Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Cortex XDR Agent Cloud Compliance

Hi Community,

We are using Nessus scanners. Why should I enable cloud compliance in Cortex XDR agent, and what is the main difference between Cortex XDR cloud compliance and Nessus scanners?

Cortex XDR XQL Query

Hi,
I wanna sort my query as operational_status in (UNPROTECTED, PARTIALLY_PROTECTED) everyday (Like from Monday to Sunday Statistics)
My query looks like this
config case_sensitive = false
| dataset = endpoints
| filter operational_status in (UNPROT

...

XQL Query to find all Mac_OS endpoints and return the version of Netskope installed on the hosts.

I am new to using xql and I am having trouble getting the information I need using a search query. I need to pull a list of all Mac_OS hosts and then within the applications field return the version of NetSkope installed on the client. I have started

...

Resolved! Cortex XDR Forensics doesn't display Endpoints

When I configure Forensics, at the 'Endpoints' step, it doesn't show the name of any endpoint. "Monitor and Collect Forensics Data" is enabled on Agent Settings. User role is Instance Administrator. Triage type is "Online".

Resolved! LSASS creating a cache1.bin on appdata

We have an alert on 2 different device that LSASS is creating a cache1.bin on app data.

All are created by NT\SYSTEM

Location detected

C:\Users<my username>\AppData\Local\Microsoft\Windows\SFAP\cache1.bin

C:\Windows\ServiceProfiles\UIFlowService\Ap

...

Winget Command

Hello dear Community,

I have the following problem: I can’t use the Win-Get command on the XDR terminal in Cortex. Can someone help me to make this command executable on the PowerShell XDR terminal.

Cloud Identity Engine

Hi Community,

We have integrated the Cloud Identity Engine into the environment. Currently, the Palo Alto Hub page shows the Cloud Identity certificate expiring in a month.

We checked the Palo Alto article https://docs.paloaltonetworks.com/cloud-

...

Resolved! json_extract_array do not return result

I've got json like below and trying to extract each key_name via json_extract_array but getting empty column vendor

query is

dataset = host_inventory

| fields application as aps

| alter vendor = json_extract_array(to_json_string(aps),"$.key_name")

...

Why is the interface of my conter xdr different from everyone's

My brother once activated the XDR interface, but I found that their XDR interface was different from mine when I sought help from the documentation.

my:

People in the community:

Why is that, urgent

XDR Agent 8.5.0.2457 on macos 14.5

Hi community,

After my laptop upgrade to the last version of xdr agent i get the following:

Randomly the system looks as if it's loading and after a few seconds it's back to normal. the machine doesn't crash but the mouse keeps showing the hourgl

...

Resolved! Cortex XDR Cloud Compliance

Hi Community,

We have enabled the Cortex XDR agent Cloud Compliance on certain Linux machines. The configuration was successfully completed, and the Cloud Compliance tab is visible. We are interested in retrieving the Cloud Compliance data using an

...

XDR Email Alerts json attachment

Is there any way to format the json attachment the comes with XDR emails? It's somewhat annoying to have to use another tool to view the json output since the attachment is not formatted.

Preventing CrowdStrike disaster in Cortex XDR Pro

Hello dear community!

what could we or PA setup in PA Cortex XDR to prevent us from such a disaster which happened to CrowdStrike?

Are there any settings or recommendations which can be shared?

BR

Rob

XQL search for DOM hash and cryptocurrency wallet address

Hi all,

Anyone knows how to do XQL search for DOM hash and cryptocurrency wallet address in XDR Query search?

Thanks.

Alert "Script Activity - 245655498"

Hello everyone,

I just received this alert "Script Activity - 245655498" with this description "Suspicious script with keywords written in a non-standard way." in Cortex multiple times related to PowerShell script execution on a developer machine.

...

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

Cortex XDR Agent Cloud Compliance

Cortex XDR XQL Query

XQL Query to find all Mac_OS endpoints and return the version of Netskope installed on the hosts.

Resolved! Cortex XDR Forensics doesn't display Endpoints

Resolved! LSASS creating a cache1.bin on appdata

Winget Command

Cloud Identity Engine

Resolved! json_extract_array do not return result

Why is the interface of my conter xdr different from everyone's

XDR Agent 8.5.0.2457 on macos 14.5

Resolved! Cortex XDR Cloud Compliance

XDR Email Alerts json attachment

Preventing CrowdStrike disaster in Cortex XDR Pro

XQL search for DOM hash and cryptocurrency wallet address

Alert "Script Activity - 245655498"

Get Data Per Week within a Month

GlobalProtect App Log Collection - Determining Disconnected Agents

XQL Query - look for any local administrator account on endpoint

Cortex XDR file quarantine

Correlation Rules that detect tor browser

Re: Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Re: Wildfire API for scanning before upload

Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Re: Cortex XDR login issue

Re: Policy scoping by partial endpoint_name --> Endpoint Group

Unlock your full community experience!

Rules and Best Practices

Resolved! Cortex XDR Forensics doesn't display Endpoints

Resolved! LSASS creating a cache1.bin on appdata

Resolved! json_extract_array do not return result

Resolved! Cortex XDR Cloud Compliance