02-07-2023 11:05 AM
What is the recommended practice for collecting XDR Broker Virtual Machine logs and sending them to a central repository and performing anti-virus scans? I was advised not to install any software on the Broker VM and if I cannot install software on the Broker VM to handle these security requirements is there a Palo Alto document which states not to and the impact of making any modifications? I've installed 4 Broker VMs using the OVA in VMware Environment.
02-07-2023 07:49 PM
Hi @TestUserAL the Broker VM is a hardened appliance by Palo Alto Networks. It acts as a "broker"/proxy to route traffic related to Cortex XDR from your environment to the Cortex XDR tenant. It can be remotely configured by the XDR administrators and remote access is limited to a low-privileged user with limited capabilities.
For your first question on Broker VM log collection: what specific logs are you referring to and what would be the desired use cases leveraging those logs.
For your second question on running anti-virus scans: I assume you are referring to performing "disk scans". Given the threat model, access control mechanisms, privileges and scope of attack, it is fairly challenging to compromise the Broker VM in a significant manner. PANW threat researchers and Engineering teams continuously monitor and test the ability of newly-discovered techniques against all products, including Broker VM. The product team pushes out updates/patches to improve the security state of Broker VM's if such an artefact is identified. You can consider to either set your Broker VM's to automatically upgrade or leverage a change window to manually perform such actions. It'd be easier if you reached out to your Accounts Team or Customer Success teams and explained regulatory requirements for the same.
Let me know your thoughts.
02-08-2023 08:36 AM
Thank you for the thorough response.
The desired logs are to track Authentication, Authorization, and Accounting (AAA) of sessions, preferably in a central repository and to maintain separation of duties.
I appreciate the guidance and will contact the Account Manager to further the regulatory discussion.
02-08-2023 06:38 PM
Hi @TestUserAL I am assuming you'd not be keen to look for logs that use BVM to send EDR data across every few minutes as well as alert/incident data? Or collectors/syslog receivers? That is trusted system-system communication and it might be out of scope for regulatory requirements.
That'd leave trusted entities like BVM administrators who'd login to BVM (i.e., PAM logs) for administrative tasks. Surely, please discuss this with the Accounts team.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
