User Message on IOC trigger

Hi,

We have enabled user notifications in agent profile settings, when an event like malware detection occurs it is displayed to the user immediately. However, it does not show a notification for an IOC. Can we make a message appear for an IOC even

Toutrial: Detecting Tor Traffic in XSIAM

Hi Everyone, 

Some members in the community have recently been exploring ways to detect Tor traffic within their environments. I’ve spent some time working on a solution to this challenge, and I wanted to turn that work into a dedicated post so mor

Find USB mounted storage devices on Windows and macOS

Hi All, looking for some help here. We've been using a query a colleague wrote to find computers with USB's mounted. 

This is the query: 

// Description: Show drive mount activity

dataset = xdr_data

| filter event_type = ENUM.MOUNT

| alter mount_po

Repeated False Incidents with Unknown Verdicts

Hi everyone,

I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious,

This particular one shows:

• WF (WildFire) Verdict: Unknown

• VT (VirusTotal): 0/64 detections

Every week, I keep seeing similar in

Is there a documentation available for Cortex XDR related to event_type and event_sub_type?

Hi, 

Is there available documentation for ENUM numeric values in event_type and event_sub_type in XDR? Trying it in a query and it asks for the numeric value (Example: event_type = 1; PROCESS). 

Thanks!

Notifications Cortex XDR Pro / missing in the settings

Hello dear community, 

is there a way you can send this notifactions through mail? I can't find anything in the management or agent logs. 

BR

Rob

Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Hi Everyone, 

I’ve seen a lot of questions lately about the usage of constant ENUMs in Cortex XDR/XSIAM, especially after Unit42 released some IOC detection queries. These queries often contain clauses like:

Cortex XDR API requests

Hi everyone,

There is an problem im facing with. The problem is -- Some of API requests are not shown in "Management Audit Logs". There is another API's which ones can be shown in "Management Audit Logs". Is there other option for this case? To col

Wildfire API for scanning before upload

Hi,

I want to scan files before they get processed or uploaded to a linux server, if the file is malicious it is blocked from being uploaded, if clean then it gets uploaded and processed.

Cortex XDR Prevent has on-write feature for windows only. I

Cortex XDR Device Control Violation Query

Hi Team,

How can I check device control violations using an XQL query? I have tried the query preset = device_controlbut I am only seeing details for USB device violations. I am expecting to see Bluetooth violations as well. Is this possible? If yes,

Questions about IOC/BIOC Suppression rules

We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general). 

I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I see 52 Sys