About mavraham

mavraham · ‎02-02-2023

Hi @VineethArumulla, Thank you for writing to Live Community. Since this this is a public forum I highly suggest you open a ticket in our support portal so that our engineers can take a deeper look at the issue.

mavraham · ‎02-01-2023

Hi @Shashanksinha Thanks for writing to Live Community. Alert tuning is an important process as part of managing XDR, and should be done on a concurrent basis. The way to properly address alert tuning would be depending on the alert source. In general, alert tuning in XDR several alert tuning mechanisms: Agent exceptions Detection rule exceptions Utilizing the global hash allowlist Prevention Module based allow lists Support exceptions For example, if through the process of reviewing an incident you want to suppress future alerts from similar sources you need to create an Alert Exclusion policy based on the alerts in said incident. You can also build alert rules from scratch and use existing alert values to populate your exclusion criteria. If the alert is IOC/BIOC you might want to take action on specific behavior but exclude some of the indicators. Starting with version 3.5, you can also manage exceptions from a central location by adding Legacy Exception rules . We have a great Alert Tuning Video Series over on Live Community which should help you get started on understanding the different sources of alerts and how to address them. Hope this helps!

mavraham · ‎01-31-2023

Hi @Aiman_Fathima, thank you for writing to live community. I'm not sure where you were told that there are drawbacks to scanning on a weekly basis. The scan schedule suggested with Cortex XDR periodic scan is weekly or monthly. In terms of determining the optimal scanning frequency - that is something you should decide based on your organizational needs and internal policies. You can read more about periodic scans here Hope this helps!

mavraham · ‎01-24-2023

Hi @cskoien, Thank you for writing to Live Community. When you go into your CSP account, head over to the bottom of the page and click Email Prefrences (1st screenshot). Please make sure you subscribe to both Traps Content Update Emails, as well as Trap Software Update Emails (as seen in the 2nd attached screenshot). The email should include information about new agent releases (3rd screenshot). Hope this helps!

mavraham · ‎01-24-2023

Hi @RamyashreeMada 1. In the instance the connection is lost between the Endpoint and XDR cloud, but the scan had already started the scan should be completed and report the status back online if it happens within 24 hours. 2. In the instance the machine was shut down halfway through the scan the scan should indeed be cancelled/failed. This information should arrive to the XDR console in around 5-7 seven minutes, as the t he Cortex XDR agent initiates communication with Cortex XDR every five minutes by sending a heartbeat to the server. You can read more about Agent and Server initiated communication here. If this helped, please click 'Accept as Solution'.

Member Since	‎01-05-2021 03:43 AM
Date Last Visited	‎02-07-2023 05:09 AM
Posts	36
Total Likes Received	14

Online Status	Online
Date Last Visited	‎02-07-2023 05:09 AM

About mavraham

Re: Cortex XDR service getting stopped

Re: Alerts on Cortex XDR Console

Re: Weekly Scans in XDR

Re: new Cortex XDR Agent release notifications

Re: Malware Scan on XDR

Re: new Cortex XDR Agent release notifications

Re: Malware Scan on XDR

Re: XDR on AS400 servers

Re: Cortex XDR as part of the golden image

Re: XDR agent install rolls back

Palo Alto Cortex XDR exclusions/exceptions use case example article for solving VPN agent interoperability issues

Adding Endpoint to Dynamic Group by "Installation Package" Name

PoC - Using Cortex XDR to Block Software Installations

Cortex XDR PoC: Monitoring Malicious Chrome Extensions

Re: Cortex XDR service getting stopped

Re: Alerts on Cortex XDR Console

Re: Weekly Scans in XDR

Re: new Cortex XDR Agent release notifications

Re: Malware Scan on XDR