Security Operations
Post questions, provide answers, share best practices, and connect with peers and experts in this area dedicated to Cortex XDR, XSOAR, and Xpanse discussions.

Browse the Community

Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by letting them view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and enabling a seamless response.

2623 Posts

Cortex XSOAR Discussions

Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

1304 Posts

Cortex Xpanse Discussions

Cortex Xpanse builds a system of record that is the authoritative source for an organization’s global Internet assets; it knows your attack surface so you can own it before someone else.

10 Posts

Cortex XSIAM Discussions

Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

169 Posts

Cortex Cloud Discussions

Share ideas and post questions related to Cortex Cloud — the industry's most comprehensive cloud native security platform — and the compute capabilities available within it in this forum.

479 Posts

Activity in Security Operations

Open Telemetry - OTLP

Has any XSIAM tenant had a plan to utilize OpenTelemetry Collectors to populate data into a VM Broker or any other method to utilize logs sourced via OTLP? Technically could convert the OTLP to syslog out to VMBroker but not sure yet what is lost in that.

no incidents generated since May 20?

Our Cortex XDR instance stopped generating incidents when detecting malware and other threats. (Somewhat similar to "Cortex XDR - Blocked Hashes on newer systems do not show in Incidents" - except in our case, this is across the board on all devices, for all threats and behaviors.) (If we initiate a malware scan on the affected device, an incide...

Cortex XDR and Microsoft Defender Coexistence and Performance

Hello Cortex XDR Community, We recently were asked to have official guidance regarding the coexistence of Cortex XDR Agent and Microsoft Defender on Windows endpoints. My questions to the community and experts are: - Is the coexistence of Cortex XDR and Microsoft Defender Antivirus officially supported? - Is the coexistence of Cortex XDR and Micr...

Orphaned Cortex XDR Agent enforcing USB read-only on personal laptop

Hello, I have a personal Windows 11 Pro laptop with Cortex XDR Agent 9.2.0 installed. The agent is no longer connected to any management server and the GUI shows: Connection: No connection to server However, Device Control is still active. Every time I connect my Samsung T7 Shield external SSD, I receive the notification: "Cortex XDR | Device Co...

Resolved! Not seeing Cortex MCP Server Download

Hi all the Cortex MCP Server download under Settings → Configurations shows on commercial tenants but is missing entirely on our FedRAMP / Federal tenant (not a permissions issue). Is it on the roadmap for Federal environments, and is there an expected timeline for rollout? Thanks!

DLP (DataPatrol) signed DLL injection into Word blocked by agent — permanent exception?

Our DLP watermarks documents by injecting a signed DLL into WINWORD.EXE on print. The Cortex agent blocks the injection — page prints with no watermark, DLL never loads. Works fine with the agent removed. Persists in Report mode, generates no alert/prevention event. Tried a Disable Prevention rule (signer + thumbprint, all modules, global) — no ...

Resolved! Protection Mode for Linux Modules

When configuring Reverse Shell Protection and Malicious Child Process Protection there's an option to configure the protection mode. Default is "normal" but we could choose "aggressive" too. There's no documentation. Does anyone know the difference between protection modes for these Linux modules? Is it the same as in the ransomware protection modu...

micomi by L3 Networker
  • 138 Views
  • 1 replies
  • 0 Likes

Anyone else having XDR communication problems?

Starting later in the day on June 24, we started seeing endpoints show 'No connection to server' when opening the Cortex console on the endpoint. Endpoint tasks like collect firewall logs, pause protection and live terminal all fail. Some systems show that they ARE connected to our tenant, but trying to live terminal into them fails.

Cortex XDR and Sandboxie

Hello, We have installed Cortex XDR on a VM that also runs a sandbox tool (Sandboxie). As long as Cortex XDR is enabled, processes cannot be started within the sandbox (e.g., msedge.exe, cmd.exe, explorer.exe). It only works if I create a "Disable Injection and Prevention" rule for these processes. How can I resolve this permanently? I suspect...

M.Wempen by L1 Bithead
  • 228 Views
  • 2 replies
  • 0 Likes

Any specific post-installation procedure / configuration required to make sure the protection is running on Mac without affecting performance?

Dear All, Having a few MacOS devices (iMac, MacBook Pro) installed with Cortex XDR agent v9.2.0 for piloting (procedure follow through https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/9.2/Cortex-XDR-Agent-Administrator-Guide/Install-the-Cortex-XDR-Agent-Manually) They are running on monitoring (without blocking on "malware profile" and ...

Operational Exception without Case

We are currently facing an issue with a Windows service. This service only functions properly after we add a specific executable (.exe) to the Operational Agent Exceptions. We haven’t seen any corresponding case or alert in the console, meaning Cortex XDR is not actively blocking anything. This raises the following questions: 1) Wildcards in Op...

M.Wempen by L1 Bithead
  • 355 Views
  • 1 replies
  • 0 Likes

Resolved! XDR agent disconnected after automatic upgrade

After automatic upgrade is performed an endpoint now is disconnected with this message: XDR Agent failed to upgrade from version 9.1.0.20483 to version 9.2.0.120 on 79433PC with error: The content package was faulty or could not be downloaded. Is there a way to reconnect it to XDR console?