topic Re: XDR Acting as Application Control for Linux in Cortex XDR Discussions

XDR Acting as Application Control for Linux

rafael — Wed, 18 Sep 2024 23:18:42 GMT

Hi Community,

I've managed to transform Palo Alto Networks' Cortex XDR into an effective application control solution for Linux based on the hashes of the files.

Has anyone else tried this method previously?

Re: XDR Acting as Application Control for Linux

nar — Thu, 19 Sep 2024 11:26:45 GMT

Hi @rafael

Thank you for reaching out to the Live community!

Basically, CortexXDR has features like Hash control ,Restriction policies (Phase2 & 3 ) & BIOCs etc,.. that can be used to manage files and applications effectively.

But generally speaking, transforming XDR solution into solely an application control solution may not be good idea since App control is a legacy control solution that leaves companies open to supply chain attacks, lolbins, and much more...

Please click Accept as Solution to acknowledge If this answer added value to your question.

Re: XDR Acting as Application Control for Linux

rafael — Thu, 19 Sep 2024 15:49:59 GMT

It is true that BIOC rules allow you to detect behaviour, this functionality of Application control with cortex restricts Linux Servers to use files that aren´t whitelisted by you. I dont agree since it could be a great use for restricted servers with important information.

Re: XDR Acting as Application Control for Linux

nar — Thu, 19 Sep 2024 19:49:00 GMT

Custom BIOC rules can be added to the restriction profile to restrict the file execution and to have more granular control than just detection, could be used as an application control over restricted servers or on servers that have tight hardening which are not exposed to outside infra easily but the point I was making is to effectively use XDR solution for the purpose it is built for than just using it as legacy App control solution.