The Cortex XDR not installed still incident getting generated

L0 Member

We have observed an incident on a server on which Cortex XDR is not installed. The system is only present in the asset inventory. How is this possible, and on what basis is the incident generated?

Incident Name: Multiple Rare LOLBIN Process Executions by User

 

Thanks in advance.

1 reply

L3 Networker

Hello Shinde_Dipak,

The 'Multiple Rare LOLBIN Process Executions by User' alert is generated by XDR Analytics. Reference: Multiple Rare LOLBIN Process Executions by User • Cortex XDR Analytics Alert Reference

 

The source for this detection is data collected from the XDR Agent with Identity Analytics enabled. However, customers can take advantage of analytics network or identity detectors on a host in the absence of the XDR agent if additional network and identity data sources (Cloud Identity Engine, Azure etc.) are onboarded directly into Cortex XDR. 

 

For example, in addition to the agent, Cortex XDR can ingest PAN NGFW Enhanced application logs (EAL) and Third-party authentication service logs with the Pro GB or Cloud license to detect threats by collecting and analyzing cloud logs. Its analytics detectors examine cloud audit, flow, and identity logs to baseline behavior.

 

References:

Ingest Data from Next-Generation Firewall • Cortex XDR Pro Administrator Guide • Reader • Palo Alto ...

Visibility of Logs and Alerts from External Sources • Cortex XDR Pro Administrator Guide • Reader • ...

Analytics • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal
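As an added illustration (not code from the reply above or from Palo Alto Networks), the following Python sketch shows the general shape of a "multiple rare LOLBIN process executions by user" analytics detector: first baseline which binaries are commonly run across the environment, then flag a user who runs several rarely-seen ones within a window. It also shows why the alert can point at a host that has no agent: the host name is taken from whatever data source supplied the event. The event list, the LOLBIN set, the thresholds and the "external_log" source label are constructed assumptions; the actual Cortex XDR Analytics logic is not described on this page.

```python
from collections import defaultdict

# Well-known living-off-the-land binaries used for this illustration (assumed list).
LOLBINS = {
    "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "bitsadmin.exe", "wmic.exe", "cscript.exe", "msbuild.exe",
}

# Constructed sample events, not real telemetry. "source" records which feed
# supplied the event: SRV-NOAGENT is seen only through "external_log", i.e. it
# has no XDR agent but is still attributable by host name.
EVENTS = [
    {"ts": "2023-11-01T09:00:00", "user": "alice", "host": "WS-ALICE", "process": "outlook.exe", "source": "xdr_agent"},
    {"ts": "2023-11-02T09:05:00", "user": "alice", "host": "WS-ALICE", "process": "rundll32.exe", "source": "xdr_agent"},
    {"ts": "2023-11-03T10:00:00", "user": "bob", "host": "WS-BOB", "process": "rundll32.exe", "source": "xdr_agent"},
    {"ts": "2023-11-04T11:00:00", "user": "carol", "host": "WS-CAROL", "process": "rundll32.exe", "source": "xdr_agent"},
    {"ts": "2023-11-05T12:00:00", "user": "dave", "host": "WS-DAVE", "process": "certutil.exe", "source": "xdr_agent"},
    # detection window (on or after WINDOW_START)
    {"ts": "2023-11-21T08:00:00", "user": "bob", "host": "WS-BOB", "process": "certutil.exe", "source": "xdr_agent"},
    {"ts": "2023-11-21T08:10:00", "user": "eve", "host": "SRV-NOAGENT", "process": "rundll32.exe", "source": "external_log"},
    {"ts": "2023-11-21T08:11:00", "user": "eve", "host": "SRV-NOAGENT", "process": "certutil.exe", "source": "external_log"},
    {"ts": "2023-11-21T08:12:00", "user": "eve", "host": "SRV-NOAGENT", "process": "mshta.exe", "source": "external_log"},
    {"ts": "2023-11-21T08:13:00", "user": "eve", "host": "SRV-NOAGENT", "process": "regsvr32.exe", "source": "external_log"},
]

WINDOW_START = "2023-11-20T00:00:00"  # ISO-8601 timestamps compare correctly as strings


def build_baseline(events, baseline_end=WINDOW_START):
    """Count how many distinct users ran each process before baseline_end."""
    users_per_proc = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            users_per_proc[e["process"]].add(e["user"])
    return {proc: len(users) for proc, users in users_per_proc.items()}


def rare_lolbins(baseline, max_users=1):
    """A LOLBIN counts as 'rare' if at most max_users distinct users ran it in the baseline."""
    return {p for p in LOLBINS if baseline.get(p, 0) <= max_users}


def detect(events, rare, window_start=WINDOW_START, min_distinct=3):
    """Flag users who executed at least min_distinct different rare LOLBINs in the window.

    Returns {user: {"processes": set, "hosts": set, "sources": set}}. The host set
    comes from the events themselves, so a host without an agent can still appear.
    """
    per_user = defaultdict(lambda: {"processes": set(), "hosts": set(), "sources": set()})
    for e in events:
        if e["ts"] >= window_start and e["process"] in rare:
            rec = per_user[e["user"]]
            rec["processes"].add(e["process"])
            rec["hosts"].add(e["host"])
            rec["sources"].add(e["source"])
    return {u: rec for u, rec in per_user.items() if len(rec["processes"]) >= min_distinct}


def run_example():
    """Baseline on the sample events, then run detection over the window."""
    baseline = build_baseline(EVENTS)
    rare = rare_lolbins(baseline)
    return rare, detect(EVENTS, rare)


if __name__ == "__main__":
    rare, alerts = run_example()
    print("rare LOLBINs:", sorted(rare))
    for user, rec in alerts.items():
        print(f"{user}: {sorted(rec['processes'])} on {sorted(rec['hosts'])} via {sorted(rec['sources'])}")
```

In the sample data rundll32.exe is run by three users during the baseline, so it is not rare and eve's use of it does not count; her three rare binaries (certutil, mshta, regsvr32) on SRV-NOAGENT cross the threshold, while bob's single certutil execution does not. When triaging a real alert of this kind, the debug alert data described below tells you which feed supplied each stitched event, which is the quickest way to confirm that a non-agent source is behind an alert on an agentless host.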

 

To investigate which endpoint data was gathered to stitch the alert, review the debug alert data collected from the event:

 

Collect debug data from the Incidents tab

  1. Go to the Incidents tab and select the incident that you want to debug.
  2. Alt + right-click on the incident and select Download Debug Data.


 

Collect debug alert data from the Alerts page

  1. Go to the alert and Alt + right-click to select Debug Alert.
  2. Another window opens with the debug logs. Click 'Copy Log' and view the logs for analysis.

If you found this answer helpful, please select Accept as Solution.

 

Thank you!
