Cortex XDR Known Issues
Known issues with the Cortex XDR app.
The following table describes known issues in the Cortex XDR app:
- The same collector appears several times in Asset Management. Each IP address is listed on a separate line, regardless of whether it is associated with the same hostname.
- Backwards scan is not supported when generating a BIOC from the Native Search.
- For MSSPs, when using the Query Builder to search across multiple tenants, Cortex XDR enforces the following limitations:
- If a syslog server goes to an invalid status due to a connection issue, the Cortex XDR management console continues to display the status as invalid after the connection resumes.
- Currently, firewall data with session_id=0 is causing a discrepancy between the Cortex XDR Query Builder and the Explore app. Addressed in May 2020 release.
- Currently, you cannot define a Cortex XDR Host Firewall rule to allow or block any type of communication protocol in both directions (i.e. an "any-any" rule). When you try to configure such a rule, the Create button remains disabled. To overcome this issue and create a rule, define at least one of the following: Local/Remote Address, Local/Remote Port, or Path. Addressed in May 2020 release.
- Currently, Cortex XDR does not validate the MAC address format you enter in the Query Builder search. To ensure you enter correct values:
- In the Analytics Management page, inconsistent display of whether traffic logs exist between the
- Hostnames with non-ASCII-7 characters are ignored by the app.
- IPv6 address ranges are ignored as internal IP addresses.
- In a Pathfinder scan, the tunneling process detector does not show Process Connections or Process Executions.
- Processes associated with an alert are shown only for seven days after the alert is triggered.
- The file name includes only the short path and not the full path.
- For devices protected by Traps, Modification Time columns are always N/A in the Network Prevalence forensics table.
- The Pathfinder VM attempts to engage its own Docker network interface instead of the specified Docker subnet.
- The Destinations page in the Networks menu shows incorrect success data for Nmap scans.
- If a network segment with a Per-Asset Pathfinder configuration is deleted from the Network Segments configuration, the matching (per-asset) Pathfinder configuration is not automatically deleted.
- The session count displayed for New Administrative Behavior alerts is N/A if the alert was triggered prior to Sept 13, 2018.
- The traffic throughput displayed in the IP Ranges Report and on the Panorama ACC Network Activity tab might not match.
- In the DNS Queries table for an alert, the number of requests displayed does not match the number of responses and successfully resolved queries, although these values should be the same. For example, there might be a higher number of DNS responses than DNS requests.
- In steady-state operation, Cortex XDR – Analytics takes 50 minutes to process data and fire alerts based on it. However, at midnight UTC, the daily calculations add a further lag of 60 minutes, making the alerts up to 110 minutes old. After the app has been running for a few hours, the lag returns to the usual 50 minutes.
- Layer 4 traffic volume, which is presented in the various tables (e.g. in columns such as Received Data), is approximated from layer 2 traffic volume. This can cause failed connection attempts to show some received data, even though it was actually 0 at layer 4. It also does not match the number reported by the Palo Alto Networks firewalls or by Panorama, because they report L2 traffic volume.
- MAL-821 / PB-283
- All HTTP sessions show as failed.
- Endpoint Profile forensic tables do not display devices covered by Traps.
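Because the Query Builder does not validate MAC address input, a mistyped or differently formatted value (hyphens, Cisco dotted triplets, a missing octet) produces an empty result set rather than an error. The following is an added example, not Cortex XDR code, of a small pre-check that normalizes the common spellings to one canonical form and rejects anything else before the value is pasted into a search. It assumes that a lowercase, colon-separated six-octet form is what the search field expects; the page does not state the required format, so adjust `normalize_mac` if your tenant expects a different one.

```python
"""Validate and normalize MAC addresses before entering them in a search field.

Added example, not Cortex XDR code. Assumption: the canonical form expected by
the search is lowercase colon-separated octets, e.g. "00:1a:2b:3c:4d:5e".
"""
import re
from typing import List, Optional, Tuple

# Accepted input spellings (constructed for this example):
#   six octets separated consistently by ":" or "-", Cisco dotted triplets
#   (xxxx.xxxx.xxxx), or 12 bare hex digits. Mixed separators are rejected.
_OCTETS = re.compile(r"^([0-9a-f]{2})([:-])(?:[0-9a-f]{2}\2){4}[0-9a-f]{2}$")
_CISCO = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
_BARE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as lowercase colon-separated octets, or None if invalid."""
    s = value.strip().lower()
    if _OCTETS.match(s) or _CISCO.match(s) or _BARE.match(s):
        digits = re.sub(r"[^0-9a-f]", "", s)          # keep the 12 hex digits only
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return None


def check_search_values(values: List[str]) -> Tuple[List[str], List[str]]:
    """Split user-entered values into (normalized MACs, rejected inputs)."""
    good, bad = [], []
    for v in values:
        mac = normalize_mac(v)
        if mac is None:
            bad.append(v)      # would silently match nothing in an unvalidated search
        else:
            good.append(mac)
    return good, bad


if __name__ == "__main__":
    # Constructed sample input: four valid spellings of one address, three typos.
    sample = [
        "00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e", "001a.2b3c.4d5e", "001a2b3c4d5e",
        "00:1a:2b:3c:4d", "00:1a:2b:3c:4d:5g", "00:1a-2b:3c:4d:5e",
    ]
    ok, rejected = check_search_values(sample)
    print("normalized:", ok)
    print("rejected:", rejected)
```

Run the script to see the four valid spellings collapse to the same canonical value and the three malformed ones listed under "rejected"; only the normalized values should go into the search.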