Correlation Rule for services

Is it possible to create a correlation rule to identify when new services are present on an endpoint

For example,

Create a correlation rule ,using a query that returns all services on an endpoint, that creates a new data set of the results..say there a

Cortex XDR with Citrix App Layering and MCS

We're in the process of installing a new setup with Citrix App Layering (Full User layers) and MCS. I've followed the suggestions here on non-persistent installation (VDI_ENABLED=1); even though our setup technically is sort of persistent (because of

Endpoint Connection Lost

Hi all,

Some of our endpoints in our Cortex XDR Console shows  a "Connection Lost" Status but the endpoint is still active.

The cytray shows disabled and no connection. We also checked the control panel and upon checking, The installed Cortex XDR Agen

Cortex XDR disk encryption

Hello,

I can't turn off disk encryption. I disabled the disk encryption policy for an endpoint, then the encryption status returned as not configured. But I can still see bitlocker on the endpoint is ON. How can I turn off bitlocker on endoint not ma

Citrix PVS servers consuming multiple Cortex XDR licenses

Hi all,

We're having an issue where Citrix PVS servers running Cortex XDR consume a new XDR license every time they reboot. I don't fully know how PVS works, but essentially from what I can gather is upon booting up, it pulls a copy of an image from

Does Pathfinder require an agent to be installed on the endpoint?

No, Pathfinder uses an agentless endpoint analysis service, running its own code on suspicious endpoints to collect information about running processes on the endpoint and determine if the processes are malware or greyware.

Cloudflare logs to Cortex Data Lake

Is it possible to send logs from Cloudflare to Cortex Data Lake? If possible how can i send? Anyone tried something like this before?

Thanks!

How to get the list of alerts/incidents for a particular list of hosts?

Hi,

I need to know how can we get alerts for particular hosts/ a specific group ( Ex: 1000 agents ) in the Cortex XDR console -> Incident Response -> Incidents -> Alerts table. I have tried from filter option but it doesn't work. We can't add all the

CIDR Lookup or Join for IP Enrichment

I would like to use some custom datasets to enrich some of our XQL searches.  It could be our subnets from our IPAM or in this example the ASN information.  I have used lookups and joins in the past to accomplish this in others tools and would like t

Verdict of VT and WildFire

Hello Team,

From XDR console, we wanted to export alerts includes verdict from WildFire and Virus Total which we are not getting.

Can anyone help me with XQL query or other way to get verdict (for e.g. Process: Excel.exe WF Verdict: Benign and VT sco