Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Resolved! Cortex XDR Pro Per GB License

Hello：

Does anyone know if XDR Pro Per GB license can operate alone?
If I only want to analyze Firewall events, can I just buy a Per GB License?
Is there any documentation that can explain this?

Thank you

XDR - Printing delay all documents

Hi,
Has anyone had a delay in W11 with Cortex XDR , when trying to print, for example, a PDF
In my case, to print a simple 1mb pdf... edge opens the pdf by default... and when we do CRTL+P, we wait 1 to 2 minutes, until the preview appears and we can p

...

How to detect Cortex XDR agent stoppage if agent audit logs are being forwarded to SIEM ?

I am currently ingesting XDR agent audit logs to MS sentinel. Is there a way to identify if someone/adversary has managed to stop/disable the XDR agent ? I also want to avoid False positives by filtering out scenarios where the Host itself is powered

...

ingested data retention - 30 days

Hi guys,

I've purchased PAN-XDR-PRO-GB SKU and i've noticed we get 30 days of ingested data retention and 180 days of incident or alert retention.

Can we keep ingested data for more than 30 days? and/or incident alert retention for more than 180

...

Resolved! Policies at risk - how to accept these?

Hello dear all!

How can I accept the risk of policies, which would be needed somewhere in the future?

I do not want to delete them. Just accept the risk.

BR

Rob

Resolved! Large Upload(Generic) Microsoft Teams alerts

Hi Team,

We are receiving more alerts 'Large Upload (Generic)' generated by XDR Analytics from Microsoft Teams (ms-teams.exe) and i checked the IPs - Microsoft Corporation (ISP) and Domain -microsoft.com.

I need an answer to the following question

...

Local Malware Analysis

Hello,

Could we know the frequency with which the hosts are scanned to identify alerts in local malware analysis module?

Resolved! How can I see Agent Script Library on Cortex XDR

I would like to have the option for the Agent Script Library on my dashboard. Is it possible that higher privileges are required to access it?

some of endpoints might be exposed to risk due to report-only policies

Dear Team,

While login my Organizational XDR Console, their is attention message display - Image added.

If you guys having answer Please share to me - Thanks

Using XDR Asset Inventory and XQL to report of machines without Cortex installed

Hello All

I would like to use Asset Inventory to provide a list of each machine with os Windows and without Cortex agent installed.

The goal is to use the result in a widget for the dashboard if possible. Even better would be an api to use it with

...

USB Drives Are Blocked - Want to Enable for Certain Endpoints

Hello,

We are very new to having XDR and our onboarding was not very well done. They ended up doing everything on their own and struggling with it all; having mulitple people on the call to show our onboarder how to do things, etc... It was not ver

...

Cortex XDR XQL Query

Hi Team,

Could you please provide us with the XQL query to retrieve the reasons behind the "Agent Disconnected" and "Connection Lost" statuses from Cortex XDR? I have attempted to create a query, but I haven't obtained any results. Please assist me

...

Resolved! Summarise XQL results by hostname

Is it possible to group\count\summarise results from an XQL query by hostname rather than seeing every entry for every event?

for example:

dataset = xdr_data
| filter event_type = FILE and
actor_process_image_name contains "Something"

is there som

...

Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?

Hello dear community,

today I ran into some issues with the version mentioned above. I know it got hotfixed, but when you cannot install an upgrade and cannot uninstall the agent, I get challanged 

You need to uninstall it directly after restart,

...

Cortex XDR VM Broker Cluster and External Load Balancer

Hi All,

I have 3 Broker VMs deployed in my Google Cloud project and I want to create a cluster from them. I also want to put a load balancer in front of the cluster as mentioned in the documentation "For "active/active" applets that require load b

...

Discussions

Welcome to the Cortex XDR Discussions!

Rules and Best Practices

Resolved! Cortex XDR Pro Per GB License

XDR - Printing delay all documents

How to detect Cortex XDR agent stoppage if agent audit logs are being forwarded to SIEM ?

ingested data retention - 30 days

Resolved! Policies at risk - how to accept these?

Resolved! Large Upload(Generic) Microsoft Teams alerts

Local Malware Analysis

Resolved! How can I see Agent Script Library on Cortex XDR

some of endpoints might be exposed to risk due to report-only policies

Using XDR Asset Inventory and XQL to report of machines without Cortex installed

USB Drives Are Blocked - Want to Enable for Certain Endpoints

Cortex XDR XQL Query

Resolved! Summarise XQL results by hostname

Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that?

Cortex XDR VM Broker Cluster and External Load Balancer

Cortex XDR - API Automation

Cortex not allowing specific Bluetooth devices to connect

XDR Agent on CIE server

Regarding the End of Life for Broker VM

Stopped services Cortex 8.9.0.136780

Re: Cortex XDR - API Automation

XDR Agent on CIE server

Re: Exploits Protection interfering with browser launch

Re: monitor command line on powershell or cmd with XQL

Re: Cortex not allowing specific Bluetooth devices to connect

Unlock your full community experience!

Rules and Best Practices

Resolved! Cortex XDR Pro Per GB License

Resolved! Policies at risk - how to accept these?

Resolved! Large Upload(Generic) Microsoft Teams alerts

Resolved! How can I see Agent Script Library on Cortex XDR

Resolved! Summarise XQL results by hostname