This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4322 Views
  • 0 replies
  • 3 Likes

Resolved! XQL Query Help

I am trying to create a rule for the case of creating a new user in the admin role. Where's my mistake? I am grateful for your help.dataset = xdr_data | filter action_evtlog_event_id = 4720 | alter Direct_Role = arrayindex(regextract(action_evtlog_message, "Account Type:.*?(\w.*?)\r\n"),0)| filter Direct_Role contains "Admin" or Direct_Role cont...

Resolved! An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

Dear Live Community Members, One of my customers noticed that some endpoints with the Cortex XDR installation sometimes creates a huge file that grows in size with time. On several VMs equipped with the Cortex Agent (version 7.7.1, but we also noticed this with older versions in the past) sometimes a file called "PaloNull" is created, which gr...

PalNull.png
PaloNull_1.PNG

Resolved! Cortex XDR Prevent and "Identity Analytics" Module - licensing confusion

Good day, I am running in circles trying to figure out whether or not I have the access to the "Identity Analytics" module. I'm looking to alert on several Kerberos related alerts, and a few of them require this detection module. Is this module included by default in Cortex XDR Prevent, or does it require Cortex XDR Pro, or is it an add-on for C...

Resolved! create BIOC rules via Cortex XDR API

Hi community,I'd like to enquire whether Cortex XDR can create BIOC rules via Cortex XDR API.I could not find any description about creating BIOC rules on the following Cortex-XDR-API-Reference. Cortex XDR API Overview | Cortex XDR (stoplight.io)

Resolved! block vulnerable applications from running

Hi community, I am attempting with restricting the execution of vulnerable applications. Is it possible to block a specific application version using BIOC associated with restriction profile?(Or if there's another easy way to do this please let me know)

managing incident from dynamic emails using MSGRAPH integration

Hello everyone, I am looking for a solution to handle a specific situation related to incident activation from an email, using the MSGRAPH integration. Typically, to activate an incident, I classify it based on a static email subject. Then, I configure the "type" to trigger the corresponding playbook. However, this approach seems limited by the ...

MF762 by L1 Bithead
  • 1006 Views
  • 1 replies
  • 0 Likes

Resolved! XDR Agent version naming convention

Hi all, I am a bit confused with the new Agent version numbers. So to be sure: Taking the naming convention into account, isn't the XDR Agent version 8.5.0.624. higher and newer then version 8.5.0.3639? 8.5.0.3639 is recently released to support the Windows 11 24H2. Does this mean that the (higher?) version 8.5.0.624 in fact does not suppo...

AbdBgc by L2 Linker
  • 1884 Views
  • 1 replies
  • 0 Likes

Resolved! Is it safe to rename Agent Installations in Cortex and retain Connection?

I was going to delete them all and start over with a new naming convention for my admins, so they are easier to find and use. But when I tried to delete them, I was warned it would disconnect anything that was installed using the generated files.Question 1: Can I rename them and retain the link to the console on computers that used the previousl...

J.Suter by L2 Linker
  • 2387 Views
  • 3 replies
  • 0 Likes

Cortex XDR Agent certificate enforcement

Hi Team, I have enabled the Cortex XDR agent settings for certificate enforcement. However, endpoints are showing as only partially protected, and the Operational Status Details indicate that certificate enforcement is disabled against policy (Failed to enable certificate enforcement due to local store fallback). Could you please help with this ...

Resolved! Network Configuration - WAN IP

Hi Community, Would it be correct to register the IP addresses of the firewall's WAN interfaces in Cortex's network configuration -> Internal IP range? I ask this question because I have a Fortigate sending the logs to Crotex and always the IP that is in the firewall is treated as an artifact and not the IP that is scanning ports of fire...

  • 2589 Posts
  • 95 Subscriptions
Top Solution Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks