eXtended Threat Hunting (XTH) Module

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

eXtended Threat Hunting (XTH) Module

L3 Networker

Hi team,

Got a renewal quotation with new XTH module.

Heard eXtended Threat Hunting (XTH) Module is about query the raw data for threat hunting.

Still not so sure what is the new module is used for?

What is the use case to purchase this lic in addition to XDR Pro.

Without the XTH, what is limited when comparing with XTH lic on?

Regards,

SDG

Life is full of surprise,
Just embrace it!
6 REPLIES 6

L5 Sessionator

Hi @SeanDeHarris ,

 

The XTH module will ensure ingestion of additional data metrics which can be used for detailed investigation events. This module will ensure you have the agent collecting all the necessary data required for threat hunting events related to process, network and user entity based activities that can be collectively leveraged for effective threat hunting events. 

 

It also ensures to get high fidelity alerts on basis of UEBA data which is not part of the normal XDR Pro agent. Also, that essentially makes you get some extra detectors that we have with Pro+ XTH.

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query

L4 Transporter

Hi SeanDeHarris,

 

Just to add some additional color on this, you will not miss any attacks or decrease your protection capabilities by not purchasing the new XTH module.  The vast majority of analytics alerts will still work, and those that do not are being actively evaluated by our research and product teams to determine if any changes can be made to ensure they work with the data uploaded by the new base Pro EP offering.

 

The goal of splitting out some EDR data collection is to keep our existing protection and detection capabilities largely intact while reducing the bandwidth consumption for customers that don't want or need the detailed log collection for threat hunting.  You will, of course, get all relevant data uploaded when an alert is triggered on the agent, but the real-time data uploading is more limited otherwise.  

 

I would recommend you reach out to your account team for detailed information on what events are and are not collected without the XTH license, and to have an additional discussion around how we are continuing to provide the same great detection and response capabilities regardless of your licensing.

L1 Bithead

Hello, where can I "see" this module? Are there additional steps or actions that need to be taken to make sure this add-on is working as expected? If anyone can provide a link to an article providing more information, that would be greatly appreciated. 

I have the same issue, there is not much documentation on this module other than the analytics alert reference guide, however I don't see any of these alerts in my tenant. 

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/XDR-Agent-eXtended-T... 

Hi @bkedmunds ,

 

Maybe this doc helps. It outlines the type of logs which require XTH module for data collection and enhanced telemetry:

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Da...

Thank you @neelrohit this is exactly what I was looking for.

  • 3722 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!