This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XDR Discussions
Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.
About Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Please note: All postings in LIVEcommunity are visible to other users; please keep your network secure by refraining from posting live IP address’s or domain names here. Contact your Customer Success team for network-specific questions.

Discussions

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4321 Views
  • 0 replies
  • 3 Likes

Resolved! OS Fingerprinting feature in Distributed Network Scan (Pro version)

Hi All,We are using XDR Pro version with agent version 8.2. I am curious about this OS fingerprinting feature under Distributed Network scan setting in Agent profile. I have already configured Network Location Configuration and also configured other things as shown in the attached screenshot. I was hoping it would return the OS type/version of o...

XDR Screenshot.png
network loc config.png

cyvrtrap.dll causing spoolsv.exe crashes?

We updated Cortex XDR agent on a number of VMs and on some of them the Print Spooler service (spoolsv.exe) started crashing repeatedly, causing disruptions to operations. Is this a known issue? Are there available workarounds or ways to resolve it short of downgrading the agent? Sample events: Log Name: Application Source: Applicat...

kindzma by L2 Linker
  • 5390 Views
  • 9 replies
  • 2 Likes

Partially Protected - Operational Status Data

Hi! I have a machine with Operational Status Data as: Xdr Data Collection Not Running Or Not Sent Module is disabled by Adaptive Policy Btp Not Working Module is disabled by Adaptive Policy How can I remediate this machine so that its status will be back to Protected? Thanks!

ndrmndz by L0 Member
  • 10866 Views
  • 4 replies
  • 0 Likes

From the Incidents page to the Alerts table, can you use/share those filters to make Automation rules?

I have created some filters (via the Alerts table) while doing some investigations. It ended up being useful and needing an automation rule. However, when I went to the automation page and looked at the filters, they were blank. I shared the filters within the Alerts table, and they still weren't there. Is there a way to share/Import or copy ...

A.Duscio by L0 Member
  • 1144 Views
  • 1 replies
  • 0 Likes

Resolved! XDR Log and Quarantine Disk Space Retention

Hello- Does anyone know the following details to how the product manages the retention for logs and quarantine?I understand you can set the log quota to a specific size. This will leverage that on local disk. What I am not clear on are the following items.What types of log data are included in this quota (some or all)?How does the product "cle...

Cortex XDR XQL Query

Hi, I wanna sort my query as operational_status in (UNPROTECTED, PARTIALLY_PROTECTED) everyday (Like from Monday to Sunday Statistics) My query looks like this config case_sensitive = false | dataset = endpoints | filter operational_status in (UNPROTECTED, PARTIALLY_PROTECTED) | comp count(endpoint_name) as Number_of_endpoints

XQL Query to find all Mac_OS endpoints and return the version of Netskope installed on the hosts.

I am new to using xql and I am having trouble getting the information I need using a search query. I need to pull a list of all Mac_OS hosts and then within the applications field return the version of NetSkope installed on the client. I have started with the following query which returns the basic data, but I am lost as to how to extract the in...

Resolved! LSASS creating a cache1.bin on appdata

We have an alert on 2 different device that LSASS is creating a cache1.bin on app data. All are created by NT\SYSTEM Location detected C:\Users<my username>\AppData\Local\Microsoft\Windows\SFAP\cache1.bin C:\Windows\ServiceProfiles\UIFlowService\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrvX64\AppDa...

Winget Command

Hello dear Community, I have the following problem: I can’t use the Win-Get command on the XDR terminal in Cortex. Can someone help me to make this command executable on the PowerShell XDR terminal.

FRafuna_0-1723637086115.png
F.Rafuna by L0 Member
  • 3052 Views
  • 3 replies
  • 1 Likes

Cloud Identity Engine

Hi Community, We have integrated the Cloud Identity Engine into the environment. Currently, the Palo Alto Hub page shows the Cloud Identity certificate expiring in a month. We checked the Palo Alto article https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/manage-the-cloud-identity-agent/manage-cloud-ident...

Resolved! json_extract_array do not return result

I've got json like below and trying to extract each key_name via json_extract_array but getting empty column vendor query is dataset = host_inventory | fields application as aps | alter vendor = json_extract_array(to_json_string(aps),"$.key_name") [ { "identifier": null, "install_date": "2021-01-12", "installed_for_sid": "global"...

XDR Agent 8.5.0.2457 on macos 14.5

Hi community, After my laptop upgrade to the last version of xdr agent i get the following: Randomly the system looks as if it's loading and after a few seconds it's back to normal. the machine doesn't crash but the mouse keeps showing the hourglass (as if it's doing something) and the prompt is no longer active. anyone with this issue ?

LEYA-DSI by L1 Bithead
  • 1721 Views
  • 4 replies
  • 0 Likes
  • 2586 Posts
  • 95 Subscriptions
Top Solution Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks