Repeated False Incidents with Unknown Verdicts

Hi everyone,

I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious,

This particular one shows:

• WF (WildFire) Verdict: Unknown

• VT (VirusTotal): 0/64 detections

Every week, I keep seeing similar in

Notifications Cortex XDR Pro / missing in the settings

Hello dear community, 

is there a way you can send this notifactions through mail? I can't find anything in the management or agent logs. 

BR

Rob

Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Hi Everyone, 

I’ve seen a lot of questions lately about the usage of constant ENUMs in Cortex XDR/XSIAM, especially after Unit42 released some IOC detection queries. These queries often contain clauses like:

Cortex XDR API requests

Hi everyone,

There is an problem im facing with. The problem is -- Some of API requests are not shown in "Management Audit Logs". There is another API's which ones can be shown in "Management Audit Logs". Is there other option for this case? To col

Wildfire API for scanning before upload

Hi,

I want to scan files before they get processed or uploaded to a linux server, if the file is malicious it is blocked from being uploaded, if clean then it gets uploaded and processed.

Cortex XDR Prevent has on-write feature for windows only. I

Cortex XDR Device Control Violation Query

Hi Team,

How can I check device control violations using an XQL query? I have tried the query preset = device_controlbut I am only seeing details for USB device violations. I am expecting to see Bluetooth violations as well. Is this possible? If yes,

Questions about IOC/BIOC Suppression rules

We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general). 

I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I see 52 Sys

XQL Query - look for any local administrator account on endpoint

Hi,

I would like to create Cortex XQL query that can let me to have a list of local administrator account on endpoint (Windows)., it is possible? 

Thank you. 

How to remove Old versions of Cortex Agent

Hello everyone,

We're facing issues upgrading older versions of the Cortex agent on Windows endpoints — particularly versions 7.x and in some cases 8.x. These agents fail to upgrade both automatically and manually.

Requesting a cleaner for each min

Adding an Error condition to a failed playbook run question

Hi All,

so I have some playbooks that when triggered, sends my incident/alert json payloads to an external webhook every time a new incident is triggered.

I have defined an error condition task that sends an email to an email addr when this fails (we

Port scan alert

Hi everyone,

There is some situation in our case.

For example there is 2 windows host. Host1 and Host2. Host1 have XDR. But Host2 not. If Host2 executes port scan action (it doesn't matter which tool is using -- nmap, zenmap and etc) to Host1 in

Possible to View the XQL Query of Widgets?

Hi All,

So XSIAM has a bunch of built in widgets and I want to amend some of these.. is there a way to determine the Query used within so that i can use this to adapt to my custom query?

thanks in adv