Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Resolved! How to best block portable apps?

Has anyone successfully implemented in their environment? Do you do it by BIOC Restrictions, using digital signatures, file path or executable name?

My "User Login Expiration" settings are not updating

I changed my User Login Expiration settings from 8 to 10 hours to accommodate my workday. After a week it has still not changed. It's small, but bugging me. Has anyone else seen this?

SAML SSO configuration error - JumpCloud (Third-Party IDP Provider)

Hi All,

We have setup SAML SSO but receiving an 'Unauthorized.Error 4014' error.

The following configuration was made:

IDP provider:

Cortex XDR SSO configuration:

Unfortunately we receive the below error:

Would anyone know whats occ

...

Find Endpoint Serial no

Any option to find the endpoint serial no on cortex console currently we are using the cortex pro per endpoint

Blocking Powershell Execution

Hi,

Is it possible to block PowerShell execution on all endpoints through CortexXDR, if possible kindly give the process to do the same?

Thanks

Blocking of Powershell execution

Hello,

We need to block PowerShell executions on the some endpoints. how can we block Powershell dll files so that PowerShell cannot be loaded.

We have created a BIOC rule and it is flagging legitimate Powershell executions also. Can we exclude

...

'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

Hi we have multiple failed connections from one host to several local IP

below cmd was in initiator

C:\WINDOWS\System32\svchost.exe -k NetSvcs -p -s iphlpsvc

Resolved! Forensics add-on || How-to get the most out of it

Does anyone have any tips or things they do to get the most out of the add-on? I'm just getting it configured it as my company purchased a few licenses for it. I think I've got it configured correctly in the agent settings but I'm also second guessin

...

High RAM usage reaching up to 600 mb on Microsoft Windows Server 2019 Datacenter

We have a amazon EC2 server with 16GB ram, but the cortex agent is consuming more than 500 mb sometimes.

Can any one answer what is the normal ram usage for cortex agent?

version Cortex XDR 7.9.1.26645

Resolved! How to filter out some information with XQL

Hi Expert ,

I want to filter out some info from dataset such as " message:111.111.111.11" I want to filter just IP-address with regex and remove "message:" how to filter it on XQL

Thank you

Disbaling Agent Notification

Hello Team,

Is there any way to get a report/notification in XDR console whenever a user disables agent on their system. Do let us know if there is any way to track this activity.

How to search for multiple of the same file hashes across multiple field types?

Hello Everyone,

I am trying to find a way to search for multiple of the same file hashes across multiple field types, but can't seem to figure it out. I was thinking it could be something like:

dataset = xdr_data | filter where action_file_sha25

...

Resolved! XQL Using Host Inventory Dataset and joining endpoint DS for Group Names

Hello, I am attempting to write a query in which I display the host inventory applications and the Group Names field from the endpoint dataset. I have used in separate occasions Union and Join On but without success.

What can I do without affecting

...

Content Version Updates

Hello,

How much time does it take for the machines to take a latest content update from the console?

Resolved! Powershell Protected Script Block logging

Hello dear community,

does Cortex XDR Pro handle also the protected event logging?

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3#enabling-script-block-logging

BR

...

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

Resolved! How to best block portable apps?

My "User Login Expiration" settings are not updating

SAML SSO configuration error - JumpCloud (Third-Party IDP Provider)

Find Endpoint Serial no

Blocking Powershell Execution

Blocking of Powershell execution

'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

Resolved! Forensics add-on || How-to get the most out of it

High RAM usage reaching up to 600 mb on Microsoft Windows Server 2019 Datacenter

Resolved! How to filter out some information with XQL

Disbaling Agent Notification

How to search for multiple of the same file hashes across multiple field types?

Resolved! XQL Using Host Inventory Dataset and joining endpoint DS for Group Names

Content Version Updates

Resolved! Powershell Protected Script Block logging

monitor command line on powershell or cmd with XQL

How endpoint devices, XDR Broker VM and XSIAM Cloud communicate in case of HA configuration

High Memory Usage by Cortex XDR Agent on Windows Devices

Migrate policies from Carbon Black to Cortex XDR

Quarantined File Automatically Moved to Allow List from Block List after File Restore Action

Re: monitor command line on powershell or cmd with XQL

XQL - "After hours" query

Re: Migrate policies from Carbon Black to Cortex XDR

Re: High Memory Usage by Cortex XDR Agent on Windows Devices

Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Unlock your full community experience!

Rules and Best Practices

Resolved! How to best block portable apps?

Resolved! Forensics add-on || How-to get the most out of it

Resolved! How to filter out some information with XQL

Resolved! XQL Using Host Inventory Dataset and joining endpoint DS for Group Names

Resolved! Powershell Protected Script Block logging