https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1254006#M9335 <P>Hello Susekar,</P> <P>&nbsp;</P> <P>Thanks for replying. I want to understand if i can prepare "Allow List" using Cortex platform. If yes what will be the approach?? I have tried obtaining the list using XQL but the telemetry that is ingested in cortex only covers the running applications or files with .exe extension. The query does not returns dormant application or silent .exe files. I want to parse and dedup all the .exe files available.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks and Regards</P> Thu, 14 May 2026 05:17:19 GMT S.Jagushte774563 2026-05-14T05:17:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1253464#M9309 <P>Hello Community,</P> <P>&nbsp;</P> <P>I want to understand if application fingerprinting can be achieved in cortex. If yes, what is the approach of achieving default block for all the unknown application.&nbsp;</P> <P>&nbsp;</P> <P>Thanks and Regards.</P> <P>&nbsp;</P> Tue, 05 May 2026 12:30:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1253464#M9309 S.Jagushte774563 2026-05-05T12:30:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1253546#M9315 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/417995851">@S.Jagushte774563</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="165" data-start="0">Cortex XDR identifies and "fingerprints" applications primarily through unique identifiers such as SHA-256 file hashes, digital signers (signatures), and file paths.</P> <P data-end="165" data-start="0">&nbsp;</P> <P data-end="406" data-start="167">While Cortex XDR is primarily a threat prevention platform, you can achieve a "Zero Trust" or "Default Deny" application control posture where all unknown applications are blocked by default and only approved ones are permitted to execute.</P> <H4 data-end="463" data-start="408" data-section-id="13kdnck">(Approaches for Default Block of Unknown Applications)</H4> <P data-end="571" data-start="465">There are two primary methods to implement a default block posture for unknown applications in Cortex XDR:</P> <H4 data-end="654" data-start="573" data-section-id="1qlkqtr">1. The Restriction Profile &amp; Legacy Exceptions Approach (Strict Allowlisting)</H4> <P data-end="739" data-start="655">This is the most common method for implementing a strict application control policy.</P> <UL data-end="1267" data-start="741"> <LI data-end="882" data-start="741" data-section-id="1lo24t0"><STRONG data-end="781" data-start="743">Step 1: Create a broad block rule.</STRONG><BR data-end="784" data-start="781" />Create a Restrictions Profile and add a broad wildcard (e.g., <CODE data-end="851" data-start="848">*</CODE> or <CODE data-end="862" data-start="855">*.exe</CODE>) to the Block List.</LI> <LI data-end="1103" data-start="884" data-section-id="9stwsx"><STRONG data-end="931" data-start="886">Step 2: Explicitly define approved items.</STRONG><BR data-end="934" data-start="931" />Use the Allow List within the Restrictions Profile or create Legacy Agent Exceptions to permit specific trusted applications based on their file path, hash, or signer.</LI> <LI data-end="1267" data-start="1105" data-section-id="ram0w9"><STRONG data-end="1120" data-start="1107">Priority:</STRONG><BR data-end="1123" data-start="1120" />The agent prioritizes the Allow List over the Block List, ensuring that approved applications run even if they match the broad wildcard block.</LI> </UL> <H4 data-end="1320" data-start="1269" data-section-id="782pha">2. The Malware Profile "Block Unknown" Approach</H4> <P data-end="1453" data-start="1321">This method relies on WildFire threat intelligence to determine if an application is known to the environment or Palo Alto Networks.</P> <UL data-end="1966" data-start="1455"> <LI data-end="1598" data-start="1455" data-section-id="1fulu73"><STRONG data-end="1479" data-start="1457">Action on Unknown:</STRONG><BR data-end="1482" data-start="1479" />Within the Malware Security Profile, set the configuration <EM data-end="1584" data-start="1543">Action when file is unknown to WildFire</EM> to <STRONG data-end="1597" data-start="1588">Block</STRONG>.</LI> <LI data-end="1791" data-start="1600" data-section-id="12io3h6"><STRONG data-end="1612" data-start="1602">Logic:</STRONG><BR data-end="1615" data-start="1612" />When an application attempts to run, the agent calculates its SHA-256 hash. If WildFire does not have a verdict (Benign or Malware) for that hash, the application is blocked.</LI> <LI data-end="1966" data-start="1793" data-section-id="hij54q"><STRONG data-end="1806" data-start="1795">Caveat:</STRONG><BR data-end="1809" data-start="1806" />This approach can be high-impact, as new legitimate files or temporary DLLs (e.g., from .NET updates) might be blocked until they are analyzed by WildFire.</LI> </UL> <H4 data-end="2004" data-start="1968" data-section-id="y1e4j">Best Practices and Considerations:</H4> <UL data-end="2548" data-start="2006"> <LI data-end="2188" data-start="2006" data-section-id="sxpaaw"><STRONG data-end="2024" data-start="2008">High Impact:</STRONG><BR data-end="2027" data-start="2024" />Strict allowlisting is a high-impact configuration. It is recommended to test these policies on a small group of non-critical systems before a broader rollout.</LI> <LI data-end="2395" data-start="2190" data-section-id="151rig"><STRONG data-end="2223" data-start="2192">Fingerprinting via Signers:</STRONG><BR data-end="2226" data-start="2223" />To avoid manually managing hashes for every software update, you can use signer-based allowlisting (e.g., allowing all applications signed by "Microsoft Corporation").</LI> <LI data-end="2548" data-start="2397" data-section-id="exoh6z"><STRONG data-end="2422" data-start="2399">Identifying Hashes:</STRONG><BR data-end="2425" data-start="2422" />To obtain the SHA-256 "fingerprint" of a specific file locally for a block/allow rule, you can use the following command:</LI> </UL> <P>&nbsp;</P> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="relative"> <DIV class="pe-11 pt-3"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼd ͼr" dir="ltr"> <DIV class="cm-scroller"> <PRE class="cm-content q9tKkq_readonly m-0"><CODE><SPAN>cytool file query [PATHTOFILE]</SPAN></CODE></PRE> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking <STRONG>like</STRONG> and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 06 May 2026 18:52:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1253546#M9315 susekar 2026-05-06T18:52:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1253880#M9333 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098">@susekar</a>&nbsp;</P> <P>Is this a theoretical interpretation, or a confirmed and established approach with known practical use?</P> <P>Thanks.&nbsp;</P> Wed, 13 May 2026 05:36:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1253880#M9333 maximk 2026-05-13T05:36:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1254006#M9335 <P>Hello Susekar,</P> <P>&nbsp;</P> <P>Thanks for replying. I want to understand if i can prepare "Allow List" using Cortex platform. If yes what will be the approach?? I have tried obtaining the list using XQL but the telemetry that is ingested in cortex only covers the running applications or files with .exe extension. The query does not returns dormant application or silent .exe files. I want to parse and dedup all the .exe files available.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks and Regards</P> Thu, 14 May 2026 05:17:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/application-fingerprinting/m-p/1254006#M9335 S.Jagushte774563 2026-05-14T05:17:19Z