Administrator’s Guide
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2018–2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
February 15, 2022
Cortex® XDR™ Prevent Administrator’s Guide 2 ©2022 Palo Alto Networks, Inc.
Table of Contents
Cortex® XDR™ Overview................................................................................ 7
Cortex® XDR™ Prevent Architecture.....................................................................................8
Cortex XDR versus Traditional Endpoint Protection........................................................ 11
Exploit Protection Overview.......................................................................................12
Malware Protection Overview....................................................................................12
Cortex XDR Licenses................................................................................................................15
Features by Cortex XDR License Type..................................................................... 15
Cortex XDR Endpoint License Allocation................................................................ 19
Cortex XDR License Expiration..................................................................................20
Cortex XDR License Monitoring................................................................................ 21
Monitoring....................................................................................................... 351
Cortex XDR Dashboard.........................................................................................................352
Dashboard Widgets.................................................................................................... 352
Predefined Dashboards.............................................................................................. 361
Build a Custom Dashboard....................................................................................... 364
Manage Dashboards................................................................................................... 365
Log Forwarding...............................................................................................379
Log Forwarding Data Types..................................................................................................380
Integrate Slack for Outbound Notifications..................................................................... 381
Integrate a Syslog Receiver.................................................................................................. 382
Configure Notification Forwarding..................................................................................... 385
Cortex® XDR™ Log Notification Formats........................................................................ 387
Management Audit Log Messages.......................................................................... 387
Alert Notification Format.......................................................................................... 425
Agent Audit Log Notification Format..................................................................... 435
Management Audit Log Notification Format........................................................ 437
Cortex® XDR™ Log Formats....................................................................................438
Managed Security..........................................................................................471
About Managed Security...................................................................................................... 472
Cortex XDR Managed Security Access Requirements................................................... 473
Switch to a Different Tenant................................................................................................474
Pivot to Another Tenant............................................................................................ 474
Pair a Parent Tenant with Child Tenant.............................................................................475
Pairing a Parent and Child Tenant...........................................................................475
Unpairing a Parent and Child Tenant......................................................................476
Manage a Child Tenant..........................................................................................................477
Track your Tenant Management.............................................................................. 477
Investigate Child Tenant Data.................................................................................. 478
Create and Allocate Configurations........................................................................479
Create a Security Managed Action......................................................................... 479
Cortex® XDR™ Overview
The Cortex XDR™ app offers you complete visibility over network traffic, user behavior, and endpoint activity. It simplifies threat investigation to reveal threat causalities and timelines. This enables you to easily identify the root cause of every alert. The app also allows you to perform immediate response actions.
With Cortex XDR, Palo Alto Networks deploys and manages the security infrastructure globally to manage endpoint security policy for both local and remote endpoints and to ensure that the service is secure, resilient, up to date, and available to you when you need it. This allows you to focus less on deploying the infrastructure and more on defining the policies to meet your corporate usage guidelines.
Cortex XDR is comprised of the following components:
• Cortex XDR web interface—A cloud-based security infrastructure service that is designed to minimize the operational challenges associated with protecting your endpoints. From Cortex XDR, you can manage the endpoint security policy, review security events as they occur, and perform additional analysis of associated logs.
You can host your Cortex XDR tenant in either the US Region or EU Region.
• Cortex XDR Agents—Each local or remote endpoint is protected by the Cortex XDR agent, which is installed and continuously runs on the endpoint. The Cortex XDR agent enforces your security policy on the endpoint and sends a report when it detects a threat. Cortex XDR agents support secure communication with Cortex XDR using Transport Layer Security (TLS) 1.2.
You can host your Cortex Data Lake instance in either the United States (US) Region or European Union (EU) Region.
• Directory Sync Service—The Directory Sync Service enables Palo Alto Networks cloud-based applications to leverage computer, user, and group attributes from your on-premises Active Directory for use in policy and endpoint management. The Directory Sync Service uses an on-premises agent to collect those attributes from your on-premises Active Directory. The Directory Sync Service agent runs in the background to collect the Active Directory information and syncs it with the cloud-based Directory Sync Service that you configure using the Hub.
You can host your Directory Sync Service instance in either the US Region or EU Region.
• WildFire cloud service—The WildFire® cloud service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XDR can use to then detect and block that malware. When a Cortex XDR agent detects an unknown sample (an attempt to run a macro, DLL, or executable file), Cortex XDR can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-discovered malware and makes the latest signatures globally available every five minutes. For more information, see WildFire® Analysis Concepts.
• Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run on the endpoint.
• Periodic and automated scanning—Enables you to block dormant malware that has not yet tried to execute on endpoints. Scanning requires Cortex XDR agent 7.1 or a later release.
Feature   Cortex XDR Prevent   Cortex XDR Pro per Endpoint   Cortex XDR Cloud per Host   Cortex XDR Pro per TB
(A dash marks a license type that does not include the feature.)
Kubernetes Host Support: — — —
Host Insights, including Host Inventory, Vulnerability Assessment, and File Search and Destroy: — —
  Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
  Without the add-on license, Host Insights is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Forensics: — —
  Without the add-on license, Forensics is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
  Without the add-on license, Forensics is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Compute Unit: —
  Without the add-on license, Compute unit is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
  Without the add-on license, Compute unit is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
  Without the add-on license, Compute unit is available with Cortex XDR Pro per TB for a 1-month trial period.
Period Based Retention (Hot Storage): —
Period Based Retention (Cold Storage): —
Endpoint management: —
Device control: —
Host firewall: —
Disk encryption: —
Response Actions
Live Terminal: —
Endpoint isolation: —
External dynamic list (EDL): —
Script execution: — —
Remediation analysis: — —
Incident Scoring Rules: —
Featured Alert Fields: —
Widget Library: —
Assets
Asset Management: —
Analysis
Analytics, including Identity Analytics: —
Cortex XDR agent alerts: —
Prisma Cloud and Prisma Cloud Compute: — — —
Third-Party Cloud Security Data (AWS, Azure, Google): — — —
Enhanced data collection for EDR and other Pro features: — —
Other alerts (from Palo Alto Networks and third-party sources): — (API)
Other logs (from Palo Alto Networks and third-party sources): — — —
Integrations
Threat intelligence (AutoFocus, VirusTotal)
Outbound integration and notification forwarding (Slack, Syslog): + agent audit logs   + agent audit logs
Broker VM
Agent Proxy
Syslog Collector: — — —
CSV Collector: — — —
Database Collector: — — —
FTP Collector: — — —
NetFlow Collector: — — —
Network Mapper: —
Pathfinder: —
Windows Event Collector: — — —
MSSP
MSSP (requires additional MSSP license)
Managed Threat Hunting (requires an additional Managed Threat Hunting License): — —   + a minimum of 500 endpoints
permitted number of Pro agents, Cortex XDR displays a notification in the notification area. Cortex XDR permits a small grace over the permitted number but begins enforcing the number of agents after 14 days. If additional Pro agents are required, increase your Cortex XDR Pro per Endpoint license capacity.
To view the Pro license status for specific endpoints, see View Details About an Endpoint.
Endpoint Type                 License Return   Agent Removal from Cortex XDR console   Agent Removal from Cortex XDR Database
Standard and mobile devices   After 30 days    After 180 days                           After 180 days
After a license is revoked, if the agent connects to Cortex XDR, reconnection will succeed as long as the agent has not been deleted.
If a deleted agent tries to connect to Cortex XDR during the 180-day period, the agent can resume connection and maintain its agent ID. After the 180-day period, the agent ID is deleted alongside all the associated data. In order to reconnect the agent, you must use Cytool to reconnect it or reinstall it on the endpoint, and the agent will be assigned a new ID and a fresh start.
period of 48 hours. After the 48-hour grace period, Cortex XDR disables access to the Cortex XDR app until you renew the license.
For the first 30 days of your expired license, Cortex XDR continues to protect your endpoints and/or network and retains data in the Cortex Data Layer according to your data retention policy and licensing. After 30 days, the tenant is decommissioned and agent prevention capabilities cease.
Cortex XDR displays a tile with your Cortex XDR Prevent license type, total number of concurrent agents permitted by your license, number of installed agents, and the expiration date of your license.
For information on your data usage and storage license, select Settings > Configurations > Data Management > Dataset Management. See Dataset Management.
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR displays license notifications when you log in. The notification identifies any changes made to your license and describes any required actions.
Get Started with Cortex® XDR™ Prevent
STEP 4 | (Optional) Set Up Cloud Identity Engine (formerly Directory Sync Service (DSS))
1. Activate and Set Up a Cloud Identity Engine Instance.
2. Add the Cloud Identity Engine Instance to Cortex XDR.
New Cortex XDR tenants: Determine the amount of log storage you need for your Cortex XDR deployment. Talk to your Partner or Sales Representative to determine whether you must purchase additional storage within the Cortex XDR tenant. Determine the region in which you want to host Cortex XDR and any associated services, such as Directory Sync Service.
Migration from the Traps Endpoint Security Manager: Review to determine if upgrading is right for you.
Review Differences Between Endpoint Security Manager and Cortex XDR to determine whether upgrading to Cortex XDR is right for you.
Upgrade your ESM and Traps agent to a version that supports migration to Cortex XDR:
After you upgrade to a major Cortex XDR release version, you can subsequently continue to upgrade to a desired minor (maintenance) release in Cortex XDR.
Sanitize your Security policy. Because the policy structure for Cortex XDR is different than for ESM, you cannot migrate rules from an existing deployment. Before you migrate to Cortex XDR, Palo Alto Networks recommends that you review existing user rules for each policy type and remove any that you no longer need. For example, remove all rules that are resolved in content updates or that apply only to earlier versions of the Traps agent.
Review restore candidates. Before you migrate to Cortex XDR, review all quarantined files and determine whether they need to be restored or whether they require additional action to remediate the endpoint. After you upgrade the agent to an agent version supported by Cortex XDR, the agent will not communicate with ESM and, therefore, will not respond to requests from ESM to restore files.
Review security events. Review and address all events that require remediation before you migrate to Cortex XDR. During the migration, Cortex XDR migrates any security events the Traps agent sent to the ESM before the new Cortex XDR agent was installed on the endpoint. Any unsent security events on the endpoint will not be migrated to Cortex XDR.
STEP 1 | Activate Cortex XDR.
After you receive your Cortex XDR Prevent license, you can activate Cortex XDR from the hub. During activation, you can also associate Cortex XDR with a Cortex Data Lake instance and a Directory Sync Service instance.
There may be more than one WildFire rule with an allow list. While ESM merges WildFire rules, this capability is not available in Cortex XDR.
Ensure that you migrate paths to the appropriate Malware Security Profile for each platform:
• Copy paths in macOS WildFire rules to the Mach-O Files whitelist in a macOS profile.
• Copy paths in Windows WildFire rules for Executables and DLL files to the Portable Executables and DLLs allow list in a Windows profile.
• Copy paths in Windows WildFire rules for Office files to the Office Files allow list in a Windows profile.
4. Apply Security Profiles for each group of target objects to which the profile (and any associated hash exceptions) applies.
You can return to the Malware Profile to specify the target objects after you upgrade the Traps agent.
After you upgrade the Traps agent, you can return to Cortex XDR to apply any exceptions for specific endpoints.
STEP 5 | Upgrade the Traps agent to a Cortex XDR agent version that supports migration.
See Supported Migration Paths to learn about the ESM and Traps versions that support migration to Cortex XDR. If you use an earlier ESM and Traps version that does not have direct migration support, you have three options for migration:
• Upgrade the earlier version to a version which supports migration using action rules and then use the workflow below to upgrade the Traps agent.
• Upgrade the Traps agent using a third-party software deployment tool, such as JAMF or SCCM. With this method you must uninstall the agent and install a fresh installation package of Traps 5.0 instead of an upgrade package.
• Manually uninstall the earlier Traps agent and install a fresh installation package of Traps 5.0.
To upgrade from a Traps agent version that supports migration, continue with the following workflow:
1. From Cortex XDR, Create an Agent Installation Package with the installation type set to Upgrade from ESM.
For Linux endpoints, you must use the default shell package instead of the package manager.
2. Download the package to a location reachable from the ESM.
3. From the ESM Console, disable service protection.
4. Create an agent action rule to upgrade the Traps agent using the package created from Cortex XDR. If you need the agent to communicate through a proxy server, you can specify a Proxy List in the action rule. The list supports up to ten proxy servers, comma-separated, and in the format <serverIPaddress>:<port>.
Because this procedure is valid only for a specific version of Traps agents, we recommend that you use a condition for the action rule to upgrade the agents matching the Traps agent version.
5. Save and Apply the rule.
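As an added example that is not part of the guide, the following Python checks a Proxy List string for the action rule above against the documented constraints (comma-separated, at most ten entries, each in the form <serverIPaddress>:<port>) before it is pasted into the rule. Accepting bracketed IPv6 literals is an assumption of this example, as are the sample addresses.

```python
import ipaddress

# The action rule's Proxy List accepts at most ten comma-separated servers (per the guide).
MAX_PROXIES = 10


class ProxyListError(ValueError):
    """Raised when a Proxy List string does not match the <serverIPaddress>:<port> format."""


def parse_proxy_list(proxy_list: str) -> list[tuple[str, int]]:
    """Parse a comma-separated Proxy List into (ip, port) tuples, in the order given.

    Raises ProxyListError when the list is empty, has more than MAX_PROXIES entries,
    or contains an entry whose host is not an IP address or whose port is out of range.
    Hostnames are rejected on purpose: the documented format is an IP address.
    """
    entries = [e.strip() for e in proxy_list.split(",") if e.strip()]
    if not entries:
        raise ProxyListError("proxy list is empty")
    if len(entries) > MAX_PROXIES:
        raise ProxyListError(f"{len(entries)} proxies given; at most {MAX_PROXIES} are supported")
    parsed = []
    for entry in entries:
        # rpartition keeps an IPv6 literal's own colons on the host side
        host, sep, port_text = entry.rpartition(":")
        if not sep or not host or not port_text:
            raise ProxyListError(f"{entry!r}: expected <serverIPaddress>:<port>")
        # Assumption for this example: IPv6 literals may be written as [addr]:port
        host = host.strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            raise ProxyListError(f"{entry!r}: {host!r} is not an IP address") from None
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ProxyListError(f"{entry!r}: port must be an integer from 1 to 65535")
        parsed.append((str(ip), int(port_text)))
    return parsed


def is_valid_proxy_list(proxy_list: str) -> bool:
    """Convenience wrapper: True when parse_proxy_list accepts the string."""
    try:
        parse_proxy_list(proxy_list)
        return True
    except ProxyListError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not from the guide
    print(parse_proxy_list("10.0.0.5:8080, 192.168.1.10:3128"))
    print(is_valid_proxy_list("proxy.example.com:8080"))  # hostname, so False
```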
STEP 6 | Customize your Endpoint Security Policy and set exceptions, as needed, for specific endpoints.
If you have policy exceptions, you can either configure global endpoint policy exceptions or add conditions to the allow list within endpoint security profiles that apply to the specific endpoints.
Visibility
Import never seen hashes and set verdicts for them.
  ESM: Hash Control
  Cortex XDR: Response > Action Center > Import Hash Exceptions. From the Action Center, you can also add hashes individually to the block list or allow list.
Display quarantined files that are eligible to be restored to their original location on the endpoint.
  ESM: Hash Control
  Cortex XDR: Response > Action Center > Quarantine
Policy Management
Exception creation and policy configuration
  ESM: You can create almost any policy rule that Palo Alto Networks Research teams (often at the instruction of Support) can create. You can also allow very specific flows, including adding to the allow list specific DLL files for EPMs, and process.
  Cortex XDR: Palo Alto Networks can also create granular policy changes, using either support exceptions or content updates. You can also edit profiles, create exceptions, and disable specific capabilities, such as for a specific module or process.
Exceptions for Active Directory (AD) objects
  ESM: Assign rules to any AD object.
  Cortex XDR: Assign rules to any AD object.
Change mode per process
  ESM: Report or block an event based on the process.
  Cortex XDR: Report or block an event based on the category and not the process.
View protected processes
  ESM: Visibility from the ESM Console (Policies > Exploit > Process Management).
  Cortex XDR: Visibility from Cortex XDR (select or search for Protected Processes in the relevant exploit protection capability from Endpoints > Policy Management > Profiles > + New Profile > <platform> > Exploit Profile).
View policy from the Traps console
  ESM: The Traps console displays the policy rules and exceptions that apply on the agent.
  Cortex XDR: N/A
Agent and ESM settings
  ESM: Granular control over settings such as the Heartbeat Interval (the frequency at which the Traps agent attempts to check in), the Reporting Interval (the frequency at which the Traps agent sends report notifications, including changes in service, crash events, and new processes), and the Heartbeat Grace
  Cortex XDR: Fixed settings but reduced heartbeat interval (5 minutes) and reporting interval (1 hour).
Role-based access control
  ESM: Granular access control for different areas and flows in the ESM Console.
  Cortex XDR: Predefined roles to allow access to Cortex XDR features.
Permission Management
You can manage roles and permissions for a single tenant or a number of tenants at the same time using the Cortex XDR Permission Management console, which is accessible via the Cortex Gateway. The Permission Management console is used for first time activations. To create and assign roles, you must first activate your Cortex XDR tenant and be assigned an XDR Account Admin role in the Cortex Gateway.
The Permission Management console is divided into two subcategories, Permissions and Roles, which you can view on separate pages.
In the Permissions page, Cortex XDR lists all the users allocated to a specific CSP account and tenant name. The Permissions table provides different fields of information as detailed below. You can select whether to Show User Subset to display only the users who are not designated as a Hidden user (default). For example, this is useful when you have users who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list. You can also select whether to View By Users (default) or Tenants.
Groups and Group Roles can only be configured in Cortex XDR in the Settings > Configurations > Access Management > User Groups page. For more information, see Manage User Groups.
• User Name—Displays the first and last name of the user and whether the user is a CSP Super User and Account Admin. If the user is allocated to more than one tenant, expand the user name to display the details for each tenant.
• Email—Email address of the user.
• Tenant—Name of the tenant the user has permission to access. Next to the user name, expand the entry to view the tenant name.
• Direct XDR Role—Name of the role assigned to the user. Next to the user name, expand the entry to view the role assigned per tenant. If the user does not have any Cortex XDR access permission, the field displays No-Role.
• Groups—Lists the groups that a user belongs to, where any group imported from Active Directory has the letters AD added beside the group name.
• Group Roles—Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.
• Last Login Time—Last date and time the user accessed the tenant.
• Status—Displays whether the user is Active or Inactive.
In the Roles page, Cortex XDR lists the Predefined User Roles for Cortex XDR and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The Roles table provides the following fields of information.
• Role Name—Name of the role.
• Created By—Displays one of the following options depending on whether the role is a custom role created by a user or a predefined role.
  • Palo Alto Networks—Predefined role granting user permissions in all tenants.
  • <user email address>—Custom role created in the Cortex Gateway granting user permission in all tenants.
  • <user email address>—Custom role created in the Cortex XDR app granting user permission in that specific tenant alone.
• Tenant—Name of the tenant the role applies to according to where the role was created; Cortex Gateway or Cortex XDR app.
• Description—Description of the role.
• Creation Time—Date and time when the role was created. The field is available for only a custom role.
• Modification Time—Date and time of when the role was last updated. The field is available for only a custom role.
STEP 1 | Select Tenant Navigator > Cortex Gateway > Permission Management.
Access Management
The Access Management console is accessible by selecting Settings > Configurations > Access Management. The console is divided into the following subcategories, which you can view on separate pages.
• Users—Manage users allocated to a specific tenant.
• Roles—Manage roles for a specific tenant.
• User Groups—Manage your user groups for a specific tenant.
Manage Users
In the Users page, Cortex XDR lists all the users allocated to a specific tenant. The Users table provides different fields of information as detailed below. At the top of the page, you can perform the following actions.
• Import Multiple User Roles as a CSV (Comma-separated values) file. This import can be used to quickly add users who already belong to a CSP account and assign them preexisting roles in Cortex XDR. You can use the Download example file to view the required format of the CSV file to upload and replace the file contents with the data you want to upload, where the following columns must be included.
• User email—The email address of the user belonging to a CSP account that you want to
import.
• Role Name—The name of the role that you want to assign to this user, where the role must
already be created in Cortex XDR.
• Is an account role (default=false)—A boolean value to define whether the user is designated
with an XDR Account Admin role in the Cortex Gateway. To define this in the CSV file, set
the value to TRUE; otherwise, the value is set to FALSE (default).
• Show User Subset to display only the users who are not designated as a Hidden user (default).
• Search for something in the search box.
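To catch a bad import file before uploading it, here is an added Python check (not from the guide or the product) that validates the three documented columns: the address shape, that the role already exists in the tenant, and the TRUE/FALSE account-role column with its FALSE default. The exact header strings, the role names and the sample rows are constructed assumptions, so compare them against the Download example file.

```python
import csv
import io
import re

# Header strings are an assumption for this example; the tenant's "Download example
# file" is the authoritative source for the exact column names.
COL_EMAIL = "User email"
COL_ROLE = "Role Name"
COL_ACCOUNT_ROLE = "Is an account role"
REQUIRED_COLUMNS = (COL_EMAIL, COL_ROLE, COL_ACCOUNT_ROLE)

# Deliberately simple shape check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_account_role(value) -> bool:
    """Map the boolean column: TRUE marks an XDR Account Admin; blank or FALSE does not."""
    text = (value or "").strip().upper()
    if text in ("", "FALSE"):
        return False
    if text == "TRUE":
        return True
    raise ValueError(f"boolean column must be TRUE or FALSE, got {value!r}")


def validate_user_roles_csv(csv_text: str, existing_roles: set) -> tuple:
    """Check an import file before uploading it.

    Returns (accepted_rows, errors). A row is accepted only when its email is well
    formed, its role already exists in the tenant, and its boolean column is valid.
    A repeated email is reported because one file should not assign a user two roles.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing required column(s): {', '.join(missing)}"]
    accepted, errors, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row.get(COL_EMAIL) or "").strip().lower()
        role = (row.get(COL_ROLE) or "").strip()
        problems = []
        if not EMAIL_RE.match(email):
            problems.append(f"invalid email {email!r}")
        if role not in existing_roles:
            problems.append(f"role {role!r} does not exist in Cortex XDR; create it first")
        try:
            is_account_role = parse_account_role(row.get(COL_ACCOUNT_ROLE))
        except ValueError as exc:
            problems.append(str(exc))
            is_account_role = False
        if email in seen:
            problems.append(f"duplicate email {email!r}")
        seen.add(email)
        if problems:
            errors.append(f"line {line_no}: " + "; ".join(problems))
        else:
            accepted.append({"email": email, "role": role, "account_admin": is_account_role})
    return accepted, errors


# Constructed sample file and role names (not from the guide): a default boolean,
# an explicit TRUE, a role that does not exist, a bad boolean and a bad address.
SAMPLE_CSV = """User email,Role Name,Is an account role
alice@example.com,SOC Viewer,
bob@example.com,Instance Administrator,TRUE
carol@example.com,Nonexistent Role,FALSE
dave@example.com,SOC Viewer,maybe
not-an-email,SOC Viewer,
"""
SAMPLE_ROLES = {"SOC Viewer", "Instance Administrator"}

if __name__ == "__main__":
    ok, bad = validate_user_roles_csv(SAMPLE_CSV, SAMPLE_ROLES)
    print(f"{len(ok)} row(s) ready to upload, {len(bad)} rejected")
    for message in bad:
        print(message)
```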
The following is a description of the different columns in the Users table.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is
exposed by default.
For a user with an XDR Account Admin role, you can only degregate their role
using the Cortex Gateway.
3. Add a particular user to a group by selecting the User Groups from the list.
4. Show Accumulated Permissions for the user(s) based on the Role and User Groups assigned to the user(s). Role permissions are comprised of different Components permissions. By default All permissions are displayed, which lists the combined permissions of every Role and User Group assigned to the user. You can also select the specific roles assigned to the user, which enables you to compare available permissions based on the roles selected. This can help you understand how the role permissions for a particular user are built. For example, you can isolate, for a specific component, the permissions provided by a particular Role or User Group.
5. Update User to save your changes to the user role.
• Deactivate a user.
Locate the user you want to deactivate, right-click, and select Deactivate User.
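The accumulated-permissions view in step 4 can be reproduced offline. The following added Python (not the product's code) combines a direct role with the roles of the user's groups, records which source grants each component permission, and lets you restrict the calculation to selected sources the way the console's comparison does. The role and group definitions, component names and access levels are constructed for the example.

```python
from collections import defaultdict

# Constructed role definitions for this example: role name -> {component: access levels}.
# The split between viewing and initiating actions follows the guide; the names are made up.
ROLES = {
    "SOC Viewer": {"Incidents": {"view"}, "Endpoints": {"view"}, "Settings": {"view"}},
    "SOC Responder": {"Incidents": {"view", "action"}, "Endpoints": {"view", "action"}},
    "Settings Admin": {"Settings": {"view", "edit"}, "Access Management": {"view", "edit"}},
}

# Constructed user groups: each group carries exactly one role, as the guide states.
GROUPS = {
    "SOC Tier 1": {"role": "SOC Viewer", "source": "AD"},
    "SOC Tier 2": {"role": "SOC Responder", "source": "AD"},
    "Platform Team": {"role": "Settings Admin", "source": "Custom"},
}


def permission_sources(direct_role, user_groups):
    """List (source label, role name) pairs that contribute to a user's permissions.

    direct_role is None for a user shown as No-Role; AD-imported groups are tagged
    the way the console tags them.
    """
    sources = []
    if direct_role:
        sources.append((f"Role: {direct_role}", direct_role))
    for group in user_groups:
        info = GROUPS[group]
        label = f"User Group: {group}" + (" (AD)" if info["source"] == "AD" else "")
        sources.append((label, info["role"]))
    return sources


def accumulated_permissions(direct_role, user_groups, selected_sources=None):
    """Combine permissions across the direct role and every group role.

    selected_sources=None is the default "All permissions" view; passing a set of
    source labels restricts the calculation, like selecting specific roles in the console.
    Returns {component: {access_level: [source labels that grant it]}}.
    """
    result = defaultdict(lambda: defaultdict(list))
    for label, role in permission_sources(direct_role, user_groups):
        if selected_sources is not None and label not in selected_sources:
            continue
        for component, levels in ROLES[role].items():
            for level in sorted(levels):
                result[component][level].append(label)
    return {component: dict(levels) for component, levels in result.items()}


def isolate_component(direct_role, user_groups, component):
    """Answer the guide's isolation question: which source grants what on one component."""
    return accumulated_permissions(direct_role, user_groups).get(component, {})


if __name__ == "__main__":
    user = ("SOC Viewer", ["SOC Tier 2", "Platform Team"])
    for component, levels in accumulated_permissions(*user).items():
        for level, sources in levels.items():
            print(f"{component:18} {level:7} <- {', '.join(sources)}")
```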
Manage Roles
You can manage roles for a specific tenant only using the Cortex XDR Access Management console.
In the Roles page, Cortex XDR lists the Predefined User Roles for Cortex XDR and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The following is a description of the different columns in the Roles table.
• Role Name—Name of the role.
• Created By—Displays either the email address of the user who created a custom role or, for predefined roles, one of the following options.
  • Palo Alto Networks—Predefined role granting user permissions in all tenants.
  • <user email address>—Custom role created in the gateway granting user permission to this tenant.
  • <user email address>—Custom role created in the Cortex XDR app granting user permission to this specific tenant.
• Description—Description of the role.
• Creation Time—Date and time when the role was created. The field is available for only a custom role.
• Update Date—Date and time of when the role was last updated. The field is available for only a custom role.
• Custom—Displays a boolean value of either Yes or No to indicate whether the role is a custom role.
When creating a New Role or editing an existing role, you can manage roles for all Cortex XDR apps and services in the Components tab of the Create Role window. Role permissions for the various Cortex XDR components are listed according to the sidebar navigation in Cortex XDR. By assigning roles, you enforce the separation of viewing access and initiating actions among functional or regional areas of your organization.
STEP 1 | Select Sengs > Configuraons > Access Management > Roles.
This feature is only available if you enabled the Cloud Identity Engine in
Configurations > Integrations > Cloud Identity Engine.
• Create a new user group for a number of different system users or groups.
The User Groups table provides the following fields of information.
• Group Name—Name of the user group.
• Description—Description of the user group.
• Role—Lists the group role associated with this user group. You can only have a single role
designated per group.
• Users—Lists all the users belonging to this user group.
• Nested Groups—Lists any nested groups associated with this user group.
• Insert Time—Date and time when the user group was added.
• Update Time—Date and time when the user group was last updated.
• Source—Displays the source of the user group as either a user group imported from Active
Directory or a Custom user group created in Cortex XDR.
You can also pivot (right-click) from rows and specific values in the table, where a number of
different options are available to help you manage your Cortex XDR user groups from this page.
This feature is only available if you enabled the Cloud Identity Engine in
Configurations > Integrations > Cloud Identity Engine.
1. Import AD Group.
2. Set the following parameters in the Import Group from Active Directory window.
  - Import AD Group—Specify the particular Active Directory group in the field and select
  whether the AD group can be found in All, OUs, or Groups.
  - Specify a Description.
  - Role—Select a role that you want to designate for this user group, where only a single
  role can be assigned to a group.
3. Import the user group.
• Create a new user group for a number of different system users or groups.
1. Select New Group.
2. Set the following parameters in the New Custom Group window.
  - Specify the Name and Description for the user group.
  - Role—Select a role that you want to designate for this user group, where only a single
  role can be assigned to a group.
  - Users—Select the user(s) that you want to belong to this user group, where you can also
  use the search field to narrow down the list of users.
  - Nested Groups—(optional) Select the nested group(s) that you want associated with this
  user group.
3. Create the user group.
• Save an existing group as a new group.
1. Select the user group or right-click the user group, and select Save as New Group.
2. Set the following parameters in the New Custom Group window.
  - Specify the Name and Description for the user group.
  - Role—Leave the designated role or select a new role that you want to designate for this
  user group.
  - Users—Leave the current user(s) or select the user(s) that you want to belong to this
  user group. You can also use the search field to narrow down the list of users.
  - Nested Groups—Leave the current nested group(s), select the nested group(s) that you
  want associated with this user group, or remove all nested groups if you don’t want any
  defined.
3. Create the user group.
• Edit a user group.
1. Select the user group or right-click the user group, and select Edit Group.
2. Set the following parameters in the Edit Custom Group window.
  - Update the Name and Description for the user group.
  - Role—Leave the designated role or select a new role that you want to designate for this
  user group.
  - Users—Leave the current user(s) or select the user(s) that you want to belong to this
  user group. You can also use the search field to narrow down the list of users.
  - Nested Groups—Leave the current nested group(s), select the nested group(s) that you
  want associated with this user group, or remove all nested groups if you don’t want any
  defined.
3. Save your changes.
• Remove a user group.
1. To remove more than one user group, select the user groups, right-click, and select
Remove Groups.
To remove one user group, select the user group or right-click the user group, and select
Remove Group.
2. Click Delete in the window that is displayed.
• Copy text to clipboard to copy text from a specific row field in the row of a user group.
• Copy entire row to copy the text from all the fields in a row of a user group.
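The Accumulated Permissions view described for editing a user (the combined permissions of every Role and User Group assigned to the user, and the per-role comparison) and the one-role-per-group rule for User Groups, modelled as an added example; this is not Palo Alto Networks code. The (component, action) permission pairs, the treatment of nested groups as contributing their members to the parent group, and every role, group and user name are assumptions or constructed sample data, not values from the guide.

```python
"""Model of how a Cortex XDR user's accumulated permissions are built.

Added example for this guide, not Palo Alto Networks code. It follows two rules
the text states: a user's effective permissions are the union of the directly
assigned Role and the Role of every User Group the user belongs to (the "All
permissions" view), and a User Group carries exactly one Role. Assumptions not
stated on the page: a permission is a (component, action) pair, and a nested
group's users count as members of the parent group. Names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

Permission = tuple[str, str]  # (component, action), e.g. ("Endpoint Management", "Edit")


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[Permission]


@dataclass
class UserGroup:
    name: str
    role: Role  # exactly one Role per group, as the guide requires
    users: set[str] = field(default_factory=set)
    nested_groups: list[UserGroup] = field(default_factory=list)

    def members(self, seen: set[str] | None = None) -> set[str]:
        """Direct users plus (assumption) the users of nested groups; cycle-safe."""
        seen = set() if seen is None else seen
        if self.name in seen:
            return set()
        seen.add(self.name)
        result = set(self.users)
        for group in self.nested_groups:
            result |= group.members(seen)
        return result


def role_sources(user: str, direct_role: Role | None,
                 groups: list[UserGroup]) -> dict[str, Role]:
    """Every Role that applies to the user, keyed by where it comes from."""
    sources: dict[str, Role] = {}
    if direct_role is not None:
        sources[f"Role: {direct_role.name}"] = direct_role
    for group in groups:
        if user in group.members():
            sources[f"User Group: {group.name}"] = group.role
    return sources


def accumulated_permissions(user: str, direct_role: Role | None,
                            groups: list[UserGroup]) -> frozenset[Permission]:
    """The 'All permissions' view: the union over every applicable Role."""
    perms: set[Permission] = set()
    for role in role_sources(user, direct_role, groups).values():
        perms |= role.permissions
    return frozenset(perms)


def permissions_by_source(user: str, direct_role: Role | None, groups: list[UserGroup],
                          component: str | None = None) -> dict[Permission, list[str]]:
    """Which Role or User Group grants each permission, optionally isolated to one
    component; this is the per-role comparison the guide describes in step 4."""
    breakdown: dict[Permission, list[str]] = {}
    for source, role in role_sources(user, direct_role, groups).items():
        for perm in sorted(role.permissions):
            if component is None or perm[0] == component:
                breakdown.setdefault(perm, []).append(source)
    return breakdown


# Constructed sample data; the permission sets are illustrative, not the
# product's predefined roles.
VIEW_ONLY = Role("Example Viewer", frozenset({
    ("Dashboards", "View"), ("Reports", "View")}))
ENDPOINT_ADMIN = Role("Example Endpoint Admin", frozenset({
    ("Dashboards", "View"),
    ("Endpoint Management", "View"), ("Endpoint Management", "Edit")}))
TIER1 = UserGroup("Tier-1 SOC", role=VIEW_ONLY, users={"alice@example.com"})
ENDPOINT_OPS = UserGroup("Endpoint Ops", role=ENDPOINT_ADMIN, nested_groups=[TIER1])
GROUPS = [TIER1, ENDPOINT_OPS]


def audit(user: str, direct_role: Role | None = None) -> list[str]:
    """Accumulated-permission report for one user, one line per permission."""
    lines = [f"{user}:"]
    for perm, sources in sorted(permissions_by_source(user, direct_role, GROUPS).items()):
        lines.append(f"  {perm[0]} / {perm[1]}  <- {', '.join(sources)}")
    return lines


if __name__ == "__main__":
    # alice has no direct Role, but Tier-1 SOC is nested under Endpoint Ops, so
    # she also picks up Endpoint Management edit rights through that group.
    print("\n".join(audit("alice@example.com")))
```

Running it shows a user who sits only in a view-only group acquiring Endpoint Management edit rights because that group is nested under a group with an admin role, which is the kind of combination the per-role comparison helps you spot before saving a user.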
Some features are license-dependent. Accordingly, users may not see a specific feature
if the feature is not supported by the license type or if they do not have access based on
their assigned role.
[Predefined user role permission tables: the per-component permission marks did not survive extraction; only the role names, role descriptions and component rows are kept here.]
Predefined roles and their descriptions, as given in the tables:
• Instance Administrator: Full access to the app instance for which this role is assigned. The Instance Administrator can also make other users an Instance Administrator for the app instance. If the app has predefined or custom roles, the Instance Administrator can assign those roles to other users.
• Deployment Admin: Manage and control endpoints and installations, and configure broker VMs.
• Investigator (Table 5): View and triage alerts and incidents.
• Investigation Admin: View and triage alerts and incidents, configure rules, view endpoint profiles and policies, and Analytics management screens.
• Responder (Table 7): View and triage alerts, and access all response capabilities excluding Live Terminal.
• Privileged Investigator
• Privileged Responder
• IT Admin: Manage and control endpoints and installations, configure broker VMs, view endpoint profiles and policies, and view alerts.
• Privileged IT Admin: Manage and control endpoints and installations, configure brokers, create profiles and policies, view alerts, and initiate Live Terminal.
• Viewer
• Security Admin: Triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.
Three further tables carry no recoverable role heading.
Components listed as rows in each table, grouped by Cortex XDR sidebar section:
• DASHBOARDS & REPORTS: Dashboards; Ingestion Monitoring; Reports.
• INCIDENT RESPONSE: Personal Query Library; Forensics; Host Insights; Response Action Center (Isolate, Terminate Process, Quarantine, EDL, File Retrieval, File Search, Destroy Files, Allow List/Block List, Disable Response Actions, Remediation, Delete Quarantined files); Agent Scripts Library (Run Standard Script, Run High-Risk Script, Script Configurations); Live Terminal.
• DETECTIONS & THREAT INTEL: Detection Rules; Prevention Rules; Request WildFire Verdict Change.
• Assets: Network Configuration; Compliance; Asset Inventory.
• Endpoints: Endpoint Administration (Endpoint Management, Retrieve Endpoint Data, Endpoint Scan, Change Managing Server, Pause Protection); Endpoint Groups; Endpoint Installations; Endpoint Prevention Policies; Global Exceptions; Endpoint extension policies; Endpoint Profiles; Host Firewall; Device Control (Rules, Exceptions).
• Settings: General Auditing Settings; General Configuration; Alert Notifications; Pathfinder Applet; Pathfinder Data Collection; Data Collection: Log Collections; External Alerts Mapping; Threat Intelligence; EDL Configuration.
Important: The rest of the functional areas and their permissions in Cortex XDR do not
support SBAC. Accordingly, if these permissions are granted to a scoped user, the user
will be able to access all endpoints in the tenant within this functional area. For example,
a scoped user with permission to view incidents can view all incidents in the system
without limitation to a scope.
Also note that the Agent Installation widget is not available for scoped users.
STEP 2 | Select and right-click the user or users to which you want to assign a scope, and then select
Assign Endpoint Scope.
The Assign Endpoint Scope dialog box appears.
STEP 4 | Apply.
The users to whom you have scoped particular endpoints are now able to use Cortex XDR only
within the scope of their assigned endpoints.
Make sure to assign the required default permissions for scoped users. This depends on
the structure and divisions within your organization, and the particular purpose of each
organizational unit to which scoped users belong.
For more information about user roles, see Manage User Roles.
Activating a Cortex XDR tenant is a one-time task you’ll need to perform when you first start
using Cortex XDR. After you’ve activated your Cortex XDR tenant—and completed all the steps
described in Set up Cortex XDR Prevent Overview—you’ll only need to repeat the activation if you
want to add additional Cortex XDR tenants.
The following are prerequisites to activate Cortex XDR:
• Locate the email that contains your activation information.
• Ensure you have CSP Super User role permissions to your existing administrator accounts. This
role cannot be removed or changed through the Cortex Gateway.
To activate your Cortex XDR tenant:
STEP 1 | Navigate to the activation link you received in email and sign in to begin activation in the
Cortex Gateway.
As the first user with CSP Super User permissions to access the Cortex Gateway, you are
automatically granted XDR Account Admin permissions to the Cortex Gateway. With
these permissions, you are able to activate Cortex XDR tenants, create new roles, and
assign permissions to users allocated to your tenant.
The Cortex Gateway displays tenants Available for Activation and Available Tenants.
In the Available for Activation section, you can view all the tenants allocated to your CSP
account that are ready for activation. You can review the tenant details, such as license type,
number of endpoints, and purchase date.
The Available Tenants section lists tenants that have already been activated. If you have more
than one CSP account, the tenants are displayed according to the CSP account name.
STEP 2 | In the Available for Activation section, locate the tenant you want to activate according to
the serial number and Activate to launch the Tenant Activation wizard.
STEP 3 | In Tenant Activation > Select Support Account, ensure the tenant you want to activate is
allocated to the correct CSP account. You can expand Cortex XDR and Cortex Data Lake to
view the tenants and Cortex Data Lake instances associated with the CSP account.
If you manage multiple company CSP accounts, make sure you select the specific
account to which you want to allocate the Cortex XDR tenant before proceeding with
activation. Once activated, the tenant will be associated with the account and cannot
be moved.
STEP 4 | In Tenant Activation > Define Tenant Settings, define the following tenant details:
• Tenant Name—Give your Cortex XDR app instance an easily recognizable name. Choose a
name that is 59 or fewer characters and is unique across your company account.
• Region—Select a region in which you want to set up your Cortex Data Lake instance. If
you selected an existing Cortex Data Lake instance, this field automatically displays the
region in which your Cortex Data Lake instance is deployed and cannot be changed.
• Tenant Subdomain—Give your Cortex XDR instance an easy-to-recognize
name that is used to access the tenant directly using the full URL (https://
<subdomain>.xdr.<region>.paloaltonetworks.com).
Note this is a public FQDN, so be careful with sensitive information such as the
company name.
• Cortex Data Lake—You can either Activate new Data Lake or select the Cortex Data Lake
instance name you created that is already logging Palo Alto Networks products.
• Review and agree to the terms and conditions of the Privacy Policy, Terms of Use, and EULA.
STEP 6 | Select Back to main gateway and in the Available Tenant section, search for your tenant
name. Hover over a tenant to display the Tenant Status and License Details. When the
tenant displays an Active status, select the tenant name to confirm you can successfully
access the Cortex XDR management console.
STEP 2 | Activate and configure your Cloud Identity Engine instance as described in the Cloud Identity
Engine Getting Started guide.
Activating a Cloud Identity Engine instance on your Cortex XDR account will allow you to pair
your Cortex XDR tenant with the Active Directory information collected by the Cloud Identity
Engine instance. During the Activation step, make sure to take note of the instance name you
create.
STEP 3 | After you complete the Cloud Identity Engine Getting Started steps, navigate and log into
your Cortex XDR management console.
Wait about ten minutes after you have activated the instance before you do this.
1. In the Cortex XDR app, select Settings > Configuration > Integrations > Cloud Identity
Engine.
2. Add the Cloud Identity Engine instance you want Cortex XDR to use.
3. In the Add Cloud Identity Engine dialog, select the App Instance Name you created in
the hub and Save.
Cortex XDR Pro per Endpoint (PAN-XDR-ADV-EP)
Grants ingestion and 30 days retention. If you want to save more than 30 days of endpoint
data, you need to obtain additional Cold or Hot Storage according to your requirements for
all of your endpoints. For example, if you obtain 20,000 endpoints for 30 days and then
require an additional 6 months retention, you need to purchase retention for 6 months for
20,000 endpoints.
The following are the storage options available with this license:
• Hot storage EP—Minimum of 1 month storage.
• Cold storage EP—Minimum of 6 months storage.
Cortex XDR Cloud per Host (PAN-XDR-ADV-EP-CLOUD)
Grants ingestion and 30 days retention. If you want to save more than 30 days of cloud data,
you need to obtain additional Cold or Hot Storage according to your requirements for all of
your hosts.
The following are the storage options available with this license:
• Hot storage EP—Minimum of 1 month storage.
• Cold storage EP—Minimum of 6 months storage.
Cortex XDR Pro per TB (PAN-XDR-ADV-1TB)
Where each license adheres to the following guidelines.
• Allows ingesting up to 1 TB per month and no more than 33GB per day.
For retention, each license provides you with a default retention of 30 days. If you want to
save more than 30 days of Pro per TB data, you need to obtain additional Cold or Hot
For more information on your storage license details, see Dataset Management.
A Cortex XDR Prevent license grants you 30 days retention.
STEP 7 | Customize your Endpoint Security Profiles and assign them to your endpoints.
STEP 8 | (Optional) Configure Device Control profiles to restrict access to USB-connected devices.
STEP 10 | Verify that the Cortex XDR agent can connect to your Cortex XDR instance.
If successful, Cortex XDR displays a Connected status. In your Cortex XDR console,
navigate to Endpoints > All Endpoints to view the status of all your agents.
• The POC doesn't always reflect all the variables that exist in your production environment.
• There is a rare chance that the Cortex XDR agent will affect business applications, which can
reveal vulnerabilities in the software as a prevented attack.
• During the POC, it is much easier to isolate issues that appear and provide a solution before full
implementation in a large environment where issues could affect a large number of users.
A multi-step deployment approach ensures a smooth implementation and deployment of the
Cortex XDR solution throughout your network. Use the following steps for better support and
control over the added protection.
0. Calculate the bandwidth required to support the number of agents you plan to deploy.
   Time: as needed.
   For every 100,000 agents, you will need to allocate 120Mbps of bandwidth. The
   bandwidth requirement scales linearly. For example, to support 300,000 agents, plan
   to allocate 360Mbps of bandwidth (three times the amount required for 100,000
   agents).
1. Install Cortex XDR on endpoints.
   Time: 1 week.
   Install the Cortex XDR agent on a small number of endpoints (3 to 10).
   Test normal behavior of the Cortex XDR agents (injection and policy) and
   confirm that there is no change in the user experience.
3. Complete the Cortex XDR installation.
   Time: 2 or more weeks.
   Broadly distribute the Cortex XDR agent throughout the organization until all
   endpoints are protected.
4. Define corporate policy and protected processes.
   Time: Up to 1 week.
   Add protection rules for third-party or in-house applications and then test them.
5. Refine corporate policy and protected processes.
   Time: Up to 1 week.
   Deploy security policy rules to a small number of endpoints that use the
   applications frequently. Fine tune the policy as needed.
6. Finalize corporate policy and protected processes.
   Time: A few minutes.
   Deploy protection rules globally.
STEP 2 | In your firewall configuration, enable access to Cortex XDR communication servers, storage
buckets, and resources.
For the complete list of resources, refer to Resources Required to Enable Access to Cortex.
With Palo Alto Networks firewalls, we recommend that you use the following App-IDs to allow
communication between Cortex XDR agents and the Cortex XDR management console when
you configure your security policy:
• cortex-xdr—Requires PAN-OS Applications and Threats content update version 8279 or
a later release.
• traps-management-service—Requires PAN-OS Applications and Threats content
update version 793 or a later release.
If you use App-ID in your security policy, you must also allow access for additional resources
that are not covered by the App-ID. If you do not use Palo Alto Networks firewalls with App-ID,
you must allow access to the full list of resources.
STEP 3 | To establish secure communication (TLS) to Cortex XDR, the endpoints, and any other
devices that initiate a TLS connection with Cortex, you must have the following certificates
installed on the operating system:
Certificate Fingerprint
For the Cortex XDR agent 5.X release installed on endpoints
running a Windows version that does not support SHA256
by default, you must install KB2868626 to establish a
connection between Cortex XDR and the agent. This applies
to Windows Server 2003 R2 (32-bit) (SP2 & later), Windows
Server 2003 (32-bit) (SP2 & later), Windows XP (32-bit)
(SP3 & later), Windows Server 2008 (all editions; FIPS
Mode), and Windows Vista (SP1 & later; FIPS Mode).
STEP 5 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR
agent 7.3 or later for Mac and Linux endpoints) Enable peer-to-peer (P2P) content updates.
By default, the Cortex XDR agent retrieves content updates from its peer Cortex XDR agents
on the same subnet. To enable P2P, you must enable UDP and TCP over port 33221. You can
change the port number or choose to download the content directly from the Cortex XDR
server in the Agent settings profile.
STEP 6 | Verify that you can access your Cortex XDR tenant.
After you download and install the Cortex XDR agent software on your endpoints and
configure your endpoint security policy, verify that the Cortex XDR agents can check in with
Cortex XDR to receive the endpoint policy.
STEP 7 | If you use SSL decryption and experience difficulty in connecting the Cortex XDR agent
to the server, we recommend that you add the FQDNs required for access to your SSL
Decryption Exclusion list.
In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate
Management > SSL Decryption Exclusion.
Some of the IP addresses required for access are registered in the United States. As a
result, some GeoIP databases do not correctly pinpoint the location in which IP addresses
are used. All customer data is stored in your deployment region, regardless of the IP
address registration, and data transmission through any infrastructure is restricted to that
region. For considerations, see Plan Your Cortex Deployment.
Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex
XDR tenant and <region> is the region in which your Cortex Data Lake is deployed (see
Plan Your Cortex Deployment for supported regions).
Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your
deployment.
• Required Resources by Region
• Required Resources for Federal (United States - Government)
For IP address ranges in GCP, refer to the following tables for IP address coverage for your
deployment:
• https://www.gstatic.com/ipranges/goog.json—Refer to this list to look up and allow access to
the IP address range subnets.
• https://www.gstatic.com/ipranges/cloud.json—Refer to this list to look up and allow access to
the IP address ranges associated with your region.
Broker VM Resources
Required for deployments that use Broker VM features
• distributions.traps.paloaltonetworks.com
  • IP address—35.223.6.69
  • Port—443
  • App-ID—traps-management-service
• identity.paloaltonetworks.com (SSO)
  • IP address—34.107.215.35
  • Port—443
  • App-ID—
• login.paloaltonetworks.com (SSO)
  • IP address—34.107.190.184
  • Port—443
  • App-ID—
• data.pendo.io
  • Port—443
  • App-ID—
• pendo-static-5664029141630976.storage.googleapis.com
  • Port—443
  • App-ID—
Email Notifications
• IP address by region:
  • US—67.231.148.124
  • EU—67.231.156.123
• app-proxy.federal.paloaltonetworks.com
  • IP address—104.155.148.118
  • Port—443
  • App-ID—
• api-<xdr-tenant>.xdr.federal.paloaltonetworks.com
  • IP address—130.211.195.231
  • Port—443
  • App-ID—
Broker VM Resources
Required for deployments that use Broker VM features
• br-<xdr-tenant>.xdr.federal.paloaltonetworks.com:443
  • IP address—34.71.185.11
  • Port—443
  • App-ID—
• identity.paloaltonetworks.com (SSO)
  • IP address—34.107.215.35
  • Port—443
  • App-ID—
• login.paloaltonetworks.com (SSO)
  • IP address—34.107.190.184
  • Port—443
  • App-ID—
• data.pendo.io
  • Port—443
  • App-ID—
• pendo-static-5664029141630976.storage.googleapis.com
  • Port—443
  • App-ID—
Proxy Communication
You can configure communication through proxy servers between the Cortex XDR server and the
Cortex XDR agents running on Windows, Mac, and Linux endpoints. The Cortex XDR agent uses
the proxy settings defined as part of the Internet & Network settings or WPAD protocol on the
endpoint. You can also configure a list of proxy servers that your Cortex XDR agent will use to
communicate with the Cortex XDR server.
Cortex XDR supports the following types of proxy configurations:
• System-wide proxy—Use a system-wide proxy to send all communication on the endpoint,
including to and from the Cortex XDR agent, through a proxy server configured for the
endpoint. Cortex XDR supports proxy communication for proxy settings defined explicitly on
the endpoint, as well as proxy settings configured in a proxy auto-config (PAC) file.
• Application-specific proxy—(Available with Traps agent 5.0.9, Traps agent 6.1.2, and Cortex
XDR agent 7.0 and later releases) Configure a Cortex XDR-specific proxy that applies only to
the Cortex XDR agent and does not enforce proxy communications with other apps or services
on your endpoint. You can set up to five proxy servers either during the Cortex XDR agent
installation process, or following agent installation, directly from the Cortex XDR management
console.
If the endpoints in your environment are not connected directly to the internet, you can deploy
a Palo Alto Networks broker VM.
Application-specific proxy configurations take precedence over system-wide proxy configurations.
The Cortex XDR agent retrieves the proxy list defined on the endpoint and tries to establish
communication with the Cortex XDR server first through app-specific proxies. Then, if
communication is unsuccessful, the agent tries to connect using the system-wide proxy, if defined.
If none are defined, the Cortex XDR agent attempts communication with the Cortex XDR server
directly. The Cortex XDR agent does not support proxy communication in environments where
proxy authentication is required.
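The precedence order described above, modelled as an added example (not Palo Alto Networks code): ProxyConfig, plan_attempts and connect are hypothetical names, the reachable() probe is a constructed stub standing in for the agent's real connection attempt, and the proxy hostnames are constructed.

```python
"""Added example (not Palo Alto Networks code) of the proxy selection order
described above: application-specific proxies (up to five) are tried first,
then the system-wide proxy if one is defined, then a direct connection.
Because proxy authentication is not supported, a proxy that requires it cannot
be used. ProxyConfig, plan_attempts and connect are hypothetical names; the
reachable() probe and the hostnames are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_APP_PROXIES = 5  # the agent accepts up to five application-specific proxies


@dataclass(frozen=True)
class Proxy:
    host: str
    port: int
    requires_auth: bool = False  # authenticated proxies are unsupported by the agent


@dataclass
class ProxyConfig:
    app_proxies: List[Proxy] = field(default_factory=list)  # agent-specific list
    system_proxy: Optional[Proxy] = None  # explicit OS setting or PAC/WPAD result


def route_label(proxy: Optional[Proxy]) -> str:
    return "direct" if proxy is None else f"{proxy.host}:{proxy.port}"


def plan_attempts(cfg: ProxyConfig) -> List[Optional[Proxy]]:
    """Candidate routes in precedence order; None stands for a direct connection."""
    if len(cfg.app_proxies) > MAX_APP_PROXIES:
        raise ValueError(f"at most {MAX_APP_PROXIES} application-specific proxies")
    routes: List[Optional[Proxy]] = list(cfg.app_proxies)
    if cfg.system_proxy is not None:
        routes.append(cfg.system_proxy)
    routes.append(None)
    return routes


def connect(cfg: ProxyConfig, reachable: Callable[[str], bool]) -> str:
    """Walk the routes and return the label of the first one that works.

    reachable(label) is a caller-supplied probe; in a real agent it would be
    the TLS connection attempt to the Cortex XDR server through that route."""
    for proxy in plan_attempts(cfg):
        if proxy is not None and proxy.requires_auth:
            continue  # skipped: the agent cannot authenticate to a proxy
        label = route_label(proxy)
        if reachable(label):
            return label
    raise ConnectionError("no route to the Cortex XDR server")


def demo() -> str:
    """Constructed scenario: first app proxy needs auth, second one works."""
    cfg = ProxyConfig(
        app_proxies=[Proxy("proxy1.corp.example", 8080, requires_auth=True),
                     Proxy("proxy2.corp.example", 8080)],
        system_proxy=Proxy("sysproxy.corp.example", 3128),
    )
    # Stub probe: only proxy2 can actually reach the server in this scenario.
    return connect(cfg, lambda label: label == "proxy2.corp.example:8080")


if __name__ == "__main__":
    print(demo())
```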
displays next to relevant Key Artifacts in the incident details page, the causality view, and
within the Live Terminal view of processes.
WildFire provides verdicts and analysis reports to Cortex XDR users without requiring a
license key. Using WildFire for next-generation firewalls or other use-cases continues to
require an active license.
Before you can view external threat intelligence in Cortex XDR incidents, you must obtain the
license key for the service and add it to the Cortex XDR Configuration. After you integrate any
services, you will see the verdict or verdict score when you investigate the incident.
To integrate an external threat intelligence service:
STEP 1 | Get the API License Key for the service.
• Get your AutoFocus API key.
• Get your VirusTotal API key.
Select Timezone
Select your own specific timezone. Selecting a timezone affects the timestamps displayed in the
Cortex XDR management console, auditing logs, and when exporting files.
In the Timezone section, select the timezone in which you want to display your Cortex XDR
data.
In the Timestamp Format section, select the timestamp format in which you want to display
your Cortex XDR data.
In the Email Contacts section, enter email addresses you want to include in a distribution list.
Make sure to select after each email address.
In the Define the Incident target MTTR per incident severity section, enter within how many
days and hours you want incidents resolved according to the incident severity High, Medium,
and Low.
The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.
In the Impersonation Settings section, define the level and duration of the permissions.
• Select one of the following Role permissions:
• Read-Only—Default setting, grants read-only access to your tenant.
• Support related actions—Grants permissions for tech support file collection, dump file
collection, investigation query, BIOC and IOC rule editing, alert starring, and exclusion and
exception editing.
• Full role permissions—No limitations are applied; grants full permissions to all actions and
content on your tenant.
• Set the Permission Reset Timeframe.
If you selected Support related actions or Full role permissions in the Role field, set a
specific timeframe for how long these permissions are valid. Select either 7 Days, 30 Days,
or No time limitation.
We recommend that Role permissions are granted only for a specific timeframe, and that full
administrative permissions are granted only when specifically requested by the support team.
• User Expiration—Enables you to deactivate an inactive user, and also set the user deactivation
trigger period.
• Allowed Domains—Enables you to specify one or more domain names that can be used in your
distribution lists.
From the Cortex XDR management console, select Settings > Configurations > Security
Settings.
Under User Expiration, define whether you want to Deactivate Inactive User. By default, user
expiration is Disabled; when Enabled, enter the number of days after which inactive users
should be deactivated.
Under Allowed Domains, specify one or more domain names that users in your organization
can use in distribution lists. For example, when generating a report, this ensures the reports
are not sent to email addresses outside your organization.
Save.
Cortex XDR provides an easy-to-use interface that you can access from the hub. When you
log in to the Cortex XDR management console, you see your default dashboard. If you haven’t
customized the dashboard or changed the default, you see the Incident Management Dashboard.
In addition to your main dashboard, and depending on your assigned role, you can explore the
menus for other features, as detailed in the following table.
Interface Description
Dashboard & Reports From the Dashboard & Reports menu you can view and
manage your dashboards and reports from the dashboard and
incidents table, and view alert exclusions.
• Dashboard—Provides dashboards that you can use to view
high-level statistics about your agents and incidents.
• Reports—View all the reports that Cortex XDR
administrators have run.
• Customize—Create and manage new dashboards and reports.
• Dashboards Manager—Add new dashboards with
customized widgets to surface the statistics that matter
to you most.
• Reports Templates—Build reports using pre-defined
templates, or customize a report. Reports can be generated
on demand or scheduled.
Incident Response From the Incident Response menu, you can view, manage,
investigate and take action on all incidents.
• Incidents—Investigate and manage your incidents.
• Response
• Action Center—Provides a central location from which
you can track the progress of all investigation, response,
and maintenance actions performed on your endpoints.
• Live Terminal—Initiate a remote connection to an
endpoint enabling you to remotely manage, investigate,
and perform response actions on the endpoint.
• Incident Configuration—Create a starring configuration
that automatically categorizes and stars incidents when
a related alert contains specific attributes that you define
as important.
Endpoints From the Endpoints menu, you can manage your registered
endpoints and configure policy.
• All Endpoints—View and manage endpoints that have
registered with your Cortex XDR instance.
• Endpoint Groups—Create endpoint groups on which you can
perform actions and assign policy.
• Agent Installations—Create packages of the Cortex XDR
agent software for deployment to your endpoints.
• Policy Management—Configure your endpoint security
profiles and assign them to your endpoints.
• Host Firewall—Control communications on your endpoints
by applying sets of rules that allow or block internal and
external traffic.
• Device Control Violations—Monitor all instances where
end users attempted to connect restricted USB-connected
devices and Cortex XDR blocked them on the endpoint.
• Disk Encryption Visibility—View and manage endpoints that
were encrypted using BitLocker.
Quick Launcher Open an in-context shortcut that you can use to search for
information, perform common investigation tasks, or initiate
response actions from any place in the Cortex XDR console.
Settings From the Settings menu, you can view information about
your Cortex XDR license, review logs of actions initiated by
Cortex XDR analysts, and configure Cortex XDR
settings, integrations with other apps and services, and access
management.
Tenant Navigator View and switch to tenants to which you have access,
divided per CSP account. You can also navigate directly to the
Cortex Gateway.
User From the User menu, see who is logged into Cortex XDR. Right-click
and select:
• About to view additional version and tenant ID information.
• What’s New to view selected new features available for
your license type.
• Log Out to terminate the connection with your Cortex XDR
Management Console.
Manage Tables
Most pages in Cortex XDR present data in table format and provide controls to help you manage
and filter the results. If additional views or actions are available for a specific value, you can pivot
(right-click) from the value in the table. For example, you can view the incident details, or pivot to
the Causality View for an alert, or you can pivot to the results for a query.
On most pages, you can also refresh ( ) the content on the page.
To manage tables in the app:
• Filter Page Results
• Export Results to File
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows
• Display Quick Actions
CMD fields have a 128 character limit. Shorten longer query strings to 127
characters and add an asterisk (*).
Alternatively, you can select Include empty values to create a filter that excludes or
includes results when the field has empty values.
STEP 3 | To add additional filters, click +AND (within the filter brackets) to display results that must
match all specified criteria, or +OR to display results that match any of the criteria.
STEP 4 | Click out of the filter area into the results table to see the results.
Save a filter:
Saved filters are listed on the Filters tab of the table layout and filter manager menu.
1. Save ( ) the active filter.
2. Enter a name to identify the filter.
You can create multiple filters with the same name. Saving a filter with an existing name
will not override the existing filter.
3. Choose whether to Share this filter or whether to keep it private for your own use only.
Share a filter:
You can share a filter across your organization.
1. Select the table layout and filter menu indicated by the three vertical dots, then select
Filters.
2. Select the filter to share and click the share icon.
3. If needed, you can later unshare ( ) or delete ( ) a filter.
Unsharing a filter will turn a public filter private. Deleting a shared filter will remove it for
all users.
CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated
value, the app shows or hides all results that match the first 128 characters.
The show or hide action is a temporary means of filtering the results: If you navigate away from
the page and later return, any results you previously hid will appear again.
This option is available for fields which have a finite list of options.
To hide or show only results that match a specific field value:
STEP 1 | Right-click the matching field value by which you want to hide or show.
Endpoint Security
> Communication Between Cortex® XDR™ and Agents
> Manage Cortex XDR Agents
> Define Endpoint Groups
> File Analysis and Protection Flow
> About Content Updates
> Endpoint Protection Capabilities
> Endpoint Protection Modules
> Endpoint Security Profiles
> Customizable Agent Settings
> Apply Security Profiles to Endpoints
> Exceptions Security Profiles
> Hardened Endpoint Security
Agent-Initiated Communication
The Cortex XDR agent initiates communication with Cortex XDR every five minutes by sending
a heartbeat to the server. An agent heartbeat includes data about the Cortex XDR agent, and
information gathered by the agent on the endpoint. For example, policy updates are performed via
heartbeat: in each heartbeat the Cortex XDR agent sends to the Cortex XDR server the content
version it uses. The Cortex XDR server compares this number with the number of the latest content in
use, and sends the agent a message to download newer content if it exists.
However, not all agent-server communication is sent over the five-minute heartbeat. If a security
event occurs on the endpoint, the agent immediately sends the server a security event message
so you can respond immediately to the event and initiate investigation and remediation actions on
the endpoint. If the message is not critical, such as a status report, the agent sends it once an
hour.
Server-Initiated Communication
(Traps agent 6.1 and later releases) Cortex XDR can initiate some actions immediately on the
endpoint through a web socket that is maintained between Cortex XDR and the Cortex XDR
agent, improving the response action time and preventing delays. Examples of these actions
include:
• Quarantine file and restore file
• Terminate process
• Isolate endpoint and cancel endpoint isolation
• Initiate Live Terminal
• Set endpoint proxy and disable endpoint proxy
• Retrieve endpoint files
• Retrieve security event data
• Retrieve support file
• Perform heartbeat
The actions that can be performed via web socket are only actions that your current agent
version already supports.
If the web socket communication fails, the action will be executed on the next successful Cortex
XDR agent heartbeat. You can use Cytool to display the current web socket connection status by
running the websocket command on the endpoint.
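The agent-initiated and server-initiated exchanges described in this section, simulated as an added example (not Palo Alto Networks code): the Agent and Server classes, their method names and the action identifiers are hypothetical, and the content version numbers are constructed.

```python
"""Added example (not Palo Alto Networks code) modelling the agent/server
exchange described above: a heartbeat every five minutes carries the agent's
content version and the server answers with a download instruction when newer
content exists; server-initiated actions go over the web socket and, when it
is down, are queued for the next successful heartbeat. Names are hypothetical."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

HEARTBEAT_INTERVAL_SEC = 5 * 60  # heartbeat cadence stated in the guide

# Hypothetical identifiers for the actions the guide lists as web-socket eligible.
WEBSOCKET_ACTIONS = frozenset({
    "quarantine_file", "restore_file", "terminate_process", "isolate_endpoint",
    "cancel_isolation", "live_terminal", "set_proxy", "disable_proxy",
    "retrieve_files", "retrieve_event_data", "retrieve_support_file", "heartbeat",
})


@dataclass
class Agent:
    agent_id: str
    content_version: int
    executed: List[str] = field(default_factory=list)  # actions run on the endpoint

    def execute(self, action: str) -> None:
        self.executed.append(action)

    def heartbeat(self, server: "Server") -> Dict:
        """Report the content version in use and apply whatever the server returns."""
        reply = server.handle_heartbeat(self.agent_id, self.content_version)
        if reply["download_content"]:
            self.content_version = reply["latest_content"]  # fetch the newer content
        for action in reply["actions"]:  # actions deferred from a failed socket push
            self.execute(action)
        return reply


@dataclass
class Server:
    latest_content: int
    socket_up: bool = True  # constructed flag standing in for web socket health
    pending: Deque[str] = field(default_factory=deque)  # waiting for next heartbeat

    def handle_heartbeat(self, agent_id: str, content_version: int) -> Dict:
        """Compare versions and flush any actions that could not be pushed."""
        reply = {
            "download_content": content_version < self.latest_content,
            "latest_content": self.latest_content,
            "actions": list(self.pending),
        }
        self.pending.clear()
        return reply

    def push_action(self, agent: Agent, action: str) -> str:
        """Try the web socket first; fall back to the heartbeat path on failure."""
        if action not in WEBSOCKET_ACTIONS:
            raise ValueError(f"not a web-socket action: {action}")
        if self.socket_up:
            agent.execute(action)
            return "executed-via-websocket"
        self.pending.append(action)
        return "queued-for-next-heartbeat"


def demo() -> List[str]:
    """Constructed walk-through: out-of-date agent, then a web socket outage."""
    server = Server(latest_content=120)
    agent = Agent("ep-01", content_version=118)
    agent.heartbeat(server)                          # server orders a content download
    server.push_action(agent, "isolate_endpoint")    # immediate via web socket
    server.socket_up = False
    server.push_action(agent, "terminate_process")   # deferred to next heartbeat
    agent.heartbeat(server)                          # deferred action runs now
    return agent.executed


if __name__ == "__main__":
    print(demo())
```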
STEP 3 | Enter a unique Name and an optional Description to identify the installation package.
The package Name must be no more than 100 characters and can contain letters, numbers,
hyphens, underscores, commas, and spaces.
to install the agent manually on the endpoint, unzip the ZIP folder and double-click the pkg
file.
• For Linux endpoints, you can download .rpm or .deb installers (according to the endpoint
Linux distribution), and deploy the installers on the endpoints using the Linux package
manager. Alternatively, you can download a Shell installer and deploy it manually on the
endpoint.
When you upgrade a Cortex XDR agent that was not installed with a package manager,
Cortex XDR by default converts the installation to the package manager that matches the
endpoint Linux distribution.
• For Kubernetes clusters on Linux endpoints, download the YAML file. Palo Alto Networks
strongly recommends that you do not edit this file.
• For Android endpoints, Cortex XDR creates a tenant-specific download link which you
can distribute to Android endpoints. When a newer agent version is available, Cortex XDR
identifies older package versions as [Outdated].
Because Cortex XDR relies on the installation package ID to approve agent registration
during install, do not delete the installation package of active endpoints. If you install the
Cortex XDR agent from a package after you delete it, Cortex XDR denies the registration
request, leaving the agent in an unprotected state. Hiding the installation package instead
removes it from the default list of available installation packages, which can be useful to
eliminate confusion in the management console main view. Hidden installation packages can
be viewed by removing the default filter.
• Copy text to clipboard to copy the text from a specific field in the row of an installation
package.
• Hide installation packages. The Hide option provides a quick method to filter out
results based on a specific value in the table. You can also use the filters at the top of the
page to build a filter from scratch. To create a persistent filter, save it.
In environments where agents communicate with the Cortex XDR server through a system-wide
proxy, you can set an application-specific proxy for the Traps and Cortex XDR agent without
affecting the communication of other applications on the endpoint. You can set the proxy in one
of three ways: during the agent installation, after installation using Cytool on the endpoint, or
from All Endpoints in Cortex XDR as described in this topic. You can assign up to five different
proxy servers per agent. The proxy server the agent uses is selected randomly and with equal
probability. If communication between the agent and the Cortex XDR server through the
app-specific proxies fails, the agent falls back to the system-wide proxy defined on the endpoint.
If that fails as well, the agent communicates with Cortex XDR directly.
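The following is an added example, not Cortex XDR agent code: a small Python model of the proxy selection and fallback order just described, useful when you need to predict which egress path an agent will take under a strict outbound policy. It assumes that the app-specific proxies are tried in random order (the page only says the proxy is selected randomly with equal probability and that the agent falls back when communication through the app-specific proxies fails), and that probe is a hypothetical connectivity check supplied by the caller; the proxy names are constructed.

```python
# Added example (not Cortex XDR agent code): a model of the agent's proxy
# selection and fallback order. Assumptions, because the page does not spell
# them out: the app-specific proxies are tried in a random order (each is
# equally likely to be tried first) before falling back, and `probe` is a
# hypothetical connectivity check supplied by the caller.
import random
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_APP_PROXIES = 5  # the page allows up to five app-specific proxies per agent

# A route is a proxy URL, or None for a direct connection to Cortex XDR.
Route = Optional[str]


@dataclass
class ProxyConfig:
    app_proxies: List[str] = field(default_factory=list)  # set at install, via Cytool, or from All Endpoints
    system_proxy: Optional[str] = None                     # the endpoint's system-wide proxy, if any

    def __post_init__(self) -> None:
        if len(self.app_proxies) > MAX_APP_PROXIES:
            raise ValueError(f"at most {MAX_APP_PROXIES} app-specific proxies are supported")


def candidate_routes(cfg: ProxyConfig, rng: random.Random) -> List[Route]:
    """Order in which the agent attempts to reach the server.

    1. app-specific proxies, shuffled so each is picked first with equal probability
    2. the system-wide proxy defined on the endpoint (if one exists)
    3. a direct connection
    """
    routes: List[Route] = list(cfg.app_proxies)
    rng.shuffle(routes)
    if cfg.system_proxy is not None:
        routes.append(cfg.system_proxy)
    routes.append(None)
    return routes


@dataclass
class ConnectResult:
    route: Route              # the route that finally worked (None = direct)
    attempted: List[Route]    # every route tried, in order, including the successful one


def connect(cfg: ProxyConfig, probe: Callable[[Route], bool],
            rng: Optional[random.Random] = None) -> ConnectResult:
    """Walk the fallback chain until `probe` reports a working route."""
    rng = rng or random.Random()
    attempted: List[Route] = []
    for route in candidate_routes(cfg, rng):
        attempted.append(route)
        if probe(route):
            return ConnectResult(route=route, attempted=attempted)
    raise ConnectionError(f"no route to Cortex XDR; tried {attempted}")


if __name__ == "__main__":
    # Constructed scenario: both app proxies are down, the system proxy works.
    cfg = ProxyConfig(app_proxies=["http://proxy-a.corp.example:8080",
                                   "http://proxy-b.corp.example:8080"],
                      system_proxy="http://wpad.corp.example:3128")
    reachable = {"http://wpad.corp.example:3128"}
    result = connect(cfg, lambda r: r in reachable, random.Random(1))
    print("used:", result.route)
    print("tried:", result.attempted)
```

Running it prints the route that succeeded and every route tried before it; under an egress policy that only permits the proxies, this is the order in which you should expect to see the agent's connection attempts, ending with the direct attempt only if every proxy failed.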
STEP 1 | From Cortex XDR, select Endpoints > All Endpoints.
package created for a Cortex XDR Agent 5.0.0 for Windows. The operating system version can be
different.
To change the managing server of a Cortex XDR agent:
STEP 1 | Obtain an installation package ID from the target managing server.
1. Log in to Cortex XDR on the target management server, then navigate to Endpoints >
Agent Installations.
2. From the agent installations table, locate a valid installation package you can use to
register the agent. Alternatively, you can create a new installation package if required.
3. Right-click the ID field and copy the value. Save this value; you will need it later for the
registration process. If the ID column is not displayed in the table, add it.
3. Enter the ID number of the installation package you obtained in Step 1. If you selected
agents running on different operating systems, for example Windows and Linux, you
must provide an ID for each operating system. When done, click Move.
• You cannot upgrade VDI endpoints. Additionally, you cannot upgrade a Golden
Image from Cortex XDR agent 6.1.x or an earlier release to Cortex XDR agent
7.1.0 or a later release.
• Before upgrading a Cortex XDR agent 7.0 or later running on macOS 10.15.4 or
later, you must ensure that the System Extensions were approved on the endpoint.
If the extensions were not approved, after the upgrade they remain on the endpoint
without any option to remove them, which can cause the agent to display unexpected
behavior. To check whether the extensions were approved, either verify that the
endpoint is in Fully Protected state in Cortex XDR, or run the following command on
the endpoint to list the extensions: systemextensionsctl list. If you need to approve
the extensions, follow the workflow in the Cortex XDR agent administration guide for
approving System Extensions, either manually or using an MDM profile.
Upgrades are supported using actions that you can initiate from the Action Center or from All
Endpoints as described in this workflow.
STEP 1 | Create an Agent Installation Package for each operating system version for which you want
to upgrade the Cortex XDR agent.
Note the installation package names.
STEP 4 | Right-click your selection and select Endpoint Control > Upgrade Agent Version.
For each platform, select the name of the installation package you want to push to the selected
endpoints.
Starting with the Cortex XDR agent 7.1 release, you can install the Cortex XDR agent on Linux
endpoints using a package manager. When you upgrade an agent on a Linux endpoint that is not
using a package manager, Cortex XDR converts the installation to the package manager by default,
according to the endpoint Linux distribution. If you do not want to use the package manager,
clear the option Upgrade to installation by package manager.
The Cortex XDR agent keeps the name of the original installation package after every
upgrade.
STEP 5 | Upgrade.
Cortex XDR distributes the installation package to the selected endpoints at the next heartbeat
communication with the agent. To monitor the status of the upgrades, go to Response > Action
Center. From the Action Center you can also view additional information about the upgrade
(right-click the action and select Additional data) or cancel the upgrade (right-click the action
and select Cancel Agent Upgrade).
• During the upgrade process, the endpoint operating system might request a reboot.
However, you do not have to perform the reboot for the Cortex XDR agent upgrade
process to complete successfully.
• After you upgrade to Cortex XDR agent 7.2 or a later release on an endpoint with
Cortex XDR Device Control rules, you need to reboot the endpoint for the rules to
take effect.
Critical Environment (CE) versions are designed for sensitive and highly regulated environments
and do not contain all updates and content present in the standard version. Therefore, it is
recommended to restrict the use of these versions to the required minimum.
Setting an endpoint with a CE agent version requires you to define your Agent Configurations,
which then allows you to:
• Create a CE Agent Installation Package
• Define the upgrade and auto-upgrade Agent Settings Profile
To set a Cortex XDR agent CE version:
STEP 1 | Define your agent configuration.
1. Navigate to Settings > Configurations > Agent Configurations > Critical Environment
Versions.
2. Enable Critical Environment Versions to be Created and Installed in the Tenant.
The following workflow describes how to delete the Cortex XDR agent from one or more
Windows, Mac, or Linux endpoints.
STEP 1 | Select Endpoints > All Endpoints.
• Alerts that already include the endpoint data at the time of the alert creation are not affected.
Before upgrading a Cortex XDR agent 7.0 or later running on macOS 10.15.4 or later, you
must ensure that the System Extensions were approved on the endpoint. If the extensions
were not approved, after the upgrade they remain on the endpoint without any option to
remove them, which can cause the agent to display unexpected behavior. To check whether
the extensions were approved, either verify that the endpoint is in Fully Protected state in
Cortex XDR, or run the following command on the endpoint to list the extensions:
systemextensionsctl list. If you need to approve the extensions, follow the workflow in the
Cortex XDR agent administration guide for approving System Extensions, either manually or
using an MDM profile.
The following workflow describes how to uninstall the Cortex XDR agent from one or more
Windows, Mac, or Linux endpoints. To uninstall the Cortex XDR app for Android, you must do so
from the Android endpoint.
STEP 1 | Log in to Cortex XDR.
Go to Incident Response > Response > Action Center > + New Action.
STEP 4 | Select the target endpoints (up to 100) for which you want to uninstall the Cortex XDR
agent.
STEP 6 | Review the action summary and click Done when finished.
STEP 7 | To track the status of the uninstallation, return to the Action Center.
STEP 6 | Use the Quick Launcher to search the endpoints by alias across the Cortex XDR management
console.
STEP 2 | Select either Create New to create an endpoint group from scratch or Upload From File,
using a plain text file with one entry per line, to populate a static endpoint group from a file
containing IP addresses, hostnames, or aliases.
STEP 3 | Enter a Group Name and optional Description to identify the endpoint group. The name you
assign to the group is visible when you assign endpoint security profiles to endpoints.
• Static—Select specific registered endpoints that you want to include in the endpoint group.
Use the filters, as needed, to reduce the number of results.
When you create a static endpoint group from a file, the IP address, hostname, or alias of
the endpoint must match an existing agent that has registered with Cortex XDR. You can
select up to 250 endpoints.
Disconnecting Cloud Identity Engine from your Cortex XDR deployment can affect
existing endpoint groups and policy rules based on Active Directory properties.
When a user opens a non-executable file, such as a PDF or Word document, and the process that
opened the file is protected, the Cortex XDR agent seamlessly injects code into the software.
This occurs at the earliest possible stage, before any files belonging to the process are loaded
into memory. The Cortex XDR agent then activates one or more protection modules inside
the protected process. Each protection module targets a specific exploitation technique and is
designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws.
In addition to automatically protecting processes from such attacks, the Cortex XDR agent reports
any security events to Cortex XDR and performs additional actions as defined in the endpoint
security policy. Common actions that the Cortex XDR agent performs include collecting forensic
data and notifying the user about the event.
The default endpoint security policy protects the most vulnerable and most commonly used
applications, but you can also add other third-party and proprietary applications to the list of
protected processes.
Malware Protection
The Cortex XDR agent provides malware protection in a series of four evaluation phases:
1. Hash exception—A hash exception enables you to override the verdict for a specific file
without affecting the settings in your Malware Security profile. The hash exception policy is
evaluated first and takes precedence over all other methods of determining the hash verdict.
For example, you may want to configure a hash exception in any of the following situations:
• You want to block a file that has a benign verdict.
• You want to allow a file that has a malware verdict to run. In general, we recommend
that you only override a malware verdict after you use available threat intelligence
resources—such as WildFire and AutoFocus—to determine that the file is not malicious.
• You want to specify a verdict for a file that has not yet received an official WildFire verdict.
After you configure a hash exception, Cortex XDR distributes it at the next heartbeat
communication to any endpoints that have previously opened the file.
When a file launches on the endpoint, the Cortex XDR agent first evaluates any relevant hash
exception for the file. The hash exception specifies whether to treat the file as malware. If the
file is assigned a benign verdict, the Cortex XDR agent permits it to open.
If a hash exception is not configured for the file, the Cortex XDR agent next evaluates the
verdict to determine the likelihood of malware. The Cortex XDR agent uses a multi-step
evaluation process in the following order to determine the verdict: highly trusted signers,
WildFire verdict, and then local analysis.
2. Highly trusted signers (Windows and Mac)—The Cortex XDR agent distinguishes highly
trusted signers such as Microsoft from other known signers. To keep parity with the signers
defined in WildFire, Palo Alto Networks regularly reviews the list of highly trusted and known
signers and delivers any changes with content updates. The list of highly trusted signers
also includes signers that you added to the allow list in Cortex XDR. When an unknown
file attempts to run, the Cortex XDR agent applies the following evaluation criteria: files
signed by highly trusted signers are permitted to run and files signed by prevented signers are
blocked, regardless of the WildFire verdict. Otherwise, when a file is not signed by a highly
trusted signer or by a signer included in the block list, the Cortex XDR agent next evaluates
the WildFire verdict. For Windows endpoints, evaluation of other known signers takes place if
WildFire evaluation returns an unknown verdict for the file.
3. WildFire verdict—If a file is not signed by a highly trusted signer on Windows and Mac
endpoints, the Cortex XDR agent performs a hash verdict lookup to determine if a verdict
already exists in its local cache.
If the executable file has a malware verdict, the Cortex XDR agent reports the security event to
Cortex XDR and, depending on the configured behavior for malicious files, then does one of
the following:
• Blocks the malicious executable file
• Blocks and quarantines the malicious executable file
• Notifies the user about the file but still allows the file to execute
• Logs the issue without notifying the user and allows the file to execute
If the verdict is benign, the Cortex XDR agent moves on to the next stage of evaluation (see
Phase 4: Evaluation of Malware Protection Policy).
If the hash does not exist in the local cache or has an unknown verdict, the Cortex XDR agent
next evaluates whether the file is signed by a known signer.
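The evaluation order above, as an added Python example rather than Cortex XDR agent code. It models the hash exception, signer, WildFire verdict and local analysis stages in the order the page gives, together with the Treat Grayware as Malware and Action on Unknown to WildFire profile settings described in the Malware profile steps later on this page, so that the precedence rules can be exercised on sample files. Two assumptions are labelled in the code: a Windows file signed by an "other known signer" is allowed when WildFire has no verdict (the page says the check happens but not its outcome), and local_analysis is a hypothetical stand-in for the agent's embedded classifier. Hashes and signer names are constructed.

```python
# Added example (not Cortex XDR agent code): a model of the verdict evaluation
# order. Assumptions, labelled because the page leaves them open: a Windows file
# signed by an "other known signer" is allowed when WildFire has no verdict, and
# `local_analysis` is a hypothetical stand-in for the embedded classifier.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Verdict(str, Enum):
    BENIGN = "benign"
    GRAYWARE = "grayware"
    MALWARE = "malware"
    UNKNOWN = "unknown"      # no WildFire verdict in the agent's local cache


@dataclass(frozen=True)
class FileSample:
    sha256: str
    signer: Optional[str]            # code-signing subject, None if unsigned
    wildfire_verdict: Verdict        # as cached on the endpoint


@dataclass
class MalwarePolicy:
    hash_exceptions: Dict[str, Verdict] = field(default_factory=dict)  # sha256 -> admin verdict
    highly_trusted_signers: Set[str] = field(default_factory=set)      # content-delivered plus allow list
    blocked_signers: Set[str] = field(default_factory=set)             # admin block list by signer
    known_signers: Set[str] = field(default_factory=set)               # Windows only, consulted on UNKNOWN
    treat_grayware_as_malware: bool = False
    action_on_unknown: str = "run_local_analysis"   # "allow" | "run_local_analysis" | "block"
    # hypothetical stand-in for the embedded machine-learning classifier
    local_analysis: Callable[[FileSample], Verdict] = lambda f: Verdict.BENIGN


def evaluate(sample: FileSample, policy: MalwarePolicy, platform: str = "windows") -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'block'."""
    # Phase 1: a hash exception wins over everything else.
    if sample.sha256 in policy.hash_exceptions:
        admin = policy.hash_exceptions[sample.sha256]
        return ("block" if admin is Verdict.MALWARE else "allow", "hash exception")

    # Phase 2: highly trusted / blocked signers (Windows and Mac only), regardless of WildFire.
    if platform in ("windows", "mac") and sample.signer is not None:
        if sample.signer in policy.highly_trusted_signers:
            return ("allow", "highly trusted signer")
        if sample.signer in policy.blocked_signers:
            return ("block", "signer on block list")

    # Phase 3: the cached WildFire verdict.
    verdict = sample.wildfire_verdict
    if verdict is Verdict.GRAYWARE and policy.treat_grayware_as_malware:
        verdict = Verdict.MALWARE
    if verdict is Verdict.MALWARE:
        return ("block", "WildFire verdict: malware")
    if verdict in (Verdict.BENIGN, Verdict.GRAYWARE):
        return ("allow", f"WildFire verdict: {verdict.value}; continue to malware protection policy")

    # No cached verdict: Windows consults the other known signers first (assumed outcome: allow).
    if platform == "windows" and sample.signer in policy.known_signers:
        return ("allow", "known signer (no WildFire verdict)")

    # Then the profile's Action on Unknown to WildFire.
    if policy.action_on_unknown == "allow":
        return ("allow", "unknown to WildFire; profile allows")
    if policy.action_on_unknown == "block":
        return ("block", "unknown to WildFire; blocked until an official verdict arrives")
    local = policy.local_analysis(sample)
    return ("block" if local is Verdict.MALWARE else "allow", f"local analysis: {local.value}")


if __name__ == "__main__":
    # Constructed policy and samples.
    policy = MalwarePolicy(hash_exceptions={"aa" * 32: Verdict.BENIGN},
                           highly_trusted_signers={"Trusted Vendor"},
                           blocked_signers={"Bad Vendor"})
    for s in (FileSample("aa" * 32, None, Verdict.MALWARE),       # exception overrides malware
              FileSample("bb" * 32, "Bad Vendor", Verdict.BENIGN),  # block list overrides benign
              FileSample("cc" * 32, None, Verdict.UNKNOWN)):        # falls through to local analysis
        print(s.sha256[:8], evaluate(s, policy))
```

Note that the signer stages are skipped entirely on Linux in this model, matching the "Windows and Mac" qualifier on the page, so a Linux file is judged on the WildFire verdict and local analysis alone.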
Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers the content update to the
agent in parts rather than as a single file, allowing the agent to retrieve only the updates and
additions it needs.
• Default security policy including exploit, malware, restriction, and agent settings profiles
• Default compatibility rules per module
• Protected processes
• Local analysis logic
• Trusted signers
• Processes included in your block list by signers
• Behavioral threat protection rules
• Ransomware module logic including Windows network folders susceptible to ransomware
attacks
• Event Log for Windows event logs and Linux system authentication logs
• Python scripts provided by Palo Alto Networks
• Python modules supported in script execution
• Maximum file size for hash calculations in File search and destroy
• List of common file types included in File search and destroy
• Network Packet Inspection Engine rules
When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR
agent then randomly chooses a time within a six-hour window during which it retrieves the
content update from Cortex XDR. By staggering the distribution of content updates, Cortex
XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and
size of the content updates across many endpoints. You can view the distribution of endpoints by
content update version from the Cortex XDR Dashboard.
The Cortex XDR research team releases more frequent content updates in between major
content versions to ensure your network is constantly protected against the latest threats in
the wild. When you enable minor content updates, the Cortex XDR agent receives minor content
updates starting with the next content release. Otherwise, if you do not wish to deploy minor
content updates, your Cortex XDR agents keep receiving content updates for major releases
only, which usually occur on a weekly basis. The content version numbering format remains
XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To
distinguish between major and minor releases, XXX is rounded up to the nearest ten for every
major release and incremented by one for a minor release. For example, 180-<build_num> and
190-<build_num> are major releases, and 181-<build_num>, 182-<build_num>, and
191-<build_num> are minor releases.
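An added Python example (not Cortex XDR code) that applies the version numbering rule above: it parses XXX-YYYY strings, classifies each as a major or minor release, picks the version an agent with or without minor updates enabled would move to, and models the six-hour retrieval window. Only the numbering rule and the window come from the page; the version strings in the code are constructed.

```python
# Added example (not Cortex XDR code): parses the XXX-YYYY content version
# format and applies the major/minor rule described on the page. Version
# strings used here are constructed.
import random
import re
from dataclasses import dataclass
from typing import Iterable, Optional

_VERSION_RE = re.compile(r"^(\d+)-(\d+)$")
STAGGER_WINDOW_SECONDS = 6 * 60 * 60   # the agent picks a random time in this window


@dataclass(frozen=True, order=True)
class ContentVersion:
    version: int   # XXX
    build: int     # YYYY

    @classmethod
    def parse(cls, text: str) -> "ContentVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a content version (expected XXX-YYYY): {text!r}")
        return cls(int(m.group(1)), int(m.group(2)))

    @property
    def is_major(self) -> bool:
        # Major releases round XXX up to the nearest ten (180, 190, ...);
        # minor releases increment it by one (181, 182, ...).
        return self.version % 10 == 0

    @property
    def major_base(self) -> int:
        """The major release this version belongs to (181 -> 180)."""
        return self.version - self.version % 10

    def __str__(self) -> str:
        return f"{self.version}-{self.build}"


def next_content_version(current: ContentVersion, available: Iterable[ContentVersion],
                         minor_updates_enabled: bool) -> Optional[ContentVersion]:
    """Highest newer version this agent is allowed to move to, or None if already current."""
    eligible = [v for v in available if v > current and (minor_updates_enabled or v.is_major)]
    return max(eligible, default=None)


def retrieval_time(notified_at: float, rng: Optional[random.Random] = None) -> float:
    """Unix time at which the agent fetches the update: uniformly random within six hours."""
    rng = rng or random.Random()
    return notified_at + rng.uniform(0, STAGGER_WINDOW_SECONDS)


if __name__ == "__main__":
    current = ContentVersion.parse("180-51646")
    offered = [ContentVersion.parse(s) for s in ("181-51700", "182-51800", "190-52000", "191-52100")]
    print("minor updates off ->", next_content_version(current, offered, False))
    print("minor updates on  ->", next_content_version(current, offered, True))
    print("fetch at +%.0f s" % (retrieval_time(0.0, random.Random(42))))
```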
To adjust content update distribution for your environment, you can configure the following
optional settings:
• Content management settings as part of the Cortex XDR global agent configurations.
• Content download source, as part of the Cortex XDR agent settings profile.
Otherwise, if you want the Cortex XDR agent to retrieve the latest content from the server
immediately, you can force the Cortex XDR agent to connect to the server in one of the following
ways:
• (Windows and Mac only) Perform a manual check-in from the Cortex XDR agent console.
• Initiate a check-in using the Cytool checkin command.
Unpatched Vulnerabilities Protection — — —
If you have Windows endpoints in your network that are unpatched and exposed to a known
vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows
Update that has a fix for that vulnerability. If you choose not to patch the endpoint, the
Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a
workaround to protect the endpoints from the known vulnerability.
Ransomware Protection — — —
Targets encryption-based activity associated with ransomware to analyze and halt ransomware
before any data loss occurs.
Execution Paths — — —
Many attack scenarios are based on writing malicious executable files to certain folders, such
as the local temp or download folder, and then running them. Use this capability to restrict the
locations from which executable files can run.
Network Locations — — —
To prevent attack scenarios that are based on writing malicious files to remote folders, you can
restrict access to all network locations except for those that you explicitly trust.
Removable Media — — —
To prevent malicious code from gaining access to endpoints using external media such as a
removable drive, you can restrict the executable files that users can launch from external drives
attached to the endpoints in your network.
Optical Drive — — —
Anti-Ransomware — — —
Targets encryption-based activity associated with ransomware and has the ability to analyze
and halt ransomware activity before any data loss occurs.
APC Protection — — —
Prevents attacks that change the execution order of a process by redirecting an asynchronous
procedure call (APC) to point to malicious shellcode.
Behavioral Threat —
Prevents sophisticated attacks that leverage built-in OS executables and common
administration utilities by continuously monitoring endpoint activity for malicious causality
chains.
Child Process Protection — — —
Prevents script-based attacks that are used to deliver malware, such as ransomware, by
blocking known targeted processes from launching child processes that are commonly used to
bypass traditional security approaches.
CPL Protection — — —
Protects against vulnerabilities related to the display routine for Windows Control Panel
Library (CPL) shortcut images, which can be used as a malware infection vector.
Data Execution Prevention (DEP) — — —
Prevents areas of memory defined to contain only data from running executable code.
DLL Hijacking — — —
Prevents DLL-hijacking attacks where the attacker attempts to
DLL Security — — —
Prevents access to crucial DLL metadata from untrusted code locations.
Dylib Hijacking — — —
Prevents Dylib-hijacking attacks where the attacker attempts to load dynamic libraries on Mac
operating systems from unsecure locations to gain control of a process.
Font Protection — — —
Prevents improper font handling, a common target of exploits.
Gatekeeper Enhancement — — —
Hash Exception
Halts execution of files that an administrator identified as malware regardless of the WildFire
verdict.
Java Deserialization — — —
Blocks attempts to execute malicious code during the Java object deserialization process on
Java-based servers.
JIT — —
Prevents an attacker from bypassing the operating system's memory mitigations using
just-in-time (JIT) compilation engines.
Kernel Integrity Monitor (KIM) — — —
Local Analysis —
Examines hundreds of characteristics of an unknown executable file, DLL, or macro to
determine if it is likely to be malware. The local analysis module uses a static set of
pattern-matching rules that inspect multiple file features and attributes, and a statistical model
that was developed using machine learning on WildFire threat intelligence.
Local Privilege Escalation Protection —
Prevents attackers from performing malicious activities that require privileges higher than
those assigned to the attacked or malicious process.
Network Packet Inspection Engine — — —
Analyzes network packet data to detect malicious behavior at the network level. The engine
leverages both Palo Alto Networks NGFW content rules and new Cortex XDR content rules
created by the Research Team, which are updated through the security content.
Null Dereference — — —
Prevents malicious code from mapping to address zero in the memory space, making null
dereference vulnerabilities unexploitable.
Restricted Execution - Local Path — — —
Prevents unauthorized execution from a local path.
Restricted Execution - Network Location — — —
Prevents unauthorized execution from a network path.
Restricted Execution - Removable Media — — —
Prevents unauthorized execution from removable media.
Reverse Shell Protection — — —
Blocks malicious activity where an attacker redirects standard input and output streams to
network sockets.
ROP —
Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP
chains.
SEH — — —
Prevents hijacking of the structured exception handler (SEH), a commonly exploited control
structure that can contain multiple SEH blocks that form a linked-list chain, which contains a
sequence of function records.
Shellcode Protection — — —
Reserves and protects certain areas of
ShellLink — — —
Prevents shell-link logical vulnerabilities.
SO Hijacking Protection — — —
Prevents dynamic loading of libraries from unsecure locations to gain control of a process.
SysExit — — —
Prevents using system calls to bypass other protection capabilities.
UASLR — — —
Improves or altogether implements ASLR (address space layout randomization) with greater
entropy, robustness, and strict enforcement.
Vulnerable Drivers Protection — — —
Detects attempts to load vulnerable drivers.
WildFire
Leverages WildFire for threat intelligence to determine whether a file is malware. In the case of
unknown files, Cortex XDR can forward samples to
WildFire Post-Detection (Malware and Grayware)
Identifies a file that was previously allowed to run on an endpoint that is now determined to be
malware. Post-detection events provide notifications for each endpoint on which the file
executed.
After you add the new security profile, you can Manage Endpoint Security Profiles.
STEP 3 | Configure the action to take when the Cortex XDR agent detects an attempt to exploit each
type of software flaw.
For details on the different exploit protection capabilities, see Endpoint Protection Capabilities.
• Block—Block the exploit attack.
• Report—Allow the exploit activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report exploit attempts.
• Default—Use the default configuration to determine the action to take. Cortex XDR displays
the current default configuration for each capability in parentheses, for example Default
(Block).
To view which processes are protected by each capability, see Processes Protected by Exploit
Security Policy.
For Logical Exploits Protection, you can also configure a block list for the DLL Hijacking
module. The block list enables you to block specific DLLs when loaded by a protected process.
The DLL folder or file must include the complete path. To complete the path, you can use
environment variables or the asterisk (*) as a wildcard to match any string of characters (for
example, */windows32/).
For Exploit Protection for Additional Processes, you can also add one or more additional
processes.
In Exploit Security profiles, if you change the action mode for processes, you must
restart the protected processes for the following security modules to take effect on the
process and its forked processes: Brute Force Protection, Java Deserialization, ROP, and
SO Hijacking.
STEP 4 | (Windows only) Configure how to address unpatched known vulnerabilities in your network.
If you have Windows endpoints in your network that are unpatched and exposed to a
known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the
latest Windows Update that has a fix for that vulnerability.
If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability
allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known
vulnerability. It can take the Cortex XDR agent up to 6 hours to enforce your configured policy
on the endpoints.
To address the known vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094,
you can Modify IPv4 and IPv6 settings as follows:
• Do not modify system settings (default)—Do not modify the IPv4 and IPv6 settings
currently set on the endpoint, whether the current values are your original values or values
that were modified as part of this workaround.
• Modify system settings until the endpoint is patched—If the endpoint is already patched,
this option does not modify any system settings. For unpatched endpoints, the Cortex
XDR agent runs the following commands to temporarily modify the IPv4 and IPv6 settings
until the endpoint is patched. After the endpoint is patched for CVE-2021-24074,
CVE-2021-24086, and CVE-2021-24094, all Windows system settings modified as part
of this workaround are automatically reverted to their values before modification. Palo
Alto Networks strongly recommends that you review these commands before applying this
workaround in your network to ensure your critical business components are not affected
or harmed:
netsh int ipv6 set global reassemblylimit=0
This command disables IPv6 packet reassembly on the endpoint, so fragmented IPv6
packets are dropped.
netsh int ipv4 set global sourceroutingbehavior=drop
This command drops IPv4 packets that carry loose source routing (LSR) options.
• Revert system settings to your previous settings—Revert all Windows system settings
to their values before modification as part of this workaround, regardless of whether the
endpoint was patched or not.
This workaround applies only to the specific Windows versions listed as exposed to
these CVEs, and requires Cortex XDR agent 7.1 or later and content 167-51646
or later. This workaround is not recommended for non-persistent, stateless, or linked-clone
environments. In some cases, enabling this workaround can affect the network
functionality on the endpoint.
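Because the page recommends reviewing these commands before applying the workaround, here is an added Python example (not Cortex XDR code) that reads back the two settings the workaround changes, so that you can record their values before enabling Modify system settings and confirm that the revert restored them. It assumes the "Reassembly Limit" and "Source Routing Behavior" labels printed by netsh interface ipv6 show global and netsh interface ipv4 show global; the sample output embedded in the script is constructed, not a real capture.

```python
# Added example (not Cortex XDR code): reads back the two global TCP/IP settings
# the workaround changes. Assumptions: the labels "Reassembly Limit" and
# "Source Routing Behavior" as printed by `netsh interface ipv6 show global`
# and `netsh interface ipv4 show global`; the sample text in __main__ is
# constructed for offline use and is not a real capture.
import re
import subprocess
import sys
from typing import Dict, Optional

# family -> (label in `netsh ... show global` output, value set by the workaround)
WORKAROUND_VALUES = {
    "ipv6": ("Reassembly Limit", "0"),            # netsh int ipv6 set global reassemblylimit=0
    "ipv4": ("Source Routing Behavior", "drop"),   # netsh int ipv4 set global sourceroutingbehavior=drop
}

_LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")


def parse_netsh_global(text: str) -> Dict[str, str]:
    """Map 'Label : value' lines of `netsh interface ipvN show global` to a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def workaround_state(ipv4_text: str, ipv6_text: str) -> Dict[str, dict]:
    """Per family: current value of the setting and whether the workaround value is in effect."""
    report: Dict[str, dict] = {}
    for family, text in (("ipv4", ipv4_text), ("ipv6", ipv6_text)):
        label, expected = WORKAROUND_VALUES[family]
        value: Optional[str] = parse_netsh_global(text).get(label)
        first_token = value.split()[0].lower() if value else None   # tolerate a trailing unit
        report[family] = {
            "setting": label,
            "current": value,
            "workaround_applied": first_token == expected,
        }
    return report


def read_live_state() -> Dict[str, dict]:
    """Query the running Windows endpoint; only the two read-only `show global` commands run."""
    if sys.platform != "win32":
        raise RuntimeError("netsh is only available on Windows")
    out = {}
    for family in ("ipv4", "ipv6"):
        proc = subprocess.run(["netsh", "interface", family, "show", "global"],
                              capture_output=True, text=True, check=True)
        out[family] = proc.stdout
    return workaround_state(out["ipv4"], out["ipv6"])


if __name__ == "__main__":
    # Constructed sample output resembling the netsh layout (not a real capture).
    SAMPLE_IPV4 = ("Querying active state...\n\nGeneral Global Parameters\n"
                   "---------------------------------------------\n"
                   "Default Hop Limit                   : 128 hops\n"
                   "Source Routing Behavior             : dontforward\n")
    SAMPLE_IPV6 = ("Querying active state...\n\nGeneral Global Parameters\n"
                   "---------------------------------------------\n"
                   "Reassembly Limit                    : 267748640\n")
    state = read_live_state() if sys.platform == "win32" else workaround_state(SAMPLE_IPV4, SAMPLE_IPV6)
    for family, info in state.items():
        print(f"{family}: {info['setting']} = {info['current']} "
              f"(workaround applied: {info['workaround_applied']})")
```

On a Windows endpoint the script queries netsh; elsewhere it parses the constructed sample so the parsing logic can be exercised. Keep the output from before and after the workaround is applied; the recorded reassembly limit is the value to pass to netsh int ipv6 set global reassemblylimit=<recorded value> if you ever need to restore it by hand.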
By default, the Cortex XDR agent receives the default profile, which contains a pre-defined
configuration for each malware protection capability supported by the platform. To fine-tune
your Malware security policy, you can override the configuration of each capability to block the
malicious behavior or file, allow but report it, or disable the module. For each setting you override,
clear the option to Use Default.
To configure a Malware security profile:
STEP 1 | Add a new profile.
1. From Cortex XDR, select Endpoints > Policy Management > Prevention > Profiles > +
New Profile.
2. Select the platform to which the profile applies and Malware as the profile type.
STEP 3 | Configure the Cortex XDR agent to examine executable files, macros, or DLL files on Windows endpoints, Mach-O files or DMG files on Mac endpoints, ELF files on Linux endpoints, or APK files on Android endpoints.
1. Configure the Action Mode (the behavior of the Cortex XDR agent) when malware is detected:
• Block—Block attempts to run malware.
• Report—Report but do not block malware that attempts to run.
• (Android only) Prompt—Enable the Cortex XDR agent to prompt the user when malware is detected and allow the user to choose to allow the malware, dismiss the notification, or uninstall the app.
• Disabled—Disable the module and do not examine files for malware.
2. Configure additional actions to examine files for malware.
By default, Cortex XDR uses the settings specified in the default malware security profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
• (Windows, Mac starting with Cortex XDR agent 7.4, Linux starting with Cortex XDR agent 7.5) Quarantine Malicious Executables / Mach-O / ELF files—By default, the Cortex XDR agent blocks malware from running but does not quarantine the file. Enable this option to quarantine files depending on the verdict issuer (local analysis, WildFire, or both local analysis and WildFire).
The quarantine feature is not available for malware identified on network drives.
• Upload <file_type> files for cloud analysis—Enable the Cortex XDR agent to send unknown files to Cortex XDR, and Cortex XDR to send the files to WildFire for analysis. With macro analysis, the Cortex XDR agent sends the Microsoft Office file containing the macro. The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100MB in size.
• Treat Grayware as Malware—Treat all grayware with the same Action Mode you configure for malware. If this option is disabled, grayware is considered benign and is not blocked.
• Action on Unknown to WildFire—Select the behavior of the Cortex XDR agent when an unknown file tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block unknown files but do not run local analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
• (Cortex XDR agent 7.5 and later for Windows only) Action when WildFire verdict is Benign with Low Confidence—Select the behavior of the Cortex XDR agent when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block these files but do not run local analysis, they remain blocked until the Cortex XDR agent receives a high-confidence WildFire verdict. To enable this capability, ensure that WildFire analysis scoring is enabled in your Global Agent Settings.
• For optimal user experience, Palo Alto Networks recommends that you set the action mode to either Allow or Run Local Analysis.
• Action on Benign LC verdict is supported from agent version 7.5 and above. For agent version 7.4.X, the action on a Benign LC verdict is the same as the action for files with an Unknown verdict.
• (Windows only) Examine Office Files From Network Drives—Enable the Cortex XDR agent to examine Microsoft Office files on network drives when they contain a macro that attempts to run. If this option is disabled, the Cortex XDR agent does not examine macros on network drives.
(Windows only) As part of the anti-malware security flow, the Cortex XDR agent leverages the OS capability to identify revoked certificates for executables and DLL files that attempt to run on the endpoint by accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent to access the CRL, you must enable internet access over port 80 for Windows endpoints running Traps 6.0.3 and later releases, Traps 6.1.1 and later releases, or Cortex XDR 7.0 and later releases. If the endpoint is not connected to the internet, or you experience delays with executables and DLLs running on the endpoint, contact Palo Alto Networks Support.
3. (Optional) Add files and folders to your allow list to exclude them from examination.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match files and folders containing a partial name. Use ? to match a single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).
3. Repeat to add additional files or folders.
4. Add signers to your allow list to exclude them from examination.
When a file that is signed by a signer you included in your allow list attempts to run,
1. +Add a trusted signer.
2. Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs the file (Mac) and press Enter or click the check mark when done. You can also use a wildcard to match a partial name for the signer. Use ? to match any single character or * to match any string of characters.
3. Repeat to add additional signers.
The Cortex XDR agent evaluates the signer name using the CN (Common Name) value in the digital signature, while the Cortex XDR console can display in the Alerts table both the O (Organization) value and the CN (Common Name).
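The settings in this step interact: the Action Mode decides what happens to malware, Treat Grayware as Malware folds grayware into that decision, and the Unknown and Benign Low Confidence settings decide what happens before an official verdict exists. The following is an added illustration written for this guide, not Palo Alto Networks code, of how those settings combine into one outcome per file. The verdict names, the 7.5-and-later Windows gating of the Benign Low Confidence setting, and the Unknown fallback for 7.4.x follow the text above; the data structures, function names, the treatment of a local-analysis "malware" result as equivalent to a WildFire malware verdict, and the treatment of Benign LC as plain Benign when scoring is disabled are this example's assumptions.

```python
"""Added illustration, not Palo Alto Networks code: how the Malware profile
settings combine into the action the agent takes when a file tries to run."""
from dataclasses import dataclass

BLOCK, REPORT, DISABLED = "Block", "Report", "Disabled"
ALLOW, RUN_LOCAL_ANALYSIS = "Allow", "Run Local Analysis"


@dataclass
class MalwareProfile:
    action_mode: str = BLOCK                        # Block / Report / Disabled
    treat_grayware_as_malware: bool = False
    action_on_unknown: str = RUN_LOCAL_ANALYSIS     # Allow / Run Local Analysis / Block
    action_on_benign_low_confidence: str = ALLOW    # Windows, agent 7.5 and later
    wildfire_scoring_enabled: bool = True           # Global Agent Settings


def agent_at_least(version: str, minimum: str) -> bool:
    """Compare dotted agent versions, e.g. '7.4.2' is below '7.5'."""
    return tuple(int(p) for p in version.split(".")) >= tuple(int(p) for p in minimum.split("."))


def effective_action(profile: MalwareProfile, wildfire_verdict: str,
                     agent_version: str, platform: str = "windows",
                     local_verdict: str = None) -> str:
    """Return Block, Report or Allow for one file.

    wildfire_verdict: 'malware', 'grayware', 'benign', 'benign_low_confidence' or 'unknown'.
    local_verdict: 'malware' or 'benign' when local analysis ran, else None.
    """
    if profile.action_mode == DISABLED:
        return ALLOW  # module off: files are not examined at all

    verdict = wildfire_verdict
    if verdict == "benign_low_confidence":
        if not profile.wildfire_scoring_enabled:
            verdict = "benign"   # assumption: without scoring there is no low-confidence distinction
        elif not (platform == "windows" and agent_at_least(agent_version, "7.5")):
            verdict = "unknown"  # 7.4.x (and non-Windows) treat Benign LC like Unknown
    if verdict == "grayware":
        verdict = "malware" if profile.treat_grayware_as_malware else "benign"

    if verdict == "malware":
        return profile.action_mode  # Block or Report
    if verdict == "benign":
        return ALLOW

    # Unknown, or Benign LC on a 7.5+ Windows agent with scoring enabled
    setting = (profile.action_on_unknown if verdict == "unknown"
               else profile.action_on_benign_low_confidence)
    if setting == ALLOW:
        return ALLOW
    if setting == BLOCK:
        return BLOCK  # stays blocked until an official / high-confidence WildFire verdict arrives
    # Run Local Analysis: the local verdict decides, using the profile's Action Mode for malware
    return profile.action_mode if local_verdict == "malware" else ALLOW
```

A useful way to use this is to run the file-type and verdict combinations you expect in your environment through it before changing a profile, which makes visible, for example, that an Action on Unknown of Block with no local analysis leaves every unknown file blocked until WildFire answers.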
STEP 4 | (Windows, Mac, and Linux only) Configure Behavioral Threat Protection.
Behavioral threat protection requires Traps agent 6.0 or a later release for Windows endpoints, and Traps 6.1 or later versions for Mac and Linux endpoints.
With Behavioral threat protection, the agent continuously monitors endpoint activity to identify and analyze chains of events, known as causality chains. This enables the agent to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. A causality chain can include any sequence of network, process, file, and registry activities on the endpoint. Behavioral threat protection can also identify behavior related to vulnerable drivers on Windows endpoints. For more information on data collection for Behavioral Threat Protection, see Endpoint Data Collected by Cortex XDR.
Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains as behavioral threat rules. When the Cortex XDR agent detects a match to a behavioral threat protection rule, the Cortex XDR agent carries out the configured action (default is Block). In addition, the Cortex XDR agent reports the behavior of the entire event chain up to the process, known as the causality group owner (CGO), that the Cortex XDR agent identified as triggering the event sequence.
To configure Behavioral Threat Protection:
1. Define the Action mode to take when the Cortex XDR agent detects malicious causality chains:
• Block (default)—Block all processes and threads in the event chain up to the CGO.
• Report—Allow the activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
2. Define whether to quarantine the CGO when the Cortex XDR agent detects a malicious event chain.
• Enabled—Quarantine the CGO if the file is not signed by a highly trusted signer. When the CGO is signed by a highly trusted signer or powershell.exe, wscript.exe,
This module is supported with Cortex XDR agent 7.3.0 and later releases.
1. Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality chains:
• Enabled (default)—Terminate the connection and block the IP address of the remote connection.
• Disabled—Do not block remote IP addresses.
2. To allow specific, known-safe IP addresses or IP address ranges that you do not want Cortex XDR to block, add these IP addresses to your allow list.
+Add and then specify the IP address.
STEP 7 | (Windows only) Configure the Cortex XDR agent to Prevent Malicious Child Process Execution.
1. Select the Action Mode to take when the Cortex XDR agent detects malicious child process execution:
• Block—Block the activity.
• Report—Allow the activity but report it to Cortex XDR.
2. To allow specific processes to launch child processes for legitimate purposes, add the child process to your allow list with optional execution criteria.
+Add and then specify the allow list criteria, including the Parent Process Name, Child Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters.
If you are adding child process evaluation criteria based on a specific security event, the event indicates both the source process and the command line parameters in one line. Copy only the command line parameters for use in the profile.
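The same two wildcards, ? for one character and * for any run of characters, appear in three allow lists of this profile: file and folder paths (STEP 3, item 3), trusted signer names (STEP 3, item 4) and the parent/child/command-line criteria of this step. The block below is an added example written for this guide, not Cortex XDR code, that implements that matching so an administrator can test entries before saving them; it shows, for instance, why a folder entry must end in * to cover the files inside it. Case-insensitive comparison, the sample paths, signer names and process rules are this example's own assumptions.

```python
"""Added example, not Cortex XDR code: the ? / * wildcard semantics of the
Malware profile allow lists, applied to paths, signer names and child-process
criteria. All sample values are constructed for illustration."""
import re
from dataclasses import dataclass


def wildcard_to_regex(pattern: str, case_insensitive: bool = True):
    """? matches exactly one character, * matches any run (including none);
    every other character is literal, so Windows backslashes are escaped."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.DOTALL | (re.IGNORECASE if case_insensitive else 0)
    return re.compile("^" + "".join(parts) + "$", flags)


def matches(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).match(value) is not None


def path_allowed(allow_list, path: str) -> bool:
    """File/folder allow list: a folder entry must end with * to cover its files."""
    return any(matches(entry, path) for entry in allow_list)


def signer_allowed(allow_list, signer_cn: str) -> bool:
    """Signer allow list: the agent compares the CN of the signature (Windows)
    or the SHA1 of the signing certificate (Mac); pass that value here."""
    return any(matches(entry, signer_cn) for entry in allow_list)


@dataclass
class ChildProcessRule:
    parent: str
    child: str
    command_line: str = "*"   # optional criteria; "*" means any parameters


def child_process_allowed(rules, parent: str, child: str, command_line: str) -> bool:
    """Child-process allow list: all three criteria of one rule must match.
    Pass only the command-line parameters, not the source process, as the
    note above says."""
    return any(matches(r.parent, parent) and matches(r.child, child)
               and matches(r.command_line, command_line) for r in rules)
```

Running a few real paths from an alert through path_allowed before adding the entry is a cheap way to avoid both outcomes you do not want: an entry that silently matches nothing, and one such as c:\* that excludes far more than intended.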
is powered on again. The scheduling of future scans is not affected by this delay. To better understand how the agent scans the endpoint, refer to Scan an Endpoint for Malware.
When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning schedule time.
1. Configure the Action Mode for the Cortex XDR agent to periodically scan the endpoint for malware: Enabled to scan at the configured intervals, or Disabled (default) if you don't want the Cortex XDR agent to scan the endpoint.
2. To configure the scan schedule, set the frequency (Run Weekly or Run Monthly) and the day and time at which the scan will run on the endpoint.
Just as with an on-demand scan, a scheduled scan resumes after a reboot, process interruption, or operating system crash.
3. (Windows only) To include removable media drives in the scheduled scan, enable the Cortex XDR agent to Scan Removable Media Drives.
4. Add folders to your allow list to exclude them from examination.
1. Add (+) a folder.
2. Enter the folder path. Use ? to match a single character or * to match any string of characters in the folder path (for example, C:\*\temp).
3. Press Enter or click the check mark when done.
4. Repeat to add additional folders.
STEP 9 | (Windows Vista and later Windows releases) Enable Password Theft Protection.
Select Enabled to enable the Cortex XDR agent to prevent attacks that use the Mimikatz tool to extract passwords from memory. When set to Enabled, the Cortex XDR agent silently prevents attempts to steal credentials (no notifications are provided when these events occur). The Cortex XDR agent enables this protection module following the next endpoint reboot. If you don't want to enable the module, select Disabled.
This module is supported with Traps agent 5.0.4 and later releases.
Cortex XDR content rules created by the Research Team, which are updated through the security content.
This module is supported with Cortex XDR agent 7.5.0 and later releases.
1. Define the Action mode to take when the Cortex XDR agent detects malicious behavior:
• Terminate Session (default)—Drop the malicious connections. In case of an outgoing connection, also terminate all associated processes.
• Report—Allow the packets in your network but report them to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
This module is supported with Cortex XDR agent 7.2.0 and later releases.
1. Select the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
• Enable—Enable the Cortex XDR agent to analyze the endpoint for PHP files arriving from the web server and alert on any malicious PHP scripts.
• Disable—Disable the module and do not analyze or report the activity.
2. Quarantine malicious files.
When Enabled, the Cortex XDR agent quarantines malicious PHP files on the endpoint. The agent quarantines newly created PHP files only, and does not quarantine updated files.
3. (Optional) Add files and folders to your allow list to exclude them from examination.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use * to match files and folders containing a partial name. To match a folder, you must terminate the path with * to match all files in the folder (for example, /usr/bin/*).
3. Repeat to add additional files or folders.
Field                 Description
Created Time          Date and time at which the security profile was created.
Modification Time     Date and time at which the security profile was modified.
Agent Profiles
Disk Space —                                  Customize the amount of disk space the Cortex XDR agent uses to store logs and information about events.
User Interface — —                            Determine whether and how end users can access the Cortex XDR console.
Traps Tampering Protection — —                Prevent users from tampering with the Cortex XDR agent components by restricting access.
Uninstall Password — —                        Change the default uninstall password to prevent unauthorized users from uninstalling the Cortex XDR agent software.
Windows Security Center Configuration — — —   Configure your Windows Security Center preferences to allow registration with the Microsoft Security Center, to allow registration with automated Windows patch installation, or to disable registration.
Forensics — — —                               Change forensic data collection and upload preferences.
Response Actions —                            Manual response actions that you can take on the endpoint after a malicious file, process, or behavior is detected. For example, you can terminate a malicious process, isolate the infected endpoint from the network, quarantine a malicious file, or perform additional actions as necessary to remediate the endpoint.
Content Updates —
Global Uninstall Password —                   Set the uninstall password for all agents in the system.
Content Bandwidth Management —
Advanced Analysis —                           Enable Cortex XDR to automatically upload alert data for secondary verdict verification and security policy tuning.
STEP 3 | (Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs.
Specify a value in MB from 100 to 10,000 (default is 5,000).
STEP 4 | (Windows and Mac only) Configure User Interface options for the Cortex XDR console.
By default, Cortex XDR uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
• Tray Icon—Choose whether you want the Cortex XDR agent icon to be Visible (default) or Hidden in the notification area (system tray).
• XDR Agent Console Access—Enable this option to allow access to the Cortex XDR console.
• XDR Agent User Notifications—Enable this option to display notifications in the notification area on the endpoint. When disabled, the Cortex XDR agent operates in silent mode and does not display any notifications in the notification area. If you enable notifications, you can use the default notification messages or provide custom text for each notification type. You can also customize a notification footer.
• Live Terminal User Notifications—Choose whether to Notify the end user and display a pop-up on the endpoint when you initiate a Live Terminal session. For Cortex XDR agents 7.3 and later releases only, you can choose to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.
• (Cortex XDR agent 7.3 and later releases only) Live Terminal Active Session Indication—Enable this option to display a blinking light on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress.
STEP 6 | (Windows and Mac only) Configure Agent Security options that prevent unauthorized access to or tampering with the Cortex XDR agent components.
Use the default agent settings or customize them for the profile. To customize agent security capabilities:
1. Enable XDR Agent Tampering Protection.
2. (Windows only) By default, the Cortex XDR agent protects all agent components; however, you can configure protection more granularly for Cortex XDR agent services, processes, files, and registry values. With Traps 5.0.6 and later releases, when protection is enabled, access is read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
between Cortex XDR and Cortex XDR agents. Additionally, the uninstall password is used to protect against tampering attempts when using Cytool commands.
The default uninstall password is Password1. A new password must satisfy the Password Strength indicator requirements:
• Contain eight or more characters.
• Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
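Because the uninstall password gates both agent removal and Cytool tampering attempts, it is worth checking candidate passwords against the two requirements above before rolling a profile out. The block below is an added example written for this guide, not Cortex XDR code: it encodes the minimum length and the exact character set listed, and additionally flags the documented default, Password1, so that a profile never ships with it. The sample passwords are constructed.

```python
"""Added example, not Cortex XDR code: a check for the uninstall password
requirements (eight or more characters; English letters, digits or the listed
symbols), plus a flag for the documented default password."""
import re

ALLOWED_SYMBOLS = "!()-._`~@#\"'"
DEFAULT_UNINSTALL_PASSWORD = "Password1"   # the default stated in the guide
_ALLOWED_CHARS = re.compile("^[A-Za-z0-9" + re.escape(ALLOWED_SYMBOLS) + "]+$")


def uninstall_password_issues(candidate: str) -> list:
    """Return the requirements the candidate fails (an empty list means it passes)."""
    issues = []
    if len(candidate) < 8:
        issues.append("shorter than eight characters")
    disallowed = sorted({c for c in candidate if not _ALLOWED_CHARS.match(c)})
    if disallowed:
        issues.append("disallowed characters: " + "".join(disallowed))
    if candidate == DEFAULT_UNINSTALL_PASSWORD:
        issues.append("default uninstall password still in use")
    return issues


def is_acceptable_uninstall_password(candidate: str) -> bool:
    return not uninstall_password_issues(candidate)
```

Note that the character set is a whitelist: a space or a symbol outside the list is reported by name, which is more useful than a bare rejection when the password is being set from an automation script.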
When you Enable the Cortex XDR agent to register with the Windows Security Center, Windows shuts down Microsoft Defender on the endpoint automatically. If you still want to allow Microsoft Defender to run on the endpoint where Cortex XDR is installed, you must Disable this option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint, since it might cause performance issues and incompatibility issues with GlobalProtect and other applications.
session. As a result, before using the response action you must add the VDI processes and corresponding IP addresses to your allow list.
1. +Add an entry to the allow list.
2. Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
3. Click the check mark when finished.
STEP 10 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Content Configuration for your Cortex XDR agents.
• Content Auto-update—By default, the Cortex XDR agent always retrieves the most recent content and deploys it on the endpoint, so the endpoint is always protected with the latest security measures. However, you can Disable the automatic content download. The agent then stops retrieving content updates from the Cortex XDR server and keeps working with the current content on the endpoint.
• If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XDR and then disables content updates on the endpoint.
• When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrade policy, the policy is applied to the added agent as well.
• Content Rollout—The Cortex XDR agent can retrieve content updates Immediately as they become available, or after a pre-configured Delayed period. When you delay content updates, the Cortex XDR agent retrieves the content according to the configured delay. For example, if you configure a delay period of two days, the agent does not use any content released in the last 48 hours.
STEP 11 | Enable Agent Auto Upgrade for your Cortex XDR agents.
To ensure your endpoints are always up to date with the latest Cortex XDR agent release, enable automatic agent upgrades.
1. Select the Automatic Upgrade Scope:
• Latest agent release
• Only maintenance release
• Only maintenance release in a specific version
• Upgrade to a specific version
2. Select the Upgrade Rollout:
• Immediate
• Delayed—Specify the Delay Period In Days using a numeric value. Valid values are 7 through 45.
To control the agent auto upgrade scheduler and number of parallel upgrades in your network, see Configure Global Agent Settings.
Automatic upgrades are not supported with non-persistent VDI and temporary sessions.
3. (Optional) For Critical Environment (CE) versions, select whether you want to upgrade your CE versions only within the CE lines. It can take up to 15 minutes for new and updated auto-upgrade profile settings to take effect on your endpoints.
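The Content Rollout delay in STEP 10 and the Automatic Upgrade Scope plus Delayed rollout in this step are the same kind of decision: given what has been released and when, which version may this agent take right now? The block below is an added example written for this guide, not Cortex XDR code, that makes that decision for both agent releases and content. The release lists and dates are constructed, and the reading of "maintenance release" as a release that shares the installed major.minor number is this example's assumption, as is applying the rollout delay to the first content retrieval of a newly installed agent.

```python
"""Added example, not Cortex XDR code: selecting the agent release (Automatic
Upgrade Scope + Delayed rollout) and the content version (Content Rollout)
an agent may move to. Release data below is constructed."""
from datetime import datetime, timedelta, timezone


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def released_before_delay(releases, now, delay_days):
    """Drop anything released within the last delay_days days (0 = Immediate)."""
    cutoff = now - timedelta(days=delay_days)
    return [(v, t) for v, t in releases if t <= cutoff]


def select_agent_upgrade(installed, releases, now, scope, delay_days=0, target=None):
    """releases: list of (version, release_datetime). Returns the version to
    upgrade to, or None when nothing newer qualifies.
    scope: 'latest' | 'maintenance' | 'maintenance_in_version' | 'specific'."""
    if delay_days and not 7 <= delay_days <= 45:
        raise ValueError("Delay Period In Days must be 7 through 45")
    pool = released_before_delay(releases, now, delay_days)
    inst = parse_version(installed)
    if scope == "maintenance":                 # stay on the installed major.minor line
        pool = [(v, t) for v, t in pool if parse_version(v)[:2] == inst[:2]]
    elif scope == "maintenance_in_version":    # maintenance releases of a chosen line, e.g. "7.5"
        pool = [(v, t) for v, t in pool if parse_version(v)[:2] == parse_version(target)[:2]]
    elif scope == "specific":
        pool = [(v, t) for v, t in pool if v == target]
    elif scope != "latest":
        raise ValueError(f"unknown scope {scope!r}")
    candidates = [v for v, _ in pool if parse_version(v) > inst]
    return max(candidates, key=parse_version) if candidates else None


def select_content(current, releases, now, delay_days=0, auto_update=True):
    """Content Rollout: newest content older than the delay. A disabled
    auto-update keeps the current content, except for the very first
    retrieval after installation (current is None)."""
    if not auto_update and current is not None:
        return current
    pool = released_before_delay(releases, now, delay_days)
    return max(pool, key=lambda r: r[1])[0] if pool else current


# Constructed sample data for the usage below.
SAMPLE_NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)
SAMPLE_AGENT_RELEASES = [
    ("7.4.3", SAMPLE_NOW - timedelta(days=60)),
    ("7.5.0", SAMPLE_NOW - timedelta(days=30)),
    ("7.5.1", SAMPLE_NOW - timedelta(days=3)),
    ("7.6.0", SAMPLE_NOW - timedelta(days=1)),
]
SAMPLE_CONTENT_RELEASES = [
    ("content-A", SAMPLE_NOW - timedelta(days=3)),
    ("content-B", SAMPLE_NOW - timedelta(days=1)),
]
```

The two-day content example from STEP 10 corresponds to select_content(..., delay_days=2): content-B, released a day ago, is skipped and content-A is used. A seven-day agent delay likewise hides 7.5.1 and 7.6.0 from an agent on 7.4.2, which then moves to 7.5.0.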
STEP 12 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Download Source for agent and content updates.
To reduce your external network bandwidth load during updates, you can choose the Download Source(s) from which the Cortex XDR agent retrieves agent release upgrades and content updates: from a peer agent in the local network, from the Palo Alto Networks Broker VM, or directly from the Cortex XDR server. If all options are selected in your profile, the attempted download order is first P2P, then Broker VM, and lastly the Cortex Server.
• (Requires Cortex XDR agents 7.4 and later for P2P agent upgrade) P2P—Cortex XDR deploys serverless peer-to-peer (P2P) distribution to Cortex XDR agents in your LAN by default. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in both queries, it proceeds to the next download source defined in your profile.
To enable P2P, you must allow UDP and TCP over the port defined in Download Source. By default, Cortex XDR uses port 33221. You can configure another port number.
• (Requires Cortex XDR agents 7.4 and later releases and Broker VM 12.0 and later) Broker VM—If you have a Palo Alto Networks Broker VM in your network, you can leverage the Local Agent Settings applet to cache release upgrades and content updates. When enabled and configured, the Broker retrieves the latest installers and content from Cortex XDR every 15 minutes and stores them for a 30-day retention period from the time an agent last asked for them. If the files were not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XDR server.
If you enable the Broker download option, proceed to select one or more available brokers from the list. Cortex XDR enables you to select only brokers that are connected and for which caching is configured. When you select multiple brokers, the agent chooses randomly which broker to use for each download request.
• Cortex Server—To ensure your agents remain protected, the Cortex Server download source is always enabled to allow all Cortex XDR agents in your network to retrieve the content directly from the Cortex XDR server on their following heartbeat.
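The download order above is a fixed fallback chain: two P2P queries, then one randomly chosen broker among those that are connected and have caching configured, and finally the Cortex server, which cannot be switched off. The block below is an added example written for this guide, not Cortex XDR code, that walks that chain for one download request and records which sources were tried, which is the sort of trace you want when agents unexpectedly pull from the server over the WAN. Broker names, package names and the callback that stands in for the two peer broadcasts are constructed.

```python
"""Added example, not Cortex XDR code: the download-source fallback order
(P2P, then Broker VM, then Cortex Server) for one request. Sample brokers and
packages are constructed."""
import random
from dataclasses import dataclass, field


@dataclass
class Broker:
    name: str
    connected: bool = True
    caching_configured: bool = True
    cached: set = field(default_factory=set)   # package ids the broker currently holds


@dataclass
class DownloadSourceProfile:
    p2p: bool = True
    broker_vm: bool = False
    brokers: list = field(default_factory=list)
    # The Cortex Server source cannot be disabled; it is always the last resort.


def selectable_brokers(brokers):
    """Only connected brokers with caching configured can be selected in the profile."""
    return [b for b in brokers if b.connected and b.caching_configured]


def resolve_download(profile, package, peer_has_package, rng=None):
    """Return (source, detail, attempts) for one download request.

    peer_has_package(query_no) -> bool emulates the answer to the two P2P
    broadcasts in the six-hour window (query 1 in the first hour, query 2 in
    the following five)."""
    rng = rng or random.Random()
    attempts = []
    if profile.p2p:
        for query in (1, 2):
            attempts.append(f"p2p-query-{query}")
            if peer_has_package(query):
                return "P2P", f"peer supplied {package}", attempts
    if profile.broker_vm:
        usable = selectable_brokers(profile.brokers)
        if usable:
            broker = rng.choice(usable)   # random pick among the selected brokers
            attempts.append(f"broker-{broker.name}")
            if package in broker.cached:
                return "Broker VM", broker.name, attempts
    attempts.append("cortex-server")
    return "Cortex Server", "retrieved on next heartbeat", attempts


# Constructed sample environment for the usage below.
SAMPLE_BROKERS = [Broker("broker-a", cached={"content-330"}),
                  Broker("broker-b", connected=False, cached={"content-330"})]
SAMPLE_PROFILE = DownloadSourceProfile(p2p=True, broker_vm=True, brokers=SAMPLE_BROKERS)
```

In the sample, broker-b is disconnected and therefore never chosen, so a package it alone held would come from the Cortex server; that is the situation to look for when a broker's cache appears unused.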
STEP 13 | Enable Network Location Configuration for your Cortex XDR agents.
(Requires Cortex XDR agents 7.1 and later releases) If you configure host firewall rules in your network, you must enable Cortex XDR to determine the network location of your device, as follows:
1. A domain controller (DC) connectivity test—When Enabled, the DC test checks whether the device is connected to the internal network. If the device is connected to the internal network, it is in the organization. Otherwise, if the DC test failed or returned an external domain, Cortex XDR proceeds to a DNS connectivity test.
2. A DNS test—In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS returned the pre-configured internal IP, the device is within the organization. Otherwise, if the DNS name cannot be resolved, the device is located elsewhere. Enter the IP Address and DNS Server Name for the test.
If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and recalculates the policy according to the new location.
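The two tests above form a short decision chain: the DC test settles the question when it succeeds, and the DNS test decides otherwise, with "inside" requiring the probe name to resolve to exactly the configured address. The block below is an added example written for this guide, not Cortex XDR code, that implements that chain with the DC probe and DNS resolver injected so it runs offline, and re-evaluates on a network-change event. The probe name, addresses and resolver stubs are constructed. One caveat the code makes explicit: a name that resolves to some other address (for example a public resolver answering for it) counts as external, not internal.

```python
"""Added example, not Cortex XDR code: the DC-then-DNS network location test
with injected probes, plus re-evaluation on a network change. Names and
addresses below are constructed."""
from dataclasses import dataclass

INTERNAL, EXTERNAL = "internal", "external"


@dataclass
class NetworkLocationConfig:
    dc_test_enabled: bool
    dns_server_name: str   # a name resolvable only on the internal network
    ip_address: str        # the internal answer that name must return


def determine_location(cfg, dc_probe, resolve):
    """dc_probe() -> 'internal', 'external_domain' or 'failed'.
    resolve(name) -> address string, or None when the name does not resolve.
    Returns (location, deciding_test)."""
    if cfg.dc_test_enabled and dc_probe() == "internal":
        return INTERNAL, "dc"
    # DC test disabled, failed or pointing at an external domain: use the DNS test.
    answer = resolve(cfg.dns_server_name)
    if answer == cfg.ip_address:
        return INTERNAL, "dns"
    # Not resolvable, or an unexpected address: treat the endpoint as outside.
    return EXTERNAL, "dns"


class LocationTracker:
    """Keeps the last result and re-runs the test on a network change event."""

    def __init__(self, cfg, dc_probe, resolve):
        self.cfg, self.dc_probe, self.resolve = cfg, dc_probe, resolve
        self.location, self.reason = determine_location(cfg, dc_probe, resolve)

    def on_network_change(self, dc_probe=None, resolve=None):
        """Called when the agent notices a new network; probes may be replaced
        to reflect the new environment. Returns the recalculated location."""
        self.dc_probe = dc_probe or self.dc_probe
        self.resolve = resolve or self.resolve
        self.location, self.reason = determine_location(self.cfg, self.dc_probe, self.resolve)
        return self.location


# Constructed configuration and resolver stubs for the usage below.
SAMPLE_CFG = NetworkLocationConfig(True, "location-probe.corp.example", "10.20.30.40")
INTERNAL_DNS = {"location-probe.corp.example": "10.20.30.40"}.get
PUBLIC_DNS = {}.get   # the probe name is unknown outside the organization
SPOOFED_DNS = {"location-probe.corp.example": "203.0.113.9"}.get
```

The deciding-test value returned alongside the location is worth logging: a fleet that is "internal" mostly by DNS rather than by DC test usually means the DC probe is failing for a reason worth investigating.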
Field                    Description
Process Creation Time    Part of the process unique ID per boot session (PID + creation time).
• Connect
• Session ID
User Presence (Traps 6.1 and later)    User Detection    Detection of whether a user is present or idle, per active user session on the computer.
Event Log    See the Windows Event Logs table for the list of Windows Event Logs that can be sent to the server.
In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows Event Logs to the server:
Application    EMET
STEP 3 | Manage the content updates bandwidth and frequency in your network.
• Enable bandwidth control—Palo Alto Networks allows you to control your Cortex XDR agent network consumption by adjusting the bandwidth it is allocated. Based on the number of agents you want to update with content and upgrade packages (active or future agents), the Cortex XDR calculator configures the recommended amount of Mbps (megabits per second) required for a connected agent to retrieve a content update over a 24-hour period or a week. Cortex XDR supports between 20 and 10,000 Mbps; you can enter one of the recommended values or enter one of your own. For optimized performance and reduced bandwidth consumption, it is recommended that you install and update new agents with Cortex XDR agents 7.3 and later, which include the content package built in, using SCCM.
• Enable minor content version updates—The Cortex XDR research team releases more frequent content updates in between major content versions to ensure your network is constantly protected against the latest threats in the wild. When you enable minor content version updates, the Cortex XDR agent receives minor content updates, starting with the next content releases. To learn more about the minor content numbering format, refer to the About Content Updates topic.
STEP 5 | Configure the Cortex XDR agent auto upgrade scheduler and number of parallel upgrades.
If Agent Auto Upgrades are enabled for your Cortex XDR agents, you can control the automatic upgrade process in your network. To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network with the number of parallel upgrades as configured.
• Amount of Parallel Upgrades—Set the number of parallel agent upgrades; the maximum is 500 agents.
• Days in week—You can schedule the upgrade task for specific days of the week and a specific time range. The minimum range is four hours.
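Three limits govern the scheduler described above: a single batch during the first week after a release, at most 500 parallel upgrades afterwards, and a day-of-week and time window that is at least four hours long. The block below is an added example written for this guide, not Cortex XDR code, that validates such a schedule and computes how many agents may start upgrading at a given moment under those limits. The batch size, window and sample timestamps are constructed assumptions.

```python
"""Added example, not Cortex XDR code: a gate applying the auto-upgrade
scheduler limits (first-week single batch, 500 parallel upgrades maximum,
weekday/time window of at least four hours). Sample values are constructed."""
from datetime import date, datetime, time, timedelta, timezone

MAX_PARALLEL = 500
MIN_WINDOW_HOURS = 4


def validate_schedule(parallel, days_of_week, start, end):
    """days_of_week: set of ints (Monday=0); start/end: datetime.time on one day."""
    if not 1 <= parallel <= MAX_PARALLEL:
        raise ValueError(f"Amount of Parallel Upgrades must be 1..{MAX_PARALLEL}")
    if not days_of_week or not days_of_week <= set(range(7)):
        raise ValueError("Days in week must name at least one weekday 0..6")
    anchor = date(2000, 1, 1)
    window = datetime.combine(anchor, end) - datetime.combine(anchor, start)
    if window < timedelta(hours=MIN_WINDOW_HOURS):
        raise ValueError(f"time range must be at least {MIN_WINDOW_HOURS} hours")
    return True


def upgrades_to_start(now, release_time, parallel, days_of_week, start, end,
                      in_progress, first_week_batch_started, pending):
    """How many agents may begin upgrading at 'now'.

    During the first week after a release only one batch is deployed; after
    that, up to 'parallel' upgrades run concurrently inside the window."""
    validate_schedule(parallel, days_of_week, start, end)
    if now.weekday() not in days_of_week or not (start <= now.time() < end):
        return 0
    if now - release_time < timedelta(days=7):
        if first_week_batch_started:
            return 0
        return min(parallel, pending)   # the single first-week batch
    return max(0, min(parallel - in_progress, pending))


# Constructed sample schedule: weekday evenings, release on 1 Feb 2022.
SAMPLE_RELEASE = datetime(2022, 2, 1, tzinfo=timezone.utc)
SAMPLE_DAYS = {0, 1, 2, 3, 4}                        # Monday..Friday
SAMPLE_START, SAMPLE_END = time(18, 0), time(23, 0)  # five-hour window
SAMPLE_SHORT_END = time(21, 0)                       # three hours: too short
SAMPLE_FIRST_WEEK = datetime(2022, 2, 3, 19, 0, tzinfo=timezone.utc)      # Thursday, day 2
SAMPLE_LATER = datetime(2022, 2, 16, 19, 0, tzinfo=timezone.utc)          # Wednesday, week 3
SAMPLE_WEEKEND = datetime(2022, 2, 19, 19, 0, tzinfo=timezone.utc)        # Saturday
SAMPLE_OUT_OF_WINDOW = datetime(2022, 2, 16, 9, 0, tzinfo=timezone.utc)   # Wednesday morning
```

The in_progress and pending counts would come from the endpoint inventory; the point of the helper is that the parallel cap applies to concurrently running upgrades, not to the number started per window.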
STEP 6 | Configure automated Advanced Analysis of Cortex XDR Agent alerts raised by exploit protection modules.
Advanced Analysis is an additional verification method you can use to validate the verdict issued by the Cortex XDR agent. In addition, Advanced Analysis helps Palo Alto Networks researchers tune exploit protection modules for accuracy.
To initiate additional analysis you must retrieve data about the alert from the endpoint. You can do this manually on an alert-by-alert basis, or you can enable Cortex XDR to automatically retrieve the files.
After Cortex XDR receives the data, it automatically analyzes the memory contents and renders a verdict. When the analysis is complete, Cortex XDR displays the results in the Advanced Analysis field of the Additional data view for the data retrieval action on the Action Center. If the Advanced Analysis verdict is benign, you can avoid subsequent blocked files for users that encounter the same behavior by enabling Cortex XDR to automatically create and distribute exceptions based on the Advanced Analysis results.
1. Configure the desired options:
• Enable Cortex XDR to automatically upload defined alert data files for advanced analysis. Advanced Analysis increases the Cortex XDR exploit protection module accuracy.
• Automatically apply Advanced Analysis exceptions to your Global Exceptions list. This applies all Advanced Analysis exceptions suggested by Cortex XDR, regardless of the alert data file source.
2. Save the Advanced Analysis configuration.
STEP 7 | Configure the Cortex XDR Agent license revocation and deletion period.
This configuration applies to standard endpoints only and does not impact the license status of agents for VDIs or Temporary Sessions.
1. Configure the desired options:
• Connection Lost (Days)—Configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. Default is 30 days; range is 2 to 60 days.
• Agent Deletion (Days)—Configure the number of days after which the agent and related data are removed from the Cortex XDR management console and database. Default is 180 days; range is 3 to 360 days and must exceed the Connection Lost value.
2. Save the Agent Status configuration.
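The two timers above have ranges that interlock: Agent Deletion must exceed Connection Lost, so a value pair such as 30/30 is invalid even though each number is inside its own range. The block below is an added example written for this guide, not Cortex XDR code, that validates a pair of values and applies them to an agent's last check-in time to show which state (licensed, license returned, deleted) the agent would be in, and on which dates the transitions occur. The timestamps and state names are this example's own constructions.

```python
"""Added example, not Cortex XDR code: the Connection Lost / Agent Deletion
limits applied to an agent's last check-in time. Timestamps are constructed."""
from datetime import datetime, timedelta, timezone


def validate_agent_status(connection_lost_days=30, agent_deletion_days=180):
    """Enforce the documented ranges and the ordering between the two values."""
    if not 2 <= connection_lost_days <= 60:
        raise ValueError("Connection Lost must be 2 to 60 days")
    if not 3 <= agent_deletion_days <= 360:
        raise ValueError("Agent Deletion must be 3 to 360 days")
    if agent_deletion_days <= connection_lost_days:
        raise ValueError("Agent Deletion must exceed Connection Lost")
    return connection_lost_days, agent_deletion_days


def agent_license_state(last_seen, now, connection_lost_days=30,
                        agent_deletion_days=180, endpoint_type="standard"):
    """Return 'licensed', 'license_returned' or 'deleted' for a standard endpoint.
    VDI and temporary-session agents are not subject to these timers."""
    validate_agent_status(connection_lost_days, agent_deletion_days)
    if endpoint_type != "standard":
        return "not_applicable"
    silent_for = now - last_seen
    if silent_for >= timedelta(days=agent_deletion_days):
        return "deleted"           # agent and related data removed from console and database
    if silent_for >= timedelta(days=connection_lost_days):
        return "license_returned"  # license freed while the record is kept
    return "licensed"


def license_timeline(last_seen, connection_lost_days=30, agent_deletion_days=180):
    """Dates on which the license is returned and the agent record is deleted."""
    validate_agent_status(connection_lost_days, agent_deletion_days)
    return (last_seen + timedelta(days=connection_lost_days),
            last_seen + timedelta(days=agent_deletion_days))


# Constructed sample timestamps for the usage below.
SAMPLE_NOW = datetime(2022, 2, 15, tzinfo=timezone.utc)
SAMPLE_LAST_SEEN_RECENT = SAMPLE_NOW - timedelta(days=10)
SAMPLE_LAST_SEEN_OLD = SAMPLE_NOW - timedelta(days=45)
SAMPLE_LAST_SEEN_STALE = SAMPLE_NOW - timedelta(days=200)
```

Running the fleet's last-seen timestamps through agent_license_state before changing the values shows how many licenses a shorter Connection Lost period would free, and how many stale records a shorter Agent Deletion period would purge.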
STEP 8 | Enable WildFire analysis scoring for files with Benign verdicts.
The WildFire analysis score for files with a Benign verdict indicates the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually gets a high-confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing gets a lower-confidence Benign score. To add an additional verification method for such files, enable this setting. Then, when Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).
Disabling this capability takes immediate effect on new hashes, fresh agent installations, and existing security policies. It could take up to a week to take effect on existing agents in your environment, pending agent caching.
If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR or a third-party SIEM, we advise you to update them to support the changes before activating the feature. For example, change the query to include the previous description, which is still available in the new description, instead of searching for an exact match.
STEP 2 | Define a Policy Name and optional Description that describes the purpose or intent of the policy.
STEP 3 | Select the Platform for which you want to create a new policy.
STEP 4 | Select the desired Exploit, Malware, Restrictions, and Agent Settings profiles you want to apply in this policy.
If you do not specify a profile, the Cortex XDR agent uses the default profile.
STEP 6 | Use the filters to assign the policy to one or more endpoints or endpoint groups.
Cortex XDR automatically applies a filter for the platform you selected. To change the platform, go Back to the general policy settings.
STEP 8 | In the Policy Rules table, change the rule position, if needed, to order the policy relative to other policies.
The Cortex XDR agent evaluates policies from top to bottom. When the Cortex XDR agent finds the first match, it applies that policy as the active policy. To move the rule, select the arrows and drag the policy to the desired location in the policy hierarchy.
Right-click to View Policy Details, Edit, Save as New, Disable, and Delete.
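The first-match evaluation described in STEP 8, as an added example that is not code from this guide or from Cortex XDR: a small Python model of an ordered policy table, with fallback to the default profile for any profile type a policy leaves unspecified. The policy and endpoint fields, the filter semantics (platform must match, and the endpoint must belong to one of the listed groups) and the default profile names are assumptions made for the illustration; the sample endpoints and policies are constructed.

```python
"""Added example, not code from the Cortex XDR guide or product: a model of
how an ordered Policy Rules table is resolved with first-match semantics.
Policy and endpoint field names, filter semantics and the default profile
names are assumptions made for the illustration."""
from dataclasses import dataclass, field

# Assumed names for the pre-defined default profiles that apply when a policy
# leaves a profile type unspecified.
DEFAULT_PROFILES = {
    "exploit": "Default Exploit",
    "malware": "Default Malware",
    "restrictions": "Default Restrictions",
    "agent_settings": "Default Agent Settings",
}


@dataclass(frozen=True)
class Endpoint:
    name: str
    platform: str                      # "windows", "macos", "linux"
    groups: frozenset = frozenset()    # endpoint group membership


@dataclass
class Policy:
    name: str
    platform: str                      # platform filter, always applied
    groups: frozenset = frozenset()    # empty: any endpoint of that platform
    profiles: dict = field(default_factory=dict)
    enabled: bool = True

    def matches(self, ep: Endpoint) -> bool:
        # Assumed filter semantics: platform must be equal, and when the
        # policy names endpoint groups the endpoint must belong to one of them.
        if not self.enabled or self.platform != ep.platform:
            return False
        return not self.groups or bool(self.groups & ep.groups)


def resolve(ep: Endpoint, policies: list) -> tuple:
    """Walk the table top to bottom; the first matching policy is the active
    one. Profile types it does not set fall back to the default profile.
    Returns (active policy name or None, effective profiles by type)."""
    for pol in policies:
        if pol.matches(ep):
            effective = {kind: pol.profiles.get(kind, default)
                         for kind, default in DEFAULT_PROFILES.items()}
            return pol.name, effective
    return None, dict(DEFAULT_PROFILES)


def move_policy(policies: list, name: str, position: int) -> list:
    """Return a new table with the named policy dragged to `position`."""
    pol = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p is not pol]
    rest.insert(position, pol)
    return rest


def shadowed(policies: list, endpoints: list) -> list:
    """Names of enabled policies that are never the first match for any of
    the given endpoints: an audit worth running after every reorder."""
    hit = {resolve(ep, policies)[0] for ep in endpoints}
    return [p.name for p in policies if p.enabled and p.name not in hit]


# Constructed sample data.
FINANCE_WS = Endpoint("fin-ws-01", "windows", frozenset({"finance", "workstations"}))
DEV_WS = Endpoint("dev-ws-07", "windows", frozenset({"workstations"}))

POLICIES = [
    Policy("All Windows workstations", "windows", frozenset({"workstations"}),
           {"exploit": "Strict Exploit"}),
    # Narrower policy placed below a broader one: it never becomes active.
    Policy("Finance hardening", "windows", frozenset({"finance"}),
           {"malware": "Finance Malware", "restrictions": "Finance Restrictions"}),
]
```

With the table as listed, `resolve(FINANCE_WS, POLICIES)` returns the broad workstation policy, because the finance policy sits below it; `shadowed()` reports the finance policy as never active, and `move_policy(POLICIES, "Finance hardening", 0)` fixes the order. A shadowed policy gives the impression of coverage the endpoints never receive, which is why the audit belongs in any change procedure for the Policy Rules table.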
Behavioral Threat Protection Rule Exception—An exception disabling a specific BTP rule across all processes.
Local File Threat Examination Exception (Linux only)—An exception allowing specific PHP files.
Example A
Example B
for this profile. To apply the process exception on all security modules, Select all. To apply the process exception on all exploit security modules, select Disable Injection.
4. Click the adjacent arrow.
5. After you've added all processes, click Create.
You can return to the Process Exception profile from the Endpoints Profile page at any point and edit the settings, for example if you want to add or remove security modules.
To configure a Support Exception:
1. Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file on the page.
2. Click Create.
To configure module-specific exceptions relevant for the selected profile platform:
• Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on, right-click the alert and Create alert exception. Review the alert data (Platform and Rule name) and select from the following options as needed.
- CGO hash—Causality Group Owner (CGO) hash value.
- CGO signer—CGO signer entity (Windows and Mac only).
- CGO process path—Directory path of the CGO process.
- CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
From Exception Scope, select Profile and click Create.
• Digital Signer Exception—When you view an alert for a Digital Signer Restriction which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Local File Threat Examination Exception—When you view an alert for a PHP file which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Gatekeeper Enhancement Exception—When you view a Gatekeeper Enhancement security alert for a bundle or a specific source-child combination you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Source Process, Target Process, and Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add. This exception allows Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process when it runs other child processes.
At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. You cannot edit module-specific exceptions.
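How a BTP alert exception built from CGO attributes applies to subsequent alerts, as an added Python example that is not code from this guide or from Cortex XDR. The matching rule used here (an alert is suppressed only when platform, BTP rule name and every CGO attribute selected in the exception are equal), the scope handling and the field names are assumptions; the sample alerts are constructed. The option rules themselves (command arguments need the process path and agent 7.5 or later, signer is Windows and Mac only) come from the text above.

```python
"""Added example, not code from the Cortex XDR guide or product: a model of how
a Behavioral Threat Protection (BTP) alert exception built from Causality Group
Owner (CGO) attributes would apply to later alerts. The matching rule, scope
handling, field names and sample alerts are assumptions for the illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BtpAlert:
    platform: str               # "windows", "macos", "linux"
    rule_name: str              # BTP rule that fired
    cgo_hash: str
    cgo_signer: Optional[str]   # None on Linux: signer is Windows/Mac only
    cgo_path: str
    cgo_args: str
    agent_version: tuple = (7, 5)


@dataclass(frozen=True)
class BtpException:
    platform: str
    rule_name: str
    scope: str                              # "profile" or "global"
    profiles: frozenset = frozenset()       # profiles it belongs to when scoped
    cgo_hash: Optional[str] = None          # None: attribute not selected
    cgo_signer: Optional[str] = None
    cgo_path: Optional[str] = None
    cgo_args: Optional[str] = None


def option_errors(alert: BtpAlert, *, use_signer=False, use_path=False,
                  use_args=False) -> list:
    """Option rules stated in the guide: command arguments need the process
    path and agent 7.5 or later; the signer option exists for Windows and Mac."""
    errors = []
    if use_args and not use_path:
        errors.append("CGO command arguments require CGO process path")
    if use_args and alert.agent_version < (7, 5):
        errors.append("CGO command arguments require Cortex XDR agent 7.5 or later")
    if use_signer and alert.cgo_signer is None:
        errors.append("CGO signer is available for Windows and Mac only")
    return errors


def create_alert_exception(alert: BtpAlert, scope: str, *, use_hash=False,
                           use_signer=False, use_path=False, use_args=False,
                           profiles=()) -> BtpException:
    """Build the exception from the alert data, copying only the selected
    CGO attributes (the console lets you edit the displayed paths; not modelled)."""
    errors = option_errors(alert, use_signer=use_signer, use_path=use_path,
                           use_args=use_args)
    if errors:
        raise ValueError("; ".join(errors))
    return BtpException(
        platform=alert.platform, rule_name=alert.rule_name, scope=scope,
        profiles=frozenset(profiles),
        cgo_hash=alert.cgo_hash if use_hash else None,
        cgo_signer=alert.cgo_signer if use_signer else None,
        cgo_path=alert.cgo_path if use_path else None,
        cgo_args=alert.cgo_args if use_args else None,
    )


def is_suppressed(alert: BtpAlert, exc: BtpException, active_profile: str) -> bool:
    """Assumed semantics: global exceptions apply everywhere, profile-scoped ones
    only where that profile is active; every selected attribute must match."""
    if exc.scope == "profile" and active_profile not in exc.profiles:
        return False
    if (alert.platform, alert.rule_name) != (exc.platform, exc.rule_name):
        return False
    selected = [(exc.cgo_hash, alert.cgo_hash), (exc.cgo_signer, alert.cgo_signer),
                (exc.cgo_path, alert.cgo_path), (exc.cgo_args, alert.cgo_args)]
    return all(want is None or want == have for want, have in selected)


# Constructed sample: a backup agent whose full run trips a BTP rule.
BACKUP_EXE = r"C:\Program Files\Backup\backup.exe"
RULE = "Suspicious volume shadow copy access"          # hypothetical rule name
FIRST = BtpAlert("windows", RULE, "a1" * 32, "Example Backup Vendor",
                 BACKUP_EXE, f'"{BACKUP_EXE}" --full')
# Same program after a vendor update: new hash, same signer, path and arguments.
UPDATED = BtpAlert("windows", RULE, "b2" * 32, "Example Backup Vendor",
                   BACKUP_EXE, f'"{BACKUP_EXE}" --full')
# Same binary launched with a different argument: should still alert.
OTHER_ARGS = BtpAlert("windows", RULE, "b2" * 32, "Example Backup Vendor",
                      BACKUP_EXE, f'"{BACKUP_EXE}" --exec C:\\Users\\Public\\x.ps1')
# Linux endpoint on an older agent: no signer, no command-argument option.
LINUX = BtpAlert("linux", "Suspicious PHP file write", "c3" * 32, None,
                 "/usr/bin/php", "php /var/www/html/upload.php", agent_version=(7, 4))
```

The sample shows the trade-off in choosing attributes: an exception keyed on the CGO hash alone stops matching after a vendor update (so the alert returns and someone recreates the exception, or it is widened to the signer), while signer plus path plus command arguments keeps matching the updated binary but not the same binary run with different arguments.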
apply the process exception on all exploit security modules, select Disable Injection. Click the adjacent arrow to add the exception.
STEP 2 | Review the alert data (platform and rule name) and then select from the following options as needed:
1. CGO hash—Causality Group Owner (CGO) hash value.
2. CGO signer—CGO signer entity (Windows and Mac only).
3. CGO process path—Directory path of the CGO process.
4. CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
5. From Exception Scope, select Global.
return to the original alert from which the exception originated. To delete a specific global exception, select it and click X.
You cannot edit global exceptions generated from a BTP security event.
STEP 2 | Review the alert data (platform and rule name) and select Exception Scope: Global.
return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
Hardened endpoint security capabilities are not supported for Android endpoints.
Device Control—Protects endpoints from loading malicious files from USB-connected removable devices (CD-ROM, disk drives, floppy disks, and Windows portable devices). Windows: Cortex XDR agent 7.0 and later (for VDI, Cortex XDR agent 7.3 and later). Mac: Cortex XDR agent 7.2 and later.
Host Firewall—Protects endpoints from attacks originating in network communications to and from the endpoint. Windows: Cortex XDR agent 7.1 and later. Mac: Cortex XDR agent 7.2 and later.
Disk Encryption—Provides visibility into endpoints that encrypt their hard drives using BitLocker or FileVault. Windows: Cortex XDR agent 7.1 and later. Mac: Cortex XDR agent 7.2 and later.
Device Control
By default, all external USB devices are allowed to connect to your Cortex XDR endpoints. To protect endpoints from USB-connected removable devices—such as disk drives, CD-ROM drives, floppy disk drives, and other portable devices—that can contain malicious files, Cortex XDR provides device control.
For example, with device control, you can:
• Block all supported USB-connected devices for an endpoint group.
• Block a USB device type but add a specific vendor of that type to your allow list so that its devices remain accessible from the endpoint.
• Temporarily block only some USB device types on an endpoint.
The following are prerequisites to enforce device control policy rules on your endpoints:
If you are running Cortex XDR agent 7.3 or an earlier release, device control rules take effect on your endpoint only after the Cortex XDR agent deploys the policy. If you already had a USB device connected to the endpoint, you have to disconnect it and connect it again for the policy to take effect.
Device Configuration and Device Exceptions profiles are set for each operating system separately.
After you configure a device control profile, Apply Device Control Profiles to Your Endpoints.
Currently, the default is set to Use Default (Allow); however, Palo Alto Networks may change the default definition at any time.
You cannot edit or delete the default profiles pre-defined in Cortex XDR.
STEP 5 | (Optional) To define exceptions to your Device Configuration profile, Add a New Exceptions Profile.
endpoint only or to all endpoints in your network, or set which device identifiers will be included in the exception.
3. Configure the exception TIME FRAME by defining the number of days or number of hours during which the exception will be applied, up to 30 days.
4. Click Save. The exception is added to the Device Temporary Exceptions list and will be applied in the next heartbeat.
3. Create an Exception within a Profile.
1. On the Device Control Violations page, right-click the violation event triggered by the device you want to add to a Device Exceptions profile.
2. Select the PROFILE from the list.
3. Click Save. The exception is added to the Exceptions Profile and will be applied in the next heartbeat.
STEP 3 | Save.
The new device class is now available in Cortex XDR as all other device classes.
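The device control decisions described in this section, as an added Python example that is not code from this guide or from Cortex XDR: a per-class action with the Use Default (Allow) fallback, a vendor allow-list exception in a Device Exceptions profile, and a temporary exception limited to 30 days that is applied from the next heartbeat. The identifier fields, the device class names, how identifiers are matched (every identifier set on an exception must equal the device's) and all sample devices are assumptions made for the illustration.

```python
"""Added example, not code from the Cortex XDR guide or product: a model of the
device control decisions described above. Identifier fields, device class
names, the match semantics and all sample devices are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_TEMPORARY = timedelta(days=30)   # time frame limit stated in the guide


@dataclass(frozen=True)
class UsbDevice:
    device_class: str        # assumed names: "disk_drive", "cd_rom", "portable", ...
    vendor_id: str
    product_id: str
    serial: str


@dataclass(frozen=True)
class DeviceException:
    device_class: str
    vendor_id: Optional[str] = None          # None: identifier not part of the match
    product_id: Optional[str] = None
    serial: Optional[str] = None
    endpoint: Optional[str] = None           # None: applies to all endpoints
    valid_from: Optional[datetime] = None    # set on temporary exceptions only
    valid_until: Optional[datetime] = None

    def applies(self, dev: UsbDevice, endpoint: str, now: datetime) -> bool:
        if self.device_class != dev.device_class:
            return False
        if self.endpoint is not None and self.endpoint != endpoint:
            return False
        for want, have in ((self.vendor_id, dev.vendor_id),
                           (self.product_id, dev.product_id),
                           (self.serial, dev.serial)):
            if want is not None and want != have:
                return False
        if self.valid_from is not None and now < self.valid_from:
            return False                     # not yet delivered by a heartbeat
        if self.valid_until is not None and now >= self.valid_until:
            return False                     # time frame elapsed
        return True


@dataclass
class DeviceControlProfile:
    class_action: dict = field(default_factory=dict)   # class -> "allow"/"block"
    default_action: str = "allow"                       # Use Default (Allow)
    exceptions: list = field(default_factory=list)


def valid_time_frame(days: int = 0, hours: int = 0) -> bool:
    """A temporary exception runs for a positive number of days or hours, up to 30 days."""
    return timedelta() < timedelta(days=days, hours=hours) <= MAX_TEMPORARY


def add_temporary_exception(profile: DeviceControlProfile, exc: DeviceException,
                            next_heartbeat: datetime, days: int = 0, hours: int = 0):
    """Schedule `exc` from the next heartbeat for the given time frame."""
    if not valid_time_frame(days, hours):
        raise ValueError("time frame must be a positive number of hours or days, up to 30 days")
    timed = DeviceException(exc.device_class, exc.vendor_id, exc.product_id,
                            exc.serial, exc.endpoint, valid_from=next_heartbeat,
                            valid_until=next_heartbeat + timedelta(days=days, hours=hours))
    profile.exceptions.append(timed)
    return timed


def decide(profile: DeviceControlProfile, dev: UsbDevice, endpoint: str, now: datetime):
    """Return (action, reason): the class action, unless an exception allows a
    device that the class action would block."""
    action = profile.class_action.get(dev.device_class, profile.default_action)
    if action == "block":
        for exc in profile.exceptions:
            if exc.applies(dev, endpoint, now):
                return "allow", f"exception matched ({exc.device_class})"
    return action, f"class action for {dev.device_class}"


# Constructed sample: block disk drives, but allow one vendor on every endpoint.
PROFILE = DeviceControlProfile(
    class_action={"disk_drive": "block", "cd_rom": "block"},
    exceptions=[DeviceException("disk_drive", vendor_id="0951")],   # hypothetical vendor id
)
APPROVED = UsbDevice("disk_drive", "0951", "1666", "SN-APPROVED-1")
PERSONAL = UsbDevice("disk_drive", "abcd", "0001", "SN-PERSONAL-9")
CAMERA = UsbDevice("portable", "04a9", "3218", "SN-CAM-2")
HEARTBEAT = datetime(2022, 2, 15, 9, 0)             # next heartbeat after saving
BEFORE_HEARTBEAT = HEARTBEAT - timedelta(minutes=5)
TWO_DAYS_LATER = HEARTBEAT + timedelta(days=2)
```

A temporary exception granted for a specific serial on one endpoint (`add_temporary_exception(PROFILE, DeviceException("disk_drive", serial="SN-PERSONAL-9", endpoint="lab-01"), HEARTBEAT, days=2)`) allows that drive on that endpoint from the heartbeat until the time frame elapses and nowhere else; the unconfigured "portable" class stays on Use Default (Allow), which is the case to re-check whenever Palo Alto Networks changes the default definition.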
Host Firewall
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block the traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints, within or outside your organization network. The Cortex XDR host firewall rules leverage the operating system firewall APIs and enforce these rules on your endpoints, but not your Windows or Mac firewall settings.
The following are prerequisites to apply Cortex XDR host firewall policy rules on your endpoints:
• Create rule(s) within rules groups—Create host firewall rules groups that you can reuse across all host firewall profiles. Add rules to each group and prioritize the rules from top to bottom to create an enforcement hierarchy.
• Configure a profile—Select one or more rules groups into a host firewall enforcement profile that you later associate with an enforcement policy. The profile can enforce different rules when the endpoint is located within the organization's internal network and when it is outside. Prioritize the groups within the profile from top to bottom to create an enforcement hierarchy.
• Configure a policy—Add your host firewall profile to a new or existing policy that will be enforced on selected target endpoints.
• Monitor and troubleshoot—View aggregated host firewall enforcement events, or all single host firewall activities the agent performed in your network. Cortex XDR Pro customers can also query the host firewall events using the new host_firewall_events dataset in XQL Search for data and network analysis.
Migration and Backwards Supportability
Host firewall is supported with Cortex XDR agent 7.1 or a later release. Starting with Cortex XDR 3.0 and Cortex XDR agent 7.5, new capabilities were added. Your existing host firewall rules and policies are migrated as follows:
• Any existing host firewall profile in Cortex XDR 2.9 is converted into a single rules group in Cortex XDR 3.0 and located on the Host Firewall Rules Groups page.
• If the existing profile contains both internal and external rules, then two groups are created, an external rules group and an internal rules group, and an internal/external suffix is added to each rule name respectively. For example, internal rule-x is renamed rule-x-internal.
• Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an existing rule that was created in an older Cortex XDR release, and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
As a result, all migrated rules are set not to report matching traffic by default, and enforcement events are not included in the Host Firewall Events table.
Set Up the Host Firewall
Set up your rules groups and host firewall profile.
Create a Rules Group
Group rules into Rules Groups that you can reuse across all host firewall profiles. A host firewall group includes one or more unique host firewall rules. The rules are enforced according to their order of appearance within the group, from top to bottom. After you create a rules group, you can assign the group to a host firewall profile. When you edit, re-prioritize, disable, or delete a rule from a group, the change takes effect in all policies where this group is included. To support this scalability and structure, every rule in Cortex XDR is assigned a unique ID and must be contained within a group. Additionally, you can import existing firewall rules into Cortex XDR, or export them in JSON format.
TCP(6) you can set local and remote ports, whereas for ICMPv4(1) you can add the ICMP type and code.
When selecting the ICMP protocol, you must enter the ICMP Type and Code. Without these values the ICMP protocol is ignored by the Windows and macOS Cortex XDR agents.
• Direction—Select the direction of the communication this rule applies to: Inbound communication to the endpoint, Outbound communication from the endpoint, or Both.
• Action—Select whether the rule action is to Allow or Block the communication on the endpoint.
• Local/Remote IP Address—Configure the rule for specific local or remote IP addresses and/or ports. You can set a single IP address, multiple IP addresses separated by a comma, a range of IP addresses separated by a hyphen, or a combination of these options.
• Depending on the type of platform you selected, define the Application, Service, and Bundle IDs of the Windows Settings and/or macOS Settings—Configure the rule for all applications/services or specific ones only by entering the full path and name. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
• Report Matched Traffic—When Enabled, enforcement events captured by this rule are reported periodically to Cortex XDR and displayed in the Host Firewall Events table, whether the rule is set to Allow or Block the traffic. When Disabled, the rule is applied but enforcement events are not reported.
2. Save the rule.
After you fill in all the details, you need to save the rule. If you know you need to create a similar rule, click Create another to save this rule and leave the specified parameters available for editing for the next rule. Otherwise, to save the rule and exit, click Create.
STEP 5 | Save.
When you are done, click Create. The new rules group is created and can be associated with a host firewall profile.
such as name, mode, and number of rules included. To view all rules within a group and all the profiles the group is associated with, click the expand icon.
• Edit group—Right-click the group and Edit its settings.
• Delete/Disable—To stop enforcing the rules within this group, right-click the group and Delete/Disable it. On the next heartbeat, its rules will be removed/disabled from all profiles this group is associated with.
• Import/Export group rules—Using a JSON file, you can import rules into the Cortex XDR host firewall or export them. Right-click the rule and Import/Export.
Manage Rules
After you create a host firewall rule and assign it to a rules group, you can manage the rule settings and enforcement as follows:
• View/Edit—Right-click the rule to view it or edit its parameters.
• Change priority—Change the rule priority within the group by dragging its row up or down the rules list.
• Delete/Disable—To stop enforcing the rule, right-click the rule and Delete/Disable it. On the next heartbeat, the rule will be removed/disabled in all profiles where this rules group is included.
Create a Host Firewall Profile
Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
STEP 1 | Create a profile.
From Endpoints > Policy Management > Extensions Profile, click +New Profile. Select the platform and click Host Firewall > Next.
option, your policy will apply the internal set of rules only, and that will be applied to the device regardless of its location.
Create a new rule or add a rules group to the Internal/External Groups:
1. Click +Add Group.
2. Select one or more groups, and click Add.
To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.
3. Review the rule group field details.
The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row.
Field            Description
Creation Time    Date and time when the rule was created.
4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. This action applies to all network connections that have not been matched to any other rule in the profile.
Manage Profiles
After you create the host firewall extensions profile, you can perform additional actions. The changes take effect on the next heartbeat. From Endpoints > Policy Management > Extension Policies, you can:
• Edit profile—Right-click the profile and Edit. Change the profile settings and Save. The change takes effect in all policies enforcing this profile.
• Delete profile—Right-click the profile and Delete. The profile is deleted from all policies it was associated with, while the rules groups are not deleted and are still available in Cortex XDR.
Create a Host Firewall Policy
After you define the required host firewall profiles, configure host firewall policies that will be enforced on your target endpoints. You can associate the profile with an existing policy, or create a new one.
STEP 1 | Create a policy.
From Endpoints > Policy Management > Extensions > Policy Rules, click +New Policy.
• The data is aggregated and reported periodically, every 60 minutes counted from the first time the host firewall policy was enforced on the endpoint, not on the hour.
• The table lists enforcement events only for rules set to Report Matched Traffic.
Every enforcement event includes additional data such as the time of the first rule hit, the rule action, protocol, and more.
In Cortex XDR 3.0, no change was made to the Host Firewall configuration or operation on macOS endpoints. All existing policies configured in Cortex XDR 2.9 still apply and will continue to work as expected with Cortex XDR agent 7.2 or a later release. Enforcement events triggered by macOS endpoints are not included in the Host Firewall Events table.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
• Ensure you meet the host firewall requirements and prerequisites.
• Enable Network Location Configuration
• Add a New Host Firewall Profile
• Apply Host Firewall Profiles to Your Endpoints
• Monitor the Host Firewall Activity on your Endpoints
Enable Network Location Configuration
If you want to apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. On every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and recalculates the policy according to the new location.
Add a New Host Firewall Profile
Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
Rules created on macOS 10 with Cortex XDR agent 7.5 and prior are managed only in the Legacy Host Firewall Rules and do not appear in the Rules Groups tables.
Field            Description
Creation Time    Date and time when the rule was created.
4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
A rule with protocol Any and specific ports cannot be edited. If saved as a new rule, the specific ports previously defined are removed from the cloned rule.
5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. This action applies to all network connections that have not been matched to any other rule in the profile.
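The enforcement order described in the rule, rules-group and profile sections above (groups top to bottom, rules within a group top to bottom, first match decides, profile Default Action otherwise, internal or external group set chosen by endpoint location once Network Location Configuration is enabled), as an added Python example that is not code from this guide or from Cortex XDR. Assumptions made here and not taken from the guide: the field names, the parser for the comma and hyphen list syntax for IP addresses and ports, modelling an ICMP rule without type and code as a rule that never matches, and all sample rules and packets, which are constructed.

```python
"""Added example, not code from the Cortex XDR guide or product: an evaluator
for host firewall rules, rules groups and a location-aware profile, following
the rule fields and top-to-bottom order described above. Field names, the
list-syntax parser, treating an ICMP rule without type and code as never
matching, and all sample rules and packets are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

ICMPV4, TCP, UDP = 1, 6, 17
ANY = None


def parse_ranges(spec: str, conv):
    """'a, b-c' -> [(a, a), (b, c)] using conv for each item; '' means any."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            ranges.append((conv(lo.strip()), conv((hi or lo).strip())))
    return ranges


def in_ranges(ranges, value) -> bool:
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:
    direction: str                   # "inbound" or "outbound"
    protocol: int
    local_ip: str
    remote_ip: str
    local_port: int = 0
    remote_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    direction: str                   # "inbound", "outbound" or "both"
    protocol: Optional[int] = ANY
    local_ips: str = ""              # "" means any; "a, b-c" otherwise
    remote_ips: str = ""
    local_ports: str = ""
    remote_ports: str = ""
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    report: bool = False             # Report Matched Traffic
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or (self.direction != "both" and self.direction != pkt.direction):
            return False
        if self.protocol is not ANY and self.protocol != pkt.protocol:
            return False
        if self.protocol == ICMPV4:
            # Caveat from the guide: an ICMP rule without type and code is ignored.
            if self.icmp_type is None or self.icmp_code is None:
                return False
            if (self.icmp_type, self.icmp_code) != (pkt.icmp_type, pkt.icmp_code):
                return False
        if self.protocol in (TCP, UDP):
            if not in_ranges(parse_ranges(self.local_ports, int), pkt.local_port):
                return False
            if not in_ranges(parse_ranges(self.remote_ports, int), pkt.remote_port):
                return False
        return (in_ranges(parse_ranges(self.local_ips, ip_address), ip_address(pkt.local_ip))
                and in_ranges(parse_ranges(self.remote_ips, ip_address), ip_address(pkt.remote_ip)))


@dataclass
class RulesGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class HostFirewallProfile:
    internal_groups: list = field(default_factory=list)
    external_groups: list = field(default_factory=list)
    default_inbound: str = "allow"        # Default Action for unmatched traffic
    default_outbound: str = "allow"
    location_aware: bool = True           # False: internal set applies everywhere


def evaluate(profile: HostFirewallProfile, pkt: Packet, location: str = "internal"):
    """Groups top to bottom, rules within a group top to bottom; the first
    match decides. Returns (action, 'group/rule' or 'default', report flag)."""
    use_internal = location == "internal" or not profile.location_aware
    for group in profile.internal_groups if use_internal else profile.external_groups:
        for rule in group.rules:
            if rule.matches(pkt):
                return rule.action, f"{group.name}/{rule.name}", rule.report
    default = profile.default_inbound if pkt.direction == "inbound" else profile.default_outbound
    return default, "default", False


# Constructed sample configuration: admin access only from inside, lockdown everywhere.
ADMIN = RulesGroup("Admin access", [
    Rule("SSH from jump hosts", "allow", "inbound", TCP,
         remote_ips="10.0.0.5, 10.0.1.0-10.0.1.255", local_ports="22", report=True),
    Rule("Ping from monitoring", "allow", "inbound", ICMPV4, remote_ips="10.0.0.9"),  # type/code unset
])
LOCKDOWN = RulesGroup("Lockdown", [Rule("Block all inbound", "block", "inbound")])
PROFILE = HostFirewallProfile(internal_groups=[ADMIN, LOCKDOWN], external_groups=[LOCKDOWN])
```

The same inbound SSH packet from a jump host is allowed (and reported) on the internal network and blocked outside, because the external set contains only the lockdown group; with `location_aware=False` the internal set applies everywhere, which is the behaviour the text above describes when network location configuration is not enabled. The "Ping from monitoring" rule is a deliberate mistake: without ICMP Type and Code it never matches, so ping either falls through to the lockdown group or to the profile Default Action, exactly the kind of silent gap the caveat about ICMP warns of.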
policies match, the default policy, which enables all communication to and from the endpoint, is applied.
STEP 1 | Log in to Cortex XDR.
Go to Endpoints > Policy Management > Extensions Policy Rules > +New Policy.
Disk Encryption
Cortex XDR provides full visibility into Windows and Mac endpoints that were encrypted using BitLocker and FileVault, respectively. Additionally, you can apply Cortex XDR Disk Encryption rules on the endpoints by creating disk encryption rules and policies that leverage BitLocker and FileVault capabilities.
Before you start applying disk encryption policy rules, ensure you meet the following requirements and refer to these known limitations:
Disk Encryption Scope
• Windows: You can enforce XDR disk encryption policy rules only on the Operating System volume.
• Mac: You can enforce XDR disk encryption policy rules only on the Operating System volume. The Cortex XDR Disk Encryption profile for Mac can encrypt the endpoint disk; however, it cannot decrypt it. After you disable the Cortex XDR policy rule on the endpoint, you can decrypt the endpoint manually.
Follow this high-level workflow to deploy Cortex XDR disk encryption in your network:
• Monitor the Endpoint Encryption Status in Cortex XDR
• Configure a Disk Encryption Profile
• Apply Disk Encryption Profile to Your Endpoints
Field            Description
endpoint is not compliant with the Cortex XDR disk encryption policy.
• Not Configured—Indicates that no disk encryption rules are configured on the endpoint.
• Not Supported—Indicates that the operating system running on the endpoint is not supported by Cortex XDR.
• Unmanaged—Indicates that the endpoint encryption is not managed by Cortex XDR.
Last Reported    Date and time of the last change in the agent's status. For more details, see View Details About an Endpoint.
You can also monitor the endpoint Encryption Status in your Endpoint Administration table. If the Encryption Status is missing from the table, add it.
STEP 5 | (Windows only) Specify the Encryption methods per operating system.
For each operating system (Windows 7, Windows 8-10, Windows 10 (1511) and above), select the encryption method from the corresponding list.
You must select the same encryption method configured by the Microsoft Windows Group Policy in your organization for the target endpoints. Otherwise, if you select a different encryption method than the one already applied through the Windows Group Policy, Cortex XDR will display errors.
Investigation and Response
> Investigate Incidents
> Investigate Alerts
> Investigate Endpoints
> Investigate Files
> Response Actions
Investigate Incidents
The Incidents page displays all incidents in the Cortex XDR management console to help you prioritize, track, triage, investigate and take remedial action.
To begin investigating your incidents:
• Learn about Cortex XDR Incidents
• Manage your Incident Starring
• Triage your Incidents
• Manage your Incidents
The table view displays only the incident fields in a table format. Right-click an incident to view the incident details, and investigate the related assets, artifacts, and alerts. For more information see Investigate Incidents.
The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.
Incidents created prior to Cortex XDR version 2.9 are updated as follows:
• MITRE Attack Tactics, MITRE Attack Techniques, and Alert Categories fields will remain empty.
• The WildFire Hits field will begin with an empty value; however, when a new alert is added to the incident the field is updated.
• High Severity, Medium Severity, Low Severity, and Alert Grouping Status fields are updated with the corresponding value.
• If an incident is merged or moved with other incidents, Cortex XDR will recalculate and update the fields.
Field                  Description
Creation Time          Date and time when the incident was created.
High Severity Alerts   Number of high severity alerts that are part of the incident.
and user affected, or number of users and hosts affected.
Last Updated           The last time a user took an action or an alert was added to the incident.
Low Severity Alerts    Number of low severity alerts that are part of the incident.
Resolved Timestamp     Displays the date and time when the incident was set with a resolved status.
• Resolved - Known Issue
• Resolved - Duplicate Incident
• Resolved - False Positive
• Resolved - Auto Resolve - Auto-resolved by Cortex XDR when all of the alerts contained in an incident have been excluded.
STEP 2 | From the Incident List, locate the incident you want to star.
STEP 4 | Enter a descriptive Comment that identifies the reason or purpose of the starring configuration.
STEP 5 | Use the alert filters to build the match criteria for the policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be included.
Triage Incidents
To help you triage and investigate your incidents, Cortex XDR displays your incidents in a split-pane view, allowing you to easily investigate the entire scope and cause of an event and view all relevant assets, suspicious artifacts, and alerts within the incident details.
Navigate to Incident Response > Incidents. The Incident split-pane view is divided into two main sections:
• Incident List
• Details Pane
The Details Pane supports the Advanced View for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0 are displayed in a Legacy view. For flexibility, you can choose to display incidents created after Cortex XDR 3.0 using either the Legacy view or the Advanced view.
The Incident List enables you to filter and sort according to the incident fields, such as status, score, severity, and timestamp. Each incident displays a summary of the incident severity, assignee, status, creation time, description, and assets. From the Incident List you can also review additional information.
The Details pane displays the information of the incident selected in the Incident List. The pane is made up of the following tabs that allow you to further investigate and manage each incident.
• Overview—Made up of an Incident Header listing the incident details, the MITRE tactics and techniques, a summarized timeline, and widgets to visualize the number of alerts, type of sources, hosts, and users associated with the incident. Select the pin icon next to the tab name to always display a specific tab first when you investigate incidents.
• Key Assets & Artifacts—Displays the incident asset and artifact information of hosts, users, and key artifacts associated with the incident.
• Alerts & Insights—Displays a table of the alerts and insights associated with the incident.
• Timeline—A chronological representation of alerts and actions relating to the incident.
Manage Incidents
The Incident view allows you track incidents, invesgate incident details and take remedial acon.
Navigate to Incident Response > Incidents and locate the incident you want to invesgate.
Cortex® XDR™ Prevent Administrator’s Guide 260 ©2022 Palo Alto Networks, Inc.
Invesgaon and Response
View the incident severity, score, and assignee. Select whether to you want to Star the incident.
View the status of the incident and when it was last updated.
Cortex® XDR™ Prevent Administrator’s Guide 261 ©2022 Palo Alto Networks, Inc.
Invesgaon and Response
Assign an incident.
Select the assignee (or Unassigned) and begin typing the assignee's email address for automated suggestions. Users must have logged in to the app to appear in the auto-generated list.
Merge incidents.
To merge incidents you think belong together, select the ellipsis icon, Merge Incidents, and enter the target incident ID you want to merge the incident with.
Incident assignees are managed as follows:
• If both incidents have been assigned—Merged incident takes the target incident assignee.
• If both incidents are unassigned—Merged incident remains unassigned.
• If the target incident is assigned and the source incident is unassigned—Merged incident takes the target assignee.
• If the target incident is unassigned and the source incident is assigned—Merged incident takes the existing assignee.
Create an exclusion.
Select the ellipsis icon, Create Exclusion, and enter the Policy Name. Select the alerts to include in the policy by filtering the Alert table and Create the exclusion.
The Overview tab supports Advanced View for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0 are displayed in a Legacy view. To enable flexibility, you can select to display incidents created after Cortex XDR 3.0 using either the Legacy view or the Advanced view.
In some cases the number of alerts associated with the techniques will not be aligned with the number of the parent tactic because of missing tags or because an alert belongs to several techniques.
Investigate information about the Alerts, Sources, and Assets associated with the incident.
• In the Alerts widget:
  • Select See All to pivot to the Alerts & Insights table.
  • Review the Total number of alerts and the colored line indicating the alert severity. Select the severity tag to pivot to the Alerts & Insights table filtered according to the selected severity.
• In the Sources widget:
  • Select See All to pivot to the Alerts & Insights table.
  • Select each of the alert source types to pivot to the Alerts & Insights table filtered according to the selected alert source.
• In the Assets widget:
  • Select See All to pivot to the Key Assets and Artifacts tab.
  • Select the host names to display the Details panel. The panel is only available for hosts with the Cortex XDR agent installed and displays the host name, whether it is connected, along with the Endpoint Details, Agent Details, Network, and Policy information. Use the available actions listed in the top right-hand corner to take remedial actions.
  • Review Users that are marked as Featured.
  • If available, review the User Score allocated to each user.
Investigate artifacts.
In the Artifacts section, search for and review the artifacts associated with the incident. Each artifact displays, if available, the following artifact information and available actions according to the type of artifact: File, IP Address, and Domain.
File Artifact
• File Details
  • File name
  • SHA256 value
  • Number of alerts in the incident that include the file
  • Signature status and signer
  • WildFire Report. Select to view the WildFire Analysis Report.
  • AutoFocus (AF) tags. Select the tag to display the Source, Tag Class, and Description.
  • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.
  • Number of alerts in the incident that include the file according to severity
• Ellipsis File Actions
  • Open in Quick Launcher
  • Go to VirusTotal
  • Go to AutoFocus
  • Search File on all Endpoints
  • Open Hash View
  • View Related Alerts
  • Add to Block List
  • Add to Allow List
IP Address Artifact
• IP Address Details
  • IP Address value and name
  • Number of alerts in the incident that include the IP address
  • Whether the IP address is External or Internal.
  • Whois information. Hover to display the Net Range, Registered Date, Registered Name, Organization, and Updated Date details.
  • VirusTotal (VT) Score. You can select the score to pivot to the VirusTotal report.
  • Number of alerts in the incident that include the IP address according to severity
• Ellipsis IP Address Actions
  • Open in Quick Launcher
  • Go to VirusTotal
  • Open IP View
Investigate hosts.
In the Hosts section, search for and review the hosts associated with the incident. Each host displays, if available, the following host information and available actions:
• Host Details
  • Icons representing whether a Cortex XDR agent is installed on the host and the operating system platform. A green icon indicates the host is connected.
  • Host Name
  • IP address associated with the host.
  • Number of alerts that include the host according to severity.
• Ellipsis Host Actions
  You can choose to perform an action on multiple hosts by marking the entries you want to include or Select All.
  • Security Operations > Isolate Endpoint, Initiate Malware Scan, Retrieve Endpoint Files, Initiate Live Terminal
  • Open in Quick Launcher
  • Open Asset View
  • View Related Alerts
To further investigate the host:
Select the host name to display the Details panel. The panel is only available for hosts with the Cortex XDR agent installed and displays the host name, whether it is connected, along with the Endpoint Details, Agent Details, Network, and Policy information. In addition, you can perform the available actions listed in the top right-hand corner.
Investigate users.
In the Users section, search for and review the users associated with the incident. Each user displays, if available, the following user information and available actions:
• User Details
  • User Name
  • Whether the user is Featured
  • The User Score, if available.
  • Active Directory and Organizational Unit names. Hover to display whether the name is an Active Directory or OU name.
  • Workday icon. Hover to display the Workday information.
  • Number of alerts that include the user according to severity.
• Ellipsis User Actions
  • View Related Alerts
Filter the Alerts and Insights tables as you would in the dedicated Cortex XDR pages.
Select an alert or insight to display the corresponding Details panel. The panel displays the following alert details, if available.
• Alert
  • Alert name, severity, alert source, and rule name
  • General
  • MITRE ATT&CK
  • Host
  • Rule
  • Network Connections
• Insight
  • Insight name, type, source, and description
  • General
  • MITRE ATT&CK
  • Host
  • Rule
  • Process Execution
Use the available actions listed in the top right-hand corner to take remedial actions.
Navigate to the Timeline tab and filter the actions according to the following action types:
• All actions
• Alerts
• Response Actions
• Incident Management Actions
• Automatic Incident Updates
Investigate Alerts
• Cortex XDR Alerts
• Triage Alerts
• Manage Alerts
• Alert Exclusions
• Causality View
Field Description
• Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)
• Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)
• Prevented (Terminated The Session And Sent a TCP Reset To The Client)
• Prevented (Terminated The Session And Sent a TCP Reset To The Server)
• N/A
AGENT OS SUB TYPE: The operating system subtype of the agent from which the alert was triggered.
ALERT NAME: Module that triggered the alert. Alerts that match an alert starring policy also display a purple star.
CGO MD5: The MD5 value of the CGO that initiated the alert.
CGO SHA256: The SHA256 value of the CGO that initiated the alert.
CLOUD PROVIDER: The name of the cloud provider where the alert occurred:
• AWS
• GCP
• Azure
DNS Query Name: The domain name queried in the DNS request.
• Registry Event
FILE PATH: When the alert triggered on a file (the Event Type is File), this is the path to the file on the endpoint. If not, then N/A.
FW RULE NAME: The firewall rule name that matches the network traffic that triggered the firewall alert.
FW SERIAL NUMBER: The serial number of the firewall that raised the firewall alert.
INITIATOR MD5: The MD5 value of the process which initiated the alert.
NGFW VSYS NAME: Name of the virtual system for the Palo Alto Networks firewall that triggered an alert.
OS PARENT USER NAME: Name of the user associated with the parent operating system.
PROCESS EXECUTION SIGNATURE: Signature status of the process that triggered the alert:
• Unsigned
• Signed
• Invalid Signature
• Unknown
PROCESS EXECUTION SIGNER: Signer of the process that triggered the alert.
RESOLUTION STATUS: The status that was assigned to this alert when it was triggered (or modified): New, Under Investigation, Resolved. Right-click an alert to Change Status.
Any update made to an alert impacts the associated incident. An incident with all its associated alerts marked as resolved is automatically set to Auto-Resolved. Cortex XDR continues to group alerts into an Auto-Resolved incident for up to 6 hours. If an alert is triggered during this duration, Cortex XDR will re-open the incident.
SOURCE ZONE NAME: The source zone name of the connection for firewall alerts.
TARGET FILE SHA256: The SHA256 hash value of an external DLL file that triggered the alert.
TARGET PROCESS SHA256: The SHA256 value of the process whose creation triggered the alert.
TIMESTAMP: The date and time when the alert was triggered. Right-click to Show rows 30 days prior or 30 days after the selected timestamp field value.
USER NAME: The name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain.
Any alert triggered based on network, authentication, or login events displays the User Name in the following standardized format in the Alerts and Incidents pages:
<company domain>\<username>
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts for a deeper understanding of the cause of the event.
• Manage Alerts
• Causality View
Triage Alerts
When the Cortex XDR management console displays a new alert on the Alerts page, use the following steps to investigate and triage the alert:
STEP 1 | Review the data shown in the alert, such as the command-line arguments (CMD), process info, etc.
For more information about the alert fields, see Cortex XDR Alerts.
STEP 3 | If deemed malicious, consider responding by isolating the endpoint from the network.
STEP 4 | Remediate the endpoint and return the endpoint from isolation.
Manage Alerts
From the Incident Response > Incidents > Alerts Table, you can manage the alerts you see and the information Cortex XDR displays about each alert.
• Copy Alerts
• Analyze an Alert
• Pivot to Views
• Create Profile Exceptions
• Add File Path to Malware Profile Allow List
• Retrieve Additional Alert Details
• Export Alert Details to a File
• Add an Alert Exclusion Policy
Copy Alerts
You can copy an alert into memory as follows:
Analyze an Alert
To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that empowers you to make a thorough analysis very quickly.
The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on network traffic logs that have been stitched with endpoint data.
To view the analysis:
STEP 1 | From the Alerts page, locate the alert you want to analyze.
STEP 2 | Right-click anywhere in the alert, and select Investigate Causality Chain.
STEP 3 | Choose whether to open the Causality View card for an alert in a new tab or the same tab.
STEP 4 | Review the chain of execution and available data for the process and, if available, navigate through the process tree.
Pivot to Views
From any listed alert you can pivot to the following alert-related views:
• Open Asset View—Open the Asset View panel and view information related to the alert there.
• View full endpoint details—View the full details of the endpoint to which the alert relates.
• View related incident—View information about an incident related to the alert.
• View Observed Behaviors—View information about observed behaviors that are related to the alert.
To pivot to any of these views:
STEP 1 | Right-click a listed alert.
STEP 2 | From the pop-up menu, select the view to which you want to pivot.
STEP 2 | Right-click and select Add <path type> to malware profile allow list.
STEP 3 | In the Add <path type> to malware profile allow list dialog, select from your existing Profiles and Modules to which you want to add the file path to the allow list.
STEP 1 | From the Alerts page, locate the alert for which you want to retrieve information.
STEP 2 | Right-click anywhere in the alert, and select one of the following options:
• Retrieve alert data—Cortex XDR can provide additional analysis of the memory contents when an exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert data consisting of the memory contents at the time the alert was raised. This can be done manually for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the Action Center (pivot to view Additional data). When analysis is complete, Cortex XDR displays the verdict in the Advanced Analysis field.
• Retrieve related files—To further examine files that are involved in an alert, you can request that the Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved, Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.
If you require assistance from Palo Alto Networks Support to investigate the alert, be sure to provide the downloaded ZIP file.
STEP 2 | When you are satisfied with the results, click the download icon.
The icon is grayed out when there are no results.
Cortex XDR exports the filtered result set to a TSV file.
Alert Exclusions
The Incident Response > Incident Configuration > Alerts Exclusions page displays all alert exclusion policies in Cortex XDR.
An alert exclusion is a policy that contains a set of alert match criteria that you want to suppress from Cortex XDR. You can Add an Alert Exclusion Policy from scratch or you can base the exclusion on alerts that you investigate in an incident. After you create an exclusion policy, Cortex XDR excludes and no longer saves any of the future alerts that match the criteria from incidents and search query results. If you choose to apply the policy to historic results as well as future alerts, the app identifies the historic alerts as grayed out.
The following table describes both the default fields and additional optional fields that you can add to the alert exclusions table and lists the fields in alphabetical order.
Field Description
Check box to select one or more alert exclusions on which you want to perform actions.
BACKWARD SCAN STATUS: Exclusion policy status for historic data, either enabled if you want to apply the policy to previous alerts or disabled if you don't want to apply the policy to previous alerts.
DESCRIPTION: Text summary of the policy that displays the match criteria.
MODIFICATION DATE: Date and time when the exclusion policy was created or modified.
If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).
There are two ways to create an exclusion policy. You can define the exclusion criteria when you investigate an incident or you can create an alert exclusion from scratch.
• Build an Alert Exclusion Policy from Alerts in an Incident
• Build an Alert Exclusion Policy from Scratch
STEP 3 | Enter a descriptive Comment that identifies the reason or purpose of the alert exclusion policy.
STEP 4 | Use the alert filters to add the match criteria for the alert exclusion policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be excluded. To see all matching alerts, including those not related to the incident, clear the option to Show only alerts in the named incident.
STEP 4 | Enter any comments to explain the purpose or intent behind the policy.
This action is irreversible: All historic excluded alerts will remain excluded if you disable or delete the policy.
STEP 7 | Create and then select Yes to confirm the alert exception policy.
Causality View
The Causality View provides a powerful way to analyze and respond to alerts. The scope of the Causality View is the Causality Instance (CI) to which this alert pertains. The Causality View presents the alert (generated by Cortex XDR or sent to Cortex XDR from a supported alert source such as the Cortex XDR agent) and includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the alert.
The Causality View comprises five sections:
Context
Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP and MAC address. For alerts raised on endpoint data or activity, this section also displays the endpoint connectivity status and operating system.
Entity Data
Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred. For example, device type, device information, remote IP address.
When you investigate command-line arguments, click {***} to obfuscate or decode the base64-encoded string.
For continued investigation, you can copy the entire entity data summary to the clipboard.
Response Actions
You can choose to isolate the host on which the alert was triggered from the network, or initiate a live terminal session to the host to continue investigation and remediation.
Events Table
Displays up to 100,000 related events for the process node which match the alert criteria but were not triggered in the alert table and are informational.
To continue investigation, you can perform the following actions from the right-click pivot menu:
• Add <path type> to malware profile allow list from the Process and File table <path> fields. For example, target_process_path, src_process_path, file_path, or os_parent_path.
• For the behavioral threat protection results, you can take action on the initiator to add it to an allow list or block list, terminate it, or quarantine it.
• Revise the event results to see possible related events near the time of an event using an updated timestamp value to Show rows 30 days prior or 30 days after.
To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.
Investigate Endpoints
• Action Center
• View Details About an Endpoint
• Retrieve Files from an Endpoint
• Retrieve Support Logs from an Endpoint
• Scan an Endpoint for Malware
Action Center
The Action Center provides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your Cortex XDR-protected endpoints. The main All Actions tab of the Action Center displays the most recent actions initiated in your deployment. To narrow down the results, click Filter on the top right.
You can also jump to filtered Action Center views for the following actions:
• Quarantine—View details about quarantined files on your endpoints. You can also switch to an Aggregated by SHA256 view that collapses results per file and lists the affected endpoints in the Scope field.
• Block List/Allow List—View files that are permitted and blocked from running on your endpoints regardless of file verdict.
Blocking files on endpoints is enforced by the endpoint malware profile. To block a hash value, ensure the hash value is configured in the Malware Security Profile.
• Isolation—View the endpoints in your organization that have been isolated from the network. For more information, refer to Isolate an Endpoint.
• Endpoint Blocked IP Addresses—View remote IP addresses that the Cortex XDR agent has automatically blocked from communicating with endpoints in your network. For more information, refer to Add a New Malware Security Profile.
For actions that can take a while to complete, the Action Center tracks the action progress and displays the action status and current progress description for each stage. For example, after initiating an agent upgrade action, Cortex XDR monitors all stages from the Pending request until the action status is Completed. Throughout the action lifetime, you can view the number of endpoints on which the action was successful and the number of endpoints on which the action failed. After a period of 90 days since the action creation, the action is removed from Cortex XDR and is no longer displayed in the Action Center. You cannot delete actions manually from the Action Center.
The following table describes both the default and additional optional fields that you can view from the All Actions tab of the Action Center and lists the fields in alphabetical order.
Field Description
• Completed with Partial Success—The action was completed on all endpoints. However, some endpoints did not complete it successfully. Depending on the action type, it may have failed, been canceled, expired, or failed to retrieve all data.
• Completed Successfully—The action was completed successfully on all endpoints.
• Failed—The action failed on all endpoints.
• Timeout—The action timed out on all endpoints.
Additional data—If additional details are available for an action or for specific endpoints, you can pivot (right-click) to the Additional data view. You can also export the additional data to a TSV file. The page can include details in the following fields but varies depending on the type of action.
Action Last Update: Time at which the last status update occurred for the action.
Additional Data | Malicious Files: Additional data, if any is available, for the action. For malware scans, this field is titled Malicious Files and indicates the number of malicious files identified during the scan.
STEP 2 | Select the action you want to initiate and follow the required steps and parameters you need to define for each action.
Cortex XDR displays only the endpoints eligible for the action you want to perform.
Field Action
• Isolate Endpoint
The following table describes both the default and additional optional fields that you can view in the Endpoints table. The table lists the fields in alphabetical order.
Field Description
Active Directory: Lists all Active Directory Groups and Organizational Units to which the user belongs.
Auto Upgrade Status: When Agent Auto Upgrades are enabled, indicates the action status, which is one of:
• In progress—Indicates that the Cortex XDR agent upgrade is in progress on the endpoint.
• Up to date—Indicates that the current Cortex XDR agent version on the endpoint is up to date.
• Failure—Indicates that the Cortex XDR agent upgrade failed after three retries.
• Not configured—Indicates that automatic agent upgrades are not configured for this endpoint.
• Pending—Indicates that the Cortex XDR agent version running on the endpoint is not up to date, and the agent is waiting for the upgrade message from Cortex XDR.
• Not supported—Indicates this endpoint type does not support automatic agent upgrades. Relevant for VDI, TS, or Android endpoints.
To include or exclude one or more endpoints from auto upgrade, right-click and select Endpoint Control > <Exclude/Include> endpoints from auto upgrade.
After an endpoint is excluded, the Auto upgrade profile configuration will no longer be available.
If you exclude the endpoint from Auto Upgrade while the Auto Upgrade Status is In progress, the ongoing upgrade will still take place.
Content Auto Update: Indicates whether automatic content updates are Enabled or Disabled for the endpoint. See Agent Settings profile.
Content Release Timestamp: Displays the time and date when the current content version was released.
Content Rollout Delay (days): If you configured delayed content rollout, the number of days of delay is displayed here. See Agent Settings profile.
Content Version: Content update version used with the Cortex XDR agent.
Disabled Capabilities: A list of the capabilities that were disabled on the endpoint. To disable one or more capabilities, right-click the endpoint name and select Endpoint Control > Disable Capabilities. Options are:
• Live Terminal
• Script Execution
• File Retrieval
You can disable these capabilities during the Cortex XDR agent installation on the endpoint or through Endpoint Administration. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.
Endpoint Alias: If you assigned an alias to represent the endpoint in Cortex XDR, the alias is displayed here. To set an endpoint alias, right-click the endpoint name, and select Change endpoint alias. The alias can contain any of the following characters: a-Z, 0-9, !@#$%^&()-'{}~_.
• Not Isolated—Normal network communication is permitted on the endpoint.
• Pending Isolation—The isolation action has reached the server and is pending contact with the endpoint.
• Pending Isolation Cancellation—The cancel isolation action has reached the server and is pending contact with the endpoint.
Endpoint Name: Hostname of the endpoint. If the agent enables Pro features, this field also includes a PRO badge. For Android endpoints, the hostname comprises the <firstname>—<lastname> of the registered user, with a separating dash.
Endpoint Status: Registration status of the Cortex XDR agent on the endpoint:
• Connected—The Cortex XDR agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.
• Connection Lost—The Cortex XDR agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.
• Disconnected—The Cortex XDR agent has checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.
• VDI Pending Log-on—(Windows only) Indicates a non-persistent VDI endpoint is waiting for user logon, after which the Cortex XDR agent consumes a license and starts enforcing protection.
• Uninstalled—The Cortex XDR agent has been uninstalled from the endpoint.
Endpoint Version: Version of the Cortex XDR agent that runs on the endpoint.
First Seen: Date and time the Cortex XDR agent first checked in (registered) with Cortex XDR.
Golden Image ID: For endpoints with a System Type of Golden Image, the image ID is a unique identifier for the golden image.
Group Names: Endpoint Groups of which the endpoint is a member, if applicable. See Define Endpoint Groups.
• OS Incompatible—The Cortex XDR agent is incompatible with the operating system.
When Cortex XDR agents are compatible with the operating system and environment, this field is blank.
Isolation Date: Date and time when the endpoint was isolated. Displayed only for endpoints in Isolated or Pending Isolation Cancellation status.
Install Date: Date and time at which the agent was first installed on the endpoint.
Installation Package: Installation package name used to install the Cortex XDR agent.
Last Content Update Time: Displays the time and date when the agent last deployed a content update.
Last Origin IP: Represents the last IP address from which the Cortex XDR agent connected.
Last Scan: Date and time of the last malware scan on the endpoint.
Last Seen: Date and time of the last change in an agent's status. This can occur when Cortex XDR receives a periodic status report from the agent (once an hour), a user performs a manual Check In, or a security event occurs.
Last Used Proxy: The IP address and port number of the proxy that was last used for communication between the agent and Cortex XDR.
Network Location: (Cortex XDR agent 7.1 and later for Windows and Cortex XDR agent 7.2 and later for macOS and Linux) Endpoint location is reported by the Cortex XDR agent when you enable this capability in the Agent Settings profile:
• Internal
• External
• Not Supported—The Cortex XDR agent is running a prior agent version that does not support network location reporting.
• Disabled—The Cortex XDR agent was unable to identify the network location.
Users User that was last logged into the endpoint. On Android endpoints, the Cortex XDR app identifies the user from the email prefix specified during app activation.
STEP 3 | Select the operating system and enter the paths for the files you want to retrieve, pressing ADD after each completed path.
You cannot define a path using environment variables on Mac and Linux endpoints.
STEP 5 | Select the target endpoints (up to 10) from which you want to retrieve files.
If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.
STEP 7 | Review the action summary and click Done when finished.
To track the status of a file retrieval action, return to the Action Center. Cortex XDR retains retrieved files for up to 30 days.
If at any time you need to cancel the action, you can right-click it and select Cancel for pending endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.
STEP 8 | To view additional data and download the retrieved files, right-click the action and select Additional data.
This view displays all endpoints from which files are being retrieved, including their IP Address, Status, and Additional Data such as error messages or names of files that were not retrieved.
STEP 9 | When the action status is Completed Successfully, you can right-click the action and download the retrieved files.
Cortex XDR retains retrieved files for up to 30 days.
Disabling File Retrieval does not take effect on file retrieval actions that are in progress.
STEP 3 | Select the target endpoints (up to 10) from which you want to retrieve logs.
If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.
STEP 5 | Review the action summary and click Done when finished.
In the next heartbeat, the agent will receive the request to package and send all logs to Cortex XDR.
STEP 6 | To track the status of a support log retrieval action, return to the Action Center.
When the status is Completed Successfully, you can right-click the action, select Additional data, and download the support logs. Cortex XDR retains retrieved files for up to 30 days.
If at any time you need to cancel the action, you can right-click it and select Cancel for pending endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.
STEP 7 | To view additional data and download the support logs, right-click the action and select Additional data.
You will see all endpoints from which files are being retrieved, including their IP Address, Status, and Additional Data.
STEP 8 | When the action status is Completed Successfully, you can right-click the action and download the retrieved logs.
Cortex XDR retains retrieved files for up to 30 days.
STEP 4 | Select the target endpoints (up to 100) on which you want to scan for malware.
Scanning is available on Windows and Mac endpoints only. Cortex XDR automatically filters out any endpoints for which scanning is not supported. Scanning is also not available for inactive endpoints.
STEP 6 | Review the action summary and click Done when finished.
Cortex XDR initiates the action at the next heartbeat and sends the request to the agent to initiate a malware scan.
Investigate Files
• Manage File Execution
• Manage Quarantined Files
• Review WildFire® Analysis Details
• Import File Hash Exceptions
Linux ELF
STEP 6 | You are automatically redirected to the Block List or Allow List that corresponds to the action in the Action Center.
STEP 7 | To manage the file hashes on the Block List or the Allow List, right-click the file and select one of the following:
• Disable—The file hash remains on the list but will not be applied on your Cortex XDR agents.
• Move to Block List or Move to Allow List—Removes this file hash from the current list and adds it to the opposite one.
• Edit Incident ID—Select to either Link to existing incident or Remove incident link.
• Edit Comment—Enter a comment.
• Delete—Delete the file hash from the list altogether, meaning this file hash will no longer be applied to your endpoints.
• Open in VirusTotal—Directs you to the VirusTotal analysis of this hash.
• (Cortex XDR Pro License only) Open Hash View—Pivot to the hash view of the hash.
• Open in Quick Launcher—Open the quick launcher search results for the hash.
This will restore all files with the same hash on all of your endpoints.
Analyze. You can open ( ) the WildFire report of any file included in the alert Causality Chain.
Cortex XDR displays the preview of WildFire reports that were generated within the last couple of years only. To view a report that was generated more than two years ago, you can Download the WildFire report.
2. Analyze the WildFire report.
On the left side of the report you can see all the environments in which the WildFire service tested the sample. If a file is low risk and WildFire can easily determine that it is safe, only static analysis is performed on the file. Select the testing environment on the left, for example Windows 7 x64 SP1, to review the summary and additional details for that testing environment. To learn more about the behavior summary, see WildFire Analysis Reports—Close Up.
3. (Optional) Download the WildFire report.
If you want to download the WildFire report as it was generated by the WildFire service, click ( ). The report is downloaded in PDF format.
Response Actions
After or during the investigation of malicious activity in your network, Cortex XDR offers various response actions that enable you to investigate the endpoint and take immediate action to remediate it. For example, when you detect a compromised endpoint, you can isolate it from your network to prevent it from communicating with any other internal or external device, thereby reducing an attacker's mobility on your network. The available response actions in Cortex XDR are:
• Initiate a Live Terminal Session
• Isolate an Endpoint
For response actions that rely on a Cortex XDR agent, the following table describes the supported platforms and minimal agent version. A dash (—) indicates the setting is not supported.
Isolate an Endpoint: Halts all network access on the endpoint except for traffic to Cortex XDR to prevent a compromised endpoint from communicating with any other internal or external device. Supported agent versions, in the table's column order: —; Cortex XDR agent 6.0 and later; Cortex XDR agent 7.3 and later on macOS 10.15.4 and later.
Isolate an Endpoint
When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Cortex XDR. This can prevent a compromised endpoint from communicating with other endpoints, thereby reducing an attacker's mobility on your network. After the Cortex XDR agent receives the instruction to isolate the endpoint and carries out the action, the Cortex XDR console shows an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Network isolation is supported for endpoints that meet the following requirements:
STEP 3 | Enter a Comment to provide additional background or other information that explains why you isolated the endpoint.
After you isolate an endpoint, Cortex XDR will display the Isolation Comment on the Action Center > Isolation. If needed, you can edit the comment from the right-click pivot menu.
STEP 5 | Select the target endpoint that you want to isolate from your network.
If needed, Filter the list of endpoints. To learn how to use the Cortex XDR filters, refer to Filter Page Results.
STEP 7 | Review the action summary and click Done when finished.
In the next heartbeat, the agent will receive the isolation request from Cortex XDR.
STEP 8 | To track the status of an isolation action, select Incident Response > Response > Action Center > Currently Applied Actions > Endpoint Isolation.
If after initiating an isolation action you want to cancel it, right-click the action and select Cancel for pending endpoint. You can cancel the isolation action only if the endpoint is still in Pending status and has not been isolated yet.
STEP 9 | After you remediate the endpoint, cancel endpoint isolation to resume normal communication.
You can cancel isolation from the Action Center (Isolation page) or from Endpoints > Endpoint Management > Endpoint Administration. From either place, right-click the endpoint and select Endpoint Control > Cancel Endpoint Isolation.
If the endpoint supports the necessary requirements, you can initiate a Live Terminal session from the Endpoints page. You can also initiate a Live Terminal as a response action from a security event. If the endpoint is inactive or does not meet the requirements, the option is disabled.
After you terminate the Live Terminal session, you also have the option to save a log of the session activity. All logged actions from the Live Terminal session are available for download as a text file report when you close the Live Terminal session.
You can fine-tune the Live Terminal session visibility on the endpoint by adjusting the User Interface options in your Agent Settings Profile.
STEP 1 | Start the session.
From a security event or endpoint details, select Incident Response > Response > Live Terminal. It can take the Cortex XDR agent a few minutes to facilitate the connection.
STEP 2 | Use the Live Terminal to investigate and take action on the endpoint.
• Manage Processes
• Manage Files
• Run Operating System Commands
• Run Python Commands and Scripts
STEP 3 | When you are done, Disconnect the Live Terminal session.
You can optionally save a session report containing all activity you performed during the session.
The following example displays a sample session report:
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
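The session report above is the audit trail of what an operator did on the endpoint through the Live Terminal. The following is an added example, not code from the guide or from Cortex XDR, that parses report lines in the format shown (timestamp, action text, bracketed result) and summarizes the session duration, the processes that were killed and any result other than success, so a reviewer can compare a saved report against the incident ticket. The report text embedded in the script is a constructed sample modelled on the lines above; the regular expressions and the `kill_process` classification are assumptions derived only from that format.

```python
import re
from datetime import datetime

# Constructed sample session report, modelled on the format shown in the guide.
SAMPLE_REPORT = """\
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
"""

# One report line: "<Mon> <day><suffix> <year> <HH:MM:SS> <action text> [<result>]"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2})(?:st|nd|rd|th) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<action>.+?) \[(?P<result>[a-z]+)\]$"
)
# "Kill process <image> (<pid>)" is the process action shown in the guide's sample (assumed shape).
KILL_RE = re.compile(r"^Kill process (?P<image>\S+) \((?P<pid>\d+)\)$")


def parse_line(line):
    """Parse one report line into a dict, or return None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop the ordinal suffix so strptime can handle the date.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S")
    entry = {"timestamp": ts, "action": m["action"], "result": m["result"]}
    k = KILL_RE.match(m["action"])
    if k:
        entry.update(kind="kill_process", image=k["image"], pid=int(k["pid"]))
    elif "session has started" in m["action"]:
        entry["kind"] = "session_start"
    elif "session has ended" in m["action"]:
        entry["kind"] = "session_end"
    else:
        entry["kind"] = "other"
    return entry


def parse_session_report(text):
    """Parse a whole report. Lines that do not match are returned separately, never dropped silently."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
        else:
            entries.append(entry)
    return entries, unparsed


def summarize(entries):
    """Session duration in seconds, per-kind counts, killed processes and non-success actions."""
    starts = [e["timestamp"] for e in entries if e["kind"] == "session_start"]
    ends = [e["timestamp"] for e in entries if e["kind"] == "session_end"]
    duration = int((ends[-1] - starts[0]).total_seconds()) if starts and ends else None
    counts = {}
    for e in entries:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    killed = [(e["image"], e["pid"]) for e in entries if e["kind"] == "kill_process"]
    failed = [e["action"] for e in entries if e["result"] != "success"]
    return {"duration_seconds": duration, "counts": counts, "killed": killed, "failed": failed}


if __name__ == "__main__":
    entries, unparsed = parse_session_report(SAMPLE_REPORT)
    print(summarize(entries))
    if unparsed:
        print("unparsed lines:", unparsed)
```

Run it against a report saved from the console by replacing SAMPLE_REPORT with the file's contents; anything that lands in the unparsed list is a line whose shape the regular expression does not know, and should be reviewed by eye rather than ignored.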
Manage Processes
From the Live Terminal you can monitor processes running on the endpoint. The Task Manager displays the task attributes, owner, and resources used. If you discover an anomalous process while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running.
STEP 1 | From the Live Terminal session, open the Task Manager to navigate the active processes on the endpoint.
You can toggle between a sorted list of processes and the default process tree view ( ). You can also export the list of processes and process details to a comma-separated values file.
If the process is known malware, the row displays a red indicator and identifies the file using a malware attribute.
Manage Files
The File Explorer enables you to navigate the file system on the remote endpoint and take remedial action to:
• Create, manage (move or delete), and download files, folders, and drives, including connected external drives and devices such as USB drives and CD-ROM.
• View file attributes, creation and last modified dates, and the file owner.
• Investigate files for malicious content.
To navigate and manage files on a remote endpoint:
STEP 1 | From the Live Terminal session, open the File Explorer to navigate the file system on the endpoint.
STEP 2 | Navigate the file directory on the endpoint and manage files.
To locate a specific file, you can:
• Search for any filename rows on the screen from the search bar.
• Double-click a folder to explore its contents.
On Windows endpoints, you cannot run GUI-based cmd commands like winver or appwiz.cpl.
STEP 3 | When you are done, Disconnect the Live Terminal session.
Choose whether to save the Live Terminal session report including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.
Disabling Live Terminal does not take effect on sessions that are in progress.
Broker VM
Broker VM Overview
The Palo Alto Networks Broker is a secured virtual machine (VM), integrated with Cortex XDR, that bridges your network and Cortex XDR. By setting up the broker, you establish a secure connection in which you can route your endpoints, and collect and forward logs and files for analysis.
The Broker can be leveraged for running different services separately on the VM using the same Palo Alto Networks authentication. Once installed, the broker automatically receives updates and enhancements from Cortex XDR, providing you with new capabilities without having to install a new VM.
Depending on your Cortex XDR license, the following figure illustrates the different Broker VM features that may be available to your organization.
Set up Broker VM
The Palo Alto Networks Broker VM is a secured virtual machine (VM), integrated with Cortex XDR, that bridges your network and the Cortex XDR app. By setting up the broker VM, you establish a secure connection in which you can route your endpoints, collect logs, and forward logs and files for analysis.
Cortex XDR can leverage the broker VM to run different services separately using the same Palo Alto Networks authentication. After you complete the initial setup, the broker VM automatically receives updates and enhancements from Cortex XDR, providing you with new capabilities without having to install a new VM or manually update the existing VM.
• Configure the Broker VM
• Activate the Local Agent Settings
• Activate the Syslog Collector
• Activate the CSV Collector
• Activate the Database Collector
• Activate the Files and Folders Collector
• Activate the FTP Collector
• Activate the NetFlow Collector
• Activate the Network Mapper
• Activate Pathfinder™
• Activate the Windows Event Collector
The broker VM comes with a 512GB disk. Therefore, deploy the broker VM with thin provisioning, meaning the hard disk can grow up to 512GB but will do so only if needed.
Bandwidth is higher than 10mbit/s.
VM compatible with:
Enable communication between the Broker Service and other Palo Alto Networks services and apps.
Enable Access to Cortex XDR from the broker VM to allow communication between agents and the Cortex XDR app.
If you use SSL decryption in your firewalls, you need to add a trusted self-signed certificate authority on the broker VM to prevent any difficulties with SSL decryption. If adding a CA certificate to the broker is not possible, ensure that you've added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls.
Configure your broker VM as follows:
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs.
STEP 2 | Download and install the broker VM images for your corresponding infrastructure:
• Amazon Web Services (AWS)—Use the VMDK to Create a Broker VM Amazon Machine Image (AMI).
• Google Cloud Platform—Use the VMDK image to Set up the Broker VM on Google Cloud Platform (GCP).
• Microsoft Hyper-V—Use the VHD image.
• Microsoft Azure—Use the VHD (Azure) image to Create a Broker VM Azure Image.
• VMware ESXi—Use the OVA image.
The token is valid only for 24 hours. A new token is generated each time you select Generate Token.
STEP 5 | Log in with the default password !nitialPassw0rd and then define your own unique password.
The password must contain a minimum of eight characters, contain letters and numbers, and at least one capital letter and one special character.
• If you choose Static, define the following and Save your configurations:
• Static IP address
• Netmask
• Default Gateway
• DNS Server
2. (Requires Broker VM 14.0.42 and later) (Optional) Internal Network
Specify a network subnet to avoid the broker VM dockers colliding with your internal network. By default, the Network Subnet is set to 172.17.0.1/16.
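Before saving the Internal Network setting (the same setting is listed again under the Broker VM configuration fields later in this chapter), it is worth checking that the chosen subnet does not overlap any range already routed on your network, since the broker VM cannot route both correctly. The following added example, not part of the guide or of the Broker VM software, uses Python's standard ipaddress module to test the default 172.17.0.1/16 against a constructed list of internal networks and to pick a non-overlapping private candidate. The internal networks and candidate subnets are constructed sample values; substitute your own address plan.

```python
import ipaddress

# Default broker VM docker network, as stated in the guide.
DEFAULT_BROKER_DOCKER_SUBNET = "172.17.0.1/16"

# Constructed example: address space in use on the organization's internal network.
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.1.0/24"]

# Constructed candidates to try if the default collides; replace with ranges free in your network.
CANDIDATE_SUBNETS = ["172.17.0.1/16", "172.31.0.0/16", "192.168.200.0/22", "10.255.0.0/16"]


def docker_subnet_conflicts(docker_subnet, internal_networks):
    """Return the internal networks (as normalised CIDR strings) that overlap the docker subnet.

    strict=False accepts host-style notation such as 172.17.0.1/16 and works
    with the network it implies (172.17.0.0/16).
    """
    docker_net = ipaddress.ip_network(docker_subnet, strict=False)
    conflicts = []
    for cidr in internal_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == docker_net.version and net.overlaps(docker_net):
            conflicts.append(str(net))
    return conflicts


def pick_free_subnet(internal_networks, candidates=CANDIDATE_SUBNETS):
    """Return the first candidate that is private and overlaps no internal network, else None."""
    for cidr in candidates:
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.is_private:
            continue  # keep container bridge ranges inside RFC 1918 space
        if not docker_subnet_conflicts(cidr, internal_networks):
            return str(net)
    return None


if __name__ == "__main__":
    clashes = docker_subnet_conflicts(DEFAULT_BROKER_DOCKER_SUBNET, INTERNAL_NETWORKS)
    if clashes:
        print(f"default {DEFAULT_BROKER_DOCKER_SUBNET} collides with: {clashes}")
        print("suggested Internal Network setting:", pick_free_subnet(INTERNAL_NETWORKS))
    else:
        print("default docker subnet is safe to keep")
```

With the constructed address plan the default collides with 172.16.0.0/12 and the script proposes 192.168.200.0/22; the value you enter in the console is whatever pick_free_subnet returns for your real ranges.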
You can configure another broker VM as a Proxy Server for this broker VM by selecting the HTTP type. When selecting HTTP to route broker VM communication, you need to add the IP Address and Port number (set when activating the Agent Proxy) for the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.
• Specify the proxy Address (IP or FQDN), Port, and an optional User and Password. Select the pencil icon to specify the password.
• Save your configurations.
4. (Optional) (Requires Broker VM 8.0 and later) Configure your NTP servers.
Specify the required server addresses using the FQDN or IP address of the server.
5. (Requires Broker VM 8.0 and later) (Optional) In the SSH Access section, Enable or Disable SSH connections to the broker VM. SSH access is authenticated using a public key, provided by the user. Using a public key grants remote access to colleagues and Cortex XDR support who have the private key. You must have Instance Administrator role permissions to configure SSH access.
To enable connection, generate an RSA Key Pair and enter the public key in the SSH Public Key section. Once one SSH public key is added, you can +Add Another. When you are finished, Save your configuration.
When using PuTTYgen to create your public and private key pairs, you need to copy the public key generated in the Public key for pasting into OpenSSH authorized_keys file box, and paste it in the broker VM SSH Public Key section as explained above. This public key is only available when the PuTTYgen console is open after the public key is generated. If you close the PuTTYgen console before pasting the public key, you will need to generate a new public key.
6. (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Certificates section, upload your signed server certificate and key to establish a validated secure SSL connection between your endpoints and the broker VM. Cortex XDR validates that the certificate and key match, but does not validate the Certificate Authority (CA).
The Palo Alto Networks Broker supports only strong cipher SHA256-based certificates. MD5/SHA1-based certificates are not supported.
7. In the Trusted CA Certificate section, upload your signed Certificate Authority (CA) certificate or Certificate Authority chain file in a PEM format. If you use SSL decryption in your firewalls, you need to add a trusted self-signed CA certificate on the broker VM to prevent any difficulties with SSL decryption. For example, when configuring Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the broker VM can validate a self-signed CA by uploading the cert_ssl-decrypt.crt file on the broker VM.
If adding a CA certificate to the broker is not possible, ensure that you've added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls. See Enable Access to Cortex XDR.
8. (Requires Broker VM 8.0 and later) (Optional) Collect and Generate New Logs. Your Cortex XDR logs will download automatically after approximately 30 seconds.
STEP 7 | Register and enter your unique Token, created in the Cortex XDR console.
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo /usr/local/bin/python3.7 awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
aws configure
STEP 2 | In the AWS Console, navigate to Services > Storage > S3 > Buckets.
STEP 3 | In the S3 buckets page, + Create bucket to upload your broker image to.
STEP 4 | Upload the Broker VM VMDK you downloaded from Cortex XDR to the AWS S3 bucket.
Run
[
  {
    "Description": "<Broker VM Version>",
    "Format": "vmdk",
    "UserBucket": {
      "S3Bucket": "<your_bucket>",
      "S3Key": "<broker-vm-version.vmdk>"
    }
  }
]
To track the progress, use the task id value from the output and run:
.
Completed status output example:
{
  "ImportImageTasks": [
    {
      "...",
      "SnapshotDetails": [
        {
          "Description": "Broker VM version",
          "DeviceName": "/dev/<name>",
          "DiskImageSize": 2976817664.0,
          "Format": "VMDK",
          "SnapshotId": "snap-1234567890",
          "Status": "completed",
          "UserBucket": {
            "S3Bucket": "broker-vm",
            "S3Key": "broker-vm-<version>.vmdk"
          }
        }
      ],
      "Status": "completed",
      "..."
    }
  ]
}
STEP 7 | (Optional) After the AMI image has been created, you can define a new name for the image. Navigate to Services > EC2 > IMAGES > AMIs and locate your AMI image using the task ID. Select the pencil icon to enter a new name.
Launch an Instance
STEP 2 | Search for your AMI image and Launch the file.
STEP 3 | In the Launch Instance Wizard define the instance according to your company requirements
and Launch.
STEP 4 | (Optional) In the Instances page, locate your instance and use the pencil icon to rename the instance Name.
STEP 2 | Create a new storage blob on your Azure account by uploading the VHD file. You can use to upload either from Microsoft Windows or Ubuntu.
Uploading from Microsoft Windows.
1. Verify you have:
• Windows PowerShell version 5.1 or later.
• .NET Framework 4.7.2 or later.
2. Open PowerShell and execute Set-ExecutionPolicy unrestricted.
• [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
• Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
3. Install Azure cmdlets.
Install-Module -Name Az -AllowClobber
4. Connect to your Azure account.
Connect-AzAccount
5. Start the upload.
az storage blob upload -f <vhd to upload> -n <vhd name> -c <container name> --account-name <account name>
STEP 3 | In the Azure home page, navigate to Azure services > Disks and +Add a new disk.
STEP 4 | In the Create a managed disk > Basics page, define the following information:
Project details
• Resource group—Select your resource group.
Disk details
• Disk name—Enter a name for the disk object.
• Region—Select your preferred region.
• Source type—Select Storage Blob. Additional fields are displayed; define them as follows:
• Source blob—Select Browse. You are directed to the Storage accounts page. From the navigation panel, select the bucket and then the container to which you uploaded the Cortex XDR VHD image. In the Container page, select your VHD image.
• OS type—Select Linux
• VM generation—Select Gen 1
Review + create to check your settings.
Creating the VM can take up to 15 minutes. The broker VM Web UI is not accessible during this time.
STEP 2 | From G Cloud, create a Google Cloud Storage bucket to store the broker VM image.
1. Create a project in GCP and enable Google Cloud Storage, for example: brokers-project.
Make sure you have defined a Default Network.
2. Create a bucket to store the image, for example: broker-vms
The import tool uses the Cloud Build API, which must be enabled in your project. For image import to work, the Cloud Build service account must have the compute.admin and iam.serviceAccountUser roles. When using the Google Cloud console to import the image, you will be prompted to add these permissions automatically.
• gcloud CLI
The following command uses the minimum required parameters. For more information on permissions and available parameters, refer to the Google Cloud SDK.
Open a command prompt and run:
STEP 6 | When Google Compute completes the image creation, create a new instance.
1. From the Google Cloud Platform, select Compute Engine > VM instances.
2. Create instance.
3. In the Boot disk option, choose Custom images and select the image you created.
4. In the Firewall section, Allow HTTPS traffic.
5. Set up the instance according to your needs.
If you are using the broker VM to facilitate only Agent Proxy, use e2-standard-2. If you are using the broker VM for multiple applets, use e2-standard-4.
STEP 2 | Upload the image file to Alibaba Cloud using the utility file you downloaded.
The command is dependent on the operating system and architecture you are using. Below are a few examples of the commands to use based on the different operating systems and architectures, which you may need to modify based on your system requirements.
• Linux (using CLI)
• Format
• Example
• Example
D:\ossutil>ossutil64.exe cp Downloads\QCOW2_broker-vm-14.0.1.qcow2 oss://kvm-images-qcow2/XDR-broker-vm-14.0.1.qcow2
For Linux and Windows uploads, you can use Alibaba Cloud's graphical management tool called ossbrowser.
example, in the step above the <directory name> used in the examples provided is kvm-images-qcow2.
The Object Storage Service must be created in the same Region as the image of the virtual machine.
3. From the list of images displayed, find the row for the Broker VM QCOW2 image that you uploaded, and click View Details.
4. In the URL field of the View Details right-pane displayed, copy the internal link for the image in Alibaba cloud. The URL that you copy ends with .com and you should not include any of the text displayed after this.
5. Select Hamburger menu > Elastic Compute Service > Instances & Images > Images.
6. In the Import Images area on the Images page, click Import Images.
7. In the Import Images window, set the following parameters.
• OSS Object Address—This field is a combination of the internal link that you copied for the Broker VM image and the <file name for uploaded image>, using this format: <internal link>/<file name for uploaded image>. Paste the internal link for the Broker VM QCOW2 image in Alibaba Cloud that you copied, and add the following text after the .com: /<file name for uploaded image>.
• Image Name—Specify a name for the image.
• Operating System/Platform—Leave Linux configured and change CentOS to Ubuntu.
• System Architecture—Leave the default x86_64 selected.
• Leave the rest of the fields as defined by the default or change them according to your system requirements.
8. Click OK.
A notification is displayed indicating that the image was imported successfully. Once the Status for the imported image in the Images page changes to Available, you will know the process is complete. This can take a few minutes.
STEP 5 | Reboot the Broker VM before logging in for the first time.
Saving the image to the Nutanix hypervisor can take time as it's a large file.
Creating the VM can take up to 15 minutes. The broker VM Web user interface is not accessible during this time.
STEP 2 | Click the New VM icon ( ) to open the Create a new virtual machine wizard.
STEP 3 | In the Step 1 screen of the wizard, select Import existing disk image, and click Forward.
STEP 8 | In the Step 4 screen of the wizard, set a Name for your new VM.
download the files directly from the Cortex XDR server. If asked by an agent, the Broker VM can also cache a specific installer that is not on the list of latest installers.
The following are prerequisites and limitations for the Local Agent Settings applet:
Requirement Description
Agent Proxy • Supported with Traps agent version 5.0.9 and Traps agent version 6.1.2 and later releases.
Agent Installer and Content Caching • Supported with Cortex XDR agent version 7.4 and later releases and Broker VM 12.0 and later.
• Requires a Broker VM with an 8-core processor to support caching for 10K endpoints.
• Requires the Broker to have an FQDN record in your local DNS server.
• Requires you to upload a strong cipher SHA256-based SSL certificate when you set up the Broker VM.
• Requires adding the Broker as a download source in your Agent Settings Profile.
After you have configured and registered your Palo Alto Networks Broker VM, proceed to set up your Local Agent Settings applet.
STEP 1 | In Cortex XDR, go to Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
When you install your Cortex XDR agents, you must configure the IP address of the broker VM and a port number during the installation. You can use the default 8888 port or set a custom port. You are not permitted to configure port numbers between 0-1024 and 63000-65000, or port numbers 4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672. Additionally, you are not permitted to reuse port numbers you already assigned to the Syslog Collector applet.
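The port rule above is easy to get wrong by hand, so here is an added example (not from the guide or from Cortex XDR) that encodes it as a check: a Python function that rejects ports in the two restricted ranges, the listed reserved ports, and any port already given to the Syslog Collector applet. The guide does not say whether the range boundaries are inclusive; the example treats them as inclusive, which is the conservative reading, and that is an assumption. The candidate ports and the syslog port list used in the script are constructed values.

```python
# Port policy for the broker VM Local Agent Settings port, as stated in the guide.
# Assumption: the "between 0-1024 and 63000-65000" ranges are inclusive at both ends.
RESTRICTED_RANGES = ((0, 1024), (63000, 65000))
RESERVED_PORTS = frozenset({4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672})
DEFAULT_AGENT_PROXY_PORT = 8888


def validate_agent_proxy_port(port, syslog_collector_ports=()):
    """Return (ok, reason) for one candidate port.

    syslog_collector_ports are the ports already assigned to the Syslog Collector
    applet on this broker VM, which the guide says cannot be reused.
    """
    if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
        return False, f"{port!r} is not a valid TCP port number"
    for low, high in RESTRICTED_RANGES:
        if low <= port <= high:
            return False, f"port {port} falls in the restricted range {low}-{high}"
    if port in RESERVED_PORTS:
        return False, f"port {port} is reserved for broker VM internal services"
    if port in set(syslog_collector_ports):
        return False, f"port {port} is already assigned to the Syslog Collector applet"
    return True, "ok"


def check_planned_ports(planned, syslog_collector_ports=()):
    """Validate a list of candidate ports; return {port: reason} for every rejected one."""
    rejected = {}
    for port in planned:
        ok, reason = validate_agent_proxy_port(port, syslog_collector_ports)
        if not ok:
            rejected[port] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample: ports an administrator is considering, with 514 and 6514
    # already used by the Syslog Collector applet.
    planned = [DEFAULT_AGENT_PROXY_PORT, 443, 6514, 9100, 64000, 8443]
    for port, reason in check_planned_ports(planned, syslog_collector_ports=[514, 6514]).items():
        print(f"reject {port}: {reason}")
```

Feed check_planned_ports the port you intend to type into the agent installer together with the ports your Syslog Collector applet already uses; an empty result means the value is acceptable under the rule quoted above.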
STEP 4 | After a successful activation, the Apps field displays Local Agent Settings - Active. Hover over it to view the applet status and resource usage.
STEP 5 | Manage the local agent settings. After the local agent settings have been activated, right-click your broker VM:
• To change your settings, click Local Agent Settings > Configure.
• To disable the local agent settings altogether, click Local Agent Settings > Deactivate.
For AWS and Azure cloud environments, the field
displays the Internal IP value.
manager. The Broker VM FQDN settings affect the WEC and Agent Installer and Content Caching.
• (Requires Broker VM 8.0 and later) (Optional) Internal Network
Specify a network subnet so that the broker VM's Docker containers do not collide with your internal network. By default, the Network Subnet is set to 172.17.0.1/16.
• Auto Upgrade
Enable or Disable automatic upgrade of the broker VM. By default, auto upgrade is enabled at Any time for all 7 days of the week, but you can also set the Days in Week and Specific time for the automatic upgrades. If you disable auto upgrade, new features and improvements will require a manual upgrade.
• Monitoring
Enable or Disable local monitoring of broker VM usage statistics in Prometheus metrics format, which lets you scrape and export the data from http://<broker_vm_address>:9100/metrics/. By default, monitoring of the broker VM is disabled.
• (Optional) SSH Access
  • (For Broker VM 7.4.5 and earlier) Enable or disable SSH access for the Palo Alto Networks support team, authenticated by using a Cortex XDR token.
Enabling it allows the Palo Alto Networks support team, not the customer, to connect to the broker VM remotely with the generated password. If you use SSL decryption in your firewalls, you need to add a trusted self-signed CA certificate on the broker VM to prevent any difficulties with SSL decryption. For example, when configuring Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the broker VM can validate the self-signed CA by uploading the cert_ssl-decrypt.crt file on the broker VM.
Make sure you save the password before closing the window. The only way to regenerate the password is to disable SSH access and re-enable it.
  • (Requires Broker VM 14.0.42 and later) Customize the login banner displayed when logging in to SSH sessions on the broker VM by entering a new message in the Welcome Message field, which replaces the default welcome message. When the field is empty, the default message is used.
• Broker UI Password
Reset your current Broker VM Web UI password. Define and Confirm your new password. The password must be at least 8 characters.
STEP 2 | Locate your broker VM, right-click and select one of these options depending on the type of logs you want to download.
• Broker Management > Generate New Logs—Regenerates the most up-to-date logs and downloads them once they are ready.
• Broker Management > Download Logs (<TIMESTAMP>)—Downloads the logs from the last creation date reflected in the <TIMESTAMP> displayed. This option is only displayed when you've downloaded your logs previously using Generate New Logs.
Logs are generated automatically, but can take up to a few minutes depending on the size of the logs.
Reboot a Broker VM
Cortex XDR enables you to reboot your broker VM directly from the Cortex XDR management
console.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs > Broker VMs table.
STEP 2 | Locate your broker VM, right-click and select Broker Management > Reboot VM.
STEP 2 | Locate your broker VM in the Broker VMs table, right-click, and select Broker Management >
Shutdown VM.
Upgrade a Broker VM
You can upgrade any broker VM directly from the Cortex XDR management console.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs table.
STEP 2 | Locate your broker VM, right-click and select Broker Management > Upgrade Broker
version.
Upgrading your broker VM takes approximately 5 minutes.
STEP 2 | Locate the broker VM you want to connect to, right-click and select Open Remote Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
• Logs
Broker VM logs are located in the /data/logs/ folder and contain the applet name in the file name. For example, the folder /data/logs/[applet name] contains container_ctrl_[applet name].log.
• Ubuntu Commands
Cortex XDR Broker VM supports all Ubuntu commands. For example, telnet 10.0.0.10 80 or ifconfig -a.
• Sudo Commands
Broker VM supports the commands listed in the following table. All the commands are located in the /home/admin/sbin folder.
Cortex XDR requires that you use the following values when running commands:
Applet Names
• Agent Proxy—tms_proxy
• Syslog Collector—anubis
• WEC—wec
• Network Mapper—network_mapper
• Pathfinder—odysseus
Services
• Upgrade—zenith_upgrade
• Frontend service—webui
• Sync with Cortex XDR—cloud_sync
• Internal messaging service (RabbitMQ)—rabbitmq-server
• Upload metrics to Cortex XDR—metrics_uploader
• Prometheus node exporter—node_exporter
• Backend service—backend
The following table displays the available commands in alphabetical order.
Remove a Broker VM
Cortex XDR allows you to remove a broker VM directly from the Cortex XDR management
console.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs.
STEP 2 | Locate your broker VM, right-click and select Broker Management > Remove Broker.
Broker VM Notifications
To help you monitor your broker VM version and connectivity effectively, Cortex XDR sends notifications to your Cortex XDR console Notification Center.
Cortex XDR sends the following notifications:
• New Broker VM Version—Notifies when a new broker VM version has been released.
  • If the broker VM Auto Upgrade is disabled, the notification includes a link to the latest release information. It is recommended that you upgrade to the latest version.
  • If the broker VM Auto Upgrade is enabled, 12 hours after the release you are notified of the latest upgrade, or you are notified that the upgrade failed. In such a case, open a Palo Alto Networks Support Ticket.
• Broker VM Connectivity—Notifies when the broker VM has lost connectivity to Cortex XDR.
• Broker VM Disk Usage—Notifies when the broker VM is utilizing over 90% of the allocated disk space.
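The Monitoring setting described earlier (Prometheus metrics at http://<broker_vm_address>:9100/metrics/) and the Disk Usage notification above can be combined into a local check. The following is an added example, not code from the guide or from Palo Alto Networks: it parses the Prometheus text exposition format and flags any filesystem above the 90% threshold the notification uses. The metric names node_filesystem_size_bytes and node_filesystem_avail_bytes are the standard node_exporter names and are an assumption (the guide names only the node_exporter service and the metrics URL); the sample scrape embedded below is constructed.

```python
"""Check Broker VM disk usage from its Prometheus metrics endpoint.

Added example; not part of the Cortex XDR guide or Palo Alto Networks code.
Metric names are assumed to be the standard node_exporter ones.
"""
import re
import urllib.request

# Threshold from the guide: a notification is raised above 90% disk usage.
DISK_USAGE_THRESHOLD = 0.90

# One sample line: name{labels} value   (labels optional; trailing timestamp ignored)
_SAMPLE_RE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
# label="value" pairs inside the braces; values may contain escaped quotes
_LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_prometheus_text(text):
    """Parse Prometheus text exposition into a list of (name, labels, value)."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and HELP/TYPE comments carry no samples
        m = _SAMPLE_RE.match(line)
        if not m:
            continue  # tolerate lines we do not understand rather than fail
        labels = {k: v for k, v in _LABEL_RE.findall(m.group("labels") or "")}
        samples.append((m.group("name"), labels, float(m.group("value"))))
    return samples


def disk_usage_by_mount(samples):
    """Return {mountpoint: used_fraction} from node_exporter filesystem gauges."""
    size, avail = {}, {}
    for name, labels, value in samples:
        mount = labels.get("mountpoint")
        if name == "node_filesystem_size_bytes":
            size[mount] = value
        elif name == "node_filesystem_avail_bytes":
            avail[mount] = value
    # Only mounts that reported both gauges, and skip zero-sized pseudo filesystems.
    return {m: (size[m] - avail[m]) / size[m]
            for m in size if m in avail and size[m] > 0}


def mounts_over_threshold(usage, threshold=DISK_USAGE_THRESHOLD):
    """Mountpoints whose used fraction exceeds the threshold, sorted by name."""
    return sorted(m for m, frac in usage.items() if frac > threshold)


def fetch_metrics(broker_vm_address, timeout=5):
    """Scrape the endpoint named in the guide (requires Monitoring to be enabled)."""
    url = f"http://{broker_vm_address}:9100/metrics/"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_broker_vm(broker_vm_address):
    """Scrape a live broker VM and return the mounts over the 90% threshold."""
    usage = disk_usage_by_mount(parse_prometheus_text(fetch_metrics(broker_vm_address)))
    return mounts_over_threshold(usage)


# Constructed sample scrape: / is at 40% used, /data at 92% used.
SAMPLE_METRICS = """\
# HELP node_filesystem_size_bytes Filesystem size in bytes.
# TYPE node_filesystem_size_bytes gauge
node_filesystem_size_bytes{device="/dev/sda1",fstype="ext4",mountpoint="/"} 5e10
node_filesystem_size_bytes{device="/dev/sdb1",fstype="ext4",mountpoint="/data"} 1e12
# HELP node_filesystem_avail_bytes Filesystem space available to non-root users in bytes.
# TYPE node_filesystem_avail_bytes gauge
node_filesystem_avail_bytes{device="/dev/sda1",fstype="ext4",mountpoint="/"} 3e10
node_filesystem_avail_bytes{device="/dev/sdb1",fstype="ext4",mountpoint="/data"} 8e10
node_cpu_seconds_total{cpu="0",mode="idle"} 123456.78
"""

if __name__ == "__main__":
    usage = disk_usage_by_mount(parse_prometheus_text(SAMPLE_METRICS))
    for mount, frac in sorted(usage.items()):
        print(f"{mount}: {frac:.1%} used")
    print("over threshold:", mounts_over_threshold(usage))
```

Run against a real broker VM with check_broker_vm("<broker_vm_address>") once Monitoring is enabled; the endpoint is plain HTTP, so expose it only on the management network.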
Monitoring
> Cortex XDR Dashboard
> Monitor Cortex XDR Gateway Management Activity
> Monitor Administrative Activity
> Monitor Agent Activity
> Monitor Agent Operational Status
The dashboard comprises Dashboard Widgets (2) that summarize information about your endpoints in graphical or tabular format. You can customize Cortex XDR to display Predefined Dashboards or create your own custom dashboard using the dashboard builder. You can toggle between your available dashboards using the dashboard menu (1).
In addition, the dashboard provides a color theme toggle (3) that enables you to switch the interface colors between light and dark.
Dashboard Widgets
Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying summarized information about your endpoints.
Cortex XDR sorts widgets in the Cortex XDR app according to the following categories:
• Agent Management Widgets
• Asset Widgets
• Incident Management Widgets
• Investigation Widgets
• System Monitoring
• User Defined Widgets
Agent Content Version Breakdown: Displays the total number of registered Cortex XDR agents and the distribution of agents by content update version.
Asset Widgets
Top 5 Notable Users: Displays the top 5 users with the highest User Score. Select a user to pivot to the User View.
Custom Widget
Host Insights
(Requires a Cortex XDR Host Insights Add-on)
Top CVEs By Affected Endpoints: Displays the top Critical, High, and Medium severity CVEs currently existing in your network according to the total number of endpoints affected by each CVE.
Vulnerabilities On All Endpoints Over Time: Displays CVEs over time across your network. Select the time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 days. Hover over the graph to view the number of existing CVEs on a specific day.
Overdue Incidents of Top 5 Assignees: Displays the last 30 days, 7 days, or 24 hours of the following information according to the incident creation time:
• Top 5 assignees, by assignee name, with the highest number of overdue incidents.
For further investigation, select a user to pivot to the Incident table filtered according to the incident creation time and assignee.
Investigation Widgets
Open Incidents by Severity: Displays the total open incidents over the last 30 days according to severity.
Response Action Breakdown: Displays the top response actions taken in the Action Center over the last 24 hours, 7 days, or 30 days.
Top Hosts: Displays the top ten hosts with the highest number of incidents in order of severity over the last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity. Click a host to open a filtered view of all open incidents for the selected host.
Top Incidents: Displays the top ten current incidents with the highest number of alerts according to severity over the last 30 days. Alerts are color-coded: red for high and yellow for medium. Click a severity to open a filtered view of all open alerts for the selected incident.
System Monitoring
Predefined Dashboards
Cortex XDR comes with predefined dashboards that display widgets tailored to the dashboard type. You can select any of the predefined dashboards directly from the dashboard menu in Dashboards & Reports > Customize > Dashboards Manager. You can also select and rename a predefined dashboard in the Dashboard Builder, available by clicking + New Dashboard. The types of dashboards that are available to you depend on your license type but can include:
• Agent Management Dashboard
• Incident Management Dashboard
• My Dashboard
• Security Admin Dashboard
• Security Manager Dashboard
Support for the Agent Management Dashboard requires either a Cortex XDR Prevent or
Cortex XDR Pro per Endpoint license.
My Dashboard
My Dashboard provides an overview of the incidents and MTTR for the logged-in user.
The Security Manager Dashboard requires either a Cortex XDR Prevent or Cortex XDR Pro
per Endpoint license.
STEP 2 | In the Dashboard Builder, enter a unique Dashboard Name and an optional Description of the dashboard.
STEP 6 | When you have finished customizing your dashboard, click Next.
STEP 7 | To set the custom dashboard as your default dashboard when you log in to Cortex XDR, select Define as default dashboard.
STEP 8 | To keep this dashboard visible only to you, select Private.
Otherwise, the dashboard is public and visible to all Cortex XDR app users with the appropriate roles to manage dashboards.
Manage Dashboards
In the Cortex XDR console, navigate to Dashboards & Reports > Customize > Dashboards Manager to view all custom and default dashboards. From the Dashboards Manager, you can also delete, edit, duplicate, disable, and perform additional management actions on your dashboards.
To manage an existing dashboard, right-click the dashboard and select the desired action.
• Delete - Permanently delete a dashboard.
• Edit - Edit an existing dashboard. You cannot edit the default dashboards provided by Palo Alto Networks, but you can save a copy of one as a new dashboard.
• Save as new - Duplicate an existing template.
• Disable - Temporarily disable a dashboard. If the dashboard is public, this dashboard is also removed for all users.
• Set as default - Make the dashboard the default dashboard that displays when you (and other
users, if the dashboard is public) log in to Cortex XDR.
• Save as report template - Save a report as a template.
STEP 2 | Right-click the dashboard from which you want to generate a report, and select Save as report template.
STEP 3 | Enter a unique Report Name and an optional Description of the report, then Save the template.
STEP 6 | After your report completes, you can download it from the Reporting > Reports page.
STEP 2 | Enter a unique Report Name and an optional Description of the report.
STEP 7 | When you have finished customizing your report template, click Next.
STEP 8 | If you are ready to run the report, select Generate now.
STEP 9 | To run the report on a regular Schedule, you can specify the time and frequency at which Cortex XDR will run the report.
STEP 10 | (Optional) Enter an Email Distribution list or Slack workspace to send a PDF version of your report.
Select Add password used to access report sent by email and Slack to protect the report with a password.
STEP 11 | (Optional) Attach a CSV file of your XQL query widget to a report.
From the drop-down menu, search for and select one or more of your custom widgets to attach to the report. The XQL query widget is attached to the report as a CSV file along with the customized PDF. Depending on how you chose to send the report, the CSV file is attached as follows:
• Email—Sent as separate attachments for each widget. The total size of the attachments in the email cannot exceed 20MB.
• Slack—Sent within a ZIP file that includes the PDF file.
STEP 13 | After your report completes, you can download it from the Reporting > Reports page.
In the Name field, reports with multiple files (PDF and CSV) are marked with one icon, while reports with a single PDF are marked with a different icon.
You must have Account Admin role permissions to access the Management Auditing page.
Field Description
• Authentication—User sessions started, along with the user name that started the session.
• Broker API—Operation related to the Broker application programming interface (API).
• Broker VM—Operation related to the Broker virtual machine (VM).
• Dashboards—Use of particular dashboards.
• Device Control Permanent Exceptions—Modification of permanent device control exceptions.
• Device Control Profile—Modification of a device control profile.
• Device Control Temporary Exceptions—Modification of temporary device control exceptions.
• Disk Encryption Profile—Modification of a disk encryption profile.
• Endpoint Administration—Management of endpoints.
• Endpoint Groups—Management of endpoint groups.
• Extensions Policy—Modification of extension policy settings, including host firewall and disk encryption.
• Extensions Profiles—Modification of extension profile settings.
• Global Exceptions—Management of global exceptions.
• Host Firewall Profile—Modification of a host firewall profile.
• Host Insights—Initiation of a Host Insights data collection scan (Host Inventory and Vulnerability Assessment).
• Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
• Ingest Data—Import of data for immediate use or storage in a database.
• Integrations—Integration operations, such as integrating Slack for outbound notifications.
• Licensing—Any licensing-related operation.
• Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, a complete history of commands issued, their success, and the response.
• Managed Threat Hunting—Activity relating to managed threat hunting.
• MSSP—Management of security services providers.
• Policy & Profiles—Activity related to managing policies and profiles.
• Prevention Policy Rules—Modification of prevention policy rules.
• Protection Policy—Modification of the protection policy.
• Protection Profile—Modification of the protection profile.
• Public API—Authentication activity using an associated Cortex XDR API key.
• Query Center—Operations in the Query Center.
• Remediation—Remediation operations.
• Reporting—Any reporting activity.
• Response—Remedial actions taken. For example: Isolate a host, undo host isolation, add a file hash signature to the block list, or undo the addition to the block list.
• Rules—Modification to rules.
• Rules Exceptions—Creation, editing, or deletion under Rules exceptions.
• SaaS Collection—Any collected SaaS data.
• Script Execution—Any script execution.
• Starred Incidents—Modification of starred incidents.
• Vulnerability Assessment—Any vulnerability assessment activity.
The Cortex XDR agent logs entries for events that are monitored by the Cortex XDR agent and reports the logs back to Cortex XDR hourly. Cortex XDR stores the logs for 365 days. To view the Cortex XDR agent logs, select Settings > Agent Auditing.
To ensure you and your colleagues stay informed about agent activity, you can Configure Notification Forwarding to forward your Agent Audit log to an email distribution list, Syslog server, or Slack channel.
You can customize your view of the logs by adding or removing filters to the Agent Audits Table. You can also filter the page result to narrow down your search. The following table describes the default and optional fields that you can view in the Cortex XDR Agents Audit Table:
Field Description
Category: The Cortex XDR agent logs these endpoint events using one of the following categories:
• Audit—Successful changes to the agent indicating correct behavior.
• Monitoring—Unsuccessful changes to the agent that may require administrator intervention.
• Status—Indication of the agent status.
Received Time: Date and time when the action was received by the agent and reported back to Cortex XDR.
Type and Sub-Type: Additional classification of the agent log entry by Type and Sub-Type:
• Installation:
  • Install
  • Uninstall
  • Upgrade
• Policy change:
  • Local Configuration Change
  • Content Update
  • Policy Update
  • Process Exception
  • Hash Exception
• Agent service:
  • Service start (reported only when the agent fails to start and the RESULT is Fail)
  • Service stopped
• Agent modules:
  • Module initialization
  • Local analysis module
  • Local analysis feature extraction
• Agent status:
  • Fully protected
  • OS incompatible
  • Software incompatible
  • Kernel driver initialization
  • Kernel extension initialization
  • Proxy communication
  • Quota exceeded (reported when old prevention data is being deleted from the endpoint)
  • Minimal content
• Action:
  • Scan
  • File retrieval
  • Terminate process
  • Isolate
  • Cancel isolation
  • Payload execution
  • Quarantine
  • Restore
  • Block IP address
  • Unblock IP address
XDR Agent Version: Version of the Cortex XDR agent running on the endpoint.
Status Description
• Behavioral threat protection is not running
• Anti-malware flow is asynchronous
• Malware protection is not running
• Exploit protection is not running
Log Forwarding
To help you stay informed and updated, you can easily forward Cortex® XDR™ alerts
and reports to an external syslog receiver, a Slack channel, or to email accounts.
• Alerts
• Management Audit Log
• Reports
STEP 2 | Select the provided link to install Cortex XDR on your Slack workspace.
You are directed to the Slack browser to install the Cortex XDR app. You can only use this link to install Cortex XDR on Slack. Attempting to install from the Slack marketplace redirects you to the Cortex XDR documentation.
STEP 2 | Select Settings > Configurations > Integrations > External Applications.
If your Syslog receiver uses a self-signed CA, Browse and upload your self-signed Syslog receiver CA.
If you only use a trusted root CA, leave the Certificate field empty.
• Ignore Certificate Error—Cortex XDR does not recommend this option, but you can select it to ignore certificate errors if they occur. Alerts and logs are then forwarded even if the certificate fails validation.
STEP 5 | Test the parameters to ensure a valid connection and Create when ready.
You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their status.
If you find the Syslog data limited, Cortex XDR recommends running the Get Alerts API for complete alert data.
Use this workflow to configure notifications for alerts. To receive notifications about reports, see Create a Report from Scratch.
STEP 1 | Select Settings > Configurations > General > Notifications.
STEP 4 | Select the Log Type you want to forward, one of the following:
• Alerts—Send notifications for specific alert types (for example, XDR Agent).
STEP 5 | In the Configuration Scope, Filter the type of information you want included in a notification. For example, set a filter Severity = Medium, Alert Source = XDR Agent. Cortex XDR sends the alerts or events matching this filter as a notification.
Before you can select a Slack channel or Syslog receiver you must Integrate Slack for Outbound Notifications and Integrate a Syslog Receiver.
1. Enter the Slack channel name and select from the list of available channels.
Slack channels are managed independently of Cortex XDR in your Slack workspace. After integrating your Slack account with your Cortex XDR tenant, Cortex XDR displays a list of specific Slack channels associated with the integrated Slack workspace.
2. Select a Syslog receiver.
Cortex XDR displays the list of receivers integrated with your Cortex XDR tenant.
STEP 9 | (Optional) To later modify a saved forwarding configuration, right-click the configuration, and Edit, Disable, or Delete it.
Message Details
Type-Action Center
Type—Agent Configuration
Type—Agent Installation
Type—Alert Exclusions
Type—Alert Notifications
Type—Alert Rules
Type—Api Key
Type—Authentication
• Sub Type—Login
  • Status—Success
  • Severity—Informational
• Sub Type—Logout
  • Status—Success
  • Severity—Informational
Type—Broker API
Type—Broker VMs
Type—Dashboards
Type—EDL Management
Type—Endpoint Administration
Type—Endpoint Groups
Type—Extensions Policy
Type—Extensions Profile
Type—Global Exceptions
Type—Host Insights
Type—Incident Management
Type—Ingest Data
Type—Integrations
Type—Licensing
Type—Live Terminal
Type—MSSP
Type—Permission
Type—Public API
Type—Query Center
Type—Remediation
Type—Reporting
Type—Response
Type—Rules
Type—Rules Exceptions
Type—SaaS Collection
Type—Scoring Rules
Type—Starred Incidents
Type—System
Email Account
Alert notifications are sent to email accounts according to the settings you configured when you Configure Notification Forwarding. If only one alert exists in the queue, a single alert email format is sent. If more than one alert was grouped in the time frame, all the alerts in the queue are forwarded together in a grouped email format. Emails also include an alert code snippet of the fields of the alerts according to the columns in the Alert table.
Single Alert Email Example
{
"original_alert_json":{
"uuid":"<UUID Value>",
"recordType":"threat",
"customerId":"<Customer ID>",
"severity":4,
"generatedTime":"2020-11-03T07:46:03.166000Z",
"originalAgentTime":"2020-11-03T07:46:01.372974700Z",
"serverTime":"2020-11-03T07:46:03.312633",
"isEndpoint":1,
"agentId":"<agent ID>",
"endPointHeader":{
"osVersion":"<OS version>",
"agentIp":"<Agent IP Address>",
"deviceName":"<Device Name>",
"agentVersion":"<Agent Version>",
"contentVersion":"152-40565",
"policyTag":"<Policy Tag Value>",
"securityStatus":0,
"protectionStatus":0,
"dataCollectionStatus":1,
"isolationStatus":0,
"agentIpList":[
"<IP Address>"
],
"addresses":[
{
"ip":[
"<IP Address>"
],
"mac":"<Mac ID>"
}
],
"liveTerminalEnabled":true,
"scriptExecutionEnabled":true,
"fileRetrievalEnabled":true,
"agentLocation":0,
"fileSearchEnabled":false,
"deviceDomain":"env21.local",
"userName":"Aragorn",
"userDomain":"env21.local",
"userSid":"<User S ID>",
"osType":1,
"is64":1,
"isVdi":0,
"agentId":"<Agent ID>",
"agentTime":"2020-11-03T07:46:03.166000Z",
"tzOffset":120
},
"messageData":{
"eventCategory":"prevention",
"moduleId":"COMPONENT_WILDFIRE",
"moduleStatusId":"CYSTATUS_MALICIOUS_EXE",
"preventionKey":"<Prevention Key>",
"processes":[
{
"pid":111,
"parentId":<Parent ID>,
"exeFileIdx":0,
"userIdx":0,
"commandLine":"\"C:\\<file path>\\test.exe\" ",
"instanceId":"Instance ID",
"terminated":0
}
],
"files":[
{
"rawFullPath":"C:\\<file path>\\test.exe",
"fileName":"test.exe",
"sha256":"<SHA256 Value>",
"fileSize":"12800",
"innerObjectSha256":"<SHA256 Value>"
}
],
"users":[
{
"userName":"<User Name>",
"userDomain":"<Domain Name>",
"domainUser":"<Domain Name>\\<User Name>"
}
],
"urls":[
],
"postDetected":0,
"sockets":[
],
"containers":[
],
"techniqueId":[
],
"tacticId":[
],
"modules":[
],
"javaStackTrace":[
],
"terminate":0,
"block":0,
"eventParameters":[
"C:\\<file path>\\test.exe",
"B30--A56B9F",
"B30--A56B9F",
"1"
],
"sourceProcessIdx":0,
"fileIdx":0,
"verdict":1,
"canUpload":0,
"preventionMode":"reported",
"trapsSeverity":2,
"profile":"Malware",
"description":"WildFire Malware",
"cystatusDescription":"Suspicious executable detected",
"sourceProcess":{
"user":{
"userName":"<User Name>",
"userDomain":"<Domain Name>",
"domainUser":"<Domain Name>\\<User Name>"
},
"pid":1111,
"parentId":<Parent ID>,
"exeFileIdx":0,
"userIdx":0,
"commandLine":"\"C:\\<file path>\\test.exe\" ",
"instanceId":"<Instance ID>",
"terminated":0,
"rawFullPath":"C:\\<file path>\\Test.exe",
"fileName":"test.exe",
"sha256":"<SHA256 Value>",
"fileSize":"12800",
"innerObjectSha256":"<SHA256 Value>"
},
"policyId":"<Policy ID>"
}
},
"internal_id":<Internal ID>,
"external_id":"<External ID>",
"severity":"SEV_030_MEDIUM",
"matching_status":"MATCHED",
"end_match_attempt_ts":1604389636437,
"alert_source":"TRAPS",
"local_insert_ts":1604570760,
"source_insert_ts":160470366,
"alert_name":"WildFire Malware",
"alert_category":"Malware",
"alert_description":"Suspicious executable detected",
"bioc_indicator":null,
"matching_service_rule_id":null,
"attempt_counter":1,
"bioc_category_enum_key":null,
"alert_action_status":"REPORTED",
"case_id":111,
"is_whitelisted":false,
"starred":false,
"deduplicate_tokens":null,
"filter_rule_id":null,
"mitre_technique_id_and_name":[
""
],
"mitre_tactic_id_and_name":[
""
],
"agent_id":"80d2e314c92f6",
"agent_version":"7.2.1.2718",
"agent_ip_addresses":[
"10.208.213.137"
],
"agent_hostname":"<Agent Hostname>",
"agent_device_domain":"<Device Domain>",
"agent_fqdn":"<FQDN Value>",
"agent_os_type":"AGENT_OS_WINDOWS",
"agent_os_sub_type":"<Operating System Sub-Type> ",
"agent_data_collection_status":true,
"mac":"<Mac ID>",
"agent_is_vdi":null,
"agent_install_type":"STANDARD",
"agent_host_boot_time":[
1604446615
],
"event_sub_type":null,
"module_id":[
"WildFire"
],
"association_strength":null,
"dst_association_strength":null,
"story_id":null,
"is_disintegrated":null,
"event_id":null,
"event_type":[
1
],
"event_timestamp":[
1604389563166
],
"actor_effective_username":[
"<Domain Name>\\<User Name>"
],
"actor_process_instance_id":[
"<Actor>\/<Instance ID>"
],
"actor_process_image_path":[
"C:\\<file path>\\test.exe"
],
"actor_process_image_name":[
"test.exe"
],
"actor_process_command_line":[
"\"C:\\<file path>\\test.exe\" "
],
"actor_process_signature_status":[
"SIGNATURE_UNSIGNED"
],
"actor_process_signature_vendor":null,
"actor_process_image_sha256":[
"<SHA256 Value>"
],
"actor_process_image_md5":[
"<MD5 Value>"
],
"actor_process_causality_id":[
"<Actor>\/<Causality ID>"
],
"actor_causality_id":null,
"actor_process_os_pid":[
1111
],
"actor_thread_thread_id":[
1222
],
"causality_actor_process_image_name":[
"test1.exe"
],
"causality_actor_process_command_line":[
"C:\\<file path>\\test1.EXE"
],
"causality_actor_process_image_path":[
"C:\\<file path>\\test1.exe"
],
"causality_actor_process_signature_vendor":[
"Microsoft Corporation"
],
"causality_actor_process_signature_status":[
"SIGNATURE_SIGNED"
],
"causality_actor_causality_id":[
"AdaxtV\/iNIMAAAc8AAAAAA=="
],
"causality_actor_process_execution_time":[
1604389557724
],
"causality_actor_process_image_md5":null,
"causality_actor_process_image_sha256":[
"<SHA256 Value>"
],
"action_file_path":null,
"action_file_name":null,
"action_file_md5":null,
"action_file_sha256":null,
"action_file_macro_sha256":null,
"action_registry_data":null,
"action_registry_key_name":null,
"action_registry_value_name":null,
"action_registry_full_key":null,
"action_local_ip":null,
"action_local_port":null,
"action_remote_ip":null,
"action_remote_port":null,
"action_external_hostname":null,
"action_country":[
"UNKNOWN"
],
"action_process_instance_id":null,
"action_process_causality_id":null,
"action_process_image_name":null,
"action_process_image_sha256":null,
"action_process_image_command_line":null,
"action_process_signature_status":[
"SIGNATURE_UNAVAILABLE"
],
"action_process_signature_vendor":null,
"os_actor_effective_username":null,
"os_actor_process_instance_id":null,
"os_actor_process_image_path":null,
"os_actor_process_image_name":null,
"os_actor_process_command_line":null,
"os_actor_process_signature_status":[
"SIGNATURE_UNAVAILABLE"
],
"os_actor_process_signature_vendor":null,
"os_actor_process_image_sha256":null,
"os_actor_process_causality_id":null,
"os_actor_causality_id":null,
"os_actor_process_os_pid":null,
"os_actor_thread_thread_id":[
1396
],
"fw_app_id":null,
"fw_interface_from":null,
"fw_interface_to":null,
"fw_rule":null,
"fw_rule_id":null,
"fw_device_name":null,
"fw_serial_number":null,
"fw_url_domain":null,
"fw_email_subject":null,
"fw_email_sender":null,
"fw_email_recipient":null,
"fw_app_subcategory":null,
"fw_app_category":null,
"fw_app_technology":null,
"fw_vsys":null,
"fw_xff":null,
"fw_misc":null,
"fw_is_phishing":[
"NOT_AVAILABLE"
],
"dst_agent_id":null,
"dst_causality_actor_process_execution_time":null,
"dns_query_name":null,
"dst_action_external_hostname":null,
"dst_action_country":null,
"dst_action_external_port":null,
"is_pcap":null,
"contains_featured_host":[
"NO"
],
"contains_featured_user":[
"YES"
],
"contains_featured_ip":[
"YES"
],
"events_length":1,
"is_excluded":false
}
Slack Channel
You can send alert notifications to a single Slack contact or a Slack channel. Notifications are
similar to the email format.
Syslog Server
Alert notifications forwarded to a Syslog server are sent in CEF format (RFC 5425).
Section          Description
Syslog Header    <9>: PRI (considered a priority field)
                 1: version number
                 2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
                 cortexxdr: host name
CEF Header       HEADER/Vendor="Palo Alto Networks" (as a constant string)
                 HEADER/Device Product="Cortex XDR" (as a constant string)
                 HEADER/Product Version=Cortex XDR version (2.0/2.1....)
                 HEADER/Severity=(integer/0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
                 HEADER/Device Event Class ID=alert source
                 HEADER/name=alert name
CEF Body         end=timestamp shost=endpoint_name deviceFacility=facility cat=category
                 externalId=external_id request=request cs1=initiated_by_process
                 cs1Label=Initiated by (constant string) cs2=initiator_command
                 cs2Label=Initiator CMD (constant string) cs3=signature
                 cs3Label=Signature (constant string) cs4=cgo_name
                 cs4Label=CGO name (constant string) cs5=cgo_command
                 cs5Label=CGO CMD (constant string) cs6=cgo_signature
                 cs6Label=CGO Signature (constant string) dst=destination_ip
                 dpt=destination_port src=source_ip spt=source_port fileHash=file_hash
                 filePath=file_path targetprocesssignature=target_process_signature
                 tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=account_name
                 initiatorSha256=initiator_hash initiatorPath=initiator_path
                 osParentName=parent_name osParentCmd=parent_command
                 osParentSha256=parent_hash osParentSignature=parent_signature
                 osParentSigner=parent_signer incident=incident_id act=action
                 suser=actor_effective_username
Example
Cortex XDR forwards the agent audit log to external data resources according to the following
formats.
Email Account
Cortex XDR can forward agent audit log notifications to email accounts.
Syslog Server
Agent audit logs forwarded to a Syslog server are sent in CEF format (RFC 5425) according to the
following mapping.
Section          Description
Syslog Header    <9>: PRI (considered a priority field)
                 1: version number
                 2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
                 cortexxdr: host name
CEF Header       HEADER/Vendor="Palo Alto Networks" (as a constant string)
                 HEADER/Device Product="Cortex XDR Agent" (as a constant string)
                 HEADER/Device Version=Cortex XDR Agent version (7.0/7.1....)
                 HEADER/Severity=(integer/0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
                 HEADER/Device Event Class ID="Agent Audit Logs" (as a constant string)
                 HEADER/name=type
CEF Body         dvchost=domain shost=endpoint_name cat=category end=timestamp
                 rt=received_time cs1Label=agentversion (constant string) cs1=agent_version
                 cs2Label=subtype (constant string) cs2=subtype
                 cs3Label=result (constant string) cs3=result
                 cs4Label=reason (constant string) cs4=reason msg=event_description
                 tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=csp_id
Example:
Email Account
Management audit log notifications are forwarded to email accounts.
Syslog Server
Management audit logs forwarded to a Syslog server are sent in CEF format (RFC 5425) according
to the following mapping:
Section          Description
Syslog Header    <9>: PRI (considered a priority field)
                 1: version number
                 2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
                 cortexxdr: host name
CEF Header       HEADER/Vendor="Palo Alto Networks" (as a constant string)
                 HEADER/Device Product="Cortex XDR" (as a constant string)
                 HEADER/Device Version=Cortex XDR version (2.0/2.1....)
                 HEADER/Severity=(integer/0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
                 HEADER/Device Event Class ID="Management Audit Logs" (as a constant string)
                 HEADER/name=type
CEF Body         suser=user end=timestamp externalId=external_id
                 cs1Label=email (constant string) cs1=user_mail
                 cs2Label=subtype (constant string) cs2=subtype
                 cs3Label=result (constant string) cs3=result
                 cs4Label=reason (constant string) cs4=reason msg=event_description
                 tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=csp_id
Example
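One parser serves the alert, agent audit log and management audit log mappings above, since all three share the syslog header, the pipe-delimited CEF header and the key=value extension. The following is an added example, not code from the guide or from Palo Alto Networks; it assumes the CEF specification's header order (CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension) directly after the <PRI>VERSION TIMESTAMP HOSTNAME syslog fields, so verify that order against a captured line before relying on it, and every sample value in it is constructed.

```python
"""Parse a Cortex XDR CEF-over-syslog line into syslog header, CEF header and extension fields."""
import re
from typing import Any, Dict, List, Tuple

# Severity integers and names as the guide lists them for the CEF header.
SEVERITY_NAMES = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}

# Assumed wire shape: "<PRI>VERSION TIMESTAMP HOSTNAME CEF:..." (syslog fields, then the CEF message).
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\d+)\s+(\S+)\s+(\S+)\s+(CEF:.*)$")
# An extension key is a run of word characters followed by "=" at the start or after whitespace.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _split_cef_header(cef: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring the '\\|' and '\\\\' escapes."""
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            current.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, cef[i:]


def _unescape(value: str) -> str:
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value ...'; values may contain spaces but never an unescaped '='."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def _labelled_custom_strings(ext: Dict[str, str]) -> Dict[str, str]:
    """Pair csN with csNLabel so 'cs1=... cs1Label=Initiated by' becomes {'Initiated by': ...}."""
    labelled: Dict[str, str] = {}
    for key, label in ext.items():
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m and m.group(1) in ext:
            labelled[label] = ext[m.group(1)]
    return labelled


def parse_cortex_cef(line: str) -> Dict[str, Any]:
    """Parse one forwarded line; raises ValueError on anything that is not syslog + CEF."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line does not carry a syslog header followed by a CEF message")
    pri = int(m.group(1))
    header, extension = _split_cef_header(m.group(5))
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("malformed CEF header: expected seven pipe-delimited fields")
    severity = int(header[6]) if header[6].isdigit() else None
    ext = _parse_extension(extension)
    return {
        # PRI is syslog facility * 8 + syslog severity, so <9> is facility 1, severity 1.
        "syslog": {"facility": pri // 8, "severity": pri % 8, "version": int(m.group(2)),
                   "timestamp": m.group(3), "host": m.group(4)},
        "cef_version": header[0].split(":", 1)[1],
        "vendor": header[1], "product": header[2], "product_version": header[3],
        "event_class_id": header[4], "name": header[5],
        "severity": severity, "severity_name": SEVERITY_NAMES.get(severity, "Unknown"),
        "extension": ext,
        "labelled": _labelled_custom_strings(ext),
    }


# Constructed sample built from the alert mapping; host, paths, hash and user are made up.
SAMPLE_ALERT_LINE = (
    "<9>1 2020-03-22T07:55:07.964311Z cortexxdr "
    "CEF:0|Palo Alto Networks|Cortex XDR|2.1|TRAPS|WildFire Malware|8|"
    "end=1604389563166 shost=WIN10-LAB-01 deviceFacility=TrapsAgent cat=Malware "
    "externalId=EXT-0001 cs1=C:\\\\lab\\\\test.exe cs1Label=Initiated by "
    "cs2=\"C:\\\\lab\\\\test.exe\" arg\\=1 cs2Label=Initiator CMD cs3=SIGNATURE_UNSIGNED "
    "cs3Label=Signature fileHash=<sha256 placeholder> act=REPORTED suser=ENV21\\\\analyst"
)
```

The csN/csNLabel pairs are resolved into the labelled dictionary, so downstream detection logic can key on "Initiated by" or "Signature" instead of the cs slot number, which differs between the three mappings.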
The FUTURE_USE tag applies to fields that Cortex XDR does not currently implement.
With log forwarding to an email destination, the Cortex XDR tenant sends an email with each field
on a separate line in the email body.
• Threat Logs
• Config Logs
• Analytics Logs
• System Logs
Threat Logs
Syslog format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime,
agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64,
agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion,
protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode,
recordType: threat
messageData/class: threat
messageData/subClass:
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
serverTime: 2018-07-02T20:01:39.591Z
endPointHeader/agentTime: 2018-07-02T20:01:03Z
endPointHeader/tzOffset: 180
product:
facility: TrapsAgent
customerId: 245143
trapsId: mac510a2monday-01
serverHost: coreop-qaauta-2606-0-112132729246-266
serverComponentVersion: 2.0.2
regionId: 70
isEndpoint: 1
agentId: dc3af3198f172048082c21ff0956866b
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.11.6
endPointHeader/is64: 1
endPointHeader/agentIp: 10.200.37.201
endPointHeader/deviceName: A1260700MC1011
endPointHeader/deviceDomain:
severity: emergency
messageData/trapsSeverity: medium
endPointHeader/agentVersion: 5.1.0.1401
endPointHeader/contentVersion: 26-3625
endPointHeader/protectionStatus: 0
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01
messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict:
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget:
quarantine:
messageData/block: 0
messageData/postDetected: 0
messageData/eventParameters: "[""/Users/administrator/Desktop/JitMac/
j01_test"",""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]"
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/
Users/Administrator/Desktop/JitMac/j01_test test=system
depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files:
"[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"",
""rawFullPath"":""/Users/administrator/Desktop/JitMac/
j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit
Config Logs
Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory,
generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, severity, trapsSeverity, messageCode,
friendlyName, FUTURE_USE, msgTextEn, userFullName, userName, userRole, userDomain,
additionalData(Array), messageCode, errorText, errorData, resultData
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User username@paloaltonetworks.com has logged
in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}
Analytics Logs
Syslog format: recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime,
serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
recordType: analytics
messageData/class: agent_data
messageData/subClass:
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product:
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain:
severity:
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256:
87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/
googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult:
"{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",
""publishers"":[""developer id application: google, inc.
(eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
System Logs
Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory,
generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode,
friendlyName, FUTURE_USE, msgTextEn, userFullName, username, userRole, userDomain,
agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain,
agentVersion, contentVersion, protectionStatus, userFullName, username, userRole, userDomain,
messageName, messageId, processStatus, errorText, errorData, resultData, parameters,
additionalData(Array)
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User username@paloaltonetworks.com has logged
in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}
Analytics Logs
Format: recordType, class, FUTURE_USE, eventType, category, generatedTime,
serverTime, agentTime, tzoffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp,
deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256,
type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked,
executionCount
Email body format example:
recordType: analytics
messageData/class: agent_data
messageData/subClass:
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product:
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain:
severity:
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256:
87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/
googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult:
"{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",
""publishers"":[""developer id application: google, inc.
(eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
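In the email-body examples under Threat Logs and Analytics Logs above, values that carry JSON are CSV-quoted (the whole value wrapped in double quotes, every inner quote doubled) and long paths or JSON wrap onto the following lines. The parser below is an added example, not the guide's or Palo Alto Networks' code; it assumes the "path/key: value" layout shown above, re-joins wrapped lines by the heuristic stated in its comments, and its sample body is constructed from placeholder values.

```python
"""Parse the Cortex XDR email-body log layout: one "path/key: value" per line, with wrapped values."""
import json
import re
from typing import Any, Dict, List

# A key is a slash-separated path of word characters followed by ":"; the value may be absent.
KEY_LINE_RE = re.compile(r"^([A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*):(?:\s+(.*))?$")


def _join(prev: str, cont: str) -> str:
    """Re-attach a wrapped continuation line (heuristic): a path cut after "/" or a doubled-quote
    JSON fragment joins directly; anything else is a wrapped sentence and needs its space back."""
    if not prev:
        return cont
    if prev.endswith("/") or cont.startswith('""'):
        return prev + cont
    return prev + " " + cont


def _decode_value(value: str) -> Any:
    """JSON payloads are CSV-quoted: wrapped in quotes with every inner quote doubled."""
    if len(value) >= 3 and value[0] == '"' and value[-1] == '"' and value[1] in "[{":
        try:
            return json.loads(value[1:-1].replace('""', '"'))
        except json.JSONDecodeError:
            return value  # keep anything undecodable as the raw string rather than guess
    if value in ("[]", "{}"):
        return json.loads(value)
    return value  # scalars stay strings; "1" is not coerced because several fields are codes


def parse_email_body(body: str) -> Dict[str, Any]:
    """Return {"path/key": decoded value} for an email body in the layout the guide shows."""
    records: List[List[str]] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE_RE.match(line)
        if m:
            records.append([m.group(1), (m.group(2) or "").strip()])
        elif records:
            records[-1][1] = _join(records[-1][1], line)
        else:
            raise ValueError(f"continuation line before any key: {line!r}")
    return {key: _decode_value(value) for key, value in records}


# Constructed sample in the guide's layout; paths, hash, user and host are placeholders.
SAMPLE_EMAIL_BODY = "\n".join([
    "recordType: threat",
    "messageData/class: threat",
    "messageData/subClass:",
    "eventType: AgentSecurityEvent",
    "generatedTime: 2019-01-29T05:07:58.045-08:00",
    "messageData/preventionMode: blocked",
    'messageData/eventParameters: "[""/Users/labuser/Desktop/JitMac/',
    'j01_test"",""<sha256 placeholder>""]"',
    'messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/',
    "Users/labuser/Desktop/JitMac/j01_test test=system",
    'depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"',
    "messageData/files:",
    '"[{""sha256"":""<sha256 placeholder>"",',
    '""rawFullPath"":""/Users/labuser/Desktop/JitMac/',
    'j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"',
    "messageData/urls: []",
    "messageData/msgTextEn: User labuser@example.invalid has logged",
    "in with role superadmin",
    "messageData/description: Memory Corruption Exploit",
])
```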
Managed Security
> About Managed Security
> Cortex XDR Managed Security Access Requirements
> Switch to a Different Tenant
> Pair a Parent Tenant with Child Tenant
> Manage a Child Tenant
Child Customer Support Portal (CSP) Account
    Add the user name from the parent tenant who is initiating the parent-child pairing and
    ensure the user name has Super User role permissions.
If you don’t own more than one account, the tenant navigator function is not available.
STEP 2 | From the list of available tenants, choose the tenant to which you want to switch (navigate).
You can also type a tenant name in the Search line to filter the list of tenants according to
what you type.
STEP 3 | In the Pair Tenant window, select the child tenant you want to pair. The drop-down only
displays child tenants you are allowed to pair with.
Child tenants are grouped according to:
• Unpaired—Children that have not yet been paired and are available. If another parent has
requested to pair with the child but the child has not yet agreed, the tenant will appear.
• Paired—Children that have already been paired to this parent.
• Paired with others—Children that have been paired with other parents.
• Pending—Children with a pending pairing request.
STEP 5 | In the child tenant Cortex XDR console, a child tenant user with Admin role permissions
needs to approve the pairing by navigating to , locating the Request for Pairing notification,
and selecting Approve.
In the child tenant’s, pages managed by you appear with a read-only banner. Child tenant users
cannot perform any actions from these pages, but can view the configurations you create on
their behalf.
Once a configuration is created, Cortex XDR resets the child tenant data and synchronizes
the security actions configured in the parent tenant.
Field                       Description
BIOC RULES & EXCEPTIONS     Name of the configuration managing the BIOC rules and
                            exceptions actions.
STEP 2 | In the corresponding Configuration panel (1), + Create New (2) configuration.
STEP 4 | Create.
The new configuration (3) appears in the Configuration pane.
STEP 6 | In the Tenant Management table, right-click a child tenant row and Edit Configurations.
STEP 7 | Assign the configuration you want to use to manage each of the security actions.
You can configure Profiles only as Managed or Unmanaged. All profiles you create are
automatically cloned to your child tenants.
STEP 8 | Update.
The Tenant Management table is updated with your assigned configurations.
STEP 2 | In the corresponding Configuration panel, select the action configuration
you created and allocated to your child tenant.
The corresponding security action table displays the actions managing the child tenant.