<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How most decisions are made by Cortex XDR ? in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-most-decisions-are-made-by-cortex-xdr/m-p/469984#M1600</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210067"&gt;@Balaraju&lt;/a&gt;&amp;nbsp;this depends on the configuration of your Malware profiles.&lt;/P&gt;&lt;P&gt;Assuming your profile is configured with WildFire (WF) analysis enabled and configured to block/report for known samples or run Local Analysis for unknown verdicts, your explanation is correct for both points. However, this does not include the reaction of post-execution modules like Behavioral Threat Protection, ransomware, NPI etc. Even if WF verdicts are benign, post-execution modules will continue to operate independently and can mitigate threats in-flight.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't have any statistical data at hand - but again, it depends on the tenant configuration. Some organizations might have WF disabled, and thus solely depend on Local Analysis verdicts. Verdicts can vary between industry verticals, types of software used, internet access control (air-gapped systems vs direct internet exposure), administrative rights of the endpoint user, firewall configurations, and the list goes on. So,&amp;nbsp;&lt;EM&gt;it depends!&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please refer to this detailed documentation on Cortex XDR file analysis and protection flows:&amp;nbsp;&lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/analysis-and-protection-flow.html#idc8514e04-490b-498a-b9ca-b68dfc5be3d4" target="_blank"&gt;https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/analysis-and-protection-flow.html#idc8514e04-490b-498a-b9ca-b68dfc5be3d4&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 03 Mar 2022 04:56:09 GMT</pubDate>
    <dc:creator>bbarmanroy</dc:creator>
    <dc:date>2022-03-03T04:56:09Z</dc:date>
    <item>
      <title>How most decisions are made by Cortex XDR ?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-most-decisions-are-made-by-cortex-xdr/m-p/469818#M1599</link>
      <description>&lt;P&gt;Greetings,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am using Cortex XDR Prevent and keen to know how most decisions are made by Cortex XDR about a file/process/macro being malicious or not. So, assuming there are no hash exceptions, I need to know if the below is true:&lt;/P&gt;&lt;P&gt;- First, the WildFire cache is checked, and if a verdict for the sample is available, it is used and it becomes final.&lt;/P&gt;&lt;P&gt;- Second, if the sample is not in the WildFire cache, then static analysis is done and its decision is used; in parallel, the sample is sent for WildFire analysis, and once a verdict is received it takes priority over static analysis. If the WildFire verdict is 'Unknown', then the Static Analysis verdict is final. Also, until the verdict is received from WildFire, the local analysis verdict is valid.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can somebody confirm if the above is a true understanding, or if I am wrong anywhere?&lt;/P&gt;&lt;P&gt;Secondly, I will appreciate it if any statistical information is shared about the above, like whose verdict is used in most cases, between Static Analysis and WildFire.&lt;/P&gt;&lt;P&gt;Thirdly, I need to know how often the verdicts are different, and are they the same in most cases?&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Mar 2022 15:37:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-most-decisions-are-made-by-cortex-xdr/m-p/469818#M1599</guid>
      <dc:creator>Balaraju</dc:creator>
      <dc:date>2022-03-02T15:37:25Z</dc:date>
    </item>
    <item>
      <title>Re: How most decisions are made by Cortex XDR ?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-most-decisions-are-made-by-cortex-xdr/m-p/469984#M1600</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210067"&gt;@Balaraju&lt;/a&gt;&amp;nbsp;this depends on the configuration of your Malware profiles.&lt;/P&gt;&lt;P&gt;Assuming your profile is configured with WildFire (WF) analysis enabled and configured to block/report for known samples or run Local Analysis for unknown verdicts, your explanation is correct for both points. However, this does not include the reaction of post-execution modules like Behavioral Threat Protection, ransomware, NPI etc. Even if WF verdicts are benign, post-execution modules will continue to operate independently and can mitigate threats in-flight.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't have any statistical data at hand - but again, it depends on the tenant configuration. Some organizations might have WF disabled, and thus solely depend on Local Analysis verdicts. Verdicts can vary between industry verticals, types of software used, internet access control (air-gapped systems vs direct internet exposure), administrative rights of the endpoint user, firewall configurations, and the list goes on. So,&amp;nbsp;&lt;EM&gt;it depends!&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please refer to this detailed documentation on Cortex XDR file analysis and protection flows:&amp;nbsp;&lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/analysis-and-protection-flow.html#idc8514e04-490b-498a-b9ca-b68dfc5be3d4" target="_blank"&gt;https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/analysis-and-protection-flow.html#idc8514e04-490b-498a-b9ca-b68dfc5be3d4&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 03 Mar 2022 04:56:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-most-decisions-are-made-by-cortex-xdr/m-p/469984#M1600</guid>
      <dc:creator>bbarmanroy</dc:creator>
      <dc:date>2022-03-03T04:56:09Z</dc:date>
    </item>
  </channel>
</rss>