About NathanBradley

Thanks, did that and it worked Can the other numerical values for the other event sub types be shared? ... View more

Thanks, It does get what im needing But it didnt replace the numerical value Also where did you get the numerical values for event_sub_type   ... View more

This isn't specific to Endpoints Can I supply a list to any available field that i can filter on Example below: i want to only show 13 separate applications listed. It appears that I have to type one application and then hit the little blue arrow to drop it down, then type another application hit the blue arrow...etc 13 times Can I just paste in, supply a list of the 13 applications, txt file, something so I don't have to type it in 13 times Maybe a feature request if not available   ... View more

I can currently query and get a list of services using xql Using that query im building a correlation rule to save to a new dataset   Im stuck on how to build a new rule to alert when a service has been added   config case_sensitive = false | dataset = host_inventory | filter services != null | arrayexpand services | alter Display_Name=json_extract(services, "$.display_name") | alter Path_Name=json_extract(services, "$.path_name") | alter Service_Name=json_extract(services, "$.service_name") | alter UserName=json_extract(services, "$.start_user_name") | alter Start_Mode=json_extract(services, "$.start_mode") | alter Started=json_extract(services, "$.started") | alter State=json_extract(services, "$.state") | alter Service_Type=json_extract(services, "$.service_type") | alter Accept_Pause=json_extract(services, "$.accept_pause") | alter Accept_Stop=json_extract(services, "$.accept_stop") | alter Delayed=json_extract(services, "$.delayed") | alter Desktop_Interact=json_extract(services, "$.desktop_interact") | alter state = replace(replace(replace(replace(replace(replace(replace(state, "1", "Start_Pending"),"2", "Stop_Pending"), "3", "Running"), "4", "Continue_Pending"), "5", "Pause_Pending"), "6", "Paused"), "0", "Stopped") | alter start_mode = replace(replace(replace(replace(replace(start_mode, "4", "Disabled"),"2", "Automatic"),"0", "Boot"),"1", "System,"),"3", "Manual") | fields host_name,Display_Name,Service_Name,Path_Name,UserName,Start_Mode,Started,Service_Type,state,Accept_Pause,Accept_Stop, Delayed, Desktop_Interact | sort asc Display_Name | filter (host_name contains """NameofHost""") ... View more

thanks that works for me these are the 2 lines added | alter state = replace(replace(replace(replace(replace(replace(replace(state, "1", "Start_Pending"),"2", "Stop_Pending"), "3", "Running"), "4", "Continue_Pending"), "5", "Pause_Pending"), "6", "Paused"), "0", "Stopped") | alter start_mode = replace(replace(replace(replace(replace(start_mode, "4", "Disabled"),"2", "Automatic"),"0", "Boot"),"1", "System,"),"3", "Manual") ... View more

I recently opened a ticket and worked with support again. They stated its currently working as designed, XDR looks at the NIST database for the version only This time they opened an "internal ticket to explain the issue to the backend team" and gave me the ticket ID Suggested i reach out to my sales rep to get improvement followups with the feature I assume the more customers the better ... View more

We worked with our SE and support previously, we never received an acceptable resolution\explanation.     ... View more

is there a list of windows event logs thats are collected? i was not aware powershell event logs are available in cortex ... View more