About nsinghvirk

Hello @RichardChou    Thanks for reaching out on LiveCommunity! Delay in alert notification can be due to multiple external and internal factors. A delay in alert data being sent to XDR, delay in stitching of data points by XDR, delay due to communication lag between XDR and log server, grouping timeframe window etc. To find the cause please confirm whether the delay is only in the email/syslog notification you receive or is it also that alerts are getting delayed to reach the XDR console itself? Occasional delay can be expected due to some external factors but if the delay is consistent please open a support case to investigate the cause and rectify it.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @Fadli_T    Thanks for reaching out on LiveCommunity! This is happening because in your final query the filter is getting checked against individual datasets not a combination of 3. In order to combine datasets you need to use 'join' stage. But it can join two datasets at a time. Below is the reference document for join stage. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Join   By the way why are you creating four different datasets since all are made from same dataset. ... View more

Hello @Vinothkumar_SBA ,   Thanks for reaching out on LiveCommunity! If I understood your query correctly you are asking about how to block Near Field Communication using XDR. Unfortunately this feature is not supported yet. Please let me know if I misunderstood your query and also let us know what kind of use cases you want to achieve if this feature is available. ... View more

Hello @antony.lamsdell    Thanks for reaching out on LiveCommunity. Unfortunately XDR do not provide detailed visibility inside WSL workloads. We support WSL with limited set of capabilities including ransomeware protection, Limited analytics detectors on process based actions and basic process activities. Heuristic modules like BTP are not available.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @frank.f.lu    Thanks for reaching out on LiveCommunity! Unfortunately SHA1 is not supported by Cortex XDR because Wildfire only support MD5 and SHA256 as hash types. Hence XDR can only provide verdict for MD5 and SHA256 hash types only.  ... View more

Hello @JahidAliyev    Thanks for reaching out on LiveCommunity! In order for Windows Event Collector to receive logs you need to configure a Windows Event Forwarder which can be a windows server or a domain controller. If you want to collect logs from a number of computers then you need to configure your WEF(server/DC) to collect logs from these sources and then send them to WEC. There is no such restriction to config DC as WEF.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @JahidAliyev    Thanks for reaching out on LiveCommunity! Possible reasons behind this can be following. 1. Stability of your internet connection. 2. Whether all the required XDR resources are allowed on your firewall. Below is the list of required XDR resources. Please make sure you have allowed them. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access 3. SSL decryption- If you are using SSL decryption in your firewalls then please add the above mentioned FQDNs in SSL decryption exclusion list in order to avoid any interruption.    Please open a TAC case if issue persists after all the above checks.   Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more

Hello @Yayati    Thanks for reaching out on LiveCommunity! It tried to answer the questions provided by you. Please find below the answers. During scan files are only scanned once. Thereafter files get scanned when they are executed. The purpose of scanning files again during execution is to reevaluate the verdict which may have changed since we scanned it last time. Apart from the factors that you have mentioned, Machine learning based detectors and analytics are the avenues that help to analyze an activity. However if you want to have additional checks then you can use file metadata provided by XDR to check on various other open source avenues available. Benign with low confidence settings provide you insight about how confident XDR is for the given verdict. For example, a file by a trusted signer or a file that was tested manually gets a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing gets a lower confidence Benign score. To add an additional verification method to such files, enable this setting. Then, when Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block). Settings->Configurations->Access management->Roles->Right click “Account Admin” and select “Save as new role”. Now you can modify the role as per your requirements and save it with a different name. Once an endpoint is disconnected it will be in connection lost state for 30 days (default) and after 180 days the agent data is deleted. If an agent tries to connect to Cortex XDR during the 180 days period, the agent can resume connection and maintain its agent ID. After the 180 days period, the agent ID is deleted alongside all the associated data. Cyserver service stops mostly for system restarts. Additinally administrator can stop it using cytool command “cytool runtime stop”. XDR agent is assigned a default storage quota when it is installed. If this quota exceeds, XDR starts removing oldest data from its storage to make space for new data. You receive this log when the storage quota is full. Once a scan is initiated, XDR do not scan files repeatedly even if the scan is interrupted. Next time when scan resumes, it will scan the remaining files on the system. Please click Accept as Solution to acknowledge that the answer to your question has been provided. ... View more