This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4322 Views
  • 0 replies
  • 3 Likes

Warning on malware profile being set to report only

Is anyone else seeing warning being generated on malware profiles and and their associated policies please? For a couple of weeks, all of our Windows policies have been in a warning state. Investigating this we found that the malware profile was generating the warning due to PowerShell and VBScript detections being disabled. This includes the ...

Resolved! CIE Data Sync Alert Across Customers – XDR Console

Hi Team, We are experiencing the same issue across all customers on the date 10-07-2025. In the XDR Management Console, we are seeing a notification stating that the CIE data is not synced. However, we have verified the following: The Palo Alto Hub sync status shows success with no errors. The "Last Change Detected" timestamp is up to date. ...

Resolved! Parsing and Mapping 3rd party log source logs

Hi, We’re in the process of ingesting logs from multiple third-party systems into Cortex XDR, but the current documentation on user-defined parsing rules and dataset mapping isn’t clear enough. Is it possible to get a detailed step-by step plan on how to properly: Define and register a new dataset (dell_powerprotect_data_manager). Write and a...

PARSING RULE.png

Cortex scan report

Hello all, I am a new user of Cortex XDR and I noticed that upon scanning a host, the malicious files identified by the scan are so difficult to find. I was expecting a proper scan report, where I can actually see the name and path of the identified malicious files (not to mention some more enrichment, such as a file SHA or proper verdict). Fo...

XQL Query Assets XSOAR

Hi everyone,I need your help.I'm trying to create a CMDB using a playbook in Cortex XSOAR , pulling data from the Cortex XDR tab Asset Inventory (XDR-managed devices as well as others collected via mappers and IoT firewalls).My idea is collect all asset information using XQL, but I haven't been able to identify which dataset contains this infor...

tlmarques by L4 Transporter
  • 1146 Views
  • 3 replies
  • 0 Likes

Resolved! Get Data Per Week within a Month

Hello, I would like to ask how to retrieve dat per-week within a month. My current query is like: config timeframe = 30d| dataset = incidents | bin creation_time span = 7d ..... but i don't think its working properly, could you please help me to fix or improve it 🙂 Thank You....

G.Anshar by L1 Bithead
  • 759 Views
  • 1 replies
  • 0 Likes

Resolved! GlobalProtect App Log Collection - Determining Disconnected Agents

Is there a way to automate the sending of GlobalProtect app logs to SLS? Based on the following I have only found ways to enable the end user to manually send logs to SLS: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-app-log-collection-for-troubleshooting/set-up-globalprotect-connectivity-to-cortex-d...

nohash4u by L3 Networker
  • 1571 Views
  • 3 replies
  • 0 Likes

Detect user who moved a folder using XDR and XQL

Hi everyone, I need help identifying which user moved a specific folder from a network share to another location. The only information I currently have is: The old folder path (e.g., \\server\share\oldfolder) The new folder path (e.g., \\server\users\john\newfolder) Access to Cortex XDR endpoint data only — no file server logs or QRadar correla...

tlmarques by L4 Transporter
  • 747 Views
  • 1 replies
  • 0 Likes

Cortex XDR "The target location already contains a file named" problem

Hi, I have a problem after installing the XDR Cortex agent. Windows 10,11. When trying to copy any file to the network share (Synology), which was created on the workstation after the agent installation, I receive the message "The destination already has a file..." For some reason, the system sees a file with the same name in the folder with a ...

Full disk access requirement on macos agent

Hi team A couple of questions here: 1) Is full disk access required for agents running on macOS Sonoma and Sequoia? 2) What is the meaning of "Requires full disk access: False" in the "cytool status" output? (screenshot attached)The endpoint we ran this command on showed as "Fully protected" through the console. It is running 8.7.1.2855 on...

tmeksik by L2 Linker
  • 1793 Views
  • 2 replies
  • 0 Likes
  • 2587 Posts
  • 95 Subscriptions
Top Solution Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks