Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Real time compliance of endpoints which goes under disconnected and connection lost state

Hi, Can we get real time compliance report of endpoints which goes under disconnected and connection lost state at that time only or can we create any rule by XQL query, when the systems are going in disconnected and connection lost state.

agent not auto upgrading

We're currently encountering problems with some of our endpoints as our agents are not upgrading. Do you have any suggestions on how to resolve this issue? and its support acs signature

Need to automate ingesting IOCs to Cortex XDR using Microsoft Sentinel or other means

Cortex XDR

High memory utilization

Hello, We are experiencing high disk space and high memory utilization on servers . How to stop endpoint data collection in cortex xdr? Can we delete data from traps folder?If yes what all files we can delete ? How can we lower disk space utilization? Regards, Shashank

Resolved! How to best block portable apps?

Has anyone successfully implemented in their environment? Do you do it by BIOC Restrictions, using digital signatures, file path or executable name?

My "User Login Expiration" settings are not updating

I changed my User Login Expiration settings from 8 to 10 hours to accommodate my workday. After a week it has still not changed. It's small, but bugging me. Has anyone else seen this?

SAML SSO configuration error - JumpCloud (Third-Party IDP Provider)

Hi All, We have setup SAML SSO but receiving an 'Unauthorized.Error 4014' error. The following configuration was made: IDP provider: Cortex XDR SSO configuration: Unfortunately we receive the below error: Would anyone know whats occuring here please. Many thanks Amit

Find Endpoint Serial no

Any option to find the endpoint serial no on cortex console currently we are using the cortex pro per endpoint

Blocking Powershell Execution

Hi, Is it possible to block PowerShell execution on all endpoints through CortexXDR, if possible kindly give the process to do the same? Thanks

Blocking of Powershell execution

Hello, We need to block PowerShell executions on the some endpoints. how can we block Powershell dll files so that PowerShell cannot be loaded. We have created a BIOC rule and it is flagging legitimate Powershell executions also. Can we exclude such legitimate executions by creation exceptions for CGO name? Regards, Shashank

'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

Hi we have multiple failed connections from one host to several local IP below cmd was in initiator C:\WINDOWS\System32\svchost.exe -k NetSvcs -p -s iphlpsvc

Resolved! Forensics add-on || How-to get the most out of it

Does anyone have any tips or things they do to get the most out of the add-on? I'm just getting it configured it as my company purchased a few licenses for it. I think I've got it configured correctly in the agent settings but I'm also second guessing myself a bit on that as well. The documentation from Palo Alto hasn't been great on making s...

High RAM usage reaching up to 600 mb on Microsoft Windows Server 2019 Datacenter

We have a amazon EC2 server with 16GB ram, but the cortex agent is consuming more than 500 mb sometimes. Can any one answer what is the normal ram usage for cortex agent? version Cortex XDR 7.9.1.26645

Resolved! How to filter out some information with XQL

Hi Expert , I want to filter out some info from dataset such as " message:111.111.111.11" I want to filter just IP-address with regex and remove "message:" how to filter it on XQL Thank you

Disbaling Agent Notification

Hello Team, Is there any way to get a report/notification in XDR console whenever a user disables agent on their system. Do let us know if there is any way to track this activity.

Discussions

Welcome to the Cortex XDR Discussions!

Real time compliance of endpoints which goes under disconnected and connection lost state

agent not auto upgrading

Need to automate ingesting IOCs to Cortex XDR using Microsoft Sentinel or other means

High memory utilization

Resolved! How to best block portable apps?

My "User Login Expiration" settings are not updating

SAML SSO configuration error - JumpCloud (Third-Party IDP Provider)

Find Endpoint Serial no

Blocking Powershell Execution

Blocking of Powershell execution

'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

Resolved! Forensics add-on || How-to get the most out of it

High RAM usage reaching up to 600 mb on Microsoft Windows Server 2019 Datacenter

Resolved! How to filter out some information with XQL

Disbaling Agent Notification

Is there a difference between issues and alerts in XQL queries?

Cortex Assets Report without agent installed

createNewIndicator - IP is not an existing indicator type in Cortex XDR

CSP HUB roles / accesses

Make MTP logs using XQL

Re: createNewIndicator - IP is not an existing indicator type in Cortex XDR

Re: Is there a difference between issues and alerts in XQL queries?

Re: Need help with XQL datetime interval

Re: XDR Automation Rules not triggering Playbook execution

StoreDesktopExtension.exe - Again alerts are generated

Unlock your full community experience!

Resolved! How to best block portable apps?

Resolved! Forensics add-on || How-to get the most out of it

Resolved! How to filter out some information with XQL