Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
About KRisselada
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About KRisselada
01-30-2021
29Posts
6Likes
2Solutions
Jan 30, 2021Last Visited
User
Activity
User
Profile
Latest posts by KRisselada
| Subject | Views | Posted |
|---|---|---|
| 826 | 01-28-2021 02:24 PM | |
| 622 | 01-06-2021 11:42 AM | |
| 1002 | 01-05-2021 06:13 AM | |
| 1049 | 01-04-2021 08:53 AM | |
| 809 | 01-04-2021 08:49 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-28-2021 02:24 PM | |
| 1 Like | 01-05-2021 06:13 AM | |
| 1 Like | 01-04-2021 08:53 AM | |
| 1 Like | 07-22-2020 11:35 AM | |
| 1 Like | 07-02-2020 10:11 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 2 Likes | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-24-2020 12:08 PM |
| Date Last Visited | 01-30-2021 02:41 PM |
| Posts | 29 |
| Total Likes Received | 6 |
01-28-2021
02:24 PM
1 Kudo
@KanwarSingh01 my apologies if I missed it, but is there a central location or notification of what the list of BTP rules looks like? What is their contents? When were they applied, etc? Perhaps I am totally missing it, but I don't know where to find that. Weather its for this particular one or ANY BTP rule (Behavioral threat detected (rule: bioc.syscall.entrypoint_patching) OR Behavioral threat detected (rule: heuristic.agb.5637) OR Behavioral threat detected (rule: accessibility_feature_escalation), etc I mean the name has some clue to what its doing but is there insight as a Cortex XDR admin, you have of them and the BTP list looks like? What they do, when they were last changed or had updates to them? thank you
... View more
01-05-2021
06:13 AM
1 Kudo
No, that access is via the Cortex XDR HUB (https://apps.paloaltonetworks.com) You apply the role access you would to a user via the Cortex Hub, but in order for a user to be visible to manage, they need their Palo Alto User Account, associated with a customer and that is in the Palo Alto CSP. At least that has been my experience. I would request others that have different experience to share here and correct as needed.
... View more
01-04-2021
08:53 AM
1 Kudo
To leverage 2FA for your Palo Alto user account, I find you can select the following if you wish to require all your Company Account users to require to use it: 1. In Palo Alto CSP (Customer Support Portal, aka https://support.paloaltonetworks.com) 2. Account Management > Account Details 3. Select the Security Settings "Enable 2 Factor Authentication" Or select this individually for users via Members > Manage Users
... View more
01-04-2021
08:49 AM
I find that as of 17 Dec, there was at least two different BIOC Rules that were added. Are you seeing those in your instances? SunBurst domain access SunBurst Module loaded
... View more
12-31-2020
03:44 PM
also I should note that this LIVEcommunity discussion area seems to create a new avatar for discussions, if you happen to use a different browser, (but the same Palo Alto CSP account)
... View more
10-21-2020
01:38 PM
Would also love to hear or see more about this question. Responding to it in hopes it will pop on the top of the queue for more folks to see and perhaps share info or resources
... View more
09-30-2020
12:18 PM
RE: 'Apache Tomcat WebSocket Denial-of-Service Vulnerability' generated by PAN NGFW detected on host foo-wrkXXX involving user foo\User.Name -- Unique Threat ID: 59026 I am wondering if others are seeing this Alert generated due to what appears to be mostly client updates of OneNote (and perhaps other cloud apps). Looking at the threat ID, I see it was released on 13 Aug and as of today, there has not been an update to it. Have a client that since 17 Aug, has generated 54 Incidents in Cortex. As we do not manage or have access client Panorama to change Profile and perhaps disable this alert for outbound client connectivity, wondering if perhaps others have seen it and have a PCAP sent to PANW so that they can update the signature to be more effective?
... View more
08-16-2020
03:11 PM
if I can add my other 2cents to this, what I have found is that when app has not been signed by the vendor (which this one is not), its very much likely that WildFire is going to default to considering it Malware, unless a Verdict review is submitted. I have been told by PA TAC/Support folks that the best way to ensure WF has better results, is to ensure and we all request our software vendors to ensure they sign their files.
... View more
08-16-2020
03:00 PM
Hello @thejackal were you not able to get a reply when submitting it as a WildFire Verdict review? I normally find this process works pretty well, if the item in question created a Incident in Cortex. The process I normally am able to use is mentioned in this thread: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/submit-a-revision-about-false-positive-malware-in-cortex/m-p/336489#M188 Apologies if done this already or this is not relevant to the issue your posting on.
... View more
08-05-2020
07:46 AM
thanks so much @dfalcon I did indeed create a request within the Support team and currently its been escalated to Engineering. For those that might have / want a reference of this, its PAN Support Case 01544546. I will share here updates if applicable.
... View more
07-31-2020
10:46 AM
I should also note I find this in the Cortex XDR Pro Administrators Guide: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/cortex-xdr-alerts Which doesn't seem to entirely mesh with what have been seeing. Is the Guide correct or is the Production environment of Cortex correct?
... View more
07-31-2020
09:43 AM
Hello, beginning on or about 20 July, began to see MANY more Incidents created in Cortex XDR that looked similar to this: Incident Description: 'Threat ID #' generated by PAN NGFW detected on host <hostName> involving xyz\UserName (note, there is NOTHING after the "#" sign) Incident Sources: PAN NGFW When looking at the Alert that caused this Cortex Incident, what you see is: Category: "URL Filtering" Alert Name: "Threat ID #" I should not that I believe BEFORE this apparent change or bug, within Cortex XDR Alerts page we would see something like this: Category: "URL Filtering (10082)" Alert Name: "Threat ID #9999" Are others noticing this too? Is this the desired / expected behavior of Cortex XDR? It seems like there has been a CHANGE in the way Cortex presents these Alerts and Incidents Is there knowledge and expectations its operating this way? See attached screenshots
... View more
07-22-2020
11:35 AM
1 Kudo
Received update on the Support case I opened and Support team had escalated to Engineering, the answer back was: Per Engineering - The reason why the customer does not see the incident in Hash, because we are filtering and show only open incident (new/under investigation). It is expected behavior. So at least this is now answered. I also asked to have a Enduser Enhancement request put in that would more clearly indicate that this Filtering is taking place on this Hash View page and if possible, even expose the ability to apply a DIFFERENT filter than the one that is being "invisibly" applied currently.
... View more
07-21-2020
03:35 PM
hello @PKhemarith perhaps I am not understanding your question or task requirement, but is this what is being asked? "Retrive Files from an Endpoint" https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoints/retrieve-files-from-an-endpoint.html#idaedd753c-d76f-42a7-a381-ebdad39e16b2 I found the above in the Cortex XDR Pro Administrators Guide https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin.html
... View more
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
