Hello, beginning on or about 20 July, began to see MANY more Incidents created in Cortex XDR that looked similar to this:
Incident Description: 'Threat ID #' generated by PAN NGFW detected on host <hostName> involving xyz\UserName
(note, there is NOTHING after the "#" sign)
Incident Sources: PAN NGFW
When looking at the Alert that caused this Cortex Incident, what you see is:
Category: "URL Filtering"
Alert Name: "Threat ID #"
I should note that I believe BEFORE this apparent change or bug, within the Cortex XDR Alerts page we would see something like this:
Category: "URL Filtering (10082)"
Alert Name: "Threat ID #9999"
Are others noticing this too?
Is this the desired / expected behavior of Cortex XDR?
It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents.
Is there knowledge and expectation that it's operating this way?
See attached screenshots
I should also note I find this in the Cortex XDR Pro Administrators Guide:
Which doesn't seem to entirely mesh with what I have been seeing. Is the Guide correct or is the Production environment of Cortex correct?
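The two alert formats quoted in the post (the earlier "URL Filtering (10082)" / "Threat ID #9999" and the later "URL Filtering" / "Threat ID #" with nothing after the "#") can be told apart mechanically, which helps when triaging a batch of these incidents or quantifying how many lack a threat ID before opening a support case. The following is an added example, not code from the post or from Palo Alto Networks; it assumes the alert's source, category and alert name have been exported as plain strings (for instance from a CSV export of the Alerts page) and uses constructed sample records.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Patterns for the two formats described in the post:
#   earlier: Category "URL Filtering (10082)", Alert Name "Threat ID #9999"
#   later:   Category "URL Filtering",         Alert Name "Threat ID #"  (ID missing)
CATEGORY_RE = re.compile(r"^(?P<category>.+?)(?:\s*\((?P<cat_id>\d+)\))?\s*$")
ALERT_NAME_RE = re.compile(r"^Threat ID #(?P<threat_id>\d*)\s*$")


@dataclass
class ParsedAlert:
    category: str
    category_id: Optional[int]       # numeric id in parentheses, if present
    is_threat_id_alert: bool         # alert name follows the "Threat ID #..." form
    threat_id: Optional[int]         # digits after the "#", if any

    @property
    def missing_threat_id(self) -> bool:
        # Only a "Threat ID #" alert with nothing after the "#" counts as missing
        return self.is_threat_id_alert and self.threat_id is None


def parse_alert(category: str, alert_name: str) -> ParsedAlert:
    """Split category/alert-name strings into their components."""
    cm = CATEGORY_RE.match(category.strip())
    cat = cm.group("category").strip() if cm else category.strip()
    cat_id = int(cm.group("cat_id")) if cm and cm.group("cat_id") else None

    am = ALERT_NAME_RE.match(alert_name.strip())
    is_tid = am is not None
    tid = int(am.group("threat_id")) if am and am.group("threat_id") else None
    return ParsedAlert(cat, cat_id, is_tid, tid)


def find_alerts_missing_threat_id(records: Iterable[dict]) -> List[Tuple[dict, ParsedAlert]]:
    """Return the PAN NGFW alerts whose name reads 'Threat ID #' with no number."""
    hits = []
    for rec in records:
        if rec.get("source") != "PAN NGFW":
            continue
        parsed = parse_alert(rec["category"], rec["alert_name"])
        if parsed.missing_threat_id:
            hits.append((rec, parsed))
    return hits


def summarize(records: Iterable[dict]) -> dict:
    """Count PAN NGFW 'Threat ID #' alerts with and without a numeric id."""
    counts = {"threat_id_alerts": 0, "with_id": 0, "missing_id": 0}
    for rec in records:
        if rec.get("source") != "PAN NGFW":
            continue
        parsed = parse_alert(rec["category"], rec["alert_name"])
        if not parsed.is_threat_id_alert:
            continue
        counts["threat_id_alerts"] += 1
        if parsed.missing_threat_id:
            counts["missing_id"] += 1
        else:
            counts["with_id"] += 1
    return counts


# Constructed sample records (not real alert data); values mirror the post's two formats
SAMPLE_ALERTS = [
    {"source": "PAN NGFW", "category": "URL Filtering (10082)", "alert_name": "Threat ID #9999"},
    {"source": "PAN NGFW", "category": "URL Filtering", "alert_name": "Threat ID #"},
    {"source": "XDR Agent", "category": "Malware", "alert_name": "Threat ID #"},
    {"source": "PAN NGFW", "category": "Vulnerability (30001)", "alert_name": "Some other signature"},
]

if __name__ == "__main__":
    for rec, parsed in find_alerts_missing_threat_id(SAMPLE_ALERTS):
        print(f"missing threat id: category={parsed.category!r} name={rec['alert_name']!r}")
    print(summarize(SAMPLE_ALERTS))
```

Run against an export covering the period before and after 20 July and the `missing_id` count per day shows whether the empty "Threat ID #" names started at a single point in time, which is the kind of evidence support/TAC will ask for.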
There very well may be adjustments to rules (analytics, bioc, etc) with each release. For the behavior you are describing, this should not be typical. In this instance, I recommend reaching out to support/TAC to allow our engineers to take a look.