Security Operations

Automatic endpoint isolation after an unauthorized attempt to delete an agent.

Hi. Maybe someone know, if there is such an opportunity to create a rule that will automatically isolate the hosts on which attempts have been made to remove the agent in a non-traditional way?

How can i trigger playbook once Indicator has beed added?

Hi,

I need to setup an automatic playbook trigger, when an indicator has added which his type is IP, a specific playbook should run?

Where is the XSAOR 8 CLI Reference?

In the XSOAR 8.x documentation there are examples of CLI commands, including Integration commands, system commands, and information about how to escape specific characters.

However, try as I might, I can't seem to find an authoritative XSOAR CLI refer

RedHat 8/9 XDR client count limited

As I have added clients to my XDR Linux group I have seen a situation where I hit a limit on client count (under 20 BTW). After I have them all added there will be 2 or 3 missing. If I restart the process on a missing client, that one immediately app

[Cortex XDR] Are there any How-To video recordered about Windows Event Collector applet for the broker VM?

Dear, 

Following the acquisition of the Pro license for GB to collect Windows logs from domain controllers, I saw documentation regarding the configuration of the Windows Event Collector applet from the Broker VM.

However, I was wondering if there

Cortex Broker Mapper scans

We’re experiencing an issue with Cortex brokers related to the network mapper.
When we run network scans using the "ICMP Echo" flag, the scan completes successfully and everything works as expected.

However, when performing a "TCP SYN" scan on the foll

xsoar 8.9 on-prem - scheduled activities stop working

After upgraded from xsoar 8.8 to 8.9 , all content pack that have schduled activities stop triggering.

e.g json sample generator, taxii2 feed integration etc. 

can advice? 

thanks

Linking Issues to Cases with Command

Hello Livecomm, 

I am trying to link an issue to a case using CLI/automation or similar. Right-clicking on an issue allows me to assign it to a case, but I have not found an option to do this programmatically. I have tried using the link incident and

XDR Analytics Data source

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailb

Closing an XSOAR 6 incident via API

How do we close a single incident via API? I have seen batch closing API. I'm not trying to close incidents in batch.

Adding a Timestamp/Date to Custom Report Subject

Hola Livecomm,

I have a very trivial question; I want to define a custom subject for my reports to include the date or timestamp of when it runs. I have researched this extensively and have found the Server Configuration Key for this but it does not

API for Update incident in XSOAR 6

Can anyone share the API for updating an incident in XSOAR 6? 

Broker-VM disconnet alert notification

Hi All,

anyi dea how i can generate an alert when a broker-vm gets disconnected?

Has anyone managed to create a correlation rule that will alert if a Broker-VM gets disconnected from XSIAM?

the xsiam documentation states that 'To help you monito