This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4361 Views
  • 0 replies
  • 3 Likes

Alert when a XLL was created/read/deleted

Hello dear community, what is the best way to setup a query for bioc to get an alert. Maybe correlation rule is a better place for my project? It should alert, when a XLL File was written or read or deleted. Should I setup a specific file location in my query or is this not neccasary and I can take any file location? I ask because of the resso...

RFeyertag by L4 Transporter
  • 1643 Views
  • 1 replies
  • 0 Likes

Resolved! XQL - New attacks through ZIPs and ISOs

Hello dear Community, has someone of you a ready to implement XQL Query for downloading zip/rar/iso file containing a iso? The source can be outlook, etc. I found a sigma rule based on: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_iso_file_mount.yml I would be appreciate for some examples. BR Rob

RFeyertag by L4 Transporter
  • 5699 Views
  • 6 replies
  • 0 Likes

Automatic status assigning of Incidents

Hello, The Resolved- False Positive incidents are automatically getting assigned to Under Investigation even though there are no updates or alerts regarding the incident. The above keeps on repeating every day. Any idea why this is happening and how do we avoid it? Thanks

Aiman_Fathima_0-1659698513781.png

DTRH: Scripting Anything and Reaping Data

DTRH: Scripting Anything and Reaping Data Overview Customers are always asking for additional capabilities in the product and often times these feature request may come during a POC where having that capability can be the deciding factor in winning the deal. The feature request to delivered into the product can be a long cycle, often time you ...

JEbrahimi_0-1622052573092.png
JEbrahimi_1-1622052573097.png
JEbrahimi_2-1622052573099.png
JEbrahimi_3-1622052573100.png

Resolved! Alert from which source/rule?

Hello! We have some alerts which show us a large upload. My problem is now, I saw other clients uploading a ton of bytes, but this Alert wasn't fired. I also cannot find any Rule for this. Where is it comming from? BR Rob

RFeyertag_0-1659634616953.png
RFeyertag by L4 Transporter
  • 3774 Views
  • 3 replies
  • 0 Likes

Resolved! Cortex XDR block explorer.exe, network interfaces and other programs - PC (Windows) isn't usable

Dear Live Community Members, I have an issue and I'm struggling to find the reason behind it and need your help. To give you some background on the problem at hand, my customer installed the Cortex XDR agent, and it works fine on some machines but on others when the installation process finished the problem occurred immediately and the PC is...

Resolved! XQL query with multiple values

Hello Community, I'm been using the platform for a couple months and recently I'm getting interested in XQL query. My question is how to I simplify the search string if i have multiple values that I need to insert?With the example below, i'm looking to simply the filter section to filter action_device_usb_vendor_name "vendor_A, vendor_B, vendo...

XDR_DATA logs ingestion to splunk

I am thinking of a way to bring in xdr_data dataset logs which we see in xdr query builder to splunk. As of now i am ingesting the alert and incident data from cortex xdr into splunk. Can anyone suggest, how i can achieve this?

Cortex XDR Query Builder

Hello Community,Was wondering whether someone could assit me with an issue.So at the moment i cannot make any search via the "Query Builder".When i move to query center and create a custom query i can only return results when i search "dataset = pan_ngfw"when i enter a search for network story i get results but with barely any information (below...

willh1_0-1659109209207.png
willh1 by L0 Member
  • 2424 Views
  • 1 replies
  • 0 Likes

Resolved! Event_Sub_Type Failed to run

When running this XQL query if I add event_sub_type to the filter it fails to run I can run the query without any filters, and then add the event_sub_type column without issues dataset = xdr_data| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE or event_sub_type = enum.FILE_OPEN )| f...

NathanBradley_0-1659458727567.png

Upgrade agents locally

Hello, Is there any option available to upgrade agent from local agent console? (Eg: If local IT team can upgrade agent from endpoint directly) Thanks

NivedaR by L2 Linker
  • 3480 Views
  • 5 replies
  • 0 Likes

Windows defender and calc abuse for dll sideloading

Hello dear community, Has anyone build a xql query for this case: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ Should this help? https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-hunting-renamed-lolbins-process-execution/m-p/488807#M201...

Cyber1985 by L3 Networker
  • 2407 Views
  • 1 replies
  • 0 Likes

Resolved! Can't register Broker VM

I downloaded and setup the Broker VM Virtual machine in Hyper V on a server 2016 computer, I log into the IP address, go through the setup steps, test my connection to the time server, then click register and paste the token from the page I got the VM download from and a few seconds later I get an error message. Any advice would be appreciated. ...

brokerVMerror.jpg

Resolved! XQL "call" functions from scripts library

Hi Peeps, So XQL has this call function to fetch results from a saved query in the query library. Lets take this for example: call "All appdata executions for the past 30 days" Now, the problem is that my saved query is waiting for a parameter "$hostname". Anyone have any ideas how to pass that parameter through XQL? Or probably point me...

  • 2601 Posts
  • 98 Subscriptions
Top Solution Authors
View All
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks