XQL help AD

Hi everyone,

Anyone know how to query what types of AD queries users run?
I want to (1) find users/computers doing AD enumeration and (2) see what kind of enumeration they ran.

Cortex XDR: Removal on MacOS

Any resources on command-line/automated Cortex XDR removal (with key) for MacOS clients?

We're a MSP/MSSP and have requirement often to bulk remove XDR when (e.g.) offboarding clients or during M&A activities, etc. I'd open a case at support but si

Request for File Path Information in Cortex XDR Vulnerability Assessment Data

I'm using the XDR API to retrieve vulnerability assessment data (specifically the va_cves and va_endpoints datasets) provided by Host Insights. I would like to know if the API—or any other Cortex API—can provide the file path information associated w

Is there a Query to see the BIOS version with Cortex XDR Pro?

Looking for a query to see the BIOS version in Cortex XDR, if there is a variable to show it. We have XDR Pro with host insights.

Cortex XDR 

False Positive Issue - Multiple Windows System Processes Flagged by Cortex XDR

Hello everyone,

I'm experiencing ongoing false positive alerts with Cortex XDR that are affecting multiple endpoints in our environment. I'm seeking guidance on how to properly address this issue.

Environment Information:

• Cortex XDR Agent Version: 8.

Cortex XDR installation on GKE AutoPilot cluster

Cortex XDR seems to support GKE AutoPilot in latest release 8.9.

However, when generating the Kubernetes manifests on Cortex XDR dashboard, they will not deploy on AutoPilot cluster. 

Instead, error message is given after kubectl apply command:
Vi

Permission settings under Rules (BIOC, IOC and Correlations)

Hi team

Is there a way to configure a role that allows access to just BIOC, IOC or Correlations - without always having to bundle them all together?

Thanks!

Alert for each time a usb device is plugged

Hello,

Is there any way to set up an alert for each time a USB device is plugged into a host?
Even if it's not malicious.

All Asset Total Number-Cortext XDR

Hello,

I have added 5 endpoints to Cortex XDR. On the All Assets page, I can clearly see these 5 endpoints listed with their respective names and categorized as General Devices.

However, I’m seeing over 200 additional assets that:

• Have no names

• Are

Log delete block

Hi everyone,

There is a problem we facing with. We created BIOC rule for this action but we cannot prevent it. Is there any way to block this action via XDR? 

thanks

Verify default policy and custom on Cortex XDR

Dear Support,

I would like to open case for verify and confirm on these tasks below:

+ Currently we use this default rule on Cortex Prevention Policy Rules for customer that just enable it as protection mode but customer concern it’s not best practice

Alert Not Stitching (Custom Correlation Rule)

Hello everyone, I have a question about alert stitching in Cortex XSIAM/XDR. I created two correlation rules:

1. Policy - Violation Root Detection (Medium severity)

2. Policy - Successful Sudo Command (Low severity)

However, when I check the incidents,