This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4397 Views
  • 0 replies
  • 3 Likes

Toutrial: Detecting Tor Traffic in XSIAM

Hi Everyone, Some members in the community have recently been exploring ways to detect Tor traffic within their environments. I’ve spent some time working on a solution to this challenge, and I wanted to turn that work into a dedicated post so more people can benefit from it. Why This Matters ? Detecting communication with Tor exit nodes gi...

A.Elzedy by L2 Linker
  • 1516 Views
  • 2 replies
  • 0 Likes

Find USB mounted storage devices on Windows and macOS

Hi All, looking for some help here. We've been using a query a colleague wrote to find computers with USB's mounted. This is the query: // Description: Show drive mount activity dataset = xdr_data | filter event_type = ENUM.MOUNT | alter mount_point = action_mount_device_info -> storage_device_mount_point | alter storage_device_class_name...

Repeated False Incidents with Unknown Verdicts

Hi everyone, I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious, This particular one shows: WF (WildFire) Verdict: Unknown VT (VirusTotal): 0/64 detections Every week, I keep seeing similar incidents, often related to legitimate services or vendors (e.g., Tata CLiQ Luxury in this case)...

Resolved! Correlation Rules that detect tor browser

Hello, We have decided to create a correlation rule in Cortex XDR to detect employees using the Tor Browser. However, based on our observations, it is possible to access the Tor Browser through a redirect from the Brave application, which is currently not being detected. We kindly ask for your assistance in reviewing the correlation rule we’ve c...

Understanding ENUM Constants in Cortex XSIAM XDR Data XQL

Hi Everyone, I’ve seen a lot of questions lately about the usage of constant ENUMs in Cortex XDR/XSIAM, especially after Unit42 released some IOC detection queries. These queries often contain clauses like: | filter agent_os_type = ENUM.AGENT_OS_WINDOWS and event_type = ENUM.PROCESS and event_sub_type in (ENUM.PROCESS_START, ENUM.PROCESS_STOP...

xql-enum-conditions.png
A.Elzedy by L2 Linker
  • 6172 Views
  • 3 replies
  • 3 Likes

Cortex XDR API requests

Hi everyone, There is an problem im facing with. The problem is -- Some of API requests are not shown in "Management Audit Logs". There is another API's which ones can be shown in "Management Audit Logs". Is there other option for this case? To collect unseen API logs?

OrkhanM by L1 Bithead
  • 942 Views
  • 1 replies
  • 0 Likes

Wildfire API for scanning before upload

Hi, I want to scan files before they get processed or uploaded to a linux server, if the file is malicious it is blocked from being uploaded, if clean then it gets uploaded and processed. Cortex XDR Prevent has on-write feature for windows only. I was searching and came across Wildfire API which can help with this. Does anyone have info about ...

jannette by L0 Member
  • 940 Views
  • 1 replies
  • 0 Likes

Resolved! Do we need to install XDR Collectors in our servers to Collect Windows Events ?

HI We are using cortex XDR and planning to deploy the XSIAM. We are working on the deployment. While reading the below document for collecting Windows events, XDR Collector Machine Requirements and Supported Operating Systems • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal My question is, We have the brok...

Cortex XDR Device Control Violation Query

Hi Team, How can I check device control violations using an XQL query? I have tried the query preset = device_controlbut I am only seeing details for USB device violations. I am expecting to see Bluetooth violations as well. Is this possible? If yes, please guide me.

Questions about IOC/BIOC Suppression rules

We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general). I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I see 52 System Generated rules. The description on them is "Same process triggered BIOC nnn on 100 different...

How to remove Old versions of Cortex Agent

Hello everyone, We're facing issues upgrading older versions of the Cortex agent on Windows endpoints — particularly versions 7.x and in some cases 8.x. These agents fail to upgrade both automatically and manually. Requesting a cleaner for each minor version and sharing the uninstall/disable password with IT support is not only time-consuming ...

  • 2610 Posts
  • 98 Subscriptions
Top Solution Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks