Change in the way URL Filtering alerts are presented in Cortex XDR?

L2 Linker

Hello, beginning on or about 20 July, I began to see MANY more Incidents created in Cortex XDR that looked similar to this:

Incident Description: 'Threat ID #' generated by PAN NGFW detected on host <hostName> involving xyz\UserName

(Note: there is NOTHING after the "#" sign.)

Incident Sources: PAN NGFW


When looking at the Alert that caused this Cortex Incident, what you see is:
Category: "URL Filtering"
Alert Name: "Threat ID #"


I should note that I believe, BEFORE this apparent change or bug, within the Cortex XDR Alerts page we would see something like this:
Category: "URL Filtering (10082)"
Alert Name: "Threat ID #9999"


Are others noticing this too?
Is this the desired / expected behavior of Cortex XDR?
It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents.

Is there knowledge and an expectation that it's operating this way?

See attached screenshots.


L2 Linker

I should also note I find this in the Cortex XDR Pro Administrators Guide:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

This doesn't seem to entirely mesh with what I have been seeing. Is the Guide correct, or is the Production environment of Cortex correct?

L4 Transporter

Hi @KRisselada-


There very well may be adjustments to rules (analytics, BIOC, etc.) with each release. For the behavior you are describing, this should not be typical. In this instance, I recommend reaching out to support/TAC to allow our engineers to take a look.


David Falcon
MDR Systems Engineer, Cortex
Palo Alto Networks®
L2 Linker

Thanks so much @dfalcon. I did indeed create a request within the Support team, and currently it's been escalated to Engineering.
For those that might have/want a reference for this, it's PAN Support Case 01544546. I will share updates here if applicable.

L4 Transporter

Hi @KRisselada-


I can see that Jacqueline escalated the case to engineering. I will subscribe to the case as well.


David Falcon
MDR Systems Engineer, Cortex
Palo Alto Networks®