Lookup

by in Cortex XDR Discussions
‎07-18-2025 06:08 AM
‎07-18-2025 06:08 AM
Hello G.Anshar,    Lookup dataset is not eligible to create BIOC on them. You can create correlation rules for the lookup data and please note that this is not normalised data so it does not qualify for stitching or log aggregation. Hence, malicious file detection cannot happen around the same, unless your lookup dataset has a field that classifies a specific log containing a filename or a file hash or any prooperty of file as malicious. This value can be filtered as a search criteria for your correlation rule and then you can query it. But since this is not a streaming data, alert generation is not possible.    If you want to stream data from Qradar into Cortex XDR, you should have the Pro per GB license to ingest data to be streamed(1), the correlation rules written on that data finding the desired value/log(2), then the alerts/incidets being triggered(3).   I wonder why you want to raise an alert when a malicious file is attempted to be opened through querying a lookup dataset and BIOC rules if this is done already natively by the Cortex XDR agent and this should happen ideally on the basis of any logs being sent by the endpoints using Cortex XDR agent(only).  Hope this suffices your query. Feel free to mark the response as "Äccepted as Solution" if it answered your query. ... View more

Re: Cortex XDR Dataset - Total Days Stored

by in Cortex XDR Discussions
‎07-17-2025 06:28 AM
‎07-17-2025 06:28 AM
Hi Nohash4u,    The logins_log dataset incorporates login logs from xdr agent and other login logs from other products (Global Protect VPN, Firewall....),  XDR_dataset has much more types of different events.    According with what I see in the pic you sent, I see that login_logs dataset has data from 22nd Jun to 12th Jul which means that there was no login events captured before and after those dates respectively    Same explanation from xdr_dataset, which contains much more types of events so different types of events than logins were captured before and after the login events in the previous dataset.    If you believe that some login logs might have been missed or lost, please feel free to open a TAC support case to investigate it further.   Does it make sense ?    If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis   ... View more

Re: dashboard to view logins

by in Cortex XDR Discussions
‎07-17-2025 06:06 AM
‎07-17-2025 06:06 AM
Hi Rolando_Pena,  This is definitely possible in XDR, based on the data collected by cortex XDR agent.  In fact, a sample example is available in the query library of the Cortex XDR XQL search.      Using the same query and tweaking it for graph views, you can create a widget and incorporate it to your custom Dashboards.   Please review the event IDs and create the same. If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis     ... View more

Re: IP Adress Not Show When Use XDR Collector

by in Cortex XDR Discussions
‎07-16-2025 06:11 AM
1 Kudo
‎07-16-2025 06:11 AM
1 Kudo
Hi G.Anshar,  There might be 2 reasons that I can think of fast:  IP address was not stored on log file. Then xdr collector, collects log file without IP  Even the log is produced with the IP addresses, at parse time, that specific field is lost or not properly populated in the correct IP address field. Please review that the regexes are working and properly designed  You might check if the raw files produced in the servers are storing IP addresses     The following doc helps on parsing rules https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Parsing-Rules If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: How to Deliver Upgrades to Endpoints with a Connection Lost Status

by in Cortex XDR Discussions
‎07-16-2025 05:57 AM
1 Kudo
‎07-16-2025 05:57 AM
1 Kudo
Hi k.imai349842,  It is normal that if a connection is lost from more than 30 days since for the tenant, those endpoints are not reachable.  It might be even that some endpoints are switched off or there is no network path to reach them.  It is a best practice recommended that agents/endpoints are maintained on a regular basis to avoid connection issues in the future from agents that lost connection and were unmanaged long long time ago   You can force the reconnection of those endpoints: C:\Program Files\Palo Alto Networks\Traps\cytool reconnect force Please check the documentation on cytool  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.2/Cortex-XDR-Agent-Administrator-Guide/Cytool-for-Windows     If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis     ... View more

Re: Best Practice Prevention Rule for Cortex XDR Pro

by in Cortex XDR Discussions
‎07-15-2025 04:48 AM
‎07-15-2025 04:48 AM
Hi SopanhaRoth,    This specific use case you mention is not documented since it will vary a lot depending on the different environments of customers, business, etc.  However you can have a look at the following video as a reference:  https://www.youtube.com/watch?v=GCY7___N2KM   The best approach here will be to reach out Customer Success and get the Best Practice Assessment report or the Health Check report from them.      If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis   ... View more

Re: Integrating Log Audit Management XDR / XSOAR

by in Cortex XDR Discussions
‎07-15-2025 04:35 AM
‎07-15-2025 04:35 AM
Hi A.Faruq,    It is possible to integrate and send Audit Management logs to a SIEM, like Elastic search or other, There is no native integration, but there is a possibility to do such by:   1- Create a new syslog server configuration. Please follow the doc below, and ensure you are following the prerequisites: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Integrate-a-syslog-receiver 2- Configure a new notification forwarding selecting the scope as Management Audit Logs which is what you want to send to your Elastic instance. In this step, the syslog server where you send the Management Audit Logs is the one you have created in the previous step. Please check the doc:  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Cloud-Documentation/Configure-notification-forwarding#     If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: CIE Data Sync Alert Across Customers – XDR Console

by in Cortex XDR Discussions
‎07-11-2025 07:25 AM
‎07-11-2025 07:25 AM
Hi Vinothkumar_SBA,   After some internal investigations, I can confirm that there is a backend issue being researched and on the way to be solved.    Please open a TAC support ticket and upload screenshots of your evidences (xql query showing last data from x date), sync failure notifications in tenant and hub saying that sync is Ok   If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: Parsing and Mapping 3rd party log source logs

by in Cortex XDR Discussions
‎07-10-2025 07:18 AM
‎07-10-2025 07:18 AM
Hi !  At XQL query builder, you can set the run of your query that populates your custom dataset with the periodicity you want, so the dataset will be updated with the frequency you need. And you can set the query to overwrite the dataset or to append data at the end.    As per your second question, you can use just the INGEST (for the dataset) and RULE (for the logic).      If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis             ... View more

Re: Cortex scan report

by in Cortex XDR Discussions
‎07-08-2025 04:29 AM
‎07-08-2025 04:29 AM
Hi C.Constantin,  Please bare in mind that Cortex XDR is a tool that alerts and blocks after an attempt of execution, this can be the mismatch between what you see after the scan and the alerts you find. There is a functionality for windows on-write scan that you can activate too. But lets focus on your current situation/question.    To locate the files "any file you want", you can go to the Action Center (under response menu) and from there look for the functionality file search. From the action center you can find any files even in all your endpoints managed by XDR doesnt matter if they were executed or not. And you can use search and destroy too to remove those files.  Related to your question of having a scan report with different info as you have today, let me inform you that if you have Customer Success Premium Services you will have assigned a CSA and a CSM and you can ask for New Feature Requests for XDR. I have no idea the type of services and contracts that you have signed with us, Im just trying to add more info and solutions to your questions.  So if you have CSA/CSM assigned, please contact them for New Feature Requests topics   If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: Detect user who moved a folder using XDR and XQL

by in Cortex XDR Discussions
‎07-03-2025 06:57 AM
‎07-03-2025 06:57 AM
Ola Tiago,  Let me give you some hints:  With this query you can identigy all file movements that happened.  You will see fields like actor_effective_username , action_file_previous_file_path and action_file_path  preset = xdr_file | filter (`event_sub_type` in (FILE_CREATE_NEW, FILE_REMOVE, FILE_RENAME, FILE_OPEN, FILE_WRITE))   Based on the event_sub_type and provided fields, try to identify the events which occurred after moving the file and create the correlation rule to detect it. If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis   ... View more

Re: XQL Query Assets XSOAR

by in Cortex XDR Discussions
‎07-03-2025 05:57 AM
1 Kudo
‎07-03-2025 05:57 AM
1 Kudo
Ola Tiago,  There is no dataset for the Asset Inventory page/table.    If you go to cogwheel settings click on configuration and then select Dataset Management option, you can filter the two datasets: host_inventory PANW_Network_Mapper_raw   You can pick up the information from those two datasets you can right click on them and see the fields within those two datasets.  I hope this helps    If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: Cortex XDR "The target location already contains a file named" problem

by in Cortex XDR Discussions
‎07-03-2025 05:20 AM
‎07-03-2025 05:20 AM
Hi L.Filipow,    I assume that the OSs and builds/kernels you are installing the agents on are tested and fully compatible with the versions of XDR agents you are using.  Please check the following doc, Compatibility Matrix: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Windows   If the Agent versions are certified to be tested on the former table, please open a TAC support ticket since this might be some kind of bug.    If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: Full disk access requirement on macos agent

by in Cortex XDR Discussions
‎07-02-2025 01:52 AM
‎07-02-2025 01:52 AM
Hi Tmeksik,    Full disk access on mac is required to give full protection against malicious activities in your endpoint as you can see in the documentation below at step 9. To provide full protection from antimalware flow full disk access is required: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.3/Cortex-XDR-Agent-Administrator-Guide/Install-the-Cortex-XDR-Agent-Manually I see that MacOs Somoa and Sequoia are versions 14 and 15 respectively. The full disk access is required since version MacOs v10.15 as the documentation says. The output of cytool seems to say that the agent does not have full access to the disk. Could you please double check on your mac configurations ? I dont have a Mac with me now, I believe it is under the Privacy & Security menu of your Mac. Please make sure that you have granted full access to the XDR agent over the disk in your Mac endpoint.  I have checked too that XDR Agent 8.7.1.2855 is compatible with MacOs Sequoia and Sonoma: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Mac If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis ... View more

Re: Cortex XDR file quarantine

by in Cortex XDR Discussions
‎07-01-2025 07:52 AM
1 Kudo
‎07-01-2025 07:52 AM
1 Kudo
Hi Oasha,    Answering your questions:  You can use the feature search and destroy files at the Action Center. If you search and destroy by hash, that file will be deleted no matter the path where it is located and even if there are more than one copy of that file at the same endpoint, it will delete it. The agents make a scan once they are installed and keep a database of files with hashes, paths etc.. so every Agent will know where to find that file if it exists. Please you can use the doc for more info: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Search-and-destroy-malicious-files Related to delete the malicious files without confirmation by the user: At profiles configuration, and specifically Malware Profiles, you will see a different area of configuration options for every malware protection module. There you can choose block mode in one option and in another you can choose quarantine enabled or disabled. If you use block mode and quarantine disabled, the malicious files will be blocked but not deleted, so you need to use the File Search and Destroy feature mentioned on the previous answer.  If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.   KR,  Luis   ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎07-17-2025 04:15 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks