Cortex XDR Known Issues

Known issues with the Cortex XDR app.
The following table describes known issues in the Cortex XDR app. Each entry gives the issue ID, the release in which the issue was addressed (where applicable), and a description.
CRTX-57553
When setting up the Broker VM on Google Cloud Platform (GCP) and a GCP image is imported using the gcloud CLI, the following command fails:
gcloud compute images import <VMDK image> --os=ubuntu-1804 --source-file="gs://<image path>" --network=<network_name> --subnet=<subnet_name> --zone=<region> --async
Until this is resolved, use the following command as a workaround:
gcloud compute images import <VMDK image> --data-disk --source-file="gs://<image path>" --network=<network_name> --subnet=<subnet_name> --zone=<region> --async
CRTX-41336
A Database Connection applet on a broker VM that is deployed in a Cortex XDR FedRAMP environment cannot connect to MySQL or MSSQL.
XDR-55313
When exporting Restriction type profile with custom indicator rules and then importing those back, the rules are no longer available.
XDR-52891, XDRSUP-11158
Addressed in Cortex XDR 3.3 release.
When remotely connecting to a broker VM directly from the Cortex XDR console or via SSH, the admin user is not automatically granted edit permissions to the static network route configuration file, /etc/network/routes. Therefore, the admin user must be granted the necessary permissions to edit the file via Palo Alto Networks support.
XDRSUP-9288
Addressed in Cortex XDR agent 7.5.1.
Mismatching time units can cause a policy delay period calculation to be incorrect.
XDR-42320
When building a query in XQL Search to view events generated by a Windows machine using the host_firewall_events dataset, you must filter for both the os_type = NULL and the os_type = ENUM.Windows values to include events generated prior to version 3.1:
dataset = host_firewall_events | filter os_type = NULL or os_type = ENUM.Windows
All events generated after version 3.1 are returned when filtering for os_type = ENUM.Windows only:
dataset = host_firewall_events | filter os_type = ENUM.Windows
XDR-42000
Addressed in Cortex XDR 3.3 release.
When using the broker VM applets for a Files and Folders Collector in Batch mode or an FTP Collector to collect logs from files and folders, a maximum file size of 500 MB is supported.
CPATR-15036
Cortex XDR only supports stitching Windows login event logs into stories for machines running Windows 8.1 or later.
XDRSUP-6171, CPATR-14895
Addressed in the following releases: Cortex XDR 7.5.1 Hotfix 1, Cortex XDR 7.4.3 Hotfix 1, Cortex XDR 7.3.4 Hotfix 1, Traps 6.1.8 Hotfix 1, Traps 6.1.7 Hotfix 1, and Traps 5.0.12 Hotfix 1.
Cortex XDR agents running on endpoints that do not trust the “GlobalSign Root CA” certificate may encounter issues downloading upgrade packages and content updates; verdict retrieval for large scans may also be affected.
  • Manual workaround: Add the “GlobalSign Root CA” certificate to the trusted root store on the endpoint.
  • Server workaround: Provide the endpoint details to the Cortex XDR support team.
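As an added check, not part of the Palo Alto Networks documentation, the following PowerShell snippet verifies whether a Windows endpoint already trusts the GlobalSign Root CA before you apply the manual workaround. It assumes a Windows endpoint and matches on the certificate subject name rather than a specific thumbprint.

```powershell
# Added example: look for the GlobalSign Root CA in the machine-wide trusted
# root stores of a Windows endpoint. Assumes Windows; matches on subject name.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
$found  = Get-ChildItem -Path $stores |
          Where-Object { $_.Subject -like '*CN=GlobalSign Root CA*' }

if (-not $found) {
    Write-Warning "No 'GlobalSign Root CA' certificate found in $($stores -join ', ')."
    Write-Warning 'The Cortex XDR agent may fail to download upgrades or content updates; apply the manual workaround.'
    exit 1
}

# Report each matching certificate with its thumbprint, subject and validity.
foreach ($cert in $found) {
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0}  {1}  expires {2:yyyy-MM-dd} ({3})' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $state
}
```

On endpoints where Windows automatic root certificate updates are enabled, a missing root can still be fetched on first use; on isolated endpoints it cannot, which is when the manual workaround applies.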
XDR-26202
Events from Windows Event Forwarding (WEF) clients that are added after you receive a notification to renew your WEC CA certificate will not be collected by the server until the WEC certificate renewal process is complete. As a result, we recommend that you do not add any new WEF clients between receiving the notification and the renewal of the WEC certificates.
XDR-36171
Addressed in Cortex XDR 3.0 release.
Whenever the CSV Collector in the broker VM checks for new CSV files in the Windows directory, the applet appends the data to the dataset instead of replacing it. This will be fixed in an upcoming release.
XDR-30122
When your XQL query includes a filter whose value is an exponential number, the filter can sometimes fail to work as expected, including returning no results.
XDR-29975
Addressed in Cortex XDR 2.8 release.
Creating a featured user from an AD group does not support the partial (NT) domain name format.
XDR-29668
Addressed in Cortex XDR 2.7 release.
Datasets that use field names that are XQL reserved keywords cause parsing issues. If a field name is a reserved keyword, surround the field name with backticks when using it in a query. For example:
dataset = okta_sso_raw | filter `target` = abc
The UI autocomplete feature of the XQL Search screen adds the backticks for you as necessary.
XDR-29691
Cortex XDR calculates CVEs for applications according to the application version, and not according to application build numbers.
XDR-28822
Addressed in Cortex XDR 2.7 release.
When you build an XQL Search query and try to use the helper to add a date or time filter to your query, the app begins a new filter line instead of adding the selected date and time.
XDR-26222
Addressed in Cortex XDR 2.7 release.
The Incident by Severity widget does not display the time frame of the collected incidents.
XDR-26045
In rare cases, the process event server and agent timestamp values are not aligned, which prevents Cortex XDR from displaying time information in the Causality View.
XDR-24917
Addressed in Cortex XDR 2.9 release.
When you edit a BIOC rule but introduce invalid logic, Cortex XDR does not validate the logic and saves the invalid BIOC. As a result, Cortex XDR cannot raise BIOC alerts using the rule.
XDR-26677
Addressed in Cortex XDR 2.9 release.
For MSSPs, when navigating across pages in the Cortex XDR management console, the selected tenant reverts to the default parent tenant.
XDR-21780
Backwards scan is not supported when generating a BIOC from the Native Search.
CPATR-10766
After a Microsoft Windows patch (KB) is uninstalled from the endpoint, the Cortex XDR agent continues to report this KB to Cortex XDR. As a result, the CVEs list for the endpoint in Vulnerability Management cannot be updated to include the CVEs addressed by the uninstalled KB.