Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP addresses or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:
Rules and Best Practices
Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4356 Views
  • 0 replies
  • 3 Likes

Analytics BIOC Rule, Identity analytics

Hi all, I have a question regarding a certain alert: Multiple user accounts deleted (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/multiple-user-accounts-were-deleted)
1) Is it normal I can't find it in the Analytics BIOC list?
2) Is it possible to view the query behind...

Cortex XDR Pro - Vulnerability Assessment Replaced KBs

Hey dear Cortex XDR Admins and Users, when a KB was not installed in March and replaced with another KB from April, like here: https://administrator.de/forum/windows-server-2012-r2-windows-updates-2627286719.html Is the best way to exclude the CVE in Cortex XDR? Can Cortex XDR rearrange this by itself? BR Rob

Cyber1985 by L3 Networker
  • 5086 Views
  • 6 replies
  • 1 Likes

Incident creation not working well at the moment

Hello dear Cortex XDR Community, I tested today some incident creations. In summary I can say, from about 10 executions, 3 incidents were created under severity high. Under severity critical none. This is my BIOC: No. of alerts / executions when I execute the BIOC manually: How can this be? I can reproduce it. There is no incident creation. What a...

Cyber1985 by L3 Networker
  • 2035 Views
  • 2 replies
  • 0 Likes

XQL - Hunting Renamed LOLBINs Process Execution

Reason for Query: LOLBINs are used quite extensively in attacks; in some cases LOLBINs are renamed and then used to bypass behavior-based detection rules. Hence, the query is built to hunt for renamed process execution, e.g. cmd.exe renamed to xyz.exe and then executed.
Short Explanation: Before we begin, we first baselined all the processes runnin...


Resolved! Expanding action_evtlog_data_fields

Is it possible to create an arrayexpand on the action_evtlog_data_fields? The below fails to run:
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| arrayexpand action_evtlog_data_fields
| alter Username = json_extract(action_evtlog_data_fields, "$.TargetUserName")
| alter IP_Address = json_extract(action_evtlog_data_fields, "$.IpAddress")
| fields IP_A...

Cortex xdr agent not checking in after install

Hi all, I have a problem with the agent - I have one agent that is not communicating with the XDR server after installation. The host in question had its agent uninstalled via the XDR server, and then re-installed by the IT team. However, now the host shows an "Uninstalled" status and there's no communication between the host and the server. Wha...

Resolved! What are the capabilities of Cortex XDR without endpoint agents and just with PANOS firewall integration like an NDR solution?

Hello, My question is what are the capabilities of Cortex XDR without endpoint agents and just with PANOS firewall integration? As the Palo Alto firewall can forward its logs to the XDR for extra checks what are the features that XDR can provide like just an NDR solution? Also without SSL decryption I am wondering if the XDR can do like ma...

Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert

Wanted to share a useful XQL query we have setup as a correlation rule in case anyone else finds it beneficial. This query requires that you have PAN-OS firewall URL logs available within XDR datasets, for example being sent to Cortex Data Lake. The query will return all hits from the firewall on a specific URL category, and then check to see if...

Scan stuck on \\?\GLOBALROOT\Device\HardiskVolume3\System Volume Information\tracking.log

Hello, we are using Cortex in a Citrix PVS environment. We installed the agent with the VDI flag on the master vDisk. When we try to generate a scan on the new version of the vDisk, it always gets stuck on this file: \\?\GLOBALROOT\Device\HardiskVolume3\System Volume Information\tracking.log We know that tracking.log is a file responsible for the NTFS ch...

fred.l by L0 Member
  • 6128 Views
  • 5 replies
  • 0 Likes

Support for Azure Stack HCI OS

Hi Community! Can anyone tell me when PAN will support the Cortex XDR Agent on Microsoft Azure Stack HCI OS, which is based on Windows Server 2019/2022? https://azure.microsoft.com/en-us/products/azure-stack/hci/#overview The OS has been out now for 1.5 years and there is no support from PAN! I did not find it on the list: https://docs.paloaltonetworks.com/compatibility-ma...

PMBTTSI by L1 Bithead
  • 5947 Views
  • 8 replies
  • 0 Likes

Determining WHO Resolved An Incident In Cortex XDR

I would like to determine how to view the identity of the user who resolved an incident in Cortex XDR. Presently the only artifact available is a "Resolved Timestamp". This, however, tells you WHEN an incident was resolved, not WHO resolved it. Is there any way to view this information - WHO resolved an incident?
