Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Discussions

Sorted by:

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Security Test / poor result

Hello dear Community!

Does this result reflect the strenght of PA Cortex XDR?

https://papers.vx-underground.org/papers/Malware%20Defense/AV%20Tech/An%20Empirical%20Assessment%20of%20Endpoint%20Security%20Systems%20Against%20Advanced%20Persistent%2

...

Correlation Rule for services

Is it possible to create a correlation rule to identify when new services are present on an endpoint

For example,

Create a correlation rule ,using a query that returns all services on an endpoint, that creates a new data set of the results..say there a

...

Resolved! Move newly installed agents(hosts) to a specific endpoint group automatically without admin intervention

Hi All,

We are trying to move around 2000+ hosts to cortex XDR. We have started installing agents in a phase-wise approach not all at once.

Also, have created a specific endpoint group with customized prevention policies.

Now the problem is that the a

...

Resolved! Specific Cortex XDR Alert

Hello PA community ,

Please could you clarify a doubt ?

In Cortex XDR is there any way to alert if the endpoint is disconnected?

From my knowledge . i can confirm that we can retrieve disconnected agent by creating a filter from endpoint administrati

...

Cortex XDR with Citrix App Layering and MCS

We're in the process of installing a new setup with Citrix App Layering (Full User layers) and MCS. I've followed the suggestions here on non-persistent installation (VDI_ENABLED=1); even though our setup technically is sort of persistent (because of

...

Endpoint Connection Lost

Hi all,

Some of our endpoints in our Cortex XDR Console shows a "Connection Lost" Status but the endpoint is still active.

The cytray shows disabled and no connection. We also checked the control panel and upon checking, The installed Cortex XDR Agen

...

Resolved! XQL query Host Inventory numerical values Services

When running xql queries against host inventory i have 2 questions

Is there documentation that states what each field means in the array

The example below " start mode" and "state" are numerical

It appears start mode3= "Service Manual Start" but i nee

...

Resolved! How to query XDR for all incidents that relate to a device group

The Get Incidents API allows you to filter based on an incident_id_list, but not a list of endpoint_ids much less endpoint group. The Get Alerts API allows you to filter on an alert_id_list, but not a list of endpoint_ids much less endpoint group.

...

Resolved! Cortex XDR - Endpoint/Incident API Limit (100) - PowerBI Query

I am attempting to pull in endpoint/incident data using the appropriate API in PowerBI. However, there's a limit of 100 . I tried adding a separate custom column anticipated that my total number of incidents would be let's say "x" value, but that jus

...

Cortex XDR disk encryption

Hello,

I can't turn off disk encryption. I disabled the disk encryption policy for an endpoint, then the encryption status returned as not configured. But I can still see bitlocker on the endpoint is ON. How can I turn off bitlocker on endoint not ma

...

Citrix PVS servers consuming multiple Cortex XDR licenses

Hi all,

We're having an issue where Citrix PVS servers running Cortex XDR consume a new XDR license every time they reboot. I don't fully know how PVS works, but essentially from what I can gather is upon booting up, it pulls a copy of an image from

...

Does Pathfinder require an agent to be installed on the endpoint?

No, Pathfinder uses an agentless endpoint analysis service, running its own code on suspicious endpoints to collect information about running processes on the endpoint and determine if the processes are malware or greyware.

Cloudflare logs to Cortex Data Lake

Is it possible to send logs from Cloudflare to Cortex Data Lake? If possible how can i send? Anyone tried something like this before?

Thanks!

How to get the list of alerts/incidents for a particular list of hosts?

Hi,

I need to know how can we get alerts for particular hosts/ a specific group ( Ex: 1000 agents ) in the Cortex XDR console -> Incident Response -> Incidents -> Alerts table. I have tried from filter option but it doesn't work. We can't add all the

...

CIDR Lookup or Join for IP Enrichment

I would like to use some custom datasets to enrich some of our XQL searches. It could be our subnets from our IPAM or in this example the ASN information. I have used lookups and joins in the past to accomplish this in others tools and would like t

...

User

Count

User

Likes Count

2 Likes

1 Likes

Cortex XDR Discussions

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

Security Test / poor result

Correlation Rule for services

Resolved! Move newly installed agents(hosts) to a specific endpoint group automatically without admin intervention

Resolved! Specific Cortex XDR Alert

Cortex XDR with Citrix App Layering and MCS

Endpoint Connection Lost

Resolved! XQL query Host Inventory numerical values Services

Resolved! How to query XDR for all incidents that relate to a device group

Resolved! Cortex XDR - Endpoint/Incident API Limit (100) - PowerBI Query

Cortex XDR disk encryption

Citrix PVS servers consuming multiple Cortex XDR licenses

Does Pathfinder require an agent to be installed on the endpoint?

Cloudflare logs to Cortex Data Lake

How to get the list of alerts/incidents for a particular list of hosts?

CIDR Lookup or Join for IP Enrichment

Rare Login Query Not Working

Help with fine tuning a query using $arguments and enclosing them in "quotes"

Details regarding %PROGRAMDATA%\Cyvera\ folders

How to check powershell version at cortex XDR

Cortex VM Broker SNMP monitoring

[Cortex XDR] Are there any How-To video recordered about Windows Event Collector applet for the broker VM?

Re: Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

Re: Cortex XDR Get Incident API function 'hosts':None

Re: Rare Login Query Not Working

Re: Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

Unlock your full community experience!

Cortex XDR Discussions

Rules and Best Practices

Resolved! Move newly installed agents(hosts) to a specific endpoint group automatically without admin intervention

Resolved! Specific Cortex XDR Alert

Resolved! XQL query Host Inventory numerical values Services

Resolved! How to query XDR for all incidents that relate to a device group

Resolved! Cortex XDR - Endpoint/Incident API Limit (100) - PowerBI Query