Reason for Query:
LOLBINs are used quite extensively in attacks, in some cases LOLBINs are renamed and then used to bypass behavior based detection rules. Hence, the query is built to hunt for renamed process execution eg; cmd.exe renamed to xyz.exe a
...
Is it possible to create an arrayexpand the action_evtlog_data_fields
the below fails to run
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| arrayexpand action_evtlog_data_fields
| alter Username=json_extract(action_evtlog_data_fields, "$.Targe
Hi all, I have a problem with the agent - I have one agent that is not communicating with the xdr server after installation. The host in question had it's agent uninstalled via the xdr server, and then re-installed by the IT team. However now the hos
...
Hey!
I was just wondering if anyone knows of a way to get the total download/upload to show in MB or GB rather than bytes through an XQL queries' output?
XQL Query
dataset = xdr_data // Using the xdr dataset
| filter event_type = ENUM.NETWORK // Filt
Hello,
My question is what are the capabilities of Cortex XDR without endpoint agents and just with PANOS firewall integration? As the Palo Alto firewall can forward its logs to the XDR for extra checks what are the features that XDR can provide
...
