05-12-2022 03:46 AM - edited 05-12-2022 03:48 AM
Hello,
My question is: what are the capabilities of Cortex XDR without endpoint agents and just with PAN-OS firewall integration? As the Palo Alto firewall can forward its logs to the XDR for extra checks, what features can XDR provide, like just an NDR solution?
Also, without SSL decryption, I am wondering if the XDR can do machine learning network profiling. For example, other NDR solutions ask you to mark the hosts that are AD controllers (or even auto-detect which hosts are the AD controllers by sniffing the network traffic and apply special machine learning models to them), so that the NDR knows to apply special checks to those hosts, as for example an AD controller will not do web browsing or initiate outbound LDAP.
So basically, can the PAN-OS firewall act like an NDR sensor (using a TAP interface, for example), and is there a need for a PAN-OS license, or could the NDR license be enough?
05-12-2022 07:18 AM
Hi @nikoolayy1
Here is a noteworthy write-up on NDR / Network Traffic Analysis (NTA) to provide an overview / insights. In a firewall-only deployment where the Cortex XDR agent is not installed on your endpoints, you can use Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers, and workstations for malicious activity. The Analytics Engine can also analyze the Pathfinder data collector in combination with other data sources to increase coverage of your network and endpoints, and to provide more context when investigating alerts.
To provide greater coverage and accuracy, you can enable Enhanced Application Logging (EAL) on your Palo Alto Networks firewalls. EALs are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR.
I hope this information provides you with a path forward.
05-12-2022 06:34 AM
Hi @nikoolayy1
Cortex XDR is designed to work with the XDR agents on the endpoints. The more log sources you integrate of the type FW, servers, Enhanced Data Collection, AD logs, etc., the better you are able to spot malicious activity.
If you disable the agents or uninstall them, you will stop blocking any malware on the endpoint, leaving them unprotected.
Imagine that you detect on your network/FW logs a malicious connection; this means that at that moment your EPs are already compromised. If the agent is up and running with full capabilities, the agent will block the attack and report it.
There is not much sense in buying an expensive tool and disabling it. Or maybe I didn't fully get your point.
KR,
Luis
05-12-2022 11:03 AM - edited 05-12-2022 11:15 AM
Hello,
Thanks for the reply. Some clients use other EDR solutions, and having two agents on the same workstation is not a good option; also, the XDR, as I know, can trigger an XSOAR playbook that can block the bad users' AD accounts or contact the third-party EDR to isolate the workstation, etc.
The thing about enabling EAL suggests to me that even if the firewall is deployed as a TAP, it should have licenses like Threat Prevention, WildFire and URL Filtering enabled (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/subscriptions/enhanced-application-logs), as this will provide more info to the XDR.
The other thing I don't see mentioned in a Palo Alto article is whether, without an XDR agent, the XDR auto-detects from the firewall logs which hosts are the AD controllers, as I don't think there is a host field like the type of the host (workstation, AD controller). I have worked with other NDR solutions where the AD controller IP addresses are configured, so that the NDR is able to apply special monitoring to those hosts. As I mentioned, an AD controller will not try to access Facebook, for example, so this is a cause for an alarm, and this adds extra accuracy to the NDR if the domain controllers are specified during a deployment of the NDR. I see that Palo Alto XDR has some alarms for the domain controllers, but I see that an agent seems to be needed. Still, there is a service like the Windows Event Collector (WEC), and maybe it can compensate for an XDR agent not being installed, but I can't say.
05-21-2022 12:23 AM
I asked around among people who have a lot of experience with XDR, and without an XDR agent the detections are limited. When the agent is installed, the XDR auto-detects the host's function, like whether they are AD controllers, but without an agent the detections are limited. So maybe in the future the XDR without an agent and just firewall integration (like NDR) will be able to do more detections, especially related to the Active Directory domain controller traffic, but we will see.
05-24-2022 10:05 PM
In addition to the information and replies, I would like to add the reference below. You can add third-party ingestion sources, which can provide added analytics detection. Also, by adding more external data ingestion, you can build and create your own correlation rule alerts. Basically, you can build your own analytics or alerts based on this ingested data using XQL.
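The role-aware check described earlier in the thread (an operator lists the domain controller IPs up front, and the detector flags traffic a DC should never initiate, such as outbound web browsing or LDAP to a non-DC) is the kind of rule the last reply says you can build yourself over ingested firewall logs. Below is an added example of that logic in Python, written for this page; it is not Cortex XDR, XQL or Palo Alto Networks code. The log format, field names, the list of domain controllers and all sample records are constructed for illustration, loosely shaped like a simplified PAN-OS traffic log; it assumes no host-type field is available, which is exactly why the DC list has to be supplied by hand.

```python
"""
Added example, not from the thread or from Palo Alto Networks: a simple
role-aware detector for domain controller traffic seen in firewall logs.
The CSV layout, field names and sample values below are assumptions
constructed for illustration only.
"""
import csv
import ipaddress
from io import StringIO

# Constructed sample records (receive_time, src, dst, dport, app, action).
# 203.0.113.10 is a documentation address standing in for an external site.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2022/05/12 09:01:02,10.0.0.20,10.0.0.5,389,ldap,allow
2022/05/12 09:01:05,10.0.0.5,10.0.0.6,389,ldap,allow
2022/05/12 09:02:10,10.0.0.5,203.0.113.10,443,ssl,allow
2022/05/12 09:02:11,10.0.0.5,10.0.1.77,389,ldap,allow
2022/05/12 09:03:00,10.0.0.6,8.8.8.8,53,dns,allow
"""

# Assumed operator-supplied inventory: the firewall log has no host-type
# field, so the domain controllers must be configured explicitly.
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}

# Application labels a domain controller is not expected to originate
# towards the internet (assumed names, modelled on PAN-OS App-IDs).
WEB_APPS = {"web-browsing", "ssl"}

# RFC 1918 space is treated as "internal" for the outbound-web rule.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside a private (RFC 1918) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect(log_text: str, dcs=DOMAIN_CONTROLLERS):
    """Return a list of (rule, src, dst, app) tuples for DC-originated
    sessions that violate the expected role of a domain controller."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        src, dst, app = row["src"], row["dst"], row["app"]
        if src not in dcs:
            continue  # only sessions initiated by a DC are of interest
        if app in WEB_APPS and not is_internal(dst):
            # A DC browsing to the internet is a deviation from its role.
            alerts.append(("DC_OUTBOUND_WEB", src, dst, app))
        elif app == "ldap" and dst not in dcs:
            # DC-to-DC LDAP (replication) is normal; DC-initiated LDAP to
            # anything else is not.
            alerts.append(("DC_INITIATED_LDAP_TO_NON_DC", src, dst, app))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAFFIC_LOG):
        print(alert)
```

Running it on the constructed sample flags two of the five records: the DC's HTTPS session to the external address and its LDAP session to a workstation. The workstation-to-DC and DC-to-DC LDAP sessions pass, as does the DNS query, because no rule covers it; adding rules for other role deviations means extending the `if`/`elif` chain with the same shape.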