Cortex XDR Discussions

Cortex Broker Mapper scans

We’re experiencing an issue with Cortex brokers related to the network mapper.
When we run network scans using the "ICMP Echo" flag, the scan completes successfully and everything works as expected.

However, when performing a "TCP SYN" scan on the foll

Query to see user that launched an EXE and how many times

I've been trying so many different queries and cant seem to make one that shows me what users launched an EXE and when or how many times as a count.

As an example to make it easy:

Search for everyone that executed winword.exe and show me when they did

Cortex XDR-Agent failed to generate support File - Error 13 - Error 109

Greetings,

when trying to create a Support File via Agent-GUI or CMD on a Windows Client, the Operation either crashes the Agent-Service (GUI) or Outputs the Error shown in attached Screenshot.

- Disk-Space on Client is >100GB

- Connection to Cor

File upload to open Cloud Applications

HI Team,

I'm running a test case in uploading test documents to open source Cloud applications.

I was successful, but in xdr_data and Zscaler dataset; the file uploads and file names are being shown as blank or none.

Please let me know

1. if this

XDR Analytics Data source

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailb

Alert generation / Test cases/samples for Cortex XDR protection module testing

Hello Team, 

Could anyone assist with generating alerts and creating test cases or samples for testing the Cortex XDR protection module?

We successfully generated an alert using a WildFire PE file, but we now need to generate alerts for each policy

Unpatched Vulnerabilities Protection

Hi,

I see this written in Unpartched vulnerability protection module section "Modify system settings temporarily as a workaround to protect unpatched endpoints from known vulnerabilities".

I have searched but found no details regarding this, can anyo

Any way to scan for specific Registry DWORD entries with a value of 1 under a targeted Hive?

Im trying to figure out how to write a script to search for the DWORD values of "State" and "RefCount" that = 1 in the sub folders (profiles) in the hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Then show the hostn

XDR CIE

How is CIE configured in XDR MSSP? Is it only on the parent and then shared to child tenants or can it be configured differently on each of the child tenants?

XDR Multi tenant MSSP Add on Modules

Does anybody have any details on how add on licenses (eg, Forensics,Host insights, ITDR etc) work within a Multi tenant XDR environment? Does the add on license automatically apply to all child tenants or does it have to be assigned? Does everything

User Added to Local Administrators Group XQL Query

Hi Family , 
I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the administrators group.


dataset = xdr_data
|filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728)

here

Cortex XDR 8.2+ Not Able to Uninstall - Not Showing In Programs (Windows)

TLDR; Cortex dashboard shows EOL agents on Windows machines but upgrades fail, uninstalls fail, and Cortex is not showing as an installed program. However, Cytool can be disabled/enabled.

-----

We have a few machines with outdated agents. Using the C

SLS is required for Ingesting NGFW logs?

Hello all,

I have Pro per GB in my Cortex XDR and wish to gain more visablity in Network.
Is it compulsory to have Strata Logging Service license in order to make this works?
does Strata Logging Service license comes with my Firewall subscription or do

NGFW alerts to Cortex XDR

Hi team,

I have a technical cuestion but could not find the answer in the documentation.
I assume that to ingest NGFW alerts into Cortex a Pro Per GB license is needed. The cuestion is: Is there any way to configure the ingestion of the panw_ngfw_thre