Cortex XDR Handson Workshop Lab Guide

XDR: Hands-On Workshop
Cortex by Palo Alt

o Networks | XDR | Hands-On Workshop
PALO ALTO NETWORKS All rights reserved
This document contains proprietary information protected by copyright. The software
described in this guide is furnished under a software license or nondisclosure agreement.
This software may be used or copied only in accordance with the terms of the applicable
agreement. No part of this guide may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying and recording for any purpose
other than the purchaser’s personal use without the written permission of Palo Alto
Networks.
Warranty
The information contained in this document is subject to change without notice. Palo Alto
Networks makes no warranty of any kind with respect to this information. Palo Alto
Networks specifically disclaims the implied warranty of the merchantability and fitness for a
particular purpose. Palo Alto Networks shall not be liable for any direct, indirect, incidental,
consequential, or other damage alleged in connection with the furnishing or use of this
information.
Trademark
Unit42®, CORTEX XDR®, XSOAR®, XPanse® and XSIAM® are trademarks of Palo Alto
Networks.
Cortex by Palo Alto Networks | Hand On Workshop guide

Table of Contents
PALO ALTO NETWORKS All rights reserved 2

Warranty 2
Trademark 2
Unit42®, CORTEX XDR®, XSOAR®, XPanse® and XSIAM® are trademarks of Palo Alto Networks. 2
Table of Contents 3
How To Use This Guide 5
Terminology 5
Important notes 5
Activity 0 – Log in to Cortex XDR 6
Note: 6
Always follow your instructor, who will provide slides that will walk you through the login process. The steps below are
documented for reference only. 6
Activity 1 - Accessing the workshop 6
Step 1 - Cortex Gateway 6
Activity 2 - Getting to know Cortex XDR 8
Step 1 - Dashboard Navigation 8
Step 2 - License Information 13
Step 3 - System Configurations 15
Step 4 - Management Audit Logs 19
Step 5 - Agent Audit Logs 21
Activity 3 - Incident Investigation 23
Step 1 - Incidents list navigation 24
Step 2 - Incident Overview 27
Step 3 - Incident Scoping 32
Step 4 - Incident Triaging 35
Step 5 - Causality\Execution Chain Investigation 44
Step 6 - Root Cause Analysis 48
Step 7 - Exfiltration Analysis 51
Activity 4 - XQL 53

Step 1 - Getting to know XQL 53
Step 2 - Process Queries 56
Step 3 - File Queries 59
Step 4 - Network Queries 61
Activity 5 - Check your knowledge 63

How To Use This Guide
This workshop guide will take you through actions in a ‘view-only’ XDR tenant. In this workshop you will be asked to follow actions
and review data, in a step by step fashion.
After walking through the workshop steps, you will be asked to complete a questionnaire (Google Form). With questions around
the knowledge gained in the workshop.
Terminology
Tab: refers to the different tabs appearing at the top of each screen in the UI. Could also refer to
the different tabs that appear in information sections that help to organize the information.
Sub-Tab: refers to the options associated with each “Tab” found in the left-hand column on
each screen.
Node or Icon: refers to the different images that can be selected in the visualizations that
appear in the User Interface.
Important notes
1. This workshop uses a user with ‘Viewer’ permissions, so keep in mind that some of the actions cannot be performed using
that user although they are presented in the workshop guide
2. This lab is intended to give users an understanding of how the product works, and not a recommendation of how to use
the product.
3. We encourage you to use the documentation at any step to better understand and dig deeper

Activity 0 – Log in to Cortex XDR
Note:
Always follow your instructor, who will provide slides that will walk you through the login process. The steps below are
documented for reference only.
Activity 1 - Accessing the workshop

Fits for
All system users
Description
Accessing the workshop XDR tenant via the Cortex Gateway
Step 1 - Cortex Gateway

Step Instructions Screenshots
1. Open incognito window and navigate to -

https://cortex-gateway.paloaltonetworks.com/

2. Login using the credentials provided to you
for the workshop
3. In the Cortex Gateway click on the

‘latest-how’ tenant icon

Activity 2 - Getting to know Cortex XDR
Description
In this activity we are going to walk through the system’s components, to better understand how to operate the platform. We will
browse through the system while using hands-on best practices, to access and analyze the data in the system for administrative &
investigative operations
Step 1 - Dashboard Navigation

1. By default, you will login to the Dashboard

section. These Dashboards provide high level
information with multiple contexts depending on
the dashboard selected.
In case the default page has changed you can

navigate there with the main menu on the left
side.

2. The dashboards are built from widgets that
represent information related to the unique
dashboard selected.
The dashboard widgets are clickable, and will lead

you to underlying data that fuel the widget.
3. In the ‘Top Hosts’ widget click on one of the

hostnames in the list’, this will navigate you to the
Incidents screen, with a filtered table that shows
which incidents that host took part in.

4. Clicking on the dashboards list, will show the
existing dashboards provided within the product.
Let’s navigate to ‘Data Ingestion Dashboard’ to
see what sources are sending data to the XDR
tenant.
5. Looking at the ‘Daily Consumption’ widget, we

can see which data sources delivered data to XDR
and in what sizes
Hovering on the visual parts of the widget will

uncover the details behind the visualization

6. In the top right corner in the page you can find
the time and date range controls, this can be used
to change the timeframes for the entire
dashboard, each dashboard have a default time
frame which is configured upon dashboard
creation
Let’s choose the ‘Last 24H’ and click ‘Apply’
7. In the lower section you can see another type of

widget which shows data in a table. This table
layout and functionality will return in every part of
the system where there are tables. Let’s see how
we can control it.
7a. Click on the three dots icon on the widget’s top

right, this will open the table control panel which
allows covering\uncovering columns, lock columns
and more capabilities.

7b. In the table click on the ‘Last Day Ingested’
column to sort the values in an ascending \
descending way. Now we can see what amount
each data source sent to the XDR

Step 2 - License Information
1. Using the main menu navigate to ‘Settings’ → ‘Cortex

XDR License’

2. The license view pop-up will appear on the screen.
Cortex XDR displays a tile with your Cortex XDR license

type:
● Total number of concurrent agents permitted by
your license
● Number of installed agents
● Expiration date of your license
The license information will be changed according to the

license components purchased

Step 3 - System Configurations
1. Using the main menu navigate to ‘Settings’ →

‘Configurations’’

2. The system Configurations menu will appear, in this
menu you can find the controls of the system such as
● Server Settings
● Broker Management
● XDR Collectors configurations
● Data Ingestion Settings and Management
Clicking on the arrow icon will expose the sub sections for
each topic
Let’s see some of the functions that can be configured in

the system.
3. Navigate to ‘Server Settings’, in that screen you can

configure server settings such as:
● Keyboard Shortcuts - configure the shortcuts for
opening ‘Artifact and Asses Views’ and ‘Quick
Launcher’
● Timezone
● Timestamp Format
● Email Contacts - who shall be notified
● Automation Rule Notification - email and slack
contacts that will be communicated in case of
automation rule pause
● XQL Configuration - case_sensitive config
● Incidents MTTR - Mean Time To Resolve config

4. Navigate to ‘Integrations’, under this topic you will see
the settings for integrations, you can add to the system.
Now please navigate to ‘Threat Intelligence’ sub page
For example: if your organization uses VirusTotal \

AutoFocus for threat intelligence enrichments, or any
other purpose, you can add the API keys to Cortex XDR
and by doing that the system will enrich the data in
investigation with verdict from that threat intel sources

5. Navigate to ‘API Keys’, on this page you can create api
keys to be used when utilizing the system API’s for
different scenarios.
Creating new keys is disabled In the tenant you are using.

The ”New Key” wizard would look like the one presented
in the image.
In the “New Key” wizard screen you can control which

permissions will apply to the key, the Role drop down will
apply the role permissions to the api key permission
scheme.
6. Navigate to ‘Data Collection > Collection

Integrations’, on this page you can configure a collection
of logs from remote systems such as Okta, Ping, Cloud
providers and more to Cortex XDR.
Each available integration can be onboarded using the

‘+Add Instance’ button which opens a wizard that walks
you through the onboarding of the source; adding new
instances is disabled in the tenant you are using..

Step 4 - Management Audit Logs
1. Using the main menu navigate to ‘Settings’ →

‘Management Audit Logs’
2. In the Management Audit Logs view all the audit

logs of the system in a table view.
Looking at the columns shows that you can filter the

events based on event types, sub types, users, severity
and more

3. Click on the filter icon next to the “TYPE” column and
filter for events generated from ‘Rules’ type. After
checking the box for “Rules”, click anywhere on the
page to refresh the table.
4. In the results you can see multiple events generated

with “Content Update” as the event sub-type, with that
view you can verify the system is updating as expected.

Step 5 - Agent Audit Logs
1. Using the main menu navigate to ‘Settings’ → ‘Agent

Audit Logs’
2. In the opened window you can trace agent audit

activities that are collected from the agents.

3. Filtering the severity column to match High & Medium
severity levels will expose interesting audit events of the
agents activity.
4. Looking at the events shows multiple ‘XDR Service Stop’

events on multiple endpoints.

5. Another important event is the ‘Quota Exceeded’ event
which can lead to misbehaviors on the agent side.
To expose those alerts click on the three dots icon on the

top right corner → ‘Filters’ tab and choose the ‘Quota
Exceeded’ filter
The filter is saved and shared with the users in the tenant,
this capability is called ‘Shared Filters’

Activity 3 - Incident Investigation
Description
In this activity we are going to operate the investigating components the system offers while investigating a real-life use case.
This attack scenario will illustrate several common motions of an adversary upon successfully breaching
into an organization.
Spear-Phish
● The Adversary will utilize Spear-Phishing of targeted users to introduce an exploit or Remote
Access Trojan (RAT) to establish initial Command & Control (C&C, C2) within the organization.
● Initial reconnaissance will be performed on the compromised host before making any lateral
moves.
Establish Additional Beachheads
● The adversary will want to entrench themselves by establishing multiple beachheads. This
way, if one compromised host is discovered or goes offline, the adversary can still operate
within the organization without having to re-compromise other users.
● One or more of these compromised hosts will be utilized as “Sacrificial Lambs” for any motions
that may raise detection alerts. If an Adversary loses one of the Sacrificial Lambs, they may
“Go Dark” for a time to see if any other compromised hosts are discovered.
Lateral Move Towards Mission Objective(s)
● Once persistence and redundancy have been established, the Adversary will work to complete
their mission.
● Enumerating Active Directory, identifying databases and other data stores or systems to target
for destructive operations will be key to the threat actors achieving their objectives through the collection and use of
additional information gathering efforts

Step 1 - Incidents list navigation
1. Using the main menu navigate to ‘Incident

Response’ → ‘Incidents’
This window aggregates the security incidents which

XDR detected\prevented within your organization's
environment.
2. The incident window is built from 2 main

components.
a. Incidents List
b. Incident Information
1 - Incidents list
This panel provides the user with the capability to
navigate between incidents whether they are new,
under investigation, or closed.
The way to navigate is using the filters component.
We will explore that in the next steps.
2 - Incident Information
This page provides the user with the chosen incident
details, the details that can be found includes:
- incident metadata (owner, status, notes and
more)

- Incident artifacts and involved assets
- Incident Timeline
- Alerts that are part of the incident and an
option to dig deeper into interesting alerts and
uncover the chain of execution that caused that
alert to trigger
- Incident management controls such as closing
the incident or merging with another
We will explore that in the next steps
3. In the incidents window use the filter component to

filter based on criteria that you are interested in, it can
be the assigned analyst, the status, timeframes and
more options.
To change the filter you need to click on the filter

criteria.
4. Using the filter component apply a filter that shows

incidents that are assigned to the workshop user
which goes by the name “XDR Labs”.
To add the text to the filter click the blue arrow icon
marked in the screenshot. Then, remove the “Last
Updated” filter by clicking the “x” next to it..
To apply the filter criteria you need to escape the

focus of the filter, you can do that by clicking
somewhere in the screen.

5. In the incident list you will see the incidents that are
assigned to you for the workshop.
The incident that we are going to focus on for that
part is the incident called “Malicious Activity” with
ID-3572.
Looking at the incident entry, you can see multiple

identifiers that contribute to the understanding of
what the incident scope and alert types are.
Clicking on the ‘+’ sign will uncover the hosts\users

that are part of that incident.
Hovering over the product icons will show you which

alert sources took part in the incident.
6. From that point we are going to focus on this

incident (ID-3572), small advice to fully focus on the
incident, click on the arrow icon to fold the incident
list so the incident information page will be focused.

Step 2 - Incident Overview
1. In the incident overview tab you can find information that

helps in understanding of the incident.
Let’s see which parts are included in the screen and what is
the contribution of each part.
2. Focusing on the incident metadata and control pane you

will find which sources alerted, involved hosts, involved
users and wildfire hits, that’s for the metadata.
The control pane will provide actions such as: assigning

incidents to investigators, changing incident status and
more.
** the screenshot is taken from a privileged user session to
show the options
WildFire = Threat Intel and Sandbox service attached to

Palo Alto’s products to identify known threats.

3. In the MITRE mapping pane investigators can see which
tactics and techniques took place in the incident based on
the alerts that are part of the incident.
Before expanding the mapping tick the check box that says
‘Include Incident Insights’
Clicking on the technique will lead you to the ‘Alerts &

Insights’ tab with the appropriate filter.
4. In the timeline pane you can see important timestamps

from the incident life cycle:
Creation, Last alert and assign dates and times.

5. The bottom pane will include three parts:
- The Alerts and severities included in the incident
- The Alert sources
- Assets part of the incident - Hosts and Users

6. Navigating to the ‘Timeline’ tab will expose the chain of
events of the incident.
Clicking on the arrows icon will sort the timeline in

ascending\descending order.
Going through the incident timeline shows that the

incident created by an alert named ‘Malicious Activity’ on
host ‘pc1’
Following the timeline, it shows which alerts are raised on

which hosts, along with artifacts found by Cortex XDR as
part of the alert ( such as hash & IP).
7. Click on the ‘+’ sign next to the event that you are
interested in, this action will open a side window which
shows the alerts that this part is talking about
8. Click on the ‘Additional artifacts found’ and then click

on the HASH that is listed down there.
A small window will pop that window shows the verdict,

filename and verdict of the artifact.

Step 3 - Incident Scoping
1. Navigate to the ‘Key Assets & Artifacts’ tab, this tab

will show you the assets (hosts & users) along with the
artifacts that XDR managed to carve out of the alerts
that construct the incident.
2. In the Artifacts list you can see the executables and

ip addresses that took part in the incident, for each
artifact you can dig deeper and enrich your
investigation with more details.
This list can suggest what was the attack flow and
which executables contributed to the attack.
For example, the following three executables suggest

maybe of what happened:
- 7zFM.exe = archiving utility maybe used to
decompress an archive
- Procdump64.exe = sysinternals utility to
perform memory dumps for processes
- Schatsks.exe = windows utility to query and
manage the system scheduled tasks
3. Locate the artifact called ‘DogBark.exe’ and click

on the document icon next to the WildFire verdict.
This will open the sandbox report from wildfire for

that executable.

You can also download the report for your usage.
4. Going back to the same artifact and clicking on the

three dots icon at the end of the line will provide you
with further actions that XDR supports.
With investigator permissions there are more actions

that can be performed.
The screenshot is from a privileged user.

5. Locate the Assets list, in that list you can find the
hosts and users that XDR found related to the
incident, each asset is marked with the number of
alerts and the corresponding severity.
Clicking on the three dots icon will propose pivot

actions for the specific asset.

Step 4 - Incident Triaging
1. Navigate to the ‘Alerts & Insights’ tab, in this tab you can
find all the alerts and insights that XDR found as related to
the same activity and as a result they have been grouped to
the same incident.
2. The bottom of the screen will show the alerts and insights
in a table, click on the three dots icon in the top right of the
table to organize the screen based on your triaging
methodology.
Using this ordering capability you can:

1. Change the order of the columns
2. Reveal\hide columns
3. Lock columns so they won’t move

3. Order the table in the following way:
1. Timestamp - Locked
2. Alert id
3. Host
4. User name
5. Severity
6. Alert Source
7. Action
8. Category
9. Alert Name
10. Description
11. Initiated By
Your table view should match the screenshot
4. Click on the timestamp column header to sort the

timeline in a descending order.
Your top alert should be the latest and the last alert should
be the first alert grouped into the incident.

5. Everything is set up. Let's go through the alerts and see
what we can understand from scrolling the data.
Starting at the bottom we can see the incident starts with:
- Alert name - ‘Binary file being created to disk with a
double extension’
- Category - ‘File Type Obfuscation’
- Host - PC1
- Initiated by - 7zFM.exe
Clicking on the alert will open a side window that

aggregates the data that the alert includes.
Focusing on the File Event topic, where we can see that the
file created on the disk is
‘C:\Users\ccollier\AppData\Local\Temp\7zO401A0FD5\Avenge
rs Endgame Gag Reel.mp4.exe’
Great, now we know what file been dropped on the disk and
on which host

6. Following the alerts triggered shows that two alerts after
the one we just triaged there is a wildfire alert which
suggests malware detected on the host (Alert id = 5814).
Clicking on the alert and going through the data shows that
this alert pointing to the file we saw dropped to the disk
‘Avengers Endgame Gag Reel.mp4.exe’.
7. Scrolling through the alerts detected on PC1 we can

identify more interesting data such as:
- Activity similar to Quasar RAT
- FW alert tag traffic as Quasar
- Scheduled task created
- Credential Gathering alerts
- Mimikatz detections

- Large upload
8. At that point we know something is wrong for sure, let’s

try to triage more data and see how this malicious activity
spreads to other hosts in the network.
Navigate to Alert id 6183 at this point we can see the attack

shifts towards other hosts in the environment, that alert is
from PC2.
Looking at the alert metadata we can see another wildfire

detection for the same file we saw before but this time from
a different path ‘C:\Windows\Avengers Endgame Gag
Reel.mp4.exe’.

9. Focusing on alerts sourced from PC2 we can see Quasar
mentions again which suggest the same malicious activity is
now initiated from more hosts in the network, furthermore
looking at the user which triggered the alert we can see
now a different user - ‘DEMO-CORP\wsanchez’
When looking at the alerts we can see again shift in the host
which is confusing let’s use the right click option on the PC2
field and then click on “Show rows with ‘PC2’’
10. Now we can see that the filter on the alerts table is
applied and as a result only the alerts from ‘PC2’ are visible.
Clicking on the ‘Host = PC2’ icon will open the filter options
for your convenience.
Clicking on the trash can icon will remove the filter and as a
result all the alerts should be visible.

11. Focusing on the PC2 alerts shows a chain of events similar
to the activity from PC1, this time we can see at the top of
the list that the attacker tried to cover his tracks by clearing
the event logs on the host.

12. Clear the filter on the alerts table and now let’s focus on
the alert that is coming from PC3.
Opening the alert card for that alert shows interesting

information:
1. Alert source = NGFW

2. Alert name = ‘DarkComet.Gen Command And Control
Traffic’
3. Network connection towards 2.2.2.199
4. Username = ‘demo-corp\mrogers’
At this point few questions are raised, let’s try to answer two
of them:
1. Why do we only see one alert coming from PC3? Is
there an agent installed on that host?
2. This remote address looks familiar, where did I see it
before?
13. Going further with the triaging we can see more the
attack evolves on the network.
Those are the key findings you can triage just by scrolling
the alerts table:
1. The attack goes to another endpoint ‘WS-IT10’

2. On host ‘WS-IT10’ the alerts shows that Quasar is
named again
3. Another user credentials found at risk
‘DEMO-CORP\cshadwick’
4. On PC2 we can see that an attack called DCSync took
place

Step 5 - Causality\Execution Chain Investigation
1. Navigate to the ‘Executions tab’ in the incident view,

this window aggregates the execution chains that
triggered alerts on hosts.
The Causality View provides a powerful way to analyze

and respond to alerts. The scope of the Causality View is
the Causality Instance (CI) to which this alert pertains.
The Causality View presents the alert (generated by
Cortex XDR or sent to Cortex XDR from a supported
alert source such as the XDR agent) and includes the
entire process execution chain that led up to the alert.
On each node in the CI chain, Cortex XDR provides
information to help you understand what happened
around the alert.
2. Based on the information we triaged we know that

the malicious activity originated from host PC1, Let’s
expand the PC1 executions.
You will notice that there are multiple casualties on that

host that triggered alerts:
1. 7zFM.exe
2. Analytics alerts
Expand the 7zFM.exe execution chain and let’s analyze

it together.

3. In the new popup window, you can see the execution
chain along with the points that alert triggered at.
Before analyzing the context and actions let’s talk a bit

about what you are seeing in that popup window.
The window is divided into three main parts:

1. Visualization - the graphical presentation of the
execution chain, each node is a process that
spawned by a parent (the process its linked to in
the graphical presentation)
Using the ‘+’ and ‘-’ signs you can zoom in and out
to better see the chain.
2. Process Metadata - this is the dark blue part in

the middle that shows information such as the
hash of the process, the wildfire verdict, the
command line and more.
3. Events Table - The Events table displays up to

100,000 related events for the process node which
matches the alert criteria that were not triggered
in the alert table but are informational. The
Prevention Actions tab displays the actions Cortex
XDR takes on the endpoint based on the threat
type discovered by the agent.
You may encounter icons on top of process nodes,

hovering those icons will explain what they represent.

4. Clicking on the ‘7zFM.exe’ icon and looking at the
command line shows the process loaded a file from the
disk, further verification and checking the events table
shows the file is opened by the archive manager which
means we don’t have the root cause yet…
5. Click on the ‘Avengers Endgame Ga..’ icon and

navigate to ‘Alerts’, in this view you can see all the alerts
that this particular process caused in the incident.

6. Clicking on the firewall appliance icon will expose
details stitched with the firewall data, in our case you
can see few things:
- the rule name that approved a malicious
connection to ‘2.2.2.199’
- Focusing on the ‘connection data’ field you can
see the download\upload statistics
- Firewall version
- AppID
7. Look for ‘PsExec64.exe’ in the child processes of

‘cmd.exe’ and click it, in the command line of that
process we can see two things:
1. Attempt to perform lateral movement actions
2. The user’s username and password is known to
the attacker

Step 6 - Root Cause Analysis
From the actions performed till now, we can see that

the incident evolves over time and a big investigation
effort is needed. Focusing on the beginning of the
incident, we saw that an archive file was loaded using
7zFM.exe and then a malicious file was executed from
the archive.
I want us to focus now on finding the root cause \

infection vector of that threat because we see the file
on the disk, but how did he get there?
1. Navigate to the main menu → ‘Incident Response’ →

‘Query Builder’ → ‘XQL Search’

The query builder screen as its name, is a page to run
queries on the collected data, we are going to use the
XQL syntax.
To find the source of the archive file we will need to

search for all file activities that involve the file path
which is listed in the 7zFM.exe command line.
2. In the XQL query builder we are going to run the

following query:
config timeframe = 1Y
| dataset = xdr_data
| filter action_file_path =
"C:\Users\ccollier\AppData\Local\Temp\pid-6772\Ave
ngers Endgame Gag Reel.mp4.zip"
| fields event_type, event_sub_type ,
actor_process_image_name , action_file_path
This query will return file events on a file located at

‘C:\Users\ccollier\AppData\Local\Temp\pid-6772\Aveng
ers Endgame Gag Reel.mp4.zip’ and will show the
process and action that took place
3. Looking at the result, shows the process which

created the file on the disk, you should see
‘thunderbird.exe’ which suggests that this malicious
archive file entered the host via the mail client installed
on the host.
To better analyze the flow of events Right Click on the

first row that shows ‘FILE_CREATE_NEW’ in the

sub-type field → ‘Investigate Causality Chain’ → ‘Open
Card in new tab’

Step 7 - Exfiltration Analysis
1. Navigate to the ‘Alerts & Insights’ tab and locate the

alert with the alert source ‘Correlation’.
Correlation Rules help you analyze correlations of

multi-events from multiple sources by using the Cortex
Query Language (XQL) based engine for creating
scheduled rules called Correlation Rules. Alerts can then be
triggered based on these Correlation Rules with a defined
time frame and set schedule, including every X minutes,
once a day, once a week, or a custom time.
Focus on the correlation alert row and look to the right, you
will see quick actions icons which provide actions on the
alert.
Click on the ‘Investigate contributing events’ button
2. The pop window opened contains the event that triggers

the rule.
Looking at the event message we can see this is the

MSSQLServer saying a backup for the database occurred,
and the event details shows the amount of data taken,
where the backup file is saved, database name and more

3. In the contributing events window click the ‘Open
drilldown query’ button, this will open the XQL query
builder with a predefined query.
Change the query time frame to include a day before and a

day after and click ‘Run’
4. In the results table you can see more events from that
database, in our case you can see a login event from the
host “172.16.20.110” to the database prior to the backup.
Can you find which host is the host with that IP address in
that timeframe?

Activity 4 - XQL
Description
In this activity we are going to build and execute XQL queries while understanding the different language parts and usages.
For that part you can use the following documentation found in cortex-docs
- Get Started with XQL
- Stages Commands Reference
- Functions Reference
- Schema Overview
Step 1 - Getting to know XQL

1. Navigate to the main menu, locate the Quick Launcher

and type “/xql” and click enter, a popup component will
popup. click enter again and you should see an option to
open the xql query window.
You can bring up the Quick Launcher using the Ctrl-Shift+X

shortcut on Windows, CMD+Shift+X shortcut on macOS, or
by clicking the Quick Launch icon in the top navigation
menu.
For system pages start you query with ‘/’ character

2. In the opened screen you can find multiple components
that may help you through querying the data.
In the screenshot you can find few components:

1. Query writer - a component for writing the queries
and configuring the time frame
2. Query Results
3. XQL Helper - language quick explanations and tips
4. Query Library - library with multiple security related
queries
5. Schema - this tab will hold the dataset schema, when
you change the dataset in the query the schema tab
will present the schema for the written dataset (the
default dataset is xdr_data)
3. Write the following query ‘dataset = endpoints’ and

navigate to the schema tab, you can see there are 72 fields
in the dataset.

4. Remove the query from the editor and bring it back to
blank, the schema should be refreshed to the default with
higher number of fields
5. Write ‘dataset =‘ in the query writer and scroll through

the different datasets available in the system:
- Pan_dss_raw = dataset that holds the Active Directory
information in case the Cloud Identity Engine is
configured
- Agent_auditing = the agent audit logs
- Management_auditing = system audit logs
- host_inventory = dataset that hold inventory
information on hosts connected to XDR

Step 2 - Process Queries
1. Navigate to ‘Incident Response’ -> ‘Query Builder’ -> ‘XQL

Search’
2. Copy the following query to the query writer and click ‘Run’:
config timeframe = 1Y case_sensitive = false
| filter event_type = ENUM.PROCESS and agent_hostname
= "pc1"
| limit 100
While the query is running let’s break the query into the
stages it got, each stage is separated with a pipeline (|)
1. Config - this stage controls the query timeframe which

is set to 1 Year and the fact that this query won’t be a
case sensitive query
2. Dataset - stage to choose the dataset the query will run
upon
3. Filter - this stage is used in order to filter the query
based on the columns the dataset have
4. Limit - limits the amount of results that are coming
back
Important note: in the query’s filter stage you can see a field
called event_type followed by ENUM.PROCESS, the event
type field helps to choose which action collected by the agent

you want to query for and the ENUM values are predefined
values that the system offers, navigate through those.
3. In the query results table we can see that we are getting

back 100 results with multiple columns by default.
Let’s try to make the query results a bit more accurate with
the ‘fields’ stage.
4. Copy the query with the news ‘fields’ stage and run it:

| filter event_type = ENUM.PROCESS and agent_hostname
= "pc1"
| fields action_process_image_name as Process_name,
agent_hostname, action_process_username
| limit 100
Now we can see in the results only the columns that we

wanted to see.
5. After running basic process queries we want to level-up our

querying skills. Copy the following query and click Run

| filter event_type = ENUM.PROCESS and
(action_process_signature_status = ENUM.UNSIGNED or
action_process_signature_status = ENUM.SIGNED_INVALID)
| fields actor_process_image_name as ParentProcess,
action_process_image_name as ChildProcess,

action_process_signature_status as
ChildProcessSignatureStatus, agent_hostname
| dedup ChildProcess | limit 100
The following query will return all of the process execution
events where the process that has been executed is Unsigned
or the signature is invalid, the results will expose the parent &
child process along with the signature status.
6. Now let’s execute a query that will perform some statistical

operations on process execution data. Copy the following
query and click Run:

| filter event_type = ENUM.PROCESS and
action_process_image_path contains "temp"
| comp count() as TempPathExecutions by
action_process_username
| sort desc TempPathExecutions
In this query we introduce the comp stage.

The comp stage performs an aggregation function, such as
sum, min, or max, as well as an approximate aggregate
function, such as approx_count or approx_top.
In our example we used the count function to count the

number of times the user spawned a process from a temp
location.

Step 3 - File Queries

Search’
2. Copy the following query and click Run:

config timeframe = 3MO case_sensitive = false
| filter event_type = ENUM.FILE and event_sub_type =
ENUM.FILE_WRITE and action_file_extension = "exe"
| fields actor_process_image_name as CreatingProcess,
action_file_path as FilePath, actor_effective_username
This query will return files created on the system with an “exe”
extension in the last 3 months and will present the process
that created the file, the file path and the username.
3. Let’s explore the types of file actions XDR monitors, copy

the following query to the query builder:
dataset = xdr_data | filter event_type = ENUM.FILE and
event_sub_type = ENUM.FILE_
Looking at the events list that is opened we can see which file
activity XDR collects.

4. Now let’s use the file operations and the comp stage to do
some statistical analysis.
Copy the following query and click Run:

config timeframe = 1Y case_sensitive = false |
filter event_type = ENUM.FILE and event_sub_type =
ENUM.FILE_OPEN |
comp count() as FileReadPerEndpoint by agent_hostname
|
sort desc FileReadPerEndpoint
This query will count the amount of FILE_OPEN operations

the host performed in the past 1 year, that way we can see if a
machine is acting in a suspicious way

Step 4 - Network Queries

Search’
2. Before we dive a bit more to the data let’s run some

queries to get to know the NGFW activity and details:
config timeframe = 3mo | dataset =
panw_ngfw_traffic_raw | fields from_zone, bytes_sent |
comp count(bytes_sent) as TotalBytes by from_zone
This query will show you the total bytes that been sent from
each zone the firewall have

3. Now let’s find out how many IP addresses operated in the
zone ‘Internal’ in the past 3 months.
config timeframe = 3mo case_sensitive = false | dataset =
panw_ngfw_traffic_raw | filter from_zone = "Internal" |
fields source_ip | dedup source_ip
Looking at the results we can see which IP addresses and

subnets probably are part of that zone
4. Copy the following query and click Run:

config timeframe = 3mo case_sensitive = false | dataset =
panw_ngfw_traffic_raw | filter from_zone = "Internal" |
comp count(bytes_total) as TotalBytesPort by dest_port
This query will show you the total bytes of sessions in the
‘Internal’ zone grouped by destination port

Activity 5 - Check your knowledge
Description
In this activity you are going to access a questionnaire about Cortex XDR, the topics and data is covered in this workshop guide.
There are 3 forms with different types of questions based on your knowledge and job title:
- User A - Sr. Helpdesk, Jr. Security Analyst-tier 1, NOC/SOC analyst.
- User B - Security Analyst-tier 2+, Sr. NOC/SOC analyst
- User C - SOC/NOC Management, IT Management, IT director/Exec
Google Forms:
User A
User B
User C

Cortex XDR Handson Workshop Lab Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cortex XDR Handson Workshop Lab Guide

Uploaded by

Copyright:

Available Formats

XDR: Hands-On Workshop

Cortex by Palo Alt

Cortex by Palo Alto Networks | Hand On Workshop guide

PALO ALTO NETWORKS All rights reserved 2

Cortex by Palo Alto Networks | Hand On Workshop guide

Cortex by Palo Alto Networks | Hand On Workshop guide

Cortex by Palo Alto Networks | Hand On Workshop guide

Activity 1 - Accessing the workshop

Step 1 - Cortex Gateway

1. Open incognito window and navigate to -

Cortex by Palo Alto Networks | Hand On Workshop guide

3. In the Cortex Gateway click on the

Cortex by Palo Alto Networks | Hand On Workshop guide

Step 1 - Dashboard Navigation

1. By default, you will login to the Dashboard

In case the default page has changed you can

Cortex by Palo Alto Networks | Hand On Workshop guide

The dashboard widgets are clickable, and will lead

3. In the ‘Top Hosts’ widget click on one of the

Cortex by Palo Alto Networks | Hand On Workshop guide

5. Looking at the ‘Daily Consumption’ widget, we

Hovering on the visual parts of the widget will

Cortex by Palo Alto Networks | Hand On Workshop guide

Let’s choose the ‘Last 24H’ and click ‘Apply’

7. In the lower section you can see another type of

7a. Click on the three dots icon on the widget’s top

Cortex by Palo Alto Networks | Hand On Workshop guide

Cortex by Palo Alto Networks | Hand On Workshop guide

1. Using the main menu navigate to ‘Settings’ → ‘Cortex

Cortex by Palo Alto Networks | Hand On Workshop guide

Cortex XDR displays a tile with your Cortex XDR license

The license information will be changed according to the

Cortex by Palo Alto Networks | Hand On Workshop guide

Step Instructions Screenshots

1. Using the main menu navigate to ‘Settings’ →

Cortex by Palo Alto Networks | Hand On Workshop guide

Let’s see some of the functions that can be configured in

3. Navigate to ‘Server Settings’, in that screen you can

Cortex by Palo Alto Networks | Hand On Workshop guide

Now please navigate to ‘Threat Intelligence’ sub page

For example: if your organization uses VirusTotal \

Cortex by Palo Alto Networks | Hand On Workshop guide

Creating new keys is disabled In the tenant you are using.

In the “New Key” wizard screen you can control which

6. Navigate to ‘Data Collection > Collection

Each available integration can be onboarded using the

Cortex by Palo Alto Networks | Hand On Workshop guide

1. Using the main menu navigate to ‘Settings’ →

2. In the Management Audit Logs view all the audit

Looking at the columns shows that you can filter the

Cortex by Palo Alto Networks | Hand On Workshop guide

4. In the results you can see multiple events generated

Cortex by Palo Alto Networks | Hand On Workshop guide

1. Using the main menu navigate to ‘Settings’ → ‘Agent

2. In the opened window you can trace agent audit

Cortex by Palo Alto Networks | Hand On Workshop guide

4. Looking at the events shows multiple ‘XDR Service Stop’

Cortex by Palo Alto Networks | Hand On Workshop guide

To expose those alerts click on the three dots icon on the

Cortex by Palo Alto Networks | Hand On Workshop guide

Cortex by Palo Alto Networks | Hand On Workshop guide

1. Using the main menu navigate to ‘Incident

This window aggregates the security incidents which