initial profiling?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

initial profiling?

L1 Bithead

when you first install the Cortex XDR agent on a new server (and reboot if on Windows), is it immediately 'active' and blocking suspicious processes? I was told that it ran in 'passive' mode for 30-days as it built a profile of "normal" activity for that agent. I ask because we are starting to use immutable servers which are recreated from-scratch on a regular basis.


L4 Transporter

Hi there-


For malware, exploits, and most threats - those are blocked immediately based on your malware / exploit profile settings under the endpoint management section.


The profiling you are referencing refers to the analytics component.  That feature is essentially learning the behavior of the environment based on the computer and user entity.  It is learning who is supposed to be doing what — it raises an alert when suspicious behavior is detected based on the behavior not matching that entity.  The profiling ranges anywhere from a few days to 4 weeks based on the collector type. 



David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Thanks, David! So, in general, the agent is 'active' and protected the server immediately -- but with some delay for the "analytics" portion?


Also, I have now learned that there are 3 Cortex XDR licenses and we probably have just the base license (not "Pro"). So we are not getting EUBA or Network-Traffic Analytics. Was one of those the 'analytics' module to which you were referring? Or, is there also such a module in the base license?

HI @TonyTovar ,


Yes, that is correct.  If you are using Prevent, the profiling component is not part of that offering.  You have all included protections available immediately.  

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Is 'Prevent' the base-level license?

Hi @TonyTovar,


Yes. Prevent protects from malware, exploits, advanced threats.  It does not include the analytics and some of the other EDR features. 

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!