Cortex XDR report

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR report

L2 Linker

Hello Live community,

 

I have a question about the report on Cortex, i want to know if the “Infected Endpoints” comes as default in Cortex reports or if we need to configure something to show that option?

Do the widgets "incidents by source" or "Top incidents (Top 10) " display the infected Host?

 

I suppose that incidents by source will be the closest thing to infected host.

As i can understand, if the agent has created an event, it s because Cortex has done its job and prevent the host from being infected, so the host is not infected. But will we see it in the Report? Or how can we see it in the report?

 

Thanks in advance for your reply.

 

Best regards.

1 accepted solution

Accepted Solutions

Hi @RomainCouvreur-

 

The XQL xdr_data dataaset does not include alert data.  Until that dataset is exposed, the easiest way to look for the rare cases that need your attention is to filter for XDR agent and post detections in the alert table as shown below.

dfalcon_1-1610507552025.png

 

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

View solution in original post

3 REPLIES 3

L4 Transporter

Hi @RomainCouvreur-

 

I'm not sure I understand the ask.  Are you looking for a report that shows you malware events (to include the host) that need your attention?  Or do you want to see all hosts that had malware events that also may have had preventions?


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Hello David,

 

Thank you for your prompt reply.

 

We are looking for a report that shows us malware events (to include the host) that need our attention.

 

Best regards.

 

 

 

Hi @RomainCouvreur-

 

The XQL xdr_data dataaset does not include alert data.  Until that dataset is exposed, the easiest way to look for the rare cases that need your attention is to filter for XDR agent and post detections in the alert table as shown below.

dfalcon_1-1610507552025.png

 

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
  • 1 accepted solution
  • 3131 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!