This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

initial profiling?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

initial profiling?

TonyTovar
L1 Bithead

‎07-21-2020 04:23 PM

when you first install the Cortex XDR agent on a new server (and reboot if on Windows), is it immediately 'active' and blocking suspicious processes? I was told that it ran in 'passive' mode for 30-days as it built a profile of "normal" activity for that agent. I ask because we are starting to use immutable servers which are recreated from-scratch on a regular basis.

0 Likes Likes
5 REPLIES 5

dfalcon
L4 Transporter

‎07-21-2020 04:36 PM - edited ‎07-21-2020 05:24 PM

Hi there-

 

For malware, exploits, and most threats - those are blocked immediately based on your malware / exploit profile settings under the endpoint management section.

 

The profiling you are referencing refers to the analytics component.  That feature is essentially learning the behavior of the environment based on the computer and user entity.  It is learning who is supposed to be doing what — it raises an alert when suspicious behavior is detected based on the behavior not matching that entity.  The profiling ranges anywhere from a few days to 4 weeks based on the collector type. 

 

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes

TonyTovar
L1 Bithead
In response to dfalcon

‎08-14-2020 01:48 PM

Thanks, David! So, in general, the agent is 'active' and protected the server immediately -- but with some delay for the "analytics" portion?

 

Also, I have now learned that there are 3 Cortex XDR licenses and we probably have just the base license (not "Pro"). So we are not getting EUBA or Network-Traffic Analytics. Was one of those the 'analytics' module to which you were referring? Or, is there also such a module in the base license?

0 Likes Likes

dfalcon
L4 Transporter
In response to TonyTovar

‎08-17-2020 10:20 AM

HI @TonyTovar ,

 

Yes, that is correct.  If you are using Prevent, the profiling component is not part of that offering.  You have all included protections available immediately.  


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes

TonyTovar
L1 Bithead
In response to dfalcon

‎08-17-2020 10:27 AM

Is 'Prevent' the base-level license?

0 Likes Likes

dfalcon
L4 Transporter
In response to TonyTovar

‎08-17-2020 11:40 AM

Hi @TonyTovar,

 

Yes. Prevent protects from malware, exploits, advanced threats.  It does not include the analytics and some of the other EDR features. 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes
  • 4081 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks