07-02-2026 09:11 AM
Our Cortex XDR instance stopped generating incidents when detecting malware and other threats. (Somewhat similar to "Cortex XDR - Blocked Hashes on newer systems do not show in Incidents" - except in our case, this is across the board on all devices, for all threats and behaviors.)
(If we initiate a malware scan on the affected device, an incident is generated 🟢 for the same file that was previously blocked by Cortex with no incident. I.e., this tells us the incident creation system is not broken - rather, the usual mechanism of creating an incident upon detection or blocking is not working for some reason.)
The first assumption is that something has changed on our side - i.e., we accidentally created a policy (or deleted or disabled an existing policy) - which killed the incident generation mechanism.
The second is that something has changed on the back end without our involvement, resulting in the above change of behavior.
This seems to have occurred sometime in May 2026.
In either case - where do we go to try to figure out what happened, when, and how to fix it? (Please be gentle and patient - Cortex XDR is just a small part of things on my plate, and I will likely not understand something like "go fix your BIOCs".)
Thank you!