https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kernel-privilege-escalation-generated-by-xdr-agent-detected-on/m-p/366974#M407 <P>Hi AsifSid,</P><P>&nbsp;</P><P>I'd recommend starting by gathering more information about the alert by viewing the Causality Chain, which details the activities involved in suspicious behavior. This can be accessed by right-clicking on an alert, hovering over "Investigate Causality Chain," and choosing a resulting option.</P><P>&nbsp;</P><P>After determining whether the alert is a true- or false-positive, you can take your next steps:</P><P>&nbsp;</P><UL><LI>If a true-positive, ensure that the activity was blocked by the Cortex XDR Agent and follow your company's incident response procedures further.</LI><LI>If a false-positive, the next step would be to tune Cortex XDR to allow this behavior type.</LI></UL><P>&nbsp;</P><P>In general, creating rule exceptions is discussed <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-walkthroughs/exceptions-in-tms-and-cortex-xdr/ta-p/306384" target="_self">here</A> (Skip to 2:41 of the video.) However, given the information you've provided, you'll likely create a Java Deserialization exception as documented <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception.html" target="_self">here.</A></P><P>&nbsp;</P> Thu, 03 Dec 2020 01:19:44 GMT gjenkins 2020-12-03T01:19:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kernel-privilege-escalation-generated-by-xdr-agent-detected-on/m-p/363535#M375 <P>Hi All</P><P>&nbsp;</P><P>We are receiving large number of alerts in our cortex xdr console, The alert is as below, (hostname and user name I have kept as XYZ for privacy)</P><P>&nbsp;</P><P>'Kernel Privilege Escalation' generated by XDR Agent detected on host XYZ involving user XYZ"</P><P>&nbsp;</P><P>In all the alerts the process involved is "java."</P><P>&nbsp;</P><P>I need to understand this alert and the steps to be followed next.</P><P>&nbsp;</P><P>Please share you knowledge on this.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks &amp; Regards</P><P>Asif Siddiqui</P> Tue, 17 Nov 2020 14:15:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kernel-privilege-escalation-generated-by-xdr-agent-detected-on/m-p/363535#M375 AsifSid 2020-11-17T14:15:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kernel-privilege-escalation-generated-by-xdr-agent-detected-on/m-p/366974#M407 <P>Hi AsifSid,</P><P>&nbsp;</P><P>I'd recommend starting by gathering more information about the alert by viewing the Causality Chain, which details the activities involved in suspicious behavior. This can be accessed by right-clicking on an alert, hovering over "Investigate Causality Chain," and choosing a resulting option.</P><P>&nbsp;</P><P>After determining whether the alert is a true- or false-positive, you can take your next steps:</P><P>&nbsp;</P><UL><LI>If a true-positive, ensure that the activity was blocked by the Cortex XDR Agent and follow your company's incident response procedures further.</LI><LI>If a false-positive, the next step would be to tune Cortex XDR to allow this behavior type.</LI></UL><P>&nbsp;</P><P>In general, creating rule exceptions is discussed <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-walkthroughs/exceptions-in-tms-and-cortex-xdr/ta-p/306384" target="_self">here</A> (Skip to 2:41 of the video.) However, given the information you've provided, you'll likely create a Java Deserialization exception as documented <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception.html" target="_self">here.</A></P><P>&nbsp;</P> Thu, 03 Dec 2020 01:19:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kernel-privilege-escalation-generated-by-xdr-agent-detected-on/m-p/366974#M407 gjenkins 2020-12-03T01:19:44Z