About A.Elzedy

I'm not aware of any log size's metrics for endpoints, but being familiar with the log counts per xdr agent should bring you closer to your goal   dataset = xdr_data | filter _product = "XDR agent" | comp count() as logs by agent_id , agent_hostname | sort desc logs   ... View more

Hi @paIoaItonetworks ,    I'm assuming you're using vm broker because it's landing in unknown_unknown_raw, so in order to adjust that  go to Configurations - > Data Broker -> Broker VMs and then you could assign a custom port ( if you're receiving more than one category on the same port ) , then assign a vendor and product        ... View more

Well, the key advantage of Microsoft Graph. It offers highly granular permissions. Instead of a blanket "full access," you can grant an application specific permissions like Mail.Read (read mail), Mail.ReadWrite (read and write mail), Mail.Send (send mail), and importantly, Mail.Read.Shared (read shared mailboxes) or Mail.ReadBasic.All (read basic mail for all users) and Mail.Read.All (read all mail for all users) when granted as application permissions. This means you can scope down exactly what your integration can do. ... View more

Here are some options/alternatives:   Option 1: Exchange Message Logs with XQL Queries You could be ingesting Exchange message logs into your siem and run XQL queries to search by subject across all organizational email traffic. So you can get a complete historical visibility without API permission constraints   Option 2: Alternative PowerShell Command Switch to EWS Extension Online PowerShell v3 integration with !ews-message-trace-get commands for organization-wide searches. This approach will bypass individual mailbox permission requirements.   Option 3: Microsoft Graph API Integration Switch to the O365 Outlook Mail (Using Graph API) integration with organizational scope. This is Microsoft's preferred direction for email automation workflows. ... View more

Hi @xdrengineer    Microsoft has deprecated the ApplicationImpersonation access type as of February 2025, making the traditional EWS approach increasingly problematic for organization-wide searches. Reference: EWS O365 Integration Documentation   The issue you're encountering is a fundamental access restriction in how the EWS O365 integration operates. When you execute !ews-search-mailbox query="Subject:<anything here>" , the integration can only return emails from mailboxes where the configured service account has explicit access permissions.   Simply: Your search results are limited to emails where the configured Email ID appears in the "To" or "CC" fields You cannot retrieve the complete recipient list for emails across other mailboxes in your organization The EWS integration requires specific mailbox-level permissions to access each user's emails. Even with full_access_as_app permissions and the ApplicationImpersonation role, the integration can only search mailboxes where access has been explicitly granted through Application Access Policies.   ... View more

Thank you @eluis ! ... View more

Alright, after reviewing the logs, there aren't much activities from MAC devices, there could be a policy in place that's blocking them from connecting usb disks    at the time being I have drafted a query that could help monitor usb activities/changes    dataset = xdr_data | filter event_type in (ENUM.DEVICE, ENUM.MOUNT , ENUM.FILE ) | filter action_device_usb_vendor_id != null | sort asc _time | windowcomp first_value(event_timestamp) by agent_hostname, action_device_usb_serial_number sort asc _time as plug_time | windowcomp last_value(event_timestamp) by agent_hostname, action_device_usb_serial_number sort desc _time as unplug_time | dedup agent_hostname, action_device_usb_vendor_id | alter plug_ts = to_timestamp(plug_time, "MILLIS"), unplug_ts = to_timestamp(unplug_time, "MILLIS") | alter plug_time_readable = format_timestamp("%Y-%m-%d %H:%M:%S", plug_ts, "America/New_York"), unplug_time_readable = format_timestamp("%Y-%m-%d %H:%M:%S", unplug_ts, "America/New_York") | alter session_duration_minutes = timestamp_diff(unplug_ts, plug_ts, "MINUTE") | join type = right ( dataset = xdr_data | filter event_type = ENUM.FILE | filter action_device_usb_vendor_id != null | filter actor_effective_username not in ("NT AUTHORITY\SYSTEM") | filter actor_effective_username not contains "\root" | alter op = if(event_sub_type = 1, "New file creation", event_sub_type = 2, "File access/opening", event_sub_type = 3, "File renaming", event_sub_type = 4, "File linking", event_sub_type = 5, "File deletion", event_sub_type = 6, "File modification", event_sub_type = 7, "File attribute changes", event_sub_type = 8, "Directory creation", event_sub_type = 9, "Directory access", event_sub_type = 10, "Directory renaming", event_sub_type = 11, "Directory linking", event_sub_type = 12, "Directory deletion", event_sub_type = 13, "File reparse operations", event_sub_type = 14, "File security changes", event_sub_type = 15, "File permission changes", event_sub_type = 16, "File ownership changes", to_string(event_sub_type)) | alter sanitized_path = replex(action_file_path, "[^a-zA-Z0-9_./\\-]", "") | alter file_op = to_string(concat(op, " : ", sanitized_path)) | comp count() as file_event_count, values(file_op) as file_operations, values(actor_effective_username) as usernames by agent_hostname, action_device_usb_serial_number | alter file_operations_top_100 = arrayrange(file_operations, 0, 100) | fields file_event_count , file_operations_top_100, usernames , agent_hostname , action_device_usb_serial_number ) as file_activity file_activity.agent_hostname = agent_hostname and file_activity.action_device_usb_serial_number = action_device_usb_serial_number | alter vendor_product = concat( action_device_usb_vendor_name , " ", replace(action_device_usb_product_name,"unknown"," ")) | fields agent_os_type, agent_hostname, usernames, vendor_product, plug_time_readable, unplug_time_readable, session_duration_minutes, file_event_count, file_operations_top_100 | sort asc plug_time_readable ... View more

I think you may need to expand the timeframe up to 30d if it was not set to it  also try to run this one too  dataset = xdr_data | comp count() by agent_os_type , action_device_usb_vendor_name , action_device_usb_product_name , action_device_usb_vendor_id ... View more

Hi @aspatil ,    would you be able to share a sample output of the following query, that would help understanding your env better.  dataset = xdr_data | filter event_type = ENUM.DEVICE and event_sub_type = ENUM.DEVICE_PLUG | alter deviceinfo = to_string(actor_process_device_info) | comp count() by deviceinfo   ... View more

Hi @josh_arenas,    Here you go  https://github.com/AbdallaElzedy/Cortex-XSIAM/blob/main/xdr_datamodel_docs.md  ... View more

Thank you @eluis  for your thoughtful reply and for sharing those valuable resources. I’m already familiar with the documentation you linked, and I regularly rely on them during my research and work with XQL. I hope other community members also find them as beneficial as I have. Thanks again for your support and for fostering such a collaborative environment. ... View more

Hi @S.Mulpuru ,   You can work around the 1000-device limit by automating the process using pagination. The API allows you to retrieve up to 1000 devices per request using the  pagelength  parameter. By starting with an  offset  of 0 and increasing it by 1000 with each request, you can loop through all available devices until the response returns fewer than 1000 items. Since the API also enforces a rate limit of 60 requests per minute, try to pace your requests accordingly. You can do this by adding a short delay (e.g., 1 second) between each call or by implementing a rate-limiting mechanism that automatically waits when the limit is approached. so you can ensure your script remains compliant and avoids being throttled or blocked.   ... View more