Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4436 Views
  • 0 replies
  • 3 Likes

Understanding Inline Cloud Analysis C2 Detections and False Positives in Cortex XDR

Hi everyone, I am currently investigating several Cortex XDR incidents that originate from Palo Alto Networks Firewall Security Profiles, specifically detections related to Inline Cloud Analysis, Anti-Spyware C2 classifications. What I am trying to better understand is why a relatively large amount of legitimate-looking web traffic is being clas...

Partialy protected

Hello everyone, I'm having issues with my Cortex XDR agent. The operational status is partially protected, with the following details:1. The OS I'm using is Ubuntu 24.04.02. I'm using the latest agent installer, version 9.2.0.1193. The operational status details generally state that the Linux kernel cannot be loaded. Is there a solution I can tr...

Cortex XDR Device Control Violation Alerts

Hi All, We enabled device configurations to block external devices connecting to endpoints in the organization and its work fine. In the Cortex XDR console, I can see the device control violations. We want to create alerts to detect the Device Control Violation based on a BIOC rule, as this is the only available option. I tried several...

Suspicious executable detected Microsoft Store Purchase App

Hello everyone, Has anyone seen this process appear in Cortex XDR? C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_22603.1401.4.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe It’s showing up on an endpoint, but Cortex XDR isn’t providing any additional details, alerts, or related events. Before I dismiss it, I want to confirm whether thi...

Getting Cortex Copilot

Hello Team, I have been researching the Cortex Copilot functionality and would like to clarify a few points regarding availability, licensing, and compatibility. Currently, we have a Cortex XDR Pro license, and I would like to understand: How can we obtain or enable the Cortex Copilot functionality? Is there any additional license, subscription...

Cortex XDR MITRE ATT&CK v16 -- We're Now on v19. Can We Talk About This?

Hey LIVEcommunity, I have been sitting on this for a while and finally decided to write it up because I am pretty sure I am not the only one running into this. If you are a detection engineer or SOC analyst building BIOCs in Cortex XDR and leaning on MITRE ATT&CK to organize your detection coverage, this one is for you. So Here Is What Ha...

D.Ogle by L0 Member
  • 1098 Views
  • 2 replies
  • 4 Likes

Need XdrAgentCleaner.exe for Cortex XDR agent version 7.9.1 - Anti-Tampering enabled

Hi everyone, I'm an IT technician and I'm trying to uninstall Cortex XDR agent version 7.9.1.26645 from a Windows 11 workstation. Unfortunately, I'm facing the following issues: - The standard uninstall from Programs & Features fails with: "Anti-Tampering is enabled. Please disable Anti-Tampering and retry the operation." - cytool protec...

Resolved! After more than 2 years Linux vulnerability reporting is still useless.

It is about 2 years ago that the Linux vulnerabilities reporting issues where announced to Palo Alto.It's still not fixed. 😞It looks like Cortex does not look beyond the dash in the version numbers of installed applications. For example; Cortex is reporting a vulnerable zlib 1.2.11The one actually installed was: zlib.x86_64 1.2.11-40.el9which ...

Resolved! Local Analysis and Exceptions

Hey,we are struggling with the following Case with understanding local Analysis, Macros and writing a useful exceptions. Local Analysis is alerting on a WinWord.exe with "Macro(s) in Winword.exe". The Macro is only mentioned by hash. Exception with Disable Prevention Rules for local analysis on the macro hashes are not working, similarly on Wi...

J.Motz by L0 Member
  • 388 Views
  • 1 replies
  • 0 Likes

Reports no longer shows the source of an incident

Hello, One of our customers pointed out that since the 5.0 update of the Cortex console, the report output has changed.Before the update, the reports always displayed the source of the incident (as highlighted in the “Before.png” file). Since the 5.0 update, as you can see in the “Now.png” file, the source of the incident is not always displayed...

C.PAPET by L0 Member
  • 429 Views
  • 1 replies
  • 0 Likes

XDR Not Recognising Hotpatches

We've started deploying WIndows Enterprise Hotpatches to speedup the adoption of patches and reducing the number of reboots required. Howver, XDR doesn't recognise the Hotpatches and is telling us that the endpoints are still vulnerable. This is a known "limitation" according to support. What are others doing in this space please?

Resolved! Local Analysis Malware - Signed exe

Hello, we have following case: The "Local Analysis Malware" module blocks a self-developed, unsigned tool. However, after signing the tool with our own certificate, it is no longer blocked—even though we have not added or configured this certificate in any of the policies. How can this behavior be explained? Does Cortex integrate with or ref...

M.Wempen by L1 Bithead
  • 580 Views
  • 2 replies
  • 0 Likes

On-write file examination / cross-platform examination for Linux

Dear LIVEcommunity Has anyone been able to test out the new Linux / MacOS cross-platform examination module? I created a new Linux Malware Profile and set the "On-write File Examination" for "Portable executable files (Windows)" to Enabled, applied it to a policy for my Linux endpoint, waited for the policy to apply and then copied a WildFire ...

andreal by L1 Bithead
  • 405 Views
  • 2 replies
  • 0 Likes
  • 2625 Posts
  • 98 Subscriptions