About jtalton

Hi Rob,   An out of the box automation is not available.   However, you may be able to tweak your correlation rule with an XQL query using a Regex expression substitution such as replace. Also, as an example, if you are ingesting the corresponding Windows Event ID for domain name changes (dataset=xdr_data) using the alter stage which assigns a value to a field name based on the returned value of the function, may yield better results.   Reference Alter • Cortex XDR XQL Language Reference • Reader • Palo Alto Networks documentation portal ... View more

Hello Aiman_Fathima,    Blocking files on endpoints is also enforced by the endpoint malware profile. Please ensure that your Malware Security Profile is set to block mode.   In Action Center, on the Block list page, you may select Override Report mode to allow the agent to block hashes even if the Malware Profile is set to Report.   Please check Action Center to confirm the file hash is in the Block List: Incident Response >Response> Action Center > Block List Select Override Report mode to allow the agent to block hashes even if the Malware Profile is set to Report.   If all is configured, please open a support case for troubleshooting.  Reference Endpoint Security Profiles (paloaltonetworks.com) Add a New Malware Security Profile (paloaltonetworks.com)   Thanks ... View more

You may forward Global Protect logs to the Cortex Data Lake for stitching from your PANW firewall. If you need assistance with configuring please open a support case.  ... View more

Hi Faber,    This may be due to this process not being protected by a module. By default, your exploit security profile protects endpoints from attack techniques that target specific processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks researchers determine are susceptible to attack. If there are no protection modules enabled on the process, no is exception needed. Please reference Processes Protected by Exploit Security Policy (paloaltonetworks.com) for more details.   There are other modules where Process Exceptions will still apply, like Anti-Ransomware Protection, Child Process Protection, but for all Exploit Prevention Modules the process exception makes no difference for an unprotected process.    If you're investigation has determined the process is benign, you can add the hash to the Allow List (*best practice is to whitelist by hash) and allow it to be executed on all your endpoints regardless of the WildFire or local analysis verdict.    In the UI, Go to Incident Response, Response, Action Center, + New Action Enter the SHA-256 hash of the file and click    You can add up to 100 hashes at once.  Click Next. Review the summary and click Done.   Reference Manage File Execution (paloaltonetworks.com)   Thanks   ... View more