Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Discussions

Sorted by:

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Resolved! Web applications

Is XDR capable to protect web applications and how

File retrieval in user context

Hello,

Is it possible to retrieve a file which is only accessible in user's context? I have an incident which user opened a file from a network mapped drive. That drive might not be accessible by anyone except for the user.

Which user context is us

...

Resolved! XQL - Time alteration

Hello,

Here is the scenario:

I have a table lookup looking for a specific event.

dataset = xdr_data

| filter event_type = SOME EVENT

| alter TimeOfIntereset = _time

Now I want to join this again with the dataset table to enrich it and perform furthe

...

XDR Collector DNS

Does anyone know if there is a native DNS collector, similar to the DHCP Collector Agent, for Cortex XDR ? My goal is to enrich XDR with more DNS-related information.

Mac Cortex XDR Upgrade causing Device Freezing

Hello,

My organisation is currently running Cortex XDR 8.6.0 on Sequoia. We're finding that when performing upgrades of the application via the Console or by Jamf that the who device will freeze for 15+ seconds.

We're in an environment where we'r

...

Resolved! XQL query for incident report

I like to get a hint how i can build simple xql query for overtime timeframe for incidents. I need to filter that data, but that kind report that i can show example monthly base report for customer. where there are data for each day

Why there are no related alerts on scanned malicious files.

Hi, we have recently malware scanned an endpoint and upon checking the results, it appears that there were 3 malicious files on the host.

Now, I tried to right click and view related alerts on the 3 malicious files and it just shows nothing. What's

...

2023-06-10 15_39_58-Action Center - Cortex XDR.png

Discrepancy Between Connected Endpoints and License Usage in Cortex XDR

Hi Team,

We have observed that the Cortex XDR management console shows a total of 385 connected and disconnected endpoints. However, the Cortex XDR license usage is showing 348. How is this possible? Please explain.

Zulu Time and Convert

so my goals is to convert a jsonextract of a few time stamps:
I want to combine them and make a total hours. so start time and expiration time = how many hours total. I cant seem to get the time formatting from a string or I am doing something wrong

...

Resolved! Best way to detect endpoints that do not yet have Cortex XDR Agent installed

Hey guys,

I am curious about if there is a way to find out which Endpoints in certain environment do not yet have XDR Agent installed.

I still two options, but had no practical experience in testing it:

1. Directory Sync with Cortex XDR. Would it dete

...

Creating a stacked bar chart using XQL

I am creating a stacked bar chart that shows the number of alerts per data source per day.
Is it possible to display the data source in the displayed graph?

The stacked bar I created shows the time.
※Whatever I select for the X-axis will be displayed

...

XQL query for vulnerability

Hi. i need to do monthly report for vulnerabilities. So how to create like a trend report for 30 days

here is just example for get count, but how to do trend report?

dataset = va_cves
| filter severity >Medium
| filter affected_hosts_count >1
| fields

...

Resolved! Study guide for PSE Professional - Cortex (XDR)

Does anyone have any kind of "study guide" or something similar that might be helpful to study for the exam?

how to uninstall a package using rescue mode in Debian

my debian server crushed, wa are unable to acces the server(VM on OVH baremetal) using ssh(hard disc), we can usig rescue mode using the root user. after investigation we found that, it is a network problem due to Cortex, now my question is is there

...

Resolved! Initiate Script on Endpoint via API call

Hi Everyone,

I've been running Powershell scripts on my endpoints from Action Center > Run Endpoint Script > Execute Commands in the XDR interface. It works well, however I need to specify a manual query to target the endpoints I want each time i.e

...