About afurze

Hi Seth_Sakshi,   I'm having trouble understanding exactly what your use case is, can you please clarify?  I believe you are saying you want to block a specific application called Otter.ai, but I'm not clear exactly where this is deployed, is the application on your workstations, or on your mobile endpoints (i.e. Android, iOS)?   If the application is on Android endpoints, you can add the hash of the APK to your Block List and it will be blocked on those devices.  Unfortunately, iOS does not offer this capability so you won't be able to block the app on those devices. ... View more

AndreFOTSO,   That is correct, Cortex XDR (with a Pro per GB license) is able to ingest data from Microsoft 365 through the Management API and Graph API, including alerts from the various Defender products which log events there.  You can then create a correlation rule in XDR to surface these as alerts within the Cortex console.  This is, however, vastly different from what you were asking about, i.e. consuming the raw EDR telemetry and generating our own detections from the data, which is not possible.  As I previously said, you will also need to pivot to other platforms to perform response actions without the XDR agent being present. ... View more

JLewis12,   For information about specific malware or exploit coverage, please submit a TAC case. ... View more

Hi Shivsingh85,   Cortex XSIAM does not currently support multi-tenancy, however, your account team can provide more details on when this may be supported in the future. ... View more

Hi RajeshPremSing,   The Cloud Identity Agent is designed just to bring in object data from an identity provider (whether that be Azure AD, on-prem ActiveDirectory, Okta, etc.).  It ingests information about users, groups, computers, etc. that are then available for use within Cortex XDR and other Palo Alto Networks products, it does not collect any event data like Windows Event logs.   Collection of data about login events and other AD related activities, comes from either the XDR agent being installed on your Domain Controllers, or through collection of Windows Event logs via the XDR Collector or Windows Event Collection on a Broker VM.  This data is then stitched in to the XDR dataset and searchable via a query like the one below.   preset = xdr_event_log | filter action_evtlog_event_id = 4624 ... View more

Hi Zeinab_Abdallah,   Unfortunately, this is not possible at the present time. ... View more

Hi Myu06kkn,   Since you have a Pro per TB license, you can ingest your Microsoft DHCP logs which will help improve this data (assuming that the endpoint in question is receiving an IP address assignment from DHCP).  These logs can be ingested with the XDR Collector and configuring it to ingest Microsoft DHCP log files. ... View more

Hi Andrei.Barysau,   Cortex XDR is designed to facilitate investigations by providing a robust query language which allows you to search your logs through the platform, it is not designed to just be a log dumper.  Since you are using the GUI based search, it is limited to 10,000 results, however, if you write your own XQL queries you can return up to 1,000,000 results.  That being said, this is still not designed for "log dumping" and exporting this many results may or may not be successful.  You should conduct your investigation within Cortex XDR and look at specific presets or stories to look for the actions you are interested in finding.   As an aside, your license comes with 30-days of raw log storage, if you want to purchase additional hot or cold storage, you can do so in one month increments.  Please contact your account team for additional details and pricing. ... View more

Hi AndreFOTSO,   The capabilities of Cortex XDR are heavily dependent on the types of data you provide and whether or not the agent is deployed.  Since you have specifically called out not deploying the agent I'll talk about using Cortex XDR to provide alerting from 3rd party data sources.  If you have Palo Alto Networks Next Generation Firewalls (NGFW) you can ingest these logs and our analytics engine can build anomaly based detections based on this data.  Additional supported data sources can also build additional detections from Windows Event Logs, Microsoft 365 audit logs, Azure/AWS/GCP Audit logs, Okta, and others.  You can also build custom correlations against these datasets to surface alerts that the platforms themselves surface (for example, IdP alerts from Azure AD) or create your own alerts.   As to your question about running a 3rd party endpoint protection solution and integrating with Cortex XDR, we simply do not receive the necessary telemetry from other EDRs to provide detection and response capabilities, so you won't get any OOTB detections or alerts based on this data.  You will also have to rely on the management platforms for your 3rd party solution to perform any response actions like endpoint isolation, agent scripts, live terminal, etc, these actions cannot be performed from within Cortex XDR without the XDR agent present on the endpoint.   Make no mistake, Cortex XDR can be deployed without the XDR agent and provide detection capabilities as well as an investigation and threat hunting platform for your 3rd party logs and other Palo Alto Networks solutions like NGFW and Prisma Access, but if you are wanting to use it for endpoint detection and response, you will see little value without deploying the Cortex XDR agent. ... View more

License compliance is a requirement for all license types.  Prevent license customers also have a small grace period for overage, after which enforcement action can be expected.  Please contact your account team for additional information and to acquire an appropriate amount of endpoint licenses. ... View more

Shahwaz_Md,   It is usually not a good idea to be pausing or disabling protection services unless it is to troubleshoot the agent itself.  XDR should not be interfering with normal user or administrator activity and, if it is, appropriate alert tuning actions should be taken to address this.  If users or administrators have the capability to disable the agent, it becomes much less likely that you will be able to identify and protect against insider threats. ... View more

MatthiasBehn,   Please submit a TAC case for assistance on this issue. ... View more