What are the capabilities of Cortex XDR without endpoint agents and just with PANOS firewall integration like an NDR solution?

cancel
Showing results for 
Search instead for 
Did you mean: 

What are the capabilities of Cortex XDR without endpoint agents and just with PANOS firewall integration like an NDR solution?

Cyber Elite
Cyber Elite

Hello,

 

 

My question is what are the capabilities of Cortex XDR without endpoint agents and just with PANOS firewall integration? As the Palo Alto firewall can forward its logs to the XDR for extra checks what are the features that XDR can provide like just an NDR solution?

 

Also without SSL decryption I am wondering if the XDR can do like machine learning network profiling as for example other NDR solutions ask you mark the hosts that are AD controllers (or it even auto detects which hosts are the AD controllers by sniffing the network traffic and applies special machine learning models to them) as for the NDR to know and apply special checks to those hosts if for example the AD controller will not do web browsing or outbound start LDAP?

 

 

So basically can the PANOS firewall act like an NDR sensor (using the interface TAP for example) and if there is a need for PANOS license as the NDR license could be enough?

1 ACCEPTED SOLUTION

Accepted Solutions

L3 Networker

Hi @nikoolayy1 

 

Here is a noteworthy write up on NDR / Network Traffic Analysis (NTA) to provide an overview / insights.  In a firewall-only deployment where the Cortex XDR agent is not installed on your endpoints, you can use of Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers, and workstations for malicious activity. The Analytics Engine can also analyze the Pathfinder data collector in combination with other data sources to increase coverage of your network and endpoints, and to provide more context when investigating alerts.

 

To provide greater coverage and accuracy, you can enable Enhanced Application Logging (EAL)  on your Palo Alto Networks firewalls. EAL are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR .

 

I hope this information provides you with a path forward. 

View solution in original post

5 REPLIES 5

L4 Transporter

Hi @nikoolayy1 

cortex xdr is designed to work with the xdr agents in the endpoints. The more log sources you integrate of the type: FW, servers, Enhanced Data Collection, AD logs, etc, the better to be able to spot malicious activity. 

If you disable the agents or uninstall them, you will stop blocking any malware on the endpoint leaving them unprotected. 

Imagine that you detect on your network/fw logs a malicious connection, this means that at that moment your EPs are already compromised. If the agent is up and running full capabilities the agent will block the attack and report it. 

There is no much sense on buying an expensive KR, tool and disabling it. Or maybe I didnt fully get your point

 

KR,

Luis

 

L3 Networker

Hi @nikoolayy1 

 

Here is a noteworthy write up on NDR / Network Traffic Analysis (NTA) to provide an overview / insights.  In a firewall-only deployment where the Cortex XDR agent is not installed on your endpoints, you can use of Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers, and workstations for malicious activity. The Analytics Engine can also analyze the Pathfinder data collector in combination with other data sources to increase coverage of your network and endpoints, and to provide more context when investigating alerts.

 

To provide greater coverage and accuracy, you can enable Enhanced Application Logging (EAL)  on your Palo Alto Networks firewalls. EAL are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR .

 

I hope this information provides you with a path forward. 

Hello,

 

 

Thanks for the reply as some clients use other EDR solutions and having 2 agents on the same workstation is not a good option, also the XDR I know can trigger a xsoar playbook that can block the bad users AD accounts or contact the 3rth party EDR to isolate the workstation and etc.

 

 

The thing about enabling EAL sugggests to me that even if the firewall is deployed as a TAP what licenses should have like Threat Prevention and Wildfire and URL filtering enabled (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/subscriptions/enhanced-application-logs) as this will provide more info to the XDR.

 

The other thing I don't see to be mentioned in a palo alto article is if without an XDR agent the XDR autodetects, using the firewall logs which hosts are the AD controllers as I don't think there is a host field like the type of the host (workstation, ad controller). I have worked with other NDR solutions where the AD controller ip addresses are configured, so that the NDR to be able apply special monitoring to those hosts as I mentioned an AD controller will not try to access facebook for example, so this is a cause for an alarm and this adds extra accuracy to the NDR if the domain controllers are specified during a deployment of the NDR. I see that Palo Alto XDR has some alarms for the domain controllers but I see that an agent seems to be needed. Still there is a service like the Windows Event Collector (WEC) and maybe it can compensate for an XDR agent not being installed but I can't say.

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/...

 

I asked around about people that have a  lot of expiriance with XDR and without an XDR agent the detections are limited as when the agent is installed then the XDR autodetects the host's function like if they are AD controllers but without an agent the detections are limited, so maybe in the future the XDR without an Agent and just firewall integration (like NDR) will be able to do more detections expecially related to the Active Directory domain controller traffic but we will see.

In addition to the information and replies, I would like to add the reference below. You can add third party ingestion sources which can provide added analytics detection. Also by adding more external data ingestion, you can build and create your own correlation rule alerts. Basically you can build your own analytics or alerts based out of these ingested data using XQL. 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!