XQL query for searching extensions installed within an application

Hi All,

Looking for an XQL query to detect extensions installed from an applications marketplace to use within the application. For eg. someone installing "github actions" extension from the azure marketplace.

Huge Cortex XDR upload traffic observed from firewall

We have branch network connected to Data center via MPLS VPN link. All branch PCs internet traffic going out from the DC firewall. From all the branch PCs (Around 8000), we have observed a huge outbound traffic towards internet related to Cortex XDR

API Syntax Issue

Hi everyone,

I'm trying to use the 'run_script' API to start the built-in 'Execute_Commands' script on a target machine. I've worked through a few error messages already regarding the command string having black slashes, timeout not being set as in

Cortex XDR Kubernetes Agent - Cluster Name

Hi,

Can anyone tell me what is the purpose of the "Cluster Name" and "Development Platform" fields when creating a Cortex XDR Kubernetes Agent Install Package? Both fields are not mentioned in the documentation.

Thanks

Cortex XDR 

Required Windows Event IDs for the best Cortex XDR detection performance

Hello, dear Community,

I need a list of Windows event IDs required for BIOC and other Cortex XDR rules to work effectively.

For example, when we performed a Kerberos user enumeration attack using Kerbrute, it was not detected initially. Cortex XDR

XQL LLMNR/NBT-NS poisoning querry

Hi guys, has anyone tried to create a correlation rule that detects LLMNR/NBT-NS poisoning attempts? or if Cortex XDR by default already detects

Allowing child process from parent process in Cortex XDR

Hello,

Is there a way to allow a legitimate parent process to create a legitimate child process on Cortex XDR that is being blocked due to "Suspicious Process Creation"? In my case, I whitelisted the child process but the block continues. I do not wa

report endpoint without an agent

How to create a report of all endpoints that are in "ASSET INVENTORY" that don't have an Cortex XDR agent ?

Multiple Paths in Disable Prevention Rules

Hello
Is it possible to specify multiple values while creating prevention rules exception for one "application" ? If so what is the schematics of adding those ?
Especially in path section. As if application has multiple location paths for its different

how frequently XDR will push logs to Cortex?

Hi, 

how frequently XDR will push logs to Cortex? We have application it will write logs 400k per sec and log rotation setup like if file size is 50 MB it will compress the file and zips it. due to this we are missing logs in cortex xdr.

can you plea

Application WhiteListing

I have an application that needs whitelisting.

Actions Done:

Add to Allow List

Add to Malware Profile, under specific module that triggered alert/incident.

It is still showing up in incidents when executed. Any idea what could be going on?