https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478171#M1835 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp;Cortex XDR uses several protection modules both on the agent as well as on the tenant-side, including integrations with <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles/add-malware-security-profile/wildfire-analysis-concepts" target="_blank">Wildfire</A> as well as other integrations (e.g. VirusTotal) that you may have added to your tenant. They range from behavioral techniques (BTPs/BIOCs), ML models, malware and exploit protection modules, YARA signatures, sandboxes, local analysis etc. These protection modules are both pre-execution and post-execution in nature, as well as both detective/preventative in nature.<BR />Customers are not able to tune YARA rules in XDR as that is entirely evolving in the backend and is managed by dedicated Threat Hunters, malware researchers and exploit researchers.&nbsp;<BR />Lastly, your tenant modules are seamlessly upgraded to respond to evolving threats and attacks as observed by the relevant domain experts. On the agent side, please ensure that the CU's are rolled out ASAP while being inline with your organizational security policies. The agents themselves should also be regularly updated to address the vulnerabilities/capability improvements that are packaged with each new minor/maintenance release.</P><P>&nbsp;</P><P>Please go through <A href="https://www.paloaltonetworks.com/blog/security-operations/cortex-xdr-protections-against-malware-associated-with-ukraine-and-russia-cyber-activity/" target="_blank">this article</A> that talks about XDR's capabilities with recent malware in-the-wild that touches upon the various levels of protection within XDR.</P> Tue, 05 Apr 2022 01:42:26 GMT bbarmanroy 2022-04-05T01:42:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/477735#M1820 <P>I have seen alerts screenshot on internet where an alert triggered after matching a Yara rules.</P><P>&nbsp;</P><P><A href="https://attackevals.mitre-engenuity.org/enterprise/participants/paloaltonetworks?adversary=carbanak-fin7&amp;view=results&amp;scenario=1" target="_blank">https://attackevals.mitre-engenuity.org/enterprise/participants/paloaltonetworks?adversary=carbanak-fin7&amp;view=results&amp;scenario=1</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KanwarSingh01_1-1648928772751.png" style="width: 870px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39998i4468255BFFBC365C/image-dimensions/870x50/is-moderation-mode/true?v=v2" width="870" height="50" role="button" title="KanwarSingh01_1-1648928772751.png" alt="KanwarSingh01_1-1648928772751.png" /></span></P><P>(Fourth Screenshot)</P><P>&nbsp;</P><P>Does Cortex XDR uses Yara Rules? I mean the screenshot answers it but how? Do we need to upgrade on a specific version of XDR agent? Can we build our own custom yara rules?</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/cortex/cortex-xdr" target="_blank">https://www.paloaltonetworks.com/cortex/cortex-xdr</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KanwarSingh01_0-1648928403368.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39997iA38F3503CDFDC1CD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="KanwarSingh01_0-1648928403368.png" alt="KanwarSingh01_0-1648928403368.png" /></span></P><P>&nbsp;</P><P>Would love to understand how it works.</P> Sat, 02 Apr 2022 19:49:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/477735#M1820 KanwarSingh01 2022-04-02T19:49:57Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478171#M1835 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp;Cortex XDR uses several protection modules both on the agent as well as on the tenant-side, including integrations with <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles/add-malware-security-profile/wildfire-analysis-concepts" target="_blank">Wildfire</A> as well as other integrations (e.g. VirusTotal) that you may have added to your tenant. They range from behavioral techniques (BTPs/BIOCs), ML models, malware and exploit protection modules, YARA signatures, sandboxes, local analysis etc. These protection modules are both pre-execution and post-execution in nature, as well as both detective/preventative in nature.<BR />Customers are not able to tune YARA rules in XDR as that is entirely evolving in the backend and is managed by dedicated Threat Hunters, malware researchers and exploit researchers.&nbsp;<BR />Lastly, your tenant modules are seamlessly upgraded to respond to evolving threats and attacks as observed by the relevant domain experts. On the agent side, please ensure that the CU's are rolled out ASAP while being inline with your organizational security policies. The agents themselves should also be regularly updated to address the vulnerabilities/capability improvements that are packaged with each new minor/maintenance release.</P><P>&nbsp;</P><P>Please go through <A href="https://www.paloaltonetworks.com/blog/security-operations/cortex-xdr-protections-against-malware-associated-with-ukraine-and-russia-cyber-activity/" target="_blank">this article</A> that talks about XDR's capabilities with recent malware in-the-wild that touches upon the various levels of protection within XDR.</P> Tue, 05 Apr 2022 01:42:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478171#M1835 bbarmanroy 2022-04-05T01:42:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478483#M1836 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192661">@bbarmanroy</a>&nbsp; are there any plans of integrating Custom Yara Rules in the future?</P> Tue, 05 Apr 2022 20:30:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478483#M1836 KanwarSingh01 2022-04-05T20:30:58Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478527#M1837 <P>We are discussing this internally to see what can be done. On a tactical basis, if you're having any issues with any detections, please raise a support ticket.</P> Wed, 06 Apr 2022 02:07:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478527#M1837 bbarmanroy 2022-04-06T02:07:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478552#M1839 <P>Not having issues just questions.</P><P>Thank you.</P> Wed, 06 Apr 2022 05:25:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/478552#M1839 KanwarSingh01 2022-04-06T05:25:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/547318#M4646 <P>We have a need for custome Yara rules as well.</P> <P>Other vendors like Trend Micro do have this already implemented.&nbsp;</P> <P>Any news from internal discussions&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192661">@bbarmanroy</a>?</P> Mon, 26 Jun 2023 17:11:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/yara-rules-and-cortex-xdr/m-p/547318#M4646 MarkusMix 2023-06-26T17:11:10Z