Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Discussions

Sorted by:

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Cortex XDR agent on Domain Controller

Dear all,

May I have a chance to find with you palo guidelines regarding Cortex XDR agent installation on Domain Controller.

Any comments ?

Resolved! XQL Query Help

I am trying to create a rule for the case of creating a new user in the admin role. Where's my mistake?
I am grateful for your help.

dataset = xdr_data
| filter action_evtlog_event_id = 4720

| alter Direct_Role = arrayindex(regextract(action_evtlog_me

...

Resolved! An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

Dear Live Community Members,

One of my customers noticed that some endpoints with the Cortex XDR installation sometimes creates a huge file that grows in size with time.

On several VMs equipped with the Cortex Agent (version 7.7.1, but we also noti

...

high priority 'Behavioral Threat' alert for smss.exe (system)?

Every few weeks or so getting a high priority alert:

'Behavioral Threat' generated by XDR Agent detected on host <some_WS2019_server> involving user system

Priority: High
Behavioral Threat
Source: XDR Agent

Behavioral threat detected (rule: sync.vul

...

Resolved! Cortex XDR Prevent and "Identity Analytics" Module - licensing confusion

Good day, I am running in circles trying to figure out whether or not I have the access to the "Identity Analytics" module. I'm looking to alert on several Kerberos related alerts, and a few of them require this detection module. Is this module inclu

...

Resolved! Retetion Time - cortex xdr

Hi, I want to know what is the retetion time for the incidents in the cortex xdr tenant.

After how long are the console incidents cleared?

thank you

Resolved! create BIOC rules via Cortex XDR API

Hi community,
I'd like to enquire whether Cortex XDR can create BIOC rules via Cortex XDR API.
I could not find any description about creating BIOC rules on the following Cortex-XDR-API-Reference.

Cortex XDR API Overview | Cortex XDR (stoplight.io)

Problemas de compatibilidad Broker OVA con VCLOUD

Saben si el formato de OVA del broker es compatible con VCLOUD o en que formato lo tendria que generar para poder montarlo?

Resolved! block vulnerable applications from running

Hi community,

I am attempting with restricting the execution of vulnerable applications.

Is it possible to block a specific application version using BIOC associated with restriction profile?
(Or if there's another easy way to do this please let m

...

managing incident from dynamic emails using MSGRAPH integration

Hello everyone,

I am looking for a solution to handle a specific situation related to incident activation from an email, using the MSGRAPH integration.

Typically, to activate an incident, I classify it based on a static email subject. Then, I configu

...

Cortex XDR activation - sub-domain tenant

Hi Team,

I'm trying to activate palo alto xdr tenant and unfortunately asking for Tenant Sub-domain. Any advice?

Resolved! XDR Agent version naming convention

Hi all,

I am a bit confused with the new Agent version numbers. So to be sure:

Taking the naming convention into account, isn't the XDR Agent version 8.5.0.624. higher and newer then version 8.5.0.3639?

8.5.0.3639 is recently released to suppor

...

Resolved! Is it safe to rename Agent Installations in Cortex and retain Connection?

I was going to delete them all and start over with a new naming convention for my admins, so they are easier to find and use. But when I tried to delete them, I was warned it would disconnect anything that was installed using the generated files.

Ques

...

Cortex XDR Agent certificate enforcement

Hi Team,

I have enabled the Cortex XDR agent settings for certificate enforcement. However, endpoints are showing as only partially protected, and the Operational Status Details indicate that certificate enforcement is disabled against policy (Failed

...

Add large IOC to block list

Guys,

I need your help, I need to upload 500 IOCs to the block list.
Is there any option to upload IOCs in bulk or I have upload one by one?

Cortex XDR

User

Count

User

Likes Count

2 Likes

1 Likes

Cortex XDR Discussions

Discussions