Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Resolved! Defender remains running on Windows 11

Hi Everony

We've noticed that under Windows 11 the MS Defender Antivirus remains running in passive mode even after Cortex XDR is installed. The Cortex integration in Windows security center works, but Defender services are still running.

Does an

...

API BLOCK LIST

Hello,

By doing or achieving different automations I have managed to add hashes to the block list in the action center section via API, but as in this console I see that it is blocked with 15,000 entries, let me explain when adding 15,000 hashes I un

...

Unable to parse the time stamp

I have tried to create a new field with an existing string field (createdDate), which is already in an ISO 8601 format. unable to parse it

sample value of feild createdDate=2019-08-29T10:10:26.608Z

Here below the query I have used

| alter filedate

...

Unable to parse the time stamp

I have trying to create a new field with existing string field (cretedDate) which is already in a ISO 8601 format but. unable to parse it

sample value of feild createdDate=2019-08-29T10:10:26.608Z

here below the query i have used

| alter filedate

...

Cloud Identity Engine: New Agent Version Alert

Hi Team,

We have installed two Cloud Identity Engines in two different domains. Currently, we are seeing an alert on the Palo Alto hub page regarding the availability of a new agent version for the Cloud Identity Engine. We have a question: will th

...

Netskope and Mimecast Integration To XDR

Anyone done the mimecast and Netskope log integration to Cortex XDR. Unable to find document for integration.

Please share any doc or integration methods.

Malicious Hash detected as Adminstrative Hash exception

Hi Team,

On analysing an ransomware incident, i have block the hash of malicious file and added the file path of malicious file into IOCs. However i can see the alerts for malicious hash in the Critical alert (IOCs based) and Low alert - Administr

...

Veeam Server high CPU Cortex XDR

Hello,

We have a server with Veeam Backup, and we are noticing high CPU usage from Cortex.

We have seen that some exceptions might need to be applied:

https://www.veeam.com/kb1999

Would this apply to Cortex?

Best regards.

Resolved! Finding if a URL was visited using XQL in Cortex

We wanted to see if we could use XQL to query for if a URL was visited in our environment. Is there a way to structure a working query for this using XQL? We've tried unsuccessfully so far, so we are turning to you, the community.

Thank you for any

...

Cortex XDR Incidents

Hi Team,

How can I create a BIOC rule for large upload activities of more than 1 GB of data in external storage? Please share your input.

Resolved! Detect delete agent with XQL.

I kindly ask for your assistance with an XDR XQL query language script to identify devices in the network that do not have the XDR agent installed. Additionally, it would be helpful if the users could be identified from AD or through the DHCP on the

...

Resolved! XQL For Silent Log Source

below is the query so far but what we are trying to do is get a silent log source detection. For example, one of the log source names has not sent a log in x number of hours then alert. Any suggestions?

dataset = panw_ngfw_traffic_raw | fields log_sou

...

Custom widget similar to the standard "Vulnerabilities On All Endpoints Over Time"

Hi,

Is it possible to obtain a custom widget like "Vulnerabilities On All Endpoints Over Time" via XQL?

We would like to filter out some endpoint

Is there a dataset with detailed history information?

Thanks

Resolved! There is no alert severity in the SIEM logs.

Hi. We send Cortex XDR syslog to SIEM. When I check Notification (Settings - Configurations - Notifications) settings, Severity field is available. But on SIEM logs, there is not severity of alert.

Resolved! Azure AD and InTune

Hi Palo Live Community, I'm hoping that someone has worked with Cortex XDR and Azure InTune.

I'm trying to find a dynamic way to apply an extension profile (block USB), in Cortex XDR, targeting specific endpoints that reside in Azure InTune.

Bef

...

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

Resolved! Defender remains running on Windows 11

API BLOCK LIST

Unable to parse the time stamp

Unable to parse the time stamp

Cloud Identity Engine: New Agent Version Alert

Netskope and Mimecast Integration To XDR

Malicious Hash detected as Adminstrative Hash exception

Veeam Server high CPU Cortex XDR

Resolved! Finding if a URL was visited using XQL in Cortex

Cortex XDR Incidents

Resolved! Detect delete agent with XQL.

Resolved! XQL For Silent Log Source

Custom widget similar to the standard "Vulnerabilities On All Endpoints Over Time"

Resolved! There is no alert severity in the SIEM logs.

Resolved! Azure AD and InTune

Can Cortex XDR fully substitute for Microsoft Defender Attack Surface Reduction (ASR) rules?

Evasion Technique - 1244315488

Other Network Source Checkpoint,Fortinet Cortex can auto stich

Cortex XDR - API Automation

Cortex not allowing specific Bluetooth devices to connect

Re: Rare Login Query Not Working

Upgrade 4.X Cortex Tenant

alert creation when live terminal is launch

Re: new feature in the Cortex XDR agent 8.3, Agent Certificates

Unlock your full community experience!

Rules and Best Practices

Resolved! Defender remains running on Windows 11

Resolved! Finding if a URL was visited using XQL in Cortex

Resolved! Detect delete agent with XQL.

Resolved! XQL For Silent Log Source

Resolved! There is no alert severity in the SIEM logs.

Resolved! Azure AD and InTune