About afurze

1) This is a feature of Threat Intelligence Management from Cortex XSOAR, you can ingest lists from Palo Alto Networks and other 3rd party sources and pass them in to Cortex XDR.  You can reach out to your account/sales team for details   2) Cortex XDR BIOCs as well as Analytics BIOCs are already tested against well known, safe, activity to reduce false positives, there is no action required for most out of the box Windows systems.  If you are encountering false positives related to known trusted Windows processes, you can utilize the concepts discussed in the alert tuning webinar to implement appropriate exceptions/exclusions ... View more

Hi CraigV123,   With Cortex XDR Prevent, only the XDR Agent information can be ingested into XDR console, an XDR Pro license allows you to ingest alerts from 3rd party sources (including NGFW) and a Pro per TB license allows you to ingest the raw logs.  Please refer to this doc page with detailed information on capabilities per license type (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/cortex-xdr-overview/cortex-xdr-licenses/features-by-cortex-xdr-license-type#features-by-cortex-xdr-license-type).   Correction: You can use the AD integration feature to bring in data from AD for alerts and incidents.  It's the Identity Analytics that you won't be able to utilize.  Check out https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/set-up-cloud-identity-engine for information on configuring this. ... View more

Hi Cyber,   Please reach out to your SE/Account Team to get this feature request submitted for you!  It isn't 100% relevant to that particular view since that lists all artifacts involved in an incident, not necessarily the response that was taken for them as that is instance/endpoint specific (which is why it shows up in the Executions tab), but it may still be something that could be summarized in that view. ... View more

You can add an OR to the filter and use parenthesis to group your operators, like so:   | filter (action_local_ip = "10.130.130.34" and action_local_port != 445) or action_local_ip != "10.130.130.34"   This selects either logs where the local IP is 10.130.130.34 and the source port is not 445, or logs where the local IP is not 10.130.130.34. ... View more

Hi Mgreer,   Cortex XDR does not natively support ingesting Duo admin/auth logs, however, the Duo log sync utility does support sending via CEF.  You can deploy the Broker VM and enable the Syslog Collector applet (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/external-data-ingestion/additional-log-ingestion-methods-for-cortex-xdr/ingest-logs-from-a-syslog-reciever) and configure to receive CEF logs.  Cortex XDR will automatically create a data set for you and you can then search logs, as well as create BIOCs, IOCs, and correlation rules.  ... View more

Hi Cyber1985,   There's some Windows nuance happening here which is tripping you up.  When you used CMD to launch Powershell, Cortex examined the command line arguments passed to powershell (i.e. powershell.exe wget [site_url]) and was able to match "wget", however, when you type "wget" into an interactive Powershell window, there are no command line arguments to examine, it all happens within the interactive shell without spawning a subprocess as was the case with CMD.   To detect this, you will need to have Powershell logging enabled shown here from Microsoft, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2.   Assuming you have Cortex XDR Pro per Endpoint, Windows Event logs are ingested and can be searched. ... View more