- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-31-2020 09:43 AM
Hello, beginning on or about 20 July, began to see MANY more Incidents created in Cortex XDR that looked similar to this:
Incident Description: 'Threat ID #' generated by PAN NGFW detected on host <hostName> involving xyz\UserName
(note, there is NOTHING after the "#" sign)
Incident Sources: PAN NGFW
When looking at the Alert that caused this Cortex Incident, what you see is:
Category: "URL Filtering"
Alert Name: "Threat ID #"
I should not that I believe BEFORE this apparent change or bug, within Cortex XDR Alerts page we would see something like this:
Category: "URL Filtering (10082)"
Alert Name: "Threat ID #9999"
Are others noticing this too?
Is this the desired / expected behavior of Cortex XDR?
It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents
Is there knowledge and expectations its operating this way?
See attached screenshots
07-31-2020 10:46 AM
I should also note I find this in the Cortex XDR Pro Administrators Guide:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...
Which doesn't seem to entirely mesh with what have been seeing. Is the Guide correct or is the Production environment of Cortex correct?
08-05-2020 07:20 AM
Hi @KRisselada-
There very well may be adjustments to rules (analytics, bioc, etc) with each release. For the behavior you are describing, this should not be typical. In this instance, I recommend reaching out to support/TAC to allow our engineers to take a look.
08-05-2020 07:46 AM
thanks so much @dfalcon I did indeed create a request within the Support team and currently its been escalated to Engineering.
For those that might have / want a reference of this, its PAN Support Case 01544546. I will share here updates if applicable.
08-05-2020 08:00 AM
Hi @KRisselada-
I can see that Jacqueline escalated the case to engineering. I will subscribe to the case as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!