09-18-2024 02:39 PM - edited 09-18-2024 04:18 PM
Hi Community,
I've managed to transform Palo Alto Networks' Cortex XDR into an effective application control solution for Linux based on the hashes of the files.
Has anyone else tried this method previously?
09-19-2024 04:26 AM
Hi @rafael
Thank you for reaching out to the Live community!
Basically, Cortex XDR has features like Hash control, Restriction policies (Phase 2 & 3) & BIOCs, etc., that can be used to manage files and applications effectively.
But generally speaking, transforming an XDR solution solely into an application control solution may not be a good idea, since App control is a legacy control solution that leaves companies open to supply chain attacks, lolbins, and much more...
Please click Accept as Solution to acknowledge If this answer added value to your question.
09-19-2024 08:49 AM
It is true that BIOC rules allow you to detect behaviour; this functionality of Application control with Cortex restricts Linux servers to using files that aren't whitelisted by you. I don't agree, since it could be a great use for restricted servers with important information.
09-19-2024 12:49 PM
Custom BIOC rules can be added to the restriction profile to restrict file execution and to have more granular control than just detection. This could be used as application control over restricted servers, or on servers that have tight hardening and are not easily exposed to outside infra. But the point I was making is to effectively use the XDR solution for the purpose it is built for, rather than just using it as a legacy App control solution.
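To make the hash-based allowlisting discussed in this thread concrete, here is an added example (not Cortex XDR code and not the original poster's setup) of what such a control does underneath: baseline the SHA-256 of every executable under chosen Linux paths, then classify a file about to run as allowed, modified or unknown. The paths, sample scripts and the `demo()` helper are constructed for illustration.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def sha256_of(path):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(roots):
    """Baseline: SHA-256 of every executable regular file under the roots.
    Symlinks are skipped so a re-pointed link cannot smuggle in another binary."""
    allow = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                if p.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    allow[str(p)] = sha256_of(p)
    return allow

def check_execution(allow, path):
    """'allowed' if the hash is baselined (matched by value, so a known binary copied
    elsewhere still passes), 'modified' if the path was baselined but changed, else 'unknown'."""
    digest = sha256_of(path)
    if digest in set(allow.values()):
        return "allowed"
    if str(path) in allow:
        return "modified"
    return "unknown"

def demo():
    """Constructed sample: baseline one script, tamper with it, drop a new one."""
    root = Path(tempfile.mkdtemp())
    tool = root / "bin" / "tool"
    tool.parent.mkdir()
    tool.write_bytes(b"#!/bin/sh\necho ok\n")
    tool.chmod(0o755)
    allow = build_allowlist([str(root / "bin")])
    first = check_execution(allow, tool)        # baselined content
    tool.write_bytes(b"#!/bin/sh\necho changed\n")
    second = check_execution(allow, tool)       # same path, new hash
    dropped = root / "dropped"
    dropped.write_bytes(b"#!/bin/sh\nid\n")
    dropped.chmod(0o755)
    return first, second, check_execution(allow, dropped)  # never baselined
```

The "modified" and "unknown" verdicts are exactly the cases a restriction profile blocks; the baseline has to be rebuilt after every legitimate package update, which is the operational cost of hash-based control the replies above allude to.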