topic Re: Required Windows Event IDs for the best Cortex XDR detection performance in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/required-windows-event-ids-for-the-best-cortex-xdr-detection/m-p/590170#M6840 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1292845191">@agsaqqal</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for writing to live community.<BR /><BR />Yes, you are right.<BR />First the event has to be generated and present on the machine in order for XDR Agent to be able to collect it and forward to XDR cloud servers.<BR />For more details on what data XDR collect, you may refer&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection</A><BR />I hope that answers your question.</P> <P>&nbsp;</P> <P>Please mark this as answer if you found it helpful.</P> Mon, 24 Jun 2024 06:02:27 GMT aspatil 2024-06-24T06:02:27Z Required Windows Event IDs for the best Cortex XDR detection performance https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/required-windows-event-ids-for-the-best-cortex-xdr-detection/m-p/590110#M6838 <P>Hello, dear Community,</P> <P>&nbsp;</P> <P>I need a list of Windows event IDs required for BIOC and other Cortex XDR rules to work effectively.</P> <P>For example, when we performed a Kerberos user enumeration attack using Kerbrute, it was not detected initially. Cortex XDR requires event ID 4768 to be enabled to detect such an attack. After enabling this event ID and testing the attack simulation again, it was successfully detected.</P> <P>I am now wondering which event IDs are crucial to enable in order to maximize detection opportunities for Cortex XDR. It would be great to get a list of these event IDs.</P> <P>Thanks.</P> Fri, 21 Jun 2024 19:18:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/required-windows-event-ids-for-the-best-cortex-xdr-detection/m-p/590110#M6838 agsaqqal 2024-06-21T19:18:42Z Re: Required Windows Event IDs for the best Cortex XDR detection performance https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/required-windows-event-ids-for-the-best-cortex-xdr-detection/m-p/590170#M6840 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1292845191">@agsaqqal</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for writing to live community.<BR /><BR />Yes, you are right.<BR />First the event has to be generated and present on the machine in order for XDR Agent to be able to collect it and forward to XDR cloud servers.<BR />For more details on what data XDR collect, you may refer&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection</A><BR />I hope that answers your question.</P> <P>&nbsp;</P> <P>Please mark this as answer if you found it helpful.</P> Mon, 24 Jun 2024 06:02:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/required-windows-event-ids-for-the-best-cortex-xdr-detection/m-p/590170#M6840 aspatil 2024-06-24T06:02:27Z