Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Discussions

Sorted by:

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Blocking Bluetooth

Hello,

I want to block blueotooth activities on endpoints in Cortex XDR. Is there any way or rule to do this? If yes, can you write rule?

Thanks in advance.

Resolved! Is it possible to limit CPU and memory consumption of the Cortex agent?

Hello everybody.
If you have any doubts about the community's help story, my Cortex agent is installed on my Windows servers but often consumes a lot of CPU and memory resources from my VMs, this ends up creating many alerts in my monitoring, I would

...

Resolved! Best way to restrict software by digital signer

hey guys, i'm not clear how to block the running (installing) of certain software using XDR by restricting by digital signer.

Is it possible to cerate a BIOC and apply to a restricted profile? If not, what would you say is the best way to go about th

...

BIOC Block executables based field "Process_File_Info"

Hello,

I would like to know if any of you have struggled with support and technical cases with the need I show below.

I would like to know what you can tell me or give me your opinion of blocking executables based on static metadata using the “Proces

...

XDR Policy Baseline/Comparison Tool

Is there a method/tool available that anyone is aware of to better manage multiple policies or quickly/easily identify those policies which may have/need slightly different configurations?

For example, if we have 2 dozen policies and there's a new

...

Abnormal Recurring Communications to a Rare IP

We are receiving multiple alerts from the rule below. All alerts are legitimate Microsoft IPs:

Abnormal Recurring Communications to a Rare IP

Could there have been any recent changes on the Cortex end that might be triggering this?
Cortex XDR

Behavioral threat detected (rule: bioc.sync.critical_termination) Triggered By Known Good Files

Over the past two weeks we have been seeing detections/blocks from the following rule "Behavioral threat detected (rule: bioc.sync.critical_termination)" for known good files 7z2301-x64.exe (7-zip install) and PhotosService.exe (part of built-in Wind

...

XDR AGENT ALL DEVICES

Hi everyone,

Does anyone know of or have an automation to periodically check if all devices in the company have the Cortex XDR Agent installed

I currently use Mapper, but my network is large, with over 35k devices (including computers, printers, a

...

Resolved! XQL Help - Any AI tools, query library?

Wondering if there are plans to help build queries? Something as simple as looking for a file called "testfile" requires the query with the below code:

|preset = xdr_file
|filter action_file_name contains "testfile"

Another example that we are current

...

Cortex XDR Generate Alert when Device is Online

There's many situations where it would be convenient to receive a notification when a device is online. We often run into this when a device is isolated and we are unable to contact a user. Since there is no native ability to trigger an alert or n

...

Broker VM

Hi,

I have downloaded Broker VM OVA file and installed it on my VMvare. I just wonder about with the following issues. As you know Broker has two IP one for public and one for private.

In this part, if i go static, will I be configuring internal o

...

Resolved! XDR on-write exclusions

Hi,

Is it possible to exclude certain executables and their hashes from on-write protection on Cortex XDR ??

General Cortex XQL questions

Hello,

I have been unable to confirm the following information in the online guidance I have been looking through.

How far back can we run an "All Actions" query in XQL? For example, can we search for file hashes going back 3 months or longer?

Also

...

BIOC that will close web browser while opening certain websites

I want to create a BIOC rule that will close web browser (ex. chrome) when I open certain websites (ex. facebook.com and instagram.com). I'm using Network BIOC and I managed to create BIOC rule that applies only to one website (remote host) but I don

...