This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4333 Views
  • 0 replies
  • 3 Likes

Resolved! GlobalProtect App Log Collection - Determining Disconnected Agents

Is there a way to automate the sending of GlobalProtect app logs to SLS? Based on the following I have only found ways to enable the end user to manually send logs to SLS: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-app-log-collection-for-troubleshooting/set-up-globalprotect-connectivity-to-cortex-d...

nohash4u by L3 Networker
  • 1595 Views
  • 3 replies
  • 0 Likes

Detect user who moved a folder using XDR and XQL

Hi everyone, I need help identifying which user moved a specific folder from a network share to another location. The only information I currently have is: The old folder path (e.g., \\server\share\oldfolder) The new folder path (e.g., \\server\users\john\newfolder) Access to Cortex XDR endpoint data only — no file server logs or QRadar correla...

tlmarques by L4 Transporter
  • 756 Views
  • 1 replies
  • 0 Likes

Cortex XDR "The target location already contains a file named" problem

Hi, I have a problem after installing the XDR Cortex agent. Windows 10,11. When trying to copy any file to the network share (Synology), which was created on the workstation after the agent installation, I receive the message "The destination already has a file..." For some reason, the system sees a file with the same name in the folder with a ...

Full disk access requirement on macos agent

Hi team A couple of questions here: 1) Is full disk access required for agents running on macOS Sonoma and Sequoia? 2) What is the meaning of "Requires full disk access: False" in the "cytool status" output? (screenshot attached)The endpoint we ran this command on showed as "Fully protected" through the console. It is running 8.7.1.2855 on...

tmeksik by L2 Linker
  • 1827 Views
  • 2 replies
  • 0 Likes

Resolved! Cortex XDR file quarantine

Hi Team, i have two general questions, 1-can i delete a file from multiple endpoints but with different paths from the action centre? 2- i understand that cortex can quarantine a malicious file but is there an option to delete it without my interference?

O.Asha by L0 Member
  • 1353 Views
  • 1 replies
  • 0 Likes

Excluding Pentera Box

I am looking to make an exclusion or suppression of some sort for alerts generated by our Pentera Security Validation Tool. I have a SSL certificate loaded into Pentera so I can filter by that certificate if I can. However for the Vulnerability Scans with Pentera I cant use the SSL cert or any other identifier. Just trying to keep down the noise...

Configuring Exceptions for Different Modules

Hello guys I need to add exceptions for Windows HyperV servers.... and I have 2 questions: Question 1 I need to add exceptions base on extensions...*.bin, *.vhdx, *.avhd.... etc, and exceptions base on process for instance Vmms.exe, VMwp.exe.... etc... Can I configure the both types of exceptions and apply to the unique Profile or Policy...

dhervasg by L0 Member
  • 1111 Views
  • 3 replies
  • 0 Likes

Problems updating the agent

Hello colleagues! I'm having trouble updating my agents to versions 8.7 and 8.8. The current versions are 8.5 and 8.6. When performing the update, the following error appears: "The content package was faulty or could not be downloaded." Checking the retrival support files, the installation log shows the following: "Upgrade state: Not Exe...

C.Labra by L0 Member
  • 1196 Views
  • 1 replies
  • 0 Likes

content update issues on XDR 7.9CE

Hi everyone. Have anyone had issues with 7.9CE version about the content updates? I mean, the agents are not downloading the CUs. I even tried to install the agent on a win 7 VM and it installs indeed but doesn't download content updates. It is weird because I can even access via live terminal and execute scripts via interactive mode. i tri...

MarcoMJ by L1 Bithead
  • 817 Views
  • 1 replies
  • 0 Likes

User Message on IOC trigger

Hi, We have enabled user notifications in agent profile settings, when an event like malware detection occurs it is displayed to the user immediately. However, it does not show a notification for an IOC. Can we make a message appear for an IOC event ? Any help would be appreciated. Regards,

Toutrial: Detecting Tor Traffic in XSIAM

Hi Everyone, Some members in the community have recently been exploring ways to detect Tor traffic within their environments. I’ve spent some time working on a solution to this challenge, and I wanted to turn that work into a dedicated post so more people can benefit from it. Why This Matters ? Detecting communication with Tor exit nodes gi...

A.Elzedy by L2 Linker
  • 1405 Views
  • 2 replies
  • 0 Likes

Find USB mounted storage devices on Windows and macOS

Hi All, looking for some help here. We've been using a query a colleague wrote to find computers with USB's mounted. This is the query: // Description: Show drive mount activity dataset = xdr_data | filter event_type = ENUM.MOUNT | alter mount_point = action_mount_device_info -> storage_device_mount_point | alter storage_device_class_name...

Repeated False Incidents with Unknown Verdicts

Hi everyone, I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious, This particular one shows: WF (WildFire) Verdict: Unknown VT (VirusTotal): 0/64 detections Every week, I keep seeing similar incidents, often related to legitimate services or vendors (e.g., Tata CLiQ Luxury in this case)...

  • 2593 Posts
  • 97 Subscriptions
Top Solution Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks