Cortex XDR Known Issues

Known issues with the Cortex XDR app.
The following table describes known issues in the
When setting up the Broker VM on Google Cloud Platform (GCP) and importing a GCP image with the gcloud CLI, the following command fails.
gcloud compute images import <VMDK image> --os=ubuntu-1804 --source-file="gs://<image path>" --network=<network_name> --subnet=<subnet_name> --zone=<region> --async
Until this is resolved, use the following command as a workaround.
gcloud compute images import <VMDK image> --data-disk --source-file="gs://<image path>" --network=<network_name> --subnet=<subnet_name> --zone=<region> --async
The Database Connection applet on a broker VM deployed in a Cortex XDR FedRAMP environment cannot connect to MySQL and MSSQL.
When exporting a Restriction type profile with custom indicator rules and then importing it back, the rules are no longer available.
XDR-52891, XDRSUP-11158
Addressed in Cortex XDR 3.3 release
When remotely connecting to a broker VM directly from the Cortex XDR console or via SSH, the admin user is not automatically granted edit permissions to the static network route configuration file. Therefore, the admin user must be granted the necessary permissions to edit the file through Palo Alto Networks support.
Addressed in Cortex XDR agent 7.5.1 version
Fixed an issue where mismatched time units could cause the policy delay period to be calculated incorrectly.
When building a query in XQL Search to view events generated by a Windows machine using the host_firewall_events dataset, you must filter for both the os_type = NULL and the os_type = ENUM.Windows values to include events generated prior to version 3.1 (older agents leave os_type empty). Note that the two conditions apply to the same field, so they must be combined with or, not and:
dataset = host_firewall_events | filter os_type = NULL or os_type = ENUM.Windows
All events generated after version 3.1 are available when filtering only for os_type = ENUM.Windows:
dataset = host_firewall_events | filter os_type = ENUM.Windows
Addressed in Cortex XDR 3.3 release
When using the broker VM applets in Files and Folders Collector mode or FTP Collector mode to collect logs from files and folders, a maximum file size of 500 MB is supported.
Cortex XDR only supports stitching Windows login event logs into stories for Windows 8.1 or later machines.
XDRSUP-6171, CPATR-14895
Addressed in the following releases: Cortex XDR 7.5.1 Hotfix 1, Cortex XDR 7.4.3 Hotfix 1, Cortex XDR 7.3.4 Hotfix 1, Traps 6.1.8 Hotfix 1, Traps 6.1.7 Hotfix 1, and Traps 5.0.12 Hotfix 1
Cortex XDR agents running on endpoints that do not trust the "GlobalSign Root CA" certificate may encounter issues downloading upgrade packages and content updates; verdict retrieval for large scans may also be affected.
  • Manual workaround: Add the "GlobalSign Root CA" certificate to the trusted root store on the endpoint.
  • Server workaround: Provide the endpoint details to the Cortex XDR support team.
Events from Windows Event Forwarding (WEF) clients that are added after you receive a notification to renew your WEC CA certificate are not collected by the server until the WEC certificate renewal process is complete. As a result, we recommend that you do not add any new WEF clients between receiving the notification and completing the renewal of the WEC certificates.
Addressed in Cortex XDR 3.0 release
Whenever the CSV Collector in the broker VM checks for new CSV files in the Windows directory, the applet appends the data to the dataset instead of replacing it. This will be fixed in an upcoming release.
When your XQL query includes a filter whose result is an exponential number, the filter sometimes does not work as expected, including returning no results.
Addressed in Cortex XDR 2.8 release
Creating a featured user from an AD group does not support the partial (NT) domain name format.
Addressed in Cortex XDR 2.7 release
Datasets that use field names that are XQL reserved keywords cause parsing issues. If a field name is a reserved keyword, surround the field name with backticks when using it in a query. For example:
dataset = okta_sso_raw | filter `target` = abc
The UI autocomplete feature of the XQL Search screen adds the backticks for you as necessary.
Cortex XDR calculates CVEs for applications according to the application version, not the application build number.
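To make the os_type and reserved-keyword points above concrete, here is an added example (not Cortex XDR code, and not XQL itself): a small Python evaluator for the subset of XQL filter syntax used on this page, run over constructed host_firewall_events records. It assumes the simple grammar `dataset = X | filter field = value [and|or ...]` with NULL, ENUM.* and backtick-quoted field names, and shows that combining the two os_type conditions with `and` returns nothing while `or` returns the pre-3.1 and post-3.1 events together.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample records (not real telemetry): agents before 3.1 left
# os_type empty (NULL); agents from 3.1 on populate it with an ENUM value.
HOST_FIREWALL_EVENTS: List[Dict[str, Any]] = [
    {"event_id": 1, "agent_version": "3.0", "os_type": None},
    {"event_id": 2, "agent_version": "3.0", "os_type": None},
    {"event_id": 3, "agent_version": "3.1", "os_type": "ENUM.Windows"},
    {"event_id": 4, "agent_version": "3.2", "os_type": "ENUM.Linux"},
]

# One comparison clause: optional backtick-quoted field, '=', then NULL,
# an ENUM.<Name> literal, or a bare word value.
_CLAUSE = re.compile(r"`?(\w+)`?\s*=\s*(NULL|ENUM\.\w+|\w+)", re.IGNORECASE)
_OPS = re.compile(r"\b(and|or)\b", re.IGNORECASE)


def parse_filter(query: str) -> Tuple[str, List[Tuple[str, str]], List[str]]:
    """Split 'dataset = X | filter a = b or c = d' into dataset, clauses, operators."""
    dataset_part, _, stage = query.partition("|")
    dataset = dataset_part.split("=", 1)[1].strip()
    stage = stage.strip()
    if not stage.lower().startswith("filter "):
        raise ValueError("only a single filter stage is supported here")
    body = stage[len("filter "):]
    clauses = [(field, value) for field, value in _CLAUSE.findall(body)]
    ops = [op.lower() for op in _OPS.findall(body)]
    return dataset, clauses, ops


def _matches(event: Dict[str, Any], field: str, value: str) -> bool:
    actual = event.get(field)
    if value.upper() == "NULL":          # XQL NULL means the field is unset
        return actual is None
    return actual == value               # ENUM.* and plain values compare literally


def run_query(query: str, events: List[Dict[str, Any]] = HOST_FIREWALL_EVENTS) -> List[int]:
    """Return the event_ids that satisfy the filter, evaluated left to right."""
    _, clauses, ops = parse_filter(query)
    hits = []
    for ev in events:
        result = _matches(ev, *clauses[0])
        for op, clause in zip(ops, clauses[1:]):
            m = _matches(ev, *clause)
            result = (result and m) if op == "and" else (result or m)
        if result:
            hits.append(ev["event_id"])
    return hits
```

Feeding the page's okta_sso_raw example through the same function shows the backtick-quoted `target` field being parsed as an ordinary field name.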
Addressed in Cortex XDR 2.7 release
When you build an XQL Search query and use the helper to add a date or time filter, the app starts a new filter line instead of inserting the selected date and time.
Addressed in Cortex XDR 2.7 release
The Incident by Severity widget does not display the time frame of the collected incidents.
In rare cases, the process event server and agent timestamp values are not aligned, which prevents Cortex XDR from displaying time information in the Causality View.
Addressed in Cortex XDR 2.9 release
When you edit a BIOC rule and introduce invalid logic, Cortex XDR does not validate the logic and saves the invalid BIOC. As a result, Cortex XDR cannot raise BIOC alerts using the rule.
Addressed in Cortex XDR 2.9 release
For MSSPs, when navigating across pages in the management console, the selected tenant reverts to the default parent tenant.
Backward scan is not supported when generating a BIOC from the Native Search.
After a Microsoft Windows patch (KB) is uninstalled from the endpoint, the Cortex XDR agent continues to report this KB to Cortex XDR. As a result, the CVE list for the endpoint in Vulnerability Management cannot be updated to include the CVEs addressed by the uninstalled KB.

