Multiple detection on Suspicious Network Activity - 3045255237

Hello ,

We are a MSSP and since less than one hour, a new rules appeared in many of our Cortex XDR tenant : Suspicious Network Activity - 3045255237 involving the IP 2.58.113.190. The communication is launched by the process System, like if a rootk

Help with t XQL BIOC/Correlation rule

Hi ALL,

New to XDR world,  

I am have a XQL query against a 2FA log which looks for user login (fail or success) from 2 different countries in 3 hours. 

Query looks like  

dataset in (XXX_raw)
| filter eventType = "User.Login" // look for  login events
|

Batch file creation in MAC to Fore Reconnect Cortex Agent

Hi Everyone,

 I would like to force reconnect the workstation that is in old Cortex Tenant to the new Cortex Tenant we have.

Is is possible to create a batch file for this so it can help us to work easily? is the .bat format applicable in MAC OS?

XQL Query to view the "Incident Name"

Hi People, 

I was wondering if anyone could assist me with XQL Query to display the Incident name. Please refer to the attached photo to get an idea of what I am trying to achieve. I have used the xdr_data dataset, however i cannot find the relevan

XQL query to retrive endpoint data from data lake

Can anyone help me how to retrive endpoint logs from data lake via XQL 

Cortex Agent Best Practice Customization for Terminal servers & DC Servers

Hi,

Is there any Cortex agent customization suggested or best practice docs for Windows Terminal servers and Windows DC Servers

Cannot remove/install xdr agent

Hi everybody !

I would like to find out how to download the XdrAgentCleaner.exe to remove cleanely old xdr cortex agent ? 
We have several computers on which we cannot uninstall the old agent, you will find the message attached.

I have already follow

How to remove Cortex without Management

Existe uma forma de forçar a remoção do Cortex 7.9 do ambiente que eu não tenho mais senhas de gerenciamento ou remoção, já que o parceiro rescindiu o contrato e não forneceu o mesmo.

Integrate the BVM server with SIEM

Hello Team,

We need to change rsyslog.conf file. Please let us know if this file can be changed and is it recommended to integrate the BVM server with the SIEM?

Cortex XDR 8.1 not installing on Windows Server 2008 R2/2012 windows 10_v1607

Hi,

We've a problem with installation cortex xdr 8.1 on Windows Server 2008/2012 and Windows10_v1607....
All machine need the AZURE update https://support.microsoft.com/en-us/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-f

IOC Feed upload via API / disabled IOC overwrite / reactivate

Hello dear community, 

is it possible not to overwrite disabled IOC with API Upload? If the indicator is disabled, it should stay disabled. But atm it isn't like that, the indicator is beeing deleted, written into the ioc table and get's activated