Is there a good (and quick) explanation out there of how Cortex XDR works on systems?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is there a good (and quick) explanation out there of how Cortex XDR works on systems?

L3 Networker

Hello. I'm looking for a 10,000 foot overview explanation that people may have used in the past or anything written up by Palo Alto? We have a lot of people who are used to the way legacy AV systems work and relied heavily on setting recommended exclusions from 3rd party vendors. Exclusions, I believe, are sort of a last resort but I can't seem to convey that properly to the audience questioning why their exclusions aren't placed. Thank you in advance. 


Accepted Solutions

L3 Networker

L3 Networker

L3 Networker

Thank you for the response. I'll see if I can slim down those explanations any bit. It's been incredible to see the negative reactions from these folks when you tell them that exceptions aren't being placed unless it is the last resort. 

Hi @CraigV123 ,


In my opinion, Exceptions are not a last resort. They can certainly be use as such, but they can be used in many other use cases. You need to remember that normal exceptions will disable security capabilities, among other things. 


One of the cases where you would need a Support Exception, is to handle Exploit Alerts as the Exploit profile does not provide any way to add whitelist. The only way to do is to retrieve the Alert data, allow XDR to analyze it, if if XDR cannot provide an Exception, you need to open a TAC case, upload the alert data file and they will be able to debug it. TAC will be able to tell you if the Exploit alert is a false/true positive. If it is a false positive, they will provide a Support Exception that will take care of the compatibility issue on that specific Exploit module.


I hope this makes Exceptions a bit more clear.


Thanks for the additional insight to the exceptions. Our old AV system had exceptions for everything it seemed and made the platform look like swiss cheese with all of the security "holes" in it. XDR has been a total 180 to that system but we still have users that insist on having the vendor recommended exceptions in place as a "comfort blanket." Not because they're being blocked but because of how they remember legacy AV systems operate... still working on that culture change I guess you can say. Anyways, thank you again for your help. 

L3 Networker

Hi @CraigV123 ,


PANW provides already a set of compatibility policies in the form of Content Updates, which are provided weekly/biweekly automatically to every customer's tenant and automatically to all XDR agents.


Anyway, thank you for your interest in our product, and please keep coming back here whenever you have any doubts or seeking advice.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!