Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Discussions

Sorted by:

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Mac Cortex XDR Upgrade causing Device Freezing

Hello,

My organisation is currently running Cortex XDR 8.6.0 on Sequoia. We're finding that when performing upgrades of the application via the Console or by Jamf that the who device will freeze for 15+ seconds.

We're in an environment where we'r

...

Resolved! XQL query for incident report

I like to get a hint how i can build simple xql query for overtime timeframe for incidents. I need to filter that data, but that kind report that i can show example monthly base report for customer. where there are data for each day

Why there are no related alerts on scanned malicious files.

Hi, we have recently malware scanned an endpoint and upon checking the results, it appears that there were 3 malicious files on the host.

Now, I tried to right click and view related alerts on the 3 malicious files and it just shows nothing. What's

...

2023-06-10 15_39_58-Action Center - Cortex XDR.png

Discrepancy Between Connected Endpoints and License Usage in Cortex XDR

Hi Team,

We have observed that the Cortex XDR management console shows a total of 385 connected and disconnected endpoints. However, the Cortex XDR license usage is showing 348. How is this possible? Please explain.

Zulu Time and Convert

so my goals is to convert a jsonextract of a few time stamps:
I want to combine them and make a total hours. so start time and expiration time = how many hours total. I cant seem to get the time formatting from a string or I am doing something wrong

...

Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

TLDR; Cortex dashboard shows EOL agents on Windows machines but upgrades fail, uninstalls fail, and Cortex is not showing as an installed program. However, Cytool can be disabled/enabled.

-----

We have a few machines with outdated agents. Using the C

...

Resolved! Best way to detect endpoints that do not yet have Cortex XDR Agent installed

Hey guys,

I am curious about if there is a way to find out which Endpoints in certain environment do not yet have XDR Agent installed.

I still two options, but had no practical experience in testing it:

1. Directory Sync with Cortex XDR. Would it dete

...

Creating a stacked bar chart using XQL

I am creating a stacked bar chart that shows the number of alerts per data source per day.
Is it possible to display the data source in the displayed graph?

The stacked bar I created shows the time.
※Whatever I select for the X-axis will be displayed

...

XQL query for vulnerability

Hi. i need to do monthly report for vulnerabilities. So how to create like a trend report for 30 days

here is just example for get count, but how to do trend report?

dataset = va_cves
| filter severity >Medium
| filter affected_hosts_count >1
| fields

...

Resolved! Study guide for PSE Professional - Cortex (XDR)

Does anyone have any kind of "study guide" or something similar that might be helpful to study for the exam?

how to uninstall a package using rescue mode in Debian

my debian server crushed, wa are unable to acces the server(VM on OVH baremetal) using ssh(hard disc), we can usig rescue mode using the root user. after investigation we found that, it is a network problem due to Cortex, now my question is is there

...

Resolved! Initiate Script on Endpoint via API call

Hi Everyone,

I've been running Powershell scripts on my endpoints from Action Center > Run Endpoint Script > Execute Commands in the XDR interface. It works well, however I need to specify a manual query to target the endpoints I want each time i.e

...

Malware Scans on Linux Endpoints

Hi Team,

Can you please confirm we can run malware scans on linux servers and linux virtual appliances? We want to create a policy in XDR to run periodic malware scans on the servers (Specially linux servers and linux virtual appliances).

Regards,
Saks

...

The USB Read-Only policy causes the USB drive to fail to mount

I have set a USB Read-Only policy under Policy Management Extensions -> Policy Rules and Profiles. When a USB drive is inserted into an endpoint, Cortex XDR triggers a notification indicating that the USB is mounted as read-only, but in reality, it i

...