Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Cortex XDR - All Actions export

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR - All Actions export

L0 Member

Greeting to all!

I have faced an interesting use case with Cortex XDR and I haven't seen solution to it ever before. 

Short description of the situation - We have a successful vulnerability exploitation event. We know for sure, that it was exploited and data was stolen. Now we need to investigate logs from impacted endpoint for at least last 30 days (ideally deeper) to understand history of an attack and see if any literal movement was made. Also for historical purposes we need to save those logs and make sure they would be deleted. 

Problem: To find all logs related to machine is easy task - just to use "All actions" query in query builder. But Cortex's console Query builder has a limitation of 10.000 entries to display at a time (obviously in this situation we have much more logs then 10.000). And when you export those logs to a file it doesn't export even all those 10.000 entries (I've tried it twice and have 4000-6000 exported entries).

Question: How I can export all logs related to one host from Cortex console for a given time range (at least 30 days)?

Thanks in advance for all advices!

1 REPLY 1

L4 Transporter

Hi Andrei.Barysau,

 

Cortex XDR is designed to facilitate investigations by providing a robust query language which allows you to search your logs through the platform, it is not designed to just be a log dumper.  Since you are using the GUI based search, it is limited to 10,000 results, however, if you write your own XQL queries you can return up to 1,000,000 results.  That being said, this is still not designed for "log dumping" and exporting this many results may or may not be successful.  You should conduct your investigation within Cortex XDR and look at specific presets or stories to look for the actions you are interested in finding.

 

As an aside, your license comes with 30-days of raw log storage, if you want to purchase additional hot or cold storage, you can do so in one month increments.  Please contact your account team for additional details and pricing.

  • 1457 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!