Cortex XDR Known Issues

Known issues with the Cortex XDR app.
The following table describes known issues in the Cortex XDR app. Each entry lists the issue ID followed by its description.

XDR-21681
The same collector appears several times in Asset Management. Each IP address is listed in a separate line, regardless of whether it is associated with the same hostname.

XDR-21780
Backwards scan is not supported when generating a BIOC from the Native Search.

XDR-20310
For MSSPs, when using the Query Builder to search across multiple tenants, Cortex XDR enforces the following limitations:
  • You can query up to 100 tenants.
  • Cortex XDR returns up to 10,000 total results and divides the number of results across the queried tenants.

XDR-15321
If a syslog server goes to an invalid status due to a connection issue, the Cortex XDR management console continues to display the status as invalid after the connection resumes.

XDR-14624
Currently, firewall data with session_id=0 causes a discrepancy between the Cortex XDR Query Builder and the Explore app.

XDR-13232 (addressed in May 2020 release)
Currently, you cannot define a Cortex XDR Host Firewall rule that allows or blocks any type of communication protocol in both directions (an "any-any" rule). When you try to configure such a rule, the Create button remains disabled. To work around this issue and create the rule, define at least one of the following: Local/Remote Address, Local/Remote Port, or Path.

XDR-12480 (addressed in May 2020 release)
Currently, Cortex XDR does not validate the format of the MAC address you enter in the Query Builder search. To ensure you enter correct values:
  • For Microsoft Windows endpoints, use a hyphen (-) as the separator.
  • For Mac and Linux endpoints, use a colon (:) as the separator.

XDR-11279
In the Analytics Management page, the System and Log tabs display inconsistent information about whether traffic logs exist.

MAG-5708
Hostnames containing non-7-bit-ASCII characters are ignored by the app.

MAG-5614
IPv6 address ranges are ignored as internal IP addresses.

MAG-5590
In a Pathfinder scan, the tunneling process detector does not show Process Connections or Process Executions.

MAG-5429
Processes associated with an alert are shown only for seven days after the alert is triggered.

MAG-5386
The file name includes only the short path, not the full path.

MAG-5075
For devices protected by Traps, the Creation Time and Modification Time columns are always N/A in the Network Prevalence forensics table.

MAG-4934
The Pathfinder VM attempts to engage its own Docker network interface instead of the specified Docker subnet.

MAG-4881
The Destinations page in the Networks menu shows incorrect success data for Nmap scans.

MAG-4173
If a network segment with a Per-Asset Pathfinder configuration is deleted from the Network Segments configuration, the matching (per-asset) Pathfinder configuration is not automatically deleted.

MAG-3970
The session count displayed for New Administrative Behavior alerts is N/A if the alert was triggered prior to Sept 13, 2018.

MAG-2868
The traffic throughput displayed in the IP Ranges Report and on the Panorama ACC Network Activity tab might not match.

MAG-2353
In the DNS Queries table for an alert, the number of requests displayed is higher than the number of responses and the number resolved successfully, when these should be the same. For example, there might be a higher number of DNS responses than DNS requests.

MAG-1679
In steady-state operation, Cortex XDR – Analytics takes 50 minutes to process data and fire alerts based on it. However, at midnight UTC, daily calculations add a further lag of 60 minutes, making the alerts up to 110 minutes old. After the app has been running for a few hours, the lag returns to the usual 50 minutes.

MAGNA-21151, PB-140
Layer 4 traffic volume, which is presented in the various tables (for example, in columns such as Sent Data and Received Data), is approximated from layer 2 traffic volume. This can cause failed connection attempts to show some received data, even though it was actually 0 at layer 4. It also does not match the number reported by Palo Alto Networks firewalls or by Panorama, because they report L2 traffic volume.

MAL-821 / PB-283
All HTTP sessions show as failed.

PB-263
Endpoint Profile forensic tables do not display devices covered by Traps.
