This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About afurze

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
afurze
‎04-12-2024
since ‎05-11-2022
L4 Transporter
User Activity
User Profile
Latest posts by afurze
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎05-11-2022 01:29 PM
Date Last Visited ‎04-12-2024 12:43 PM
Posts 112
Total Likes Received 37

Re: Forensics add-on || How-to get the most out of it

by in Cortex XDR Discussions
‎04-21-2023 07:48 AM
3 Kudos
‎04-21-2023 07:48 AM
3 Kudos
Hi Justin_smi,   First, please check how many forensic licenses your organization purchased and verify that you are only deploying the live collection (configured in your Agent Settings profile) to as many hosts as you are licensed for.  You can't deploy this organization wide if you only purchased, say, 50 licenses.  Enabling the live collection in the Agent Settings profile is a simple matter of checking the "Monitor and Collect Forensics Data" checkbox and then selecting the artifacts you want to gather and upload.   In addition to live collection of forensics data, you can perform one time forensics triage actions and upload the data into the XDR console to use in the forensics analysis UI.  You can trigger an online triage by running the Forensics Triage action in the Action Center and selecting a Triage configuration to use, results will be automatically uploaded into the XDR console from the endpoint.  To gather a triage package offline, you can go to Incident Response -> Forensics -> Triage -> Configurations, and right-click the package you want to use for triage and clicking the download for either 32-bit or 64-bit collector.  Once you run this collector on the endpoint, you need to manually get the resulting package and use the "Import Offline Triage" button in the Configurations page to upload and process the collected triage package.   As to the usage of the data collected by the forensics module, this is an exercise left to trained forensics analysts.  XDR does not perform any analysis of the forensics data (beyond putting it into the appropriate views based on artifact type) and it is up to the trained forensics analyst to understand and interpret the data being presented. ... View more

Re: High RAM usage reaching up to 600 mb on Microsoft Windows Server 2019 Datacenter

by in Cortex XDR Discussions
‎04-21-2023 07:22 AM
1 Kudo
‎04-21-2023 07:22 AM
1 Kudo
Apata_Biswajit,   This is still considered within the normal range of XDR agent resource utilization.  Generally, resource utilization will scale linearly along with the workload of the system starting from around 300 MB up to 2 GB potentially, again based on the workload of the system.  I'll emphasize that, for most systems, a "normal" range is usually between 300 and 500 MB, but if you have larger systems with high workloads it's normal to exceed this as stated above. ... View more

Re: Cortex XDR - method of installation

by in Cortex XDR Discussions
‎04-19-2023 07:58 AM
2 Kudos
‎04-19-2023 07:58 AM
2 Kudos
Hi Joe_Carissimo,   This is a perfectly acceptable method of doing agent deployment.  As with anything else, it matters that you do it properly to avoid issues.  After you install the agent in your golden image, you will want to either stop the agent and then remove the agent.id and hardware.id files (paths below), or once you actually do a deployment of the golden image to a new device, run cytool reconnect force.  The issue you want to avoid is agents having the same ID when checking in to the console, this will cause you significant issues.   The agent.id and hardware.id files are located in  %programdata%\Cyvera\LocalSystem\OsPersistence\agent.id %programdata%\Cyvera\LocalSystem\OsPersistence\hardware.id If you remove those files, do not restart the agent or reboot the golden image again before converting it to the iso, or the agent will reconnect and assign new IDs, thus you will have to repeat the process.  If you instead want to run cytool reconnect force, do this as soon as you boot a new device from the golden image, you will have to ensure this is done every time without fail, else you will run into issues with agent ID duplication. ... View more

Re: XDR Baseline document

by in Cortex XDR Discussions
‎04-17-2023 07:13 AM
‎04-17-2023 07:13 AM
Shashanksinha,   We do not have a "baseline" configuration, the configuration of XDR is highly customizable for each customer's unique environment.  The only recommendation would be to have all protection modules set to "Block" for production use, however, this too can be customized based on the customer's environment and needs. ... View more

Re: Vulnerability Assesment

by in Cortex XDR Discussions
‎04-17-2023 07:10 AM
‎04-17-2023 07:10 AM
RamyashreeMada,   Our vulnerability database is regularly updated from the National Vulnerability Database from NIST (https://nvd.nist.gov), these updates are delivered silently in the background via content updates.  As to your second question, I'm not sure what you are asking, can you please clarify? ... View more

Re: Compatiblity Check2

by in Cortex XDR Discussions
‎04-17-2023 07:08 AM
‎04-17-2023 07:08 AM
RamyashreeMada,   Please contact your account team to obtain this type of documentation. ... View more

Re: Notification to user if thier machine is isolated

by in Cortex XDR Discussions
‎04-14-2023 08:01 AM
2 Kudos
‎04-14-2023 08:01 AM
2 Kudos
See below      ... View more

Re: Notification to user if thier machine is isolated

by in Cortex XDR Discussions
‎04-14-2023 07:10 AM
‎04-14-2023 07:10 AM
Hi Shahwaz_Md,   You can configure a persistent isolation notification in your Agent Settings profile under the User Interface section.  By default, this is disabled, however, you can enable it and configure a customized notification. ... View more

Re: High resource consumption

by in Cortex XDR Discussions
‎04-14-2023 07:00 AM
‎04-14-2023 07:00 AM
Hi MSOjeda,   Without more concrete information on what consumption you are seeing it's difficult to tell.  We don't break down consumption by feature, that's very difficult to do, and components running on the agent cannot be disabled by XDR administrators.  Disabling the protection modules in your profiles only stops alerts and prevention actions, the components are still running within the agent. ... View more

Re: Cortex XDR collects usage metrics

by in Cortex XDR Discussions
‎04-07-2023 01:18 PM
‎04-07-2023 01:18 PM
Aiman_Fathima,   Can you elaborate on your question?  What metrics are you referring to? ... View more

Re: URL Exception

by in Cortex XDR Discussions
‎04-04-2023 06:59 AM
‎04-04-2023 06:59 AM
Sahil_arora,   While this article was written specifically for PAN-OS 9.0, the process is very much the same for later versions as well, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCtYCAW&lang=en_US%E2%80%A9 ... View more

Re: Compatiblity Check

by in Cortex XDR Discussions
‎04-04-2023 06:57 AM
‎04-04-2023 06:57 AM
Hi RamyashreeMada,   Generally devices classified as virtual appliances are using some customizations from the vendor or even a custom kernel and don't generally support other vendor software.  Your question would be best posed to Qualys to determine whether or not they support installing 3rd party software on their virtual appliance and what sorts of customizations have been applied. ... View more

Re: XQL Query: Hunting Supply Chain Attack for 3CX

by in Cortex XDR Discussions
‎03-30-2023 01:12 PM
‎03-30-2023 01:12 PM
Hi KanwarSing01,   Thanks for putting this together!  It's worth noting that Cortex XDR blocked this attack out-of-the-box with our In-process Shellcode Protection Module.  Check out this write up by Unit 42. ... View more

Re: How to block Excel macros

by in Cortex XDR Discussions
‎03-30-2023 07:00 AM
‎03-30-2023 07:00 AM
Hi ThendralMandu,   We do not support blocking this capability.  Cortex XDR is designed to prevent malicious applications and behaviors from running on your endpoints, it is not designed to be an endpoint control application. ... View more

Re: Which agent version to be installed on Operating system Windows Server 2008 Version 6.0(Build 6003:Service Pack2)

by in Cortex XDR Discussions
‎03-13-2023 08:14 AM
‎03-13-2023 08:14 AM
Hello, Shashanksinha!   Windows Server 2008 SP2 is still a supported operating system for XDR, you can install version 5.0.11 of the XDR agent on this operating system, no special instructions are required, just follow the normal installation documentation.  Please bear in mind that our normal end-of-support policy for Windows operating systems is Microsoft end-of-support plus three years, so no future versions of the agent will support this operating system and support for the 5.0 XDR agent will end June 1, 2024. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-12-2024 12:43 PM
Latest Tags
No tags yet
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks