Cortex XDR Known Issues
Known issues with the Cortex XDR app.
The following table describes known issues in the Cortex XDR app.

Issue ID | Description |
---|---|
CRTX-57553 | When setting up the Broker VM on Google Cloud Platform (GCP) and a GCP image is imported using the G Cloud CLI, the following command fails. Until this is resolved, use the following command as a workaround. |
CRTX-41336 | A Database Connection applet on a broker VM that is deployed in a Cortex XDR FedRAMP environment cannot connect to MySQL and MSSQL. |
XDR-55313 | When exporting a Restriction type profile with custom indicator rules and then importing it back, the rules are no longer available. |
XDR-52891, XDRSUP-11158 (Addressed in Cortex XDR 3.3 release) | When remotely connecting to a broker VM directly from the Cortex XDR console or via SSH, the admin user is not automatically granted edit permissions to the static network route configuration file, /etc/network/routes. Therefore, the admin user must be granted the necessary permissions to edit the file via Palo Alto Networks support. |
XDRSUP-9288 (Addressed in Cortex XDR agent 7.5.1 version) | Fixed an issue where mismatching time units can cause a policy delay period calculation to be incorrect. |
XDR-42320 | When building a query in XQL Search to view events generated by a Windows machine using the host_firewall_events dataset, you must filter for both os_type = NULL and os_type = ENUM.Windows values to include events generated prior to version 3.1. All events generated after version 3.1 are available when filtering only for os_type = ENUM.Windows. |
XDR-42000 (Addressed in Cortex XDR 3.3 release) | When using the broker VM applets for a Files and Folders Collector in Batch mode or FTP Collector to collect logs from files and folders, a maximum file size of 500 MB is supported. |
CPATR-15036 | Cortex XDR only supports stitching login Windows Event Logs into stories for a Windows 8.1 or later machine. |
XDRSUP-6171, CPATR-14895 (Addressed in the following releases: Cortex XDR 7.5.1 Hotfix 1, Cortex XDR 7.4.3 Hotfix 1, Cortex XDR 7.3.4 Hotfix 1, Traps 6.1.8 Hotfix 1, Traps 6.1.7 Hotfix 1, and Traps 5.0.12 Hotfix 1) | Cortex XDR agents running without trusting the “GlobalSign Root CA” certificate may encounter issues downloading upgrade packages and content updates, and verdict retrieval for large scans may also be affected. |
XDR-26202 | Events from Windows Event Forwarding (WEF) clients, which are added after you receive a notification for renewing your WEC CA certificate, will not be collected by the server until the WEC certification renewal process is complete. As a result, we recommend that you do not add any new WEF clients after you receive a notification and until the WEC certificates are renewed. |
XDR-36171 (Addressed in Cortex XDR 3.0 release) | Whenever the CSV Collector in the broker VM checks for new CSV files in the Windows directory, the applet appends the data to the dataset, as opposed to replacing the data. This will be fixed in an upcoming release. |
XDR-30122 | When your XQL query includes a filter with a result that is an exponential number, the filter sometimes does not work as expected, including not returning any results. |
XDR-29975 (Addressed in Cortex XDR 2.8 release) | Creating a featured user from an AD group does not support a partial (NT) format domain name. |
XDR-29668 (Addressed in Cortex XDR 2.7 release) | Datasets that use field names with XQL reserved keywords cause parsing issues. If a field name is a reserved keyword, surround the field name with back ticks when using it in a query. For example: The UI autocomplete feature for the XQL Search screen will add back ticks for you as necessary. |
XDR-29691 | Cortex XDR calculates CVEs for applications according to the application version, and not according to application build numbers. |
XDR-28822 (Addressed in Cortex XDR 2.7 release) | When you build an XQL Search query and try to use the |
XDR-26222 (Addressed in Cortex XDR 2.7 release) | The Incident by Severity widget does not display the time frame of the collected incidents. |
XDR-26045 | In rare cases, the process event server and agent timestamp values are not aligned, which prevents Cortex XDR from displaying time information in the Causality View. |
XDR-24917 (Addressed in Cortex XDR 2.9 release) | When you edit a BIOC rule but introduce invalid logic, Cortex XDR does not validate the logic and saves the invalid BIOC. As a result, Cortex XDR cannot raise BIOC alerts using the rule. |
XDR-26677 (Addressed in Cortex XDR 2.9 release) | For MSSPs, when navigating across pages in the Cortex XDR management console, the selected tenant reverts to the default parent tenant. |
XDR-21780 | Backwards scan is not supported when generating a BIOC from the Native Search. |
CPATR-10766 | After a Microsoft Windows patch (KB) is uninstalled from the endpoint, the Cortex XDR agent continues to report this KB to Cortex XDR. As a result, the CVEs list for the endpoint in Vulnerability Management cannot be updated to include the CVEs addressed by the uninstalled KB. |