What are the capabilities of Cortex XDR without endpoint agents which ingest Logs and data From third EDR like MDE ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What are the capabilities of Cortex XDR without endpoint agents which ingest Logs and data From third EDR like MDE ?

L1 Bithead

Hello,

 

I'd like to hear from people who have worked with Cortex XDR without the Cortex XDR agent.

 

The scenario is as follows:
The machines (workstations and servers) are protected by a third-party EDR solution (e.g. Micrsoft Defender for Endpoint).
we'd like to add the XDR layer for greater visibility.

 

So what are the capabilities of Cortex XDR without EDR?

- Can it detect threats?
- Can it perform investigation and remediation?


If so, how?

Could you please provide me with useful links and references ?

 

Is it possible to envisage this scenario where endpoints are running with
Microsoft Defender Endpoint (MDE) and send their data to the Cortex XDR layer?

 

What could be the limits and disadvantages of this type of scenario?

 

Thanks in advance

1 accepted solution

Accepted Solutions

Keep in mind that you need to look at the capabilities of Cortex XDR holistically and not just for a single use case.  The Pro per GB license gives you the ability to ingest data from any 3rd party source (3rd party here having the meaning of anything that isn't the Cortex XDR agent).  If you have Palo Alto Networks firewalls, you can ingest that data and surface alerts and also get Analytics Alerts from our ML based anomaly detection engine.  With the add-on Identity Threat Detection and Response license, you can apply the analytics engine to data from M365, Azure, AWS, Dropbox, and other SaaS solutions to detect things like privilege misuse, insider threat, data exfiltration and more with OOTB alerts.

 

You can chat with your account team to get more information about the capabilities of Cortex XDR with and without deploying the agent.

View solution in original post

9 REPLIES 9

L4 Transporter

Hi AndreFOTSO,

 

The capabilities of Cortex XDR are heavily dependent on the types of data you provide and whether or not the agent is deployed.  Since you have specifically called out not deploying the agent I'll talk about using Cortex XDR to provide alerting from 3rd party data sources.  If you have Palo Alto Networks Next Generation Firewalls (NGFW) you can ingest these logs and our analytics engine can build anomaly based detections based on this data.  Additional supported data sources can also build additional detections from Windows Event Logs, Microsoft 365 audit logs, Azure/AWS/GCP Audit logs, Okta, and others.  You can also build custom correlations against these datasets to surface alerts that the platforms themselves surface (for example, IdP alerts from Azure AD) or create your own alerts.

 

As to your question about running a 3rd party endpoint protection solution and integrating with Cortex XDR, we simply do not receive the necessary telemetry from other EDRs to provide detection and response capabilities, so you won't get any OOTB detections or alerts based on this data.  You will also have to rely on the management platforms for your 3rd party solution to perform any response actions like endpoint isolation, agent scripts, live terminal, etc, these actions cannot be performed from within Cortex XDR without the XDR agent present on the endpoint.

 

Make no mistake, Cortex XDR can be deployed without the XDR agent and provide detection capabilities as well as an investigation and threat hunting platform for your 3rd party logs and other Palo Alto Networks solutions like NGFW and Prisma Access, but if you are wanting to use it for endpoint detection and response, you will see little value without deploying the Cortex XDR agent.

L1 Bithead

HI Afurze

 

Thank you for your previous response. You said that Cortex do not receive the necessary telemetry from other EDRs to provide detection and response capabilities, so you won't get any OOTB detections or alerts based on this data.  

 

It is confused for me because in this link, Ingest Logs from Microsoft Office 365 • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Netw...

 

It seems that Cortex XDR can ingest the following logs and data from Microsoft Office 365 Management Activity API and Microsoft Graph API using the Office 365 data collector and Microsoft 365 alerts from Microsoft Graph Security API are available for different products included Microsoft 365 defender,  Microsoft Defender for Endpoint.

 

Can you confirm me if Cortex can really ingest Alerts and data from Microsoft Defender for Endpoint or Microsoft 365 Defender ?

 

Regards

AndreFOTSO,

 

That is correct, Cortex XDR (with a Pro per GB license) is able to ingest data from Microsoft 365 through the Management API and Graph API, including alerts from the various Defender products which log events there.  You can then create a correlation rule in XDR to surface these as alerts within the Cortex console.  This is, however, vastly different from what you were asking about, i.e. consuming the raw EDR telemetry and generating our own detections from the data, which is not possible.  As I previously said, you will also need to pivot to other platforms to perform response actions without the XDR agent being present.

L1 Bithead

to sum up, if I've understood correctly,

1. Cortex XDR without the XDR agent can ingest alerts from Microsoft Defender for Endpoint and Microsoft 365 Defender.

2.  It cannot ingest raw logs.

 

 can it also ingest data ?  Which data?

 

I understand that remediation and response actions won't be possible without other solutions.

 

Regards

Can you please clarify what you mean by "data"?  We have already identified that XDR can ingest the alerts, but not the raw EDR logs from Defender, I'm not sure what other data you're referring to.

L1 Bithead

In the link I've provided, the word data is mentioned at the same time as logs. I'm trying to understand why the documentation refers to data. Which data? e.g: When Cortex XDR begins receiving logs, the app creates a new dataset for the different types of logs and data that you are collecting

Ah, understood.  In this case, the documentation is referring to the data coming from the Management API and Graph API.  I'll have to refer you to Microsoft to see exactly what is in those APIs, however, they generally contain audit events for various Microsoft 365 apps, as well as Azure AD itself, plus any alerts that are generated by Microsoft security products like Azure AD Identity Protection, and the various Defender products (including endpoint).  Depending on which products you select when setting up the integration within Cortex XDR, you can elect to receive audit data from SharePoint, Exchange, DLP as well as general M365 and Azure AD audit logs.

L1 Bithead

thank you for this clarification. I think it is not a good scenario to get only Cortex XDR without agent and ingest Alerts from MDE. It is not make sense for me.

Keep in mind that you need to look at the capabilities of Cortex XDR holistically and not just for a single use case.  The Pro per GB license gives you the ability to ingest data from any 3rd party source (3rd party here having the meaning of anything that isn't the Cortex XDR agent).  If you have Palo Alto Networks firewalls, you can ingest that data and surface alerts and also get Analytics Alerts from our ML based anomaly detection engine.  With the add-on Identity Threat Detection and Response license, you can apply the analytics engine to data from M365, Azure, AWS, Dropbox, and other SaaS solutions to detect things like privilege misuse, insider threat, data exfiltration and more with OOTB alerts.

 

You can chat with your account team to get more information about the capabilities of Cortex XDR with and without deploying the agent.

  • 1 accepted solution
  • 3244 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!