Cortex XDR Discussions

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Resolved! Forensics - Data Collection [A question from a Cortex XDR CS Webinar]

Do I have to collect forensic data all the time? it's sufficient to ingest data just after an incident? *Note: This question was asked during the Cortex XDR Customer Success Webinar: Uncover the Power of Forensics - Part 1

Resolved! A question from the Cortex XDR What's New in 3.7 webinar: Alert Trigger

I tried reg and cmd lines with bcdedit options to set safe mode. They didn't trigger an alert. Also booted into safe mode and didn't trigger. What is the trigger? This question was asked as part of the Cortex XDR Customer Success Webinar: What's New in 3.7

Resolved! A question from Cortex XDR Active Scanning Webinar: Failed attempt alert

Is there an alert for a failed attempt/attempts to stop the Cortex Service on an Endpoint? *Note: This question was asked as part of the Cortex XDR Customer Success Webinar: Active ScanningWe encourage you to review the webinar article for additional resources.

Resolved! A question from Cortex XDR Active Scanning Webinar: Cortex agent scan

Would you consider initiating a Cortex agent scan on a new PC as a best practice? *Note: This question was asked as part of the Cortex XDR Customer Success Webinar: Active ScanningWe encourage you to review the webinar article for additional resources.

Resolved! A question from Customer Success Office Hours: Cortex XDR Exclusions and Exceptions

What are the differences between Exclusions and Exceptions and related best practices? Cortex XDR

Resolved! A question from a Customer Success Office Hours session: Alert Exclusions

How do I filter out excluded=Yes Alerts. I'm getting emails about alerts that are already excluded?

Palo Alto Cortex XDR exclusions/exceptions use case example article for solving VPN agent interoperability issues

Hello to All, I have made an interesting article about Cortex XDR use case for using isolation exclusions/exceptions when having VPN agent that blocks network traffic based on DNS FQDN Domains: https://live.paloaltonetworks.com/t5/general-articles/xdr-isolation-exceptions-and-exclusions-use-case/ta-p/515583

Resolved! A question from the Endpoint Administration Part 2 webinar: Alert ID

We often notice alert_id out of the numerical order, chronologically, sometimes way off. It appears like XDR is detecting something later and assigning an older timestamp but a new alert_id to detection. Can someone provide some detail/explanation on this observed behavior? Note: This question was asked during a customer success webinar: Endpo...

Resolved! A question from the Endpoint Administration Part 2 webinar: Adaptive Policy

What if I want the adaptive policy to never run? Cortex should start up with adaptive_policy disabled Note: This question was asked during a customer success webinar: Endpoint Administration Part 2

Resolved! A question from the Endpoint Administration Part 2 webinar: Adaptive Policy and Agent

Will the adaptive policy cause the agent to go into a enable/disable loop when enabling/disabling components due to resource usage? Note: This question was asked during a customer success webinar: Endpoint Administration Part 2

Resolved! A question from the Endpoint Administration Part 2 webinar: Supervisor Password

Uninstall password is configured when the account is set up, is the supervisor password just our cortex password, and only works if the account has the proper permissions? Note: This question was asked during a customer success webinar: Endpoint Administration Part 2

Resolved! A question from the Endpoint Administration Part 2 webinar: XDR Agent

we have some scenarios where XDR agent services are running and show enabled in endpoints but in XDR console it shows as disconnected. What will be the major workaround for this kind of issue? Note: This question was asked during a customer success webinar: Endpoint Administration Part 2

Resolved! A question from the Endpoint Administration Part 2 webinar: XQL

Is there documentation of the queries for the built-in XQL widgets? I would like to use them as examples for custom XQL widgets for custom dashboards. Note: This question was asked during a customer success webinar: Endpoint Administration Part 2

Resolved! A question from the Endpoint Administration Part 2 webinar: Linux machines & Kernel Updates

There are some instances of Linux machines that are protected previously and then became unprotected or partially protected. As per checking on them, it was because the kernel version was upgraded to the latest version and is still not listed on the supported versions from the KB. Is it safe to say that we should just configure the policy to use...

A question from the Alert Tuning Operations Webinar: Signing level in a child process

We have a mac-device on which even a reinstalled chrome creates child processes (Google Chrome Helper) that are apparently below the signing level of the parent process. Their signatures seem to be valid. Seems like whitelisting the hash of the initiator is not the best idea. What would be the best process if a child's process is blocked due to ...