09-22-2022 11:28 AM
Hello dear community,
How do you handle MSSQL Server exceptions/exclusions with Cortex XDR (Pro)?
Are there any issues with an MSSQL Server with two or more instances with more than 5 databases?
Is there any vendor specific recommendation?
BR
Rob
09-26-2022 10:42 AM
Hi Rob,
When any process is launched, Cortex XDR seamlessly inserts agent injection libraries immediately after the operating system initiates process creation. Please refer to the following model:
Exceptions can disable any relevant exploit modules configured with the agent that is running MSSQL and can be found in Policy Management > Prevention Profiles > Create new profile or edit existing profile for exceptions > Process exceptions. With the case of the model demonstrated, this would require an exception to disable injections. However, an accurate deployment for your needs would vary depending on your existing configuration. The “Select Modules” dropdown will list all available exploit protection modules that you would like to create an exception for from your baseline policy.
Also, exclusions function differently than exceptions. Exclusions will suppress a subset of defined alerts from Cortex XDR. This can be configured in Incident Response > Incident Configuration > Alert Exclusions. You can explore alert filtering if you would like to suppress MSSQL related alerts from specific endpoints. For additional details, please refer to the documentation posted below.
I am unable to confirm/deny any documented issues regarding running an MSSQL Server with two or more instances running more than 5 databases alongside the agent. This would likely vary based on your available computing resources. If you do happen to run into any issues with running the agent alongside your MSSQL database instances, we highly recommend contacting our TAC team at support.paloaltonetworks.com.
Finally, there are no particular recommendations for any specific vendor. If you are looking to integrate a database connection to directly query from Cortex XDR, the Database Collector supports the MySQL, PostgreSQL, MSSQL, and Oracle connection types.
References:
Exceptions:
Exclusions:
Configure the Database Collector: