04-02-2022 12:49 PM
I have seen an alert screenshot on the internet where an alert triggered after matching a YARA rule.
(Fourth Screenshot)
Does Cortex XDR use YARA rules? I mean the screenshot answers it, but how? Do we need to upgrade to a specific version of the XDR agent? Can we build our own custom YARA rules?
https://www.paloaltonetworks.com/cortex/cortex-xdr
Would love to understand how it works.
04-04-2022 06:42 PM
Hi @KanwarSingh01, Cortex XDR uses several protection modules both on the agent and on the tenant side, including integrations with WildFire as well as other integrations (e.g. VirusTotal) that you may have added to your tenant. They range from behavioral techniques (BTPs/BIOCs), ML models, malware and exploit protection modules, YARA signatures, sandboxes, local analysis, etc. These protection modules are both pre-execution and post-execution in nature, as well as both detective and preventative in nature.
Customers are not able to tune YARA rules in XDR, as that is entirely evolving in the backend and is managed by dedicated threat hunters, malware researchers and exploit researchers.
Lastly, your tenant modules are seamlessly upgraded to respond to evolving threats and attacks as observed by the relevant domain experts. On the agent side, please ensure that the CUs are rolled out ASAP while staying in line with your organizational security policies. The agents themselves should also be regularly updated to address the vulnerability fixes and capability improvements that are packaged with each new minor/maintenance release.
Please go through this article that talks about XDR's capabilities with recent malware in-the-wild that touches upon the various levels of protection within XDR.
04-05-2022 01:30 PM
Thanks @bbarmanroy, are there any plans of integrating custom YARA rules in the future?
04-05-2022 07:07 PM
We are discussing this internally to see what can be done. On a tactical basis, if you're having any issues with any detections, please raise a support ticket.
04-05-2022 10:25 PM
Not having issues just questions.
Thank you.
06-26-2023 10:11 AM
We have a need for custom YARA rules as well.
Other vendors like Trend Micro already have this implemented.
Any news from internal discussions @bbarmanroy?