Unable to retrive downloaded exe's

Hello everyone,

I was trying to check all the downloaded exe's via firewall on all the endpoints in past 24hrs. I tried retrieving all downloaded exe's in downloads folder with the help of this query below. 

dataset = xdr_data
| filter event_type =

XDR & Java installs

With the upcoming Oracle Java license changes, I'm looking into using XQL to report on existing installs, and potentially a process based BIOC to block new installs which would incur a licensing fee. 

Anyone familiar with Java know how to differentiat

SearchHost.exe

Hello Everyone,

I am new to Cortex XDR. I wanted to ask what is searchHost.exe? and if it is safe when it generates alarm (level Medium) in Cortex XDR? If not then any recommendations?

Thanks

Uninstall Cortex XDR Agents from endpoints programmatically

Hi, 

I would like to programmatically uninstall agents from endpoints but are running into dead ends. 

Currently, based on the documentation (https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Uninstall-the-Cor

Cortex XDR VDI_ENABLED=1 and TS_ENABLED=1

I want to know about how TS_ENABLED=1 and VDI_ENABLED=1 command works during installation.

And how Temporary sessions are managed by Cortex XDR Agent.

USB protection exeption for ClickShare usb Device

Hello everybody,

if we block USB Drives/Windows drives our ClickShare (USB Screen Share Dongle) devices also get blocked.

But they don´t appear in the "Device Control Violations" list so we can´t exclude them from blocking. 

We tried to exlude the

Plans to use device control violation / permanent exceptions in RBAC mode?

Hello dear community, 

we have 2 groups in the Dashboard. The client os team and the incl. server os team. Only the server os team can use the device permanent exceptions for device control.

Are there any plans to solve this issue?

RBAC is nice,

Directories CIEE x Cortex

dear, I have two directories in the cie, but in the cortex in the preset function it only brings the old one, not the newer one. How can I do it in Cortex so that it only brings information from the new directory?

Broker VM Frequency to connect to cloud

Dear Team,

As per the client requirement, Could you please let us know about the frequency of the Broker VM to connect with the Palo Alto Cloud?

Thanks & Regards,

Atul Bisht

XQL query for network events within a subnet

I need an idea for an XQL query to find network events where the remote and local IPs belong to the same subnet. Thanks. 

Impossible uninstall Cortex XDR

Hello,

Because of my previous work, I had to install Cortex XDR to work remotely from home and access to the VPN.

Now that I'm no longer working for them, I would like to uninstall Cortex XDR from my laptop (MacBook Pro M2) but it is impossible. I