Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-21-2024 12:18 PM
Hello, dear Community,
I need a list of Windows event IDs required for BIOC and other Cortex XDR rules to work effectively.
For example, when we performed a Kerberos user enumeration attack using Kerbrute, it was not detected initially. Cortex XDR requires event ID 4768 to be enabled to detect such an attack. After enabling this event ID and testing the attack simulation again, it was successfully detected.
I am now wondering which event IDs are crucial to enable in order to maximize detection opportunities for Cortex XDR. It would be great to get a list of these event IDs.
Thanks.
06-23-2024 11:02 PM
Hello @agsaqqal
Thanks for writing to live community.
Yes, you are right.
First the event has to be generated and present on the machine in order for XDR Agent to be able to collect it and forward to XDR cloud servers.
For more details on what data XDR collect, you may refer https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Da...
I hope that answers your question.
Please mark this as answer if you found it helpful.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
