About nsinghvirk

Hello @aghesse    Thanks for reaching out to us. Yes, this is possible. Please follow below steps. 1. Go to Broker-B, right click and select configure. 2. Scroll down to "Proxy Server" option. 3.You can configure Broker-A as a proxy server for this Broker-B by selecting the HTTP type. When selecting HTTP to route Broker VM communication, you need to add the IP Address and Port number (set when activating the Agent Proxy) of Broker-A. This designates the Broker-A as a proxy for this Broker-B. Leave User and Password fields empty. 4. Save the configuration.   Reference-> https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Set-up-and-configure-Broker-VM   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @DopedWafer    Thanks for reaching out on LiveCommunity! Please check if you meet all the prerequisites for vulnerability assessment. Requirement Description Licenses and Add-ons Cortex XDR Pro per Endpoint license. Host Insights Add-on. Supported Platforms Windows Cortex XDR agent 7.1 or a later release. Cortex XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors. Cortex XDR retrieves the latest data for each CVE from the NIST National  Vulnerability  Database as well as from the Microsoft Security Response Center (MSRC). Cortex XDR collects KB and application information from the agents but calculates CVE only for KBs based on the data collected from MSRC and other sources For endpoints running Windows Insider, Cortex XDR cannot guarantee an accurate CVE  assessment . Cortex XDR does not display open CVEs for endpoints running Windows releases for which Microsoft no longer fixes CVEs. Linux Cortex XDR agent 7.1 or a later release. Cortex XDR collects all the information about the operating system and the installed applications, and calculates CVE based on the the latest data retrieved from the NIST. MacOS Cortex XDR agent 7.1 or a later release. Cortex XDR collects only the applications list from MacOS without CVE calculation. If Cortex XDR doesn't match any CVE to its corresponding application, an error message is displayed, "No CVEs Found". Setup and Permissions Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent. Limitations Cortex XDR calculates CVEs for applications according to the application version, and not according to application build numbers. ... View more

Hello @LeandroKopke    Thanks for reaching out on LiveCommunity! Please try below query. This will filter out password reset events less than 48 hours ago and list failed login attempts. dataset = xdr_data | filter action_evtlog_event_id = 4724 | alter interval = timestamp_diff(current_time(),_time,"HOUR") | filter interval > 48 | filter action_evtlog_event_id = 4625   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @paIoaItonetworks    Thanks for reaching out on LiveCommunity! This looks like a break fix issue which requires logs analysis to drive any conclusion. Please open TAC support case and provide them with necessary logs to investigate the issue. ... View more

Hello @RFeyertag    Thanks for reaching out on LiveCommunity! Please refer below URL to learn how XDR leverage AI technology to provide threat prevention. https://www.paloaltonetworks.com/cortex/10-must-have-for-detection-and-response-forbes#see_it_for_yourself_form     ... View more

Hello @J.Gammara    Thanks for reaching out on LiveCommunity! With BIOC rules, you can configure custom prevention rules to terminate the causality chain of a malicious process according to the Action Mode defined in the associated Restrictions Security Profile and trigger Cortex XDR Agent behavioral prevention type alerts in addition to the BIOC rule detection alerts. For example, if you configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block, the Cortex XDR agent: Blocks a process at the endpoint level according to the defined rule properties. Triggers a behavioral prevention alert you can monitor and investigate in the Alerts table.   For more information on how to create a BIOC rule, please refer below doc. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule   You will find information on how to make a customer prevention rule using BIOC under heading "Configure a custom prevention rule".   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @F.Alsalem    Thanks for reaching on LiveCommunity! The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. Currently, you cannot create a BIOC rule on customized datasets and only the filter stage, alter stage, and functions without any aggregations are supported for XQL queries that define a BIOC.    Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @RFeyertag    Thanks for reaching out on LiveCommunity! You can create a custom roles for server os team and client os team. You can configure permissions for them for device control settings accordingly as shown in screenshot. Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @cylusaragao    Thanks for reaching out on LiveCommunity! The "endpoints" dataset is the one which list all the endpoints that have XDR agent installed on them. To find out the endpoints which do not have XDR agent, you need to compare the endpoint list in "endpoints" dataset with datasets with your active directory data, Network mapper etc.  Example dataset = PANW_Network_Mapper_raw  | filter lowercase(name) not in (dataset=endpoints| filter endpoint_status in (ENUM.CONNECTED , ENUM.DISCONNECTED )| alter hostn = lowercase(endpoint_name )| fields hostn)   Alternatively , you can simply go to Assets->Asset inventory->All asset Then apply filter on column "Has XDR agent".   Please click Accept as Solution to acknowledge that the answer to your question has been provided.   ... View more

Hello @I.Naseer    Thanks for reaching out on LiveCommunity! For condition one you can create notification and then choosing Agent audit logs as log type. Then apply below conditions to trigger an email notification. Category = Status Type = Agent status Sub type = Stop   For condition 2 and 3, you can write correlation rule based on below XQL query and building out your use case further. Then email notifications can be configured based on alerts. dataset = xdr_data | filter event_type = ENUM.AGENT_STATUS and event_sub_type = ENUM.AGENT_STATUS_AGENT_SHUTDOWN   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @KanwarSingh01    Thanks for reaching out on LiveCommunity! You can use correlation rules which will help you analyse correlations of multi-events from multiple sources by using the Cortex Query Language (XQL) based engine for creating scheduled rules. Alerts can then be triggered based on these correlation rules with a defined time frame and set schedule, including every X minutes, once a day, once a week, or a custom time. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-correlation-rule Then you can create automation rules to respond with endpoint scripts as per your use case. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Automation-rule-actions?tocId=Nju8rTlaDtpJAGTzhJwIBw   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @soc_ISC    Thanks for reaching out on LiveCommunity! If i understand correctly you want to install XDR agent on the actual Linux server where you are hosting ESXi environment. Yes you can deploy Cortex XDR on the Linux server. On the other hand, there is no requirement to install XDR agent on the Broker VM itself because it is a security harden VM with its sole purpose to run broker services.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @zhouming    Thanks for reaching out on LiveCommunity! Please verify endpoint OS compatibility and resource requirement using below links. If issue is not related these then please open a TAC support case to troubleshoot. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Windows https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.5/Cortex-XDR-Agent-Administrator-Guide/Cortex-XDR-Agent-for-Windows-Requirements   ... View more