- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-19-2024 09:47 AM
Hello dear community!
what could we or PA setup in PA Cortex XDR to prevent us from such a disaster which happened to CrowdStrike?
Are there any settings or recommendations which can be shared?
BR
Rob
07-22-2024 02:05 AM
Hi @RFeyertag ,
What I recommend, and what I have implemented in my XDR, is the agents only perform auto-updates after 7 days (on settings you can see agent upgrade).
If there is an urgent update, I go to the tenant and force all devices to upgrade.
This way, the risk of problematic software is reduced.
07-22-2024 02:43 AM - edited 07-22-2024 02:44 AM
@tlmarques In a case like CrowdStrike's last week, this approach doesn't solve the issue. The faulty update was caused by a content update and not an agent update. However, you thankfully have the option with Cortex XDR to delay content updates through agent settings profile: Add a New Agent Settings Profile • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Netwo...
We deploy content updates on 10% of the endpoints immediately and delay the remaining 90% for 2 days to make sure our business is not paralyzed by a faulty update.
07-22-2024 03:06 AM
Hi @Rocky-25 , thanks for correction.
I've say agent only, but our rule is apply for both options (agent and content).
08-20-2024 12:26 AM
To prevent issues similar to CrowdStrike, we can utilize the delay auto updates configuration mechanism available on the PANW Cortex XDR platform console:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!