Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

xql query for moved directory or folder

There is a canned search for files but what about folders?

We are trying to find out who is moving or deleting a folder, hoping Cortex has something to help. Thx

Resolved! Cortex XDR compatibility with Microsoft security products

Was wondering if anyone had come across having Cortex XDR with the following microsoft security products, and found any compatibility issues or performance issues with either cortex or the usage of the security products?

Microsoft Purview
Microsoft En

...

Cortex Broker Mapper scans

We’re experiencing an issue with Cortex brokers related to the network mapper.
When we run network scans using the "ICMP Echo" flag, the scan completes successfully and everything works as expected.

However, when performing a "TCP SYN" scan on the foll

...

How can I see the device control violations logs from XQL?

Good afternoon,

Is there a way to see the logs that are generated in Device control Violations?

I know that using preset = device_control in XQL we can see devices but this preset does not give me all the data that appears in the Violations section..

...

Resolved! Query to see user that launched an EXE and how many times

I've been trying so many different queries and cant seem to make one that shows me what users launched an EXE and when or how many times as a count.

As an example to make it easy:

Search for everyone that executed winword.exe and show me when they did

...

Resolved! In Cortex XDR, if the Cloud Identity Engine Azure Sync fails and then reconnects automatically without any action,

Hi Team,

We are currently using the Cortex XDR Pro Per Endpoint license and have enabled the Cloud Identity Engine feature.

We observed that the Azure directory synchronization within the Cloud Identity Engine failed temporarily but reconnected succe

...

Installing Cortex Agent on Linux LXD

Hello everyone,

I am looking to install the Cortex Agent on a Linux system within an LXD container. Does anyone have insights or a step-by-step guide on how to install the Cortex Agent in this environment?
Additionally, is Cortex officially supported

...

Automatic endpoint isolation after an unauthorized attempt to delete an agent.

Hi. Maybe someone know, if there is such an opportunity to create a rule that will automatically isolate the hosts on which attempts have been made to remove the agent in a non-traditional way?

BTP Exception not working for ps1 script

Hi Team -

I've created a Legacy Agent Exception Rule to prevent the Behavioral Threat Protection component from blocking a specific (and legitimate) .ps1 file on my network (within a specific user profile), but Cortex keeps blocking the script.

The

...

Resolved! IoC Source Reliability Basis

Hi Team,

On what basis this Reliability level is classified on Cortex XDR

Thank you

Get results before and after 10 seconds of creation_time field

I need a query which will give me results 10seconds before and 10seconds after the alert creation_time field for investigation from a hostname. So i need to add 10seconds to the alert creation_time field and subtract 10seconds from the creation_time

...

Change alert (not incident) severity for future same alerts

The severity of "Administrative Hash Exception" alerts (not incidents) is low, and since they are not created as incidents, I want to change the severity of these alerts to medium so that they are created as incidents next time.

When I go to Incident

...

Resolved! Palo Alto Cortex Broker Virtual Machine (Broker VM) security understanding

Following my company's compliance guidelines, we are looking for some confirmations about the Palo Alto Cortex Broker Virtual Machine (Broker VM). Could you, please, confirm that we have correct understanding on how the product works?
1- It is not pos

...

RedHat 8/9 XDR client count limited

As I have added clients to my XDR Linux group I have seen a situation where I hit a limit on client count (under 20 BTW). After I have them all added there will be 2 or 3 missing. If I restart the process on a missing client, that one immediately app

...

Resolved! [Cortex XDR] Are there any How-To video recordered about Windows Event Collector applet for the broker VM?

Dear,

Following the acquisition of the Pro license for GB to collect Windows logs from domain controllers, I saw documentation regarding the configuration of the Windows Event Collector applet from the Broker VM.

However, I was wondering if there

...

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

xql query for moved directory or folder

Resolved! Cortex XDR compatibility with Microsoft security products

Cortex Broker Mapper scans

How can I see the device control violations logs from XQL?

Resolved! Query to see user that launched an EXE and how many times

Resolved! In Cortex XDR, if the Cloud Identity Engine Azure Sync fails and then reconnects automatically without any action,

Installing Cortex Agent on Linux LXD

Automatic endpoint isolation after an unauthorized attempt to delete an agent.

BTP Exception not working for ps1 script

Resolved! IoC Source Reliability Basis

Get results before and after 10 seconds of creation_time field

Change alert (not incident) severity for future same alerts

Resolved! Palo Alto Cortex Broker Virtual Machine (Broker VM) security understanding

RedHat 8/9 XDR client count limited

Resolved! [Cortex XDR] Are there any How-To video recordered about Windows Event Collector applet for the broker VM?

monitor command line on powershell or cmd with XQL

How endpoint devices, XDR Broker VM and XSIAM Cloud communicate in case of HA configuration

High Memory Usage by Cortex XDR Agent on Windows Devices

Migrate policies from Carbon Black to Cortex XDR

Quarantined File Automatically Moved to Allow List from Block List after File Restore Action

Re: monitor command line on powershell or cmd with XQL

XQL - "After hours" query

Re: Migrate policies from Carbon Black to Cortex XDR

Re: High Memory Usage by Cortex XDR Agent on Windows Devices

Re: Quarantined File Automatically Moved to Allow List from Block List after File Restore Action

Unlock your full community experience!

Rules and Best Practices

Resolved! Cortex XDR compatibility with Microsoft security products

Resolved! Query to see user that launched an EXE and how many times

Resolved! In Cortex XDR, if the Cloud Identity Engine Azure Sync fails and then reconnects automatically without any action,

Resolved! IoC Source Reliability Basis

Resolved! Palo Alto Cortex Broker Virtual Machine (Broker VM) security understanding

Resolved! [Cortex XDR] Are there any How-To video recordered about Windows Event Collector applet for the broker VM?