About WSeldenIII

Hi @chukaokonkwo, the identity of the user that resolved the incident can be references in the Incident Timeline tab of the incident(s) in question. You may also consider to filter the Management Audit logs as well. The following is an example filter:  Type = Incident Management AND Subtype Contains Change Incident Status AND Description Contains Resolved. ... View more

Hi All,    The alert for the BTP rule mentioned above has been confirmed to be a false positive, and a fix has been implemented in content update version 510-90618. This content version was release on May 11, 2022  around 10:00 AM EST.  Please ensure that you are enable configured to receive the latest content updates by reviewing the Agent Setting Profile - Content Configuration setting applied to your endpoints. If you experience any additional operational impact, then you may raise a support case to determine next steps.  ... View more

Hi @Cyber1985 It appears that you looking for guidance on how to investigate Analytics / Analytics BIOC alert sources. From the Alert Table, you may right-click to "Investigate Causality Chain" to view the event table. In this view and depending on the analytics alert type, then you may have host, endpoint connection status, IP, MAC, account of interest (E.g. Username), Parent process ID located at the top left-hand corner of the causality view. If you click the red icon in the view, then you can view context about the alert. If you hover you mouse over the related processes in the causality, then you can review process and analytics profiles information to support your investigation. If you click on the processes in the casualty view, then you will be presented with all applicable actions (E.g. Process, Network, File, Network Connections).    In the alert table, then you can also leverage "Pivot to View" options to conduct additional analysis on user / asset in scope.  ... View more

Hi @justbekid,  There are a lot of resources for you to leverage in terms of training / enablement of the XDR product in the following:  Live Community - Cortex XDR webinars / How-To videos. Beacon Training - XDR online, self paced training.   If you are looking for something specific beyond what is currently available, then you may need to engage with your Palo Alto Networks POC(s) to determine additional options.  ... View more

Hi @Kevin_Robers, We want to maintain security of environment while reducing operational impact. I believe obtaining some additional context on the alert criteria / scope will assist in determining the most effective path forward.  The following information will help to guide you on determining next steps:  Have you completed vulnerability scans in your environment in the past, or this the first occurrence? If you have complete vulnerability scans without any operational impact, then this may be an opportunity to enhance the alert efficacy with content updates on your Cortex XDR agents. You will need to retrieve the endpoint support file from an endpoint in scope, and raise a support ticket for additional analysis. Do the alerts in questions have a "detection" alert action? If so, then there should not be any change in the behavior of the file / process execution on the endpoint.   Do the alerts in question have a “prevention” alert action?  If so, then you may consider adding the process / file path to an allow list / alert exception to continue operations.  Similar to the first bullet, if the behavior in the alert originated from your vulnerability scanner and it is not a threat, then you can coordinate with support on the next steps (E.g. content update).       ... View more

Hi @OsamaKhan, you have ability to convert your eval license to a production license in order to continue operations. You will need to coordinate with your account team to determine the applicable Cortex XDR license type .  You will also want to ensure that you are tracking the Cortex XDR license expiration date, and aware of the expected behavior.  ... View more

It appears that the uninstall password may have been changed from the default configuration with in the agent setting profile assigned to the policy on the endpoint. You may need to coordinate your XDR admin. in order to obtain the uninstall password, or two assign the endpoint to policy where the anti-tampering agent security has been disabled (see second bullet point in step 1).    If you continue to experience challenges with this process, then you may need to engage with  Support  in order to assist with troubleshooting / remediation. ... View more

Hi @Jordan.Schuld It appears that you seeking a reference to Uninstall the Cortex XDR Agent. The reference link that I provided is for the Windows OS, but on the left-hand side of the tech. doc. you can reference the additional OS types as applicable.    If you continue to experience challenges with this process, then you may need to engage with Support in order to assist with troubleshooting / remediation.  ... View more

Hi @AndrewGalvinGH If you have the host insights add-on, then Search and Destroy can be leveraged dynamically and in real-time with XQL:   Example query:  file_search = existing_files |filter path = "C:\testfile.txt"     Requirements:  endpoint status = Connected, Disconnected AND agent version >= 7.2.0 AND disabled capabilities doesn’t contain File Search and Destroy AND host insights = Enabled AND platform = Windows) OR (endpoint status = Connected, Disconnected AND agent version >= 7.3.0 AND disabled capabilities doesn’t contain File Search and Destroy AND host insights = Enabled AND platform = macOS AND os version >= 10.15.4   There are two actions to consider here. The search and destroy actions can be completed on all endpoints with an XDR agent. In my gif, I am demonstrating the search action on a specific file path, so the query will only return results on endpoints containing the file path in question. If you want to ensure the file in question is completed on all endpoints, then you will want to search and /or destroy on the file hash (e.g. Sha256), because the file could have been modified, moved...etc.   In addition, the "endpoints" dataset includes information in regards to your endpoint administration. You will want to query in the xdr_data dataset, or you may leverage the applicable presets. Your results are going to vary depending on the file access type. Example:   preset = xdr_file | filter action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38" and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)   I hope this helps. ... View more

Hi @Daniel_Itenberg, to address the second part of your question, you can monitor device control violations by navigating to Endpoints > Device Control Violations within the XDR App.  ... View more