Find USB mounted storage devices on Windows and macOS

Hi All, looking for some help here. We've been using a query a colleague wrote to find computers with USB's mounted. 

This is the query: 

// Description: Show drive mount activity

dataset = xdr_data

| filter event_type = ENUM.MOUNT

| alter mount_po

Repeated False Incidents with Unknown Verdicts

Hi everyone,

I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious,

This particular one shows:

• WF (WildFire) Verdict: Unknown

• VT (VirusTotal): 0/64 detections

Every week, I keep seeing similar in

Is there a documentation available for Cortex XDR related to event_type and event_sub_type?

Hi, 

Is there available documentation for ENUM numeric values in event_type and event_sub_type in XDR? Trying it in a query and it asks for the numeric value (Example: event_type = 1; PROCESS). 

Thanks!

Notifications Cortex XDR Pro / missing in the settings

Hello dear community, 

is there a way you can send this notifactions through mail? I can't find anything in the management or agent logs. 

BR

Rob

Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Hi Everyone, 

I’ve seen a lot of questions lately about the usage of constant ENUMs in Cortex XDR/XSIAM, especially after Unit42 released some IOC detection queries. These queries often contain clauses like:

Cortex XDR API requests

Hi everyone,

There is an problem im facing with. The problem is -- Some of API requests are not shown in "Management Audit Logs". There is another API's which ones can be shown in "Management Audit Logs". Is there other option for this case? To col

Wildfire API for scanning before upload

Hi,

I want to scan files before they get processed or uploaded to a linux server, if the file is malicious it is blocked from being uploaded, if clean then it gets uploaded and processed.

Cortex XDR Prevent has on-write feature for windows only. I

Cortex XDR Device Control Violation Query

Hi Team,

How can I check device control violations using an XQL query? I have tried the query preset = device_controlbut I am only seeing details for USB device violations. I am expecting to see Bluetooth violations as well. Is this possible? If yes,

Questions about IOC/BIOC Suppression rules

We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general). 

I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I see 52 Sys

How to remove Old versions of Cortex Agent

Hello everyone,

We're facing issues upgrading older versions of the Cortex agent on Windows endpoints — particularly versions 7.x and in some cases 8.x. These agents fail to upgrade both automatically and manually.

Requesting a cleaner for each min

Port scan alert

Hi everyone,

There is some situation in our case.

For example there is 2 windows host. Host1 and Host2. Host1 have XDR. But Host2 not. If Host2 executes port scan action (it doesn't matter which tool is using -- nmap, zenmap and etc) to Host1 in