Confluence Server and Data Center - CVE-2022-26134

Wondering where Cortex is at with this Critical vuln from Atlassian? We are actively moving forward with mitigations, but would like Cortex to be able to take action as well if needed. 

Confluence Security Advisory 2022-06-02 | Confluence Data Center

Cortex Linux Agent Debian Package messed up

Hi,

Starting with Version 7.7 the downloadable Package is still named *.deb, in fact it is a tar.gz containing the following:

-config file

-readme

-deb-file

Which means, you cannot just install the so-called "deb package", but you have to create a directo

CVE-2022-30190 - Microsoft Support Diagnostic Tool Vulnerability

Does Cortex XDR Prevent protect against CVE-2022-30190 (Microsoft Support Diagnostic Tool Vulnerability)?

Thank you!

Cortex does not block Windows binaries

To mitigate cve-2022-30190 i wanted to add the file hashes of the msdt.exe binary to the blocklist; but with no effect until now.
The hashes occure in the logfile of the agent below hashcontrol as enabled, but verdict has a value "0".
Is it possible, t

XQL - Hunt for Possible Spring4Shell Vulnerable Application

Brief:

Spring4Shell Vulnerability Exists in the Spring Framework. Java based application are developed using this framework, we would not see direct installation of spring framework on the system but as part of a Java application. (At least what I hav

A large number of port scans

Hi guys! 

Recently, we often encounter incidents associated with a large number of port scans in Cortex XDR. We assume that this started after the last update. Does anyone else have something similar?

Thank you!

Cortex blocking hashes in allowed list

Hello ,

Just wondering why does cortex block hashes that are already part of allow list sometimes ?

Analytics BIOC Rule, Identity analytics

Hi all

I have a question regarding a certain alert: Multiple user accounts  deleted

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/multiple-user-accounts-were-deleted

1) Is

Cortex XDR Pro - Vulnerability Assessment Replaced KBs

Hey dear Cortex XDR Admins and Users, 

when a KB was not installed in march and replaced with another KB from april like here:

https://administrator.de/forum/windows-server-2012-r2-windows-updates-2627286719.html

Is the best way to exclude the CVE in

Incident creation not working good at the moment

Hello dear Cortex XDR Community, 

I tested today some incident creations. In summary I can say, from about 10 executions, 3 Incidents were created under severity high. 

Under severity critical none. 

This is my BIOC:

No of alerts

Exections when I execu

XQL - Hunting Renamed LOLBINs Process Execution

Reason for Query:

LOLBINs are used quite extensively in attacks, in some cases LOLBINs are renamed and then used to bypass behavior based detection rules. Hence, the query is built to hunt for renamed process execution eg; cmd.exe renamed to xyz.exe a

Cortex xdr agent not checking in after install

Hi all, I have a problem with the agent - I have one agent that is not communicating with the xdr server after installation. The host in question had it's agent uninstalled via the xdr server, and then re-installed by the IT team. However now the hos

Query Share: XDR/PAN-OS URL Category Stitched Correlation Alert

Wanted to share a useful XQL query we have setup as a correlation rule in case anyone else finds it beneficial. This query requires that you have PAN-OS firewall URL logs available within XDR datasets, for example being sent to Cortex Data Lake. The