02-09-2026 09:07 AM
Cortex XDR 5.0 tenant. What's your opinion?
02-09-2026 10:58 AM
Hello @tlmarques ,
Greetings for the day.
Branding Change:
Upon upgrading to version 5.0, the tenant branding and GUI may change from Cortex XDR to Cortex Cloud. This change is often tied to specific license associations.
Unified Platform:
Version 5.0 is part of the Unified Platform (versions 4.x and higher). This platform is distinct from the Legacy Platform (version 3.x).
Automatic Upgrade for 4.x Tenants:
Management Console upgrades to version 5.0 are performed automatically by Palo Alto Networks for tenants already running on the Unified Platform (4.x).
Legacy Tenants (3.x):
Tenants currently on version 3.x cannot upgrade directly to version 5.0 through standard automated rollouts. These tenants must first undergo a platform migration to transition to the Unified Platform (4.x) before becoming eligible for version 5.0.
Multi-tenant / MSSP Environments:
Multi-tenant and MSSP environments are prioritized for the version 5.0 upgrade regardless of endpoint count. Smaller standalone tenants (typically under 2,000 endpoints) may remain on version 3.17 for an extended period.
Initial Performance Issues:
Shortly after the initial rollout of version 5.0, some customers experienced Web UI loading failures, degraded performance in the Cases and Incidents views, and HTTP 400 (Bad Request) errors.
Resolution:
These issues were identified as server-side problems related to the 5.0 upgrade. A fix was deployed on January 25th, restoring normal UI functionality and performance.
No Manual Upgrade Trigger:
Tenant-level upgrades are fully managed by Palo Alto Networks and delivered through phased rollout waves. There is no manual upgrade option available to customers.
Upgrade Notification:
When an upgrade is scheduled, a banner appears in the management console. Administrators can select View Upgrade Details to see the scheduled window or Upgrade Now if an upgrade window has been pre-allocated.
Cortex XDR 5.0 introduces a transition to the Cortex Cloud unified interface. While early rollout phases encountered UI performance issues, these were resolved through server-side updates. The most important factor in determining upgrade eligibility and timing is whether the tenant is on the Legacy Platform (3.x) or the Unified Platform (4.x).
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
02-09-2026 11:16 AM
Hi @susekar ,
I think some of the new features, like AI and agents, are interesting. However, the navigation has become more “complex” and it’s now harder to see the logs and understand what actually happened.
In version 3.X, there were simpler menus that made it easier to view things without too many clicks.
This is when you want to see detailed logs or the event in more detail.
It’s true that now, on the first screen, we can immediately get a macro view of what triggered the alert, but to get to the important logs and all the steps that were taken, there are more clicks.
02-10-2026 01:31 AM
Either there is an issue with the upgrade on my tenants or it is a seriously incomplete version.
On some pages, the old UI and the new UI are overlapping. It gets stuck on the AI Loading screen and won't open. Playbooks and Marketplace are there, but there's nothing predefined inside them.
Also, my tenant was on version 3.x. I received an update to version 5 without ever seeing version 4. I think it was a very rushed transition.
02-10-2026 05:22 AM
Hello @tlmarques ,
Thank you for the response.
The evolution of the Cortex XDR interface from version 3.X to the current platform design focuses on a drill-down philosophy intended to provide a macro-level overview for immediate triage while housing deep forensic data within specific investigation views. While this may initially feel like it requires more clicks, several features are specifically designed to streamline access to logs and the overall “story” of an event.
To reduce clicks and maintain context while investigating, customers should utilize the following interface capabilities:
Mailbox (Detail) View:
This layout splits the incident screen into two panes. The left pane lists incidents, while the right pane displays the details of the selected incident. This allows analysts to view incident context, alerts, and summaries without navigating away from the main list.
Forensics Highlights:
In the Causality Card view, the Forensics Highlight screen acts as a visual tool to categorize and emphasize the most critical artifacts such as alerts, files, domains, URLs, and IP addresses. This prevents analysts from having to search through complex process graphs for key data points.
Quick Launcher:
Available as an in-context shortcut from anywhere in the console, it allows users to search for information and perform common investigation tasks without manual menu navigation.
To understand the specific steps an actor took (the micro view), analysts should leverage the following paths:
Causality Chain:
Instead of manually correlating individual log entries, Cortex XDR automatically connects events into a causality chain. This presents the sequence of activity—such as process execution, network connections, and file modifications—that led to an alert.
Alert Insights vs. Raw Data:
The Alert Insights page provides a simplified summary for rapid triage.
To access detailed telemetry or “important logs,” analysts can right-click an alert and select Investigate Causality Chain or View Correlated Events to jump directly into the raw XQL event data.
Debug Alert (Advanced):
For the most granular technical details, analysts can hold the Alt key while right-clicking an alert and selecting Debug Alert to view the underlying JSON structure.
The current interface is built around the concept of causality, with the goal of presenting security events as a coherent story. By aggregating large volumes of telemetry into incidents and causality chains, the platform minimizes noise and helps analysts focus only on data that is relevant to the investigation.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
02-10-2026 06:02 AM
Has anyone tried to use Live Terminal?
We now have to enter a "reason", otherwise the Connect button is greyed out.
I get it, audit purposes and all. BUT.
By trial and error I found out that you need at least 20 characters to unlock the Connect button.
Thank me later...
02-10-2026 06:57 AM
There is a new option for making live terminal reason optional.
Settings > Configuration > Agent Configuration
Go to the bottom of the page.
There is "Require Reason for Live Terminal" option. I didn't try to disable it but I think this will fix your issue.
02-10-2026 10:33 AM
You can try and check the result.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
02-14-2026 02:04 AM
Disastrous and raw update.
Not to mention that it broke case creation and BIOCs (we've created support tickets on that), but it seems that no one who actually uses Cortex XDR has tested the user experience of the new version.