on 03-14-2021 12:49 PM - edited on 05-23-2023 06:22 AM by osoprin
May 23 2023 Release:
May 17 2023 Release:
May 09 2023 Release:
May 01 2023 Release:
Hi @mfranzon, You view the release notes to the Cortex XDR agent conten versions on the customer support portal in the Updates > Dynamic Updates > Traps section.
For this Added Medium Analytics BIOCs:
Is it possible to alert this kind of attack?
No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loade...
the Info that something changed for the better is nice, but it'd be even better if there is a possibility to review the changes made.
To this day I think there isn't a possibility to view Analytics BIOC Rules.
The fact that Cortex XDR isn't a "black box" like other XDR/EDR products, that it's possible to view and alter standard BIOC Rules was the deciding factor for us to take the product into our MSSP program.
Hi @vcotton ,
Could you please provide information on the changes that came with content 700-18331 released on 22 September 2022?
A customer of mine is having issues with their SQL servers since the content version was installed.
Hi @vcotton ,
shouldn't this page be only available to people who login ? as not to give too much information to TAs ? Just thinking.
This page is for the moment available to anybody.
Seeing the same as @NilsGab, multiple alerts after the release of 2023.03.27.1020 on agent 126.96.36.199645.
All from local logins on 192.168.x.x networks, and all Tor exit nodes are blocked for in- and outbound traffic in the firewall using the list from PAN.
Can verify we are also getting flooded with "'A Successful login from TOR' alerts detected by XDR Analytics BIOC" alerts. Can anyone clarify what BIOC needs to be disabled in order to stop these alerts?
We began seeing the '"A Successful login from TOR' generated by XDR Analytics BIOC detected on host XXXX involving user YYYY" incidents at 21:10 UTC in our environment.
Looking into to Parkerjr2's post to turn off Identity Analytics. Anyone else done this (or other temporary mitigation) with success? Thanks.
You can disable the alert by going to this page, finding the rule, right-click 'disable'.
Just fill in the url with your tenant name and region and it should work.
We are getting the same here.... lots of "Successful login from TOR' alerts".
A combination of disabling the BIOC rule and excluding the alerts seems to do the trick. If your tenant has a few thousand endpoints, then you will need to wait whilst it plays catchup and processes all the events.
Given how much Identity Analytics does, I wouldn't disable that feature. It's clear the new content update is flagging BAU traffic as TOR.