Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allowing seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP addresses or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4319 Views
  • 0 replies
  • 3 Likes

Palo Alto Cortex IIS API Query

Hello Everyone, We ingest IIS logs by querying Cortex using a custom-built sensor utility. Recently, we've started encountering a NullPointerException. Upon investigating in our test environment, we found that the issue is related to a field in the query result that represents the API query cost, which we use internally for debug logging. P...

Cortex XDR Linux Agent version 8.7.0.131661

Hi Team, We tried to install the XDR agent version 8.7.0.131661 on a Linux machine. The installation was successful, but the XDR services are all in a "stopped" status. We attempted to start all services using the command cytool runtime start all, but no error was found after entering this command. However, we still see that all services are i...

VSCode Very Slow with Cortex XDR installed

Hey all, We deployed Cortex XDR a few months ago and since then our developers have been very frustrated with the performance of VSCode. When VSCode is launched the Cortex XDR Service on the system spikes heavily with CPU usage, and VSCode takes an absolute age to start. If we disable protection with Cortex (or just uninstall), VSCode is sn...

JNester by L0 Member
  • 1343 Views
  • 2 replies
  • 0 Likes

Child(?) Broker VM Setup

We are a semi-isolated environment with no internet connectivity, and have a customer requirement of having minimal network traffic between our environment and one with internet connectivity. We are looking at implementing Cortex XDR on our environment, and tying into the Broker VM (Broker-A) that the internet connected environment utilizes. ...

aghesse by L0 Member
  • 694 Views
  • 1 reply
  • 0 Likes

cortex xdr custom xql query to view server operational status

Hi, most of the customers who use Palo Alto Cortex XDR want to visualize the server operational status in a dashboard. In that case, use the query below, as follows: "dataset = endpoints | filter operating_system contains "windows server" or operating_system contains "ubuntu" | fields endpoint_name as endpoint_name, operating_system as operating_syste...

The compliance violation dashboard is empty.

Good morning, team, I wanted to ask a technical question. We currently have five Linux hosts in our tenant, but when I log into the dashboard to see the compliance violations for these hosts, I don't see any information. To see the compliance violations on the Linux hosts, do I need to have a minimum number of hosts or meet some other requirem...

Dashboard refresh time

Hi, I have noticed that Cortex XDR is not refreshing dashboards on its own and it requires pressing the refresh button. Is it possible to set the refresh time somewhere in the configuration settings?

How to Filter Incidents by Creation Time in XQL Within a Specific Timeframe?

I need to write an XQL query for a fortnightly report. The query I currently use is shown below, but it's incorrect for my purpose: config timeframe between "2025-03-01 00:00:00 +0000" and "2025-03-15 23:59:59 +0000" | dataset = incidents | filter status in (ENUM.RESOLVED_FALSE_POSITIVE, ENUM.RESOLVED_TRUE_POSITIVE) Although I have defined t...

Chamindu by L1 Bithead
  • 1683 Views
  • 2 replies
  • 0 Likes

get_incidents filter by status question

Hi all! I see the docs (https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents) for get_incidents lists only eq/neq operators for the field 'status' and when implementing a new filter model for this endpoint I noticed we are successfully using the 'in' operator: {'field': 'status', 'operator': 'in', 'value': ['new', '...

Cortex XDR-Extensions Policy Rules

Hello Everyone, we have a policy management in the extension policy rules to block USB in the workstation. Now we find an issue with Samsung mobile: when the device is connected and mass storage is allowed, it skips the policy and for some reason it is not being applied; for the rest of the devices (Apple, Xiaomi, Pixel) these are blocked. I ...

Bitlocker + Intune + XDR

Good morning everybody, I would like to ask you about the Disk Encryption Visibility tab in Cortex XDR. When the endpoint is managed by Microsoft Intune and the Bitlocker function is managed also from there, I would like to see a proper Encryption status - Compliant. Or find a way how to match settings done by Intune and properly detected by XD...
