Cortex XDR Known Issues

Known issues with the Cortex XDR app.
The following table describes known issues in the Cortex XDR app:
Issue ID
The same collector appears several times in Asset Management. Each IP address is listed on a separate line, regardless of whether it is associated with the same hostname.
Backwards scan is not supported when generating a BIOC from the Native Search.
For MSSPs, when using the Query Builder to search across multiple tenants, Cortex XDR enforces the following limitations:
  • You can query up to 100 tenants.
  • Cortex XDR returns up to 10,000 total results and divides the number of results across the queried tenants.
If a syslog server goes to an invalid status due to a connection issue, the Cortex XDR management console continues to display the status as invalid after the connection resumes.
Currently, firewall data with
is causing a discrepancy between the Cortex XDR Query Builder and Explore App.
Addressed in May 2020 release.
Currently, you cannot define a Cortex XDR Host Firewall rule to allow or block any type of communication protocol in both directions (i.e. an "any-any" rule). When you try to configure such a rule, the Create button remains disabled. To overcome this issue and create a rule, define at least one of the following: Local/Remote Address, Local/Remote Port, or Path.
Addressed in May 2020 release.
Currently, Cortex XDR does not validate the format of the MAC address you enter in the Query Builder search. To ensure you enter correct values:
  • For Microsoft Windows endpoints, use a hyphen (-) as the separator.
  • For Mac and Linux endpoints, use a colon (:) as the separator.
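Because Cortex XDR does not check the value itself, an added example (not Cortex XDR code) of a small Python helper that performs that validation before a query is built and normalizes the address to the separator convention above. The function names, the accepted raw input forms (hyphen, colon, or no separator), and the sample addresses are assumptions of this example.

```python
import re

# Hypothetical helper: Cortex XDR does not validate MAC addresses in Query
# Builder searches, so reject malformed values and emit the separator the
# known-issues entry calls for ('-' on Windows, ':' on Mac/Linux).
HEX_OCTET = r"[0-9A-Fa-f]{2}"
# Accept six octets split by '-' or ':', or a bare 12-hex-digit string.
MAC_PATTERN = re.compile(
    rf"^(?:{HEX_OCTET}[-:]){{5}}{HEX_OCTET}$|^[0-9A-Fa-f]{{12}}$"
)
SEPARATOR_BY_OS = {"windows": "-", "mac": ":", "linux": ":"}


def normalize_mac(raw: str, endpoint_os: str) -> str:
    """Return the MAC address in the separator style expected for endpoint_os.

    Raises ValueError for malformed input or an unknown endpoint OS.
    """
    sep = SEPARATOR_BY_OS.get(endpoint_os.lower())
    if sep is None:
        raise ValueError(f"unknown endpoint OS: {endpoint_os!r}")
    candidate = raw.strip()
    if not MAC_PATTERN.match(candidate):
        raise ValueError(f"malformed MAC address: {raw!r}")
    digits = re.sub(r"[-:]", "", candidate).upper()
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_query_values(entries):
    """Normalize (raw_mac, endpoint_os) pairs; return (valid, rejected) lists."""
    valid, rejected = [], []
    for raw, endpoint_os in entries:
        try:
            valid.append(normalize_mac(raw, endpoint_os))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return valid, rejected


if __name__ == "__main__":
    # Constructed sample inputs, not real endpoints.
    sample = [("00:1a:2b:3c:4d:5e", "windows"), ("001A2B3C4D5E", "linux"),
              ("00-1A-2B-3C-4D-5E", "mac"), ("00:1A:2B:3C:4D", "windows")]
    print(mac_query_values(sample))
```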
In the Analytics Management page, inconsistent display of whether traffic logs exist between the
Hostnames with Non ASCII-7 characters are ignored by the app.
IPv6 address ranges are ignored as internal IP addresses.
In a Pathfinder scan, the tunneling process detector does not show Process Connections or Process Executions.
Processes associated with an alert will show only for seven days after the alert is triggered.
The file name includes only the short path and not the full path.
For devices protected by Traps, the Creation Time and Modification Time columns are always N/A in the Network Prevalence forensics table.
The Pathfinder VM attempts to engage its own docker network interface instead of the specified docker subnet.
The Destinations page in the Networks menu shows incorrect success data for Nmap scans.
If a network segment with a Per-Asset Pathfinder configuration is deleted from the Network Segments configuration, the matching (per-asset) Pathfinder configuration is not automatically deleted.
The session count displayed for New Administrative Behavior alerts is N/A if the alert was triggered prior to Sept 13, 2018.
The traffic throughput displayed in the IP Ranges Report and on the Panorama ACC Network Activity tab might not match.
In the DNS Queries table for an alert, the values displayed for the number of requests, the number of responses, and the number resolved successfully can differ, even though they should be the same. For example, there might be a higher number of DNS responses than DNS requests.
In steady-state operation, Cortex XDR – Analytics takes 50 minutes to process data and fire alerts based on it. However, at midnight UTC, daily calculations add a further lag of 60 minutes, so alerts can be up to 110 minutes old. After the app has been running for a few hours, the lag returns to the usual 50 minutes.
MAGNA-21151, PB-140
Layer 4 traffic volume, which is presented in the various tables (e.g. in columns such as Sent Data and Received Data), is approximated from layer 2 traffic volume. This can cause failed connection attempts to show some received data, even though it was actually 0 at layer 4. It also does not match the number reported by the Palo Alto Networks firewalls or by Panorama, because they report L2 traffic volume.
MAL-821 / PB-283
All HTTP sessions show as failed.
Endpoint Profile forensic tables do not display devices covered by Traps.