Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

How to use interactive script mode Run Kansa investigation powershell

Hi

does anyone know

How to add investigation powershell to the Agent script Library of XDR Action Center. That I can choose it to do incident investigation when using XDR interactive script mode

Tracking Cortex XDR Corrupted Agents

Dear Community,

When I first started the Cortex XDR Project and started installing the agents, I made a mistake and deleted the outdated installation packages from the portal.

After that I started getting a lot of disconnected agents as if they try

...

Resolved! Cannot edit custom role

Resolved! Details Regarding XDR Query Fields: server_creation_time and creation_time

Hello Everyone,

We use below endpoint to collect the alerts:

/public_api/v1/alerts/get_alerts

Currently, we use creation_time to query alerts. But recently with the help of community answers only we found that creation_time is the time when an a

...

Allow users to change the Timezone

Hello,

We have users from different places and different timezone. We noticed that it is not possible for a user to change their timezone if they don't have the General Configuration View/edit permission. Is there any other way to allow a user to c

...

Resolved! Users may experience account lockouts due to XDR services.

Dear Community,

After modifying the password for a Windows user, the user account is continually locked out.
Using Process Monitor, it was discovered that the XDR service (cyserver.exe) read cached credentials(C:\ProgramData\Cyvera\LocalSystem\Python\

...

Help creating a Cortex XDR alert when a user is added to a privileged group in Active Directory

Hello,

I am looking to create a Cortex XDR alert when a user is added to a privileged group in Active Director. I can get the alerts when a user is added to any group, but I am looking for only privileged groups.

Resolved! Can't find logged in users from Endpoint Asset View

Hello all,

I find it strange that I cannot easily check the connected or previously logged in users on an endpoint. For example on Asset View or from Endpoints view I cannot see that.

There is the possibility to see it only on an incident I guess. But

...

Host Insights - Functionality limitation through license

Hello dear community,

we had not enough host insights licenses. About 13 agents are not available in the module system information.

Where is the trigger to say one or more of them should now gather or send the informations to Host Insights?

Thi

...

Resolved! Detail Description of Alert Log Fields XDR API

Hello Everyone,

We are pulling alerts from the XDR API using below endpoint:

/public_api/v1/alerts/get_alerts

We query based on creation time which is shown as detection_timestamp in the log.

I am looking for clarity on below points:

1. what

...

Resolved! Requesting Clarity on XDR XQL API Logging

Hello Everyone,

For one of the client, we need to fetch logs from XDR API using XQL. Currently, the ask is for windows event logs only, but later they want IIS logs as well.

Any help in below queries would be appreciated:

1. There are two queri

...

Cortex XDR. How to create an custom report only for wild fire information visibility

Hello Everyone ,

Do you know if there is an option to create an custom report in XDR only for wild fire information visibility ?

Thank you in advance.

Custom XDR query to show a user login and log out daily

Hi,

I'm trying to find a good query to pull not only the user login time but also a user logout in AD/AZ AD. I've been able to get the login data easy enough but I can't seem to pull a log OUT time/date or timeout.

Does anyone have any suggestions

...

Cortex XDR 3.6 How to remove several profiles at once

Hello Everyone,

Do you know if XDR supports option for removing several profiles for the console at the same time.

There is an option for manual removal profile y profile, but i have to make a clean up on environment with several hundred and som

...

Check Cortex XDR Agent status

Is it still possible to check the status of Cortex agent in registry? I want to check the status on the client side periodically. I know it is possible via cytool but i need to do this periodically on a lot of computers.

I know there was a way on Tra

...

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

How to use interactive script mode Run Kansa investigation powershell

Tracking Cortex XDR Corrupted Agents

Resolved! Cannot edit custom role

Resolved! Details Regarding XDR Query Fields: server_creation_time and creation_time

Allow users to change the Timezone

Resolved! Users may experience account lockouts due to XDR services.

Help creating a Cortex XDR alert when a user is added to a privileged group in Active Directory

Resolved! Can't find logged in users from Endpoint Asset View

Host Insights - Functionality limitation through license

Resolved! Detail Description of Alert Log Fields XDR API

Resolved! Requesting Clarity on XDR XQL API Logging

Cortex XDR. How to create an custom report only for wild fire information visibility

Custom XDR query to show a user login and log out daily

Cortex XDR 3.6 How to remove several profiles at once

Check Cortex XDR Agent status

Force XDR Agent

I want to block commands and special operations that require administrator privileges on Windows.

Can Cortex XDR fully substitute for Microsoft Defender Attack Surface Reduction (ASR) rules?

Evasion Technique - 1244315488

Other Network Source Checkpoint,Fortinet Cortex can auto stich

Re: Force XDR Agent

Re: Cortex XDR – Unable to Assign Read/Write Permissions for Mobile Device (Detected as CD-ROM) in Permanent Exceptions

Force XDR Agent

Re: I want to block commands and special operations that require administrator privileges on Windows.

Re: I want to block commands and special operations that require administrator privileges on Windows.

Unlock your full community experience!

Rules and Best Practices

Resolved! Cannot edit custom role

Resolved! Details Regarding XDR Query Fields: server_creation_time and creation_time

Resolved! Users may experience account lockouts due to XDR services.

Resolved! Can't find logged in users from Endpoint Asset View

Resolved! Detail Description of Alert Log Fields XDR API

Resolved! Requesting Clarity on XDR XQL API Logging