Monitoring PowerShell Command

Hello everyone!
I received an alert about PowerShell with the DCsync rule.
I'd like to check if I can see the code that PowerShell executed.

I can only see the "PowerShell_ise.exe" process. I don't know what code or command generated the alert.

There

high priority 'Behavioral Threat' alert for smss.exe (system)?

Every few weeks or so getting a high priority alert:

How to find duplicates incidents

Hello! I would like to ask if anyone can help me find duplicate incidents based on key value pairs in Context data?

Parsing rule for tagging data from a specific broker-vm

reminder for subscription renewal

I'd would like to to know if any reminder process is in place for up coming subcription renewals. We had a cortex edr subscription and the subcription didnt generate any warnings (neither visual within the portal nor a via an enail) and silently we

Scan SharePoint Sites or other cloud storage using Cortex

Dear community,

Recently I noticed there are some suspicious files in some of our SharePoint folders. I'm wondering if it's possible to somehow scan SharePoint sites, network shares, or even other cloud storage using Cortex!

BR,

Storage Device Management

We are in the process of blocking USB Storage devices using Cortex XDR. We have the Device Configuration Extension Policy setup with the settings we want. The issue that we have is that it can only be Allowed or Blocked. How can we set to just monito

Broker VM || SYSLOG APPLET

Hi All,

We have deployed broker vm and enabled syslog applet and configured the broker vm ip as remote host in one of our linux server and IBM guardium database activity monitoring tool but we are unable to see the logs in the console.

unkonwn_unkno

Migración de NXS - Broker VM

En mi organización tenemos equipos que no tiene salida directa a internet, y para ello utilizamos Broker VM.

Por temas asociados a Infraestructura, se están migrando servidores de NSX. Desde esa área me comentaron que para realizar esta migración, cl

XQL or API access to Vulnerability Assessments

Is it possible to access the vulnerability assessments via XQL and/or API

I've been tasked with looking at the possiblity of taking the CVE lists from vulnerability assessment and matching them to MS KB. I don't want to be manually running reports

Delete detected infected file

We have malicious file detection on the clients. When they try to execute a task, Cortex blocks the action, but not the malicious file.

Could we have any documentation on how to delete the detected malicious file?

Thanks

How to Identify Endpoints triggering Application Restriction Profile

We have created a restriction profile to block executing an application by specifying the exe path in the file path configuration. This profile has been applied to all our endpoint groups to enforce application blocking globally.
We can view the numbe

Causality Chain

Hello,

Can you please explain the difference between the causality chain of the 2 attached photos?
What exactly are the executions?