Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by letting them view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allowing seamless response.
About Cortex XDR Discussions

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP addresses or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating. Rules and Best Practices. Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4327 Views
  • 0 replies
  • 3 Likes

Any way to scan for specific Registry DWORD entries with a value of 1 under a targeted Hive?

I'm trying to figure out how to write a script to search for the DWORD values of "State" and "RefCount" that = 1 in the sub folders (profiles) in the hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Then show the hostname, and data in the String "ProfileImagePath" in the results of which has a 1 in State or RefCou...

J.Suter by L2 Linker
  • 928 Views
  • 2 replies
  • 0 Likes

XDR Multi tenant MSSP Add on Modules

Does anybody have any details on how add-on licenses (e.g., Forensics, Host Insights, ITDR, etc.) work within a multi-tenant XDR environment? Does the add-on license automatically apply to all child tenants, or does it have to be assigned? Does everything have to be configured at the child level or the parent level?

User Added to Local Administrators Group XQL Query

Hi Family, I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the administrators group. dataset = xdr_data | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728). Here I attached a reference link: GitHub - ItamarSafri/CortexXDR-XQL: Cortex XDR XQL Queries. Thank Yo...

Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

TL;DR: Cortex dashboard shows EOL agents on Windows machines but upgrades fail, uninstalls fail, and Cortex is not showing as an installed program. However, Cytool can be disabled/enabled. ----- We have a few machines with outdated agents. Using the Cortex dashboard and autoupgrades enabled, a handful of devices do not get upgraded but are connec...

SLS is required for Ingesting NGFW logs?

Hello all, I have Pro per GB in my Cortex XDR and wish to gain more visibility in Network. Is it compulsory to have a Strata Logging Service license in order to make this work? Does the Strata Logging Service license come with my Firewall subscription, or do I need to purchase it separately? Thanks. Cortex XDR

NGFW alerts to Cortex XDR

Hi team, I have a technical question but could not find the answer in the documentation. I assume that to ingest NGFW alerts into Cortex a Pro Per GB license is needed. The question is: Is there any way to configure the ingestion of the panw_ngfw_threat_raw dataset and not the panw_ngfw_traffic_raw one? Also, I would like to know how Pro Per GB l...

Process Explorer Triggering Cortex XDR Alert – Clarification Needed

Hi, When our system administration team uses Process Explorer (Microsoft version), Cortex XDR does not block the execution, but it generates alerts/incidents. Alert Details: Alert Name: Impair Defenses - 3645069560 Description: A tampering-capable driver with the original name procexp.sys was loaded on the system Source: XDR Agent Modul...

tlmarques by L4 Transporter
  • 2359 Views
  • 1 reply
  • 0 Likes

XDR 7.6.1 seems to ignore exception

Hi, the Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive). I've created a global exception for that issue and checked in the client, but XDR still blocks this executable. In the client log I read these rows: 2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartb...

Faber by L0 Member
  • 3138 Views
  • 2 replies
  • 0 Likes

[Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

Dear Everyone, My customer has a requirement: they would like the Cortex XDR Agent to detect and block multiple specified C2 IP addresses. I would like to ask if anyone has encountered a similar case or has any relevant experience to share. Currently, I am aware that this can be achieved by configuring Host Firewall Rules, which fulfills the requ...

bulk broker vm modifications

Hello, we did a tenant migration, and for some reason a lot of Broker VM settings are still pointing to the old one. We were wondering if it is possible to change the settings for it in bulk. Thank you for your input.

Liosan by L0 Member
  • 708 Views
  • 2 replies
  • 0 Likes

Cortex XDR Get Incident API function 'hosts':None

I'm currently testing the API for Cortex XDR, in particular the 'get_all_incidents' function under the '/public_api/v1/incidents/get_incidents' URL. Reference: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents While testing, I realized the 'hosts' field is empty, while in the reference page it mention...


Resolved! Delay in launching in-house apps

Our users have noticed there is a delay in launching in-house developed apps (20+ apps) for the first time; the delay takes 10-20 seconds. Once the app has initially launched, later on it takes 2-3 seconds to launch. The apps are located on the shared folder z:\ and the local c:\; the symptom is the same. 1) Is there a reason why this happened? I ...

Resolved! Help with fine tuning a query using $arguments and enclosing them in "quotes"

I have the below query, and my issue is at the end: when the user puts in the argument for $Serial, it needs to have quotes around it. I think it's because the JSON object it is looking at comes in "quotes" and that's how it filters. In other queries, when I use $user, it puts quotes in the query for me. If I write "$Serial" it doesn't allow the arg...

J.Suter by L2 Linker
  • 2166 Views
  • 2 replies
  • 0 Likes

XQL Incident Count Doesn’t Match UI Incident Count — Same Date Range

Hi everyone, I’m working on a report using Cortex XQL to count incidents created between March 15 and March 31, 2025. Here’s the query I’m using: config timeframe between "2025-03-15 00:00:00" and "2025-03-31 23:59:59" | dataset = incidents | filter creation_time >= "2025-03-15 00:00:00" and creation_time < "2025-03-31 23:59:59" | fie...

Chamindu by L1 Bithead
  • 1000 Views
  • 1 reply
  • 0 Likes