Exam PCDRA
Question 17

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?

    Correct Answer: D

    To ensure the same protection is extended to all your servers, you should enable Behavioral Threat Protection (BTP). Behavioral Threat Protection continuously monitors endpoint activity for malicious causality chains and can prevent threats from spreading by blocking malicious behavior. Enabling it across all servers using the `cytool` command ensures that the protection mechanism is uniformly applied and helps prevent similar attacks in the future.

Discussion
9smiles (Option: A)

Please provide a reference for your claim, im2ca. I have not been able to find any supporting documentation for this. Probably you are talking about custom prevention rules, which are basically BIOC rules that you add to restriction profiles (see [1]), but BTP rules are something else and their database is not available to the public [2].

[1]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule
[2]: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/td-p/395977

im2ca (Option: A)

Correct is A: You can create BTP Rules in Cortex XDR.

9smiles (Option: B)

About BTP rules: Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains. You are not able to create these, only create exceptions and turn them off, so A cannot be correct. C can also not be correct, since IOCs lead to detections and do not prevent the file from running. My guess would be B.

Chiquitabandita (Option: A)

To configure the Global Behavioral Threat Protection Rules: Define the Action mode to take when the Cortex XDR agent detects malicious causality chains: Block (default)—Block all processes and threads in the event chain up to the CGO. Report—Allow the activity but report it to Cortex XDR. Disabled—Disable the module and do not analyze or report the activity.

Chiquitabandita (Option: A)

I had seen about 4 questions from this site that are very similar and can't really confirm which is the best answer. I keep coming up with a similar solution, which would be to create a BIOC rule for this situation, but that is not one of the choices; it is different from a BTP rule, which according to my research does not allow creation of rules by the general public. I had wondered if they possibly got the question mistranscribed from the source. Anyone have any other sources? C looks like it could be a good choice except, as 9smiles has suggested, it is detection, not prevention, and the question asks for prevention.