XDR as "SIEM" (challenge for discussion)

I wanted to leave a challenge here for discussion in the group.

Why not use XDR as if it were a SIEM, in order to analyze more events with better accuracy, and to create more correlation and data enrichment?

I’m referring to an environment with:
XDR, X

Process injection into lsass

We received an alert indicating creation of a remote thread in the lsass process by the Cortex XDR agent (cyserver.exe).

I noticed that during the same time period, there were a few other processes that got injected by the agent (e.g. explorer, svcho

Cortex Data Lake - Windows 11 Build & Enablement(?) Info

Windows 11 (and 10 presumably) has a series of numbers which, together, identify the build and patch level of the OS.  This would be a combination of Version: Windows 11 and/or Build Number: 10.0.22631.  The Patch Level (or Enablement Level) is shown

How to delete Endpoints that have old agent and could not be uninstalled

Hello,

I have 2 endpoints with old version:

- 7.3.0.16740 on a server

- 8.6.0.3704 on a computer

I could not upgrade them and have no more access to those computers (in another country).

I asked admin to uninstall, he did not.

How to remove link betw

Cortex Endpoint Isolation - Allowing Microsoft Intune

Anyone have tips on figuring out how to allow exceptions to successfully communication over the internet while an endpoint is in isolation? I would like Microsoft Intune to be able to continue to reach the device while the device is in isolation for

Parsing Rule - SonicWall NGFW

Your mileage may vary. Here's what I came up with 

Yellow Dot

What does the yellow dot mean? I see it in the Artifacts area and in the Assets portion.

Allowing access to a specific IP while blocking the rest of IPs in XDR host firewall

Is there a way to allow access to only one IP on an endpoint while blocking all the other IPs at the same time in xdr host firewall.

I tried using the official documentation , but it's not working

we have a XDR console, in the console there is no system serial number, gateway ip.

we have a XDR console, in the console there is no system serial number, gateway ip.
Cortex XDR Cortex XSIAM 

CorteXDR License Pro - Send Event

The Pro per Endpoint license includes the option "Send Security Event from other data sources."
Why don't I have the Syslog option in BrokerVM?

Thank you very much for your suggestions and answers.

Cortex XDR - Automation Rules

Greetings,

Im trying to configure "Automation Rules" to "High" severity issues for the automatic isolation of endpoints.

Right now its configured as the following images show, but theyre not triggering the playbooks nor rules.

¿Any ideas or sugge

high priority 'Behavioral Threat' alert for smss.exe (system)?

Every few weeks or so getting a high priority alert:

xql query for process

Hi. i just try to do some basic threat hunting. 

dataset = xdr_data
| filter action_process_image_name in ("a.exe", "b.exe")
| fields agent_hostname, actor_effective_username, action_process_image_name, action_process_image_command_line , _time
| sort d