Initial Coverage for Cortex XDR Agent on Linux#148
blb142857 wants to merge 1 commit into tsale:main from
Conversation
Hi @tsale,

Thanks for the Linux submission. Since this is the initial Linux entry, documentation alone is not sufficient to mark telemetry as supported. For the initial baseline, we need observable and queryable evidence (for example, screenshots or sample telemetry) to validate each category marked as Yes. Items backed only by documentation will remain No for now and can be revisited once supporting telemetry is provided. If there’s any uncertainty about what evidence is needed, or if you’d like to discuss this in more detail, feel free to reach out to me directly. Thanks for understanding.

Sure @tsale, here is the telemetry evidence for the items where you only had documentation:
- Process Activity -> Process Creation
- Process Activity -> Process Termination
- File Activity -> File Creation
- File Activity -> File Modification (this screenshot shows creation and then alteration of a specific file)
- File Activity -> File Deletion
- User Activity -> User Logoff (action_evtlog_event_id = 4 is the logout event)
- User Activity -> Failed Logon (this is the same query as for user logon, with additional fields to highlight the failure)
- Network Activity -> Network Connection
- Network Activity -> Network Socket Listener
I think this covers the ones that were only mentioning the documentation @tsale. Let me know if you need anything else for that one. Thanks.

Hi @tsale
EDR Telemetry Pull Request
Contribution Details
This is the initial proposal for coverage of the Palo Alto Networks Cortex XDR agent running on Linux
Telemetry Validation
This contribution will be validated either by official documentation or by XQL queries. Details will be provided for each suggestion in the Additional Notes.
Documentation or Evidence:
Type of Contribution
Validation Details
EDR Product Information
Testing Methodology
Systems are live machines with no specific activities
Additional Notes
Process Activity -> Process Creation: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
Process Activity -> Process Termination: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
File Activity -> File Creation: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
File Activity -> File Modification: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
File Activity -> File Deletion: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
User Activity -> User Logon: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
User Activity -> User Logoff: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
User Activity -> Failed Logon: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
Network Activity -> Network Connection: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
Network Activity -> Network Socket Listener: Initial Coverage suggestion: Yes
Evidence: EDR data collected in Linux from above documentation
Driver/Module Activity -> Image Load: Initial Coverage Suggestion: Yes
Evidence: Below screenshot shows an XQL query of an image load
EDR Sysops -> Agent Start: Initial Coverage Suggestion: Yes
Evidence: Below screenshot shows an XQL query of an agent start
Hash Algorithms -> MD5 & SHA: Initial Coverage Suggestion for both: Yes
Evidence: Below screenshot shows an XQL query exhibiting MD5 and SHA256
All other suggestions are currently set to No but will likely have some updates in the future
Thanks