This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4358 Views
  • 0 replies
  • 3 Likes

XDR 7.6.1 seems to ignore exception

Hi, Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive) I've created a global exception for that issue and checked-in client but XDR still blocks this executable. In client log I read these rows: 2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartb...

Faber by L0 Member
  • 3173 Views
  • 2 replies
  • 0 Likes

[Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

Dear Everyone, My customer has a requirement: they would like the Cortex XDR Agent to detect and block multiple specified C2 IP addresses.I would like to ask if anyone has encountered a similar case or has any relevant experience to share. Currently, I am aware that this can be achieved by configuring Host Firewall Rules, which fulfills the requ...

bulk broker vm modifications

Hello, we did a tenant migration and for some reason a lot of broker VM settings are still pointing to the old one. We were wondering if it was possible to change the settings for it in bulk. Thank you for your inputs.

Liosan by L0 Member
  • 746 Views
  • 2 replies
  • 0 Likes

Cortex XDR Get Incident API function 'hosts':None

I'm currently testing the api for Cortex XDR, in particular the 'get_all_incidents' function under '/public_api/v1/incidents/get_incidents' url. Reference : https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents While testing, i realized while testing the 'hosts' field is empty, while in the reference page, it mention...

WKhoo001823_1-1745914049548.png
WKhoo001823_3-1745914126725.png
WKhoo001823_0-1745914000945.png

Resolved! Delay in launching in-house apps

Our users have noticed there are delay in launching in-house developed apps (20+ apps) for the first time, the delay would take 10-20 seconds, once the app initally launched, the later, it would take 2-3 seconds to launch. The apps are located from shared folder z:\ and local c:\, the symptop is the same. 1) is there reason why this happened? I ...

Resolved! Help with fine tuning a query using $arguments and enclosing them in "quotes"

I have the below query, and my issue is at the end, when the user puts in the argument for $Serial it needs to have quotes around it. I think it's because the JSON object it is looking at comes in "quotes" and that's how it filters. In other queries when I use $user it put quotes in the query for me. If I write "$Serial" it doesn't allow the arg...

J.Suter by L2 Linker
  • 2235 Views
  • 2 replies
  • 0 Likes

XQL Incident Count Doesn’t Match UI Incident Count — Same Date Range

Hi everyone, I’m working on a report using Cortex XQL to count incidents created between March 15 and March 31, 2025. Here’s the query I’m using: config timeframe between "2025-03-15 00:00:00" and "2025-03-31 23:59:59" | dataset = incidents | filter creation_time >= "2025-03-15 00:00:00" and creation_time < "2025-03-31 23:59:59" | fie...

Chamindu by L1 Bithead
  • 1021 Views
  • 1 replies
  • 0 Likes

Cortex XDR Process Exclusions

We are deploying Cortex XDR to Windows servers initially in Report only mode and seeing memory Utiliziation on some servers ranging 500 MB- 1.2 GB. Is this considered to be normal? Advise we receive was that we don't need to exclude ceritan processes or file path similar to how Application vendors requested to be Whitelist. Does anyone have ex...

Namalw by L1 Bithead
  • 1208 Views
  • 1 replies
  • 0 Likes

Code signed executables

A colleague raised a query with regards code signing certificates? For example if files are created, remodified and recompiled, the Sha256 will change every time, and these would need to be Whitelisted every time. The question asked is if we are able to code sign any executable with our own code signing certificate, can a whitelist rule be a...

custom scan with xdr agent for linux

Hi, i would like to know if it's possible to do a custom scan for a specific file like we can with the cortex agent for windows but i would like to do it for linux. I just see how to launch a global scan under linux but not a specific file. Thanks for your help Guillaume

Groche by L0 Member
  • 705 Views
  • 1 replies
  • 0 Likes

ERROR MESSAGE: This email is already registered with an account

Dear Team,I recently created some users, but I made some mistakes with data entry, so I deleted 1 user, leaving me with 2 users to be deleted. I would like to recreate the deleted user with the right information. But I'm experiencing some issues with error message "This mail is already registered with an account" Please i can i resolve this

A.Efobi by L0 Member
  • 1185 Views
  • 1 replies
  • 0 Likes

Cortex XDR on Windows 10 LTSC

Hello,We have not been able to install cortex XDR on a windows 10 LTSC machine. It starts to install but then fails. Is there a separate installation for Windows 10 LTSC machines?

M.Mills by L0 Member
  • 797 Views
  • 1 replies
  • 0 Likes

Split nested JSON

I have a field named "ModifiedProperties" and it has values like this below, I cant for the life of me figure out how XQL splits these up, Splunk uses SPAN or MVexpand and it works like a champ but i cant figure out what function does the same thing in XQL. THANK YOU! [ { "Name": "StrongAuthenticationRequirement", "NewValue": "[]", ...

  • 2599 Posts
  • 98 Subscriptions
Top Solution Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks