Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Change in the way URL Filtering alerts are presented in Cortex XDR?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Change in the way URL Filtering alerts are presented in Cortex XDR?

L2 Linker

Hello, beginning on or about 20 July, began to see MANY more Incidents created in Cortex XDR that looked similar to this:

Incident Description: 'Threat ID #' generated by PAN NGFW detected on host <hostName> involving xyz\UserName

(note, there is NOTHING after the "#" sign)

Incident Sources: PAN NGFW

 

When looking at the Alert that caused this Cortex Incident, what you see is:
Category: "URL Filtering"
Alert Name: "Threat ID #"

 

I should not that I believe BEFORE this apparent change or bug, within Cortex XDR Alerts page we would see something like this:
Category: "URL Filtering (10082)"
Alert Name: "Threat ID #9999"

 

Are others noticing this too?
Is this the desired / expected behavior of Cortex XDR?
It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents

Is there knowledge and expectations its operating this way?

See attached screenshots

 

4 REPLIES 4

L2 Linker

I should also note I find this in the Cortex XDR Pro Administrators Guide:

KRisselada_0-1596217511434.png

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

Which doesn't seem to entirely mesh with what have been seeing.  Is the Guide correct or is the Production environment of Cortex correct?

L4 Transporter

Hi @KRisselada-

 

There very well may be adjustments to rules (analytics, bioc, etc) with each release.  For the behavior you are describing, this should not be typical.  In this instance, I recommend reaching out to support/TAC to allow our engineers to take a look. 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

thanks so much @dfalcon I did indeed create a request within the Support team and currently its been escalated to Engineering.
For those that might have / want a reference of this, its PAN Support Case 01544546.  I will share here updates if applicable.

Hi @KRisselada-

 

I can see that Jacqueline escalated the case to engineering.  I will subscribe to the case as well.


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
  • 7005 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!