Cortex XDR Known Issues

Known issues with the Cortex XDR app.
The following table describes known issues in the Cortex XDR app. Each entry gives the issue ID, followed by its description:
XDR-42320: When building a query in XQL Search to view events generated by a Windows machine using the host_firewall_events dataset, you must filter for both the os_type = NULL and os_type = ENUM.Windows values to include events generated prior to version 3.1:
    dataset = host_firewall_events | filter os_type = NULL and os_type = ENUM.Windows
All events generated after version 3.1 are available when filtering only for os_type = ENUM.Windows:
    dataset = host_firewall_events | filter os_type = ENUM.Windows
XDR-42000: When using the broker VM's Files and Folders Collector or FTP Collector applets to collect logs from files and folders, a maximum file size of 500 MB is supported.
CPATR-15036: Cortex XDR only supports stitching Windows login event logs into stories for a Windows 8.1 or later machine.
XDRSUP-6171, CPATR-14895: Cortex XDR agents running without trusting the “GlobalSign Root CA” certificate may encounter issues downloading upgrade packages and content updates, and verdict retrieval for large scans may also be affected.
  • Manual workaround: Add the “GlobalSign Root CA” certificate to the trusted root store on the endpoint.
  • Server workaround: Provide the endpoint details to the Cortex XDR support team.
XDR-26202: Events from Windows Event Forwarding (WEF) clients that are added after you receive a notification to renew your WEC CA certificate are not collected by the server until the WEC certificate renewal process is complete. We therefore recommend that you do not add any new WEF clients between receiving the notification and completing the WEC certificate renewal.
XDR-36171 (addressed in Cortex XDR 3.0 release): Whenever the CSV Collector in the broker VM checks for new CSV files in the Windows directory, the applet appends the data to the dataset, as opposed to replacing the data. This will be fixed in an upcoming release.
XDR-30122: When your XQL query includes a filter whose result is a number in exponential notation, the filter can sometimes fail to work as expected, including returning no results.
XDR-29975 (addressed in Cortex XDR 2.8 release): Creating a featured user from an AD group does not support the partial (NT) domain name format.
XDR-29668 (addressed in Cortex XDR 2.7 release): Datasets that use field names that are XQL reserved keywords cause parsing issues. If a field name is a reserved keyword, surround it with back ticks when using it in a query. For example:
    dataset = okta_sso_raw | filter `target` = abc
The UI autocomplete feature for the XQL Search screen will add back ticks for you as necessary.
XDR-29691: Cortex XDR calculates CVEs for applications according to the application version, not the application build number.
XDR-28822 (addressed in Cortex XDR 2.7 release): When you build an XQL Search query and use the helper to add a date or time filter, the app begins a new filter line instead of inserting the selected date and time.
XDR-26222 (addressed in Cortex XDR 2.7 release): The Incident by Severity widget does not display the time frame of the collected incidents.
XDR-26045: In rare cases, the process event server timestamp and agent timestamp values are not aligned, which prevents Cortex XDR from displaying time information in the Causality View.
XDR-24917: When you edit a BIOC rule and introduce invalid logic, Cortex XDR does not validate the logic and saves the invalid BIOC. As a result, Cortex XDR cannot raise BIOC alerts using that rule.
XDR-26677: For MSSPs, when navigating across pages in the Cortex XDR management console, the selected tenant reverts to the default parent tenant.
XDR-21780: Backwards scan is not supported when generating a BIOC from the Native Search.
XDR-14624: Currently, firewall data with session_id=0 causes a discrepancy between the Cortex XDR Query Builder and the Explore App.
CPATR-10766: After a Microsoft Windows patch (KB) is uninstalled from the endpoint, the Cortex XDR agent continues to report this KB to Cortex XDR. As a result, the CVE list for the endpoint in Vulnerability Management cannot be updated to include the CVEs addressed by the uninstalled KB.
