Cortex XDR: Removal on MacOS

Any resources on command-line/automated Cortex XDR removal (with key) for MacOS clients?

We're a MSP/MSSP and have requirement often to bulk remove XDR when (e.g.) offboarding clients or during M&A activities, etc. I'd open a case at support but si

Request for File Path Information in Cortex XDR Vulnerability Assessment Data

I'm using the XDR API to retrieve vulnerability assessment data (specifically the va_cves and va_endpoints datasets) provided by Host Insights. I would like to know if the API—or any other Cortex API—can provide the file path information associated w

Is there a Query to see the BIOS version with Cortex XDR Pro?

Looking for a query to see the BIOS version in Cortex XDR, if there is a variable to show it. We have XDR Pro with host insights.

Cortex XDR 

False Positive Issue - Multiple Windows System Processes Flagged by Cortex XDR

Hello everyone,

I'm experiencing ongoing false positive alerts with Cortex XDR that are affecting multiple endpoints in our environment. I'm seeking guidance on how to properly address this issue.

Environment Information:

• Cortex XDR Agent Version: 8.

Cortex XDR installation on GKE AutoPilot cluster

Cortex XDR seems to support GKE AutoPilot in latest release 8.9.

However, when generating the Kubernetes manifests on Cortex XDR dashboard, they will not deploy on AutoPilot cluster. 

Instead, error message is given after kubectl apply command:
Vi

Permission settings under Rules (BIOC, IOC and Correlations)

Hi team

Is there a way to configure a role that allows access to just BIOC, IOC or Correlations - without always having to bundle them all together?

Thanks!

Alert for each time a usb device is plugged

Hello,

Is there any way to set up an alert for each time a USB device is plugged into a host?
Even if it's not malicious.

All Asset Total Number-Cortext XDR

Hello,

I have added 5 endpoints to Cortex XDR. On the All Assets page, I can clearly see these 5 endpoints listed with their respective names and categorized as General Devices.

However, I’m seeing over 200 additional assets that:

• Have no names

• Are

Log delete block

Hi everyone,

There is a problem we facing with. We created BIOC rule for this action but we cannot prevent it. Is there any way to block this action via XDR? 

thanks

Verify default policy and custom on Cortex XDR

Dear Support,

I would like to open case for verify and confirm on these tasks below:

+ Currently we use this default rule on Cortex Prevention Policy Rules for customer that just enable it as protection mode but customer concern it’s not best practice

Alert Not Stitching (Custom Correlation Rule)

Hello everyone, I have a question about alert stitching in Cortex XSIAM/XDR. I created two correlation rules:

1. Policy - Violation Root Detection (Medium severity)

2. Policy - Successful Sudo Command (Low severity)

However, when I check the incidents,

Best practice for installing agents on Windows "multi-session" Azure AVD?

Which method should be used to install the Cortex XDR agents for the Azure-only Windows 11 multi-session VDI? Since it's both a terminal server, and a non-persistent VDI that gets re-imaged from a golden image?