About JohnSmith7732

Not sure the Question or maybe im mistaken by the terminology (BIOC equals Behavioral IOC)? ... View more

I have to go back and visit the 3 again. Thanks for the suggestion ... View more

Im not sure without research of a kali flavor limitation.. I do not see it on the compatibility matrix but that doesn't mean it wont run. That usually means not supported. You found another issue though maybe!   Broker VM / Activate the Agent Proxy for Closed Networks: <Link says Run the installation package on each endpoint according to the endpoint OS. During installation you must configure the IP address of the broker VM and a port number. You can use the default 8888 port or set a custom port. See the Cortex XDR Agent Administrator’s Guide < Link for installation instructions.   When you page down to Linux Configure proxy communication in the second link the example shows: If defined, the agent uses the proxy settings defined in the system environment in /etc/environment. blah blah blah... For example: https_proxy="https://10.196.20.244:8080"   I noted the use of 8080 in your statement. You are probably not using 8080 for the broker VM. Try 8888. Mostly seek consistency of the two (broker and client) ports in your environment with whatever ports you used.   I can see a potential problem in messaging across the documentation as they are usually created in separate efforts. Examples should define default variable throughout but tech writing doesn't require tech comprehension. If it proves to be true just ask Palo Alto to modify the Cortex Docs for consistency in messaging in those locations at the links above. Documentation is a tough job. I'm sure it will be well received suggestion and they will fix.   Good Luck! ... View more

BTP is for actions involving a PE/Macro/DLL and a windows process. I believe that is a simple explanation I can offer.   The detection of an action would involve "real time" scan analysis and be behavioral.   The scanned alerts are specific to "periodic" scanning of a file at rest. That's what you are doing now.   You'll need to set the quarantine on "Portable exe and DLL examination" in the "Malware Analysis Profile" to achieve what you are asking. Its set to disabled by default.   i dont know PA best practice but... Id run the periodic scan at least once before i enabled the quarantine for file types. Let it run across your enterprise and fill your screen with incidents/alerts. You are going to find tons of stuff you probably didnt know existed just laying around. You will see multiple instances of things which can help you isolate spread or unauthorized usage. Remediate them first. What that will do is populate your verdicts in the Wildfire database and enhance your local analysis. Nobody will know you did it and you wont piss off your sysadmins when the quarantine siezes all of their crazy tools. Give em a chance to explain first and you'll make friends 🙂   The existence of BTP and file block options in Cortex is already protecting you in real time. Take your time.     ... View more

thats interesting. I wish i could see it but we havent engaged it yet unfortunately so i will learn from you. I think SEP like many other vendors actually completely disables the windows firewall? You may have in fact been vulnerable. I think the cortex only engages the rules you choose. Can you put some context on things it might block? This one would seem to explain a little possibly?      By default, host firewall profile rules are based on the current location of your device. Configure two sets of rules: a set of  External Rules that apply when the device is located outside the internal organization network, and a set of  Internal Rules that apply when the device is located within the internal organization network. If you disable the  Location Based option, your policy will apply the internal set of rules only, and that will be applied to the device regardless of its location ... View more

well thats not as bad as 130% and we know thats possible. Its probably 100% of allocated space but there are plenty of other reasons for it to appear consumed. Most security products rely on  some kind of certificate recognition to ignore apps. Wouldn't think you'd need to whitelist or exclude anything from scan. ... View more