https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342227#M230 <P>thanks so much&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/47142">@dfalcon</a>&nbsp;I did indeed create a request within the Support team and currently its been escalated to Engineering.<BR />For those that might have / want a reference of this, its PAN Support Case 01544546. &nbsp;I will share here updates if applicable.</P> Wed, 05 Aug 2020 14:46:53 GMT KRisselada 2020-08-05T14:46:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/341628#M225 <P>Hello, beginning on or about 20 July, began to see MANY more Incidents created in Cortex XDR that looked similar to this:<BR /><BR /><EM><STRONG>Incident Description: 'Threat ID #' generated by PAN NGFW detected on host &lt;hostName&gt; involving xyz\UserName</STRONG></EM></P><P>(note, there is NOTHING after the "#" sign)</P><P>Incident Sources: PAN NGFW</P><P>&nbsp;</P><P>When looking at the Alert that caused this Cortex Incident, what you see is:<BR />Category: "URL Filtering"<BR />Alert Name: "Threat ID #"</P><P>&nbsp;</P><P>I should not that I believe BEFORE this apparent change or bug, within Cortex XDR Alerts page we would see something like this:<BR />Category: "URL Filtering (10082)"<BR />Alert Name: "Threat ID #9999"</P><P>&nbsp;</P><P><FONT face="arial black,avant garde">Are others noticing this too?</FONT><BR /><FONT face="arial black,avant garde" color="#FF0000">Is this the desired / expected behavior of Cortex XDR?</FONT><BR /><FONT face="comic sans ms,sans-serif">It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents</FONT></P><P><FONT face="arial black,avant garde" color="#FF0000">Is there knowledge and expectations its operating this way?</FONT></P><P><FONT face="arial,helvetica,sans-serif" color="#000000">See attached screenshots</FONT></P><P>&nbsp;</P> Fri, 31 Jul 2020 16:43:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/341628#M225 KRisselada 2020-07-31T16:43:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/341646#M226 <P>I should also note I find this in the Cortex XDR Pro Administrators Guide:<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KRisselada_0-1596217511434.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27105i457D2F5BE18A9140/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="KRisselada_0-1596217511434.png" alt="KRisselada_0-1596217511434.png" /></span></P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/cortex-xdr-alerts" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/cortex-xdr-alerts</A><BR /><BR />Which doesn't seem to entirely mesh with what have been seeing. &nbsp;Is the Guide correct or is the Production environment of Cortex correct?</P> Fri, 31 Jul 2020 17:46:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/341646#M226 KRisselada 2020-07-31T17:46:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342223#M229 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/136463">@KRisselada</a>-</P><P>&nbsp;</P><P>There very well may be adjustments to rules (analytics, bioc, etc) with each release.&nbsp; For the behavior you are describing, this should not be typical.&nbsp; In this instance, I recommend reaching out to support/TAC to allow our engineers to take a look.&nbsp;</P> Wed, 05 Aug 2020 14:20:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342223#M229 dfalcon 2020-08-05T14:20:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342227#M230 <P>thanks so much&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/47142">@dfalcon</a>&nbsp;I did indeed create a request within the Support team and currently its been escalated to Engineering.<BR />For those that might have / want a reference of this, its PAN Support Case 01544546. &nbsp;I will share here updates if applicable.</P> Wed, 05 Aug 2020 14:46:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342227#M230 KRisselada 2020-08-05T14:46:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342230#M231 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/136463">@KRisselada</a>-</P><P>&nbsp;</P><P>I can see that Jacqueline escalated the case to engineering.&nbsp; I will subscribe to the case as well.</P> Wed, 05 Aug 2020 15:00:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/change-in-the-way-url-filtering-alerts-are-presented-in-cortex/m-p/342230#M231 dfalcon 2020-08-05T15:00:21Z