XDR as "SIEM" (challenge for discussion)

I wanted to leave a challenge here for discussion in the group.

Why not use XDR as if it were a SIEM, in order to analyze more events with better accuracy, and to create more correlation and data enrichment?

I’m referring to an environment with:
XDR, X

Process injection into lsass

We received an alert indicating creation of a remote thread in the lsass process by the Cortex XDR agent (cyserver.exe).

I noticed that during the same time period, there were a few other processes that got injected by the agent (e.g. explorer, svcho

How to find the assets that do not have XDR agent installed in new Cortex 4.x version ?

Hi,

earlier in the old Cortex 3.x version, it was easier to list out the assets that do not have Cortex XDR agent installed, from Asset Inventory (from the boolean value : Has_XDR_Agent as shown in the attachment).

Is this feature removed from the ne

Cortex Data Lake - Windows 11 Build & Enablement(?) Info

Windows 11 (and 10 presumably) has a series of numbers which, together, identify the build and patch level of the OS.  This would be a combination of Version: Windows 11 and/or Build Number: 10.0.22631.  The Patch Level (or Enablement Level) is shown

XDR Legacy Agent Exception's behavior

Hi,

We have confirmed through the official manual that XDR does not perform evaluation on files or paths allowed under XDR Legacy Agent Exception.
What I would like to know is whether files covered by a Legacy Agent Exception policy also do not genera

How to delete Endpoints that have old agent and could not be uninstalled

Hello,

I have 2 endpoints with old version:

- 7.3.0.16740 on a server

- 8.6.0.3704 on a computer

I could not upgrade them and have no more access to those computers (in another country).

I asked admin to uninstall, he did not.

How to remove link betw

Cortex Endpoint Isolation - Allowing Microsoft Intune

Anyone have tips on figuring out how to allow exceptions to successfully communication over the internet while an endpoint is in isolation? I would like Microsoft Intune to be able to continue to reach the device while the device is in isolation for

Parsing Rule - SonicWall NGFW

Your mileage may vary. Here's what I came up with 

Yellow Dot

What does the yellow dot mean? I see it in the Artifacts area and in the Assets portion.

Upgrade 4.X Cortex Tenant

Does anyone know how to upgrade the Cortex tenant from 3.x to 4.x, do I have to talk to Palo Alto or it can be upgraded by myself?

Allowing access to a specific IP while blocking the rest of IPs in XDR host firewall

Is there a way to allow access to only one IP on an endpoint while blocking all the other IPs at the same time in xdr host firewall.

I tried using the official documentation , but it's not working

we have a XDR console, in the console there is no system serial number, gateway ip.

we have a XDR console, in the console there is no system serial number, gateway ip.
Cortex XDR Cortex XSIAM