Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About KRisselada
About KRisselada
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
6 hours ago
16Posts
3Likes
2Solutions
Aug 10, 2020Last Visited
User
Activity
User
Profile
Latest posts by KRisselada
| Subject | Views | Posted |
|---|---|---|
| 147 | Wednesday | |
| 723 | a week ago | |
| 800 | a week ago | |
| 220 | 3 weeks ago | |
| 323 | 3 weeks ago |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 3 weeks ago | |
| 1 | 07-02-2020 10:11 AM | |
| 1 | 07-09-2020 03:01 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 3 | |||
| 3 |
User Badges
Public Statistics
| Date Registered | 03-24-2020 12:08 PM |
| Date Last Visited | 6 hours ago |
| Total Messages Posted | 18 |
| Total Likes Received | 3 |
Wednesday
thanks so much @dfalcon I did indeed create a request within the Support team and currently its been escalated to Engineering. For those that might have / want a reference of this, its PAN Support Case 01544546. I will share here updates if applicable.
... View more
a week ago
I should also note I find this in the Cortex XDR Pro Administrators Guide: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/cortex-xdr-alerts Which doesn't seem to entirely mesh with what have been seeing. Is the Guide correct or is the Production environment of Cortex correct?
... View more
a week ago
Hello, beginning on or about 20 July, began to see MANY more Incidents created in Cortex XDR that looked similar to this: Incident Description: 'Threat ID #' generated by PAN NGFW detected on host <hostName> involving xyz\UserName (note, there is NOTHING after the "#" sign) Incident Sources: PAN NGFW When looking at the Alert that caused this Cortex Incident, what you see is: Category: "URL Filtering" Alert Name: "Threat ID #" I should not that I believe BEFORE this apparent change or bug, within Cortex XDR Alerts page we would see something like this: Category: "URL Filtering (10082)" Alert Name: "Threat ID #9999" Are others noticing this too? Is this the desired / expected behavior of Cortex XDR? It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents Is there knowledge and expectations its operating this way? See attached screenshots
... View more
3 weeks ago
1 Kudo
Received update on the Support case I opened and Support team had escalated to Engineering, the answer back was: Per Engineering - The reason why the customer does not see the incident in Hash, because we are filtering and show only open incident (new/under investigation). It is expected behavior. So at least this is now answered. I also asked to have a Enduser Enhancement request put in that would more clearly indicate that this Filtering is taking place on this Hash View page and if possible, even expose the ability to apply a DIFFERENT filter than the one that is being "invisibly" applied currently.
... View more
3 weeks ago
hello @PKhemarith perhaps I am not understanding your question or task requirement, but is this what is being asked? "Retrive Files from an Endpoint" https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoints/retrieve-files-from-an-endpoint.html#idaedd753c-d76f-42a7-a381-ebdad39e16b2 I found the above in the Cortex XDR Pro Administrators Guide https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin.html
... View more
3 weeks ago
just a quick update to this discussion. I spoke with support and this bounced a bit around support but ended up in " Endpoint Security Support" team. They setup a quick zoom call to confirm (and also record what was being seen) And have since escalated the question and discussion to Engineering, via a Engineering Escalation. Will update once have additional info. Interested if others within the LIVEcommunity also see this behavior in their Cortex instance
... View more
3 weeks ago
Hello LIVEcommunity, I am wondering if anyone else is using Hash View in Cortex XDR and finding that even if a Key Artifacts of a Incident lists a hash, when you view that detail in Hash View (right click on the artifact, bring up the Hash View screen) the area where one might think there would reflect a "Related Incident" is blank? I have opened a Support case to report what seems to be a bug, but wondered if others had seen this also.
... View more
3 weeks ago
I should update this post to state that we found the following (see step 4, ie: "... exclude Cortex XDR services from decryption..." ) that may have been updated a few days before this original post, but we were not aware of it at the time. https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/set-up-endpoint-protection/enable-access-to-cortex-xdr.html
... View more
07-09-2020
03:01 PM
1 Kudo
thanks for the reply @PBurns Actually while both I and my client were looking into this today (he has also had a case opened) and they mentioned some of the items (and others) that you mentioned, but none seem to be the trick. What we did see, when I was looking in the trapsd.log in the Support Files collection, I found THIS URL: https://panw-xdr-installers-prod-us.storage.googleapis.com/windows/7.1.1.49751 Even though we had asked several times, there was no one that mentioned THIS one that we should make sure is whitelisted and not decrypted NGFW/PrismaAccess. Once this was added to the other already included URL's the upgrades worked. This appears to be a NEW URL that some clients may need to whitelist. I am putting it here in the LIVEcommunity because it was not seen or identified in any documentation my client has been provided with, even though he explicitly asked if URL's other than the ones he been informed of earlier were required. Hope this is helpful also to others as something to try, until PAN can put out additional documentation of what may need to be whitelisted.
... View more
07-09-2020
08:30 AM
Several Windows XDR Agents on 6.0.1 or 7.x and getting the following in the trapsd.log. Attempting update to current release 7.1.1 (InstallUpdate):} <Error> Failed to verify upgrade package signature (InstallUpdate):} <Error> Error executing upgrade action with error code -99 (InstallUpdate):} <Error> Agent action with ID 5adc67fce34d491a81b2bc3e8b0036d8 execution failed with -99 Has anyone else experienced this or know what error code -99 indicates. Not found reference or discussion regarding this error code.
... View more
07-06-2020
01:22 PM
How do I report or provide feedback regarding the Cortex Alert named "Digium Asterisk WebSocket Frame Empty Payload Denial-of-Service Vulnerability" that are being generated by the PAN NGFW, with the Initiator CMD of: "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12827.20182.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca" We have had this alert generate 9 times since 7 May 2020. Always with the same category of "Vulnerability", same Description "Vulnerability Exploit Detection" and most every time the same CGO of sihost.exe (or possibly another MS Office app such as Excel) I believe it to be a false positive
... View more
07-02-2020
10:11 AM
1 Kudo
Hello @CJP-PALOALTO I find that if you open up the specific Incident, in the Key Artifacts area, there should be the file itself and then under the Threat Intelligence there is "WF Benign" or "WF Malicious" (for example) and near it an icon that allows you to click and present the Wildfire Report. From there select the icon on the top right corner of the WF Analysis Report screen and should present workflow to "Report Verdict as Incorrect". (see screenshot for details) Hope this helps and I didn't misunderstand what you are requesting.
... View more
06-29-2020
02:23 PM
Thanks for the quick reply @hisingh Is there any review of the underlying process that seems to allow what appears to be a rather common file to be flagged like this in the last few months? Is there any known updates to reduce these sort of false positives? Its likely not a question you can answer, but I did want to ensure its out there to be seen and commented on perhaps in the future
... View more
06-29-2020
12:37 PM
Hello @Sonu_Singh if you have access to Panorama, PAN Support indicates the following can be done. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3aCAC In this case, I don't have access to this in the particular customer that had this occur. This was seen in Cortex XDR Incidents which Cortex is the only access we have to this customer. Hoping that PAN Threats team simply deactivates the AV Signature as soon as possible so that next daily A/V Threat update, it will be applied. In the mean time, if you have Panorama configuration access, you should be able to put in a Virus Threat exception. It seems this file triggered Virus alerts back in April also.
... View more
06-29-2020
11:27 AM
Hello, Are seeing the following in Cortex XDR 'Threat ID #348815361' generated by PAN NGFW detected on host 10.x.x.x involving user ZZZZ\first.last Threat ID: 2418537 Current Release: 3394 (2020-06-28 UTC) First Release: 3394 (2020-06-28 UTC) SHA256: 1d279269b17d9282b061be59ba23a0fadecae6e44e12ea4054d4637ae736d748 Unfortunately it seems that its not at all uncommon for OneDriveSetup.exe to be flagged by PAN AntiVirus Threats as a generic W32 Virus. Seen this happen in June, also back in April. Is there a known reason why PAN A/V Threats continue to "misfire" on this? @hisingh is this anything you have already heard or been aware of? I see you were involved in a prior discussion of this False Positive, back in April History of this in the instance of Cortex XDR that I currently have access to from my customer. I do not have access to their Panorama or their NGFW configs, thus can not obtain capture at this time.
... View more
05-20-2020
11:48 AM
Any way a feature like "Export" would be available to " Disk Encryption Visibility" output??
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
