topic Re: Ransomware isolation automation in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ransomware-isolation-automation/m-p/595096#M7079 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301">@CraigV123</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>The Automation Rules are the way to isolate the endpoints on a critical event like this. You need to create the rule as detailed as possible, like Severity = High or Critical &amp; Category contains Malware + you can add the Mitre Tactics and Techniques usually used for this kind of malware.</P> <P>Of course the best option is to have an alert about this kind of malware and create the filter using the current findings.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Fri, 16 Aug 2024 12:56:15 GMT jmazzeo 2024-08-16T12:56:15Z Ransomware isolation automation https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ransomware-isolation-automation/m-p/595045#M7076 <P>Hi everyone.</P> <P>Have XDR Pro. Looking for an "easy" way to automatically isolate a device when ransomware-like behaviors are detected. Looking through the automation configurations, it doesn't appear to be that easy. I obviously don't want to be isolating a ton of devices on false positives either.</P> <P>&nbsp;</P> <P>Any suggestions from the community?</P> <P>&nbsp;</P> <P>Thanks in advance.</P> Thu, 15 Aug 2024 20:13:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ransomware-isolation-automation/m-p/595045#M7076 CraigV123 2024-08-15T20:13:55Z Re: Ransomware isolation automation https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ransomware-isolation-automation/m-p/595096#M7079 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301">@CraigV123</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>The Automation Rules are the way to isolate the endpoints on a critical event like this. You need to create the rule as detailed as possible, like Severity = High or Critical &amp; Category contains Malware + you can add the Mitre Tactics and Techniques usually used for this kind of malware.</P> <P>Of course the best option is to have an alert about this kind of malware and create the filter using the current findings.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Fri, 16 Aug 2024 12:56:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ransomware-isolation-automation/m-p/595096#M7079 jmazzeo 2024-08-16T12:56:15Z