PCDRA Study Guide
Domain 3 Investigation
3.1 Identify the investigation capabilities of Cortex XDR
3.1.1 Describe how to navigate the console
3.1.2 Identify the remote terminal options
Domain 4 Remediation
4.1 Describe basic remediation
4.1.1 Describe how to navigate the remediation suggestions
4.1.2 Distinguish between automatic vs. manual remediations
4.1.3 Summarize how/when to run a script
4.1.4 Describe how to fix false positives
4.1.5 References
4.1.6 Sample Questions
4.2 Define examples of remediation
4.2.1 Define ransomware
Domain 6 Reporting
6.1 Identify the reporting capabilities of XDR
6.1.1 Leverage reporting tools
6.1.2 References
Overview
The PCDRA program is a formal, third-party-proctored certification. Success on the PCDRA exam shows
that you possess the in-depth skills and knowledge to develop playbooks, manage incidents, create
automations and integrations, and demonstrate the highest standard of deployment methodology and
operational best practices associated with Palo Alto Networks Cortex® XDR™. The exam is not intended
to trick you with its questions or to test obscure detail. However, a nuanced understanding, and the
ability gained through significant experience to make subtle technical distinctions, will help you make
better answer choices.
Exam Format
The test format is 60 multiple-choice items. Candidates will have five minutes to complete the
non-disclosure agreement (NDA), 80 minutes (1 hour, 20 minutes) to complete the questions, and five
minutes to complete a survey at the end of the exam.
The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in the
following table.
Investigation 20%
Remediation 15%
Threat Hunting 10%
Reporting 10%
Architecture 15%
Total 100%
Preparation Resources
This document is a compilation of key resources to guide exam preparation. These resources cover the
material designated by the exam objectives. To study efficiently, focus on the suggested topics listed for
each resource. Be sure that you have a clear and complete understanding of these topics before taking
the exam.
The terms “malware” and “exploit” are frequently used interchangeably and can be easily confused.
They are not, however, synonymous and have several distinct differences.
Malware
Malware refers to a file, program, or string of code used for malicious activity, such as damaging devices
and stealing sensitive data.
● It is typically delivered over a network, but it can also be delivered via physical media, and it is
classified according to the payload or malicious action it performs.
● Malware is classified as worms, Trojans, botnets, spyware, and viruses. Although each malware
strain behaves differently, worms are most associated with automated spreading behavior.
● Malware can be delivered via a variety of mediums, including email, social media, and instant
messaging.
We’ve seen multiple cases of compromises in the “software supply chain,” which delivers trusted
software and updates to our systems for execution; and the impact of those compromises has continued
to escalate. Rather than targeting an organization directly through phishing or exploitation of
vulnerabilities, the attackers chose to compromise software developers directly and use the trust we
place in them to access other networks.
Attacks on software supply chains remind us how critical it is to build a well-defended network with
visibility at every stage of the attack lifecycle, as well as the ability to detect and stop activity that is out
of the ordinary.
1.1.4 Outline ransomware threats
Ransomware is a criminal business model that employs malicious software to encrypt valuable files,
data, or information and then demands a ransom in exchange for restoring access. Victims of ransomware
attacks may have their operations severely harmed or completely shut down.
Ransomware:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTLCA0
1.1.6 Sample Questions
1. Which of the following is not considered malware?
a. virus
b. worm
c. cookies
d. spyware
e. Trojan
The analytics engine can alert on any of the following attack tactics as defined by the MITRE ATT&CK
knowledge base of tactics.
Execution - After attackers gain a foothold in your network, they can use various techniques to execute
malicious code on a local or remote endpoint. The Cortex XDR app detects malware and grayware on your
network using a combination of network activity, Pathfinder data collector for your unmanaged endpoints,
endpoint data from your Cortex XDR agents, and evaluation of suspicious files using the WildFire® cloud
service.
Persistence - To carry out a malicious action, an attacker can try techniques that maintain access in a
network or on an endpoint. An attacker can initiate configuration changes—such as a system restart or
failure—that require the endpoint to restart a remote access tool or open a backdoor that allows the
attacker to regain access on the endpoint.
Discovery - After an attacker has access to a part of your network, they use discovery techniques to
explore and identify subnets and discover servers and the services that are hosted on those endpoints.
The app detects attacks that use this tactic by looking for symptoms in your internal network traffic such
as increased rates of connections, failed connections, and port scans.
Lateral Movement - To expand the footprint inside your network, an attacker uses lateral-movement
techniques to obtain credentials to gain additional access to more data in the network. The analytics
engine detects attacks during this phase by examining administrative operations, file-share access, and
user-credential usage that is beyond the norm for your network.
Command and Control - The command-and-control tactic allows an attacker to remotely issue commands
to an endpoint and receive information from it. The analytics engine identifies intruders using this tactic
by looking for anomalies in
During this stage of the process, the rules of engagement are laid out. This includes:
● Sensor/analytic and defensive capabilities to be tested
● Common adversary behavior to be used
● Rough plan with sequences of actions suggested to verify defensive capabilities
The goal of this scenario is to provide a framework in which the red and blue teams can operate. It
defines the overall goals and plan for the exercise but also leaves room for flexibility and adaptation if
needed.
Step 5: Emulate threat
At this point in the process, the exercise is ready to begin. Based upon the scenarios and framework laid
out in the previous step, the red team begins their assessment of the security of the system under test.
This stage of the process uses the analytics developed earlier. Ideally, the behavioral analytics should be
capable of detecting the attacker activity and narrowing down the list of potentially compromised
machines. From there, the other analytics should enable the blue team to identify the malicious activity.
1.2.4 References
Attack Tactics:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/analytics/analytics-concepts
1.2.5 Sample Questions
1. Which MITRE ATT&CK tactic is being used if the adversary is attempting to communicate with
compromised systems to control them?
a. Exfiltration
b. Command and Control
c. Execution
d. Persistence
e. Lateral Movement
2. Which MITRE ATT&CK tactic is being used if the adversary is trying to run malicious code?
a. Exfiltration
b. Command and Control
c. Execution
Threat
A threat is a possible security violation that could exploit a vulnerability of a system or asset. A threat
can arise from any condition, for example an accident, a fire, an environmental event (such as a natural
disaster), or human negligence. The following are types of threats:
● Interruption - An asset of the system becomes lost, unavailable, or unusable.
● Interception - An unauthorized party has gained access to an asset.
● Fabrication - An unauthorized party inserts spurious transactions into a network communication
system or adds records to an existing database.
● Modification - An unauthorized party not only accesses but tampers with an asset.
Attack
An attack is a deliberate unauthorized action against a system or asset. An attack is always motivated by
an intent to misuse the system and generally waits for an opportunity to occur.
The following are some key distinctions between threats and attacks.
When you identify a threat, you can define specific rules for Cortex® XDR™ to raise alerts. You can
define the following rules:
Correlation Rules
Correlation rules let you analyze correlations of multiple events from multiple sources by using the
Cortex XDR XQL-based engine to create scheduled rules, called Correlation Rules.
1.3.3 Identify legitimate threats (true positives) vs. illegitimate threats (false
positives)
True positives
A legitimate attack that produces an alarm. For example, you have a brute-force alert, and it triggers. You
investigate the alert and find out that somebody was indeed trying to break into one of your systems via
brute force methods.
False positives
An event that produces an alarm when no attack has taken place. For example, you investigate another
of these brute-force alerts and find out that it was just some user who mistyped their password multiple
times, not a real attack.
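The brute-force example above is the classic case where the alert alone cannot tell you which side of the line you are on; the surrounding authentication events can. The following is an added example (not from the study guide and not Cortex XDR logic) that runs a triage heuristic over constructed authentication log lines and labels each source as a true positive, a false positive, or no alert. The log format, the three scenarios, and the thresholds (three failures to fire, three distinct accounts to call it a spray, at most twice the threshold for a "mistyped password" pattern) are all assumptions made for illustration.

```python
"""Triage helper for brute-force alerts: true positive or false positive?

Added example for this section of the study guide; it is not Cortex XDR
code and the thresholds are illustrative assumptions. It runs over
constructed authentication log lines of the form
'<ISO timestamp> <user> <source IP> <FAIL|SUCCESS>'.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data), three sources:
#   10.0.0.15    alice mistypes her password four times, then logs in
#   198.51.100.7 one source fails against six different accounts (spray)
#   203.0.113.9  seven failures on 'bob', then a success (likely compromise)
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.15 FAIL
2024-03-01T08:00:05 alice 10.0.0.15 FAIL
2024-03-01T08:00:09 alice 10.0.0.15 FAIL
2024-03-01T08:00:14 alice 10.0.0.15 FAIL
2024-03-01T08:00:20 alice 10.0.0.15 SUCCESS
2024-03-01T08:01:00 admin 198.51.100.7 FAIL
2024-03-01T08:01:01 root 198.51.100.7 FAIL
2024-03-01T08:01:02 bob 198.51.100.7 FAIL
2024-03-01T08:01:03 carol 198.51.100.7 FAIL
2024-03-01T08:01:04 dave 198.51.100.7 FAIL
2024-03-01T08:01:05 erin 198.51.100.7 FAIL
2024-03-01T08:02:00 bob 203.0.113.9 FAIL
2024-03-01T08:02:02 bob 203.0.113.9 FAIL
2024-03-01T08:02:04 bob 203.0.113.9 FAIL
2024-03-01T08:02:06 bob 203.0.113.9 FAIL
2024-03-01T08:02:08 bob 203.0.113.9 FAIL
2024-03-01T08:02:10 bob 203.0.113.9 FAIL
2024-03-01T08:02:12 bob 203.0.113.9 FAIL
2024-03-01T08:02:14 bob 203.0.113.9 SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse(log: str) -> list[Attempt]:
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), user, src,
                                result == "SUCCESS"))
    return attempts


def triage(attempts: list[Attempt], fail_threshold: int = 3,
           spray_accounts: int = 3) -> dict[str, str]:
    """Verdict per source IP: 'no_alert', 'false_positive' or 'true_positive'.

    Heuristics (assumptions, not product logic): below fail_threshold
    failures nothing fires; failures spread over spray_accounts or more
    accounts is a password spray; one account, at most 2x the threshold
    of failures, then that account succeeding from the same source looks
    like a mistyped password; everything else is treated as an attack.
    """
    by_src: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    verdicts = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a.ts)
        fails = [a for a in rows if not a.ok]
        if len(fails) < fail_threshold:
            verdicts[src] = "no_alert"
            continue
        targeted = {a.user for a in fails}
        last = rows[-1]
        typo_pattern = (len(targeted) == 1 and last.ok
                        and last.user in targeted
                        and len(fails) <= 2 * fail_threshold)
        if len(targeted) >= spray_accounts:
            verdicts[src] = "true_positive"
        elif typo_pattern:
            verdicts[src] = "false_positive"
        else:
            verdicts[src] = "true_positive"
    return verdicts


def triage_sample() -> dict[str, str]:
    return triage(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for src, verdict in triage_sample().items():
        print(f"{src:15} {verdict}")
```

The point of the third scenario is that "the user eventually logged in" is not by itself evidence of a false positive; a long run of failures followed by a success from the same source is exactly what a successful brute force looks like, so the heuristic only accepts the mistyped-password explanation when the failure count stays small.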
Cortex XDR vulnerability assessment enables you to identify and quantify the security vulnerabilities on
an endpoint in Cortex XDR. Relying on the information from Cortex XDR, you can easily mitigate and
patch these vulnerabilities on all endpoints in your organization.
To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves
the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and
metrics. You can use Cortex XDR to evaluate the extent and severity of each CVE in your network, gain
full visibility into the risks to which each endpoint is exposed, and assess the vulnerability status of an
installed application in your network.
1.3.5 References
Vulnerability:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened
-endpoint-security/vulnerability-management
1.3.6 Sample Questions
1. Which statement does not describe an attack?
a. An attacker has a motive and plans the attack accordingly.
b. The chance of damage or information alteration varies from low to very high.
c. An attack cannot be prevented by controlling the vulnerabilities.
d. It is always malicious.
2. You notice that a hardware device is damaged and important data files have been completely
erased from the system. What kind of threat appears to be present here?
a. Interruption
b. Interception
c. Fabrication
d. Modification
Ransomware is a family of malware that attempts to encrypt files on end-user computers and then
demands some form of e-payment to recover the encrypted files. Ransomware is one of the more
common threats in the modern threat landscape.
Prevention:
Step 1: Reduce the attack surface
● Gain full visibility and block unknown traffic.
● Enforce application- and user-based controls.
● Block all dangerous file types.
● Implement an endpoint policy aligned to risk.
By default, all external USB devices are allowed to connect to your Cortex XDR endpoints. To prevent
USB-connected removable devices—such as disk drives, CD-ROM drives, floppy disk drives, and other
portable devices—that can contain malicious files from connecting to endpoints, Cortex XDR provides
device control.
Configuration Profile - Allow or block these USB-connected device type groups:
● Disk Drives
● CD-ROM Drives
● Floppy Disk Drives
● (Windows only) Windows Portable Devices
Device Configuration and Device Exceptions profiles are set for each operating system separately. After
you configure a device control profile, apply device control profiles to your endpoints.
2.1.3 References
Ransomware:
https://www.paloaltonetworks.com/cyberpedia/ransomware-prevention-what-your-security-architectur
e-must-do
Device Control:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened
-endpoint-security/device-control.html
In environments where agents communicate with the Cortex XDR server through a system-wide proxy,
you can now set an application-specific proxy for the Traps and Cortex XDR agent without affecting the
communication of other applications on the endpoint. You can set the proxy in one of three ways: during
the agent installation, after installation using Cytool on the endpoint, or from endpoints management in
Cortex XDR as described in this topic. You can assign up to five different proxy servers per agent. The
proxy server that the agent uses is selected randomly and with equal probability. If the communication
between the agent and the Cortex XDR server through the app-specific proxies fails, the agent resumes
communication through the system-wide proxy defined on the endpoint. If that fails as well, the agent
resumes communication with Cortex XDR directly.
Step 1: From Cortex XDR, select Endpoints > Endpoint Management > Endpoint Administration.
● Select the row of the endpoint for which you want to set a proxy.
● Right-click the endpoint and select Endpoint Control > Set Endpoint Proxy.
● You can assign up to five different proxies per agent. For each proxy, enter the IP address and
port number. For Cortex XDR agents 7.2.1 and later, you can also configure the proxy by entering
the FQDN and port number. When you enter the FQDN, you can use either all lowercase letters
or all uppercase letters. Avoid using special characters or spaces.
For example: my.network.name:808,YOUR.NETWORK.COM:888,10.196.20.244:8080.
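The proxy list format and the fallback order above are easy to get subtly wrong (a mixed-case FQDN, a stray space after a comma, a sixth entry). The following is an added example, not Palo Alto Networks code, that validates a proxy string against exactly the rules stated in this section and models the documented connection order. Two things are assumptions of mine rather than statements on the page: hyphens are accepted inside FQDN labels, and because the page does not say whether the agent retries the remaining app-specific proxies before falling back, the model tries only the one it picked at random.

```python
"""Validator for the Cortex XDR agent proxy list and its fallback order.

Added example, not Palo Alto Networks code. It encodes only the rules the
study guide states: up to five proxies per agent, each as 'host:port';
host is an IPv4 address or (agents 7.2.1 and later) an FQDN written all
lowercase or all uppercase, with no spaces or special characters. The
assumption that hyphens are acceptable inside FQDN labels is mine.
"""
import ipaddress
import random
import re

MAX_PROXIES = 5
# Hostname: dot-separated labels of letters, digits and hyphens (assumption).
_FQDN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def parse_proxy_list(text: str, fqdn_supported: bool = True) -> list[tuple[str, int]]:
    """Parse 'host:port,host:port,...' as entered in Set Endpoint Proxy.

    Raises ValueError on any violation of the documented rules.
    fqdn_supported=False models an agent older than 7.2.1 (IP only).
    """
    entries = text.split(",")
    if len(entries) > MAX_PROXIES:
        raise ValueError(f"at most {MAX_PROXIES} proxies per agent, got {len(entries)}")
    proxies = []
    for entry in entries:
        if not entry or " " in entry:
            raise ValueError(f"empty entry or spaces not allowed: {entry!r}")
        host, sep, port_text = entry.rpartition(":")   # IPv4/FQDN only, no IPv6
        if not sep or not port_text.isdigit():
            raise ValueError(f"expected host:port, got {entry!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        try:
            ipaddress.IPv4Address(host)
        except ipaddress.AddressValueError:
            # Not an IPv4 address, so it must be an acceptable FQDN.
            if not fqdn_supported:
                raise ValueError(f"FQDN proxies need agent 7.2.1 or later: {host!r}")
            if not _FQDN.match(host):
                raise ValueError(f"invalid FQDN: {host!r}")
            if host != host.lower() and host != host.upper():
                raise ValueError(f"FQDN must be all lowercase or all uppercase: {host!r}")
        proxies.append((host, port))
    return proxies


def is_valid_proxy_list(text: str, fqdn_supported: bool = True) -> bool:
    try:
        parse_proxy_list(text, fqdn_supported)
        return True
    except ValueError:
        return False


def connection_order(app_proxies, system_proxy=None, rng=random):
    """Order in which the agent tries to reach Cortex XDR, per the guide:
    one app-specific proxy chosen uniformly at random, then the system-wide
    proxy (if the endpoint has one), then a direct connection. Whether the
    other app-specific proxies are retried first is not stated, so this
    model tries only the chosen one (assumption)."""
    order = []
    if app_proxies:
        order.append(("app-proxy", rng.choice(app_proxies)))
    if system_proxy is not None:
        order.append(("system-proxy", system_proxy))
    order.append(("direct", None))
    return order


if __name__ == "__main__":
    proxies = parse_proxy_list("my.network.name:808,YOUR.NETWORK.COM:888,10.196.20.244:8080")
    for stage, target in connection_order(proxies, system_proxy=("proxy.corp.example", 3128)):
        print(stage, target)
```

Note the security consequence of the last fallback step: if every configured proxy is unreachable the agent goes direct, so an egress policy that only permits the proxies will silently break agent check-in rather than fail over.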
The attackers research, identify, and select targets that will allow them to meet their objectives.
Attackers gather information through publicly available sources, such as Twitter, LinkedIn, and corporate
websites. They will also scan for vulnerabilities that can be exploited within the target network, services,
and applications, mapping out areas where they can take advantage. At this stage, attackers are looking
for weaknesses from the human and systems perspective.
Cortex XDR provides a multimethod protection solution with exploit protection modules that target
software vulnerabilities in processes that open non-executable files and malware-protection modules
that examine executable files, DLLs, and macros for malicious signatures and behavior. Using this
multimethod approach, the Cortex XDR solution can prevent all types of attacks, whether they are
known or unknown threats.
Phishing is the act of sending fraudulent communications that appear to be from a reputable source. It is
usually done via email. The intention is to steal sensitive data such as credit card and login information,
or to install malware on the victim's machine. Phishing is a common type of cyberattack that everyone
should be aware of in order to stay safe.
Attackers determine which methods to use to deliver malicious payloads. Some of the methods they
might use are automated tools such as exploit kits, spear-phishing attacks with malicious links or
attachments, and malvertising.
Exploit
An exploit is a piece of code or program that takes advantage of a weakness in an application or system.
Exploits can lead to behavior such as arbitrary code execution, privilege escalation, denial of service, or
data exposure.
● Exploits may be categorized into known and unknown (i.e., zero-day) exploits.
● Zero-day exploits generally present a significant threat to an organization as they take advantage
of unreported vulnerabilities for which no software patch is available.
● At times, adversaries may attempt to exploit vulnerabilities via collections or kits hidden on
invisible landing pages or hosted on advertisement networks.
● If a victim lands on one of these sites, the exploit kit will automatically scan their computer to
find out the operating system the computer is using, and the kit will use the appropriate exploit
code and attempt to install and execute malware.
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to
systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network,
Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability
Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to
exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers
from all known critical-, high-, and medium-severity threats. You can also create exceptions, which allow
you to change the response to a specific signature.
2.2.6 References
Endpoint Protection:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-
security-concepts/about-cortex-xdr-protection
With behavioral threat protection, the agent continuously monitors endpoint activity to identify and
analyze chains of events—known as causality chains. This enables the agent to detect malicious activity
in the chain that could otherwise appear legitimate if inspected individually. A causality chain can include
any sequence of network, process, file, and registry activities on the endpoint. Behavioral threat
protection can also identify behavior related to vulnerable drivers on Windows endpoints. For more
information on data collection for behavioral threat protection, see Endpoint Data Collected by Cortex
XDR.
Step 2: Define whether to quarantine the CGO when the Cortex XDR agent detects a malicious event
chain.
● Enabled—Quarantine the CGO if the file is not signed by a highly trusted signer. When the CGO
is signed by a highly trusted signer, or is one of powershell.exe, wscript.exe, cscript.exe, mshta.exe,
excel.exe, word.exe or powerpoint.exe, the Cortex XDR agent parses the command-line
arguments and instead quarantines any scripts or files called by the CGO.
● Disabled (default)—Do not quarantine the CGO of an event chain nor any scripts or files called by
the CGO.
Step 4: (Optional) Add to your allow list any files that you do not want the Cortex XDR agent to terminate
when a malicious causality chain is detected. The allow list does not apply to vulnerable drivers.
● +Add a file path.
● Enter the file path you want to exclude from evaluation. Use ? to match a single character or * to
match any string of characters.
● Click the check mark to confirm the file path.
● Repeat the process to add any additional file paths to your allow list.
2.3.2 Identify the profiles that must be configured for malware prevention
Attackers always look for quick ways to steal data. Using readily available automated tools and advanced
techniques, they can do so with ease, leaving your traditional network defenses ineffective. Malware is
designed to spread quickly, create havoc, and affect as many machines as possible. To protect your
organization against such threats, you need a holistic, enterprise-wide malware protection strategy.
You create only the illusion of security if you rely solely on perimeter security, such as firewalls,
intrusion-prevention systems, and URL filtering, or if you focus only on endpoint security, such as
antivirus, anti-spam, and malware analysis. With the ever-increasing attack surface and the growing
prevalence of automated, sophisticated, and volumetric attacks, you need a platform approach built for
Anti-Spyware Profiles - Anti-Spyware profiles block spyware on compromised hosts from trying to phone
home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious
traffic leaving the network from infected clients.
Vulnerability Protection Profiles - Vulnerability Protection profiles stop attempts to exploit system flaws
or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic
leaves the network, Vulnerability Protection profiles protect against threats entering the network.
URL Filtering Profiles - URL Filtering profiles enable you to monitor and control how users access the
web over HTTP and HTTPS.
Data Filtering Profiles - Data filtering profiles prevent sensitive information such as credit card or Social
Security numbers from leaving a protected network. A Data Filtering profile also allows you to filter by
key words, such as a sensitive project name or the word confidential.
File Blocking Profiles - The firewall uses File Blocking profiles to block specified file types over specified
applications and in the specified session flow direction (inbound/outbound/both).
WildFire Analysis Profiles - Use a WildFire Analysis profile to enable the firewall to forward unknown
files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application,
file type, and transmission direction (upload or download).
DoS Protection Profiles - DoS Protection profiles provide detailed control for denial of service (DoS)
protection policies. DoS policies allow you to control the number of sessions between interfaces, zones,
addresses, and countries based on aggregate sessions or source and/or destination IP addresses.
Zone Protection Profiles - Zone Protection profiles provide additional protection between specific
network zones in order to protect the zones against attack. The profile must be applied to the entire
zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the
normal traffic traversing the zones.
2.3.3 Outline malware protection flow
The Cortex XDR agent provides malware protection in a series of four evaluation phases:
A hash exception enables you to override the verdict for a specific file without affecting the settings in
your Malware Security profile. The hash exception policy is evaluated first and takes precedence over all
other methods to determine the hash verdict.
For example, you may want to configure a hash exception for any of the following situations:
● You want to block a file that has a benign verdict.
● You want to allow a file that has a malware verdict to run. In general, Palo Alto Networks
recommends that you only override the verdict for malware after you use available threat
intelligence resources—such as WildFire and AutoFocus—to determine that the file is not
malicious.
● You want to specify a verdict for a file that has not yet received an official WildFire verdict.
After you configure a hash exception, Cortex XDR distributes it at the next heartbeat communication
with any endpoints that have previously opened the file.
When a file launches on the endpoint, the Cortex XDR agent first evaluates any relevant hash exception
for the file. The hash exception specifies whether to treat the file as malware. If the file is assigned a
benign verdict, the Cortex XDR agent permits it to open.
If a hash exception is not configured for the file, the Cortex XDR agent next evaluates the verdict to
determine the likelihood of malware.
2.3.5 Identify the use of malware prevention modules (MPMs)
In a ransomware attack, typically the attacker uses DLLs, macros, shell scripts, and other methods to
encrypt important data and holds the data hostage until the user pays a ransom to unlock the data. To
combat these attacks, Traps detects the behavior and prevents the ransomware from encrypting and
holding files hostage.
Like other MPMs, this module can be configured to operate in either notification or prevention mode.
In prevention mode, Traps blocks the process exhibiting ransomware behavior. In notification mode,
Traps logs a security event for each process at most once per minute: if the same process exhibits
ransomware behavior again within a minute of the first attempt, Traps ignores the event. This prevents
the Traps agent from logging and reporting an excessive number of events.
By enforcing the signature level, you can prevent attackers from leveraging a logical vulnerability in an
existing process to bypass the OS verification of the signature level. You can also choose to allow child
processes to run if they match (or exceed) the signature level of the parent process, or you can block all
child processes regardless of digital signature.
2.3.6 References
Security Profiles:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-profiles
2. At what phase in the malware protection flow does the Cortex XDR agent observe the file's
behavior and apply additional malware protection rules?
a. Evaluation of Child Process Protection Policy
b. Evaluation of the Restriction Policy
c. Hash Verdict Determination
d. Evaluation of Malware Security Policy
In a typical attack scenario, an attacker attempts to gain control of a system by first corrupting or
bypassing memory allocation or handlers. Using memory-corruption techniques, such as buffer
overflows and heap corruption, an attacker can trigger a bug in software or exploit a vulnerability in a
process. The attacker must then manipulate a program to run code provided or specified by the attacker
while evading detection.
If the attacker gains access to the operating system, the attacker can then upload malware, such as
Trojan horses (programs that contain malicious executable files), or can otherwise use the system to
their advantage. The Cortex XDR agent prevents such exploit attempts by employing roadblocks—or
traps—at each stage of an exploitation attempt.
By default, your Exploit Security profile protects endpoints from attack techniques that target specific
processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks
researchers determine are susceptible to attack.
The default Endpoint Security policy protects the most vulnerable and most commonly used
applications, but you can also add other third-party and proprietary applications to the list of protected
processes.
2.4.3 Characterize the differences between application protection and kernel
protection
Application Protection:
Application security is the process of creating, integrating, and testing security features within
applications to protect against threats such as unauthorized access and modification.
Kernel Protection:
Application security is typically coded in the application. In kernel security, we are investigating
mechanisms to implement application security in an operating system kernel.
The mechanisms are designed with the goal of providing authorization properties, which drives the
design of permissions and protection mechanisms. The resulting system is dynamic, allowing a
program’s set of permissions to evolve during program execution. Because the protection mechanism is
enforced by the kernel rather than by each application, users and applications need little awareness
of it.
2.4.4 References
Exploit Protection:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-
security-concepts/analysis-and-protection-flow
The analytics engine for Cortex XDR retrieves logs from Cortex Data Lake to understand the normal
behavior (create a baseline) so that it can raise alerts when abnormal activity occurs. This analysis is
highly sophisticated and performed on more than a thousand dimensions of data. Internally, the Cortex
XDR app organizes its analytics activity into algorithms called detectors. Each detector is responsible for
raising an alert when it detects worrisome behavior.
To raise alerts, each detector compares the recent past behavior to the expected baseline by examining
the data found in your logs. A certain amount of log file time is required to establish a baseline, and then
a certain amount of recent log file time is required to identify what is currently happening in your
environment.
There are several meaningful time intervals for Cortex XDR Analytics detectors:
The Cortex XDR app uses an analytics engine to examine logs and data from your sensors. The analytics
engine retrieves logs from Cortex Data Lake to understand the normal behavior (create a baseline) so
that it can raise alerts when abnormal activity occurs. The analytics engine accesses your logs as they are
streamed to Cortex Data Lake and analyzes the data as soon as it arrives. Cortex XDR raises an Analytics
alert when the analytics engine determines an anomaly.
The analytics engine is built to process—in parallel—large amounts of data stored in Cortex Data Lake.
The ultimate goal is to learn normal behavior so that the Cortex apps can recognize abnormal behavior
and raise alerts to notify you of it. The analytics engine can examine traffic and data from a variety of
sources such as network activity from firewall logs, VPN logs (from Prisma Access from the Panorama
plugin), endpoint activity data (on Windows endpoints), Active Directory, or a combination of those
sources, to identify endpoints and users on your network. After endpoints and users are identified, the
analytics engine collects relevant details about every asset that it sees based on the information it
obtains from the logs. The analytics engine can detect threats from only network data or only endpoint
data, but for more context when investigating an alert, a combination of data sources is recommended.
The list of what the engine looks for is large, varied, and constantly growing, but as a consequence of this
analysis, the analytics engine is able to build profiles about every endpoint and user it knows about.
Profiles allow the engine to put the activity of the endpoint or user in context by comparing it against
similar endpoints or users. The analytics engine creates and maintains a very large number of profile
types, but generally, they can all be placed into three categories:
● Peer Group Profiles—A statistical analysis of an entity or an entity relation that compares
activities from multiple entities in a peer group. For example, a domain might have a
cross-organization popularity profile or per-peer-group popularity profile.
● Temporal Profiles—A statistical analysis of an entity or an entity relation that compares the same
entity to itself over time. For example, a host might have a profile for how many ports it
accessed in the past.
● Entity classification—A model detecting the role of an entity. For example, users can be classified
as service accounts and hosts as domain controllers.
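The difference between a temporal profile and a peer-group profile is easiest to see on one attribute with both comparisons side by side. The following is an added example (not Cortex XDR's detector implementation) that profiles "distinct destination ports contacted per day" for a handful of hosts. The history, the role assignments standing in for entity classification, today's observations, and the thresholds (z-score above 3; at least 7 days of history before a temporal baseline exists) are all constructed assumptions. It also shows why the two categories complement each other: a brand-new host has no temporal baseline but can still be judged against its peers, while a host that is the only member of its group has no peers and can only be judged against itself.

```python
"""Temporal vs. peer-group profiling of one endpoint attribute.

Added example to illustrate the two statistical profile categories the
guide describes; it is not Cortex XDR's detector implementation. The
attribute profiled is 'distinct destination ports contacted per day',
the history is constructed, and the thresholds (z-score above 3, at
least 7 days of history for a temporal baseline) are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history per host (ws-04 is new: only 2 days).
HISTORY = {
    "ws-01": [5, 6, 5, 7, 6, 5, 6, 5, 6, 7, 5, 6, 5, 6],
    "ws-02": [4, 5, 5, 4, 6, 5, 5, 4, 5, 5, 6, 4, 5, 5],
    "ws-03": [6, 5, 6, 6, 5, 7, 6, 5, 6, 6, 5, 6, 6, 5],
    "ws-04": [30, 31],
    "srv-db": [40, 42, 41, 39, 43, 40, 41, 42, 40, 41, 39, 42, 40, 41],
}
# Stand-in for entity classification output (role per host), constructed.
PEER_GROUP = {"ws-01": "workstation", "ws-02": "workstation",
              "ws-03": "workstation", "ws-04": "workstation",
              "srv-db": "server"}
# Constructed observation for the current day.
TODAY = {"ws-01": 48, "ws-02": 5, "ws-03": 6, "ws-04": 32, "srv-db": 41}

MIN_HISTORY_DAYS = 7
Z_THRESHOLD = 3.0


def zscore(value: float, baseline: list) -> float:
    """Standard score of value against the baseline samples."""
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def temporal_anomalies(history, today, threshold=Z_THRESHOLD):
    """Temporal profile: each host compared with its own past. Hosts with
    too little history cannot be baselined and are skipped."""
    flagged = {}
    for host, value in today.items():
        past = history.get(host, [])
        if len(past) < MIN_HISTORY_DAYS:
            continue
        z = zscore(value, past)
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


def peer_group_anomalies(history, peer_group, today, threshold=Z_THRESHOLD):
    """Peer-group profile: each host compared with the pooled history of
    the *other* members of its group. A new host can be evaluated this way
    despite having no temporal baseline; a host that is the only member
    of its group cannot."""
    pools = defaultdict(list)
    for host, past in history.items():
        pools[peer_group[host]].append((host, past))
    flagged = {}
    for host, value in today.items():
        peers = [v for h, past in pools[peer_group[host]] if h != host for v in past]
        if not peers:
            continue
        z = zscore(value, peers)
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print("temporal  :", temporal_anomalies(HISTORY, TODAY))
    print("peer group:", peer_group_anomalies(HISTORY, PEER_GROUP, TODAY))
```

With this data ws-01 is flagged by both profiles (48 ports against a baseline around 6), ws-04 is flagged only by the peer-group profile (no temporal baseline yet), and srv-db is never compared with workstations because the role classification puts it in a group of its own.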
2.5.3 Identify the connection of analytic detection capabilities to MITRE
The analytics engine can alert on any of the following attack tactics as defined by the MITRE ATT&CK®
knowledge base of tactics.
Analytics Concepts:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/analytics/analytics-concepts
2.5.5 Sample Questions
1. Which MITRE ATT&CK tactic employs techniques for obtaining data from a network, such as
valuable enterprise data?
a. Exfiltration
b. Command and Control
c. Execution
d. Persistence
2. The analytics engine creates and maintains a very large number of profile types, but they can all
be categorized into how many categories in general?
a. 4
b. 2
c. 3
d. 5
Cortex XDR uses stitching logic to gather and assign alerts to incidents based on a set of rules that take
into account different alert attributes, such as the SHA-256 of files that are involved and IP addresses.
You can prioritize the incidents displayed in the Incidents Table according to these alert attributes.
To enable you to prioritize incidents that are significant to the needs of your organization, the Incident
Scoring Rules option allows you to set custom rules that highlight the incidents based on:
● A user-defined score
● Selected Cortex XDR alert attributes and assets
When an alert is triggered, Cortex XDR matches the alert with each of the custom incident rules you
created. If the alert matches one or more of the rules, the alert is given the score defined by each rule.
An incident rule can also contain a subrule that allows you to create a rule hierarchy. Where a subrule
exists, if the same alert matches one or more of the subrules, the alert is also given the score defined by
each subrule. By default, a score is applied only to the first alert that matches the defined rule and
subrule.
Within each incident, Cortex XDR aggregates the alert scores and assigns the incident a total score. The
incident score is displayed in the Incidents Table as a filterable field, Score, allowing you to prioritize the
Incident Table according to the incident score. You can also view the score while investigating in the
Incident View.
Step 4: Review the rule criteria and Create the incident rule. You are automatically redirected to the
Scoring Rules table.
Step 1: In Cortex XDR, select Settings > Configurations > Broker VM > Broker VMs table.
Step 2: Locate the broker VM you want to connect to, right-click, and select Open Remote Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
● Logs
The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules that take
into account different attributes. Examples of alert attributes include alert source, type, and time period.
The app extracts a set of artifacts related to the threat event, listed in each alert, and compares them
with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are
grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert
will create a new incident.
To keep incidents fresh and relevant, Cortex XDR provides thresholds after which an incident stops
adding alerts:
● 30 days after the incident was created
● 14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting alerts, and Cortex XDR groups subsequent
related alerts in a new incident. You can track the grouping threshold status in the Alerts Grouping Status
field in the Incidents Table.
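The stitching logic (L-shaped causality grouping with the 30-day and 14-day thresholds) and the Incident Scoring Rules with subrules and the first-match default can be modelled in a few lines. The Python below is an added example written for this guide, not Cortex XDR code: the alert attributes, artifact values and rule names are constructed placeholders, and using "any shared SHA-256 or IP address" as the grouping key is a simplification of the product's stitching rules.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Grouping thresholds stated in the guide: an incident stops accepting alerts
# 30 days after it was created or 14 days after its last alert was detected.
MAX_INCIDENT_AGE = timedelta(days=30)
MAX_ALERT_GAP = timedelta(days=14)


@dataclass
class Alert:
    alert_id: str
    detected: datetime
    attrs: Dict[str, str]      # alert attributes such as source and severity
    artifacts: Set[str]        # e.g. SHA-256 values and IP addresses involved


@dataclass
class Incident:
    incident_id: int
    created: datetime
    last_alert: datetime
    alerts: List[Alert] = field(default_factory=list)

    def accepts(self, now: datetime) -> bool:
        """False once either grouping threshold has been reached."""
        return (now - self.created < MAX_INCIDENT_AGE
                and now - self.last_alert < MAX_ALERT_GAP)

    def artifacts(self) -> Set[str]:
        return set().union(*(a.artifacts for a in self.alerts))


def stitch(alerts: List[Alert]) -> List[Incident]:
    """Assign each alert to an open incident that shares an artifact with it,
    or open a new incident when none qualifies."""
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.detected):
        target: Optional[Incident] = None
        for inc in incidents:
            if inc.accepts(alert.detected) and alert.artifacts & inc.artifacts():
                target = inc
                break
        if target is None:
            target = Incident(len(incidents) + 1, alert.detected, alert.detected)
            incidents.append(target)
        target.alerts.append(alert)
        target.last_alert = max(target.last_alert, alert.detected)
    return incidents


@dataclass
class ScoringRule:
    name: str
    match: Dict[str, str]      # every listed attribute must equal the alert's value
    score: int
    subrules: List["ScoringRule"] = field(default_factory=list)

    def matches(self, alert: Alert) -> bool:
        return all(alert.attrs.get(k) == v for k, v in self.match.items())


def score_incident(incident: Incident, rules: List[ScoringRule],
                   first_match_only: bool = True) -> int:
    """Sum rule (and matching subrule) scores over the incident's alerts. By
    default each rule or subrule scores only the first alert that matches it."""
    total = 0
    fired: Set[str] = set()
    for alert in incident.alerts:
        for rule in rules:
            if not rule.matches(alert):
                continue
            # Subrules are only evaluated under a parent rule that matched.
            for r in [rule] + [s for s in rule.subrules if s.matches(alert)]:
                if first_match_only and r.name in fired:
                    continue
                fired.add(r.name)
                total += r.score
    return total


def sample_alerts() -> List[Alert]:
    """Constructed alerts; hashes and addresses are placeholders."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        Alert("a1", t0, {"source": "XDR Agent", "severity": "high"},
              {"sha256:PLACEHOLDER_A", "10.0.0.5"}),
        # Same IP as a1 two hours later: stitched into the same incident.
        Alert("a2", t0 + timedelta(hours=2), {"source": "XDR Agent", "severity": "medium"},
              {"10.0.0.5"}),
        # Same hash as a1 but 20 days on: the 14-day gap has passed, so a new incident.
        Alert("a3", t0 + timedelta(days=20), {"source": "XDR Agent", "severity": "high"},
              {"sha256:PLACEHOLDER_A"}),
        # No shared artifact with any open incident: its own incident.
        Alert("a4", t0 + timedelta(days=20, hours=1), {"source": "XDR Analytics", "severity": "low"},
              {"sha256:PLACEHOLDER_B"}),
    ]


def sample_rules() -> List[ScoringRule]:
    return [
        ScoringRule("agent-alert", {"source": "XDR Agent"}, 10,
                    subrules=[ScoringRule("agent-high", {"severity": "high"}, 5)]),
        ScoringRule("analytics-alert", {"source": "XDR Analytics"}, 3),
    ]


def demo():
    incidents = stitch(sample_alerts())
    return incidents, [score_incident(inc, sample_rules()) for inc in incidents]


if __name__ == "__main__":
    for inc, score in zip(*demo()):
        print(inc.incident_id, [a.alert_id for a in inc.alerts], "score", score)
```

Running the demo yields three incidents: a1 and a2 share an address and land together, a3 is separated from them by the 14-day gap despite sharing a hash, and a4 shares nothing. With the default first-match behaviour the first incident scores 15 (one agent alert plus its high-severity subrule); scoring every matching alert instead would give 25.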
You can choose to view the Incidents page in table format or in split-pane mode and toggle between the
two views. By default, Cortex XDR displays the split-pane mode. Any changes you make to the incident
fields (such as description and resolution status), filters, and sort selections persist when you toggle
between the modes.
The split-pane mode displays a side-by-side view of your incidents list and the corresponding incident
details.
The table view displays only the incident fields in a table format. Right-click an incident to view the
incident details and investigate the related assets, artifacts, and alerts.
Alerts:
The Alerts page displays a table of all alerts in Cortex XDR.
The Alerts page consolidates non-informational alerts from your detection sources to enable you to
efficiently and effectively triage the events you see each day. By analyzing the alert, you can better
understand the cause of what happened and the full story with context to validate whether an alert
requires additional action. Cortex XDR supports saving 2M alerts per 4,000 agents or 20 terabytes; half of
the alerts are allocated for informational alerts, and half for severity alerts.
To view detailed information for an alert, you can also view details in the Causality View and Timeline
View. From these views, you can also view related informational alerts that are not presented on the
Alerts page.
Cortex XDR processes and displays the names of users in the following standardized format, also termed
“normalized user”:
<company-domain>\<username>
As a result, any alert triggered based on network, authentication, or login events displays the User Name
in the standardized format in the Alerts and Incidents pages. This impacts every alert for Cortex XDR
Analytics and Cortex XDR Analytics BIOC, including Correlation, BIOC, and IOC alerts triggered on one of
these event types.
Exclusions:
The Investigation Incident Management Exclusions page displays all alert exclusion policies in Cortex
XDR.
An alert exclusion is a policy that contains a set of alert match criteria that you want to suppress from
Cortex XDR. You can Add an Alert Exclusion Policy from scratch, or you can base the exclusion on alerts
that you investigate in an incident. After you create an exclusion policy, Cortex XDR hides any future
alerts that match the criteria from incidents and search-query results. If you choose to apply the policy
to historic results as well as future alerts, the app identifies any historic alerts as grayed out.
FIELD DESCRIPTION
(Check box) Check box to select one or more alert exclusions on which you want to perform actions.
BACKWARD SCAN STATUS Exclusion policy status for historic data, either enabled if you want to apply the
policy to previous alerts or disabled if you don't want to apply the policy to previous alerts.
COMMENT Administrator-provided comment that identifies the purpose or reason for the exclusion policy.
DESCRIPTION Stop one or more applets.
MODIFICATION DATE Date and time when the exclusion policy was created or modified.
NAME Descriptive name provided to identify the exclusion policy.
POLICY ID Unique ID assigned to the exclusion policy.
STATUS Exclusion policy status, either enabled or disabled.
USER User who last modified the exclusion policy.
USER EMAIL Email associated with the administrative user.
Exceptions:
To allow full granularity, Cortex XDR enables you to create exceptions from your baseline policy. With
these exceptions, you can remove specific folders or paths from examination or disable specific security
modules.
3.1.5 References
Incidents:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
investigate-incidents/cortex-xdr-incidents.html
Alerts:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
investigate-endpoint-alerts/cortex-xdr-alerts.html
3.1.6 Sample Questions
1. Cortex XDR supports saving how many alerts per how many agents?
a. 1M alerts per 4,000 agents
b. 2M alerts per 4,000 agents
c. 1M alerts per 3,000 agents
d. 2M alerts per 3,000 agents
4. Which policy exception is an exception disabling a specific BTP rule across all processes?
a. support exception
b. local file threat examination exception
c. behavioral threat protection rule exception
d. process exception
An attack can affect several hosts or users and raises different alert types stemming from a single event.
All artifacts, assets, and alerts from a threat event are gathered into an Incident.
The incident header allows you to quickly review and update your incident details.
● Investigate Incidents:
The Incidents page displays all incidents in the Cortex XDR management console to help you
prioritize, track, triage, investigate, and take remedial action.
● Investigate Alerts:
The Alerts page displays a table of all alerts in Cortex XDR.
The Alerts page consolidates non-informational alerts from your detection sources to enable you to
efficiently and effectively triage the events you see each day. By analyzing the alert, you can
better understand the cause of what happened and the full story with context to validate
whether an alert requires additional action. Cortex XDR supports saving 2M alerts per 4,000
agents or 20 terabytes; half of the alerts are allocated for informational alerts, and half for
severity alerts.
● Investigate Endpoints:
● Investigate Files:
You can manage file execution on your endpoints by using file hashes that are included in your allow
and block lists. If you trust a certain file and know it to be benign, you can add the file hash to
the allow list and allow it to be executed on all your endpoints regardless of the WildFire or
local-analysis verdict. Similarly, if you want to always block a file from running on any of your
endpoints, you can add the associated hash to the block list.
3.2.4 List the options to highlight or suppress incidents
To help you focus on the incidents that matter most, you can star an incident. Cortex XDR identifies
starred incidents with a purple star. You can star incidents in two ways: You can manually star an incident
after reviewing it, or you can create an incident-starring configuration that automatically categorizes and
stars incidents when a related alert contains the specific attributes that you decide are important.
After you define an incident-starring configuration, Cortex XDR adds a star indicator to any incidents that
contain alerts that match the configuration.
You can then sort or filter the Incidents Table for incidents containing starred alerts and similarly filter
the Alerts Table for starred alerts. In addition, you can also choose whether to display all incidents or
only starred incidents on the Incidents Dashboard.
Step 2: From the Incident List, locate the incident you want to star.
Step 5: Use the alert filters to build the match criteria for the policy.
You can also right-click a specific value in the alert to add it as a match criterion. The app refreshes to
show you which alerts in the incident would be included.
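Alert exclusion policies (with and without backward scan) and incident-starring configurations both reduce to the same operation: a set of alert match criteria applied to alerts. The Python below is an added example written for this guide, not Cortex XDR code; the alert names, host names and policy names are constructed, and a criterion is modelled as "attribute must take one of these values", which is a simplification of the filter builder.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A criterion maps an alert attribute to the values it may take; every
# listed attribute has to match for the criteria as a whole to match.
Criteria = Dict[str, Set[str]]


@dataclass
class Alert:
    alert_id: str
    attrs: Dict[str, str]
    hidden: bool = False    # excluded from incidents and search results
    grayed: bool = False    # historic alert matched by a backward-scanned exclusion
    starred: bool = False


@dataclass
class ExclusionPolicy:
    name: str
    criteria: Criteria
    backward_scan: bool = False   # also apply the policy to historic alerts


@dataclass
class StarringConfig:
    name: str
    criteria: Criteria


def matches(criteria: Criteria, alert: Alert) -> bool:
    return all(alert.attrs.get(attr) in values for attr, values in criteria.items())


def apply_exclusions(policies: List[ExclusionPolicy], historic: List[Alert],
                     incoming: List[Alert]) -> List[Alert]:
    """Hide matching incoming alerts; gray out matching historic alerts only
    for policies with backward scan enabled. Returns the incoming alerts that
    remain visible."""
    for policy in policies:
        for alert in incoming:
            if matches(policy.criteria, alert):
                alert.hidden = True
        if policy.backward_scan:
            for alert in historic:
                if matches(policy.criteria, alert):
                    alert.grayed = True
    return [a for a in incoming if not a.hidden]


def star_incidents(configs: List[StarringConfig],
                   incidents: Dict[str, List[Alert]]) -> Set[str]:
    """Star every incident containing an alert that matches a starring configuration."""
    starred: Set[str] = set()
    for incident_id, alerts in incidents.items():
        for alert in alerts:
            if any(matches(cfg.criteria, alert) for cfg in configs):
                alert.starred = True
                starred.add(incident_id)
    return starred


def demo() -> Tuple[List[str], List[str], Set[str]]:
    """Constructed alerts: port scans from an authorised scanner host that should
    be suppressed, and a credential-dumping alert that should be starred."""
    historic = [Alert("h1", {"name": "Port Scan", "host": "scanner01"}),
                Alert("h2", {"name": "Port Scan", "host": "ws-22"})]
    incoming = [Alert("n1", {"name": "Port Scan", "host": "scanner01"}),
                Alert("n2", {"name": "Credential Dumping", "host": "ws-22"}),
                Alert("n3", {"name": "Port Scan", "host": "ws-23"})]
    exclusions = [ExclusionPolicy("authorised scanner",
                                  {"name": {"Port Scan"}, "host": {"scanner01"}},
                                  backward_scan=True)]
    visible = apply_exclusions(exclusions, historic, incoming)
    grayed = [a.alert_id for a in historic if a.grayed]
    starred = star_incidents([StarringConfig("cred theft", {"name": {"Credential Dumping"}})],
                             {"INC-1": [visible[0]], "INC-2": [visible[1]]})
    return [a.alert_id for a in visible], grayed, starred


if __name__ == "__main__":
    print(demo())
```

Note that the exclusion is scoped to the scanner host as well as the alert name: a port scan from any other host (n3) stays visible, which is the granularity the right-click "add as match criterion" workflow is for.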
Investigate Incidents:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo
nse/investigate-incidents.html#idbe8c1797-22f5-4aaa-b593-f254022ff104
Scripts:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
response-actions/run-python-scripts
3.2.6 Sample Questions
1. The Action Center can be found on which tab?
a. Reporting
b. Investigation
c. Response
d. Endpoints
To investigate and respond to security events on endpoints, you can use the Live Terminal to initiate a
remote connection to an endpoint. The Cortex XDR agent facilitates the connection using a remote
procedure call. Live Terminal enables you to manage remote endpoints. Investigative and response
actions that you can perform include navigating and managing files in the file system, managing active
processes, and running the operating system or Python commands.
If the endpoint supports the necessary requirements, you can initiate a Live Terminal session from the
Endpoints page. You can also initiate Live Terminal as a response action from a security event. If the
endpoint is inactive or does not meet the requirements, the option is disabled.
After you terminate the Live Terminal session, you also have the option to save a log of the session
activity. All logged actions from the Live Terminal session are available for download as a text file report
when you close the live terminal session.
You can fine-tune the Live Terminal session visibility on the endpoint by adjusting the User Interface
options in your Agent Settings profile.
Step 2: Use the Live Terminal to investigate and take action on the endpoint.
● Manage processes
● Manage files
● Run operating system commands
● Run Python commands and scripts
Step 3: When you are done, Disconnect the Live Terminal session.
You can optionally save a session report containing all activity you performed during the session.
The following example displays a sample session report:
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
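Saved session reports are the audit trail of what an analyst did on an endpoint, so it is worth being able to parse them rather than read them by eye. The Python below is an added example for this guide, not a Cortex XDR tool: it parses lines in the format of the sample report above (the report text is copied into the script as constructed input) and pulls out terminated processes, failed actions and the session duration. The line format is inferred from the four sample lines only.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Constructed copy of the sample session report shown in the guide.
SAMPLE_REPORT = """\
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
"""

# One report line: month, ordinal day, year, time, free-text action, [result].
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2})(?:st|nd|rd|th) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<action>.+?) \[(?P<result>[a-z]+)\]$"
)
KILL_RE = re.compile(r"^Kill process (?P<image>\S+) \((?P<pid>\d+)\)$")


class Entry(NamedTuple):
    when: datetime
    action: str
    result: str


def parse_report(text: str) -> List[Entry]:
    """Parse a saved session report into timestamped entries. An unrecognised
    line is an error rather than silently dropped, so nothing escapes review."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised session report line: %r" % line)
        when = datetime.strptime(
            "%s %s %s %s" % (m.group("mon"), m.group("day"), m.group("year"), m.group("time")),
            "%b %d %Y %H:%M:%S")
        entries.append(Entry(when, m.group("action"), m.group("result")))
    return entries


def killed_processes(entries: List[Entry]) -> List[Tuple[str, int]]:
    """(image name, PID) for every successful process termination in the session."""
    kills = []
    for e in entries:
        k = KILL_RE.match(e.action)
        if k and e.result == "success":
            kills.append((k.group("image"), int(k.group("pid"))))
    return kills


def failed_actions(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.result != "success"]


def session_duration_seconds(entries: List[Entry]) -> Optional[int]:
    """Seconds between the 'session has started' and 'session has ended' entries."""
    start = next((e.when for e in entries if e.action.endswith("session has started")), None)
    end = next((e.when for e in entries if e.action.endswith("session has ended")), None)
    if start is None or end is None:
        return None
    return int((end - start).total_seconds())


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("entries:", len(report))
    print("kills:", killed_processes(report))
    print("failed:", failed_actions(report))
    print("duration (s):", session_duration_seconds(report))
```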
3.3.2 Describe what actions can be performed using the Live Terminal
Manage Processes:
From the Live Terminal, you can monitor processes running on the endpoint. The Task Manager displays
the task attributes, owner, and resources used. If you discover an anomalous process while investigating
the cause of a security event, you can take immediate action to terminate the process or the whole
process tree and block processes from running.
● Step 1: From the Live Terminal session, open the Task Manager to navigate the active processes
on the endpoint.
You can toggle between a sorted list of processes and the default process tree view. You can
also export the list of processes and process details to a comma-separated values (CSV) file.
If the process is known malware, the row displays a red indicator and identifies the file using a
malware attribute.
● Step 2: To take action on a process, right-click the process and select the action:
o Terminate process—Terminate the process or entire process tree.
o Suspend process—To stop an attack while investigating the cause, you can suspend a
process or process tree without killing it entirely.
o Resume process—Resume a suspended process.
o Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and
online scan engines. You can scan a file using the VirusTotal scan service to check for
false positives or verify suspected malware.
o Get WildFire verdict—WildFire evaluates the file hash signature to compare it against
known threats.
o Get file hash—Obtain the SHA-256 hash value of the process.
o Download Binary—Download the file binary to your local host for further investigation
and analysis. You can download files up to 200MB in size.
o Mark as Interesting—Add an Interesting tag to a process to easily locate the process in
the session report after you end the session.
o Remove from Interesting—If no threats are found, you can remove the Interesting tag.
o Copy Value—Copy the cell value to your clipboard.
● Step 3: Select Disconnect to end the Live Terminal session.
Manage Files:
The File Explorer enables you to navigate the file system on the remote endpoint and take remedial
action to:
● Create, manage (move or delete), and download files, folders, and drives, including connected
external drives and devices such as USB drives and CD-ROM.
● View file attributes, creation and last-modified dates, and the file owner.
● Investigate files for malicious content.
The Python command interpreter uses Unix command syntax and supports Python 3 with standard
Python libraries. To issue Python commands or scripts on the endpoint, follow these steps:
● Step 1: From the Live Terminal session, select Python to start the Python command interpreter
on the remote endpoint.
● Step 2: Run Python commands or scripts as desired.
You can enter or paste the commands, or you can upload a script. After you are done, you can save
the command session output to a file.
For enhanced endpoint remediation and endpoint management, you can run Python 3.7 scripts on your
endpoints directly from Cortex XDR. For commonly used actions, Cortex XDR provides precanned scripts
you can use out of the box. You can also write and upload your own Python scripts and code snippets
into Cortex XDR for custom actions. Cortex XDR enables you to manage, run, and track the script
execution on the endpoints, as well as store and display the execution results per endpoint.
● Investigate Endpoints:
The Action Center provides a central location from which you can track the progress of all
investigation, response, and maintenance actions performed on your endpoints protected by
Cortex XDR. The main All Actions tab of the Action Center displays the most recent actions
initiated in your deployment. To narrow down the results, click Filter on the top right.
3.3.5 References
Live Terminal:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
response-actions/initiate-a-live-terminal-session
Investigation:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response
From the Query Builder, you can investigate connections between file activity and endpoints. The Query
Builder searches your logs and endpoint data for the file activity that you specify. To search for files on
endpoints instead of file-related activity, use the XQL Search.
Step 3: Enter the search criteria for the file events query.
● File activity—Select the type or types of file activity you want to search: All, Create, Read,
Rename, Delete, or Write.
● File attributes—Define any additional process attributes for which you want to search. Use a
pipe (|) to separate multiple values (for example, notepad.exe|chrome.exe). By default, Cortex
XDR will return the events that match the attribute you specify. To exclude an attribute value,
toggle the = option to =!. Attributes are:
o NAME—File name
o PATH—Path of the file
o PREVIOUS NAME—Previous name of a file
o PREVIOUS PATH—Previous path of the file
o MD5—MD5 hash value of the file
o SHA256—SHA256 hash value of the file
o DEVICE TYPE—Type of device used to run the file: Unknown, Fixed, Removable Media,
CD-ROM
o DEVICE SERIAL NUMBER—Serial number of the device type used to run the file
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.
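The file-event query semantics just described (activity types, pipe-separated alternatives, the =! toggle, per-value exceptions and the time period) are easier to reason about when written out. The Python below is an added example for this guide, not the Query Builder's implementation: the events are constructed, "*" wildcards in values and the 30-day length of "Last 1M" are assumptions, and matching is case-insensitive by choice.

```python
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

FILE_ACTIVITIES = {"All", "Create", "Read", "Rename", "Delete", "Write"}

# "Last 1M" is taken here as 30 days; the guide does not define the month length.
PERIODS = {"Last 24H": timedelta(hours=24), "Last 7D": timedelta(days=7), "Last 1M": timedelta(days=30)}


@dataclass
class AttributeCriterion:
    attribute: str                  # NAME, PATH, MD5, SHA256, DEVICE TYPE, ...
    values: str                     # pipe-separated alternatives, e.g. "notepad.exe|chrome.exe"
    negate: bool = False            # the "=!" toggle: exclude events with these values
    exceptions: List[str] = field(default_factory=list)  # "match this value except ..."

    def matches(self, event: Dict[str, object]) -> bool:
        actual = str(event.get(self.attribute, "")).lower()
        hit = any(fnmatch.fnmatchcase(actual, alt.strip().lower()) for alt in self.values.split("|"))
        if hit and any(fnmatch.fnmatchcase(actual, ex.lower()) for ex in self.exceptions):
            hit = False
        return not hit if self.negate else hit


@dataclass
class FileQuery:
    activities: Set[str]
    criteria: List[AttributeCriterion]
    period: str = "Last 7D"

    def run(self, events: List[Dict[str, object]], now: datetime) -> List[str]:
        """Ids of the events inside the time window whose activity type and
        every attribute criterion match."""
        unknown = self.activities - FILE_ACTIVITIES
        if unknown:
            raise ValueError("unknown file activity: %s" % sorted(unknown))
        start = now - PERIODS[self.period]
        hits = []
        for ev in events:
            if ev["time"] < start:
                continue
            if "All" not in self.activities and ev["action"] not in self.activities:
                continue
            if all(c.matches(ev) for c in self.criteria):
                hits.append(ev["id"])
        return hits


NOW = datetime(2024, 3, 1, 12, 0)

# Constructed file events; paths are placeholders.
SAMPLE_EVENTS = [
    {"id": "e1", "action": "Write", "time": NOW - timedelta(hours=1), "NAME": "invoice.exe",
     "PATH": r"C:\Users\alice\Downloads\invoice.exe", "DEVICE TYPE": "Removable Media"},
    {"id": "e2", "action": "Create", "time": NOW - timedelta(days=2), "NAME": "setup.exe",
     "PATH": r"D:\setup.exe", "DEVICE TYPE": "Removable Media"},
    {"id": "e3", "action": "Read", "time": NOW - timedelta(hours=1), "NAME": "report.docx",
     "PATH": r"C:\Users\alice\Documents\report.docx", "DEVICE TYPE": "Fixed"},
    {"id": "e4", "action": "Write", "time": NOW - timedelta(days=10), "NAME": "tool.exe",
     "PATH": r"C:\Users\alice\tool.exe", "DEVICE TYPE": "Fixed"},
]


def demo() -> Dict[str, List[str]]:
    # Executables created or written anywhere except a fixed drive, last 7 days.
    exe_on_removable = FileQuery(
        {"Create", "Write"},
        [AttributeCriterion("NAME", "*.exe"),
         AttributeCriterion("DEVICE TYPE", "Fixed", negate=True)])
    # Any activity on any executable except setup.exe, last month.
    with_exception = FileQuery(
        {"All"},
        [AttributeCriterion("NAME", "*.exe", exceptions=["setup.exe"])],
        period="Last 1M")
    return {"exe_on_removable_7d": exe_on_removable.run(SAMPLE_EVENTS, NOW),
            "any_exe_except_setup_1m": with_exception.run(SAMPLE_EVENTS, NOW)}


if __name__ == "__main__":
    print(demo())
```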
Select and specify one or more of the attributes for the acting (parent) process.
Step 6: Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
By default, the Alerts page displays the alerts that it received over the last seven days (to modify the
time period, use the page filters). Every 12 hours, Cortex XDR enforces a cleanup policy to remove the
oldest alerts that exceed the maximum alerts limit.
3.4.3 References
File Query:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
search-queries/query-builder/create-a-file-query.html
Incidents:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
investigate-incidents/cortex-xdr-incidents.html
Alerts:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
investigate-endpoint-alerts/cortex-xdr-alerts.html
3.4.4 Sample Questions
1. How many Cortex XDR rules are there?
a. 3
b. 4
c. 2
d. 5
2. What is the expiration limit set by Cortex XDR by default for agent upgrade and agent
uninstall?
a. 90 days
b. 60 days
c. 40 days
d. 30 days
When investigating suspicious incidents and causality chains, you often need to restore and revert
changes made to your endpoints as result of a malicious activity. To avoid manually searching for the
affected files and registry keys on your endpoints, you can ask Cortex XDR for remediation suggestions.
Cortex XDR investigates suspicious causality process chains and incidents on your endpoints and displays
a list of suggested actions to remediate processes, files, and registry keys on your endpoint.
FIELD DESCRIPTION
REMEDIATION DATE Displays the timestamp of when all of the endpoint artifacts were remediated. If
there was no successful remediation, the field does not display a timestamp.
Automatic remediation—Cortex XDR investigates suspicious causality process chains and incidents on
your endpoints and displays a list of suggested actions to remediate processes, files, and registry keys on
your endpoint. You request these remediation suggestions from Cortex XDR rather than locating the
affected artifacts yourself.
Cortex XDR displays the summary of the script execution action. If all the details are correct, Run the
script and proceed to Track Script Execution and View Results. Alternatively, to track the script-execution
progress on all endpoints and view the results in real time, Run in interactive mode.
In Interactive Mode, Cortex XDR displays general information that includes the scope of target endpoints
and a list of all the scripts that are being executed in this session. For each script on the executed scripts
list, you can view the following:
● The script name and date, the time the script execution action was initiated, and a list of input
parameters.
● A progress bar that indicates in real time the number of endpoints for which the script execution
is In Progress, Failed, or Completed. When you hover over the progress bar, you can drill down
for more information about the different sub-statuses included in each group. Similarly, you can
also view this information on the scripts list to the left in the form of a pie chart that is
dynamically updated for each script as it is being executed.
● Dynamic script results that are continuously updated throughout the script-execution process.
Cortex XDR lists the results and, if they have a small variety of values, graphically aggregates
results. When both views are available, you can switch between them.
False positive—An event that produces an alarm when no attack has taken place. For example, you
might investigate a brute-force alert and find out that it was just some user who mistyped their
password multiple times, not a real attack.
Prevention:
● Firstly, prevent false positives from being added to your data.
● Next, notify analysts about the likelihood of false positives.
● Report sightings, whether as observations or as an indication of a false positive.
● Inform analysts about these sightings.
● Disable the indicator from being actionable and included in your cyberthreat intel.
4.1.5 References
Remediation suggestion:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/
response-actions/remediate-endpoints
2. Which of the following is a summary of the remediation suggestions to apply to the file or
registry?
a. Suggested remediation
b. Original event description
c. Suggested remediation description
d. Remediation status
Ransomware is a family of malware that attempts to encrypt files on end-user computers and then
demands some form of e-payment to recover the encrypted files. Ransomware is one of the more
common threats in the modern threat landscape.
This preset offers fields related to registry write, rename, and delete.
When you know a file is malicious, you can destroy all its instances on your endpoints directly from
Cortex XDR. You can destroy a file immediately from the file search action result or initiate a new action
from the Action Center. When you destroy a file, the Cortex XDR agent deletes all the file instances on
the endpoint.
Step 1: From the Action Center, select +New Action > Destroy File.
Step 2: To destroy by hash, provide the SHA-256 of the file. To destroy by path, specify the exact file path
and file name. Click Next.
4.2.4 References
Registry:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-schema-reference/presets/registry-
preset-reference
2. What can you do to significantly decrease the chances of putting your organization at risk of a
ransomware attack?
a. Verify links in email, except from known contacts.
b. Purchase only software, programs, and applications from reputable companies.
c. Implement email protection and web gateway solution.
d. All of the above
e. None of the above
A block list contains the files that are blocked from running on your endpoints regardless of file
verdict.
Palo Alto Networks regularly reviews and makes changes to the list of trusted signers and makes the list
available with the default Security policy. Any updates to the list of trusted signers are made available
with content updates that you can obtain from the Support portal (for more information, see Content
Updates). You can also define your own trusted signers from the ESM Console. For Windows signers,
adding a trusted signer adds the signer to the list of highly trusted signers.
An allow list contains the files that are permitted to run on your endpoints regardless of file
verdict.
When the Cortex XDR agent detects malware on a Windows endpoint, you can take additional
precautions to quarantine the file. When the Cortex XDR agent quarantines malware, it moves the file
from the location on a local or removable drive to a local quarantine folder where it isolates the file. This
prevents the file from attempting to run again from the same path or causing any harm to your
endpoints.
To evaluate whether an executable file is malicious, the Cortex XDR agent calculates a verdict using
information from the following sources in order of priority:
● Hash exception policy
● WildFire threat intelligence
● Local analysis
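The verdict priority above (hash exception policy first, then WildFire, then local analysis), the allow and block lists, and quarantine by moving the file out of its path fit together in one small script. The Python below is an added example for this guide, not the Cortex XDR agent or one of its precanned scripts; it is written to the Python 3.7, standard-library-only constraint the guide gives for uploaded scripts. The WildFire lookup is a constructed dictionary and the local-analysis step is a placeholder so the script runs offline; the sample files are created in a temporary directory.

```python
#!/usr/bin/env python3
"""Hash a file with SHA-256, resolve a verdict in the priority order the guide
gives (hash exception policy, WildFire, local analysis) and quarantine it when
the verdict is malware. WildFire and local analysis are constructed stand-ins."""
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Dict, Set, Tuple


def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def resolve_verdict(digest: str, allow_list: Set[str], block_list: Set[str],
                    wildfire: Dict[str, str],
                    local_analysis: Callable[[str], str]) -> Tuple[str, str]:
    """Return (verdict, source). The first source with an answer wins, so a
    hash on the allow or block list overrides whatever WildFire says."""
    if digest in block_list:
        return "malware", "hash exception policy"
    if digest in allow_list:
        return "benign", "hash exception policy"
    if digest in wildfire:
        return wildfire[digest], "WildFire"
    return local_analysis(digest), "local analysis"


def quarantine(path: str, quarantine_dir: str) -> str:
    """Move the file into an isolated folder, named by hash, so it cannot run
    again from its original path."""
    os.makedirs(quarantine_dir, exist_ok=True)
    destination = os.path.join(quarantine_dir, sha256_of(path) + ".quarantined")
    shutil.move(path, destination)
    return destination


def placeholder_local_analysis(digest: str) -> str:
    # Stand-in for the agent's local analysis model (constructed; always benign here).
    return "benign"


def demo() -> Dict[str, object]:
    """Create three constructed sample files, run them through the verdict
    order and quarantine the one named on the block list."""
    work = tempfile.mkdtemp(prefix="verdict-demo-")
    paths = {}
    for name, content in (("bad.exe", b"constructed malicious sample"),
                          ("good.exe", b"constructed benign sample"),
                          ("unknown.exe", b"constructed unseen sample")):
        paths[name] = os.path.join(work, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    digests = {name: sha256_of(p) for name, p in paths.items()}

    block_list = {digests["bad.exe"]}
    allow_list = {digests["good.exe"]}
    # Constructed WildFire cache that disagrees about good.exe: the hash
    # exception policy has priority, so the allow-list verdict is used.
    wildfire = {digests["good.exe"]: "malware"}

    verdicts = {name: resolve_verdict(d, allow_list, block_list, wildfire, placeholder_local_analysis)
                for name, d in digests.items()}
    quarantined = [quarantine(paths[name], os.path.join(work, "quarantine"))
                   for name, (verdict, _) in verdicts.items() if verdict == "malware"]
    return {
        "verdicts": verdicts,
        "quarantined_count": len(quarantined),
        "bad_removed_from_path": not os.path.exists(paths["bad.exe"]),
        "quarantined_exists": all(os.path.exists(q) for q in quarantined),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ordering matters for false positives as much as for misses: good.exe carries a stale "malware" cloud verdict in the constructed cache, yet its presence on the allow list decides the outcome, which is exactly why the allow and block lists are the administrator's override.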
You can search for a file using the Query Builder or XQL Search or use the Action Center wizard as
described in the following workflow:
Step 1: From the Action Center, select +New Action > File Search.
o The file path must begin with a drive name—for example, c:\
o You must specify the exact path folder hierarchy—for example, c:\users\user\file.exe.
You must specify the exact path folder hierarchy also when you replace folder names
with wildcards, by using a wildcard for each folder in the hierarchy. For example,
c:\*\*\file.exe
● Click Next.
If not all endpoints in the query scope are connected or the search has not completed, the search action
remains in Pending status in the Action Center.
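The search-path rules (must start with a drive name, exact folder hierarchy, one wildcard per replaced folder) and the Pending status for scopes with disconnected endpoints are shown below as an added example for this guide, not the File Search action's implementation. The endpoint names and the per-endpoint file inventory are constructed, and case-insensitive matching is an assumption.

```python
import fnmatch
import re
from typing import Dict, List, Set, Tuple

# A search path has to start with a drive name such as c:\ (the guide's rule).
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def validate_search_path(pattern: str) -> bool:
    """True when the pattern begins with a drive name and ends in a file name."""
    return bool(DRIVE_RE.match(pattern)) and not pattern.endswith("\\") and "\\\\" not in pattern


def components(path: str) -> List[str]:
    return path.split("\\")


def path_matches(pattern: str, path: str) -> bool:
    """Match a path against a search path in which any folder may be replaced
    by *. The hierarchy must still be exact: c:\\*\\file.exe does not match a
    file two folders deep, c:\\*\\*\\file.exe does."""
    if not validate_search_path(pattern):
        raise ValueError("search path must begin with a drive name, e.g. c:\\ : %r" % pattern)
    pat, act = components(pattern), components(path)
    if len(pat) != len(act):
        return False
    return all(fnmatch.fnmatchcase(a.lower(), p.lower()) for p, a in zip(pat, act))


def file_search(pattern: str, inventory: Dict[str, List[str]],
                connected: Set[str]) -> Tuple[str, Dict[str, List[str]]]:
    """Run the search over a constructed per-endpoint file inventory. Only
    connected endpoints answer; if any endpoint in scope is not connected the
    action stays Pending, as the guide describes for the Action Center."""
    hits = {ep: [p for p in paths if path_matches(pattern, p)]
            for ep, paths in inventory.items() if ep in connected}
    status = "Completed" if set(inventory) <= connected else "Pending"
    return status, hits


# Constructed inventory; endpoint names and paths are placeholders.
INVENTORY = {
    "WS-01": [r"C:\Users\alice\file.exe", r"C:\Windows\Temp\file.exe"],
    "WS-02": [r"D:\file.exe", r"C:\Users\bob\AppData\file.exe"],
    "WS-03": [r"C:\Users\carol\file.exe"],
}

if __name__ == "__main__":
    print(file_search(r"c:\*\*\file.exe", INVENTORY, {"WS-01", "WS-02"}))
```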
4.3.7 References
Exceptions:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exception
s-security-profiles
2. In Cortex XDR, how many different methods can you use to search a file?
a. 2
b. 4
c. 3
d. 5
Indicators of compromise (IOCs) are the artifacts that are considered malicious or suspicious. IOCs are
static and based on criteria such as:
● Full path
● File name
● Domain
● Destination IP address
● MD5 hash
● SHA-256
IOCs provide the ability to alert on known malicious objects on endpoints across the organization.
The app checks for matches in the endpoint data obtained from Cortex XDR agents when you define or
load IOCs. There are checks that are both retroactive and ongoing. The app searches all previous data for
IOC matches and continues to evaluate any new data it receives in the future.
You can view all indicators of compromise (IOCs) configured from or uploaded to the Cortex XDR app
from the Rules > IOC tab.
To filter the number of IOC rules you see, you can filter by one or more fields in the IOC Rules table. From
the IOC page, you can also manage or clone existing rules.
The following table describes the fields that are available for each IOC rule in alphabetical order.
FIELD DESCRIPTION
If, after investigating a threat, you identify a malicious artifact, you can create an alert for the single IOC
right away.
If you want to match on multiple indicators, you can upload the criteria in a CSV file.
Step 4: Define any expiration criteria for your IOC rules.
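The retroactive and ongoing IOC checks described above, as an added example that is not part of the study guide or of Cortex XDR itself: a small Python matcher that loads rules from a CSV (assumed columns type,value,expires), skips expired rules, and runs the same check first over stored endpoint data and then over newly arriving events. The event field names, the CSV layout and all sample values are constructed for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Indicator types named on the page, mapped to the event field each one is
# compared against. The event field names are an assumption for this example,
# not the Cortex XDR schema.
IOC_FIELD = {
    "full_path": "path",
    "file_name": "file_name",
    "domain": "domain",
    "destination_ip": "dst_ip",
    "md5": "md5",
    "sha256": "sha256",
}


@dataclass(frozen=True)
class IocRule:
    ioc_type: str
    value: str
    expires: Optional[datetime]  # None: the rule never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires

    def matches(self, event: Dict[str, str]) -> bool:
        # IOCs are static, exact-value criteria; compare case-insensitively so
        # that hash case or Windows path case does not cause a miss.
        observed = event.get(IOC_FIELD[self.ioc_type])
        return observed is not None and observed.lower() == self.value.lower()


def load_rules_csv(text: str) -> List[IocRule]:
    """Parse rules from a CSV with columns type,value,expires (assumed layout).
    'expires' is an ISO-8601 UTC timestamp, or empty for no expiration."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] not in IOC_FIELD:
            raise ValueError("unsupported IOC type: " + row["type"])
        expires = None
        if row["expires"]:
            expires = datetime.fromisoformat(row["expires"]).replace(tzinfo=timezone.utc)
        rules.append(IocRule(row["type"], row["value"].strip(), expires))
    return rules


def scan(rules: List[IocRule], events: List[Dict[str, str]],
         now: datetime) -> List[Tuple[str, str, str]]:
    """Return (endpoint, ioc_type, value) for each hit by a non-expired rule.
    The same function serves the retroactive pass over stored data and the
    ongoing pass over newly received data."""
    active = [r for r in rules if r.is_active(now)]
    return [(e["endpoint"], r.ioc_type, r.value)
            for e in events for r in active if r.matches(e)]


# Constructed sample rules: one hash rule with no expiry, one domain rule with a
# future expiry, one destination-IP rule that has already expired.
RULES_CSV = """type,value,expires
sha256,a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4,
domain,updates.example-bad.test,2030-01-01T00:00:00
destination_ip,198.51.100.23,2020-01-01T00:00:00
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

HISTORICAL_EVENTS = [  # constructed endpoint data already stored (retroactive check)
    {"endpoint": "WS-0101", "sha256": "A1B2C3D4" * 8,
     "path": r"c:\users\alice\appdata\local\temp\svc.exe"},
    {"endpoint": "WS-0102", "domain": "updates.example-bad.test"},
    {"endpoint": "WS-0103", "dst_ip": "198.51.100.23"},  # rule expired: no alert
]
NEW_EVENTS = [  # constructed data arriving after the rules were loaded (ongoing check)
    {"endpoint": "WS-0204", "domain": "updates.example-bad.test"},
    {"endpoint": "WS-0205", "sha256": "ffff" * 16},
]


def retroactive_hits() -> List[Tuple[str, str, str]]:
    return scan(load_rules_csv(RULES_CSV), HISTORICAL_EVENTS, NOW)


def ongoing_hits() -> List[Tuple[str, str, str]]:
    return scan(load_rules_csv(RULES_CSV), NEW_EVENTS, NOW)


if __name__ == "__main__":
    for hit in retroactive_hits() + ongoing_hits():
        print("IOC alert: endpoint=%s type=%s value=%s" % hit)
```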
5.1.2 Explain the purpose and use of the BIOC technique
Behavioral indicators of compromise (BIOCs) enable you to alert and respond to behaviors—tactics,
techniques, and procedures. Instead of hashes and other traditional indicators of compromise, BIOC
rules detect behavior related to processes, registry, files, and network activity. If Cortex XDR Analytics
is enabled, Cortex XDR can also raise Analytics BIOCs (ABIOCs).
To enable you to take advantage of the latest threat research, Cortex XDR automatically receives
preconfigured rules from Palo Alto Networks. These global rules are delivered to all tenants with content
updates. In cases where you need to override a global BIOC rule, you can disable it or set a rule
exception. You can also configure additional BIOC rules as you investigate threats on your network and
endpoints. BIOC rules are highly customizable: you can create a BIOC rule that is simple or quite
complex.
As soon as you create or enable a BIOC rule, the app begins to monitor input feeds for matches. Cortex
XDR also analyzes historical data collected in the Cortex Data Lake. Whenever there is a match, or hit, on
a BIOC rule, Cortex XDR logs a Cortex XDR alert.
Cortex XDR enables you to run XQL queries on your data sources using APIs. Each XQL query API
consumes compute units based on the timeframe, complexity, and number of API response results.
Cortex XDR provides a free daily quota of compute units allocated according to your license size. Queries
The Compute Unit add-on provides one additional compute unit per day on top of your free daily
quota. For example, if you have five free daily compute units allocated, then with the add-on you will
have a total of six daily compute units. The compute units are refreshed every 24 hours according to UTC
time. You can purchase a minimum of 50 compute units.
To gauge how many compute units you require, Cortex XDR provides a 30-day free trial period with a
total of three times your allocated compute units for running XQL API queries; you can track the cost of
each XQL API query response on the XQL API Usage page. In addition, Cortex XDR sends a notification
when the Compute Units add-on has reached your daily threshold.
To enable the add-on, navigate to Configurations > Cortex XDR License > Add-ons, select the Compute
Unit tile, and Enable.
Step 2: In the Daily Usage in Compute Units section, monitor the amount of quota units used over the
past 24 hours and the amount of free daily quota allocated according to your license size. Timeframe is
calculated according to UTC time.
For Managed Security tenants, the values calculated are the total daily usage of parent and child tenants.
Step 3: In the “Compute Units over last 30 Days” section, track your quota usage over the past 30 days.
The red line represents your daily license quota. For Managed Security tenants, make sure you select
from the MSSP Tenant Selection drop-down menu the tenant for which you want to display the
information. To investigate further:
The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate
any lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats
from your data sources. With Query Builder, you can build complex queries for entities and entity
attributes so that you can surface and identify connections between them. The Query Builder searches
the raw data and logs stored in Cortex Data Lake and Cortex XDR for the entities and attributes you
specify and returns up to 100,000 results. From the Query Builder, you can also use the XQL Search to
create XQL queries to search for and view raw data that is stored in Cortex XDR or imported from custom
and third-party datasets.
The Query Builder provides queries for the following types of entities:
● Process—Search on process execution and injection by process name, hash, path, command-line
arguments, and more. See Create a Process Query.
The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.
5.1.5 References
IOC Technique:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-iocs/ioc-rules-details.html#idb38e1dd3-cefc-4526-9c8d-016a962ca4c2
BIOC Technique:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/bioc-rules-details.html#idb29d55b8-9757-4c1e-8733-ef25f11b428d
XQL Technique:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/manage-xql-api.html#ida87d71c2-5e82-4f77-b8a1-3c8db6ff42c7
Query Builder:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/search-queries/query-builder
5.1.6 Sample Questions
1. Which technique is used to investigate any lead quickly, expose the root cause of an alert,
perform damage assessment, and hunt for threats from your data sources?
a. IOC Technique
b. Query Builder Technique
c. BIOC Technique
d. XQL Technique
BIOC Rule:
2. Which three of the following field configurations are not included in a user-defined BIOC rule
event? (Choose three.)
a. Host Name
b. Device Serial Number
c. IP Address
d. Device Type
Unit 42 brings together world-renowned threat researchers from Palo Alto Networks with an elite team
of security consultants to create an intelligence-driven, response-ready organization. The Unit 42 Threat
Intelligence team provides threat research that enables security teams to understand adversary intent
and attribution while enhancing protections offered by Palo Alto Networks products and services to stop
advanced attacks. As threats escalate, Unit 42 is available to advise customers on the latest risks, assess
their readiness, and help them recover when the worst occurs. The Unit 42 Security Consulting team
serves as a trusted partner with state-of-the-art cyber-risk expertise and incident-response capabilities,
helping customers focus on their business before, during, and after a breach.
Managed Threat Hunting offers round-the-clock monitoring from Unit 42 experts to discover attacks
anywhere in your organization. Threat hunters work on your behalf to discover advanced threats, such as
state-sponsored attackers, cybercriminals, malicious insiders, and malware.
Unit 42 analysts:
● Analyze suspicious signals generated by Cortex XDR analytics, custom detection rules, and Cortex
XDR research.
● Manually seek out emerging adversaries using the powerful data-exploration capabilities of
Cortex XDR.
Managed Threat Hunting augments your security by providing 24/7, year-round monitoring by Palo Alto
Networks threat researchers and Unit 42 experts. The Managed Threat Hunting teams proactively
safeguard your organization and provide threat reports for critical security incidents and impact reports
for emerging threats that provide an analysis of exposure in your organization. In addition, the Managed
Threat Hunting team can identify incidents and provide in-depth review of related threat reports.
5.3.2 References
Threat Hunting:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/managed-security/about-managed-threat-hunting.html#id4e98a15b-1861-405b-9317-b62510cf515b
5.3.3 Sample Questions
1. Which statement is not true for Unit 42?
a. It investigates threats and determines the total scope of incidents.
b. It offers direct assistance to answer questions and provide guidance about Threat Reports and
Impact Reports.
c. It is available to advise customers on the latest risks, assess their readiness, and help them
recover when the worst occurs.
d. It can detect a variety of threats but may miss some complex malware.
Extended detection and response (XDR) is a new approach to threat detection and response that
provides holistic protection against cyberattacks, unauthorized access, and misuse.
Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying
summarized information about your endpoints:
● Agent Management Widgets
● Incident Management Widgets
● Investigation Widgets
● User Defined Widgets
● Asset Widgets
● XQL Search
● Custom Widget
● System Monitoring
● Host Insights
Reporting menu:
From the Reporting menu, you can view and manage your dashboards and reports from the dashboard
and the Incidents Table and view alert exclusions.
● Dashboard—Provides dashboards that you can use to view high-level statistics about your
agents and incidents.
● Dashboards Manager—Add new dashboards with customized widgets to surface the statistics
that matter to you most.
● Reports—View all the reports that Cortex XDR administrators have run.
● Reports Templates—Build reports using predefined templates or customize a report.
6.1.2 References
Widgets:
Manage Dashboards:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/cortex-xdr-dashboard/manage-dashboards
6.1.3 Sample Questions
1. Which option from the reporting menu will you choose if you need to add additional widgets to
the dashboard?
a. Dashboard
b. Dashboards Manager
c. Reports
d. Reports Templates
2. The Response action breakdown widget belongs to which of the following widget categories?
a. Agent Management Widgets
b. Incident Management Widgets
c. Investigation Widgets
d. User Defined Widgets
Step 2: Enter a unique Report Name and an optional Description of the report.
● You can choose Last 24H (day), Last 7D (week), Last 1M (month), or a custom timeframe.
Step 7: When you have finished customizing your report template, click Next.
Step 8: If you are ready to run the report, select Generate now.
Step 9: To run the report on a regular Schedule, you can specify the time and frequency that Cortex XDR
will run the report.
Step 10: (Optional) Enter an Email Distribution list or Slack workspace to send a PDF version of your
report.
● Select Add password used to access report sent by email and Slack to set password
encryption. Password encryption is only available for PDF format.
Step 11: (Optional) Attach CSV file of your XQL query widget to a report.
● From the drop-down menu, search and select one or more of your custom widgets to attach to
the report. The XQL query widget is attached to the report as a CSV file along with the
customized PDF. Depending on how you chose to send the report, the CSV file is attached as
follows:
o Email—Sent as separate attachments for each widget. The total size of the attachment in
the email cannot exceed 20MB.
o Slack—Sent within a ZIP file that includes the PDF file.
Step 13: After your report completes, you can download it from the Reporting > Reports page.
● In the Name field, reports with both PDF and CSV files are marked with one icon, while
reports with a single PDF are marked with a different icon.
Step 2: Right-click the dashboard from which you want to generate a report and select Save as report
template.
Step 3: Enter a unique Report Name and an optional Description of the report, then Save the template.
● You can either Generate Report to run the report on-demand, or you can Edit the report
template to define a schedule.
Step 6: After your report completes, you can download it from the Reporting > Reports page.
6.2.2 Interpret meaning from a report
You can run and customize reports containing a snapshot of statistics about your environment over a
selected time period. You can generate reports from Cortex XDR on demand or schedule them to run
daily or weekly. You can use dashboards as the basis for a report template, or you can customize your
report with widgets from the widget library. When your report is ready, you can download it from the
Reports page. You can also email reports to an email distribution of your choice.
6.2.3 Identify the information needed for a given audience
To create purposeful dashboards, you must consider the information that you and other analysts find
important to your day-to-day operations. This consideration guides you in building a custom dashboard.
When you create a dashboard, you can select widgets from the widget library and choose their
placement on the dashboard.
Step 2: Enter a unique Dashboard Name and an optional Description of the dashboard.
Step 7: To set the custom dashboard as your default dashboard when you log in to Cortex XDR, Define as
default dashboard.
Step 8: To keep this dashboard visible only for you, select Private. Otherwise, the dashboard is public
and visible to all Cortex XDR app users with the appropriate roles to manage dashboards.
From the Reporting > Dashboards Manager, you can view all custom and default dashboards. From the
Dashboards Manager, you can also delete, edit, duplicate, disable, and perform additional management
actions on your dashboards. To manage an existing dashboard, right-click the dashboard and select the
desired action.
● Delete—Permanently delete a dashboard.
● Edit—Edit an existing dashboard. You cannot edit the default dashboards provided by Palo Alto
Networks, but you can save it as a new dashboard.
● Save as new—Duplicate an existing template.
● Disable—Temporarily disable a dashboard. If the dashboard is public, this dashboard is also
removed for all users.
● Set as default—Make the dashboard the default dashboard that displays when you (and other
users if the dashboard is public) log in to Cortex XDR.
● Save as report template—Save a report as a template.
● Investigation: Alerts, Incidents, Rules, Investigation Query
● Response: Action Center, Scripts
● Configurations: General Configurations, Auditing, Pathfinder Applet, Pathfinder Data Collection
● Assets: Asset Management
● Dashboards: Dashboards
● Reports: Reports
6.2.4 Outline the capabilities of XQL to build a report
The XDR Query Language (XQL) enables you to query data ingested into Cortex XDR for rigorous endpoint
and network-event analysis. XQL forms queries in stages. Each stage performs a specific query operation
and is delimited by a pipe (|). Queries require a dataset, or data source, to run against. Unless otherwise
specified, the query will run against the xdr_data dataset, which contains all log information that Cortex
XDR collects. However, you can also configure Cortex XDR to query additional datasets.
It is possible to create a dataset with uppercase characters in its name, but when creating a query, the
dataset name only uses lowercase characters.
Step 2: (Optional) Include the widgets listed in the widget library in your custom dashboards and reports.
Each XQL query widget creates a separate CSV file that you can:
● Send by email as separate attachments for each widget. The total size of an attachment in the
email cannot exceed 20MB.
● Send by Slack as part of a ZIP file that includes the PDF.
● Download from the Reports page.
Step 2: Right-click the dashboard from which you want to generate a report and select Save as report
template.
Step 3: Enter a unique Report Name and an optional Description of the report, then Save the template.
Step 5: Run the report. You can either Generate Report to run the report on demand, or you can Edit the
report template to define a schedule.
Step 6: After your report completes, you can download it from the Reporting > Reports page.
Scheduled Queries:
From the Scheduled Queries page, you can easily view all scheduled and recurring queries created
from the Query Builder. The Scheduled Queries page displays information about the query including the
query parameters and allows you to adjust or modify the schedule as needed. To edit a query schedule,
right-click the query and select the desired action.
SCHEDULE TIME: Frequency or time at which the query was scheduled to run
TIMESTAMP: Date and time the query was created
6.2.6 References
Custom Dashboard:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/cortex-xdr-dashboard/build-a-custom-dashboard.html
Scheduled Queries:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/search-queries/scheduled-queries
2. Which of the following paths is required to create a report from scratch?
Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for
your on-premises, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for
cloud-delivered services such as Cortex XDR.
Cortex Data Lake is secure, resilient, and fault-tolerant, and it ensures your logging data is up to date and
available when you need it. It provides a scalable logging infrastructure that alleviates the need for you
to plan and deploy Log Collectors to meet your log retention needs. If you already have on-premises Log
Collectors, the new Cortex Data Lake can easily complement your existing setup. You can augment your
existing log-collection infrastructure with the cloud-based Cortex Data Lake to expand operational
capacity as your business grows, or to meet the capacity needs for new locations.
With this service, Palo Alto Networks takes care of the ongoing maintenance and monitoring of the
logging infrastructure so that you can focus on your business.
The Cortex XDR agent protects endpoints by preventing known and unknown malware from running on
those endpoints and by halting any attempts to leverage software exploits and vulnerabilities. The agent
enforces Security policy for your organization as defined in Cortex XDR. When a security event occurs on
an endpoint, the agent collects forensic information about that event that you can use to analyze the
incident.
A Cortex XDR agent performs its own analysis locally on the endpoint but also consumes WildFire threat
intelligence. The Cortex XDR agent reports all endpoint activity to the Cortex Data Lake for analysis by
Cortex XDR apps.
Cortex XDR provides an easy-to-use interface that you can access from the Hub. By default, Cortex XDR
displays the Incident Management Dashboard when you log in. If desired, you can change the default
dashboard or build a custom dashboard that displays when you log in.
Depending on your license and assigned role, you can explore the areas in the app.
The Palo Alto Networks Broker is a secured virtual machine (VM), integrated with Cortex XDR, that
bridges your network and Cortex XDR. By setting up the broker, you establish a secure connection in
which you can route your endpoints and collect and forward logs and files for analysis.
You can configure communication through proxy servers between the Cortex XDR server and the Cortex
XDR agents running on Windows, Mac, and Linux endpoints. The Cortex XDR agent uses the proxy
settings defined as part of the Internet & Network settings or WPAD protocol on the endpoint. You can
also configure a list of proxy servers that your Cortex XDR agent will use to communicate with the
Cortex XDR server.
The Directory Sync Service enables Palo Alto Networks cloud-based applications to leverage computer,
user, and group attributes from your on-premises Active Directory for use in policy and endpoint
management. The Directory Sync Service uses an on-premises agent to collect those attributes from your
on-premises Active Directory. The Directory Sync Service agent runs in the background to collect the
Active Directory information and syncs it with the cloud-based Directory Sync Service that you configure
using the Hub.
For each file, Cortex XDR receives a file verdict and the WildFire analysis report. This report contains the
detailed sample information and behavior analysis in different sandbox environments, leading to the
WildFire verdict. You can use the report to assess whether the file poses a real threat on an endpoint.
The details in the WildFire analysis report for each event vary depending on the file type and the
behavior of the file.
7.1.8 References
Cortex agent:
Cortex console:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/use-cortex-xdr.html
Cortex broker:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/broker-vm-overview.html#id55787a75-1692-4937-86e7-7237733b935b
Proxy communication:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/set-up-endpoint-protection/proxy-configuration
Directory sync:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/set-up-dir-sync
WildFire:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-files/review-wildfire-analysis-details
Cortex Data Lake receives logs from the industry-leading Palo Alto Networks cybersecurity portfolio.
When relevant events—based on the customer’s security policies—occur across any platform elements,
logs are generated to enable detection, investigation, and analysis.
Palo Alto Networks Next-Generation Firewalls send logs to a data center located in whichever region the
customer selects. The customer can choose any of the following types of logs to send to Cortex Data
Lake:
● Traffic logs—Information about internal and external network connections from the IP addresses
of devices and users.
● Threat logs—Information about web traffic the firewall sees.
● URL Filtering logs—Information about known and unknown threats.
● Data Filtering logs—Display entries for the security rules that help prevent sensitive information
such as credit card numbers from leaving the area that the firewall protects.
● Tunnel inspection logs—Entries that track the start and end of inspected tunnel sessions. This
information is sometimes used to apply policies to tunneled traffic.
● SCTP logs—Information on a wide range of stream control transmission protocol (SCTP)
attributes, including SCTP event type, chunk type, payload protocol ID, SCTP cause code,
association ID, stream ID, and chunks, in addition to the general information that the firewall
identifies, such as source and destination address, source and destination port, and timestamp.
It also provides additional information on some applications running over SCTP, including
Diameter and SS7 protocols.
● HIP Match logs—Information about endpoints that have logged in to the GlobalProtect service.
Host Information Profile data is logged only when the connected device matches a configured
asset policy, such as when the host does not have antivirus installed.
● GlobalProtect logs—Information about the GlobalProtect auth method, LSVPN/satellite events,
portal, gateway, and clientless VPN logs.
● IP-Tag logs—Information about source IP addresses registered/unregistered on the firewall and
what tag the firewall applied to the address.
● User-ID logs—Additional user and group mappings corresponding to network and application
traffic logs.
● Authentication logs—Information about authentication events that occur when end users try to
access network resources controlled by authentication policy rules.
● Enhanced application logs—Information needed to perform analytics, such as MAC addresses,
hostnames, DNS queries/responses, and Kerberos authentication messages. MAC addresses and
hostnames are used to uniquely identify devices and their patterns on the network, while DNS
queries/responses are used to detect outbound communications caused by advanced malware.
Kerberos authentication messages log the username and can help identify unauthorized access
to services on the network.
File Forwarding
For samples that the Cortex XDR agent reports, the agent first checks its local cache of hashes to
determine whether it has an existing verdict for that sample. If the Cortex XDR agent does not have a
local verdict, the Cortex XDR agent queries Cortex XDR to determine whether WildFire has previously
analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown
after comparing it against existing WildFire signatures, Cortex XDR forwards the sample for WildFire
analysis.
Verdicts
WildFire delivers verdicts to identify samples it analyzes as safe, malicious, or unwanted (grayware is
considered obtrusive but not malicious):
● Unknown—Initial verdict for a sample that WildFire has received but has not analyzed.
● Benign—The sample is safe and does not exhibit malicious behavior. If Low Confidence is
indicated for the Benign verdict, Cortex XDR can treat this hash as if the verdict is Unknown and
further run local analysis to get a verdict with higher confidence.
● Malware—The sample is malware and poses a security threat. Malware can include viruses,
worms, Trojans, remote access tools (RATs), rootkits, botnets, and malicious macros. For files
identified as malware, WildFire generates and distributes a signature to prevent future exposure to
the threat.
When WildFire is not available or integration is disabled, the Cortex XDR agent can also assign a local
verdict for the sample using additional methods of evaluation. When the Cortex XDR agent performs
local analysis on a file, it uses pattern-matching rules and machine learning to determine the verdict. The
Cortex XDR agent can also compare the signer of a file with a local list of trusted signers to determine
whether a file is malicious.
Each time a file attempts to run, the Cortex XDR agent performs a lookup in its local cache to determine
whether a verdict already exists. If known, the verdict is either the official WildFire verdict or manually
set as a hash exception. Hash exceptions take precedence over any additional verdict analysis.
If the file is unknown in the local cache, the Cortex XDR agent queries Cortex XDR for the verdict. If
Cortex XDR receives a verdict request for a file that was already analyzed, Cortex XDR immediately
responds to the Cortex XDR agent with the verdict.
If Cortex XDR does not have a verdict for the file, it queries WildFire and optionally submits the file for
analysis. While the Cortex XDR agent waits for an official WildFire verdict, it can use file analysis and
protection flow to evaluate the file. After Cortex XDR receives the verdict, it responds to the Cortex XDR
agent that requested the verdict.
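The verdict lookup order just described (hash exception first, then the agent's local cache, then Cortex XDR, which asks WildFire, with local analysis used while a WildFire verdict is pending), as an added Python simulation that is not code from the study guide or from the Cortex XDR agent. The WildFireSim, CortexXdrSim and AgentSim classes, the simulated local analysis and every hash are constructed stand-ins for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    UNKNOWN = "unknown"
    BENIGN = "benign"
    MALWARE = "malware"


@dataclass
class WildFireSim:
    """Stand-in for the WildFire cloud: answers known hashes; otherwise records a
    submission for analysis and returns Unknown (the real verdict arrives later)."""
    known: Dict[str, Verdict]
    submitted: List[str] = field(default_factory=list)

    def lookup(self, sha256: str) -> Verdict:
        if sha256 in self.known:
            return self.known[sha256]
        self.submitted.append(sha256)
        return Verdict.UNKNOWN


@dataclass
class CortexXdrSim:
    """Stand-in for the Cortex XDR server: answers from its own verdict cache for
    files already analyzed, otherwise queries WildFire."""
    wildfire: WildFireSim
    cache: Dict[str, Verdict] = field(default_factory=dict)

    def get_verdict(self, sha256: str) -> Verdict:
        if sha256 in self.cache:
            return self.cache[sha256]
        verdict = self.wildfire.lookup(sha256)
        if verdict is not Verdict.UNKNOWN:
            self.cache[sha256] = verdict
        return verdict


@dataclass
class AgentSim:
    server: CortexXdrSim
    hash_exceptions: Dict[str, Verdict]
    local_cache: Dict[str, Tuple[Verdict, bool]]  # sha256 -> (verdict, low_confidence)
    local_analysis: Callable[[str], Verdict]       # simulated pattern rules / ML

    def resolve(self, sha256: str) -> Tuple[Verdict, str]:
        """Return (verdict, source) following the precedence the page describes."""
        # 1. A manually set hash exception takes precedence over every other analysis.
        if sha256 in self.hash_exceptions:
            return self.hash_exceptions[sha256], "hash exception"
        # 2. Local cache of official WildFire verdicts.
        if sha256 in self.local_cache:
            verdict, low_confidence = self.local_cache[sha256]
            if not (verdict is Verdict.BENIGN and low_confidence):
                return verdict, "local cache"
            # Low-confidence Benign is treated as Unknown: fall through to local analysis.
        else:
            # 3. Ask Cortex XDR, which answers from its cache or queries WildFire.
            verdict = self.server.get_verdict(sha256)
            if verdict is not Verdict.UNKNOWN:
                self.local_cache[sha256] = (verdict, False)
                return verdict, "cortex xdr"
        # 4. Still Unknown: evaluate locally while the WildFire analysis is pending.
        return self.local_analysis(sha256), "local analysis"


def should_block(verdict: Verdict) -> bool:
    return verdict is Verdict.MALWARE


# Constructed hashes for the scenarios (labels only, not real samples).
H_EXCEPTION = "11" * 32   # WildFire says Benign, but an admin hash exception says Malware
H_CACHED_MAL = "22" * 32  # Malware verdict already in the agent's local cache
H_LOW_CONF = "33" * 32    # cached Benign with Low Confidence
H_SERVER = "44" * 32      # unknown to the agent, already analyzed by WildFire
H_NEW = "55" * 32         # never seen anywhere


def simulated_local_analysis(sha256: str) -> Verdict:
    # Stands in for the agent's pattern-matching and machine-learning engines.
    return Verdict.MALWARE if sha256 == H_NEW else Verdict.BENIGN


def build_agent() -> AgentSim:
    wildfire = WildFireSim(known={H_EXCEPTION: Verdict.BENIGN, H_SERVER: Verdict.MALWARE})
    return AgentSim(
        server=CortexXdrSim(wildfire),
        hash_exceptions={H_EXCEPTION: Verdict.MALWARE},
        local_cache={H_CACHED_MAL: (Verdict.MALWARE, False),
                     H_LOW_CONF: (Verdict.BENIGN, True)},
        local_analysis=simulated_local_analysis,
    )


def run_demo() -> Dict[str, Tuple[Verdict, str]]:
    agent = build_agent()
    return {h: agent.resolve(h) for h in (H_EXCEPTION, H_CACHED_MAL, H_LOW_CONF, H_SERVER, H_NEW)}


if __name__ == "__main__":
    for sha256, (verdict, source) in run_demo().items():
        print(sha256[:8], verdict.value, "via", source, "block" if should_block(verdict) else "allow")
```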
An external dynamic list (EDL) is a text file hosted on an external web server that your Palo Alto
Networks firewall uses to provide control over user access to IP addresses and domains that Cortex
XDR has found to be associated with an alert.
Cortex XDR hosts two external dynamic lists you can configure and manage from the Cortex XDR
management console:
● IP Addresses EDL
● Domain Names EDL
To maintain an EDL in Cortex XDR, you must meet the following requirements:
● Cortex XDR Pro per TB or Cortex Pro per Endpoint license
● An App Administrator, Privileged Investigator, or Privileged Security Admin role, which includes
EDL permissions
● Palo Alto Networks firewall running PAN-OS 9.0 or a later release
● Access to your Palo Alto Networks firewall configuration
● Enable External Dynamic List and enter the Username and Password that the Palo Alto Networks
firewall should use to access the Cortex XDR EDL.
Step 2: Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in the
coming steps to point the firewall to these lists.
Step 5: Set the Cortex XDR EDL as the source for a firewall EDL.
For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use EDLs,
and how to configure them, review how to Use an External Dynamic List in Policy.
● On the firewall, select Objects > External Dynamic Lists and Add a new list.
● Define the list Type as either IP List or Domain List.
● Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last
step as the list Source.
● Select the Certificate Profile that you created in the last step.
Step 6: Select Policies > Security and Add or edit a Security policy rule to add the Cortex XDR EDL as
match criteria to a security policy rule.
Review the different ways you can enforce policy on an external dynamic list; this topic describes the
complete workflow to add an EDL as match criteria to a Security policy rule.
● Select Policies > Security and Add or edit a Security policy rule.
● In the Destination tab, select Destination Zone and select the external dynamic list as the
Destination Address.
● Click OK to save the Security policy rule and Commit your changes.
You do not need to perform an additional commit or make any subsequent configuration changes for the
firewall to enforce the EDL as part of your Security policy; even as you update the Cortex XDR EDL, the
firewall will enforce the list most recently retrieved from Cortex XDR.
During investigation, you can also Add to EDL from the Actions menu that is available from investigation
pages such as the Incidents View, Causality View, IP View, or Quick Launcher.
Step 8: At any time, you can view and make changes to the IP addresses and domain names lists.
● Navigate to Response > Action Center > EDL.
The Palo Alto Networks Broker is a secured virtual machine (VM), integrated with Cortex XDR, that
bridges your network and Cortex XDR. By setting up the broker, you establish a secure connection in
which you can route your endpoints and collect and forward logs and files for analysis.
You can leverage the Broker to run different services separately on the VM using the same Palo Alto
Networks authentication. Once installed, the broker automatically receives updates and enhancements
from Cortex XDR, providing you with new capabilities without having to install a new VM.
In Cortex XDR, select Settings > Configurations > Broker VM to view detailed information regarding
your registered broker VMs.
The Broker VMs table enables you to monitor and manage your broker VM and applet connectivity
status, version management, device details, and usage metrics.
REQUIREMENT SPECIFICATION
Processor:
● Intel Pentium 4 or later with SSE2 instruction set support
● AMD Opteron/Athlon 64 or later with SSE2 instruction set support
● Dual core processor (minimum) for Cortex XDR Agent version 7.0 and later.
The Cortex XDR agent for Mac has the following requirements:
REQUIREMENT SPECIFICATION
Processor:
● Intel Pentium 4 or later with SSE2 instruction set support
● AMD Opteron/Athlon 64 or later with SSE2 instruction set support
Software packages:
● ca-certificates
● openssl 1.0.0 or a later release
● Distributions with SELinux in enforcing or permissive mode:
o Red Hat Enterprise Linux 6, CentOS 6, and Oracle Linux 6—policycoreutils-python
o Red Hat Enterprise Linux 7, CentOS 7, and Oracle Linux 7—policycoreutils-python and selinux-policy-devel
o SUSE—policycoreutils-python and selinux-policy-devel
o Debian and Ubuntu—policycoreutils and selinux-policy-dev
7.3.3 References
2. How much RAM is required in Cortex XDR agent 7.2 for Windows?
a. 2GB minimum
b. 4GB; 8GB recommended
c. 3GB minimum
d. 512MB minimum; 2GB recommended
7.4 Outline how Cortex XDR ingests other non-Palo Alto Networks data
sources
7.4.1 Outline all ingestion possibilities
An INGEST section is used to define the resulting Parsing Rule. The CONST and RULE sections are only
add-ons, used to help organize the INGEST sections, and are optional to configure. However, a Parsing
Rules file that contains no INGEST sections generates no Parsing Rules, so at least one INGEST section
is mandatory.
In addition to native log-ingestion support, Cortex XDR also supports the following custom log-ingestion
methods:
● Ingest logs from a syslog receiver
● Ingest CSV Files as datasets
● Ingest database data as datasets
● Ingest logs in a network share as datasets
● Ingest FTP Files as Datasets
● Ingest NetFlow flow records as datasets
● Set up an HTTP Log Collector to receive logs
● Ingest logs from Elasticsearch Filebeat
● Ingest data from ServiceNow CMDB
● Ingest report data from Workday
7.4.3 References
Ingest:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-parsing-rules/parsing-rules-file-structure/ingest
Ingestion methods:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/external-data-ingestion/additional-log-ingestion-methods-for-cortex-xdr.html#additional-log-ingestion-methods-for-cortex-xdr
7.4.4 Sample Questions
1. What does SFTP stand for?
a. System File Transfer Protocol
b. Secure File Transfer Protocol
c. Secure File Transmission Protocol
d. System File Transmission Protocol
To set up the Broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks
on your network or supported cloud infrastructure and activate the available applications. You can set up
several broker VMs for the same tenant to support larger environments. Ensure that each environment
matches the necessary requirements.
Step 2: Download and install the Broker VM images for your corresponding infrastructure:
● Amazon Web Services (AWS)—Use the VMDK to create a Broker VM Amazon Machine Image
(AMI).
● Google Cloud Platform—Use the VMDK image to set up the Broker VM on Google Cloud
Platform (GCP).
● Microsoft Hyper-V—Use the VHD image.
● Microsoft Azure—Use the VHD (Azure) image to create a Broker VM Azure Image.
● VMware ESXi—Use the OVA image.
Step 5: Log in with the default password !nitialPassw0rd and then define your own unique password.
● If you choose Static, define the following and Save your configurations:
o Static IP address
o Netmask
o Default Gateway
o DNS Server
When using PuTTYgen to create your public and private key pairs, you need to copy the public key
generated in the “Public key for pasting into OpenSSH authorized_keys file” box and paste it in the
broker VM SSH Public Key section, as explained above. This public key is only available when the
PuTTYgen console is open after the public key is generated. If you close the PuTTYgen console before
pasting the public key, you will need to generate a new public key.
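The field expects the single-line authorized_keys form ("ssh-ed25519 AAAA... comment"), which is the text shown in the PuTTYgen box, not the multi-line RFC 4716 file that PuTTYgen's "Save public key" button writes. The check below is an added example for this guide, not Palo Alto Networks code: it verifies that a pasted key is one line, has a supported key type, that the base64 blob decodes, and that the type embedded in the blob matches the declared type. The sample key bytes are constructed for the example and are not a real key.

```python
"""Check that a public key is in one-line OpenSSH authorized_keys form
before pasting it into the Broker VM SSH Public Key field.

Added example, not Palo Alto Networks code. The list of accepted key
types is an assumption for the example.
"""
import base64
import struct

ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; returns (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise struct.error("string runs past end of blob")
    return blob[start:start + length], start + length


def check_authorized_key_line(line: str):
    """Return (ok, reason). ok is True only for a well-formed single-line key."""
    text = line.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return False, "RFC 4716 file format; copy the authorized_keys line instead"
    if "\n" in text:
        return False, "key must be a single line"
    parts = text.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64-blob> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type not in ACCEPTED_TYPES:
        return False, f"unsupported key type {key_type}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False, "blob is not valid base64"
    try:
        embedded_type, offset = _read_ssh_string(blob, 0)
        if embedded_type != key_type.encode():
            return False, "blob type does not match the declared type"
        if key_type == "ssh-ed25519":
            # An ed25519 blob is exactly: string(type) + string(32-byte key).
            pubkey, end = _read_ssh_string(blob, offset)
            if len(pubkey) != 32 or end != len(blob):
                return False, "malformed ed25519 blob"
    except struct.error:
        return False, "blob too short"
    return True, "ok"


def make_ed25519_line(raw_pubkey: bytes, comment: str = "broker-vm") -> str:
    """Build an authorized_keys line from raw ed25519 public key bytes."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample material: 32 arbitrary bytes, not a real key.
SAMPLE_LINE = make_ed25519_line(bytes(range(32)))
RFC4716_SAMPLE = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
                  'Comment: "broker-vm"\n'
                  + SAMPLE_LINE.split()[1] + "\n"
                  "---- END SSH2 PUBLIC KEY ----")

if __name__ == "__main__":
    for candidate in (SAMPLE_LINE, RFC4716_SAMPLE, "ssh-ed25519 AAAA"):
        print(check_authorized_key_line(candidate))
```

The blob type check matters because the field takes whatever text is pasted; a key saved from PuTTYgen in its native format, or a line whose declared type and blob disagree, simply never lets you in, and the broker VM gives little feedback beyond a failed SSH login.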
● (Optional) (Requires Broker VM 8.0 and later) Collect and Download Logs. Your XDR logs will
download automatically after approximately 30 seconds.
Step 7: Register and enter your unique Token, created in the Cortex XDR console.
Cortex XDR can receive logs or both logs and alerts from the source. Depending on the data source,
Cortex XDR can provide visibility into your external data in the form of:
● Log stitching with other logs, for example to create network or authentication stories.
● Raw data in queries from XQL Search.
● Alerts reported by the vendor throughout Cortex XDR such as in the Alerts Table, incidents, and
views.
● Alerts raised by Cortex XDR on log data such as Analytics alerts.
To ingest data, you must set up the Syslog Collector applet on a broker VM within your network.
To deploy Cortex XDR in restricted networks where endpoints do not have a direct connection to the
internet, set up the Broker VM to act as a proxy that routes all the traffic between the Cortex XDR
management server and Cortex XDR agents via a centralized and controlled access point. This enables
your agents to receive Security policy updates and send logs and files to Cortex XDR without a direct
connection. Only the Broker VM itself, not the agents behind it, needs to reach the internet.
In environments where agents communicate with the Cortex XDR server through a wide-system proxy,
you can now set an application-specific proxy for the Traps and Cortex XDR agent without affecting the
communication of other applications on the endpoint. You can set the proxy in one of three ways: during
the agent installation, after installation using Cytool on the endpoint, or from Endpoints Management
in Cortex XDR as described below. You can assign up to five different proxy servers per agent. The
proxy server the agent uses is selected randomly and with equal probability. If the communication
between the agent and the Cortex XDR server through the app-specific proxies fails, the agent resumes
communication through the system-wide proxy defined on the endpoint. If that fails as well, the agent
resumes communication with Cortex XDR directly.
Step 1: From Cortex XDR, select Endpoints > Endpoint Management > Endpoint Administration.
● You can assign up to five different proxies per agent. For each proxy, enter the IP address and
port number. For Cortex XDR agents 7.2.1 and later, you can also configure the proxy by entering
the FQDN and port number. When you enter the FQDN, you can use either all lowercase letters
or all uppercase letters. Avoid using special characters or spaces.
● For example: my.network.name:808,YOUR.NETWORK.COM:888,10.196.20.244:8080.
● Set when you’re done.
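The proxy list format and the fallback order described above can be modelled to see what the agent will actually do with a given console value. The script below is an added example for this guide, not Cortex XDR agent code. It parses the comma-separated host:port list (IP or FQDN, at most five entries), enforces the all-lowercase-or-all-uppercase FQDN rule, picks an app-specific proxy at random with equal probability, and falls back to the system proxy and then to a direct connection. The text does not say whether the agent tries the other app-specific proxies before falling back; trying them all in random order is an assumption here, and the `attempt` callback stands in for the real connection.

```python
"""Model the Cortex XDR agent's app-specific proxy selection and fallback.

Added example, not Palo Alto Networks agent code. Assumptions: every
app-specific proxy is tried (in random order) before the system proxy,
and IPv6 proxy addresses are out of scope (the text shows IPv4 only).
"""
import ipaddress
import random
import re

MAX_PROXIES = 5
FQDN_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_proxy_list(spec: str):
    """Turn 'host:port,host:port' into [(host, port), ...], validating each entry."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if len(entries) > MAX_PROXIES:
        raise ValueError(f"at most {MAX_PROXIES} proxies allowed, got {len(entries)}")
    proxies = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"{entry!r}: expected host:port with a valid port")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # Not an IP address, so it must be an FQDN: plain labels only
            # (no spaces or special characters), all lowercase or all uppercase.
            if not all(FQDN_LABEL.match(label) for label in host.split(".")):
                raise ValueError(f"{host!r}: invalid FQDN")
            if host not in (host.lower(), host.upper()):
                raise ValueError(f"{host!r}: FQDN must be all lowercase or all uppercase")
        proxies.append((host, int(port)))
    return proxies


def connect(proxies, attempt, system_proxy=None, rng=random):
    """Return (route, trail) following the documented fallback order.

    attempt(route) -> bool decides whether a route works. Routes are
    ('app', (host, port)), ('system', system_proxy) or ('direct', None).
    """
    trail = []
    # App-specific proxies: random order, each equally likely to be first.
    for proxy in rng.sample(proxies, len(proxies)):
        route = ("app", proxy)
        trail.append(route)
        if attempt(route):
            return route, trail
    if system_proxy is not None:
        route = ("system", system_proxy)
        trail.append(route)
        if attempt(route):
            return route, trail
    route = ("direct", None)
    trail.append(route)
    return (route if attempt(route) else None), trail


# The example value from the text, exactly as it would be entered in the console.
CONSOLE_VALUE = "my.network.name:808,YOUR.NETWORK.COM:888,10.196.20.244:8080"
# Constructed system-wide proxy for the demonstration.
SYSTEM_PROXY = ("proxy.corp.example", 3128)

if __name__ == "__main__":
    proxies = parse_proxy_list(CONSOLE_VALUE)
    # Constructed outcome: every proxy is unreachable, only direct works.
    route, trail = connect(proxies, lambda r: r[0] == "direct",
                           system_proxy=SYSTEM_PROXY, rng=random.Random(1))
    for step in trail:
        print("tried", step)
    print("using", route)
```

Two points the model makes visible: a mixed-case FQDN such as My.Network.Name is rejected up front rather than silently failing at runtime, and when all app-specific proxies are down the agent still ends up on the system proxy or a direct connection, so blocking direct egress at the firewall is what enforces the proxy, not the agent setting alone.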
Pathfinder™ is a highly recommended, but optional, component integrated with the Broker VM that
deploys a nonpersistent data collector on network hosts, servers, and workstations that are not
managed by a Cortex XDR agent. The collector is automatically triggered by Analytics type alerts with a
severity of High and Medium as described in the Cortex XDR Analytics Alert Reference, providing insights
into assets that you previously would have been unable to scan.
When an alert is triggered, the data collector can run for up to two weeks gathering EDR data from
unmanaged hosts. You can track and manage the collector directly from the Cortex XDR console and
investigate the EDR data by running a query from the Query Center.
Activate the Pathfinder app to deploy and query the data collector.
Step 1: In Cortex XDR, select Settings > Configurations > Broker VM and locate your broker VM.
● Select the IP Address Ranges to scan from your defined Network Configurations and deploy
the data collector. You can add IP address ranges if you don’t see a range in the populated list.
By default, every IP address range will use the Pathfinder credentials and settings you defined in the
Credentials section, and each range is labeled as an Applet Configuration.
● Activate your Pathfinder. After a successful activation, the Apps field displays Pathfinder -
Active, Connected.
Step 4: In the App field, select Pathfinder to view the following applet metrics:
● Connectivity Status—Whether the applet is connected to Cortex XDR
● Handled Tasks—How many collectors are in progress, pending, or successfully running out of the
number of collectors that need to be set up
● Failed Tasks—How many collectors have failed
● Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
Step 7: Query the collector data. Data gathered by the data collector can be queried and investigated
from the Query Center. To run a query on the EDR data from an unmanaged host:
● Navigate to Investigation > Query Center.
● Select the type of query you want to run and enter the search criteria.
When defining the Host attributes, for INSTALLATION TYPE, make sure to select Data Collector.
7.5.5 References
Broker:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm.html
Pathfinder:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-pathfinder
7.5.6 Sample Questions
1. What does DHCP (dynamic host configuration protocol) provide to the client?
a. MAC address
b. IP address
c. URL
d. None of the mentioned
Domain 1.2.5
1. Which MITRE ATT&CK tactic is being used if the adversary is attempting to communicate with
compromised systems to control them?
a. Exfiltration
b. Command and Control
c. Execution
d. Persistence
e. Lateral Movement
2. Which MITRE ATT&CK tactic is being used if the adversary is trying to run malicious code?
a. Exfiltration
b. Command and Control
c. Execution
d. Persistence
e. Lateral Movement
Domain 1.3.5
2. You notice that a hardware device is damaged and important data files have been completely
erased from the system. What kind of threat appears to be present here?
a. Interruption
b. Interception
c. Fabrication
d. Modification
Domain 2.1.4
Domain 2.2.7
Domain 2.3.7
1. Which profile prevents attempts to exploit system flaws or obtain unauthorized access to
systems?
a. Antivirus profiles
b. Anti-Spyware profiles
c. Vulnerability protection profiles
d. URL filtering profiles
2. At what phase in the malware protection flow does the Cortex XDR agent observe the file's
behavior and apply additional malware protection rules?
a. Evaluation of Child Process Protection Policy
b. Evaluation of the Restriction Policy
c. Hash Verdict Determination
d. Evaluation of Malware Security Policy
Domain 2.4.5
1. Which of the following is a piece of software or a command that takes advantage of a bug in
order to trigger undesired actions and behaviors?
a. Malware
b. Trojan
c. Exploit
d. Worms
1. Which MITRE ATT&CK tactic employs techniques for obtaining data from a network, such as
valuable enterprise data?
a. Exfiltration
b. Command and Control
c. Execution
d. Persistence
2. The analytics engine creates and maintains a very large number of profile types, but they can all
be categorized into how many categories in general?
a. 4
b. 2
c. 3
d. 5
Domain 3.1.6
Domain 3.2.6
8. What threshold does Cortex XDR provide to keep incidents fresh and relevant?
a. 20 days after the incident was created and 14 days since the last alert in the incident was
detected
b. 30 days after the incident was created and 10 days since the last alert in the incident was
detected
c. 20 days after the incident was created and 10 days since the last alert in the incident was
detected
d. 30 days after the incident was created and 14 days since the last alert in the incident was
detected
Domain 3.3.6
1. By default, Palo Alto Networks provides you with a variety of pre-canned scripts that you can use
out-of-the-box. Which of the following statements about scripts is incorrect?
a. You can view the script.
b. You can download the script code and meta-data.
c. You can duplicate the script.
d. You can edit the code or definitions of pre-canned scripts.
Domain 3.4.4
Domain 4.1.6
2. Which of the following refers to the ‘summary of the remediation suggestion to apply to the file
or registry’?
a. Suggested remediation
b. Original event description
c. Suggested remediation description
d. Remediation status
Domain 4.2.5
1. What is ransomware?
a. Computer equipment that criminals steal from you and won’t return until you pay them.
b. Software that infects computer networks and mobile devices to hold your data hostage until
you send the attackers money.
c. Software used to protect your computer or mobile device from harmful viruses.
d. A form of cryptocurrency.
2. Which of the following can be done to significantly decrease the chances of putting your
organization at risk for a Ransomware attack?
a. Verify links in email, except from known contacts
b. Purchase only software, programs and applications from reputable companies
Domain 4.3.8
2. In Cortex XDR, how many different methods can you use to search for a file?
a. 2
b. 4
c. 3
d. 5
Domain 5.1.6
1. Which of the following techniques is used to investigate any lead quickly, expose the root cause of
an alert, perform damage assessment, and hunt for threats from your data sources?
a. IOC Technique
b. Query Builder Technique
c. BIOC Technique
d. XQL Technique
2. Which of the following techniques alerts on and responds to behaviors (tactics, techniques, and
procedures)?
a. XQL Technique
b. IOC Technique
c. Query Builder Technique
d. BIOC Technique
Domain 5.2.3
2. Which of the following field configurations are not included in a user-defined BIOC rule event?
(Choose three.)
a. Host Name
b. Device Serial Number
c. IP Address
d. Device Type
Domain 5.3.3
Domain 6.1.3
1. Which option from the reporting menu will you choose if you need to add additional widgets to
the dashboard?
a. Dashboard
b. Dashboards Manager
c. Reports
d. Reports Templates
2. Response action breakdown widget belongs to which of the following widget categories?
(Response action breakdown - Displays the top response actions taken in the Action Center over
the last 24 hours, 7 days, or 30 Days)
a. Agent Management Widgets
b. Incident Management Widgets
Domain 6.2.7
2. Which of the following paths is required to create a report from scratch?
a. Reporting > Report Templates
b. Reporting > Dashboard Manager
c. Reporting > Reports
d. Reporting > Dashboard
Domain 7.1.9
1. _____ is a secured virtual machine, integrated with Cortex XDR, that bridges your network and
Cortex XDR.
a. Cortex Console
b. Cortex Agent
c. Cortex Broker
d. WildFire
2. Which of the following tabs needs to be selected for managing Cortex XDR agents?
a. Reporting
b. Investigation
c. Response
d. Endpoints
Domain 7.2.7
1. Which of the following does not pose a direct security threat, but might display otherwise
obtrusive behavior?
a. Virus
Domain 7.3.4
1. What is the specification for hard disk space in Cortex XDR agent 7.2 for Mac?
a. 10GB
b. 512MB minimum; 2GB recommended
c. 200MB minimum; 20GB recommended
d. 12 GB
2. How much RAM is required in Cortex XDR agent 7.2 for Windows?
a. 2GB minimum
b. 4GB; 8GB recommended
c. 3GB minimum
d. 512MB minimum; 2GB recommended
Domain 7.4.4
Domain 7.5.6