Cortex blocking hashes in allowed list
Hello,
Just wondering why Cortex sometimes blocks hashes that are already part of the allow list?
Hi all,
I have a question regarding a certain alert: Multiple user accounts deleted
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/multiple-user-accounts-were-deleted
1) Is
...
Hey dear Cortex XDR Admins and Users,
When a KB was not installed in March and replaced with another KB from April, like here:
https://administrator.de/forum/windows-server-2012-r2-windows-updates-2627286719.html
Is the best way to exclude the CVE in
...
Hello dear Cortex XDR Community,
Today I tested some incident creations. In summary I can say that, from about 10 executions, 3 incidents were created under severity high.
Under severity critical, none.
This is my BIOC:
No of alerts
Executions when I execu
...
Reason for Query:
LOLBINs are used quite extensively in attacks; in some cases LOLBINs are renamed and then used to bypass behavior-based detection rules. Hence, the query is built to hunt for renamed process execution, e.g. cmd.exe renamed to xyz.exe a
...
Is it possible to arrayexpand the action_evtlog_data_fields?
The below fails to run:
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| arrayexpand action_evtlog_data_fields
| alter Username=json_extract(action_evtlog_data_fields, "$.Targe
Hi all, I have a problem with the agent: I have one agent that is not communicating with the XDR server after installation. The host in question had its agent uninstalled via the XDR server, and then re-installed by the IT team. However, now the hos
...
Hello,
My question is: what are the capabilities of Cortex XDR without endpoint agents and just with PAN-OS firewall integration? As the Palo Alto firewall can forward its logs to the XDR for extra checks, what are the features that XDR can provide
...
Wanted to share a useful XQL query we have set up as a correlation rule in case anyone else finds it beneficial. This query requires that you have PAN-OS firewall URL logs available within XDR datasets, for example being sent to Cortex Data Lake. The
...
Can we use a script or command line to install Cortex XDR agent for Mac? Please advise.
Hello, we are using Cortex in a Citrix PVS environment.
We installed the agent with the VDI flag on the master vDisk. When we try to generate a scan on the new version of the vDisk, it always gets stuck on this file:
\\?\GLOBALROOT\Device\HardiskVolume3\S
...
Hi Community!
Can anyone tell me when PAN will support the Cortex XDR Agent on Microsoft Azure Stack HCI OS,
which is based on Windows Server 2019/2022?
https://azure.microsoft.com/en-us/products/azure-stack/hci/#overview
The OS has been out for 1.5 years now and no
...
I would like to determine how to view the identity of the user who resolved an incident in Cortex XDR. Presently the only artifact available is a "Resolved Timestamp". This, however, tells you WHEN an incident was resolved, not WHO resolved it.
Is there
...
Hi all,
Can you please guide me on how to activate a Cortex XDR tenant account?
Thanks in advance!
Really appreciate the help.