Cortex XDR Discussions

The compliance violation dashboard is empty.

Good morning, team,

I wanted to ask a technical question. We currently have five Linux hosts in our tenant, but when I log into the dashboard to see the compliance violations for these hosts, I don't see any information.

To see the compliance viola

Dashboard refresh time

Hi,

I have noticed that Cortex XDR is not refreshing dashboards on its own and it requires to press the refresh button. Is it possible to set the refresh time somewhere in the configuration settings?

How to Filter Incidents by Creation Time in XQL Within a Specific Timeframe?

I need to write an XQL query for a fortnightly report. The query I currently use is shown below, but it's incorrect for my purpose:

get_incidents filter by status question

Hi all!

I see the docs (https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents) for get_incidents lists only eq/neq operators for the field 'status' and when implementing a new filter model for this endpoint I noticed we a

Cortex XDR-Extensions Policy Rules

Hello Everyone,

He have a policy management in the extension policy rules to Block the USB in the workstation. Now we find a issue with samsung mobile, when the device is connected and mass storage is allowed it skips the policy and for some reason

Adding batch and Powershell scripts to XDR blocklist

Considering PE, PE64 and macro enabled Word and Excel documents are allowed to be entered to blocklist, does it make any sense to add a .bat or a powershell PS1 file to the XDR blocklist Cortex XDR  

Bitlocker + Intune + XDR

Good morning everybody,

I would like to ask you about the Disk Encryption Visibility tab in Cortex XDR.  When the endpoint is managed by Microsoft Intune and the Bitlocker function is managed also from there, I would like to see a proper Encryption s

High Memory Usage Due to Cortex Telemetry Backlog

I'm experiencing high memory usage issues on some endpoints, and about 99% of it appears to be caused by Cortex.

Why does this happen?
Cortex consumes telemetry in real time. However, if it fails to send the telemetry from the machine to the Cortex ga

Rule hidden_imgs

Hello Everyone,

The cortex agent is blocking a legitimite file which is hidden. What is the solution of this. The alarm is also not generated in cortex xdr.
Thanks for your help

Cortex xdr agent distributed network scan

Hi Team,

We have enabled the Cortex XDR agent's distributed network scan, and we are getting successful results in the XDR Management Console. Our question is: Which port is used by the XDR agent to identify unmanaged assets

BIOC Rule Through XQL vs Builder

Here is my BIOC Rule using XQL. 

dataset = xdr_data
| filter event_type = ENUM.FILE
| filter agent_hostname = "XXXXX"
| filter action_file_path = "D:\XX\YY\*"
| filter event_sub_type = ENUM.FILE_RENAME OR event_sub_type = ENUM.FILE_REMOVE OR event_sub_