Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XDR

L0 Member

Hi Community ,

i Had Came Across Some of the Questions Regarding Cortex Xdr , Hope you'll help me with Narrow Down The Rabbit Hole 

1. Why the Cortex scanning the files on the Endpoints that has the benign Verdicts in the Scanning Phase .

2. There are Few Factors on that we can Decide that File is Malicious or Benign 

          i. Based On the Execution Location of the File

         ii. Wildfire Verdict

         iii. Virustotal Verdict

Other than the Above factors can we have any Methods  to Decide is it True of False Positive 

3. why there is Benign with Low Confidence when there is already Benign Verdict 

                       i. On the scale of the 1-10 where the Benign with Low Confidence Lies

4. is there any way to change the Account Admin Role to Specific without Deleting the Users 

5. if the Agent is gone Connection Lost then after a long time User Check-in , is it going to Create two entries in the Cortex Console 

6. in the Agent Audit Logs in the Monitoring Category agent Service is been Stopped and Result is N/A and the Description was XDR Service cyserver Stopped on the XYZ Endpoint . 

                  i. is it Beacause of the Shuting Down the Machine or There are any Other Reasons Apart from this 

7. in the Agent Audit Logs in the Monitoring Category , Type = Agent Subtype= Quota Exceeded, what is the Meaning of the Quota Exceeded

8. what will the Appropriate Scanning Period that has Around 5000 Endpoints 

Note : In the Scanning Policy XDR Repeatedly scans that File that has been Already Resolved , Why is Such Behaviour 

1 accepted solution

Accepted Solutions

L4 Transporter

Hello @Yayati 

 

Thanks for reaching out on LiveCommunity!

It tried to answer the questions provided by you. Please find below the answers.

  1. During scan files are only scanned once. Thereafter files get scanned when they are executed. The purpose of scanning files again during execution is to reevaluate the verdict which may have changed since we scanned it last time.
  2. Apart from the factors that you have mentioned, Machine learning based detectors and analytics are the avenues that help to analyze an activity. However if you want to have additional checks then you can use file metadata provided by XDR to check on various other open source avenues available.
  3. Benign with low confidence settings provide you insight about how confident XDR is for the given verdict. For example, a file by a trusted signer or a file that was tested manually gets a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing gets a lower confidence Benign score. To add an additional verification method to such files, enable this setting. Then, when Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).
  4. Settings->Configurations->Access management->Roles->Right click “Account Admin” and select “Save as new role”. Now you can modify the role as per your requirements and save it with a different name.
  5. Once an endpoint is disconnected it will be in connection lost state for 30 days (default) and after 180 days the agent data is deleted. If an agent tries to connect to Cortex XDR during the 180 days period, the agent can resume connection and maintain its agent ID. After the 180 days period, the agent ID is deleted alongside all the associated data.
  6. Cyserver service stops mostly for system restarts. Additinally administrator can stop it using cytool command “cytool runtime stop”.
  7. XDR agent is assigned a default storage quota when it is installed. If this quota exceeds, XDR starts removing oldest data from its storage to make space for new data. You receive this log when the storage quota is full.
  8. Once a scan is initiated, XDR do not scan files repeatedly even if the scan is interrupted. Next time when scan resumes, it will scan the remaining files on the system.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

View solution in original post

1 REPLY 1

L4 Transporter

Hello @Yayati 

 

Thanks for reaching out on LiveCommunity!

It tried to answer the questions provided by you. Please find below the answers.

  1. During scan files are only scanned once. Thereafter files get scanned when they are executed. The purpose of scanning files again during execution is to reevaluate the verdict which may have changed since we scanned it last time.
  2. Apart from the factors that you have mentioned, Machine learning based detectors and analytics are the avenues that help to analyze an activity. However if you want to have additional checks then you can use file metadata provided by XDR to check on various other open source avenues available.
  3. Benign with low confidence settings provide you insight about how confident XDR is for the given verdict. For example, a file by a trusted signer or a file that was tested manually gets a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing gets a lower confidence Benign score. To add an additional verification method to such files, enable this setting. Then, when Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).
  4. Settings->Configurations->Access management->Roles->Right click “Account Admin” and select “Save as new role”. Now you can modify the role as per your requirements and save it with a different name.
  5. Once an endpoint is disconnected it will be in connection lost state for 30 days (default) and after 180 days the agent data is deleted. If an agent tries to connect to Cortex XDR during the 180 days period, the agent can resume connection and maintain its agent ID. After the 180 days period, the agent ID is deleted alongside all the associated data.
  6. Cyserver service stops mostly for system restarts. Additinally administrator can stop it using cytool command “cytool runtime stop”.
  7. XDR agent is assigned a default storage quota when it is installed. If this quota exceeds, XDR starts removing oldest data from its storage to make space for new data. You receive this log when the storage quota is full.
  8. Once a scan is initiated, XDR do not scan files repeatedly even if the scan is interrupted. Next time when scan resumes, it will scan the remaining files on the system.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

  • 1 accepted solution
  • 427 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!