XQL query for critical commands

Hi everyone.
I'm trying to create an XQL query for a BIOC that will trigger an alert when specific commands are run.
I've tried the "visudo" and "sudo -l" commands on two servers. On one it detects both commands and on the other it only detects the "vi

Clean up Tags list

Hello All,

I want to clean up my tags list, because some of the old tags that we used are not needed any more.

We don't have active devices with tags that I want to remove.

Any idea from where i can do that?

Regards,

Vasil

Anti-tampering Protection

Hello, 

I got incident with Anti-tampering protection which was blocked, i reviewed the alert by CMD C:\WINDOWS\system32\svchost.exe -k GPSvcGroup

it it false postive?
any ideas?

Cortex XDR 

Security Channel Subscription Errors

Team,

While trying to collect logs from windows, one channel that is consistently resulting in errors is security channel. Systems and Applications work just fine eliminating any possibility connectivity or authentication issues. It is the security c

Cortex XDR Query for USB/External Drive Usage

Hi Family 

Good morning.

I am trying to filter the timeframe when a user last connected a USB flash drive or external hard drive using a Cortex XDR query. However, the following query did not return the expected results:

Issues with Mass Uninstallation of Cortex XDR Agents via SCCM

Cortex XDR sometimes have these stubborn machines that refuse to upgrade to the latest versions.

what are ways you use to alleviate this issue? Mine is SCCM.

I am trying to automate the mass uninstallation of older versions of Cortex XDR agents via SC

query to pull specific hosts for successful logins

Hello,

I'm using a canned library query called "Successful Windows Logins" This is a great query but how can I modify it so that its only looking at specific hosts vs all hosts? I can't figure out how to edit this. Can anyone help?

How to (temporarily) disable security in Cortex XDR to be able to update the client from outside the Console

Hello team,

We need to know how to disable (temporarily) the security in Cortex XDR to be able to update the client from outside the Console.

The updates from the console are causing us blue screens and we want to test it using scripts when shutting

How much resource consumed by XDR agent

Hello, 

Just wondering how much resource (CPU, Memory, Bandwidth) will be consumed on Windows agent normally? 

what is the  bandwidth requirement per 1000 agents? Defference with or without brokervm? 
Thanks,

SdG

Cortex XDR 

Cortex host insight Vulnerability Assessment average severity score

trying to find XQL query that will take all of our severity scores and give us a average and send that to report. I cant seem find the dataset 

Not very good with XQL at this time. maybe someone from the community can help

dataset = host_inventory
|

XQL query time setting

Hi!

I want to make a report that generates every month and it contains the previous month's data. My problem is that i cannot make it to be created on the first day of the month. So I tried to make the XQL query to work with the previous month's data