Retrieve additional issue details

Cortex Cloud Runtime Security Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-10
Category
Administrator Guide
Abstract

Access additional information relating to an issue, including related files and memory content analysis.

To help you with issue analysis, Cortex Cloud can provide related files and memory content analysis.

  1. From the Issues page, locate the issue for which you want to retrieve information.

  2. Right-click anywhere in the issue, and select one of the following options:

    • Retrieve Additional Data: Cortex Cloud can provide related files and additional analysis of the memory contents when an exploit protection module raises an issue.

      • Select Retrieve issue data and analyze to retrieve issue data consisting of the memory contents at the time the issue was raised. You can also enable Cortex Cloud to automatically retrieve issue data for every relevant issue. After Cortex Cloud receives the data and performs the analysis, it issues a verdict for the issue. You can monitor the retrieval and analysis progress from the Action Center (pivot to view Additional data). When the analysis is complete, it displays the verdict in the Advanced Analysis field.

      • Retrieve related files: To further examine files that are involved in an issue, you can request the agent send them to the Cortex Cloud tenant. If multiple files are involved, the tenant supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.

      • Pivot to views > View in source system: For issues ingested from third-party vendors, this option pivots to the issue in the third-party system.

        To enable this feature, ensure that Cortex Cloud has a correlation rule that contains the External URL field. For more information, refer to Create a correlation rule.

    • (For PAN NGFW source type issues) Download triggering packet: Download the session PCAP containing the first 100 bytes of the triggering packet directly from Cortex Cloud. To access the PCAP, you can download the file from the Issues table, Cases, or Causality view.

  3. Navigate to Investigation & Response > Response > Action Center to view the retrieval status.

  4. Download the retrieved files locally.

    In the Action Center, wait for the data retrieval action to complete successfully. Then, right-click the action row and select Additional Data. From the Detailed Results view, right-click the row and select Download Files. A ZIP folder with the retrieved data is downloaded locally.

    Tip

    If you require assistance from Palo Alto Networks support to investigate the issue, make sure to provide the downloaded ZIP file.
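
For step 4, one way to inventory the downloaded ZIP before opening anything in it, as an added example that is not part of the Cortex Cloud documentation: it hashes every member in memory, flags member names that would escape an extraction directory, and parses any `.json` member as a candidate for the agent's status log. The archive layout, the `.json` heuristic, and the sample names in `build_sample` are assumptions; the 20-file and 200MB limits are the ones stated on this page.

```python
import hashlib
import io
import json
import zipfile

MAX_FILES = 20                        # related-file limit stated on this page
MAX_TOTAL_BYTES = 200 * 1024 * 1024   # "200MB", read here as MiB (assumption)


def inventory_archive(source):
    """Hash and list every member of a retrieved ZIP without extracting it."""
    files, logs, warnings = [], {}, []
    with zipfile.ZipFile(source) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Names come from the endpoint: flag absolute, "..", or drive paths.
            if parts[0] == "" or ".." in parts or ":" in parts[0]:
                warnings.append(f"unsafe member name: {name!r}")
            is_json = name.lower().endswith(".json")
            digest, body = hashlib.sha256(), bytearray()
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(1 << 20), b""):
                    digest.update(chunk)
                    if is_json:
                        body += chunk
            files.append({"name": name, "size": info.file_size,
                          "sha256": digest.hexdigest()})
            if is_json:  # candidate for the agent's JSON status log
                try:
                    logs[name] = json.loads(body)
                except ValueError as exc:
                    warnings.append(f"{name!r} is not valid JSON: {exc}")
    evidence = [f for f in files if f["name"] not in logs]
    if len(evidence) > MAX_FILES:
        warnings.append(f"{len(evidence)} files exceeds the documented {MAX_FILES}")
    if sum(f["size"] for f in evidence) > MAX_TOTAL_BYTES:
        warnings.append("total size exceeds the documented 200MB")
    return {"files": files, "logs": logs, "warnings": warnings}


def build_sample():
    """Constructed sample archive; the member names and log fields are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed sample bytes")
        zf.writestr("../outside.txt", b"constructed")
        zf.writestr("status.json", json.dumps({"sample.bin": "collected"}))
    return buf
```

Pass the path of the downloaded ZIP to `inventory_archive` and record the returned SHA-256 values with the case notes before sharing the file.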