Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4453 Views
  • 0 replies
  • 3 Likes

Cortex XDR greatly affects C++ build performance

I have a C++ project that I build using Visual Studio 2022. When I build it on a PC with Cortex XDR installed, the build takes more than 3 hours. It looks as if Cortex XDR is analyzing every .obj file generated during the build process. Without Cortex XDR, the same build takes slightly less than 1 hour. The Cortex XDR application and its configu...

How to Query WildFire Malware Prevention Events Not Generated as Issues

Hello We are currently operating approximately 4,800 agents. During the initial deployment, a large number of false positives were generated by WildFire Malware events, so we applied an exception to prevent these events from being generated as Issues. However, we have recently received user reports of cases suspected to be blocked by this policy...

.522643 by L1 Bithead
  • 103 Views
  • 1 replies
  • 0 Likes

I just received this alert "Script Activity - 245655498" with this description "Suspicious script with keywords written in a non-standard way." in Cor

I just received this alert "Powershell Activity - 2390140751 " with this description "Suspicious script with keywords written in a non-standard way." in Cortex multiple times related to PowerShell script execution on a developer machine. The executed scripts were different and I don't know why Cortex is blocking such executions. There is also no...

Resolved! Case resolution center - no recommendations

Hello. I have never seen any recommendations in the resolution center when reviewing cases. Respective playbooks are configured and enabled; however, there's nothing. Our Palo SME stated it might be an XSIAM thing and not and XDR Pro thing, but I feel like something should be there. Anyone have any insight to this or tips? Thank you.

no incidents generated since May 20?

Our Cortex XDR instance stopped generating incidents when detecting malware and other threats. (Somewhat similar to "Cortex XDR - Blocked Hashes on newer systems do not show in Incidents" - except in our case, this is across the board on all devices, for all threats and behaviors.) (If we initiate a malware scan on the affected device, an incide...

Resolved! Orphaned Cortex XDR Agent enforcing USB read-only on personal laptop

Hello, I have a personal Windows 11 Pro laptop with Cortex XDR Agent 9.2.0 installed. The agent is no longer connected to any management server and the GUI shows: Connection: No connection to server However, Device Control is still active. Every time I connect my Samsung T7 Shield external SSD, I receive the notification: "Cortex XDR | Device Co...

XQL to get details of endpoint connection time

Hello Team, I need to create a report in Cortex XDR to identify endpoint connection activity within a specific time window. The requirement is not to know when the endpoint was first registered in Cortex, so `first_seen` does not apply here. What I need is to identify: 1. Endpoints that changed from DISCONNECTED to CONNECTED during the selected ...

Resolved! Cortex XDR Tenant Auto-Upgrade 3.17 → 5.0: UI mixed theme, AI pages stuck loading, Marketplace/Playbook Catalog empty + ingestion quota warning

I tried to open a Support case, but none of the available issue categories allowed me to create a case and I was redirected to Live Community for assistance. I’m posting here to get guidance on the likely root cause and recommended next steps. After an automated upgrade from 3.x to 5.0, multiple UI and feature issues appeared. Pages look like ...

XDR Agent Quota Exceeded

Hello, We receive numerous alerts of "XDR agent quota exceeded on ****" I understand this means that the default storage is being exceeded but what exactly does that entail? 1. Are the old logs not being overwritten in time causing the alert to set off since the space has been exceeded? is it actually going over the default space or is ther...

Resolved! Not seeing Cortex MCP Server Download

Hi all the Cortex MCP Server download under Settings → Configurations shows on commercial tenants but is missing entirely on our FedRAMP / Federal tenant (not a permissions issue). Is it on the roadmap for Federal environments, and is there an expected timeline for rollout? Thanks!

Resolved! Cortex XDR agent protection after 90 days of inactive

Hello Everyone. I need your opinion to this topic. What will happen to the agent protection for the endpoint after 3 months of inactive. Correct me if im wrong. Cortex XDR agent will delete permanently from management console and database after default deletion which is 90 days. if i enable all the module in day 1 for an endpoint, then af...

Resolved! Cortex XDR and Microsoft Defender Coexistence and Performance

Hello Cortex XDR Community,We recently were asked to have official guidance regarding the coexistence of Cortex XDR Agent and Microsoft Defender on Windows endpoints. My questions to the community and experts is: - Is the coexistence of Cortex XDR and Microsoft Defender Antivirus officially supported? - Is the coexistence of Cortex XDR and Micr...

DLP (DataPatrol) signed DLL injection into Word blocked by agent — permanent exception?

Our DLP watermarks documents by injecting a signed DLL into WINWORD.EXE on print. The Cortex agent blocks the injection — page prints with no watermark, DLL never loads. Works fine with the agent removed. Persists in Report mode, generates no alert/prevention event. Tried a Disable Prevention rule (signer + thumbprint, all modules, global) — no ...

Resolved! Protection Mode for Linux Modules

When configuring Reverse Shell Protection and Malicious Child Process Protection there's an option to configure the protection mode. Default is "normal" but we could choose "aggressive" too. There's no documentation. Does anyone know the difference of protection modes for these Linux modules? Is it the same as in the ransomware protection modu...

micomi_0-1782802979178.png
micomi by L3 Networker
  • 219 Views
  • 1 replies
  • 0 Likes
  • 2630 Posts
  • 98 Subscriptions
Top Liked Authors