About Shahwaz_Md

Hi Shahwaz_Md,   XDR utilizes custom BIOC rules where you create BIOC rules based on the set of attribute-value pairs to automatically convert the leads into alerts. Please also reference detections in the XDR analytics alert reference for possible alerts relating uncommon PowerShell commands/ scheduled tasks.    To create a BIOC rule, navigate to Incident Response> Query Builder> then select XQL search. Here, you can enter an XQL query to identify endpoints executing PowerShell. To get started, here is a query to test:   dataset = xdr_data // Using the XDR dataset | filter lowercase(actor_process_image_name) = "powershell.exe"and action_evtlog_username not contains "system"// Filtering for parent process is powershell.exe and filtering out system | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and lowercase(actor_process_image_name) = "powershell.exe" // Filtering for parent process is powershell.exe | alter process_cmd = if(lowercase(action_process_image_command_line) contains "c:\users", replex(lowercase(action_process_image_command_line), "c:\\users\\[a-zA-Z0-9.]*", "c:\\users\\USERNAME"), action_process_image_command_line) // Running an alter command to make sure the functions later ignore differences in user paths | fields action_process_image_name as process_name, action_process_image_command_line as process_cmd, event_id,agent_hostname as hostname, actor_process_image_path as process_path, causality_actor_process_image_path as cgo_path, causality_actor_process_command_line as cgo_cmd // Getting the relevant fields   Once the XQL query is complete, you can create a BIOC rule utilizing its insightful information. BIOC rules can be added via Detection Rules > BIOC > + Add BIOC.   To block, you can add the BIOC rule via a Customer Prevention rule in the Restrictions Profile.   The Restriction profile allows you to apply custom made BIOC's that upon detection will be prevented by the agent, in case you are using the default profiles then no prevention will take place but the detection will happen if the BIOC rule is configured in your BIOC repository (preconfigured or custom made BIOCs).    Here is a walkthrough of the  process Custom  Prevention Rules| Palo Alto Networks   After testing is complete, to narrow the scope, consider applying this BIOC/Restrictions profile to endpoints via a policy applied to an endpoint group.   If you found this response helpful, please like and click Accept as Solution.    Thanks,  Jtalton ... View more

Hi @Shahwaz_Md    Thank you for writing to live community! Default password is associated with the agent uninstall password, so any change in that will update the agent uninstall password.  Note: agent doesn't have any installer password thus its not related.  Please mark the response as "Accept as Solution" if it answers your query. Hope it helps!   ... View more

Hi @Shahwaz_Md ,   If you're trying to uninstall from multiple endpoints it may be good to use a python or powershell script launched from a central location.  You should be able to use cytool to help this process. Here's an excerpt from the Tech Docs that you may find helpful.   Uninstall the Cortex XDR Agent for Windows Using Msiexec Use the following workflow to uninstall the Cortex XDR agent using Msiexec. Use one of the following options to open a command prompt as an administrator: Select   Start   →   All Programs   →   Accessories . Then right-click   Command prompt   and   Run as administrator . Select   Start . In the   Start Search   box, type   cmd . Then, to open the command prompt as an administrator, press   CTRL +   SHIFT +   ENTER . Run the   msiexec   command followed by one or more of the following options or properties: /x < installpath > \ < installerfilename > .msi —Uninstall a package. /l*v   < logpath > \ < logfilename > .txt —Log verbose output to a file. Uninstall and logging options       Here's a link to the Tech Docs where you can also find additional methods for removing the Cortex XDR Agent. I hope you find this information helpful.  Have a great day! ... View more

Hi @Shahwaz_Md Please mark the response as "Accept as Solution" if was able to help.   ... View more

1. Check internal firewall. 2. Check enterprise firewall if any of the pre-requisite url is blocked 3. If brokervm is implemented, check if proxy is set. 4. Check if services is up by > cytool runtime query ... View more