When you first install the Cortex XDR agent on a new server (and reboot if on Windows), is it immediately 'active' and blocking suspicious processes? I was told that it ran in 'passive' mode for 30 days as it built a profile of "normal" activity for that agent. I ask because we are starting to use immutable servers which are recreated from scratch on a regular basis.
For malware, exploits, and most threats, those are blocked immediately based on your malware/exploit profile settings under the Endpoint Management section.
The profiling you are referencing refers to the analytics component. That feature is essentially learning the behavior of the environment based on the computer and user entity. It is learning who is supposed to be doing what — it raises an alert when suspicious behavior is detected based on the behavior not matching that entity. The profiling ranges anywhere from a few days to 4 weeks based on the collector type.
Thanks, David! So, in general, the agent is 'active' and protects the server immediately, but with some delay for the "analytics" portion?
Also, I have now learned that there are 3 Cortex XDR licenses and we probably have just the base license (not "Pro"). So we are not getting UEBA or Network Traffic Analytics. Was one of those the 'analytics' module to which you were referring? Or is there also such a module in the base license?