https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-sql-server-exceptions-exclusions/m-p/515730#M2877 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>how do you handle MSSQL Server exceptions/exclusions with Cortex XDR (Pro)?</P> <P>Are there any issues a MSSQL Server with two or more instances with more than 5 databases?</P> <P>&nbsp;</P> <P>Is there any vendor specific recommendation?&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Sep 2022 18:28:50 GMT RFeyertag 2022-09-22T18:28:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-sql-server-exceptions-exclusions/m-p/515730#M2877 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>how do you handle MSSQL Server exceptions/exclusions with Cortex XDR (Pro)?</P> <P>Are there any issues a MSSQL Server with two or more instances with more than 5 databases?</P> <P>&nbsp;</P> <P>Is there any vendor specific recommendation?&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Sep 2022 18:28:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-sql-server-exceptions-exclusions/m-p/515730#M2877 RFeyertag 2022-09-22T18:28:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-sql-server-exceptions-exclusions/m-p/515961#M2906 <P><SPAN>Hi Rob,&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>When any process is launched, Cortex XDR seamlessly inserts agent inject libraries immediately after the operating system initiates a process created. Please refer to the following model:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mfakhouri_0-1664213084010.png" style="width: 759px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44151i7394411DE1FA8D17/image-dimensions/759x186/is-moderation-mode/true?v=v2" width="759" height="186" role="button" title="mfakhouri_0-1664213084010.png" alt="mfakhouri_0-1664213084010.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Exceptions can disable any relevant exploit modules configured with the agent that is running MSSQL and can be found in Policy Management &gt; Prevention Profiles &gt; Create new profile or edit existing profile for exceptions &gt; Process exceptions. With the case of the model demonstrated, this would require an exception to disable injections. However, an accurate deployment for your needs would vary depending on your existing configuration. The “Select Modules” dropdown will list all available exploit protection modules that you would like to create an exception for from your baseline policy.&nbsp;</SPAN></P> <P><BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mfakhouri_1-1664213084027.png" style="width: 608px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44152iB8DE56B5EAF3C57C/image-dimensions/608x450/is-moderation-mode/true?v=v2" width="608" height="450" role="button" title="mfakhouri_1-1664213084027.png" alt="mfakhouri_1-1664213084027.png" /></span></P> <P>&nbsp;</P> <P><BR /><BR /></P> <P><SPAN>Also, exclusions function differently than exceptions. Exclusions will suppress a subset of defined alerts from Cortex XDR. This can be configured in Incident Response &gt; Incident Configuration &gt; Alert Exclusions. You can explore around with alert filtering if you would like to suppress MSSQL related alerts from specific endpoints. For additional details, please refer to the documentation posted below.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I am unable to confirm/deny any documented issues regarding running a MSSQL Server with two or more instances running more than 5 databases alongside the agent. This would likely vary based on your available computing resources. If you do happen to run into any issues with running the agent alongside your MSSQL database instances, we highly recommend contacting our TAC team at support.paloaltonetworks.com&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Finally, there are no particular recommendations for any specific vendor. If you are looking to integrate a database connection to directly query from Cortex XDR, the Database Collector supports the MySQL, PostgreSQL, MSSQL, and Oracle connection types.&nbsp;</SPAN></P> <P><BR /><BR /></P> <P><SPAN>References:&nbsp;</SPAN></P> <P><BR /><BR /></P> <P><SPAN>Exceptions:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exceptions-security-profiles" target="_blank"><SPAN>https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exceptions-security-profiles</SPAN></A></P> <P>&nbsp;</P> <P><SPAN>Exclusions:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/alert-exclusions" target="_blank"><SPAN>https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/alert-exclusions</SPAN></A></P> <P>&nbsp;</P> <P><SPAN>Configure the Database Collector:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-the-database-collector" target="_blank"><SPAN>https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-the-database-collector</SPAN></A></P> Mon, 26 Sep 2022 17:42:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-sql-server-exceptions-exclusions/m-p/515961#M2906 mfakhouri 2022-09-26T17:42:39Z