https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243598#M8907 <P>Hello,</P> <P>&nbsp;</P> <P>Please, how to force XDR Agent to capture all commands on CMD and PowerShell without GPO?</P> <P>&nbsp;</P> <P>For example, we can detect <STRONG>quser</STRONG> command, but we can't detect&nbsp;<STRONG>Set-Alias&nbsp;</STRONG>command.</P> <P>&nbsp;</P> <P>The problem is another vendor can detect any command line running in memory.</P> <P>&nbsp;</P> <P>Best regards.</P> Wed, 10 Dec 2025 09:24:35 GMT Bouzeghoub 2025-12-10T09:24:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243598#M8907 <P>Hello,</P> <P>&nbsp;</P> <P>Please, how to force XDR Agent to capture all commands on CMD and PowerShell without GPO?</P> <P>&nbsp;</P> <P>For example, we can detect <STRONG>quser</STRONG> command, but we can't detect&nbsp;<STRONG>Set-Alias&nbsp;</STRONG>command.</P> <P>&nbsp;</P> <P>The problem is another vendor can detect any command line running in memory.</P> <P>&nbsp;</P> <P>Best regards.</P> Wed, 10 Dec 2025 09:24:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243598#M8907 Bouzeghoub 2025-12-10T09:24:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243634#M8911 <LI-CODE lang="markup">dataset = xdr_data | filter (event_type = 31 and event_sub_type = 10) or (event_type = 15 and action_evtlog_event_id IN (4104)) | alter script_data = if (event_type = 15, action_evtlog_message , to_string(dynamic_event_string_map)) | fields agent_hostname, event_type, event_sub_type, actor_process_image_path, actor_process_os_pid, actor_process_image_md5, actor_process_signature_vendor, actor_process_signature_status, actor_effective_username, script_data</LI-CODE> <DIV id="tinyMceEditor_9ad8488cbef427ChrisDavila_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>You need to find the data you are looking for. Use this xql query to narrow things down.&nbsp;</P> <P>&nbsp;</P> Wed, 10 Dec 2025 21:27:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243634#M8911 ChrisDavila 2025-12-10T21:27:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243686#M8913 <P>Thank you so much for this&nbsp;<SPAN>xql query.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Best regards</SPAN></P> Thu, 11 Dec 2025 07:00:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/force-xdr-agent/m-p/1243686#M8913 Bouzeghoub 2025-12-11T07:00:32Z