Cortex XDR Discussions

Cortex XDR allows you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view ALL the alerts from all PANW products in one place, telling the full story of what actually happened in seconds and allows seamless response.

Discussions

Sorted by:

Start a conversation

Welcome to the Cortex XDR Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Cortex XDR-Extensions Policy Rules

Hello Everyone,

He have a policy management in the extension policy rules to Block the USB in the workstation. Now we find a issue with samsung mobile, when the device is connected and mass storage is allowed it skips the policy and for some reason

...

High Memory Usage Due to Cortex Telemetry Backlog

I'm experiencing high memory usage issues on some endpoints, and about 99% of it appears to be caused by Cortex.

Why does this happen?
Cortex consumes telemetry in real time. However, if it fails to send the telemetry from the machine to the Cortex ga

...

Rule hidden_imgs

Hello Everyone,

The cortex agent is blocking a legitimite file which is hidden. What is the solution of this. The alarm is also not generated in cortex xdr.
Thanks for your help

Cortex xdr agent distributed network scan

Hi Team,

We have enabled the Cortex XDR agent's distributed network scan, and we are getting successful results in the XDR Management Console. Our question is: Which port is used by the XDR agent to identify unmanaged assets

cortex xdr custom xql query to view server operational status

hi,

Most of the customer who uses paloalto cortex xdr want to visualize the server operational status in a dashboard in that case use below query as follows,

"dataset = endpoints | filter operating_system contains "windows server" or operating_syst

...

Cortex XDR along with Defender for endpoint Compatibility

Does anyone have a list of guidelines to follow when running cortex xdr (Report mode) in parallel with defender (active mode) for workstations as well as servers? Do i need to do any exclusions/whitelisting? Do I need to disable any features in XDR t

...

get_incidents filter by status question

Hi all!

I see the docs (https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents) for get_incidents lists only eq/neq operators for the field 'status' and when implementing a new filter model for this endpoint I noticed we a

...

Resolved! XQL Creation time filter

dataset = alerts

I need to filter alerts using XQL. However, when I use the above query in the usual format, it filters alerts based on the last update time. What I actually need is to filter alerts based on their creation time. How can I

...

BIOC Rule Through XQL vs Builder

Here is my BIOC Rule using XQL.

dataset = xdr_data
| filter event_type = ENUM.FILE
| filter agent_hostname = "XXXXX"
| filter action_file_path = "D:\XX\YY\*"
| filter event_sub_type = ENUM.FILE_RENAME OR event_sub_type = ENUM.FILE_REMOVE OR event_sub_

...

Resolved! Join two datasets and count how many times a host appears, even if zero

Let's say I have a dataset with list of hostnames, for ex:

cphost cpcluster_name cphost_role
one.example.com Test Subscriber
two.example.com Test Subscriber
three.example.com Test Subscriber
four.example.com Test Subscriber

And another dataset with R

...

Question around unsigned binaries and Cortex XDR agent detections

Hi folks,

I've been administering Cortex XDR pro for a few years now and just lately in the last 3-4 months we've noticed that unsigned binaries that just got created(usually some of our internal developers testing builds) aren't automatically bloc

...

Monitoring the Cloud Identity Engine

Does anyone have a good method for generating an alert if the Cloud Identity Engine has failed to perform an on-prem or Azure sync in the last 24 hours?