Cortex XDR Known Issues

Known issues with the Cortex XDR app.
The following list describes known issues in the Cortex XDR app; issue IDs and the release in which an issue was addressed are given where recorded:
When building a query in XQL Search to view events generated by a Windows machine using the host_firewall_events dataset, you must filter for both os_type = NULL and os_type = ENUM.Windows values to include events generated prior to version 3.1:

dataset = host_firewall_events | filter os_type = NULL or os_type = ENUM.Windows

All events generated after version 3.1 are available when filtering only for os_type = ENUM.Windows:

dataset = host_firewall_events | filter os_type = ENUM.Windows
When using the broker VM’s Files and Folders Collector or FTP Collector applets to collect logs from files and folders, a maximum file size of 500 MB is supported.
Cortex XDR only supports stitching login Windows Event Logs into stories for a Windows 8.1 or later machine.
XDRSUP-6171, CPATR-14895: Cortex XDR agents running on endpoints that do not trust the “GlobalSign Root CA” certificates may encounter issues downloading upgrade packages and content updates, and verdict retrieval for large scans may also be affected.
  • Manual workaround: Add the “GlobalSign Root CA” certificates to the trusted root store on the endpoint.
  • Server workaround: Provide the endpoint details to the Cortex XDR support team.
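As an added check that is not part of the Cortex XDR documentation, the following PowerShell script reports whether a certificate whose subject contains CN=GlobalSign Root CA is present in the endpoint’s trusted root stores and whether it has expired; the store paths and the subject pattern are assumptions, and the reported thumbprint should be compared against the fingerprint GlobalSign publishes.

```powershell
# Added example, not from the Cortex XDR documentation.
# Reports whether the "GlobalSign Root CA" certificate is trusted on this endpoint.
function Test-GlobalSignRootTrust {
    [CmdletBinding()]
    param(
        # Assumed stores to inspect; LocalMachine\Root is what system services
        # such as the Cortex XDR agent use, CurrentUser\Root is checked for completeness.
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Assumed subject pattern; the R3/R6 roots use a different CN and are not matched.
        [string]$SubjectPattern = '*CN=GlobalSign Root CA*'
    )

    $found = foreach ($path in $StorePaths) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern }
        foreach ($cert in $certs) {
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint   # verify against GlobalSign's published fingerprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }

    if (-not $found) {
        Write-Warning "No certificate matching '$SubjectPattern' in: $($StorePaths -join ', ')"
    }
    $found
}

# Usage: list matching roots; an empty result or Expired = True points at the issue above.
Test-GlobalSignRootTrust | Format-Table -AutoSize
```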
Events from Windows Event Forwarding (WEF) clients that are added after you receive a notification to renew your WEC CA certificate are not collected by the server until the WEC certificate renewal process is complete. We therefore recommend that you do not add new WEF clients between receiving the notification and completing the renewal of the WEC certificates.
Addressed in Cortex XDR 3.0 release
Whenever the CSV Collector in the broker VM checks for new CSV files in the Windows directory, the applet appends the data to the dataset, as opposed to replacing the data. This will be fixed in an upcoming release.
When your XQL query includes a filter whose value is an exponential number, the filter sometimes does not work as expected, including returning no results.
Addressed in Cortex XDR 2.8 release
Creating a featured user from an AD group does not support the partial (NT) domain name format.
Addressed in Cortex XDR 2.7 release
Datasets that use field names that are XQL reserved keywords cause parsing issues. If a field name is a reserved keyword, surround the field name with back ticks when using it in a query. For example:

dataset = okta_sso_raw | filter `target` = abc

The UI autocomplete feature for the XQL Search screen adds the back ticks for you as necessary.
Cortex XDR calculates CVEs for applications according to the application version, not according to the application build number.
Addressed in Cortex XDR 2.7 release
When you build an XQL Search query and try to use the helper to add a date or time filter to your query, the app begins a new filter line instead of adding the selected date and time.
Addressed in Cortex XDR 2.7 release
The Incident by Severity widget does not display the time frame of the collected incidents.
In rare cases, the process event server and agent timestamp values are not aligned, which prevents Cortex XDR from displaying time information in the Causality View.
When you edit a BIOC rule but introduce invalid logic, Cortex XDR does not validate the logic and saves the invalid BIOC. As a result, Cortex XDR cannot raise BIOC alerts using the rule.
For MSSPs, when navigating across pages in the Cortex XDR management console, the selected tenant reverts to the default parent tenant.
Backwards scan is not supported when generating a BIOC from the Native Search.
Currently, firewall data with
is causing a discrepancy between the Cortex XDR Query Builder and Explore App.
After a Microsoft Windows patch (KB) is uninstalled from the endpoint, the Cortex XDR agent continues to report this KB to Cortex XDR. As a result, the CVEs list for the endpoint in Vulnerability Management cannot be updated to include the CVEs addressed by the uninstalled KB.
