Cortex XDR Discussions

Threat Hunting Scenerios

I would like to set the alert to detect the following scenerios

How can I config the XQL/Query in BIOC to detect: Cortex XDR 

1. Login of local admin user (user with local administrators privilege)
2. Stop of a windows service e.g “abc.exe” while the endp

Is there a documentation available for Cortex XDR related to event_type and event_sub_type?

Hi, 

Is there available documentation for ENUM numeric values in event_type and event_sub_type in XDR? Trying it in a query and it asks for the numeric value (Example: event_type = 1; PROCESS). 

Thanks!

Incident creation latency

Hi all,

I have seen a few cases like that in recent days:

There was an alert by name ""Failed Connections" generated by XDR Anaytics" and inside that incident there was only one alert named "Failed connections" and alert source was XDR Analytics. B

XQL Query Help

Hello All,

I am trying to build a correlation rule for palo alto traffic logs to have local to remote traffic logs but I am unable to put that condition in the XQL query. Can someone please help me with the condition if you have already built one?

It

Exception with Windows Environment Variable

Dear Community,

Seeking for validation. I was under the impressions that we could create exception with the Windows environmental variables.

There's recent XDR alert says otherwise, the alert reappeared even after applied the exception. (With Windo

Need help sorting my applications and endpoint names using an XQL query

I want to sort my endpoint based on all application, like which application are using which specific endpoint? using an XQL query.
Cortex XDR #xql_query

Cortex XDR support intune to deploy on enduser machines

the Cortex XDR support Intune to deploy agents on end-user machine.

Process for ready the package and deploy to machine and test the package.

Asset inventory not updating for anything without the XDR agent. Last observed date is November 25th.

This was working before November 25th.  Nothing changed in the configuration, network location is set and Distributed Network Scan is enabled.

We are running Pro.

I opened a case but wondered if anyone else sees this?

Thanks

How to get XDR Wildfire API key?

As you can see that there is no data in wildfire api key. So where is it because I want to integrate my XDR Wildfire to other products. So How can i find it or How can I generate it? Please explain me well.

XDR BIOC Rules

Hi All,

We have a few Palo Alto BIOCs that are disabled in our console, does Palo alto disables those rules by themselves if yes where can we find more details about it like why it was disabled in the first place.

Regards,

Shahwaz

Deploying Cortex XDR agent with intune using variables such as endpoint tags

Hi all,

My client is facing issues deploying the agent with intune, the agent gets deployed as expected but additional arguments such as ENDPOINT_TAGS="blah" added to msiexec seem to be lost as they can't see them post install when browsing through

Cortex XDR memory consumption and management on Linux

Hello team,

I have query regarding Cortex XDR Linux agent memory consumption and management.

We have seen multiple cases where Cortex XDR memory consumption is high, however whenever we raise a case we got to know that memory consumption is norma