Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP addresses or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4361 Views
  • 0 replies
  • 3 Likes

Get results before and after 10 seconds of creation_time field

I need a query which will give me results 10 seconds before and 10 seconds after the alert creation_time field for investigation from a hostname. So I need to add 10 seconds to the alert creation_time field and subtract 10 seconds from the creation_time field. Please also add the timezone of GMT +2. For example, if the alert creation time is May 1...

rkumawat by L0 Member
  • 748 Views
  • 1 replies
  • 0 Likes

Change alert (not incident) severity for future same alerts

The severity of "Administrative Hash Exception" alerts (not incidents) is low, and since they are not created as incidents, I want to change the severity of these alerts to medium so that they are created as incidents next time. When I go to Incident Response > Automation > Add Automation Rule, I can't create a rule for these alerts becaus...

Aristooo by L2 Linker
  • 1495 Views
  • 1 replies
  • 0 Likes

Resolved! Palo Alto Cortex Broker Virtual Machine (Broker VM) security understanding

Following my company's compliance guidelines, we are looking for some confirmations about the Palo Alto Cortex Broker Virtual Machine (Broker VM). Could you, please, confirm that we have a correct understanding of how the product works? 1- It is not possible to do an integration with an external authorization/authentication mechanism in Broker VM itse...

M.Sylos by L0 Member
  • 1283 Views
  • 1 replies
  • 0 Likes

RedHat 8/9 XDR client count limited

As I have added clients to my XDR Linux group I have seen a situation where I hit a limit on client count (under 20 BTW). After I have them all added there will be 2 or 3 missing. If I restart the process on a missing client, that one immediately appears, but one of the previous ones drops off. If I restart the process on that one the other one ...

Resolved! [Cortex XDR] Are there any How-To videos recorded about the Windows Event Collector applet for the Broker VM?

Dear all, following the acquisition of the Pro license for GB to collect Windows logs from domain controllers, I saw documentation regarding the configuration of the Windows Event Collector applet from the Broker VM. However, I was wondering if there were any How-To videos, as in the case of configuring the Syslog Applet. Do you guys know if there...

F.Ronchi by L1 Bithead
  • 1127 Views
  • 1 replies
  • 1 Likes

XDR Analytics Data source

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailbox-audit-bypass
In the Analytics Alert reference guide there is a reference to "AzureAD Audit Lo...

Cortex XDR-Agent failed to generate support File - Error 13 - Error 109

Greetings, when trying to create a Support File via the Agent GUI or CMD on a Windows client, the operation either crashes the Agent service (GUI) or outputs the error shown in the attached screenshot. - Disk space on the client is >100GB - Connection to the Cortex server is established - Re-installing the Agent did not fix the problem. Besides this, th...

File upload to open Cloud Applications

Hi Team, I'm running a test case in uploading test documents to open source Cloud applications. I was successful, but in the xdr_data and Zscaler datasets the file uploads and file names are being shown as blank or none. Please let me know 1. if this has happened and what remediation actions were followed 2. any other dataset through which I c...

Alert generation / Test cases/samples for Cortex XDR protection module testing

Hello Team, Could anyone assist with generating alerts and creating test cases or samples for testing the Cortex XDR protection module? We successfully generated an alert using a WildFire PE file, but we now need to generate alerts for each policy module, for example Local Analysis, Behavioral Threat Protection, and Exploit Protection. If you...

Resolved! Test alerts in Cortex xdr

Is there a built-in way to generate a test alert, either from an agent installed on a client machine or through the XDR portal itself? I currently have an agent ver 7.6.2 installed on a Windows box and I'd like to create a test alert that will be visible in the portal. Thanks.

Unpatched Vulnerabilities Protection

Hi, I see this written in the Unpatched Vulnerability Protection module section: "Modify system settings temporarily as a workaround to protect unpatched endpoints from known vulnerabilities". I have searched but found no details regarding this; can anyone please explain how this works? Also, is there any protection against 0-day vulnerabiliti...

Any way to scan for specific Registry DWORD entries with a value of 1 under a targeted Hive?

I'm trying to figure out how to write a script to search for the DWORD values of "State" and "RefCount" that = 1 in the sub folders (profiles) in the hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Then show the hostname and the data in the String "ProfileImagePath" in the results which have a 1 in State or RefCou...

J.Suter by L2 Linker
  • 967 Views
  • 2 replies
  • 0 Likes

XDR Multi tenant MSSP Add on Modules

Does anybody have any details on how add-on licenses (e.g., Forensics, Host Insights, ITDR etc.) work within a Multi tenant XDR environment? Does the add-on license automatically apply to all child tenants or does it have to be assigned? Does everything have to be configured at the child level or parent level?

User Added to Local Administrators Group XQL Query

Hi Family, I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the administrators group. dataset = xdr_data | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728) Here I attached a reference link: GitHub - ItamarSafri/CortexXDR-XQL: Cortex XDR XQL Queries. Thank Yo...

Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

TL;DR: The Cortex dashboard shows EOL agents on Windows machines but upgrades fail, uninstalls fail, and Cortex is not showing as an installed program. However, Cytool can be disabled/enabled. ----- We have a few machines with outdated agents. Using the Cortex dashboard with auto-upgrades enabled, a handful of devices do not get upgraded but are connec...
