Cortex XDR Handson Workshop Lab Guide
Warranty
The information contained in this document is subject to change without notice. Palo Alto
Networks makes no warranty of any kind with respect to this information. Palo Alto
Networks specifically disclaims the implied warranty of the merchantability and fitness for a
particular purpose. Palo Alto Networks shall not be liable for any direct, indirect, incidental,
consequential, or other damage alleged in connection with the furnishing or use of this
information.
Trademark
Unit42®, CORTEX XDR®, XSOAR®, XPanse® and XSIAM® are trademarks of Palo Alto
Networks.
After walking through the workshop steps, you will be asked to complete a questionnaire (Google Form) with questions about
the knowledge gained in the workshop.
Terminology
Tab: refers to the different tabs appearing at the top of each screen in the UI. Could also refer to
the different tabs that appear in information sections that help to organize the information.
Sub-Tab: refers to the options associated with each “Tab” found in the left-hand column on
each screen.
Node or Icon: refers to the different images that can be selected in the visualizations that
appear in the User Interface.
Important notes
1. This workshop uses a user with ‘Viewer’ permissions, so keep in mind that some of the actions presented in the workshop
guide cannot be performed with that user.
2. This lab is intended to give users an understanding of how the product works, not a recommendation of how to use
the product.
3. We encourage you to use the documentation at any step to better understand and dig deeper.
Note:
Always follow your instructor, who will provide slides that will walk you through the login process. The steps below are
documented for reference only.
Description
Accessing the workshop XDR tenant via the Cortex Gateway
Clicking on the arrow icon will expose the sub-sections for
each topic.
The filter is saved and shared with the users in the tenant;
this capability is called ‘Shared Filters’.
Spear-Phish
● The Adversary will utilize Spear-Phishing of targeted users to introduce an exploit or Remote
Access Trojan (RAT) to establish initial Command & Control (C&C, C2) within the organization.
● Initial reconnaissance will be performed on the compromised host before making any lateral
moves.
Establish Additional Beachheads
● The adversary will want to entrench themselves by establishing multiple beachheads. This
way, if one compromised host is discovered or goes offline, the adversary can still operate
within the organization without having to re-compromise other users.
● One or more of these compromised hosts will be utilized as “Sacrificial Lambs” for any motions
that may raise detection alerts. If an Adversary loses one of the Sacrificial Lambs, they may
“Go Dark” for a time to see if any other compromised hosts are discovered.
Lateral Move Towards Mission Objective(s)
● Once persistence and redundancy have been established, the Adversary will work to complete
their mission.
● Enumerating Active Directory and identifying databases, other data stores, or systems to target
for destructive operations will be key to the threat actors achieving their objectives; this depends on
collecting and using the results of additional information-gathering efforts.
1 - Incidents list
This panel provides the user with the capability to
navigate between incidents whether they are new,
under investigation, or closed.
2 - Incident Information
This page provides the user with the chosen incident’s
details. The details that can be found include:
- incident metadata (owner, status, notes and
more)
Let’s see which parts are included in the screen and what
each part contributes.
Before expanding the mapping, tick the check box that says
‘Include Incident Insights’.
7. Click on the ‘+’ sign next to the event that you are
interested in. This action will open a side window which
shows the alerts that this part refers to.
This list can suggest what the attack flow was and
which executables contributed to the attack.
1. Navigate to the ‘Alerts & Insights’ tab. In this tab you can
find all the alerts and insights that XDR found to be related to
the same activity; as a result, they have been grouped into
the same incident.
2. The bottom of the screen will show the alerts and insights
in a table. Click on the three dots icon in the top right of the
table to organize the screen based on your triaging
methodology.
Your top alert should be the latest and the last alert should
be the first alert grouped into the incident.
Focusing on the File Event topic, we can see that the
file created on the disk is
‘C:\Users\ccollier\AppData\Local\Temp\7zO401A0FD5\Avengers Endgame Gag Reel.mp4.exe’.
Great, now we know which file has been dropped on the disk and
on which host.
Clicking on the alert and going through the data shows that
this alert points to the file we saw dropped to the disk,
‘Avengers Endgame Gag Reel.mp4.exe’.
When looking at the alerts we can again see a shift in the host,
which is confusing. Let’s use the right-click option on the PC2
field and then click on “Show rows with ‘PC2’”.
10. Now we can see that the filter on the alerts table is
applied, and as a result only the alerts from ‘PC2’ are visible.
Clicking on the ‘Host = PC2’ icon will open the filter options
for your convenience.
Clicking on the trash can icon will remove the filter and as a
result all the alerts should be visible.
At this point a few questions arise; let’s try to answer two
of them:
1. Why do we only see one alert coming from PC3? Is
there an agent installed on that host?
2. This remote address looks familiar, where did I see it
before?
13. Going further with the triaging, we can see more of how the
attack evolves on the network.
These are the key findings you can triage just by scrolling
the alerts table:
1. The attack goes to another endpoint ‘WS-IT10’
Focus on the correlation alert row and look to the right; you
will see quick action icons which provide actions on the
alert.
4. In the results table you can see more events from that
database; in our case you can see a login event from the
host “172.16.20.110” to the database prior to the backup.
Can you find which host is the host with that IP address in
that timeframe?
2. Copy the following query to the query writer and click ‘Run’:
config timeframe = 1Y case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and agent_hostname = "pc1"
| limit 100
While the query is running, let’s break the query into its
stages; each stage is separated by a pipe (|).
Important note: in the query’s filter stage you can see a field
called event_type followed by ENUM.PROCESS. The event_type
field lets you choose which kind of activity collected by the agent the query returns.
Let’s try to make the query results a bit more accurate with
the ‘fields’ stage.
4. Copy the query with the new ‘fields’ stage and run it:
This query will return files created on the system with an “exe”
extension in the last 3 months and will present the process
that created the file, the file path and the username.
Looking at the events list that opens, we can see which file
activity XDR collects.
This query will show you the total bytes that have been sent from
each zone the firewall has.
This query will show you the total bytes of sessions in the
‘Internal’ zone grouped by destination port.
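To make the stage-by-stage behaviour of these XQL queries concrete (the process query with its config, dataset, filter and limit stages, the ‘fields’ stage that narrows the columns, and the two firewall summaries grouped by zone and by destination port), here is an added example that is not part of the workshop guide and not Cortex XDR code: a small Python model that runs the lab’s query text over constructed in-memory rows. Each stage takes the rows emitted by the previous one and hands a new row set to the next, which is exactly the point the guide makes about the pipe separator. The xdr_data field names (action_file_path, action_file_extension, actor_process_image_name, actor_effective_username) are assumed from the xdr_data naming style; the fw_traffic dataset and its from_zone, dest_port and bytes_total fields are placeholders invented for the example. The timeframe setting is parsed but not applied, because the constructed rows carry no timestamps.

```python
"""Toy model of the XQL stage pipeline used in the lab (added example,
not an XDR component).  Supports only the stage types the lab queries
need: config, dataset, filter, fields, comp and limit."""
import re

# Constructed sample rows standing in for the xdr_data dataset.
XDR_DATA = [
    {"event_type": "PROCESS", "agent_hostname": "PC1", "actor_process_image_name": "explorer.exe",
     "actor_effective_username": "ccollier", "action_file_path": None, "action_file_extension": None},
    {"event_type": "PROCESS", "agent_hostname": "PC1", "actor_process_image_name": "7zFM.exe",
     "actor_effective_username": "ccollier", "action_file_path": None, "action_file_extension": None},
    {"event_type": "FILE", "agent_hostname": "PC1", "actor_process_image_name": "7zFM.exe",
     "actor_effective_username": "ccollier", "action_file_extension": "exe",
     "action_file_path": r"C:\Users\ccollier\AppData\Local\Temp\7zO401A0FD5\Avengers Endgame Gag Reel.mp4.exe"},
    {"event_type": "FILE", "agent_hostname": "PC2", "actor_process_image_name": "notepad.exe",
     "actor_effective_username": "jdoe", "action_file_extension": "txt",
     "action_file_path": r"C:\Users\jdoe\Documents\notes.txt"},
]
# Constructed firewall rows; dataset and field names are placeholders, not a real schema.
FW_TRAFFIC = [
    {"from_zone": "Internal", "dest_port": 443, "bytes_total": 1200},
    {"from_zone": "Internal", "dest_port": 443, "bytes_total": 800},
    {"from_zone": "Internal", "dest_port": 22, "bytes_total": 150},
    {"from_zone": "DMZ", "dest_port": 443, "bytes_total": 5000},
]
DATASETS = {"xdr_data": XDR_DATA, "fw_traffic": FW_TRAFFIC}


def _literal(token):
    """Turn a query literal into a Python value: "text", ENUM.NAME or an integer."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    if token.startswith("ENUM."):
        return token[len("ENUM."):]
    return int(token) if token.isdigit() else token


def _apply_filter(rows, expr, case_sensitive):
    """Keep rows matching every `field = value` clause joined by `and`."""
    clauses = []
    for clause in re.split(r"\s+and\s+", expr, flags=re.IGNORECASE):
        field, _, value = clause.partition("=")
        clauses.append((field.strip(), _literal(value)))

    def matches(row):
        for field, wanted in clauses:
            actual = row.get(field)
            if isinstance(actual, str) and isinstance(wanted, str) and not case_sensitive:
                if actual.lower() != wanted.lower():
                    return False
            elif actual != wanted:
                return False
        return True

    return [row for row in rows if matches(row)]


def _apply_comp(rows, expr):
    """Support `sum(field) [as alias] by col, ...`: group the rows and total a field."""
    match = re.fullmatch(r"sum\((\w+)\)(?:\s+as\s+(\w+))?\s+by\s+(.+)", expr.strip())
    if not match:
        raise ValueError(f"unsupported comp expression: {expr}")
    field = match.group(1)
    alias = match.group(2) or f"sum_{field}"
    by = [col.strip() for col in match.group(3).split(",")]
    totals = {}
    for row in rows:
        key = tuple(row.get(col) for col in by)
        totals[key] = totals.get(key, 0) + (row.get(field) or 0)
    return [dict(zip(by, key), **{alias: total}) for key, total in totals.items()]


def run_xql(query, datasets=DATASETS):
    """Run the stages of `query` left to right; each stage feeds the next."""
    rows, case_sensitive = [], True
    for stage in (s.strip() for s in query.split("|") if s.strip()):
        keyword, _, rest = stage.partition(" ")
        keyword = keyword.lower()
        if keyword == "config":      # timeframe is accepted but not modelled here
            case_sensitive = "case_sensitive=false" not in rest.lower().replace(" ", "")
        elif keyword == "dataset":
            rows = list(datasets[rest.split("=", 1)[1].strip()])
        elif keyword == "filter":
            rows = _apply_filter(rows, rest, case_sensitive)
        elif keyword == "fields":    # project each row down to the requested columns
            wanted = [col.strip() for col in rest.split(",")]
            rows = [{col: row.get(col) for col in wanted} for row in rows]
        elif keyword == "comp":
            rows = _apply_comp(rows, rest)
        elif keyword == "limit":
            rows = rows[: int(rest)]
        else:
            raise ValueError(f"unsupported stage: {stage}")
    return rows


# The guide's process query, verbatim.
PROCESS_QUERY = """config timeframe = 1Y case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and agent_hostname = "pc1"
| limit 100"""
# Constructed query in the spirit of the guide's exe-creation query with a 'fields' stage.
EXE_QUERY = """config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.FILE and action_file_extension = "exe"
| fields actor_process_image_name, action_file_path, actor_effective_username"""
# Constructed firewall summaries: bytes per zone, and bytes per port inside 'Internal'.
ZONE_QUERY = """dataset = fw_traffic
| comp sum(bytes_total) as total_bytes by from_zone"""
ZONE_PORT_QUERY = """dataset = fw_traffic
| filter from_zone = "Internal"
| comp sum(bytes_total) as total_bytes by dest_port"""
```

Running `run_xql(PROCESS_QUERY)` returns the two PC1 process rows (the hostname matches "pc1" only because `case_sensitive = false` is in the config stage; drop it and the filter returns nothing), `run_xql(EXE_QUERY)` returns a single three-column row for the dropped .exe, and the two firewall queries return one row per group with the summed byte count.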