Microsoft SQL Server exceptions/exclusions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft SQL Server exceptions/exclusions

L4 Transporter

Hello dear community, 

 

how do you handle MSSQL Server exceptions/exclusions with Cortex XDR (Pro)?

Are there any issues a MSSQL Server with two or more instances with more than 5 databases?

 

Is there any vendor specific recommendation? 

 

BR

 

Rob

 

 

1 REPLY 1

L3 Networker

Hi Rob, 

 

When any process is launched, Cortex XDR seamlessly inserts agent inject libraries immediately after the operating system initiates a process created. Please refer to the following model:

 

mfakhouri_0-1664213084010.png

 

 

Exceptions can disable any relevant exploit modules configured with the agent that is running MSSQL and can be found in Policy Management > Prevention Profiles > Create new profile or edit existing profile for exceptions > Process exceptions. With the case of the model demonstrated, this would require an exception to disable injections. However, an accurate deployment for your needs would vary depending on your existing configuration. The “Select Modules” dropdown will list all available exploit protection modules that you would like to create an exception for from your baseline policy. 



mfakhouri_1-1664213084027.png

 



Also, exclusions function differently than exceptions. Exclusions will suppress a subset of defined alerts from Cortex XDR. This can be configured in Incident Response > Incident Configuration > Alert Exclusions. You can explore around with alert filtering if you would like to suppress MSSQL related alerts from specific endpoints. For additional details, please refer to the documentation posted below.

 

I am unable to confirm/deny any documented issues regarding running a MSSQL Server with two or more instances running more than 5 databases alongside the agent. This would likely vary based on your available computing resources. If you do happen to run into any issues with running the agent alongside your MSSQL database instances, we highly recommend contacting our TAC team at support.paloaltonetworks.com 

 

Finally, there are no particular recommendations for any specific vendor. If you are looking to integrate a database connection to directly query from Cortex XDR, the Database Collector supports the MySQL, PostgreSQL, MSSQL, and Oracle connection types. 



References: 



Exceptions:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exception...

 

Exclusions:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

 

Configure the Database Collector:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/...

  • 3354 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!