Cortex XDR

What is it?

Cortex XDR is threat detection and response software from Palo Alto Networks.

How does it work?

Much like people, computer programs exhibit certain behaviors when engaged in malicious activities. XDR protects against threats (malware, viruses, etc.) by monitoring our workstations and flagging any process that exhibits those behaviors. When a process is flagged as a potential threat, XDR prevents it from running and generates a security event, which is sent to CISL's Cybersecurity Program Office. On Windows and macOS clients, an alert is also displayed to the end user.

When a security event is generated on a HAO workstation, a security engineer contacts CSMT with the name of the workstation and any steps that should be taken to mitigate the threat. A CSMT team member then contacts the user of the workstation to ensure that those steps are taken.

False Positives

In rare cases, Cortex XDR will identify a benign process as a threat. After determining that a flagged process is benign, CSMT will notify a security engineer of the false positive. The process can then be whitelisted so that it is allowed to run on the computer in question and on any other client running the same software. If you believe a flagged process is a false positive, do not try to disable or work around XDR yourself; report it to CSMT so the process can be reviewed and whitelisted properly.

How do I know it’s working?

To confirm that XDR is functioning properly, open the Cortex XDR agent console on the workstation and verify that the protection status reads "Enabled". If it reads anything else, or the console will not open, contact CSMT.