Security Operations
Post questions, provide answers, share best practices, and connect with peers and experts in this area dedicated to Cortex XDR, XSOAR, and Xpanse discussions.

Browse the Community

Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by showing all the alerts from all PANW products in one place, telling the full story of what actually happened in seconds, and enabling seamless response.

2608 Posts

Cortex XSOAR Discussions

Cortex XSOAR enables SOC analysts to manage alerts across all sources, standardize processes with playbooks, take action on threat intel, and automate response for any security use case.

1302 Posts

Cortex Xpanse Discussions

Cortex Xpanse builds a system of record that is the authoritative source for an organization’s global Internet assets; it knows your attack surface so you can own it before someone else.

10 Posts

Cortex XSIAM Discussions

Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

162 Posts

Cortex Cloud Discussions

Share ideas and post questions related to Cortex Cloud — the industry's most comprehensive cloud native security platform — and the compute capabilities available within it in this forum.

479 Posts

Activity in Security Operations

life of a case

Hi all, I am trying to figure out the life of a case and ran into a question I can't seem to find the documentation about: What happens when a case has been set to resolved but a new matching issue pops up? Is a new case created or is the resolved case re-opened?

Reports no longer shows the source of an incident

Hello, one of our customers pointed out that since the 5.0 update of the Cortex console, the report output has changed. Before the update, the reports always displayed the source of the incident (as highlighted in the “Before.png” file). Since the 5.0 update, as you can see in the “Now.png” file, the source of the incident is not always displayed...

C.PAPET by L0 Member
  • 236 Views
  • 1 reply
  • 0 Likes

XDR Not Recognising Hotpatches

We've started deploying Windows Enterprise Hotpatches to speed up the adoption of patches and reduce the number of reboots required. However, XDR doesn't recognise the Hotpatches and is telling us that the endpoints are still vulnerable. This is a known "limitation" according to support. What are others doing in this space please?

Azure XSIAM

How is on-boarding logs using Microsoft Azure integration different from using the Azure Event hub integration? https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-3.x-Documentation/Onboard-Microsoft-Azure https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-Logs-from-Microsoft-Azure-Event-H...

IOC Exclusion for when an IOC was denied by the FW

Hi all, so when an IOC is added for an IP address, for example, in XSIAM, and FW logs containing this IP are ingested into XSIAM, then XSIAM will auto-create an alert for this IOC regardless of whether the FW dropped or allowed it. It detects this IOC and creates an alert. Has anyone found a solution for the IOC not to trigger when the FW action has already...

PA_nts by L4 Transporter
  • 168 Views
  • 2 replies
  • 0 Likes

Resolved! Local Analysis Malware - Signed exe

Hello, we have the following case: The "Local Analysis Malware" module blocks a self-developed, unsigned tool. However, after signing the tool with our own certificate, it is no longer blocked—even though we have not added or configured this certificate in any of the policies. How can this behavior be explained? Does Cortex integrate with or ref...

M.Wempen by L0 Member
  • 329 Views
  • 2 replies
  • 0 Likes

analytics bioc tune

Hi, I'm trying to suppress false positives from native XDR Analytics BIOC detections (e.g. "Rare RDP session to a remote host") for specific machines in XSIAM 3.5. The documentation mentions Issue Exclusions under Exception Configuration, but I only see: IOC/BIOC Suppression Rules, Disable Injection and Prevention, Disable Prevention Rules. Where...

On-write file examination / cross-platform examination for Linux

Dear LIVEcommunity, has anyone been able to test out the new Linux / macOS cross-platform examination module? I created a new Linux Malware Profile and set the "On-write File Examination" for "Portable executable files (Windows)" to Enabled, applied it to a policy for my Linux endpoint, waited for the policy to apply and then copied a WildFire ...

andreal by L1 Bithead
  • 230 Views
  • 2 replies
  • 0 Likes


There is now a command: !setIncident tags="<tags to be added>", which by default adds the tags you specify. One can also add the option appendTags=False so that the tags are overwritten. So, to remove a tag, we have to check the existing tags, remove them from the list, and then add them with appendTags=False. This is not an atomic operation...
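As an added example (not from the reply above and not XSOAR's own code): the read-modify-write the reply describes, modelled in Python against an in-memory stand-in for one incident's tag list, so the non-atomicity can be shown concretely. IncidentStore is an assumption standing in for the incident record, not the demisto API; that the tags value is a comma-separated string and that appendTags=False overwrites the whole list are taken from the reply. The demo interleaves a second writer between the read and the overwrite and shows the lost update, then a re-check-before-write variant that narrows the window without closing it.

```python
"""Removing an incident tag by overwrite, and why the read-modify-write is not atomic.

Added example, not XSOAR's own code. IncidentStore is an in-memory stand-in
(assumption), not the demisto API. Tag list as comma-separated string and
appendTags=False meaning overwrite are taken from the reply.
"""


class IncidentStore:
    """In-memory stand-in for one incident's tag list (assumption: not the real store)."""

    def __init__(self, tags):
        self._tags = list(tags)

    def get_tags(self):
        return list(self._tags)

    def set_incident(self, tags, append_tags=True):
        """Mimic setIncident tags=... appendTags=...: append by default, overwrite if False."""
        new = [t for t in tags.split(",") if t]
        if append_tags:
            self._tags.extend(t for t in new if t not in self._tags)
        else:
            self._tags = new


def remove_tag_args(existing, tag):
    """setIncident arguments that drop `tag`: write everything else back with appendTags=False."""
    remaining = [t for t in existing if t != tag]
    return {"tags": ",".join(remaining), "appendTags": False}


def remove_tag(store, tag, pause=None):
    """Naive read-modify-write. `pause` lets the demo interleave another writer."""
    existing = store.get_tags()
    if pause:
        pause()
    args = remove_tag_args(existing, tag)
    store.set_incident(args["tags"], append_tags=args["appendTags"])
    return store.get_tags()


def remove_tag_with_recheck(store, tag, pause=None, retries=3):
    """Re-read just before writing and start over if the list changed in between.

    Narrows the race window but does not close it: the store offers no atomic
    update, so a writer can still slip in between the re-read and the overwrite.
    """
    for attempt in range(retries):
        existing = store.get_tags()
        if pause and attempt == 0:
            pause()
        if store.get_tags() != existing:
            continue  # someone wrote in the meantime; recompute from fresh state
        args = remove_tag_args(existing, tag)
        store.set_incident(args["tags"], append_tags=args["appendTags"])
        return store.get_tags()
    raise RuntimeError("tags kept changing; refusing to overwrite blindly")


def lost_update_demo():
    """Another automation appends 'escalated' between our read and our overwrite."""
    store = IncidentStore(["phishing", "triage"])
    # Naive path returns ['phishing']: the concurrent 'escalated' tag is lost.
    return remove_tag(store, "triage", pause=lambda: store.set_incident("escalated"))


def recheck_demo():
    """Same interleaving with the re-check: returns ['phishing', 'escalated']."""
    store = IncidentStore(["phishing", "triage"])
    return remove_tag_with_recheck(store, "triage", pause=lambda: store.set_incident("escalated"))


if __name__ == "__main__":
    print("naive:  ", lost_update_demo())
    print("recheck:", recheck_demo())
```

If tag removal has to be reliable, the practical fix is to make sure only one task or playbook path ever overwrites tags for a given incident, rather than trusting the re-check.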

Resolved! bulk close issues

Hello team, I have the following scenario of 16K open issues and I would like to perform mass closure of these open cases. Is there any way to do this? I tried to build a playbook which I give the Excel sheet of all the issue IDs and start bulk resolve, but I have a problem with it: it is very slow, I mean it takes 24 hours just to close 4K is...

Getting Cortex Copilot

Hello Team, I have been researching the Cortex Copilot functionality and would like to clarify a few points regarding availability, licensing, and compatibility. Currently, we have a Cortex XDR Pro license, and I would like to understand: How can we obtain or enable the Cortex Copilot functionality? Is there any additional license, subscription...

Suspicious executable detected Microsoft Store Purchase App

Hello everyone, Has anyone seen this process appear in Cortex XDR? C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_22603.1401.4.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe It’s showing up on an endpoint, but Cortex XDR isn’t providing any additional details, alerts, or related events. Before I dismiss it, I want to confirm whether thi...

Prisma Cloud defender agent unable to identify Red Hat back ported patches causing false positives

Hello, Wanted to throw this out here to see if anyone has run into this issue and hopefully found a solution. I have been reviewing vulnerabilities identified by the defender agent and have noticed that it is consistently unable to detect when Red Hat has back ported a patch to specific packages. It seems, despite being Certified for Red Hat ...

Redirect URL for Cortex XSOAR integration with DocuSign

When configuring the DocuSign new App and Keys for the integration with Cortex, what Redirect URL should be used? The documentation states the below. Set Redirect URI: Navigate to Additional Settings. Set the Redirect URI to https://localhost. I do get the Allow Access, but after clicking I get the error "Site cannot be reached, localhost refu...
