User Added to Local Administrators Group XQL Query

Hi Family , 
I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the administrators group.


dataset = xdr_data
|filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728)

here

Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

TLDR; Cortex dashboard shows EOL agents on Windows machines but upgrades fail, uninstalls fail, and Cortex is not showing as an installed program. However, Cytool can be disabled/enabled.

-----

We have a few machines with outdated agents. Using the C

SLS is required for Ingesting NGFW logs?

Hello all,

I have Pro per GB in my Cortex XDR and wish to gain more visablity in Network.
Is it compulsory to have Strata Logging Service license in order to make this works?
does Strata Logging Service license comes with my Firewall subscription or do

NGFW alerts to Cortex XDR

Hi team,

I have a technical cuestion but could not find the answer in the documentation.
I assume that to ingest NGFW alerts into Cortex a Pro Per GB license is needed. The cuestion is: Is there any way to configure the ingestion of the panw_ngfw_thre

Process Explorer Triggering Cortex XDR Alert – Clarification Needed

Hi,

When our system administration team uses Process Explorer (Microsoft version), Cortex XDR  does not block the execution, but it generates alerts/incidents.

Alert Details:

• Alert Name: Impair Defenses - 3645069560

• Description: A tampering-capable

XDR 7.6.1 seems to ignore exception

Hi, Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive)

I've created a global exception for that issue and checked-in client but XDR still blocks this executable.

In client log I read th

[Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

Dear Everyone,

My customer has a requirement: they would like the Cortex XDR Agent to detect and block multiple specified C2 IP addresses.
I would like to ask if anyone has encountered a similar case or has any relevant experience to share.

Currently,

Cortex xdr agent distributed network scan

Hi Team,

We have enabled the Cortex XDR agent's distributed network scan, and we are getting successful results in the XDR Management Console. Our question is: Which port is used by the XDR agent to identify unmanaged assets

bulk broker vm modifications

Hello,

we did a tenant migration and for some reason a lot of broker VM settings are still pointing to the old one.

We were wondering if it was possible to change the settings for it in bulk.

Thank you for your inputs.

Cortex XDR Get Incident API function 'hosts':None

I'm currently testing the api for Cortex XDR, in particular the 'get_all_incidents' function under '/public_api/v1/incidents/get_incidents' url.

Reference : https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents

While test

XQL Incident Count Doesn’t Match UI Incident Count — Same Date Range

Hi everyone,

I’m working on a report using Cortex XQL to count incidents created between March 15 and March 31, 2025.

Here’s the query I’m using:

Cortex XDR Process Exclusions

We are deploying Cortex XDR to Windows servers initially in Report only mode and seeing memory Utiliziation on some servers ranging 500 MB- 1.2 GB. Is this considered to be normal?

Advise we receive was that we don't need to exclude ceritan process