Cortex XDR Discussions

Resolved! Cortex XDR solution for WSL running on Windows

I am aware that Cortex XDR Agent can monitor traffic leaving WSL in the same way that it does with VMWARE or other virtualisation platforms with the WSL processes being a source of activity onto the windows system which is monitored, but the internal

...

Resolved! Rule to detect change in file extensions over a given period in a single system

Hi,

We want to write a logic to detect if there have been X number of file renames in Y time for a particular system

Please let me know what is the way to achieve the same ?

Resolved! XQL query to get the list of new software/applications

Looking for help. I would like to come up with the query to find all new applications installed compare to the last month inventory.

The logic would be what new application/software have been installed on the hosts this month.

Send alert from Cortex XDR via MS TEAM

Dear all,

I'm planning to deploy Cortex XDR on my DC, but I don't see the integrated options for MS Teams.

Could I know whether or not I can send alerts from Cortex XDR via MS Teams?

Can global uninstall password expire?

We noticed that the global uninstall password set last year at the end of May no loger works, in the Management Audit Logs there are no other events "Agent global uninstall password updated".

Can it expire? or be changed without generating an even

...

Regex Not Functioning Properly in XQL

Hello everyone, I'm attempting to extract fields from DHCP logs but encounter an error stating, "Your query failed to run as it's invalid." my regex code works correctly on regex101 and CyberChef. Does anyone have any insights on how to troubleshoot

...

How to create exception/Exclusions for BIOC analytics and XDR analytics alerts

Hello Team ,

We are getting multiple alerts for BIOC analytics and XDR analytics right now as checked on console there is no option visible to add exception/exclusion for this alert.

Can some one please guide how we can create a exception/exclusi

...

Resolved! File Integrity Monitoring FIM using Auditbeat module

Hello,

Looking to set up FIM using the Cortex XDR agent and from what I have found so far, it seems unsupported. Has anyone set up FIM using any method?

The only possible option I have found so far is maybe using an auditbeat with the FIM module:

...

Unable to install Cortex XDR agents 8.1.x or later on Windows 10 Pro Computers

Hello peers,

I tried installing Cortex XDR agent v8.1.x earlier and v8.2.x recently - the Setup Wizard ends prematurely because of some error not presented in detail.

Alternatively, I could install previous version and further upgrade to latest.

...

Using Cortex with DeTTeCT and dettectinator

I am using the DeTTeCT approach to assessing our coverage against ATT&CK: GitHub - rabobank-cdc/DeTTECT: Detect Tactics, Techniques & Combat Threats. In this approach, you need to start with a set of yaml files that have your datasources and detectio

...

Correlation rule for detecting Account Created /deleted or Group created /deleted from AD server

Hi Community,

I am looking for correlation rule where in i can detect Account Created /deleted or Group created /deleted from AD server log source.

Scan status details of Cortex XDR

Hi Team,

Can I get more information on scan status for below scenarios.

. If the scan initiated and before completion the endpoint got disconnected what will be the status?

.. when the endpoint connects back, whether the scan automatically resum

...

Resolved! Cortex EDL and network range

I enabled EDL in Cortex XDR and I'm trying to add network range, but this seems to be not possible for some reason. Is it supported or only single IPs can be added?

Resolved! About iOS Agent

Hi Everyone：

Do I need to manually activate the iOS APP every time I restart my mobile phone?
If I accidentally turn it off, will it stop working?
Or can it still be executed in the background?

Richard

Resolved! Cortex XDR Delete IOS Endpoint

Hello everyone：

Does anyone know how to remove the ios endpoint from the Console?
I have removed the APP from my mobile phone a day ago but the Console still shows that it is connected and cannot be removed.

best regards