
ULTIMATE

TEST DRIVE
Cybersecurity Portfolio

Workshop Guide

UTD-CP-2.0 © 2020 Palo Alto Networks, Inc. | Confidential and Proprietary 20200912 1
Table of Contents
How to Use This Guide 4
Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log In to Your Ultimate Test Drive Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 - Enable Internet Access on the ML-Powered Next-Generation Firewall 7
Task 4 – Install Cortex XDR Agent on Protected Client 8

Activity 1 – Conduct a Ransomware Attack 10


Task 1 - Brief Overview of Ransomware Attack Sequence 10
Task 2 - Check Attacker VM Status 11
Task 3 - Compromise Victim System via Exploit 12
Task 4 - Attacker to Upload and Execute the Ransomware on Victim 13
Task 5 - Execute Ransomware on the Victim Client 14
Task 6 - Test Ransomware on the Protected Client 16

Activity 2 – Protection with the ML-Powered Next-Generation Firewall 17


Task 1 - Review the Port-Based Policy for the Victim 17
Task 2 - Review the Policy for the Protected Client 19
Task 3 - Re-Run the Ransomware on the Protected Client Without URL Filtering 20
Task 4 - Re-Run the Ransomware Attack on the Protected Client 23
Task 5 - Remove the Next-Generation Firewall Protection from the Protected Client 24

Activity 3 - Cortex XDR Detection and Response Platform 26


Task 1 - Review the Cortex XDR Client Console 26
Task 2 – Introduction to Cortex XDR 27
Task 3 – Login and Review Cortex XDR 28
Task 4 – Quick Look at Cortex XDR Pro 33

Activity 4 - Prevent Unknown Threat with WildFire and Cortex XDR 37


Task 1 - Enable WildFire on the ML-Powered Next-Generation Firewall 37
Task 2 - Review WildFire on Cortex XDR 39
Task 3 - Download and Execute a Zero-Day Malware Sample File 41
Task 4 - Review WildFire Submission and Verdict on Cortex XDR 41
Task 5 - Review WildFire Submission and Verdict on the Firewall 43

Activity 5 – Introduction to Cortex Data Lake and Cortex XSOAR 45


Task 1 – Log into Network Security Management: Panorama 45
Task 2 – Check the Panorama cloud services plugin and the Cloud Services status 47
Task 3 – Forwarding Logs to Cortex Data Lake with Template and Device Object 47

Task 4 – Your Guide to Security Orchestration Automation and Response (SOAR) 50
Task 5 – Quick Look at Cortex XSOAR 50

Activity 6 – Protection for Public Cloud with VM-Series and Prisma Cloud 52
Task 1 – VM-Series ML-Powered Next-Generation Firewall in Public Cloud 52
Task 2 – Manage VM-Series in Public Cloud with Panorama Plugins 55
Task 3 – Resources for VM-Series in Public Cloud 56
Task 4 – Prisma Cloud for Public Cloud Quick Look 58
Task 5 – Subscribe to Prisma Cloud Free Trial (Optional) 58

Activity 7 – Protecting SaaS Applications and Remote Users with Prisma SaaS and Prisma Access 61
Task 1 - Sanctioned SaaS Applications 61
Task 2 - SaaS Application Security with Prisma SaaS 62
Task 3 - Prisma SaaS Dashboard 63
Task 4 - WildFire Analysis by Prisma SaaS and SaaS Risk Assessment Report 65
Task 5 – Prisma Access Overview 67

Activity 8 - Feedback on Ultimate Test Drive 68


Task 1 – Take the online survey 68

How to Use This Guide
The activities outlined in this Ultimate Test Drive Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any
potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the
following activities (Chrome is pre-installed on the student desktop of the workshop PC).

Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.

Activity 0 – Initiate the UTD Workshop
In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop.
• Learn the layout of the environment and its various components.
• Enable the firewall to facilitate connectivity.

Task 1 – Log In to Your Ultimate Test Drive Class Environment


Step 1: Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox®, Chrome, or Internet Explorer®/Edge®.

Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.

Enter your email address and the class passphrase.

Step 3: Complete the registration form and click Login at the bottom.

Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.
Once the environment has been created, the system will display a welcome page.

This will display a list of all virtual systems that constitute the UTD environment.

Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops. There are more tabs on the right-hand side; click the
right arrow or the down arrow to see all of them.

Task 2 - Understand the UTD Environment Setup


This UTD environment consists of the following components:
A. Security Admin: This is the main workstation for you, the security administrator, which you will
use to modify the settings for different Palo Alto Networks products, including the ML-Powered
Next-Generation Firewall, Cortex XDR management service, Panorama and others.
B. Victim: This is a Windows® 7 virtual machine, on which you will carry out the exercises in our
workshop. This virtual machine is protected by neither a firewall nor an endpoint solution. You will
use this system as the victim of the ransomware attacks in our workshop.
C. Protected Client: This Windows 7 virtual system is similar to the Victim, but protected by the
Palo Alto Networks products, including the ML-Powered Next-Generation firewall and Cortex
XDR.
D. Attacker: This virtual machine is a Kali Linux system that hosts Metasploit®, a penetration testing
tool. You will use this virtual machine to take on the role of the attacker in our workshop
exercises.
E. VM-Series: This is the Palo Alto Networks virtual ML-Powered Next-Generation Firewall.
Review the diagram below to better understand the UTD environment setup.

Task 3 - Enable Internet Access on the ML-Powered Next-Generation
Firewall
Step 1: Click the Security Admin tab to access that desktop in your browser. Click the Security Admin-
OpenKiosk icon to launch the browser. The VM-Series login page should already be loaded; if it is not,
click the VM-Series bookmark using the star icon next to the URL bar.

You can also use the “VM-Series GUI” tab to open a direct connection to the NGFW login page.

Log in to the firewall with the following name and password:


Name: student
Password: utd135

Close the Welcome message and you will see the Dashboard view.

Step 2: Go to the Network tab. In the Interface node, note that the Link State of ethernet1/1 is red. Click
on ethernet1/1.

Step 3: Click the Advanced tab. Click the Link State drop-down menu to the right of the dialog box,
select up, then click OK to close the window. Click the Commit button in the top right-hand corner to
confirm the changes. Click Commit again in the Commit window to activate the configuration changes.

Step 4: Once the commit process has completed, you will see that the Link State of ethernet1/1 has
turned green now that the interface is up.

Task 4 – Install Cortex XDR Agent on Protected Client


Step 1: Click the Protected Client tab to access that desktop in your browser.

Step 2: Double-click the “Install Cortex XDR” icon on the desktop to launch the Cortex XDR Agent
installer.

Step 3: The XDR agent will automatically install. Once completed, double-click the icon in the
system tray to bring up the Cortex XDR agent console. It may take a few minutes for the XDR agent to
connect to Cortex XDR.

Step 4: After the installation, open the Cortex XDR agent console using the system tray icon, then click
Check in Now to connect to the XDR server. This allows the newly installed XDR agent to register with the
Cortex XDR management service.

End of Activity 0

Activity 1 – Conduct a Ransomware Attack
In this activity, you will:
• Become the attacker and launch a ransomware attack on the Victim system.
• Experience how the Victim system is compromised through a spear phishing attack.
• Launch a ransomware attack on the Protected Client.

Task 1 - Brief Overview of Ransomware Attack Sequence


A typical ransomware attack involves two main stages:
• Compromise a victim system via exploit.
• Deliver and execute ransomware.
We will conduct a ransomware attack in this activity from both the attacker and victim perspectives. The
attacker hosts a website that delivers an exploit to the victim’s system. When the victim clicks a link in a
phishing email, he or she is redirected to the attacker’s website, where a Flash® Player exploit
compromises the victim’s system.
Once the victim’s system is compromised, the attacker uploads ransomware to the victim’s machine and
executes it.
This process is depicted in the figure below.

In the next few tasks in this activity, you will play the roles of both the attacker and the victim and see the
ransomware in action.

Task 2 - Check Attacker VM Status
Step 1: Click the Attacker tab to access that desktop in your browser.

Once you launch the Attacker VM, you will see a terminal window open on the desktop. (Login root /
toor).

Step 2: In the terminal window, type the following command and press the Enter/Return key:
root@kali:~# ./demo-attack
This will start the exploit program and configure the Attacker VM to listen for incoming connections and
serve the Flash Hacking Team zero-day exploit to the Victim VM. This process may take a while, so
please be patient.
When configuration is completed, the terminal should display the following prompt:
msf exploit(adobe_flash_hacking_team_uaf) >
The Attacker system is now ready and online, waiting for a connection from the Victim system.

Step 3: Enter “sessions” into the prompt to list the active sessions:
msf exploit(adobe_flash_hacking_team_uaf) > sessions
There should be no active sessions on the Attacker VM.

Task 3 - Compromise Victim System via Exploit
In this task, you take on the role of the victim. As the victim, you have received a spear phishing email,
which includes a hidden link to the attacker’s listener service. You will click the link, and the VM will be
compromised by the exploit delivered by the attacker’s listener service.
Step 1: Go to the Victim desktop. Click the Victim tab to open the Victim VM.

Microsoft Outlook® will be open and running on the desktop. An email with the subject line “Someone has
your password” is displayed in the preview pane. This looks like a legitimate email from Google, informing
you that someone is trying to access your device. The email suggests you review the device to ensure
your password is safe.

Step 2: Click the Review Your Devices Now link in the email. This will open Internet Explorer and,
after a short delay, display a webpage that resembles the Google account login page.

If you see the Google page, the Attacker system has successfully compromised the Victim system. In the
next task, you will resume the role of the attacker and continue the next stage of the attack.

Note: You should not need the credentials for the user associated with the Victim VM. However, if
the system does present you with a login screen, click the icon associated with the user “Jen” and
use the password “Password1”.

Task 4 - Attacker to Upload and Execute the Ransomware on Victim
In this task, you will return to the role of the Attacker and continue the next stage of the attack by
uploading and executing ransomware on the Victim system.
Step 1: Go back to the Attacker VM. You should see the Metasploit listener service received a request,
sent a SWF file in reply, and opened a “Meterpreter” session to the Victim VM.

Note: If you have been disconnected from the Attacker desktop, click the Reconnect link above the
desktop display area to re-establish your connection.

Step 2: To verify the session between the Attacker and Victim is open, use the “sessions” command to list
the active sessions (hit Enter/Return to get the command prompt):
msf exploit(adobe_flash_hacking_team_uaf) > sessions

An open session indicates that the Attacker has an active, direct connection to the Victim VM, which can
be used to further compromise the system.
Note the Id of the active session connected to the Victim VM. This is the “Session Id” you will need to
enter in the next step. It should be session “1”.
Note: this number may be different if you refreshed the browser on the Victim VM at any point.

Step 3: Initiate an interactive session with the Victim by entering “sessions -i <id>” at the Metasploit
prompt. Remember to substitute your “Session Id” for the number “1” in this command if you have a
different ID number.
msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1…” and change
the prompt to a Meterpreter prompt.

At this point, you have connected to the Victim VM and can execute any number of available commands
to exploit the system. For a list of available commands, type “?” and press Enter/Return at the
Meterpreter prompt (we will not explore the available Meterpreter commands in this exercise). The
Attacker VM has taken control of the Victim VM at this point.

Step 4: The Attacker VM will now upload the ransomware executable file (happy.exe) to the Victim
VM. Enter the following command at the prompt:
meterpreter > cd /Temp
meterpreter > dir (the directory should be empty)
meterpreter > upload happy.exe
You should see messages confirming that “happy.exe” has been successfully uploaded to the Victim VM.
Enter “dir” again to check that the file is now present.

The Attacker VM is now ready to launch a ransomware attack on the Victim VM.
Note: The Petya ransomware is used in this exercise.

Task 5 - Execute Ransomware on the Victim Client


For this task, you must be prepared to quickly switch over to the browser tab for the Victim VM as soon as
you (as the attacker) have executed the ransomware. This ransomware acts very quickly to infect a
system, and if you remain in the Attacker environment, you will miss some of its actions.
Step 1: In the Attacker terminal window, enter the following command at the Meterpreter prompt (be
prepared to switch to the Victim VM as soon as possible):
meterpreter > execute -f happy.exe -H
Step 2: Quickly switch to the Victim tab. Once the ransomware executes on the Victim VM, it will simulate
a “blue screen of death” that typically accompanies a Windows system crash and reboot the Victim VM.

The ransomware will simulate the process of checking the disk on the Victim VM (the CHKDSK process).

However, the counter that indicates the progress will never stop counting.
Step 3: Click on the Send Ctrl-Alt-Delete button on the left side of Victim VM window.
The Victim VM will display a flashing, red and grey “skull and crossbones” image and prompt the user to
“PRESS ANY KEY!”

Step 4: Click inside the “skull and crossbones” image and press the space bar. This should change the
image to a ransomware warning page, with a list of demands and instructions to submit payment in order
to unlock the system.

Congratulations! You are at once an attacker and a victim.


You will no longer be able to use this Victim VM. Return to the Attacker desktop.
Step 5: On the Attacker desktop, end the Meterpreter session using the exit command:
meterpreter > exit
Step 6: This will return you to the Metasploit prompt. Execute the sessions command again to see if
there are any other open sessions. You should see none, as the Victim system has been compromised.

Note: Leave the Attacker browser tab open. We will return to it in the next activity.

Task 6 - Test Ransomware on the Protected Client
In this task, we repeat the same attack on the Protected Client VM and see what happens.
Step 1: Click the Protected Client tab. Click the Outlook icon. You will see the same email in the
Outlook window. Also note the Cortex XDR window behind it, which we will use in Activity 3.

Step 2: Click the Review Your Devices Now link in the phishing email, as you did on the Victim VM.

You should see a “Web Page Blocked” message. It looks like the Protected Client is protected against
compromise from the Stage 1 attack.
You can also see on the Attacker VM that no session was set up for exploit delivery.
In the next activity, we will take a closer look at how the next-generation firewall protects the Protected
Client from the Stage 1 attack.

End of Activity 1

Activity 2 – Protection with the ML-Powered Next-Generation Firewall
In this activity, you will:
• Access the firewall and see how it helps to prevent a ransomware attack.
• Learn about the various layers of protection provided by the Palo Alto Networks ML-Powered
Next-Generation firewall.
• Witness Cortex XDR preventing a ransomware attack.

Task 1 - Review the Port-Based Policy for the Victim


In this task, you will access the firewall using the Security Admin VM to review how the ML-Powered
Next-Generation Firewall prevented the first stage of attack on the Protected Client VM in the last activity.
The firewall policies configured in this lab are designed to highlight the traffic between the Victim, Attacker
and Protected Client VMs. Policies for an actual network are likely to be different.
Step 1: Open the Security Admin tab.
The next few steps will give a quick walkthrough of the next-generation firewall GUI. If this is your first
time using a Palo Alto Networks ML-Powered Next-Generation firewall, you may want to read carefully.
The Dashboard tab widgets show you important information about the firewall, such as the software
version, the operational status of each interface, resource utilization, and more. All of the available
widgets are displayed by default, but each administrator can remove and add individual widgets, as
needed.

Step 2: Click on the ACC tab. This takes you to the Application Command Center, where you can get a
look at the applications and threats the firewall sees.

The Policies tab is where all firewall policies are configured. There are various policy types, from Security
policies that decide which traffic is allowed to NAT or Decryption policies that define other functions of the
next-generation firewall. Feel free to examine the different policy nodes on the left.

Step 3: Click on the Security node. The first policy, Victim to Attacker, is configured with a port-based
firewall policy. Click on Victim to Attacker to open the Security Policy Rule configuration window. Make
sure the Source is set to Victim and the destination is set to Attacker.

Step 4: The Victim to Attacker policy is described as a port-based policy because it allows all applications
to run on ports 80, 443 and 8080. Review the Application and Service/URL Category tabs to confirm the
policy configuration.
Ports 80 and 443 are commonly open for HTTP and SSL traffic, while port 8080 is often opened for internal
web servers supporting internal webpages.

Step 5: Go to the Actions tab and note that Profile Setting is set to None, meaning no next-generation
protection is applied on this policy. This explains why the firewall did not provide any protection to the
Victim VM. Close the policy window.

Task 2 - Review the Policy for the Protected Client


Let’s look at the policy for the Protected Client VM and see how it is different.

Step 1: Click on the Protected Client to Attacker policy to open the Security Policy Rule configuration
window. Note that source and destination are set to Protected Client and Attacker.

Step 2: Go to the Application tab. Note that only selected applications (web-browsing, SSL and Flash)
are allowed.

Step 3: Go to the Service/URL Category tab. Note that application-default is selected, so those
applications are only allowed to run on the default ports. Note that you do not need to know which ports
are needed for the applications selected. The Palo Alto Networks ML-Powered Next-Generation Firewall
keeps track of the default port for each application.

Step 4: Go to the Actions tab. Note that protection profiles are configured for Antivirus, Vulnerability
Protection, Anti-Spyware, URL Filtering, Data Filtering and WildFire Analysis. These enable many
protections offered by the firewall.

Step 5: Change the URL Filtering protection to None. Let’s see if disabling URL Filtering will let the
Attacker VM exploit the Protected Client. Click OK to close the policy window.

Step 6: Click the Commit button in the top right-hand corner to confirm the changes. Click Commit again
in the Commit window to activate the configuration changes.

Task 3 - Re-Run the Ransomware on the Protected Client Without URL Filtering
Let’s revisit the phishing email on the Protected Client to see if removing URL Filtering protection will
allow the attacker to exploit the system.

Step 1: Go back to the Protected Client and close the Web Page Blocked window. Then click on the
Review Your Devices Now link in the phishing email again.

This time, the Google page will be allowed to open, which shows that the Protected Client VM is not
protected by URL Filtering. Let’s go to the Attacker VM and see if the exploit succeeds.

Step 2: Go to the Attacker browser tab. Note there is no listener session open. Hit enter to get back to
the prompt. Enter “sessions” to see if there are any open sessions. There should be none.

This indicates the Attacker VM was not successful in exploiting the Protected Client VM.

Step 3: Go back to the Security Admin VM. Go to the firewall and review the traffic logs under
Monitor > Logs > Traffic. At the bottom, click Resolve hostname to enable it.

Step 4: Let’s review the traffic logs. Under the Source column, click on Protected Client. This will
populate the search window with the Protected Client VM’s source address. Then, under the Destination
column, click on Attacker to add the Attacker VM’s destination address to the filter.

Step 5: Click on the Apply Filter icon (an arrow pointing to the right) to apply the filter string.

Note that the traffic from the Protected Client VM on port 8080 is blocked by the firewall.
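The filtering done by hand in Steps 3 to 5 (resolve hostnames, filter on Protected Client as source and Attacker as destination, read off the blocked session) can be reproduced over an exported log. The following is an added example for this guide, not code from Palo Alto Networks: the sample records, the 10.10.10.x addresses, the column layout and the rule name "Protected Client to Internet" are constructed for illustration and do not reproduce the real PAN-OS CSV export. The filter syntax it accepts, `( addr.src in X ) and ( addr.dst in Y )`, is the form the GUI builds when you click a Source and a Destination value; the model only supports and-joined source/destination clauses.

```python
"""Filter constructed traffic-log records the way Task 3, Steps 3-5 do it in
the firewall GUI. Added example: the records, addresses and column layout are
constructed for illustration and are not a PAN-OS log export."""
import csv
import io
import re

# Constructed sample export whose columns mirror the GUI columns used above.
SAMPLE_LOG = """\
time,src,dst,dport,app,rule,action
2020-09-12 10:01:02,10.10.10.20,10.10.10.30,80,web-browsing,Protected Client to Attacker,allow
2020-09-12 10:01:03,10.10.10.20,10.10.10.30,8080,flash,interzone-default,deny
2020-09-12 10:01:04,10.10.10.10,10.10.10.30,8080,flash,Victim to Attacker,allow
2020-09-12 10:01:05,10.10.10.20,10.10.10.50,443,ssl,Protected Client to Internet,allow
"""

# Equivalent of "Resolve hostname": a constructed address-to-name map.
HOSTNAMES = {"10.10.10.10": "Victim", "10.10.10.20": "Protected Client",
             "10.10.10.30": "Attacker"}

FIELD_FOR = {"addr.src": "src", "addr.dst": "dst"}
_CLAUSE = re.compile(r"\(\s*(addr\.(?:src|dst))\s+in\s+(\S+?)\s*\)")


def parse_filter(expr):
    """Parse the filter string the GUI builds when you click a Source and a
    Destination, e.g. '( addr.src in 10.10.10.20 ) and ( addr.dst in 10.10.10.30 )'.
    This model supports only 'and'-joined addr.src / addr.dst clauses."""
    clauses = _CLAUSE.findall(expr)
    leftover = _CLAUSE.sub("", expr).replace("and", "").strip()
    if not clauses or leftover:
        raise ValueError(f"unsupported filter: {expr!r}")
    return [(FIELD_FOR[key], value) for key, value in clauses]


def load_log(text):
    """Read the CSV export into a list of dicts, one per log entry."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_filter(records, expr):
    """Return the entries matching every clause of the filter."""
    clauses = parse_filter(expr)
    return [r for r in records if all(r[field] == value for field, value in clauses)]


def resolve(record):
    """Replace addresses with names where a name is known (unknown ones stay)."""
    out = dict(record)
    for field in ("src", "dst"):
        out[field] = HOSTNAMES.get(record[field], record[field])
    return out


def denied(records):
    """(port, rule) pairs for the blocked sessions: the detail to read off the
    filtered view before going to the policy to find out why."""
    return sorted({(int(r["dport"]), r["rule"]) for r in records if r["action"] == "deny"})


if __name__ == "__main__":
    hits = apply_filter(load_log(SAMPLE_LOG),
                        "( addr.src in 10.10.10.20 ) and ( addr.dst in 10.10.10.30 )")
    for entry in map(resolve, hits):
        print(f"{entry['time']} {entry['src']} -> {entry['dst']}:{entry['dport']} "
              f"{entry['app']} {entry['rule']} {entry['action']}")
    print("blocked:", denied(hits))
```

Running it lists the two Protected Client to Attacker sessions and reports the single blocked one on port 8080, which is the entry Step 5 asks you to notice; the Victim's session on the same port is filtered out because its source differs, and the unresolved 10.10.10.50 address is left as is, as the GUI does for hosts it cannot name.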

Does this mean all traffic on port 8080 is blocked? Let’s go to the firewall policy and find out.

Step 6: Go to the Policies tab > Security node and look at the Internal-Web-Servers-on-8080 policy.
This policy only allows web browsing applications on port 8080 for all internal web servers supported in
the policy. Since the Attacker VM is not in the Internal-Web-Servers-on-8080 group, traffic from the
Protected Client VM is blocked.

Step 7: Let’s allow the Attacker on this policy and see if we can compromise the Protected Client VM.
Click on the Internal-Web-Servers-on-8080 policy. In the Destination tab, add Attacker to the
Destination Address.

This policy is meant to allow only web browsing on the internal web servers, but if we also want to enable
Flash to run on the internal web servers, or in this case let the Attacker attack the client over Flash, we
will need to add Flash to this policy to allow it.

Step 8: Go to the Application tab and add Flash to this policy.

Step 9: Click the Commit button in the upper righthand corner to confirm the changes.
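The three rules examined in Tasks 1 to 3 show the difference between a port-based rule and an App-ID rule with application-default, and why the exploit traffic on port 8080 was blocked until Steps 7 and 8 widened the Internal-Web-Servers-on-8080 rule. The following is an added example for this guide, not PAN-OS code: it is a simplified first-match model of those three rules. The application-default ports in APP_DEFAULT_PORTS are assumptions made for the model (not App-ID database values), the host "Internal-Web-Server" is a hypothetical member of the destination group, and unmatched traffic is modelled as hitting the predefined interzone-default deny rule; the guide itself only says the traffic is blocked.

```python
"""Simplified model of the security rules reviewed in Activity 2, Tasks 1-3.

Added example for this guide: it is not PAN-OS code and only approximates
first-match security-policy evaluation. The application-default ports below
are assumptions made for the model, not values from the App-ID database.
"""
from dataclasses import dataclass

# Assumed "application-default" ports (model assumption, not App-ID data).
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssl": {443},
    "flash": {80, 443},
}

ANY = "any"


@dataclass(frozen=True)
class Session:
    src: str   # resolved source host name
    dst: str   # resolved destination host name
    port: int  # destination TCP port
    app: str   # application identified on the session


@dataclass
class Rule:
    name: str
    src: set
    dst: set
    apps: set        # {ANY} = port-based rule that admits any application
    service: object  # "application-default" or an explicit set of ports
    action: str = "allow"

    @staticmethod
    def _allowed(value, allowed):
        return ANY in allowed or value in allowed

    def matches(self, s: Session) -> bool:
        if not (self._allowed(s.src, self.src) and self._allowed(s.dst, self.dst)):
            return False
        if not self._allowed(s.app, self.apps):
            return False
        if self.service == "application-default":
            # App-ID rule: the application must also be on its own default port.
            return s.port in APP_DEFAULT_PORTS.get(s.app, set())
        return s.port in self.service


def evaluate(rules, session):
    """First matching rule wins. Unmatched traffic is modelled as hitting the
    predefined interzone-default deny rule."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "interzone-default", "deny"


def build_rules(attacker_in_8080_group=False, flash_on_8080=False):
    """The three rules from the guide. The two flags reproduce the edits of
    Task 3, Steps 7 and 8. 'Internal-Web-Server' is a hypothetical member of
    the Internal-Web-Servers-on-8080 destination group."""
    victim = Rule("Victim to Attacker", {"Victim"}, {"Attacker"},
                  {ANY}, {80, 443, 8080})
    protected = Rule("Protected Client to Attacker", {"Protected Client"},
                     {"Attacker"}, {"web-browsing", "ssl", "flash"},
                     "application-default")
    group = {"Internal-Web-Server"}
    if attacker_in_8080_group:
        group.add("Attacker")
    apps = {"web-browsing"} | ({"flash"} if flash_on_8080 else set())
    internal = Rule("Internal-Web-Servers-on-8080", {ANY}, group, apps, {8080})
    return [victim, protected, internal]


# The exploit delivery seen in the traffic log: Flash content over TCP 8080.
EXPLOIT_FROM_VICTIM = Session("Victim", "Attacker", 8080, "flash")
EXPLOIT_FROM_PROTECTED = Session("Protected Client", "Attacker", 8080, "flash")


if __name__ == "__main__":
    for label, flags in [("initial policy", {}),
                         ("after Steps 7 and 8", {"attacker_in_8080_group": True,
                                                  "flash_on_8080": True})]:
        rules = build_rules(**flags)
        print(label)
        for s in (EXPLOIT_FROM_VICTIM, EXPLOIT_FROM_PROTECTED):
            print(f"  {s.src} -> {s.dst}:{s.port} {s.app}: {evaluate(rules, s)}")
```

With the initial rules the Victim's Flash session on 8080 is allowed by the port-based rule, while the Protected Client's identical session matches nothing: Flash is permitted by its rule but not on 8080 under application-default, and the 8080 rule neither lists the Attacker nor the Flash application. Adding the Attacker to the group alone (Step 7) is still not enough; only after Flash is added to the rule (Step 8) does the session get through, which is the point of the two-step change in the guide.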

Task 4 - Re-Run the Ransomware Attack on the Protected Client


Now that we have removed a few more layers of protection from the firewall, let’s test the ransomware
attack again.
Step 1: Go back to the Protected Client and close the Google login window. Next, click the Review Your
Devices Now link in the phishing email. You should see the Google login page open again.
Step 2: Go to the Attacker VM and look at the Metasploit terminal. Metasploit will be trying to send the
Flash exploit, but it will not have completed the process.

Step 3: Hit Enter/Return in the Metasploit prompt, then enter the “sessions” command to look for open
sessions. You should not see any, meaning Metasploit still failed to deliver the Flash exploit.

Step 4: Go to the Threat logs to review more about the threat that was detected. You can see that, once
again, the next-generation firewall protected the Protected Client VM from the attack.

Task 5 - Remove the Next-Generation Firewall Protection from the Protected Client
The Palo Alto Networks ML-Powered Next-Generation Firewall provides many layers of protection to prevent
attacks. Here are some of the layers applied to the Protected Client VM:
• URL Filtering with inline ML models to block access to exploit kit URLs.
• Vulnerability protection against exploits.
• Antivirus detection to prevent malware transfer.
• App-ID to explicitly deny unknown TCP port traffic.
We will not go through every layer, but we will disable all next-generation firewall protection by putting the
Protected Client VM to the same port-based policy as the Victim VM.

Step 1: From Security Admin, Go to Policies > Security > Victim-to-Attacker policy > Source tab and add
the Protected Client to this port-based policy.

Step 2: Commit the changes. Once the commit is completed, the “Protected Client” will have only the
same port-based protection as the “Victim”.

Step 3: Go to the Protected Client and close the Google page. Next, go to the phishing email and click
on the Review Your Devices Now link again. The webpage will open, but after a moment, you will see a
Cortex XDR notification that a malicious activity has been blocked.

Even though you have removed all next-generation firewall protections from the Protected Client VM, it is
still protected by Cortex XDR endpoint protection. We will see how Cortex XDR works to prevent the
ransomware attack on the Protected Client in the next activity.
Before we look at Cortex XDR, feel free to go back to the Attacker VM and check for an open attack session
to the Protected Client VM. Use the “sessions” command in the Metasploit prompt, and you should see
no open sessions.

End of Activity 2

Activity 3 - Cortex XDR Detection and Response Platform
In this activity, you will:
• See how Cortex XDR Prevent advanced endpoint protection prevents the ransomware attack.
• Take a quick look at Cortex XDR Pro.

Task 1 - Review the Cortex XDR Client Console


In this task, you will access and review the Cortex XDR client on the Protected Client VM.
Step 1: Cortex XDR successfully detected and prevented the Flash exploit session from the Attacker VM
in the last activity. Click OK to close the Cortex XDR Prevention Alert window.

Step 2: If the Cortex XDR client console is not open, click the Cortex XDR icon on the Windows
taskbar at the bottom of the desktop. This should display the Cortex XDR client console, which will read
“Advanced Endpoint Protection is Enabled.”

Note the date and time of the last check-in, indicated in the bottom left of the Cortex XDR client console.

Step 3: Click the Check In Now link to connect to the Cortex XDR management service and retrieve any
updated security policies. These updates are normally done on a set heartbeat schedule.
The link will change momentarily to Connecting. Once the Cortex XDR client has completed the check-in
process, it will return to Check In Now.
Step 4: Go to the Events tab, select the event to see the details about the protection event triggered by
the exploit hosted by the Attacker VM.

Cortex XDR is a lightweight client that is centrally managed by the Cortex XDR management service. We
will review this in the next task.

Task 2 – Introduction to Cortex XDR


In this task, we will log in to the Cortex XDR service and review the different types of protections offered
by Cortex XDR. Before we log in to Cortex XDR, here is a quick introduction.
Cortex XDR is the industry's first extended detection and response platform that runs on integrated
endpoint, network and cloud data to reduce the noise and focus on real threats. Cortex XDR offers
you complete visibility over network traffic, user behavior, and endpoint activity. It simplifies threat
investigation by correlating logs from your agents to reveal threat causalities and timelines. This enables
you to easily identify the root cause of every alert. Cortex XDR also allows you to perform immediate
response actions. Finally, to stop future attacks, you can proactively define IOCs and BIOCs to detect
and respond to malicious activity.
Here is a quick look at the Cortex XDR architecture. Cortex XDR consists of the following components:
Cortex XDR web management - A cloud-based security infrastructure service that is designed to
manage the endpoint security policy, review security events as they occur, and perform additional
analysis of associated logs.
Cortex XDR Agents - Cortex XDR agent enforces your security policy on the endpoint and sends a
report when it detects a threat.
Cortex Data Lake - A cloud-based logging infrastructure that centralizes the collection and storage of logs
generated by the Cortex XDR agents. Cortex Data Lake also supports data collection from Palo Alto
Networks ML-Powered Next-Generation Firewalls and Prisma Access. We will take a closer look at Cortex
Data Lake later in this lab.

The following describes the licensing tiers available for Cortex XDR. Cortex XDR Prevent focuses on endpoint prevention; Cortex XDR Pro extends data ingestion to network, cloud and third-party sources, and adds automated investigation and integrated response.

In the next task, we will take a quick look at the Cortex XDR web management interface with a Cortex XDR Prevent license.

Task 3 – Login and Review Cortex XDR


Step 1: Go to the Cortex XDR tab in the lab. This opens the Cortex login page.

If you see an expired page, you can click on the Home icon in Remote Access Control under the
Virtual Keyboard on the left to refresh the login page.

Step 2: Click “LOGIN” on the Single Sign On page to be logged in with the supplied credentials.

Note: you will be using a Read-Only account.

You can use the Virtual Keyboard under Remote Access Controls on the left-hand side to move forward or back in the browser window, or click on the Home icon to get back to the login page.

Once logged into Cortex XDR, you get a quick view of all connected Cortex XDR agents. The Incident Management Dashboard provides a high-level view of the status of the incidents related to the Cortex XDR agents managed by your Cortex XDR management service.

Step 3: Cortex XDR provides three different dashboards to give administrators quick access to different information. We will take a closer look at the incidents with the Incident Management Dashboard.

Step 4: Under Top Incidents (Top 10) in the Incident Management Dashboard, you can see the security events that Cortex XDR agents report when a file or process matches your applied policy rules (either the default policy rules or custom rules you define). When an event occurs, Cortex XDR applies the action specified in the applied security profile: either block the malicious activity, or allow it and report it.
The Cortex XDR management service ranks all events in order of severity, so you can quickly and easily
see the most important events when you log in to the Cortex XDR management service. You can then
drill down into the security events to determine if a security event is a real threat and, if so, you can
remediate it. In some cases, you may determine that a security event does not pose a real threat and can
create an exception for it.

Note: In your lab environment all the VMs, including the Protected Client, are cloned. The Cortex XDR agent is cloned as well, so all events will show the same endpoint name.
Click on the Memory Corruption Exploit incident to review the events recorded when the Cortex XDR agent identified an attempt to run a malicious file or process. This opens the details of that incident under Investigation > Incidents.

Step 5: In the Incident window, you can review the details of the selected incident, such as the Key Artifacts, the time of the event, the host and user name, and more.

Step 6: Under Key Artifacts, click on WF Benign under Threat Intelligence to open the WildFire Analysis
report.

Step 7: Palo Alto Networks WildFire is a cloud-delivered malware analysis service that uses data and threat intelligence from the industry's largest global community. In this case, the incident was triggered in the Windows Internet Explorer process, iexplore.exe, which is benign on its own: an exploit abuses a legitimate, signed program, so a benign file verdict on the host process is expected and says nothing about the attack itself; the exploit-protection event is what tells you an attack took place. If an incident is triggered by malware or another unknown process, you will get details about that file here. Now close the WildFire Analysis Report.

Step 8: Now take a closer look under Alerts. You can learn a great deal from the records in the Alerts table by scrolling to the right. You can see that the incident was triggered by an exploit against Windows Internet Explorer. That is a good reason to investigate the exploit further and apply the latest patch or software upgrade where applicable.

Step 9: Cortex XDR agents provide multiple prevention methods, each of which includes multiple purpose-built prevention techniques tuned for maximum performance and accuracy.
These malware prevention capabilities include:
• WildFire Inspection and Analysis
• Static Analysis
• Execution Restrictions
• Trusted Publisher Identification
• Admin Override Policies
• Malware Quarantine

Please ask your instructor for more in-depth discussion of the malware prevention capabilities of Cortex
XDR agent.

Step 10: Click Endpoints > Policy Management, then click Profiles in the left node to view the security profiles available for Windows, macOS, Linux and Android.

Cortex XDR management service provides default security profiles that you can use out of the box to
begin protecting your endpoints from threats immediately. While security rules enable you to block or
allow files to run on your endpoints, security profiles help you customize and reuse settings across
different groups of endpoints.
• Exploit – Exploit profiles block attempts to exploit system flaws in browsers and in the operating system. Exploit profiles are supported for Windows, Mac, and Linux.
• Malware – Malware profiles protect against the execution of malware, including trojans, viruses, worms, and grayware. Malware profiles are supported for all platforms.
• Restriction – Restriction profiles limit where executables can run on the endpoint. Restriction profiles are supported for the Windows platform.
• Agent Settings – Agent Settings profiles let you customize settings that apply to the Cortex XDR agent, such as the disk space quota for log retention.

Step 11: Click the Policy Rules node to view the assigned Profiles based on operating system type.

The Cortex XDR management service provides out-of-the-box protection for all registered endpoints with
a default security policy for each type of platform. To fine-tune your security policy, you customize settings
in a security profile and attach that profile to a policy rule.

Note: You are logged into a Cortex XDR Prevent account in this lab activity. The next task takes a quick look at Cortex XDR Pro features; the screenshots shown there will not match what you can see in the Cortex XDR Prevent account you are logged into.

Task 4 – Quick Look at Cortex XDR Pro


Cortex XDR Pro provides deep root-cause analysis that shows the whole chain of events tied together in one place. The Cortex XDR agent sends security event data and EDR logs, and the firewall sends its logs (such as traffic and threat logs), to the Cortex Data Lake, where Cortex XDR can use the data. By stitching the data together, you get one coherent story of what happened, including the entire chain of events. The result is a full root-cause analysis of why an alert was raised (for both detection and prevention alerts), what the potential damage might be, and the notable items that require attention. Once you understand the cause, you can respond and adapt to the alert.

Cortex XDR Pro also offers the ability to build custom queries and schedule them to run, which allows for more in-depth investigations.

(Screenshot: Cortex XDR Pro compared with Cortex XDR Prevent)

The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate
any lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats
from your data sources. With Query Builder, you can build complex queries for entities and entity
attributes so that you can surface and identify connections between them. The Query Builder also
provides flexibility for both on-demand query generation and scheduled queries.

An attack event can affect several users or hosts and raise different types of alerts caused by a single
event. You can track incidents, assign analysts to investigate, and document the resolution.

When you identify a threat, you can define specific indicators for which you want Cortex XDR to raise
alerts. You can define rules for the following types of indicators:

Behavioral indicators of compromise (BIOCs)

Identifying threats based on their behaviors can be quite complex. As you identify specific network,
process, file, or registry activity that indicates a threat, you create BIOCs that can alert you when the
behavior is detected.

Indicators of compromise (IOCs)

Known artifacts that are considered malicious or suspicious. IOCs are static and based on criteria such as
SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules based on
information that you gather from various threat-intelligence feeds or that you gather as a result of an
investigation within Cortex XDR.
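The difference between the two rule types, as an added example that is not from the original guide and is not Cortex XDR's rule engine: a small Python evaluator runs a static IOC list and three BIOC-style behavioral conditions over a handful of constructed endpoint events, then groups the resulting alerts per host into incidents as described above. The event fields, the IOC values, the process names and the rule names are all assumptions made for the example.

```python
# Added example: static IOC matching next to a behavioral (BIOC-style) rule,
# evaluated over constructed endpoint events. Illustrative code only; it is
# not Cortex XDR's rule engine. The event fields, IOC values, process names
# and rule names are assumptions made for the example.
from collections import defaultdict

# Constructed sample telemetry (not real data): a browser-exploit chain on
# PC-1, and a known-bad download plus an Office-spawned shell on PC-2.
EVENTS = [
    {"id": 1, "host": "PC-1", "type": "process", "parent": "explorer.exe",
     "image": "iexplore.exe", "cmdline": "iexplore.exe", "sha256": "a" * 64},
    {"id": 2, "host": "PC-1", "type": "process", "parent": "iexplore.exe",
     "image": "powershell.exe", "sha256": "b" * 64,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 3, "host": "PC-1", "type": "network", "image": "powershell.exe",
     "dst_ip": "198.51.100.7", "dst_domain": "cdn.example"},
    {"id": 4, "host": "PC-2", "type": "file", "image": "iexplore.exe",
     "path": r"C:\Users\bob\Downloads\wildfire-test-pe-file.exe", "sha256": "c" * 64},
    {"id": 5, "host": "PC-2", "type": "process", "parent": "winword.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami", "sha256": "d" * 64},
]

# Static indicators (IOCs): exact-match artifacts such as would come from a
# threat-intel feed or an earlier investigation. Values are made up.
IOCS = {
    "sha256": {"c" * 64},
    "ip": {"198.51.100.7"},
    "domain": {"evil.example"},
    "filename": {"wildfire-test-pe-file.exe"},
}


def match_iocs(event, iocs=IOCS):
    """Return (indicator type, value) pairs in the event that are known IOCs."""
    hits = []
    if event.get("sha256") in iocs["sha256"]:
        hits.append(("sha256", event["sha256"]))
    if event.get("dst_ip") in iocs["ip"]:
        hits.append(("ip", event["dst_ip"]))
    if event.get("dst_domain") in iocs["domain"]:
        hits.append(("domain", event["dst_domain"]))
    path = event.get("path")
    if path and path.replace("\\", "/").rsplit("/", 1)[-1].lower() in iocs["filename"]:
        hits.append(("filename", path))
    return hits


# Behavioral indicators (BIOCs): conditions on what a process does and who
# launched it, independent of any particular hash, address or file name.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _has_encoded_command(cmdline):
    tokens = cmdline.lower().split()
    return any(t in ("-e", "-ec", "-enc", "-encodedcommand") for t in tokens)


BIOC_RULES = {
    "office_spawns_shell": lambda e: e["type"] == "process"
        and e.get("parent") in OFFICE and e["image"] in SHELLS,
    "browser_spawns_shell": lambda e: e["type"] == "process"
        and e.get("parent") in BROWSERS and e["image"] in SHELLS,
    "encoded_powershell": lambda e: e["type"] == "process"
        and e["image"] == "powershell.exe"
        and _has_encoded_command(e.get("cmdline", "")),
}


def evaluate(events):
    """Run both rule types over the events and return one alert per rule hit."""
    alerts = []
    for e in events:
        for kind, value in match_iocs(e):
            alerts.append({"event": e["id"], "host": e["host"],
                           "rule": "ioc:" + kind, "value": value})
        for name, predicate in BIOC_RULES.items():
            if predicate(e):
                alerts.append({"event": e["id"], "host": e["host"],
                               "rule": "bioc:" + name, "value": e["image"]})
    return alerts


def build_incidents(alerts):
    """Group alerts by host so that one attack raising several alerts is
    tracked as a single incident, as the guide describes."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[alert["host"]].append(alert)
    return dict(incidents)


if __name__ == "__main__":
    for host, hits in build_incidents(evaluate(EVENTS)).items():
        print(host, [(a["event"], a["rule"]) for a in hits])
```

Event 2 (Internet Explorer spawning an encoded PowerShell command) has a hash the IOC list has never seen, so only the behavioral rules catch it; event 4 is caught purely by its static artifacts. That is the trade-off the guide describes: IOCs are cheap and exact but only cover what is already known, while BIOCs cover the technique regardless of the specific file.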

Behavioral analytics are essential for stopping attacks. Machine learning lets you detect low and slow behaviors accurately and automatically, which static rules that look for known patterns cannot do. XDR obtains data from multiple sources (network, endpoint and cloud) and stitches them together to create a picture of what is happening.

XDR behavioral analytics enable security teams to detect and stop advanced attacks. XDR analyzes
endpoint, network and cloud data with machine learning. XDR accurately identifies behavior anomalies
that indicate an attack. This integrated analysis helps security analysts identify which apps or tools, such
as PowerShell or WMI, were used for attacks.

XDR analyzes data stored in the Cortex Data Lake Service (data from Palo Alto Networks endpoints, the
cloud, and the next-generation firewalls), including information on users, devices and applications. XDR
examines multiple logs, including Enhanced Application Logs, which provide data specifically designed
for analytics, allowing XDR to track attributes that are nearly impossible to ascertain from traditional threat
logs or high-level network flow data.

The analysis that XDR performs is based on a combination of unsupervised and supervised machine-learning techniques. XDR uses unsupervised machine learning to model user and device behavior, perform peer-group analysis, and cluster devices into groups with similar behavior. With supervised machine learning, XDR recognizes deviations from expected behavior based on the type of user or device, which reduces false positives.
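Peer-group analysis of a "low and slow" behavior, as an added example that is not from the original guide and is not Cortex XDR's analytics: the Python below builds constructed connection records for two peer groups of workstations over a 14-day window, where one finance host quietly contacts two new internal hosts each day. A fixed per-day threshold never fires on it, while a robust peer-group baseline (median plus a multiple of the median absolute deviation) flags it. The hosts, groups, destinations, window and thresholds are assumptions made for the example.

```python
# Added example: peer-group baselining that flags a "low and slow" host a
# fixed per-day threshold never sees. Illustrative code only, not Cortex
# XDR's analytics; the hosts, peer groups, destinations, 14-day window and
# thresholds are assumptions constructed for the example.
from collections import defaultdict
from statistics import median

WINDOW_DAYS = 14
STATIC_PER_DAY_THRESHOLD = 10   # a typical fixed rule: >10 new internal peers in one day


def constructed_events():
    """Synthetic connection records (day, host, peer_group, destination).
    Finance and engineering workstations talk to a few shared servers every
    day; FIN-04 additionally probes two never-before-seen hosts each day."""
    events = []
    shared = ["fs-01", "print-01", "dc-01"]
    for day in range(WINDOW_DAYS):
        for i in range(1, 7):
            host = f"FIN-{i:02d}"
            extra = [] if i == 1 else [f"app-fin-{i:02d}"]   # a little natural variation
            for dst in shared + extra:
                events.append((day, host, "finance", dst))
        for i in range(1, 5):
            for dst in shared + ["git-01", "ci-01"]:
                events.append((day, f"ENG-{i:02d}", "engineering", dst))
        for k in range(2):   # the slow scan: two new destinations per day, never more
            events.append((day, "FIN-04", "finance", f"ws-{day * 2 + k:03d}"))
    return events


def per_day_new_destinations(events):
    """For each host, the most never-before-seen destinations it contacted on
    any single day: the quantity a fixed daily threshold looks at."""
    seen = defaultdict(set)
    new_today = defaultdict(int)
    for day, host, _group, dst in sorted(events):
        if dst not in seen[host]:
            seen[host].add(dst)
            new_today[(host, day)] += 1
    worst = defaultdict(int)
    for (host, day), n in new_today.items():
        worst[host] = max(worst[host], n)
    return dict(worst)


def static_rule_alerts(events, threshold=STATIC_PER_DAY_THRESHOLD):
    """Hosts that would trip the fixed per-day rule."""
    return sorted(h for h, n in per_day_new_destinations(events).items() if n > threshold)


def peer_group_alerts(events, k=3.0):
    """Hosts whose distinct-destination count over the window sits far above
    their peer group's robust baseline (median + k * MAD). Median and MAD are
    used instead of mean and standard deviation so the outlier itself does not
    drag the baseline up."""
    destinations = defaultdict(set)
    group_of = {}
    for _day, host, group, dst in events:
        destinations[host].add(dst)
        group_of[host] = group
    by_group = defaultdict(dict)
    for host, dsts in destinations.items():
        by_group[group_of[host]][host] = len(dsts)
    alerts = {}
    for group, counts in by_group.items():
        values = list(counts.values())
        base = median(values)
        mad = max(median([abs(v - base) for v in values]), 1.0)  # floor: a flat group must not alert on noise
        for host, v in counts.items():
            if v > base + k * mad:
                alerts[host] = {"group": group, "value": v, "baseline": base, "score": (v - base) / mad}
    return alerts


if __name__ == "__main__":
    ev = constructed_events()
    print("static rule:", static_rule_alerts(ev))
    print("peer group:", peer_group_alerts(ev))
```

FIN-04 never exceeds six new destinations in a day, so the static rule stays silent for the whole two weeks, yet by the end of the window it has talked to 32 distinct hosts against a peer baseline of 4. The MAD floor of 1 is the kind of detail that matters in practice: without it, a peer group whose members all behave identically has a deviation of zero and would alert on any host that differs by a single destination.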

To learn more about Cortex XDR, you can download the e-book XDR: Enterprise-scale Detection and
Response from Palo Alto Networks:

https://www.paloaltonetworks.com/resources/ebooks/xdr-enterprise-scale-detection-and-response

End of Activity 3

Activity 4 - Prevent Unknown Threat with WildFire
and Cortex XDR
WildFire™ cloud-based threat analysis service is the industry’s most advanced analysis and
prevention engine for highly evasive zero-day malware and exploits. A unique, multi-method
approach combines dynamic and static analysis, machine learning techniques, and
groundbreaking bare metal analysis to detect and prevent even the most evasive threats.
In this activity, you will:
• Learn about WildFire and how it works with the ML-Powered Next-Generation Firewall and Cortex
XDR.

Task 1 - Enable WildFire on the ML-Powered Next-Generation Firewall


Step 1: On the Security Admin VM, log in to the NGFW GUI.
Step 2: Go to Policies > Security and select the policy named Protected Client to Internet. In the
Actions tab, under Profile Setting, change WildFire Analysis from None to default. This will enable
WildFire Analysis on this policy. Click OK to close the window.

Step 3: Go to Device > Dynamic Updates to review how often PAN-OS retrieves WildFire updates. In the latest PAN-OS release, real-time WildFire updates are supported and configured here. Click on Real-time next to Schedule to review the available options.

Step 4: Close the window and click Commit to commit the changes.

PAN-OS 10.0 adds a WildFire inline machine-learning engine that runs on the NGFW itself. This signatureless capability prevents malicious content in common file types, such as portable executable files and fileless attacks delivered through PowerShell®, completely inline: no cloud round trip is required, the content is not altered, and users are not held up.
We will take a quick look at how to enable this inline machine-learning WildFire prevention.

Step 5: Go to Objects > Security Profiles > Antivirus and click the default-with-wildfire antivirus profile.

Step 6: In the Action tab, you can see the new WildFire Inline ML Action option for each protocol.

Step 7: In the WildFire Inline ML tab, you can see more details for each supported model and its action
setting.

This antivirus profile is already applied in the Protected-Client To Internet security policy.

Task 2 - Review WildFire on Cortex XDR


Step 1: Go to the Cortex XDR tab in the lab environment.

Step 2: Click Endpoints > Policy Management, select Profiles, then click the Windows profile.

Step 3: Select a Malware type profile under the Windows platform, then right-click it and select View to review the details of the malware profile.

Step 4: Click Portable Executable and DLL Examination and scroll down. Notice that under Portable Executable and DLL Examination you have the option to Upload Unknown Files to WildFire. It is grayed out because you have read-only access. The same applies to Office Files with Macros Examination.

Task 3 - Download and Execute a Zero-Day Malware Sample File
Step 1: On the Protected Client, open Internet Explorer.

Step 2: Go to http://wildfire.paloaltonetworks.com/publicapi/test/pe or click the WildFire test file bookmark in the bookmarks bar.

Step 3: Ignore the warning message, select Save to download a “wildfire-test-pe-file.exe” sample file.
Check your Downloads folder to confirm the download.

Step 4: Double-click wildfire-test-pe-file.exe to execute it.

Step 5: Even though this is a harmless sample file that does not contain any exploit, Cortex XDR prevents it from executing because WildFire does not recognize the file initially. This behavior is controlled by the Block files with unknown verdict setting in the malware profile you reviewed in the previous task.
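What that setting changes, as an added example that is not Cortex XDR agent code: the Python below replays the lab sequence against a constructed sample. The first execution attempt finds no verdict for the file's SHA-256, so with the blocking setting on it is blocked and, with Upload Unknown Files to WildFire on (Task 2, Step 4), submitted for analysis; once the verdict arrives, the decision is driven by the verdict alone. The profile fields, the verdict names and the sample bytes are assumptions made here; the real WildFire test file is not embedded.

```python
# Added example (not Cortex XDR agent code): how a "block unknown verdict"
# setting changes what happens when a file with no WildFire verdict is run,
# and how the decision changes once a verdict arrives. The profile fields,
# the verdict names and the sample bytes are assumptions made here.
import hashlib
from dataclasses import dataclass

# Constructed bytes standing in for a downloaded executable; not the real test file.
SAMPLE = b"MZ\x90\x00" + b"constructed sample for the example"


@dataclass
class MalwareProfile:
    block_unknown_verdict: bool = True       # Task 3, step 5: the setting that stops the test file
    upload_unknown_to_wildfire: bool = True  # Task 2, step 4: submit unknown PE files for analysis


class VerdictCache:
    """Verdicts the endpoint already knows, plus hashes awaiting a cloud verdict."""
    def __init__(self):
        self.verdicts = {}
        self.pending = set()

    def lookup(self, digest):
        return self.verdicts.get(digest, "unknown")

    def submit(self, digest):
        if digest not in self.verdicts:
            self.pending.add(digest)

    def deliver(self, digest, verdict):
        # Called when WildFire analysis completes (5 to 10 minutes in the lab).
        self.pending.discard(digest)
        self.verdicts[digest] = verdict


# Verdicts that always block. Grayware handling is configurable in a real
# profile; it is assumed to block here.
BLOCKING_VERDICTS = {"malware", "grayware", "phishing"}


def decide(data, profile, cache):
    """Return (action, verdict, sha256) for one execution attempt."""
    digest = hashlib.sha256(data).hexdigest()
    verdict = cache.lookup(digest)
    if verdict in BLOCKING_VERDICTS:
        return "block", verdict, digest
    if verdict == "unknown":
        if profile.upload_unknown_to_wildfire:
            cache.submit(digest)
        action = "block" if profile.block_unknown_verdict else "allow"
        return action, verdict, digest
    return "allow", verdict, digest   # benign


def lab_sequence():
    """Replay the lab: run once with no verdict, receive the verdict, run again,
    then show the same first attempt with the blocking setting turned off."""
    cache = VerdictCache()
    strict = MalwareProfile()
    first = decide(SAMPLE, strict, cache)              # blocked as unknown
    submitted = first[2] in cache.pending              # and queued for WildFire
    cache.deliver(first[2], "malware")                 # the verdict the lab's test file receives
    second = decide(SAMPLE, strict, cache)             # blocked on the verdict itself
    lenient = MalwareProfile(block_unknown_verdict=False)
    third = decide(SAMPLE, lenient, VerdictCache())    # the gap the setting closes: runs while unknown
    return first[:2], submitted, second[:2], third[:2]


if __name__ == "__main__":
    print(lab_sequence())
```

The third case is the one to remember when reviewing a profile: with the blocking setting off, the upload still happens, but the file has already run by the time the 5 to 10 minute analysis returns, so the first victim of a new sample is unprotected.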

Task 4 - Review WildFire Submission and Verdict on Cortex XDR


Step 1: Go to the Cortex XDR tab in the lab environment to access the XDR GUI. Select Investigation >
Incidents:

Step 2: Select the incident whose Incident Description reads ['Local Analysis Malware' generated by XDR Agent …], then right-click and select View Incident.

Step 3: The Incident details view shows more information about this incident, such as the machine and user name. Scroll to the right in Alerts to see more details.

Step 4: Select the alert, then right-click and select Analysis to open the analysis view of the alert. Here you will see the WildFire score or verdict once WildFire has completed its analysis.

Step 5: You can open the WildFire Analysis Report by clicking the report icon under WildFire Score.

Note: It may take around 5 to 10 minutes for a verdict to be returned. You may proceed to the next task and return to this step later.

Step 6: In the WildFire Analysis Report, you can review all the tests and analysis WildFire performed on the file submitted by the Cortex XDR agent.

Task 5 - Review WildFire Submission and Verdict on the Firewall


Step 1: In the firewall GUI, click the Monitor tab, then the WildFire Submissions node. Not only did the Cortex XDR agent submit the executable when it was run on the Protected Client; the next-generation firewall also saw the file during the download and submitted it.

Note that it can take 5 to 10 minutes before the entry shows up.

Step 2: Expand the latest entry in the logs and click the magnifying glass.

Step 3: Note the Verdict of the WildFire analysis. It will be shown as “malicious.”

Step 4: Review the WildFire Analysis Report on the firewall by clicking the WildFire Analysis Report tab. Scroll down to see detailed information about this malicious file.

WildFire stores this verdict and the full results of the analysis in the Threat Intelligence Cloud, making them available to all Palo Alto Networks ML-Powered Next-Generation Firewalls that subscribe to the WildFire service, anywhere in the world.

End of Activity 4

Activity 5 – Introduction to Cortex Data Lake and
Cortex XSOAR
Palo Alto Networks Cortex Data Lake is a cloud-based offering for context-rich enhanced network logs generated by our security offerings, including those of our ML-Powered Next-Generation Firewalls, Prisma Access and Cortex XDR. The Cortex Data Lake is the cornerstone of the Palo Alto Networks Cortex platform, which provides a scalable ecosystem of security applications that can apply advanced analytics in concert with Palo Alto Networks enforcement points to prevent the most advanced attacks.

Cortex XSOAR is the industry-leading Security Orchestration, Automation & Response (SOAR)
technology that can automate many response actions requiring human review and allow
overloaded security teams to focus on the actions that really require their attention.

In this activity, we will take a quick look at how to enable Cortex Data Lake on the Palo Alto Networks ML-Powered Next-Generation Firewall and begin your journey to security orchestration and automation through Cortex XSOAR.

To enable the Next-Generation Firewalls to send logs to the Cortex Data Lake, they need to be managed
by a Panorama device with the Cortex Data Lake license. The next few activities will show you the
configuration screens and their settings related to the NGFW and Panorama.

Task 1 – Log into Network Security Management: Panorama


Step 1: From the Security Admin VM, open a new browser tab and open the Panorama bookmark. Accept the self-signed certificate warning. Alternatively, click on the Panorama-GUI tab and open a new tab in your browser to connect to the Panorama web interface directly.

Log in to Panorama with the following "Read-Only" account:

Username: student

Password: utd246

Step 2: In Panorama, navigate to the Panorama tab across the upper right, then to the Licenses node at the bottom left. Check that the Premium Support license and the Cortex Data Lake license exist.

Step 3: In your Panorama, navigate to the Panorama tab > Managed Devices node > Summary sub-
node and check that the Firewall is a managed device. You will see your NGFW device here.

Note that this step and the following step verify that managed firewalls inherit the Cortex Data Lake (Logging Service) license from Panorama.

Step 4: In your Panorama, navigate to the Panorama tab > Device Deployment node > and Licenses
sub-node to check that the Firewall is licensed for the Cortex Data Lake.

Task 2 – Check the Panorama cloud services plugin and the Cloud
Services status
Step 1: In your Panorama, navigate to the Panorama tab > Plugins node and check that the
cloud_services plugin is uploaded and installed. Note, since you have a read-only account, this screen
will not load.

Note that these plugins are normally downloaded from the Customer Support Portal.

Step 2: In your Panorama, navigate to the Panorama tab > Cloud Services node > Status sub-node
and check Status color and the amount of Storage Used by Cortex Data Lake, and the estimated Log
Retention. For this lab environment, the number you see may fluctuate.

Note that the screenshot above is available because the Panorama has a cloud services plugin
installed and authenticated with Palo Alto Networks using a One Time Password generated through the
Support Portal. These steps were performed prior to this lab.

Task 3 – Forwarding Logs to Cortex Data Lake with Template and Device Object

Note that the steps below can be performed either on Panorama or on the firewall's own configuration screens. The steps show the Panorama screens. Make sure the Device Group and Template are set to "Cortex_Data_Lake_Device_Group" and "Cortex_Data_Lake_Template".

Step 1: Click on Device and select the Setup node, and make sure Cortex_Data_Lake_Template is selected under Template.

Step 2: Navigate to the Management tab, scroll down to Cortex Data Lake and view the configuration. Both Enable Logging Service and Enable Enhanced Application Logging are enabled, and the Region is americas.

Note that enhanced application logs in PAN-OS 8.1 and above allow the Firewall to send DHCP logs,
DNS logs, and additional HTTP headers directly to Cortex Data Lake, without saving them to disk. Cortex
XDR and other applications in the Cortex platform/App Framework can leverage these logs for further
analysis.

Step 3: Navigate to the Objects tab > Log Forwarding node. Make sure
Cortex_Data_Lake_Device_Group is selected under Device Group.

Step 4: Click on Cortex_Data_Lake_Profile and review that Forward Method is set to Panorama/Cortex Data Lake for the various log types.

Step 5: Navigate to the Policies tab > Security node > Post Rules subnode. Make sure Device Group is
set to Cortex_Data_Lake_Device_Group.

Step 6: Review that Example_policy rule has Log Forwarding set to Cortex_Data_Lake_Profile under
Log Setting. The Profile Setting for URL Filtering should be set to URL_Alert_All.

Once you push the rule set that uses Cortex_Data_Lake_Profile to the firewalls, they will send logs to the Cortex Data Lake.

Task 4 – Your Guide to Security Orchestration Automation and
Response (SOAR)
Security orchestration involves interweaving people, processes, and technology in the most effective
manner to strengthen the security posture of an organization. By streamlining security processes,
connecting disparate security tools and technologies, and maintaining the right balance of machine-
powered security automation and human intervention, security orchestration empowers security
professionals to effectively and efficiently carry out incident response.

If Security Orchestration Automation and Response (SOAR) is new to you, you can learn about the
basics of security orchestration, its underlying needs, implementation best practices and more from this
free eBook from Palo Alto Networks.

https://start.paloaltonetworks.com/your-guide-to-security-orchestration

Task 5 – Quick Look at Cortex XSOAR


Cortex XSOAR is the industry-leading Security Orchestration, Automation & Response (SOAR)
technology by Palo Alto Networks that will automate up to 95% of all response actions requiring human
review and allow overloaded security teams to focus on the actions that really require their attention.
Cortex XSOAR orchestration enables security teams to ingest alerts across sources and execute
standardized, automatable playbooks for accelerated incident response. Cortex XSOAR playbooks are
complemented by real-time collaboration capabilities that let security teams rapidly iterate to solve
emergent threats.

To learn about Cortex XSOAR, we invite you to take a quick look at this short video.

https://www.youtube.com/watch?v=DYJX9KFnJNo&feature=youtu.be
If you would like to give Cortex XSOAR a try, you can register as a Community Edition user, which gives you a 30-day free trial of the full-featured version. Please visit the following site to learn more and sign up for the Cortex XSOAR Community Edition.

https://start.paloaltonetworks.com/sign-up-for-community-edition.html

End of Activity 5

Activity 6 – Protection for Public Cloud with VM-
Series and Prisma Cloud
Network protection must be adapted for cloud native environments while still enforcing consistent
policies across hybrid environments. Leveraging a single security tool with consistent control, the
VM-Series virtual firewalls provide comprehensive network visibility and advanced threat
protection across multi-cloud and hybrid cloud environment. The VM-Series virtual firewalls can
be deployed in many public cloud environments such as Microsoft Azure, Amazon Web Services
(AWS), Google Cloud Platform (GCP) and Oracle Cloud, so the same advanced security policies
and control can be applied across different cloud services and managed from the same user
interface.

The move to the cloud has changed all aspects of the application development lifecycle – security
being foremost among them. Security and DevOps teams face a growing number of entities to
secure as the organization adopts cloud native approaches. Ever-changing environments
challenge developers to build and deploy at a frantic pace, while security teams remain
responsible for the protection and compliance of the entire lifecycle. Prisma™ Cloud delivers
complete security across the development lifecycle on any cloud, enabling you to develop cloud
native applications with confidence.

In this activity, we will take a quick look at how the VM-Series for Public Cloud and Prisma Cloud products offer comprehensive security for your journey to the public cloud.

You have experienced some of the VM-Series ML-Powered Next-Generation Firewall capabilities in the previous lab activities. The same VM-Series NGFW can be deployed in various public clouds to protect your infrastructure in the same way it does in the data center. We will take a quick look at how VM-Series can be deployed to protect your public cloud infrastructure.

Task 1 – VM-Series ML-Powered Next-Generation Firewall in Public Cloud

VM-Series can be deployed directly from many public cloud marketplaces. Visiting your public cloud provider's marketplace and searching for Palo Alto Networks will give you access to all the Palo Alto Networks products available from that provider. Here are some examples:

Amazon Web Services (AWS) Marketplace:

https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=Palo+Alto+Networks

Google Cloud Platform (GCP) Marketplace:

https://console.cloud.google.com/marketplace/browse?q=Palo%20Alto%20Networks

Microsoft Azure Marketplace:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=Palo%20Alto%20Networks&page=1

Various licensing models are available for VM-Series in public cloud deployments. The Bring Your Own License (BYOL) and Enterprise License Agreement (ELA) models are available for customers with current licenses. Alternatively, you can choose between the Bundle 1 and Bundle 2 Pay As You Go (PAYG) licenses, which offer different subscription bundles.

With a valid public cloud account, you can deploy a VM-Series in your public cloud account using the Pay As You Go (PAYG) license even if you don't have an existing license from Palo Alto Networks. Please note that fees apply for both the license and the other public cloud service charges.

Some public cloud providers offer a free Test Drive where you can access a temporarily deployed VM-Series at no charge. Access is typically limited to a few hours, with no access to the underlying public cloud configuration such as the network, route policy and so on.

Palo Alto Networks offers workshops where you can learn more on how to deploy the VM-Series in
different public clouds. Please discuss with your instructor to learn more about our offerings for the public
clouds.

Task 2 – Manage VM-Series in Public Cloud with Panorama Plugins
Panorama offers easy-to-implement, centralized management for the VM-Series NGFW so you can apply the same security policy across different public cloud providers. Panorama's extensible plugin architecture supports the various public cloud providers, so you install only the plugins you need. We will take a quick look at the Panorama plugins for the supported public cloud providers.

Step 1: Go to the Panorama GUI, go to the Panorama tab and scroll down on the left-hand side. You should see the AWS, Azure and Google Cloud Platform nodes under the Plugins node.

Step 2: Click on the AWS node to see the features supported through the plugin.

Step 3: With the release of the new CN-Series container firewall, Panorama is also used to manage the CN-Series in the respective public cloud container service through these plugins; see the EKS Service Account tab.

Step 4: Review some of the other plugin options that are available in the Azure and Google Cloud
Platform plugins.

Step 5: After reviewing the public cloud plugins, click on the Plugins node. This is where you download and update to the latest plugin version to access the latest features for the respective public cloud providers in Panorama. We hope this gives you a quick look at how Panorama can help manage your Palo Alto Networks firewalls across multiple public cloud providers. With the read-only Panorama account, you will not be able to update or refresh the plugins list.

Task 3 – Resources for VM-Series in Public Cloud


Step 1: Visit the Palo Alto Networks Live community, where you can find many resources on the Getting Started with VM-Series for Public Cloud page. Select the public cloud service provider of interest and you will find many useful tips to get you started.

https://live.paloaltonetworks.com/t5/Getting-Started-With-VM-series/ct-p/Getting-Started-Public-Clouds

Step 2: For example, select AWS to visit the AWS Resource Page.

https://live.paloaltonetworks.com/t5/AWS/ct-p/AWS

Step 3: Palo Alto Networks also shares many deployment samples, script files, SDKs and more through GitHub. Feel free to explore our GitHub repositories for tools that could help your journey to the public cloud.

https://github.com/PaloAltoNetworks

Task 4 – Prisma Cloud for Public Cloud Quick Look
Prisma Cloud is a security and compliance service that dynamically discovers cloud resources and
sensitive data, and subsequently detects risky configurations, network threats, suspicious user behavior,
malware, data leakage, and host vulnerabilities across GCP, AWS, and Azure. It combines the most
comprehensive collection of rule-based security policies and industry-leading machine learning to detect
threats.

Prisma™ Cloud continuously ingests data from hundreds of cloud service provider APIs and threat
intelligence sources, creating a massive data lake of your public cloud deployment. It applies policy- and
machine learning-based analysis to discover and classify assets, flag compliance and governance
violations, detect suspicious activities, and identify data risk. Interactive reports and investigation
capabilities enable rapid incident investigations. Finally, issues are automatically remediated via API
integration with your favorite tools or directly within the Prisma Cloud console itself.

We invite you to take a quick look at a short demo video on Prisma Cloud.

https://www.youtube.com/watch?v=DyEDVWYuvCw

Task 5 – Subscribe to Prisma Cloud Free Trial (Optional)


Prisma Cloud is available from the Palo Alto Networks Marketplace; you can also find Prisma Cloud on
the Amazon Web Services (AWS) and Google Cloud Platform (GCP) Marketplaces. A free trial version is
currently only available from the Palo Alto Networks Marketplace. If you have an existing AWS, Azure or
GCP account and you would like to try using Prisma Cloud to discover and detect risky configurations in
your account, this activity will show how you can subscribe to the Prisma Cloud free trial version from the
Palo Alto Networks Marketplace.

To get the most out of your Prisma™ Cloud trial, you will need to onboard your public cloud account of
choice to Prisma Cloud. This process requires that you have the correct permissions to authenticate and
authorize the connection between Prisma Cloud and your public cloud account for retrieval of data. We
recommend you take a quick look at the following onboarding requirements to ensure you have the proper
access to your public cloud account before subscribing to the Prisma Cloud trial.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/cloud-account-onboarding.html#idd7795ef9-4841-43f1-8ce3-bc57cb5ce7bb

NOTE: You are required to use your company email or another non-personal email to create a new account
for the trial. Personal email domains such as @gmail.com or @outlook.com are restricted from the free
trial.

To subscribe to a Prisma Cloud Free Trial:

Step 1: Go to the Palo Alto Networks Marketplace: https://marketplace.paloaltonetworks.com/


Step 2: Scroll down and then click on View app.

Step 3: Click on Free Trial and then Create Account. (Note that the free trial is valid for 30 days.)

Step 4: Enter the personal and company information requested in the form. Required fields are
indicated with red asterisks. Accept the privacy agreement and click on Create an account.


Step 5: After completing the trial account registration process, your trial tenant will be ready for you
within 24 hours. You will receive a welcome email that includes a link to log in to the Prisma
Cloud tenant once it’s ready.

Step 6: You can follow our Access Prisma Cloud guide to begin accessing your instance of
Prisma Cloud:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/get-started-with-prisma-cloud/access-prisma-cloud.html

End of Activity 6

Activity 7 – Protecting SaaS Applications and
Remote Users with Prisma SaaS and Prisma Access
Unsanctioned SaaS (Software as a Service) apps can expose sensitive data and propagate
malware, and even sanctioned SaaS adoption can increase the risk of data exposure, breaches
and noncompliance. Prisma SaaS reins in these risks by offering advanced data protection and
consistency across different SaaS applications.

Your organization’s cloud transformation is changing the way that your users access applications
and the way that you deliver security protection. You need to enable secure access, protect users
and applications, and control data – from anywhere. Prisma Access acts as a firewall service that
protects branch offices and remote users from threats while also providing the security services
expected from a next-generation firewall.

In this activity, you will:


• See how Prisma SaaS protects your Sanctioned SaaS applications.
• Witness how Prisma SaaS and the ML-Powered Next-Generation Firewall work hand-in-hand.
• Take a quick look at the Secure Access Service Edge with Prisma Access.

Sanctioned applications are those allowed by your corporate IT team. The Prisma SaaS service connects
to the sanctioned SaaS application using the SaaS application’s API. This API integration allows Prisma
SaaS service to discover and scan all assets retroactively when you first connect the SaaS application.

In this task, you will review how to configure sanctioned applications in the next-generation firewall and how
the Prisma SaaS security service can protect sanctioned applications and prevent malicious files from
spreading in your SaaS environment.

Task 1 - Sanctioned SaaS Applications


Step 1: On the NGFW GUI, go to the Monitor tab. Under PDF Reports, select SaaS Application Usage.

Step 2: Open the SaaS Application Report and click Run Now.

Step 3: Take a quick look at the SaaS report; there may not be any SaaS applications on this firewall, as it
is used only for the lab.

Task 2 - SaaS Application Security with Prisma SaaS


Step 1: In the Security Admin VM, open a new tab and use the Prisma SaaS (SaaS) bookmark to open
the Prisma SaaS login page in the browser.

Step 2: Log in to Prisma SaaS using the account:


utd-sop-saas-viewer@tpm.panw-labs.net

(If you get a login error, click Login again to retry with the same login name and password.)

Step 3: Use the saved name and password to log in to the Prisma SaaS console. The account you will
use in this lab is a read-only account, but we can use it to demonstrate many powerful features in the next
task.

Step 4: Your instructor will tell you more about Prisma SaaS. You can also watch this introduction
video on Prisma SaaS to learn more about the service:

https://www.youtube.com/watch?v=sGksNF3mONE

Task 3 - Prisma SaaS Dashboard


Step 1: Once logged in to the Prisma SaaS console, you will be on the Dashboard tab. As this is a demo
account, there is only one application connected. Click on Settings at the top, then select Cloud Apps &
Scan Settings to review the applications that are connected to this Prisma SaaS instance.

Prisma SaaS supports a large and growing number of SaaS applications. A Prisma SaaS administrator can
easily add applications to be protected by the service.

Step 2: As the Prisma SaaS service starts scanning the sanctioned SaaS applications, the Dashboard
presents a summary of the scan in six widgets: Assets, Content Types, Incidents, Users, Policy Violations
and Collaborators. Scroll down the Dashboard to see all the widgets.

Assets widget — The Assets widget displays the top violations by exposure (public, external, company,
and internal) and the file types associated with the exposure.

Content Types widget — The Content Types widget displays the six predefined data pattern groups and
the total amount of content in the cloud. Click > to drill down into the details by content category.

Incidents widget — The Incidents widget displays the number of active incidents detected against
data pattern and policy rule violations for each content type.

Step 3: In the Dashboard, select the WildFire rule in the Incidents widget. You will jump to the Incidents tab,
filtered to the incidents triggered by the WildFire rule.

Task 4 - WildFire Analysis by Prisma SaaS and SaaS Risk Assessment Report


Step 1: Click an item in the Incidents window.

Step 2: Click on any risk to view a detailed report. You will find more information about the detected risk,
which applications it was found in and its level of exposure.

Note: Since this is a demo account shared by all lab users, you will see many WildFire sample files
uploaded here. Prisma SaaS scanning is not instantaneous, so you may not immediately be able to see
the sample you have uploaded.

Step 3: Go to the Reports tab and open the pre-generated sample SaaS Risk Assessment Report.
From here, you can also generate a SaaS Risk Assessment Report. Note that because you are logged in as a
read-only user, the generate report option is not available.

Ask your instructor for more information about how Prisma SaaS works with next-generation firewalls to
protect your SaaS applications.

Task 5 – Prisma Access Overview
Prisma Access delivers a secure access service edge (SASE) that provides globally distributed
networking and security to all your users and applications. Whether at branch offices or on the go, your
users connect to Prisma Access to safely access cloud and data center applications as well as the
internet.

We invite you to take a quick look at the following short video to learn more about how this cloud-
delivered protection addresses requirements for secure access to applications with global coverage.

https://www.youtube.com/watch?v=robkJtn_g8Q

Palo Alto Networks offers a Secure Access Service Edge (SASE) with Prisma Access workshop, where you
can learn more about the different use cases for Prisma Access. Please talk with your instructor if you
are interested in learning more about Prisma Access.

You can find other events at https://events.paloaltonetworks.com/ and filter for the product of your interest
using the Product menu.

End of Activity 7

Activity 8 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the
labs that we have prepared for you. Please take a few minutes to complete the online survey form to tell
us what you think about this event.

Task 1 – Take the online survey


Step 1: In your lab environment, click on the “Survey” tab.

Step 2: Please complete the survey, and let us know what you think about this event.

End of Activity 8

Lab Setup

Firewall VM-Series

Interface       Int Type   IP Address     Connects to Zone

Management      -          10.30.21.1     -
Ethernet 1/1    L3         172.16.2.1     "Untrust"
Ethernet 1/2    L3         10.80.2.1      "Intranet"
Ethernet 1/3    L3         192.168.21.1   "Trust"
Ethernet 1/4    Tap        -              "Tap"
