This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4361 Views
  • 0 replies
  • 3 Likes

Resolved! Best way to restrict software by digital signer

hey guys, i'm not clear how to block the running (installing) of certain software using XDR by restricting by digital signer. Is it possible to cerate a BIOC and apply to a restricted profile? If not, what would you say is the best way to go about this?Our scenario is we'd like to block the use / installation of a certain piece of software, and ...

BIOC Block executables based field "Process_File_Info"

Hello, I would like to know if any of you have struggled with support and technical cases with the need I show below. I would like to know what you can tell me or give me your opinion of blocking executables based on static metadata using the “Process_File_Info” field in the BIOC. My intention is to block executables and not based on the executa...

agirones by L1 Bithead
  • 1693 Views
  • 2 replies
  • 1 Likes

XDR Policy Baseline/Comparison Tool

Is there a method/tool available that anyone is aware of to better manage multiple policies or quickly/easily identify those policies which may have/need slightly different configurations? For example, if we have 2 dozen policies and there's a new security module we are implementing for the environment, I would like to be able to see which pol...

Behavioral threat detected (rule: bioc.sync.critical_termination) Triggered By Known Good Files

Over the past two weeks we have been seeing detections/blocks from the following rule "Behavioral threat detected (rule: bioc.sync.critical_termination)" for known good files 7z2301-x64.exe (7-zip install) and PhotosService.exe (part of built-in Windows Photos app). We only see the detections on a few systems, many systems have these same files...

jdbst56 by L1 Bithead
  • 2107 Views
  • 3 replies
  • 0 Likes

XDR AGENT ALL DEVICES

Hi everyone, Does anyone know of or have an automation to periodically check if all devices in the company have the Cortex XDR Agent installed I currently use Mapper, but my network is large, with over 35k devices (including computers, printers, access points, and other equipment). How do you manage XDR coverage in your infrastructure? Do you ...

tlmarques by L4 Transporter
  • 1947 Views
  • 2 replies
  • 0 Likes

Cortex XDR Generate Alert when Device is Online

There's many situations where it would be convenient to receive a notification when a device is online. We often run into this when a device is isolated and we are unable to contact a user. Since there is no native ability to trigger an alert or notification I had an idea to run a script on an endpoint that will create a file and then create ...

tc0222 by L0 Member
  • 2693 Views
  • 3 replies
  • 0 Likes

Broker VM

Hi, I have downloaded Broker VM OVA file and installed it on my VMvare. I just wonder about with the following issues. As you know Broker has two IP one for public and one for private. In this part, if i go static, will I be configuring internal or public IP? I mean should I just take one static IP from my internal network for example, 192.16...

JahidAliyev_0-1731635966017.png

General Cortex XQL questions

Hello, I have been unable to confirm the following information in the online guidance I have been looking through. How far back can we run an "All Actions" query in XQL? For example, can we search for file hashes going back 3 months or longer?Also, what is the difference between running an "All Actions" query vs using the XQL Search option? W...

BIOC that will close web browser while opening certain websites

I want to create a BIOC rule that will close web browser (ex. chrome) when I open certain websites (ex. facebook.com and instagram.com). I'm using Network BIOC and I managed to create BIOC rule that applies only to one website (remote host) but I don't see the option where I can add multiple websites (remote hosts). Can you help me with that? Ma...

Resolved! Correlation rules create incident

Hey dear sec community! is there a way to setup an correlation rule, which can block and not only detect?I couldn't find a way. I tried the XQL queries from the libary. https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-correlation-rules/create-a-correlation-rul...

Cyber1985 by L3 Networker
  • 7106 Views
  • 7 replies
  • 0 Likes

Resolved! Device connection alert

Hi everyone, I'm kind of new to the Palo Alto Networks ecosystem, and it seems that in Cortex XDR, you can't create your own "alerts", only queries/scheduled queries. My goal here is to find a way to be alerted/informed when a specific device is connected to the internet. For more context, it would more specifically used for stolen laptops, so t...

G.Louhou by L1 Bithead
  • 1928 Views
  • 2 replies
  • 0 Likes

Microsoft 365 email collector

Hi Everyone Regarding the new email collector which ingests email logs and data from Microsoft 365: Ingest logs and data from Microsoft 365 • Cortex XDR Documentation • Reader • Palo Alto Networks documentation portal Has anybody figured out a way to properly test it? Thanks & Best Regards

Rocky-25 by L2 Linker
  • 1539 Views
  • 2 replies
  • 0 Likes

Performance Optimization Strategies

Hello, I have a system running workloads that is sensitive to CPU usage. The primary users have raised an issue that our currently applied XDR profile is causing detrimental delays in job processing. I confirmed this by disabling the agent to observe baseline activity. The current profile/policy has Exploit and Malware prevention set to "monit...

  • 2601 Posts
  • 98 Subscriptions
Top Solution Authors
View All
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks