<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic no incidents generated since May 20? in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/no-incidents-generated-since-may-20/m-p/1257958#M9410</link>
    <description>&lt;P&gt;Our Cortex XDR instance stopped generating incidents when detecting malware and other threats. (Somewhat similar to "&lt;A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/td-p/1226955" target="_blank" rel="noopener"&gt;Cortex XDR - Blocked Hashes on newer systems do not show in Incidents&lt;/A&gt;" - except in our case, this is across the board on all devices, for all threats and behaviors.)&lt;/P&gt;
&lt;P&gt;(If we initiate a malware scan on the affected device, an incident is generated 🟢 for the same file that was previously blocked by Cortex with no incident. I.e. this tells us the incident creation system is not broken - rather, the usual mechanism of creating incident upon detection or blocking is not working for some reason.)&lt;/P&gt;
&lt;P&gt;The first assumption is that something has changed on our side - i.e. we accidentally created a policy (or deleted or disabled an existing policy) - which killed the incident generation mechanism.&lt;/P&gt;
&lt;P&gt;The 2nd - that something has changed on the back end w/o our involvement resulting in the above change of behavior.&lt;/P&gt;
&lt;P&gt;This seems to have occurred sometime in May 2026.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The last auto-generated incident was on May 20 with no such incidents since.&lt;/LI&gt;
&lt;LI&gt;Usually we get at least a few incidents a week - so this is unusual.&lt;/LI&gt;
&lt;LI&gt;Several users reported blocking by Cortex XDR in late May and early June - but no incidents.&lt;/LI&gt;
&lt;LI&gt;No known changes that could have resulted in this change of behavior on our side. (That said, can't rule out an accidental change.)&lt;/LI&gt;
&lt;LI&gt;Initiating a malware scan on the machine on which malware was detected or blocked - resulted in incidents generated for the same files that were blocked.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In either case - where do we go to try to figure out what happened, when, and how to fix it? (Please be gentle and patient - Cortex XDR is just a small part of things on my plate, and I will likely not understand something like "go fix your BIOCs".)&lt;/P&gt;
&lt;P&gt;Thank you!&lt;/P&gt;</description>
    <pubDate>Thu, 02 Jul 2026 16:11:09 GMT</pubDate>
    <dc:creator>Alex.Gerulaitis</dc:creator>
    <dc:date>2026-07-02T16:11:09Z</dc:date>
    <item>
      <title>no incidents generated since May 20?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/no-incidents-generated-since-may-20/m-p/1257958#M9410</link>
      <description>&lt;P&gt;Our Cortex XDR instance stopped generating incidents when detecting malware and other threats. (Somewhat similar to "&lt;A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/td-p/1226955" target="_blank" rel="noopener"&gt;Cortex XDR - Blocked Hashes on newer systems do not show in Incidents&lt;/A&gt;" - except in our case, this is across the board on all devices, for all threats and behaviors.)&lt;/P&gt;
&lt;P&gt;(If we initiate a malware scan on the affected device, an incident is generated 🟢 for the same file that was previously blocked by Cortex with no incident. I.e. this tells us the incident creation system is not broken - rather, the usual mechanism of creating incident upon detection or blocking is not working for some reason.)&lt;/P&gt;
&lt;P&gt;The first assumption is that something has changed on our side - i.e. we accidentally created a policy (or deleted or disabled an existing policy) - which killed the incident generation mechanism.&lt;/P&gt;
&lt;P&gt;The 2nd - that something has changed on the back end w/o our involvement resulting in the above change of behavior.&lt;/P&gt;
&lt;P&gt;This seems to have occurred sometime in May 2026.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The last auto-generated incident was on May 20 with no such incidents since.&lt;/LI&gt;
&lt;LI&gt;Usually we get at least a few incidents a week - so this is unusual.&lt;/LI&gt;
&lt;LI&gt;Several users reported blocking by Cortex XDR in late May and early June - but no incidents.&lt;/LI&gt;
&lt;LI&gt;No known changes that could have resulted in this change of behavior on our side. (That said, can't rule out an accidental change.)&lt;/LI&gt;
&lt;LI&gt;Initiating a malware scan on the machine on which malware was detected or blocked - resulted in incidents generated for the same files that were blocked.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In either case - where do we go to try to figure out what happened, when, and how to fix it? (Please be gentle and patient - Cortex XDR is just a small part of things on my plate, and I will likely not understand something like "go fix your BIOCs".)&lt;/P&gt;
&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2026 16:11:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/no-incidents-generated-since-may-20/m-p/1257958#M9410</guid>
      <dc:creator>Alex.Gerulaitis</dc:creator>
      <dc:date>2026-07-02T16:11:09Z</dc:date>
    </item>
  </channel>
</rss>