<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Is there a good (and quick) explanation out there of how Cortex XDR works on systems? in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450722#M1312</link>
    <description>&lt;P&gt;Hello. I'm looking for a 10,000 foot overview explanation that people may have used in the past or anything written up by Palo Alto? We have a lot of people who are used to the way legacy AV systems work and relied heavily on setting recommended exclusions from 3rd party vendors. Exclusions, I believe, are sort of a last resort but I can't seem to convey that properly to the audience questioning why their exclusions aren't placed. Thank you in advance.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 01 Dec 2021 20:13:43 GMT</pubDate>
    <dc:creator>CraigV123</dc:creator>
    <dc:date>2021-12-01T20:13:43Z</dc:date>
    <item>
      <title>Is there a good (and quick) explanation out there of how Cortex XDR works on systems?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450722#M1312</link>
      <description>&lt;P&gt;Hello. I'm looking for a 10,000 foot overview explanation that people may have used in the past or anything written up by Palo Alto? We have a lot of people who are used to the way legacy AV systems work and relied heavily on setting recommended exclusions from 3rd party vendors. Exclusions, I believe, are sort of a last resort but I can't seem to convey that properly to the audience questioning why their exclusions aren't placed. Thank you in advance.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Dec 2021 20:13:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450722#M1312</guid>
      <dc:creator>CraigV123</dc:creator>
      <dc:date>2021-12-01T20:13:43Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a good (and quick) explanation out there of how Cortex XDR works on systems?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450734#M1313</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301"&gt;@CraigV123&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think something like this is what you are looking for.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/analysis-and-protection-flow.html" target="_blank"&gt;File Analysis and Protection Flow (paloaltonetworks.com)&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpoint-protection-capabilities.html" target="_blank"&gt;Protection Capabilities (paloaltonetworks.com)&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Dec 2021 20:20:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450734#M1313</guid>
      <dc:creator>fmoixsante</dc:creator>
      <dc:date>2021-12-01T20:20:19Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a good (and quick) explanation out there of how Cortex XDR works on systems?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450922#M1319</link>
      <description>&lt;P&gt;Thank you for the response. I'll see if I can slim down those explanations any bit. It's been incredible to see the negative reactions from these folks when you tell them that exceptions aren't being placed unless it is the last resort.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Dec 2021 11:33:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/450922#M1319</guid>
      <dc:creator>CraigV123</dc:creator>
      <dc:date>2021-12-02T11:33:56Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a good (and quick) explanation out there of how Cortex XDR works on systems?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/451089#M1320</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301"&gt;@CraigV123&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In my opinion, Exceptions are not a last resort. They can certainly be used as such, but they can be used in many other use cases. You need to remember that normal exceptions will &lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exceptions-security-profiles.html" target="_self"&gt;disable security capabilities&lt;/A&gt;, among other things.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One of the cases where you would need a Support Exception is to handle Exploit Alerts, as the Exploit profile does not provide any way to add a whitelist. The only way to do it is to retrieve the Alert data and allow XDR to &lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception.html#:~:text=analysis%20security%20event.-,Review%20Advanced%20Analysis%20Exceptions,-With%20Advanced%20Analysis" target="_self"&gt;analyze&lt;/A&gt; it; if XDR cannot provide an Exception, you need to open a TAC case and upload the alert data file, and they will be able to debug it. TAC will be able to tell you if the Exploit alert is a false/true positive. If it is a false positive, they will provide a &lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exceptions-security-profiles/add-exceptions-profile.html#:~:text=To%20configure%20a-,Support%20Exception,-%3A" target="_self"&gt;Support Exception&lt;/A&gt; that will take care of the compatibility issue on that specific Exploit module.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I hope this makes Exceptions a bit more clear.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Dec 2021 21:48:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/451089#M1320</guid>
      <dc:creator>fmoixsante</dc:creator>
      <dc:date>2021-12-02T21:48:00Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a good (and quick) explanation out there of how Cortex XDR works on systems?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/451235#M1321</link>
      <description>&lt;P&gt;Thanks for the additional insight to the exceptions. Our old AV system had exceptions for everything it seemed and made the platform look like Swiss cheese with all of the security "holes" in it. XDR has been a total 180 to that system but we still have users that insist on having the vendor recommended exceptions in place as a "comfort blanket." Not because they're being blocked but because of how they remember legacy AV systems operate... still working on that culture change I guess you can say. Anyways, thank you again for your help.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 03 Dec 2021 12:22:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/451235#M1321</guid>
      <dc:creator>CraigV123</dc:creator>
      <dc:date>2021-12-03T12:22:15Z</dc:date>
    </item>
    <item>
      <title>Re: Is there a good (and quick) explanation out there of how Cortex XDR works on systems?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/451265#M1322</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301"&gt;@CraigV123&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PANW already provides a set of compatibility policies in the form of Content Updates, which are provided weekly/biweekly automatically to every customer's tenant and automatically to all XDR agents.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anyway, thank you for your interest in our product, and please keep coming back here whenever you have any doubts or are seeking advice.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Dec 2021 15:57:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/is-there-a-good-and-quick-explanation-out-there-of-how-cortex/m-p/451265#M1322</guid>
      <dc:creator>fmoixsante</dc:creator>
      <dc:date>2021-12-03T15:57:46Z</dc:date>
    </item>
  </channel>
</rss>

