3.3
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective
companies.
Last Revised
May 27, 2022
Cortex® XDR Pro Administrator’s Guide Version 3.3 2 ©2022 Palo Alto Networks, Inc.
Table of Contents
Cortex XDR Overview.................................................................................... 11
Cortex XDR Architecture........................................................................................................ 12
Cortex XDR Concepts.............................................................................................................. 14
XDR................................................................................................................................... 14
Sensors..............................................................................................................................14
Log Stitching....................................................................................................14
Causality Analysis Engine.............................................................................................15
Causality Chain...............................................................................................................15
Causality Group Owner (CGO)................................................................................... 15
Cortex XDR Licenses................................................................................................................16
Features by Cortex XDR License Type..................................................................... 16
Cortex XDR Endpoint Agent License Allocation.................................................... 21
Cortex XDR License Expiration..................................................................................22
Cortex XDR License Monitoring................................................................................ 22
Migrate Your Cortex XDR License.............................................................................23
Investigate Files.......................................................................................................................436
Manage File Execution...............................................................................................436
Manage Quarantined Files........................................................................................ 437
Review WildFire® Analysis Details......................................................................... 438
Import File Hash Exceptions.....................................................................................440
Forensic Data Analysis...........................................................................................................441
Forensics Add-on Options.........................................................................................446
Response Actions....................................................................................................................464
Initiate a Live Terminal Session................................................................................465
Isolate an Endpoint..................................................................................................... 470
Pause Endpoint Protection........................................................................................472
Remediate Changes from Malicious Activity........................................................ 473
Run Scripts on an Endpoint...................................................................................... 475
Search and Destroy Malicious Files........................................................................ 491
Manage External Dynamic Lists...............................................................................494
Analytics...........................................................................................................845
Analytics Concepts................................................................................................................. 846
Analytics Engine...........................................................................................................846
Analytics Sensors.........................................................................................................847
Coverage of MITRE Attack Tactics......................................................................... 849
Analytics Detection Time Intervals.........................................................................851
Analytics Alerts and Analytics BIOCs.................................................................... 853
Identity Analytics.........................................................................................................853
Asset Management........................................................................................855
Network Configuration..........................................................................................................856
Configure Your Network Parameters......................................................................856
Vulnerability Assessment...................................................................................................... 859
CVE Analysis.................................................................................................................860
Endpoint Analysis........................................................................................................ 861
Application Analysis....................................................................................................862
Manage User Scores...............................................................................................................864
Asset Inventory........................................................................................................................866
All Assets....................................................................................................................... 869
Specific Assets..............................................................................................................871
Cloud Inventory Assets......................................................................................................... 874
All Cloud Assets...........................................................................................................874
Specific Cloud Assets................................................................................................. 877
Manage Your Cloud Inventory Assets.................................................................... 880
Monitoring....................................................................................................... 891
Cortex XDR Dashboard.........................................................................................................892
Dashboard Widgets.................................................................................................... 892
Manage Your Widget Library....................................................................................902
Predefined Dashboards.............................................................................................. 903
Build a Custom Dashboard....................................................................................... 909
Manage Dashboards................................................................................................... 910
Run or Schedule Reports...........................................................................................911
Monitor Cortex XDR Incidents...............................................................................913
Monitor Cortex Gateway Management Activity............................................................. 914
Monitor Administrative Activity..........................................................................................915
Log Forwarding...............................................................................................923
Log Forwarding Data Types..................................................................................................924
Integrate Slack for Outbound Notifications..................................................................... 925
Integrate a Syslog Receiver.................................................................................................. 926
Configure Notification Forwarding..................................................................................... 929
Cortex XDR Log Notification Formats..................................................................931
Management Audit Log Messages.......................................................................... 931
Alert Notification Format.......................................................................................... 972
Agent Audit Log Notification Format..................................................................... 982
Management Audit Log Notification Format........................................................ 983
Cortex XDR Log Format for IOC and BIOC Alerts..............................................984
Cortex XDR Analytics Log Format.......................................................................... 994
Cortex XDR Log Formats........................................................................................ 1000
Cortex XDR Overview
The Cortex XDR app offers you complete visibility over network traffic, user behavior, and endpoint activity. It simplifies threat investigation by correlating logs from your sensors to reveal threat causalities and timelines. This enables you to easily identify the root cause of every alert. The app also allows you to perform immediate response actions. Finally, to stop future attacks, you can pro-actively define Cortex XDR Rules (BIOCs, IOCs, and Correlation Rules) to detect and respond to malicious activity.
Cortex XDR Architecture
Cortex® XDR consumes data from the Cortex® Data Layer to provide cloud-based storage within the Cortex XDR tenant including all sources streamed into Cortex XDR—endpoints, firewalls, cloud sources, and third-party data. Cortex XDR can correlate and stitch together this data from logs across your different log sensors to derive event causality and timelines.
A Cortex XDR deployment which uses the full set of sensors can include the following components.
• Cortex XDR—The Cortex XDR app provides complete visibility into all your data in the Cortex Data Layer. The app provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect the malicious activity in the future.
• Cortex Data Layer—A data layer within your Cortex XDR tenant that stores the logs from across all the data types.
• Cortex XDR Pro per TB:
  • Analytics engine—The Cortex XDR analytics engine is a security service that utilizes network data to automatically detect and report on post-intrusion threats. The analytics engine does this by identifying good (normal) behavior on your network, so that it can notice bad (anomalous) behavior.
  • Palo Alto Networks next-generation firewalls—On-premises or virtual firewalls that enforce network security policies in your campus, branch offices, and cloud data centers.
  • Palo Alto Networks Prisma Access and GlobalProtect—If you extend your firewall security policy to mobile users and remote networks using Prisma Access or GlobalProtect, you can also forward related traffic logs, including IoT logs, to Cortex Data Lake. The analytics engine can then analyze those logs and raise alerts on anomalous behavior.
  • External firewalls and alerts—Cortex XDR can ingest traffic logs from external firewall vendors—such as Check Point—and use the analytics engine to analyze those logs and raise alerts on anomalous behavior. For additional context in your incidents, you can also send alerts from external alert sources.
• Cortex XDR Pro per Endpoint:
  • Analytics engine—The Cortex XDR analytics engine can also consume endpoint data to automatically detect and report on post-intrusion threats. The analytics engine can use endpoint data to raise alerts for abnormal network behavior (for example, port scan activity).
  • Cortex XDR agents—Protect your endpoints from known and unknown malware and malicious behavior and techniques. Cortex XDR agents perform their own analysis locally on the endpoint but also consume WildFire threat intelligence. The Cortex XDR agent reports all endpoint activity to the Cortex Data Layer for analysis by Cortex XDR apps.
  • External alert sources—To add additional context to your incidents, you can send Cortex XDR alerts from external sources using the Cortex XDR API.
Cortex XDR Concepts
XDR
With Endpoint Detection and Response (EDR), enterprises rely on endpoint data as a means to trigger cybersecurity incidents. As cybercriminals and their tactics have become more sophisticated, the time to identify and contain breaches has only increased. Extended Detection and Response (XDR) goes beyond the traditional EDR approach of using only endpoint data to identify and respond to threats by applying machine learning across all your enterprise, network, cloud, and endpoint data. This approach enables you to quickly find and stop targeted attacks and insider abuse and remediate compromised endpoints.
Sensors
Cortex XDR uses your existing Palo Alto Networks products as sensors to collect logs and telemetry data. The sensors that are available to you depend on your Cortex XDR license type.
With a Cortex XDR Pro per TB license, a sensor can be any of the following:
• Virtual (VM-Series) or physical firewalls—Identifies known threats in your network and cloud data center environments
• Prisma Access or GlobalProtect—Identifies known threats in your mobile user and remote network traffic
• External vendors—You can forward logs from supported vendors and additional vendors that adhere to required formats.
With a Cortex XDR Pro per Endpoint license, a sensor can be any of the following:
• Cortex XDR agents—Identifies threats on your Windows, Mac, Linux, and Android endpoints and halts any malicious behavior or files
While more sensors increase the amount of data Cortex XDR can analyze, you only need to deploy one type of sensor to begin detecting and stopping threats with Cortex XDR.
Log Stitching
To provide a complete and comprehensive picture of the events and activity surrounding an event, Cortex XDR correlates firewall network logs, endpoint raw data, and cloud data across your detection sensors. The act of correlating logs from different sources is referred to as log stitching and helps you identify the source and destination of security processes and connections made over the network.
Log stitching allows you to:
• Run investigation queries based on stitched network and endpoint logs
• Create granular BIOC and Correlation Rules over logs from Palo Alto Networks Next-Generation Firewalls and raw endpoint data
• Investigate correlated network and endpoint events in the Network Causality View
Log stitching streamlines detection and reduces response time by eliminating the need for manual analysis across different data sensors. Stitching data across the firewalls and endpoints allows you to obtain data from different sensors in a unified view, each sensor adding another layer of visibility. For example, when a connection is seen through both the firewall and the endpoint, the endpoint can provide information on the processes involved and on the chain of execution, while the firewall can provide information on the amount of data transferred over the connection and the different app IDs involved.
Causality Chain
When a malicious file, behavior, or technique is detected, Cortex XDR correlates available data across your detection sensors to display the sequence of activity that led to the alert. This sequence of events is called the causality chain. The causality chain is built from processes, events, insights, and alerts associated with the activity. During alert investigation you should review the entire causality chain to fully understand why the alert occurred.
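As an added illustration of the two concepts above, log stitching and the causality chain, the following Python is example code written for this edit; it is not Cortex XDR's implementation, schema or data. It joins constructed firewall traffic logs to constructed endpoint connection events by their 5-tuple within a time window (the stitching step), attaches the process that owned the socket, and walks parent links from that process back to the root of its execution chain (the causality chain). The record layouts, field names, hostnames, PIDs and addresses are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# Constructed record layouts (assumptions for this example, not Cortex XDR schemas).
ProcessEvent = namedtuple("ProcessEvent", "host pid ppid image cmdline ts")
EndpointConn = namedtuple("EndpointConn", "host pid src_ip src_port dst_ip dst_port proto ts")
FirewallLog = namedtuple("FirewallLog", "src_ip src_port dst_ip dst_port proto app_id bytes_sent bytes_received ts")

# Constructed endpoint telemetry for one host: process starts and the connections each process opened.
PROCESSES = [
    ProcessEvent("WS-01", 1000, 1, "explorer.exe", "explorer.exe", 100.0),
    ProcessEvent("WS-01", 2200, 1000, "winword.exe", "winword.exe invoice.docx", 150.0),
    ProcessEvent("WS-01", 2310, 2200, "cmd.exe", "cmd.exe /c sync.bat", 160.0),
    ProcessEvent("WS-01", 2444, 2310, "powershell.exe", "powershell.exe -File sync.ps1", 161.0),
]
ENDPOINT_CONNS = [
    EndpointConn("WS-01", 2200, "10.1.1.5", 50100, "198.51.100.7", 443, "tcp", 151.0),
    EndpointConn("WS-01", 2444, "10.1.1.5", 50321, "203.0.113.10", 443, "tcp", 162.0),
]
# Constructed firewall traffic logs for the same flows, plus one flow with no endpoint visibility.
FIREWALL_LOGS = [
    FirewallLog("10.1.1.5", 50321, "203.0.113.10", 443, "tcp", "ssl", 1200, 84000, 162.4),
    FirewallLog("10.1.1.5", 50100, "198.51.100.7", 443, "tcp", "ms-office365", 900, 3100, 151.2),
    FirewallLog("10.1.1.9", 50555, "203.0.113.10", 443, "tcp", "ssl", 400, 1500, 900.0),
]


def process_index(processes):
    """Map (host, pid) to its start event; the sample assumes PIDs are not reused on a host."""
    return {(p.host, p.pid): p for p in processes}


def causality_chain(host, pid, processes):
    """Walk parent links from pid upward. The returned list runs from the root
    (the process with no known parent, i.e. the causality group owner) down to pid."""
    idx = process_index(processes)
    chain, seen = [], set()
    cur = idx.get((host, pid))
    while cur is not None and (cur.host, cur.pid) not in seen:  # seen-set guards against PID cycles
        seen.add((cur.host, cur.pid))
        chain.append(cur)
        cur = idx.get((host, cur.ppid))
    chain.reverse()
    return chain


def stitch(fw_logs, ep_conns, processes, window=5.0):
    """Join each firewall log to the endpoint connection with the same 5-tuple
    seen within `window` seconds, then attach the owning process and its chain."""
    idx = process_index(processes)
    by_tuple = defaultdict(list)
    for c in ep_conns:
        by_tuple[(c.src_ip, c.src_port, c.dst_ip, c.dst_port, c.proto)].append(c)
    out = []
    for fw in fw_logs:
        key = (fw.src_ip, fw.src_port, fw.dst_ip, fw.dst_port, fw.proto)
        near = [c for c in by_tuple.get(key, []) if abs(c.ts - fw.ts) <= window]
        if not near:
            out.append({"matched": False, "firewall": fw, "endpoint": None, "process": None, "chain": []})
            continue
        ep = min(near, key=lambda c: abs(c.ts - fw.ts))  # closest in time wins
        out.append({
            "matched": True, "firewall": fw, "endpoint": ep, "process": idx.get((ep.host, ep.pid)),
            "chain": [p.image for p in causality_chain(ep.host, ep.pid, processes)],
        })
    return out


def describe(rec):
    """One-line unified view: the firewall's app-id and byte counts next to the endpoint's process chain."""
    fw = rec["firewall"]
    flow = f"{fw.src_ip}:{fw.src_port} -> {fw.dst_ip}:{fw.dst_port} app={fw.app_id} bytes={fw.bytes_sent}/{fw.bytes_received}"
    if not rec["matched"]:
        return f"{flow} | no endpoint data for this flow"
    return f"{flow} | {rec['endpoint'].host} pid={rec['endpoint'].pid} chain={' > '.join(rec['chain'])}"


if __name__ == "__main__":
    for rec in stitch(FIREWALL_LOGS, ENDPOINT_CONNS, PROCESSES):
        print(describe(rec))
```

The third firewall log has no matching endpoint event, so it stays a network-only record; that is the case where a sensor of only one type leaves a layer of visibility missing. The 5-tuple plus time window is the join key because NAT-free internal flows are what both sensors observe identically; in a real deployment the window and the handling of reused source ports need tuning to the environment.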
Features by Cortex XDR License Type
The feature comparison table in this section lists, for each feature, whether it is included with Cortex XDR Prevent, Cortex XDR Pro per Endpoint, Cortex XDR Cloud per Host, and Cortex XDR Pro per TB. The features and licensing notes it covers are:
• Kubernetes Host Support
• Host Insights, including:
  • Host Inventory
  • Vulnerability Assessment
  • File Search and Destroy
  Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period, and with Cloud Host Protection for Cortex XDR for a 1-month trial period.
• Forensics
  Without the add-on license, Forensics is available with Cortex XDR Pro per Endpoint for a 1-month trial period, and with Cloud Host Protection for Cortex XDR for a 1-month trial period.
• Compute Unit
  Without the add-on license, Compute Unit is available with Cortex XDR Pro per Endpoint, with Cloud Host Protection for Cortex XDR, and with Cortex XDR Pro per TB, each for a 1-month trial period.
• Period Based Retention (Hot Storage)
• Period Based Retention (Cold Storage)
• GB Event Forwarding
• Endpoints Event Forwarding
• Endpoint management
• Device control
• Host firewall
• Disk encryption
Response Actions
• Live Terminal
• Endpoint isolation
• External dynamic list (EDL)
• Script execution
• Remediation analysis
• Incident Scoring Rules
• Featured Alert Fields
• Widget Library
Assets
• Asset Management
• Palo Alto Networks IoT Security
Analysis
• Analytics, including Identity Analytics
• Cortex XDR agent alerts
• Prisma Cloud and Prisma Cloud Compute
• Palo Alto Networks IoT Security
• Third-Party Cloud Security Data (AWS, Azure, Google)
• Enhanced data collection for EDR and other Pro features
• Other alerts (from Palo Alto Networks and third-party sources) (API)
• Other logs (from Palo Alto Networks and third-party sources)
Integrations
• Threat intelligence (AutoFocus, VirusTotal)
• Outbound integration and notification forwarding (Slack, Syslog); for two of the license types this also includes agent audit logs
• Broker VM
• Agent Proxy
• Syslog Collector
• Apache Kafka Collector
• CSV Collector
• Database Collector
• FTP Collector
• NetFlow Collector
• Network Mapper
• Pathfinder
• Windows Event Collector
MSSP
• MSSP (requires additional MSSP license)
• Managed Threat Hunting (requires an additional Managed Threat Hunting License; for one of the license types, also a minimum of 500 endpoints)
available licenses. The time at which a license returns to the license pool depends on the type of endpoint:
Endpoint Type                 License Return   Agent Removal from Cortex XDR console   Agent Removal from Cortex XDR Database
Standard and mobile devices   After 30 days    After 180 days                          After 180 days
After a license is revoked, if the agent connects to Cortex XDR, reconnection will succeed as long as the agent has not been deleted.
If a deleted agent tries to connect to Cortex XDR during the 180-day period, the agent can resume connection and maintain its agent ID. After the 180-day period, the agent ID is deleted alongside all the associated data. In order to reconnect the agent, you must use Cytool to reconnect it or reinstall it on the endpoint, and the agent will be assigned a new ID and a fresh start.
• For each license, Cortex XDR displays a tile with the expiration date of your license and additional details specific to your license type:
  • Cortex XDR Pro per Endpoint—Total number of installed agents in addition to the number and percentage of agents with Pro features enabled.
  • Cortex XDR Pro per TB—Amount of total storage included with your license.
  • Cortex XDR Cloud per Host—Total number of hosts collecting cloud-based data.
  • Combination of Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB—Cortex XDR Pro per Endpoint displays the total number of installed agents, while Cortex XDR Pro per TB displays how many agents are enabled with endpoint data collection, allowing them to collect and send data to the server.
Add-ons
• Hover over the information icon to view a list of all available add-ons including the start and expiration dates.
• For each add-on associated with your Cortex XDR instance, Cortex XDR displays a tile with details specific to the add-on type.
For information on your data usage and storage license, select Settings > Configurations > Data Management > Dataset Management. See Dataset Management.
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR displays license notifications when you log in. The notification identifies any changes made to your license and describes any required actions.
Cortex XDR also indicates when you have exceeded your Cortex XDR Pro per Endpoint license capacity. To view the Pro license status for specific endpoints, see View Details About an Endpoint. For more information, see Enforcement of Cortex XDR Pro Endpoint Licenses.
After migration to Cortex XDR 2.0, when selecting Settings > Cortex XDR License, the license displays the converted amounts of network data or its equivalent number of endpoints allocated to your license. The following table displays a conversion comparison between Cortex XDR 1.0 and 2.0 licenses.
Cortex XDR 1.0 License
• Cortex XDR 1.0 PAN-MGFR-XDR-1TB license - 100TB
• Hub > Cortex Data Lake > Traps > Endpoint Data - 10TB Endpoint Data.
After you convert your legacy license to the Cortex XDR 2.0 license structure, your new network and endpoint allocation is applied immediately. You can edit the allocation at any time; however, after you convert to the new license structure you cannot revert to your legacy license.
STEP 1 | In the Cortex XDR app, select Settings > Cortex XDR License.
STEP 2 | Convert your Cortex XDR 1.0 license to a Cortex XDR 2.0 license.
1. Select Convert License.
2. Use the Network Allocation slide bar to allocate your license between network and endpoints (1 network TB = 200 endpoints).
   If you allocate all of your license to network data, then you disable endpoint capabilities (and vice versa).
3. Apply your new license allocations.
STEP 3 | In your new Cortex XDR 2.0 license, review or Edit your license allocation:
• Number of Cortex XDR agents
• Amount of network TB
• Number of installed endpoints and endpoints enabled with EDR Data collection according to the number of agents allocated to your license, rather than the Cortex Data Lake distribution.
• Number of days remaining for Cortex XDR to retain your data.
STEP 4 | Should you require additional TB or agent coverage, contact your Sales representative.
Get Started with Cortex XDR Pro
> Setup Overview
> Plan Your Cortex XDR Deployment
> Deploy your Network Devices
> Activate Cortex XDR
> Manage User Roles
> Set Up Cloud Identity Engine
> Manage Your Log Storage within Cortex XDR
> Set up Endpoint Protection
> Configure Your Network Devices
> Set up Network Analysis
> Configure Cortex XDR
> Set up Outbound Integration
> Use the Interface
Setup Overview
Before you can use Cortex XDR for advanced detection and response, you must activate the Cortex XDR app and set up related apps and services.
You must perform the setup activities as shown in the following image. Some steps are required only if you have the corresponding license type.
STEP 2 | (Cortex XDR Pro per TB license only) Deploy your Network Devices.
STEP 3 | (Optional) Configure Cortex XDR to take firewall logs from an existing Cortex Data Lake.
You can configure Cortex XDR to take logs from other Palo Alto Networks products already logging to an existing Cortex Data Lake. Otherwise, you will Activate a new Data Lake as part of the Cortex XDR tenant activation when setting up Cortex XDR in the Cortex Gateway.
STEP 5 | (Optional) Set Up Cloud Identity Engine (formerly Directory Sync Services (DSS)).
1. Activate and Set Up a Cloud Identity Engine Instance.
2. Add the Cloud Identity Engine Instance to Cortex XDR.
STEP 6 | (Cortex XDR Pro per Endpoint only) Set up Endpoint Protection.
1. Plan your Cortex XDR agent deployment.
2. Create Cortex XDR agent installation packages.
3. Define endpoint groups.
4. Deploy the Cortex XDR agent to your endpoints.
5. Configure your endpoint security policy.
STEP 7 | (Cortex XDR Pro per TB license only) Configure your Network Devices.
STEP 8 | (Cortex XDR Pro per TB license only) Set up Network Analysis.
1. Perform any remaining setup of your network sensors.
2. Configure the internal networks that you want Cortex XDR to monitor.
3. Verify that Cortex XDR is receiving alerts.
4. If you set up a Directory Sync Service instance, enable Cortex XDR to use it.
New Cortex XDR tenants
• Determine the amount of log storage you need for your Cortex XDR deployment. Talk to your Partner or Sales Representative to determine whether you must purchase additional storage within the Cortex XDR tenant.
• Determine the region in which you want to host Cortex XDR and any associated services, such as Directory Sync Service.
STEP 2 | Upgrade firewalls and Panorama to the latest software and content releases.
PAN-OS 8.0.6 is the minimum required software release version for Palo Alto Networks firewalls and Panorama. However, to enable Cortex XDR to leverage the Directory Sync Service and Enhanced Application Logs, upgrade firewalls and Panorama to PAN-OS 8.1.1 or later and to the latest content release:
• Get the latest application and threat content updates.
• Upgrade to PAN-OS 8.1.1.
STEP 3 | Ensure that firewalls have visibility into internal traffic and applications.
It’s important that at least one firewall sending logs to the Cortex Data Lake is processing or has visibility into internal traffic and applications.
If you have deployed only internet gateway firewalls, one option might be to configure a tap interface to give a firewall visibility into data center traffic even though the firewall is not in the traffic flow. Connect the tap mode interface to a data center switch SPAN or mirror port that provides the firewall with the mirrored traffic, and make sure that the firewall is enabled to log the traffic and send it to the Cortex Data Lake.
Because data center firewalls already have visibility into internal network traffic, you don’t need to configure these firewalls in tap mode; however, contact Palo Alto Networks Professional Services for best practices to ensure that the Cortex Data Lake and Cortex XDR-required configuration updates do not affect data center firewall deployments.
Activating a Cortex XDR tenant is a one-time task you’ll need to perform when you first start using Cortex XDR. After you’ve activated your Cortex XDR tenant—and completed all the steps described in Setup Overview—you’ll only need to repeat the activation if you want to add additional Cortex XDR tenants.
The following are prerequisites to activate Cortex XDR:
• Locate the email that contains your activation information.
• Ensure you have CSP Super User role permissions on your existing administrator accounts. This role cannot be removed or changed through the Cortex Gateway.
To activate your Cortex XDR tenant:
STEP 1 | Navigate to the activation link you received in email and sign in to begin activation in the Cortex Gateway.
As the first user with CSP Super User permissions to access the Cortex Gateway, you are automatically granted XDR Account Admin permissions to the Cortex Gateway. With these permissions, you are able to activate Cortex XDR tenants, create new roles, and assign permissions to users allocated to your tenant.
The Cortex Gateway displays tenants Available for Activation and Available Tenants.
In the Available for Activation section, you can view all the tenants allocated to your CSP account that are ready for activation. You can review the tenant details, such as license type, number of endpoints, and purchase date.
The Available Tenants section lists tenants that have already been activated. If you have more than one CSP account, the tenants are displayed according to the CSP account name.
STEP 2 | In the Available for Activation section, locate the tenant you want to activate according to the serial number and Activate to launch the Tenant Activation wizard.
STEP 3 | In Tenant Activation > Select Support Account, ensure the tenant you want to activate is allocated to the correct CSP account. You can expand Cortex XDR and Cortex Data Lake to view the tenants and Cortex Data Lake instances associated with the CSP account.
If you manage multiple company CSP accounts, make sure you select the specific account to which you want to allocate the Cortex XDR tenant before proceeding with activation. Once activated, the tenant will be associated with the account and cannot be moved.
STEP 4 | In Tenant Activation > Define Tenant Settings, define the following tenant details:
• Tenant Name—Give your Cortex XDR app instance an easily recognizable name. Choose a name that is 59 or fewer characters and is unique across your company account.
• Region—Select a region in which you want to set up your Cortex Data Lake instance. If you selected an existing Cortex Data Lake instance, this field automatically displays the region in which your Cortex Data Lake instance is deployed and cannot be changed.
• Tenant Subdomain—Give your Cortex XDR instance an easy-to-recognize name that is used to access the tenant directly using the full URL (https://<subdomain>.xdr.<region>.paloaltonetworks.com).
Note this is a public FQDN, so be careful with sensitive information such as the company name.
• Cortex Data Lake—You can either Activate new Data Lake or select the Cortex Data Lake instance name you created that is already logging Palo Alto Networks products.
• Review and agree to the terms and conditions of the Privacy Policy, Terms of Use, and EULA.
STEP 6 | Select Back to main gateway and in the Available Tenants section, search for your tenant name. Hover over a tenant to display the Tenant Status and License Details. When the tenant displays an Active status, select the tenant name to confirm you can successfully access the Cortex XDR management console.
Permission Management
You can manage roles and permissions for a single tenant or a number of tenants at the same time using the Cortex XDR Permission Management console, which is accessible via the Cortex Gateway. The Permission Management console is used for first-time activations. To create and assign roles, you must first activate your Cortex XDR tenant and be assigned an XDR Account Admin role in the Cortex Gateway.
The Permission Management console is divided into two subcategories, Permissions and Roles, which you can view on separate pages.
In the Permissions page, Cortex XDR lists all the users allocated to a specific Customer Support Portal (CSP) account and tenant name. If a user is not listed, ensure that the user is added in the Customer Support Portal. The Permissions table provides different fields of information as detailed below. You can select whether to Show User Subset to display only the users who are not designated as a Hidden user (default). For example, this is useful when you have users who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list. You can also select whether to View By Users (default) or Tenants.
Groups and Group Roles can only be configured in Cortex XDR in the Settings > Configurations > Access Management > User Groups page. For more information, see Manage User Groups.
• User Name—Displays the first and last name of the user and whether the user is a CSP Super User and Account Admin. If the user is allocated to more than one tenant, expand the user name to display the details for each tenant.
• Email—Email address of the user.
• Tenant—Name of the tenant the user has permission to access. Expand the entry next to the user name to view the tenant name.
• Direct XDR Role—Name of the role assigned to the user. Expand the entry next to the user name to view the role assigned per tenant. If the user does not have any Cortex XDR access permission, the field displays No-Role.
• Groups—Lists the groups that a user belongs to, where any group imported from Active Directory has the letters AD added beside the group name.
• Group Roles—Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.
• Last Login Time—Last date and time the user accessed the tenant.
• Status—Displays whether the user is Active or Inactive.
In the Roles page, Cortex XDR lists the Predefined User Roles for Cortex XDR and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The Roles table provides the following fields of information.
• Role Name—Name of the role.
• Created By—Displays one of the following options depending on whether the role is a custom role created by a user or a predefined role.
• Palo Alto Networks—Predefined role granting user permissions in all tenants.
• <user email address>—Custom role created in the Cortex Gateway granting user permissions in all tenants.
• <user email address>—Custom role created in the Cortex XDR app granting user permissions in that specific tenant alone.
• Tenant—Name of the tenant the role applies to, according to where the role was created: Cortex Gateway or Cortex XDR app.
• Description—Description of the role.
• Creation Time—Date and time when the role was created. The field is available only for a custom role.
• Modification Time—Date and time when the role was last updated. The field is available only for a custom role.
STEP 1 | Select Tenant Navigator > Cortex Gateway > Permission Management.
Access Management
The Access Management console is accessible by selecting Settings > Configurations > Access Management. The console is divided into the following subcategories, which you can view on separate pages.
• Users—Manage users allocated to a specific tenant.
• Roles—Manage roles for a specific tenant.
• User Groups—Manage your user groups for a specific tenant.
Manage Users
In the Users page, Cortex XDR lists all the users allocated to a specific Customer Support Portal (CSP) account and tenant. If a user is not listed, ensure that the user is added in the Customer Support Portal. The Users table provides different fields of information as detailed below. At the top of the page, you can perform the following actions.
• Import Multiple User Roles as a CSV (comma-separated values) file. This import can be used to quickly add users who already belong to a CSP account and assign them preexisting roles in Cortex XDR. You can use the Download example file to view the required format of the CSV file to upload, and replace the file contents with the data you want to upload, where the following columns must be included.
• User email—The email address of the user belonging to a CSP account that you want to import.
• Role Name—The name of the role that you want to assign to this user, where the role must already be created in Cortex XDR.
• Is an account role (default=false)—A boolean value to define whether the user is designated with an XDR Account Admin role in the Cortex Gateway. To define this in the CSV file, set the value to TRUE; otherwise, the value is set to FALSE (default).
• Show User Subset to display only the users who are not designated as a Hidden user (default).
• Search for something in the search box.
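A pre-upload check for the three-column import file described above, as an added example (not Palo Alto Networks code): it validates each row against the documented columns, rejects roles that do not already exist in the tenant, applies the FALSE default for the account-role column, and lists rows that would grant XDR Account Admin so they can be reviewed before upload. The exact header spelling in the downloadable example file, the role names and the sample rows are assumptions.

```python
"""Validator for the Cortex XDR 'Import Multiple User Roles' CSV (added example)."""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Column names as documented for the import; header spelling is an assumption.
COL_EMAIL = "User email"
COL_ROLE = "Role Name"
COL_ACCOUNT = "Is an account role (default=false)"
COLUMNS = (COL_EMAIL, COL_ROLE, COL_ACCOUNT)

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Assignment:
    email: str
    role: str
    account_admin: bool  # True only when the CSV row says TRUE


def parse_bool(value) -> bool:
    """TRUE -> True; FALSE or empty -> False (the documented default); anything else is an error."""
    v = (value or "").strip().upper()
    if v == "TRUE":
        return True
    if v in ("", "FALSE"):
        return False
    raise ValueError(f"expected TRUE or FALSE, got {value!r}")


def validate_import(csv_text: str, existing_roles: Set[str]) -> Tuple[List[Assignment], List[str]]:
    """Return (assignments, errors); rows with an error are not returned as assignments."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing required column(s): {', '.join(missing)}"]
    assignments, errors, seen = [], [], set()
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row.get(COL_EMAIL) or "").strip().lower()
        role = (row.get(COL_ROLE) or "").strip()
        if not _EMAIL_RE.match(email):
            errors.append(f"line {n}: invalid email {email!r}")
            continue
        if role not in existing_roles:
            # The role must already exist in Cortex XDR; the import does not create it.
            errors.append(f"line {n}: role {role!r} does not exist in the tenant")
            continue
        try:
            account_admin = parse_bool(row.get(COL_ACCOUNT))
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        if email in seen:
            errors.append(f"line {n}: duplicate entry for {email}")
            continue
        seen.add(email)
        assignments.append(Assignment(email, role, account_admin))
    return assignments, errors


def privileged_grants(assignments: List[Assignment]) -> List[Assignment]:
    """Rows that would grant XDR Account Admin in the Cortex Gateway; review these before upload."""
    return [a for a in assignments if a.account_admin]


# Constructed sample input (not from the guide); the last three rows are deliberately bad.
SAMPLE_CSV = f"""{COL_EMAIL},{COL_ROLE},{COL_ACCOUNT}
alice@example.com,Investigator,
bob@example.com,Responder,FALSE
carol@example.com,Instance Administrator,TRUE
dave@example,Investigator,FALSE
erin@example.com,Nonexistent Role,FALSE
alice@example.com,Responder,
"""
SAMPLE_ROLES = {"Investigator", "Responder", "Instance Administrator", "Deployment Admin"}

if __name__ == "__main__":
    ok, errs = validate_import(SAMPLE_CSV, SAMPLE_ROLES)
    for a in ok:
        print(f"{a.email:<22} {a.role:<24} account_admin={a.account_admin}")
    for e in errs:
        print("ERROR:", e)
    for a in privileged_grants(ok):
        print("REVIEW privileged grant:", a.email)
```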
The following is a description of the different columns in the Users table.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
For a user with an XDR Account Admin role, you can only degregate their role
using the Cortex Gateway.
3. Add a particular user to a group by selecting the User Groups from the list.
4. Show Accumulated Permissions for the user(s) based on the Role and User Groups assigned to the user(s). Role permissions are comprised of Components permissions for all roles, and Dataset permissions are also included for custom roles. By default, All permissions are displayed, which lists the combined permissions of every Role and User Group assigned to the user. You can also select the specific roles assigned to the user, which enables you to compare available permissions based on the roles selected. This can help you understand how the role permissions for a particular user are built; for example, you can isolate, for a specific component, the permissions provided by a particular Role or User Group.
5. Update User to save your changes to the user role.
• Deactivate a user.
Locate the user you want to deactivate, right-click, and select Deactivate User.
you have users who are not related to Cortex XDR and will not be designated with a Cortex XDR role, such as CSP Super Users, and you want to hide them from the list.
• Copy text to clipboard to copy text from a specific row field in the row of a user.
• Copy entire row to copy the text from all the fields in a row of a user.
• Manage User Scope
Assign users to specific endpoint groups in your organization.
Manage Roles
You can manage roles for a specific tenant only using the Cortex XDR Access Management console. In addition, you can also manage user access permissions for the various XQL datasets as part of managing roles.
In the Roles page, Cortex XDR lists the Predefined User Roles for Cortex XDR and custom defined roles. Use roles to assign specific view and action access privileges to administrative user accounts. The way you configure administrative access depends on the security requirements of your organization. The built-in roles provide specific access rights that cannot be changed. The roles you create provide more granular access control.
The following is a description of the different columns in the Roles table.
• Role Name—Name of the role.
• Created By—Displays one of the following, depending on whether the role is a predefined role or a custom role created by a user.
• Palo Alto Networks—Predefined role granting user permissions in all tenants.
• <user email address>—Custom role created in the gateway granting user permission to this tenant.
• <user email address>—Custom role created in the Cortex XDR app granting user permission to this specific tenant.
• Description—Description of the role.
• Creation Time—Date and time when the role was created. The field is available only for a custom role.
• Update Date—Date and time when the role was last updated. The field is available only for a custom role.
• Custom—Displays a boolean value of either Yes or No to indicate whether the role is a custom role.
When creating a New Role or editing an existing role, you can manage roles for all Cortex XDR apps and services in the Components tab of the Create Role window. Role permissions for the various Cortex XDR components are listed according to the sidebar navigation in Cortex XDR. By assigning roles, you enforce the separation of viewing access and initiating actions among functional or regional areas of your organization. In addition, Cortex XDR supports XQL dataset permission enforcement as part of managing roles or specific permissions using role-based access control (RBAC). The Datasets tab of the Create Role window is where you can enable or disable the access permissions for the various datasets listed. The Datasets permissions control dataset access across all product components, as opposed to the Components RBAC tab, which controls access to a specific component. When a dataset component is enabled for a particular role, the Alerts and Incidents pages display all the alerts and incidents where information about the datasets is included. By default, the Enable dataset access management feature is disabled, and users have access to all datasets. Once you enable this feature, you need to define for each dataset type the access permissions you want to grant for the role.
STEP 1 | Select Settings > Configurations > Access Management > Roles.
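A small model of how a user's accumulated permissions are built from a direct role plus the single role of each User Group, and of the Datasets rule (everything accessible while Enable dataset access management is off; only a custom role's per-dataset grants once it is on), covering both the Show Accumulated Permissions step in Manage Users and the Datasets tab described above. This is an added example, not Palo Alto Networks code; the privilege labels, component names, sample roles and the merge rule are assumptions.

```python
"""Model of Cortex XDR accumulated permissions and dataset access (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

VIEW, ACT = "view", "action"  # assumed labels for "view and action access privileges"


@dataclass(frozen=True)
class Role:
    name: str
    custom: bool                                             # predefined roles cannot be changed
    components: Dict[str, FrozenSet[str]]                    # component -> privileges granted
    datasets: Dict[str, bool] = field(default_factory=dict)  # dataset -> allowed (custom roles only)


@dataclass
class User:
    email: str
    direct_role: Optional[Role]
    group_roles: Dict[str, Role]  # user group -> its single designated role


def _selected_roles(user: User, only_roles: Optional[Set[str]]) -> List[Tuple[str, Role]]:
    """(source label, role) pairs for the user, optionally restricted to the named roles."""
    pairs = []
    if user.direct_role is not None:
        pairs.append(("Direct XDR Role", user.direct_role))
    pairs.extend((f"Group {g}", r) for g, r in user.group_roles.items())
    if only_roles is not None:
        pairs = [(src, r) for src, r in pairs if r.name in only_roles]
    return pairs


def accumulated_permissions(user: User, only_roles: Optional[Set[str]] = None,
                            dataset_mgmt_enabled: bool = False,
                            all_datasets: Iterable[str] = ()) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Union of component privileges, plus the datasets the user can reach.

    only_roles=None mirrors the 'All permissions' default; passing role names
    isolates what those roles contribute, as the console lets you compare.
    """
    components: Dict[str, Set[str]] = {}
    datasets: Set[str] = set()
    for _, role in _selected_roles(user, only_roles):
        for comp, privs in role.components.items():
            components.setdefault(comp, set()).update(privs)
        if dataset_mgmt_enabled and role.custom:  # only custom roles carry dataset grants
            datasets.update(ds for ds, allowed in role.datasets.items() if allowed)
    if not dataset_mgmt_enabled:
        datasets = set(all_datasets)  # feature disabled (the default): every dataset is accessible
    return components, datasets


def privilege_sources(user: User, component: str) -> Dict[str, List[str]]:
    """Which role or group grants each privilege on one component (isolating a component)."""
    sources: Dict[str, List[str]] = {}
    for src, role in _selected_roles(user, None):
        for priv in sorted(role.components.get(component, ())):
            sources.setdefault(priv, []).append(f"{src}: {role.name}")
    return sources


# Constructed sample data (not from the guide).
INVESTIGATOR = Role("Investigator", custom=False,
                    components={"Incidents": frozenset({VIEW}), "Alerts": frozenset({VIEW})})
SOC_TIER2 = Role("SOC Tier 2", custom=True,
                 components={"Incidents": frozenset({VIEW, ACT}),
                             "Response Action Center": frozenset({VIEW, ACT})},
                 datasets={"xdr_data": True, "cloud_audit_logs": False})
ANALYST = User("alice@example.com", INVESTIGATOR, {"SOC-Tier2 (AD)": SOC_TIER2})
ALL_DATASETS = ("xdr_data", "cloud_audit_logs", "host_inventory")

if __name__ == "__main__":
    comps, ds = accumulated_permissions(ANALYST, all_datasets=ALL_DATASETS)
    print("All permissions:", {c: sorted(p) for c, p in comps.items()}, "datasets:", sorted(ds))
    _, ds_on = accumulated_permissions(ANALYST, dataset_mgmt_enabled=True, all_datasets=ALL_DATASETS)
    print("With dataset access management enabled:", sorted(ds_on))
    print("Who grants what on Incidents:", privilege_sources(ANALYST, "Incidents"))
```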
This feature is only available if you enabled the Cloud Identity Engine in Configurations > Integrations > Cloud Identity Engine.
• Create a new user group for a number of different system users or groups.
The User Groups table provides the following fields of information.
• Group Name—Name of the user group.
• Description—Description of the user group.
• Role—Lists the group role associated with this user group. You can only have a single role designated per group.
• Users—Lists all the users belonging to this user group.
• Nested Groups—Lists any nested groups associated with this user group.
• Insert Time—Date and time when the user group was added.
• Update Time—Date and time when the user group was last updated.
• Source—Displays the source of the user group as either a user group imported from Active Directory or a Custom user group created in Cortex XDR.
You can also pivot (right-click) from rows and specific values in the table, where a number of different options are available to help you manage your Cortex XDR user groups from this page.
• Save an existing group as a new group.
• Edit a group.
• Remove a group.
• Copy text to clipboard.
• Copy entire row.
STEP 1 | Select Settings > Configurations > Access Management > User Groups.
In the User Groups page, a number of different options are available to help you manage user groups.
This feature is only available if you enabled the Cloud Identity Engine in Configurations > Integrations > Cloud Identity Engine.
1. Import AD Group.
2. Set the following parameters in the Import Group from Active Directory window.
- Import AD Group—Specify the particular Active Directory group in the field and select whether the AD group can be found in All, OUs, or Groups.
- Specify a Description.
- Role—Select a role that you want to designate for this user group, where only a single role can be assigned to a group.
3. Import the user group.
• Create a new user group for a number of different system users or groups.
1. Select New Group.
2. Set the following parameters in the New Custom Group window.
- Specify the Name and Description for the user group.
- Role—Select a role that you want to designate for this user group, where only a single role can be assigned to a group.
- Users—Select the user(s) that you want to belong to this user group, where you can also use the search field to narrow down the list of users.
- Nested Groups—(optional) Select the nested group(s) that you want associated with this user group.
3. Create the user group.
• Save an existing group as a new group.
1. Select the user group or right-click the user group, and select Save as New Group.
2. Set the following parameters in the New Custom Group window.
- Specify the Name and Description for the user group.
- Role—Leave the designated role or select a new role that you want to designate for this user group.
- Users—Leave the current user(s) or select the user(s) that you want to belong to this user group. You can also use the search field to narrow down the list of users.
- Nested Groups—Leave the current nested group(s), select the nested group(s) that you want associated with this user group, or remove all nested groups if you don't want any defined.
3. Create the user group.
• Edit a user group.
1. Select the user group or right-click the user group, and select Edit Group.
2. Set the following parameters in the Edit Custom Group window.
- Update the Name and Description for the user group.
- Role—Leave the designated role or select a new role that you want to designate for this user group.
- Users—Leave the current user(s) or select the user(s) that you want to belong to this user group. You can also use the search field to narrow down the list of users.
- Nested Groups—Leave the current nested group(s), select the nested group(s) that you want associated with this user group, or remove all nested groups if you don't want any defined.
3. Save your changes.
• Remove a user group.
1. To remove more than one user group, select the user groups, right-click, and select Remove Groups.
To remove one user group, select the user group or right-click the user group, and select Remove Group.
2. Click Delete in the window that is displayed.
• Copy text to clipboard to copy text from a specific row field in the row of a user group.
• Copy entire row to copy the text from all the fields in a row of a user group.
Some features are license-dependent. Accordingly, users may not see a specific feature if the feature is not supported by the license type or if they do not have access based on their assigned role.
[Permission table for a predefined role whose heading is missing from the extracted text. The per-column permission values were lost in extraction and are not reproduced here. Rows cover: Dashboards & Reports (Dashboards, Ingestion Monitoring, Reports); Incident Response (Personal Query Library, Forensics, Host Insights, Response Action Center: Isolate, Terminate Process, Quarantine, EDL, File Retrieval, File Search, Destroy Files, Allow List/Block List, Disable Response Actions, Remediation, Delete Quarantined files; Agent Scripts Library: Run Standard Script, Run High-Risk Script, Script Configurations; Live Terminal); Detections & Threat Intel (Detection Rules, Prevention Rules, Request WildFire Verdict Change); Assets (Network Configuration, Compliance, Asset Inventory); Endpoints (Endpoint Administration: Endpoint Management, Retrieve Endpoint Data, Endpoint Scan, Change Managing Server, Pause Protection; Endpoint Groups, Endpoint Installations, Endpoint Prevention Policies, Global Exceptions, Endpoint extension policies, Endpoint Profiles, Host Firewall, Device Control Rules, Device Control Exceptions); Settings (General Auditing Settings, General Configuration, Alert Notifications, Pathfinder Applet, Pathfinder Data Collection, Data Collection: Log Collections, External Alerts Mapping, Threat Intelligence, EDL Configuration).]
Instance Administrator
The Cortex XDR predefined user role called Instance Administrator provides full access to the app
instance for which this role is assigned.
The Instance Administrator can also make other users an Instance Administrator for the app
instance. If the app has predefined or custom roles, the Instance Administrator can assign those
roles to other users.
The Instance Administrator can only assign permissions to the other user from the Cortex
XDR Management Console.
[Permission table for the Instance Administrator role. The per-column permission values were lost in extraction and are not reproduced here; the rows are the same component groups used in every role table in this section (Dashboards & Reports, Incident Response, Detections & Threat Intel, Assets, Endpoints, Settings).]
Deployment Admin
The Cortex XDR predefined user role called Deployment Admin is used to manage and control endpoints and installations, and configure broker VMs.
[Permission table for the Deployment Admin role. The per-column permission values were lost in extraction and are not reproduced here; the rows are the same component groups used in every role table in this section (Dashboards & Reports, Incident Response, Detections & Threat Intel, Assets, Endpoints, Settings).]
Investigator
The Cortex XDR predefined user role called Investigator is used to view and triage alerts and incidents.
Table 4: Investigator
[Permission table for the Investigator role (Table 4). The per-column permission values were lost in extraction and are not reproduced here; the rows are the same component groups used in every role table in this section (Dashboards & Reports, Incident Response, Detections & Threat Intel, Assets, Endpoints, Settings).]
Investigation Admin
The Cortex XDR predefined user role called Investigation Admin is used to view and triage alerts and incidents, configure rules, view endpoint profiles and policies, and Analytics management screens.
[Permission table for the Investigation Admin role. The per-column permission values were lost in extraction and are not reproduced here; the rows are the same component groups used in every role table in this section (Dashboards & Reports, Incident Response, Detections & Threat Intel, Assets, Endpoints, Settings).]
Responder
The Cortex XDR predefined user role called Responder is used to view and triage alerts, and access all response capabilities excluding Live Terminal.
Table 6: Responder
[Permission table for the Responder role (Table 6). The per-column permission values were lost in extraction and are not reproduced here; the rows are the same component groups used in every role table in this section (Dashboards & Reports, Incident Response, Detections & Threat Intel, Assets, Endpoints, Settings).]
Privileged Investigator
The Cortex XDR predefined user role called Privileged Investigator is used to view and triage alerts, incidents and rules, view endpoint profiles and policies, and Analytics management screens.
[Permission table for the Privileged Investigator role. The per-column permission values were lost in extraction and are not reproduced here; the rows are the same component groups used in every role table in this section (Dashboards & Reports, Incident Response, Detections & Threat Intel, Assets, Endpoints, Settings).]
Privileged Responder
The Cortex XDR predefined user role called Privileged Responder is used to view and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles.
Cortex® XDR Pro Administrator’s Guide Version 3.3 83 ©2022 Palo Alto Networks, Inc.
Get Started with Cortex XDR Pro
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate
        Terminate Process
        Quarantine
        EDL
        File Retrieval
        File Search
        Destroy Files
        Allow List/Block List
        Disable Response Actions —
        Remediation
        Delete Quarantined files —
    Agent Scripts Library — —
        Run Standard Script
        Run High-Risk Script
        Script Configurations
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules —
        Request WildFire Verdict Change
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management —
        Retrieve Endpoint Data
        Endpoint Scan
        Change Managing Server —
        Pause Protection
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules
        Exceptions
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet —
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
IT Admin
The Cortex XDR predefined user role called IT Admin is used to manage and control endpoints and installations, configure broker VMs, view endpoint profiles and policies, and view alerts.
Table 9: IT Admin
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate —
        Terminate Process —
        Quarantine —
        EDL —
        File Retrieval —
        File Search —
        Destroy Files
        Allow List/Block List —
        Disable Response Actions —
        Remediation —
        Delete Quarantined files —
    Agent Scripts Library — —
        Run Standard Script —
        Run High-Risk Script —
        Script Configurations —
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules —
        Request WildFire Verdict Change —
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management
        Retrieve Endpoint Data
        Endpoint Scan —
        Change Managing Server —
        Pause Protection —
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules —
        Exceptions —
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
Privileged IT Admin
The Cortex XDR predefined user role called Privileged IT Admin is used to manage and control endpoints and installations, configure brokers, create profiles and policies, view alerts, and initiate Live Terminal.
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate —
        Terminate Process —
        Quarantine —
        EDL —
        File Retrieval
        File Search
        Destroy Files
        Allow List/Block List —
        Disable Response Actions —
        Remediation
        Delete Quarantined files —
    Agent Scripts Library — —
        Run Standard Script
        Run High-Risk Script
        Script Configurations
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules
        Request WildFire Verdict Change
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management
        Retrieve Endpoint Data
        Endpoint Scan —
        Change Managing Server
        Pause Protection
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules
        Exceptions
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate
        Terminate Process
        Quarantine
        EDL
        File Retrieval
        File Search
        Destroy Files
        Allow List/Block List
        Disable Response Actions —
        Remediation
        Delete Quarantined files —
    Agent Scripts Library — —
        Run Standard Script
        Run High-Risk Script
        Script Configurations
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules
        Request WildFire Verdict Change
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management —
        Retrieve Endpoint Data
        Endpoint Scan
        Change Managing Server —
        Pause Protection
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules
        Exceptions
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet —
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
Viewer
The Cortex XDR predefined user role called Viewer is used to view the majority of the features of the Cortex XDR app for this instance.
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate —
        Terminate Process —
        Quarantine —
        EDL —
        File Retrieval —
        File Search —
        Destroy Files —
        Allow List/Block List —
        Disable Response Actions —
        Remediation —
        Delete Quarantined files
    Agent Scripts Library — —
        Run Standard Script —
        Run High-Risk Script —
        Script Configurations —
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules —
        Request WildFire Verdict Change —
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management —
        Retrieve Endpoint Data —
        Endpoint Scan —
        Change Managing Server —
        Pause Protection —
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules —
        Exceptions —
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet —
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate
        Terminate Process
        Quarantine
        EDL —
        File Retrieval
        File Search
        Destroy Files
        Allow List/Block List —
        Disable Response Actions
        Remediation —
        Delete Quarantined files
    Agent Scripts Library — —
        Run Standard Script
        Run High-Risk Script
        Script Configurations —
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules —
        Request WildFire Verdict Change —
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management
        Retrieve Endpoint Data
        Endpoint Scan
        Change Managing Server
        Pause Protection —
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules —
        Exceptions —
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet —
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
Security Admin
The Cortex XDR predefined user role called Security Admin is used to triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies.
DASHBOARDS & REPORTS
    Dashboards — — —
    Ingestion Monitoring — — —
    Reports — — —
INCIDENT RESPONSE
    Personal Query Library — — —
    Forensics — — —
    Host Insights — — —
    Response Action Center — —
        Isolate
        Terminate Process
        Quarantine
        EDL
        File Retrieval —
        File Search —
        Destroy Files —
        Allow List/Block List
        Disable Response Actions —
        Remediation —
        Delete Quarantined files —
    Agent Scripts Library — —
        Run Standard Script —
        Run High-Risk Script —
        Script Configurations —
    Live Terminal — — —
DETECTIONS & THREAT INTEL
    Detections Rules — —
        Prevention Rules
        Request WildFire Verdict Change
Assets
    Network Configuration — — —
    Compliance — — —
    Asset Inventory — — —
Endpoints
    Endpoint Administrations — —
        Endpoint Management
        Retrieve Endpoint Data
        Endpoint Scan
        Change Managing Server —
        Pause Protection —
    Endpoint Groups — — —
    Endpoint Installations — — —
    Endpoint Prevention Policies — — —
    Global Exceptions — — —
    Endpoint extension policies — — —
    Endpoint Profiles — — —
    Host Firewall — — —
    Device Control — —
        Rules
        Exceptions —
        Settings
General Settings
    Auditing — — —
    General Configuration — — —
    Alert Notifications — — —
    Pathfinder Applet —
    Pathfinder Data Collection — — —
Data Collection
    Log Collections — — —
    External Alerts Mapping — — —
    Threat Intelligence — — —
    EDL Configuration — — —
Important: The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within this functional area. For example, a scoped user with permission to view incidents can view all incidents in the system without limitation to a scope, but will not be able to create an alert or device exception.
Also note that the Agent Installation widget is not available for scoped users.
STEP 2 | Select and right-click the user or users to whom you want to assign a scope, and then select Assign Endpoint Scope.
The Assign Endpoint Scope dialog box appears.
STEP 4 | Apply.
The users to whom you have scoped particular endpoints are now able to use Cortex XDR only within the scope of their assigned endpoints.
Make sure to assign the required default permissions for scoped users. This depends on the structure and divisions within your organization, and the particular purpose of each organizational unit to which scoped users belong.
For more information about user roles, see Manage User Roles.
When using the Cloud Identity Engine (previously called Directory Sync Service (DSS)) with a Cortex XDR Pro license, you can use XQL Search to query the data using the pan_dss_raw dataset.
After you finish the setup, Cortex XDR automatically updates when the Cloud Identity Engine updates.
To set up the Cloud Identity Engine:
STEP 1 | Navigate and log into the hub.
STEP 2 | Activate and configure your Cloud Identity Engine instance as described in the Cloud Identity Engine Getting Started guide.
Activating a Cloud Identity Engine instance on your Cortex XDR account will allow you to pair your Cortex XDR tenant with the Active Directory information collected by the Cloud Identity Engine instance. During the Activation step, make sure to take note of the instance name you create.
STEP 3 | After you complete the Cloud Identity Engine Getting Started steps, navigate and log into your Cortex XDR management console.
Wait about ten minutes after you have activated the instance before you do this.
1. In the Cortex XDR app, select Settings > Configuration > Integrations > Cloud Identity Engine.
2. Add the Cloud Identity Engine instance you want Cortex XDR to use.
3. In the Add Cloud Identity Engine dialog, select the App Instance Name you created in the hub and Save.
Cortex XDR Pro per Endpoint (PAN-XDR-ADV-EP)
Grants ingestion and 30 days retention. If you want to save more than 30 days of endpoint data, you need to obtain additional Cold or Hot Storage according to your requirements for all of your endpoints. For example, if you obtain 20,000 endpoints for 30 days and then require an additional 6 months retention, you need to purchase retention for 6 months for 20,000 endpoints.
The following are the storage options available with this license.
• Hot storage EP—Minimum of 1 month storage.
• Cold storage EP—Minimum of 6 months storage.
Cortex XDR Cloud per Host (PAN-XDR-ADV-EP-CLOUD)
Grants ingestion and 30 days retention. If you want to save more than 30 days of cloud data, you need to obtain additional Cold or Hot Storage according to your requirements for all of your hosts.
The following are the storage options available with this license.
• Hot storage EP—Minimum of 1 month storage.
• Cold storage EP—Minimum of 6 months storage.
Cortex XDR Pro per TB (PAN-XDR-ADV-1TB)
Where each license adheres to the following guidelines.
• Allows ingesting up to 1 TB per month and no more than 33GB per day.
For retention, each license provides you with a default retention of 30 days. If you want to save more than 30 days of Pro per TB data, you need to obtain additional Cold or Hot
For more information on your storage license details, see Dataset Management.
To increase your capacity, contact your Palo Alto Networks account representative.
To view your current Cortex XDR license:
From Cortex XDR, select Settings > Cortex XDR License.
Data usage and storage license details are available in Dataset Management.
STEP 6 | Define Endpoint Groups to which you can apply endpoint security policy.
STEP 7 | Customize your Endpoint Security Profiles and assign them to your endpoints.
Cortex XDR provides out-of-the-box exploit and malware protection. However, at minimum, you must enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XDR apps. Data collection for Windows endpoints is available with Traps 6.0 and later releases and on endpoints running Windows 7 SP1 and later releases. Data collection on macOS and Linux endpoints is available with Traps 6.1 and later releases.
STEP 8 | (Optional) Configure Device Control profiles to restrict file execution on USB-connected devices.
STEP 9 | Verify that the Cortex XDR agent can connect to your Cortex XDR instance.
If successful, Cortex XDR displays a Connected status. In your Cortex XDR console, navigate to Endpoints > All Endpoints to view the status of all your agents.
STEP 10 | Configure the internal networks that you want Cortex XDR to monitor.
1. From the Cortex XDR management console, navigate to Assets > Network Configuration > IP Address Ranges.
2. Define your IP Address Ranges.
This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
3. Define your Domain Names.
STEP 11 | If you have a Cortex XDR Pro per TB license, proceed to Set up Network Analysis. Otherwise, proceed to Configure XDR.
0. Calculate the bandwidth required to support the number of agents you plan to deploy.
   Duration: as needed.
   For every 100,000 agents, you will need to allocate 120Mbps of bandwidth. The bandwidth requirement scales linearly. For example, to support 300,000 agents, plan to allocate 360Mbps of bandwidth (three times the amount required for 100,000 agents).
1. Install Cortex XDR on endpoints.
   Duration: 1 week.
   Install the Cortex XDR agent on a small number of endpoints (3 to 10).
3. Complete the Cortex XDR installation.
   Duration: 2 or more weeks.
   Broadly distribute the Cortex XDR agent throughout the organization until all endpoints are protected.
4. Define corporate policy and protected processes.
   Duration: Up to 1 week.
   Add protection rules for third-party or in-house applications and then test them.
5. Refine corporate policy and protected processes.
   Duration: Up to 1 week.
   Deploy security policy rules to a small number of endpoints that use the applications frequently. Fine tune the policy as needed.
6. Finalize corporate policy and protected processes.
   Duration: A few minutes.
   Deploy protection rules globally.
STEP 2 | In your firewall configuration, enable access to Cortex XDR communication servers, storage buckets, and resources.
For the complete list of resources, refer to Resources Required to Enable Access to Cortex.
With Palo Alto Networks firewalls, we recommend that you use the following App-IDs to allow communication between Cortex XDR agents and the Cortex XDR management console when you configure your security policy:
• cortex-xdr—Requires PAN-OS Applications and Threats content update version 8279 or a later release.
• traps-management-service—Requires PAN-OS Applications and Threats content update version 793 or a later release.
If you use App-ID in your security policy, you must also allow access for additional resources that are not covered by the App-ID. If you do not use Palo Alto Networks firewalls with App-ID, you must allow access to the full list of resources.
STEP 3 | (Optional for endpoints running the following or later releases: Cortex XDR 7.5.1 Hotfix 1 and later, Cortex XDR 7.4.3 Hotfix 1 and later, Cortex XDR 7.3.4 Hotfix 1 and later, Traps 6.1.8 Hotfix 1 and later, Traps 6.1.7 Hotfix 1 and later, and Traps 5.0.12 Hotfix 1 and later) To establish secure communication (TLS) to Cortex XDR, the endpoints and any other devices that initiate a TLS connection with Cortex must have the following certificates installed on the operating system.
Certificate    Fingerprint
the certificate revocation check, the endpoint needs HTTP access to a dynamic list of URLs, based on the PEs that are executed or scanned on the endpoint.
1. If a system-wide proxy is defined for the endpoint (statically or using a PAC file), Microsoft Windows downloads the CRL lists through the proxy.
2. If a specific proxy is defined for the Cortex XDR agent, and the endpoint has no access to the internet over HTTP, then Microsoft Windows will fail to download the CRL lists. As a result, the certificate revocation check will fail and the certificate will be considered valid by the agent, while creating latency in executing PEs. If the Cortex XDR agent is running in an isolated environment that prohibits the successful completion of certificate revocation checks, the Palo Alto Networks Support team can provide a configuration file that will disable the revocation checks and avoid unnecessary latency in the execution time of PEs.
STEP 5 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Enable peer-to-peer (P2P) content updates.
By default, the Cortex XDR agent retrieves content updates from its peer Cortex XDR agents on the same subnet. To enable P2P, you must enable UDP and TCP over port 33221. You can change the port number or choose to download the content directly from the Cortex XDR server in the Agent Settings profile.
STEP 6 | Verify that you can access your Cortex XDR tenant.
After you download and install the Cortex XDR agent software on your endpoints and configure your endpoint security policy, verify that the Cortex XDR agents can check in with Cortex XDR to receive the endpoint policy.
STEP 7 | If you use SSL decryption and experience difficulty connecting the Cortex XDR agent to the server, we recommend that you add the FQDNs required for access to your SSL Decryption Exclusion list.
In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.
Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which the IP addresses are used. All customer data is stored in your deployment region regardless of IP address registration, and data transmission through any infrastructure is restricted to that region. For considerations, see Plan Your Cortex XDR Deployment.
Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex XDR tenant and <region> is the region in which your Cortex Data Lake is deployed (see Plan Your Cortex XDR Deployment for supported regions).
Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.
• See Required Resources by Region Table
• Required Resources for Federal (United States - Government)
For IP address ranges in GCP, refer to the following lists for IP address coverage for your deployment:
• https://www.gstatic.com/ipranges/goog.json—Refer to this list to look up and allow access to the IP address range subnets.
• https://www.gstatic.com/ipranges/cloud.json—Refer to this list to look up and allow access to the IP address ranges associated with your region.
distributions.traps.paloaltonetworks.com
• IP address—35.223.6.69
• Port—443
App-ID: traps-management-service
Used for the first request in the registration flow, where the agent passes the distribution id and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com of its tenant.
Broker VM Resources
Required for deployments that use Broker VM features
distributions.traps.paloaltonetworks.com
• IP address—35.223.6.69
• Port—443
App-ID: traps-management-service
identity.paloaltonetworks.com (SSO)
• IP address—34.107.215.35
• Port—443
App-ID: —
login.paloaltonetworks.com (SSO)
• IP address—34.107.190.184
• Port—443
App-ID: —
data.pendo.io
• Port—443
App-ID: —
pendo-static-5664029141630976.storage.googleapis.com
• Port—443
App-ID: —
Email Notifications
FQDN: —
IP address by region:
• US—67.231.148.124
• EU—67.231.156.123
App-ID: —
To Collect 3rd Party Data from Customer's SaaS and Cloud resources
app-proxy.federal.paloaltonetworks.com
• IP address—104.155.148.118
• Port—443
App-ID: —
api-<xdr-tenant>.xdr.federal.paloaltonetworks.com
• IP address—130.211.195.231
• Port—443
App-ID: —
Used for API requests and responses.
Broker VM Resources
Required for deployments that use Broker VM features
br-<xdr-tenant>.xdr.federal.paloaltonetworks.com:443
• IP address—34.71.185.11
• Port—443
App-ID: —
identity.paloaltonetworks.com (SSO)
• IP address—34.107.215.35
• Port—443
App-ID: —
login.paloaltonetworks.com (SSO)
• IP address—34.107.190.184
• Port—443
App-ID: —
data.pendo.io
• Port—443
App-ID: —
pendo-static-5664029141630976.storage.googleapis.com
• Port—443
App-ID: —
To Collect 3rd Party Data from Customer's SaaS and Cloud resources
FQDN: —
IP addresses:
• 34.68.217.16
• 34.69.175.202
App-ID: cortex-xdr
Proxy Communication
You can configure communication through proxy servers between the Cortex XDR server and the Cortex XDR agents running on Windows, Mac, and Linux endpoints. The Cortex XDR agent uses the proxy settings defined as part of the Internet & Network settings or the WPAD protocol on the endpoint. You can also configure a list of proxy servers that your Cortex XDR agent will use to communicate with the Cortex XDR server.
Cortex XDR supports the following types of proxy configurations:
• System-wide proxy—Use a system-wide proxy to send all communication on the endpoint, including to and from the Cortex XDR agent, through a proxy server configured for the endpoint. Cortex XDR supports proxy communication for proxy settings defined explicitly on the endpoint, as well as proxy settings configured in a proxy auto-config (PAC) file.
• Application-specific proxy—(Available with Traps agent 5.0.9, Traps agent 6.1.2, and Cortex XDR agent 7.0 and later releases) Configure a Cortex XDR-specific proxy that applies only to the Cortex XDR agent and does not enforce proxy communications with other apps or services on your endpoint. You can set up to five proxy servers, either during the Cortex XDR agent installation process or, following agent installation, directly from the Cortex XDR management console.
If the endpoints in your environment are not connected directly to the internet, you can deploy a Palo Alto Networks broker VM.
Application-specific proxy configurations take precedence over system-wide proxy configurations. The Cortex XDR agent retrieves the proxy list defined on the endpoint and tries to establish communication with the Cortex XDR server first through app-specific proxies. Then, if communication is unsuccessful, the agent tries to connect using the system-wide proxy, if defined. If none are defined, the Cortex XDR agent attempts communication with the Cortex XDR server directly. The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.
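The precedence just described (up to five app-specific proxies first, then the system-wide proxy if one is defined, then a direct connection, with authenticating proxies unusable) modelled as an added Python example. This is not Palo Alto Networks code and says nothing about the agent's internals; the ProxyConfig type, the proxy host names and the reachability stand-in are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

MAX_APP_SPECIFIC_PROXIES = 5  # the guide allows up to five app-specific proxies


@dataclass
class ProxyConfig:
    """Proxy settings visible to the agent on one endpoint (constructed model)."""
    app_specific: List[str] = field(default_factory=list)  # agent-only proxies, configured order
    system_wide: Optional[str] = None                       # explicit setting or PAC-file result
    requires_auth: Set[str] = field(default_factory=set)    # proxies that demand credentials


Path = Tuple[str, Optional[str]]  # (kind, proxy); proxy is None for a direct connection


def candidate_paths(cfg: ProxyConfig) -> List[Path]:
    """Order in which the agent tries to reach the server: app-specific proxies,
    then the system-wide proxy if defined, then a direct connection."""
    if len(cfg.app_specific) > MAX_APP_SPECIFIC_PROXIES:
        raise ValueError("at most five app-specific proxies can be configured")
    paths: List[Path] = [("app-specific", p) for p in cfg.app_specific]
    if cfg.system_wide:
        paths.append(("system-wide", cfg.system_wide))
    paths.append(("direct", None))
    return paths


def select_path(cfg: ProxyConfig,
                reachable: Callable[[Optional[str]], bool]) -> Optional[Path]:
    """Return the first path over which the server answers, or None when every
    path fails. A proxy that requires authentication is never used, because the
    agent does not support authenticated proxies."""
    for kind, proxy in candidate_paths(cfg):
        if proxy is not None and proxy in cfg.requires_auth:
            continue
        if reachable(proxy):
            return kind, proxy
    return None


def make_reachability(working_proxies: Set[str],
                      direct_ok: bool) -> Callable[[Optional[str]], bool]:
    """Constructed stand-in for the network: which proxies forward to the
    server, and whether the endpoint can reach the server directly."""
    def reachable(proxy: Optional[str]) -> bool:
        return direct_ok if proxy is None else proxy in working_proxies
    return reachable


# Constructed scenarios; proxy host names and ports are made up for the example.
SCENARIOS = {
    # first app-specific proxy is down, the second works and wins over the system proxy
    "app_proxy_fallback": (
        ProxyConfig(app_specific=["proxy-a.corp.example:8080", "proxy-b.corp.example:8080"],
                    system_wide="sysproxy.corp.example:3128"),
        make_reachability({"proxy-b.corp.example:8080", "sysproxy.corp.example:3128"},
                          direct_ok=False),
    ),
    # no app-specific proxy answers, so the system-wide (PAC-derived) proxy is used
    "system_wide": (
        ProxyConfig(app_specific=["proxy-a.corp.example:8080"],
                    system_wide="sysproxy.corp.example:3128"),
        make_reachability({"sysproxy.corp.example:3128"}, direct_ok=True),
    ),
    # nothing configured: the agent connects directly
    "direct": (ProxyConfig(), make_reachability(set(), direct_ok=True)),
    # only an authenticating proxy exists and direct egress is blocked: no usable path
    "auth_proxy_blocked": (
        ProxyConfig(system_wide="authproxy.corp.example:3128",
                    requires_auth={"authproxy.corp.example:3128"}),
        make_reachability({"authproxy.corp.example:3128"}, direct_ok=False),
    ),
}


def run_scenario(name: str) -> Optional[Path]:
    """Resolve one constructed scenario to the path the agent would end up using."""
    cfg, reachable = SCENARIOS[name]
    return select_path(cfg, reachable)


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(f"{scenario}: {run_scenario(scenario)}")
```

The last scenario is the case the text warns about: with only an authenticating proxy and no direct egress, the agent has no path to the server and a broker VM is the supported alternative.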
STEP 2 | Configure firewalls to forward Cortex XDR-required logs to Cortex Data Lake.
The Cortex Data Lake provides centralized, cloud-based log storage for firewalls, and Panorama provides an interface you can use to view the stored logs. The rich log data that firewalls forward to the Cortex Data Lake gives the Cortex XDR analytics engine the network visibility it requires to perform data analytics.
To support Cortex XDR, firewalls must forward at least Traffic logs to the Cortex Data Lake. The complete set of log types that a firewall should forward to the Cortex Data Lake is:
• Traffic (required)
• Threat (spyware, anti-exploit, anti-malware, DNS security, etc.)
• URL Filtering
• User-ID
• HIP
• Enhanced application logs (PAN-OS 8.1.1 or later)
Enhanced application logs are designed to increase visibility into network activity for Palo Alto Networks Cloud Services apps, and Cortex XDR requires these logs to support certain features.
Follow the complete workflow to configure Panorama-managed firewalls to forward logs to the Cortex Data Lake.
STEP 2 | Configure the internal networks that you want Cortex XDR to monitor.
1. From the Cortex XDR management console, navigate to Assets > Network Configuration.
2. Define your IP Address Ranges.
This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
3. Define your Domain Names.
STEP 3 | If you use GlobalProtect or Prisma Access, add the GlobalProtect VPN IP address pool for the VPN traffic that you want to monitor.
1. To enable the Cortex XDR app to analyze your VPN traffic, add (+) a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.
2. Identify this network segment as Reserved for VPN. GlobalProtect dynamically assigns IP addresses from the IP pool to the mobile endpoints that connect to your network. The Cortex XDR analytics engine creates virtual entity profiles for network segments that are reserved for VPN.
3. Save the network segment. If the Configuration saved notification does not appear, save again.
STEP 4 | If you selected a Cloud Identity Engine (Directory Sync instance) during the Cortex XDR activation process, Set Up Cloud Identity Engine.
Cortex® XDR Pro Administrator’s Guide Version 3.3 138 ©2022 Palo Alto Networks, Inc.
Get Started with Cortex XDR Pro
STEP 2 | After you activate Cortex XDR apps and services, wait 24 hours and then configure the
Cortex XDR analytics.
1. Specify the internal networks that you want Cortex XDR to monitor.
2. (Recommended) If you want to use Pathfinder to scan unmanaged endpoints, Activate
Pathfinder.
3. Enable Cortex XDR - Analytics.
By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables
the Cortex XDR analytics engine to analyze your endpoint data to develop a baseline and
raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are
detected.
To create a baseline for enabling Analytics, Cortex XDR requires a minimum set of data:
EDR or network logs from at least 30 endpoints over a minimum of 2 weeks, or cloud
audit logs over a minimum of 5 days. Once this requirement is met, Cortex XDR allows you to
enable analytics, and alerts begin to trigger within a few hours.
1. In Cortex XDR, select Settings > Configurations > Cortex XDR - Analytics.
The Enable option is grayed out if you do not have the required data set.
2. When available, Enable Cortex XDR - Analytics. The analytics engine immediately
begins analyzing your Cortex data for anomalies.
STEP 5 | (Optional) Palo Alto Networks automatically delivers behavioral indicators of
compromise (BIOC) rules defined by the Palo Alto Networks threat research team to all
Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.
To alert on specific BIOCs, Create a BIOC Rule. To immediately alert on known malicious
indicators of compromise (IOCs), such as known malicious IP addresses, Create an IOC Rule
or Create a Correlation Rule.
WildFire provides verdicts and analysis reports to Cortex XDR users without requiring a
license key. Using WildFire for next-generation firewalls or other use cases continues to
require an active license.
Before you can view external threat intelligence in Cortex XDR incidents, you must obtain the
license key for the service and add it to the Cortex XDR Configuration. After you integrate a
service, you will see its verdict or verdict score when you investigate an incident.
To integrate an external threat intelligence service:
STEP 1 | Get the API license key for the service.
• Get your AutoFocus API key.
• Get your VirusTotal API key.
Select Timezone
Select your own specific timezone. The selected timezone affects the timestamps displayed in the
Cortex XDR management console, in auditing logs, and in exported files.
In the Timezone section, select the timezone in which you want to display your Cortex XDR
data.
In the Timestamp Format section, select the timestamp format in which you want to display
your Cortex XDR data.
In the Email Contacts section, enter the email addresses you want to include in a distribution list.
Make sure to select after each email address.
In the XQL Configuration section, you can either leave the toggle set to Case Sensitivity
(case_sensitive) so that field values are evaluated as case sensitive (config
case_sensitive = true) throughout the entire application (the default), or disable the toggle
so that field values are evaluated as case insensitive (config case_sensitive = false)
throughout the application.
This setting overrides any other default configuration except for BIOCs, which remain
case insensitive regardless of this setting.
In the Define the Incident target MTTR per incident severity section, enter within how many
days and hours you want incidents resolved for each incident severity: Critical, High,
Medium, and Low.
The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.
In the Impersonation Settings section, define the level and duration of the permissions.
• Select one of the following Role permissions:
• Read-Only—Default setting, grants read-only access to your tenant.
• Support related actions—Grants permissions for tech support file collection, dump file
collection, investigation queries, Correlation Rule, BIOC, and IOC rule editing, alert starring,
and exclusion and exception editing.
• Full role permissions—No limitations are applied; grants full permissions to all actions and
content on your tenant.
• Set the Permission Reset Timeframe.
If you selected Support related actions or Full role permissions in the Role field, set a
specific timeframe for how long these permissions are valid. Select either 7 Days, 30 Days,
or No time limitation.
We recommend that Role permissions be granted only for a specific timeframe, and that full
administrative permissions be granted only when specifically requested by the support team.
From the Cortex XDR management console, select Settings > Configurations > Security
Settings.
Under User Expiration, define whether to Deactivate Inactive Users. By default, user
expiration is Disabled; when Enabled, enter the number of days after which inactive users
should be deactivated.
Under Allowed Domains, specify one or more domain names that users in your organization
can use in distribution lists. This ensures, for example, that generated reports
are not sent to email addresses outside your organization.
Save.
Depending on your license and assigned role, you can explore the following areas in the app.
Interface: Description
Dashboard & Reports: From the Dashboard & Reports menu you can view and manage your dashboards and reports from the dashboard and incidents table, and view alert exclusions.
• Dashboard—Provides dashboards that you can use to view high-level statistics about your agents and incidents.
• Reports—View all the reports that Cortex XDR administrators have run.
• Customize—Create and manage new dashboards and reports.
• Dashboards Manager—Add new dashboards with customized widgets to surface the statistics that matter to you most.
• Reports Templates—Build reports using predefined templates, or customize a report. Reports can be generated on demand or scheduled.
• Widget Library—Search, view, edit, and create widgets based on predefined widgets and user-created custom widgets.
Incident Response: From the Incident Response menu you can view, manage, investigate, and take action on all incidents.
• Incidents—Investigate and manage your incidents.
• Investigation
  • Query Builder—Build complex queries to investigate, identify connections, and expose the root cause of alerts from your data sources.
  • Query Center—View and manage the results of all simple and complex queries created from the Query Builder.
  • Scheduled Queries—View and manage all scheduled and recurring queries created from the Query Builder.
  • Forensics—Streamline your incident response, data collection, threat hunting, and analysis of your endpoint data to find the source and scope of an attack.
  • Host Inventory—
• Response
  • Action Center—Provides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your endpoints.
  • Live Terminal—Initiate a remote connection to an endpoint, enabling you to remotely manage, investigate, and perform response actions on the endpoint.
  • EDL—Add malicious domains and IP addresses to an external dynamic list enforceable on your Palo Alto Networks firewall.
• Incident Configuration—Create a starring configuration that automatically categorizes and stars incidents when a related alert contains specific attributes that you define as important.
Detection: From the Detection menu, you can define specific rules for which you want Cortex XDR to raise alerts.
• Detection Rules
  • IOC—Identify specific hashes, IP addresses, domains, file names, and paths that indicate a threat.
  • BIOC—Identify specific network, process, file, or registry activity that indicates a threat.
  • Correlations—Analyze correlations of multiple events from multiple sources.
  • Exceptions—Define exception criteria for an IOC or BIOC rule.
Assets: From the Assets menu, you can define your network parameters and view a list of all the assets in your network.
• Network Configuration—Define your internal IP address ranges and domain names to identify and track your network assets.
• Vulnerability Assessment—Identify and quantify the security vulnerabilities on an endpoint.
• User Scores—Investigate user activities and detect compromised accounts and malicious devices using the Cortex XDR calculated User Score.
• Asset Inventory—Provides a central location from which you can view and investigate information relating to assets in your network.
• Cloud Inventory—Provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform, Microsoft Azure, and Amazon Web Services.
• Host Firewall—Control communications on your endpoints by applying sets of rules that allow or block internal and external traffic.
• Device Control Violations—Monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint.
• Disk Encryption Visibility—View and manage endpoints that were encrypted using BitLocker.
Quick Launcher: Open an in-context shortcut that you can use to search for information, perform common investigation tasks, or initiate response actions from any place in the Cortex XDR console.
Tenant Navigator: View and switch to tenants to which you have access, divided per CSP account. You can also navigate directly to the Cortex Gateway.
User: From the User menu, see who is logged into Cortex XDR. Right-click and select:
• About to view additional version and tenant ID information.
• What's New to view selected new features available for your license type.
• Log Out to terminate the connection with your Cortex XDR management console.
The following topics describe additional management actions you can perform on page results.
• Filter Page Results
• Save and Share Filters
Manage Tables
Most pages in Cortex XDR present data in table format and provide controls to help you manage
and filter the results. If additional views or actions are available for a specific value, you can pivot
(right-click) from the value in the table. For example, you can view the incident details, pivot to
the Causality View for an alert, or pivot to the results for a query.
On most pages, you can also refresh ( ) the content on the page.
To manage tables in the app:
• Filter Page Results
• Export Results to File
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows
• Display Quick Actions
CMD fields have a 128 character limit. Shorten longer query strings to 127
characters and add an asterisk (*) as a wildcard.
Alternatively, you can select Include empty values to create a filter that includes or
excludes results when the field has an empty value.
STEP 3 | To add additional filters, click +AND (within the filter brackets) to display results that must
match all specified criteria, or +OR to display results that match any of the criteria.
STEP 4 | Click out of the filter area into the results table to see the results.
Save a filter:
Saved filters are listed on the Filters tab of the table layout and filter manager menu.
1. Save ( ) the active filter.
2. Enter a name to identify the filter.
You can create multiple filters with the same name. Saving a filter with an existing name
does not overwrite the existing filter.
3. Choose whether to Share this filter or keep it private for your own use only.
Share a filter:
You can share a filter across your organization.
1. Select the table layout and filter menu indicated by the three vertical dots, then select
Filters.
2. Select the filter to share and click the share icon.
3. If needed, you can later unshare ( ) or delete ( ) a filter.
Unsharing a filter turns a public filter private. Deleting a shared filter removes it for
all users.
CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated
value, the app shows or hides all results that match the first 128 characters.
The show or hide action is a temporary means of filtering the results: if you navigate away from
the page and later return, any results you previously hid appear again.
This option is available for fields that have a finite list of options.
To hide or show only results that match a specific field value:
STEP 1 | Right-click the matching field value by which you want to hide or show.
Endpoint Security
Endpoint security features require a Cortex XDR Pro - Endpoint license.
• Periodic and automated scanning—Enables you to block dormant malware that has not yet
tried to execute on endpoints. Scanning requires Cortex XDR agent 7.1 or a later release.
Malware Protection for Linux
• WildFire integration—Enables automatic detection of known malware and analysis of unknown
malware using WildFire threat intelligence. WildFire integration requires Traps agent 6.0 or a
later release.
• Local static analysis—Enables the Cortex XDR agent to use machine learning to analyze
unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local
analysis module until it receives the WildFire verdict from Cortex XDR. Local analysis requires
Traps agent 6.0 or a later release.
• Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify
and analyze chains of events, known as causality chains. This enables Cortex XDR to detect
malicious activity that could otherwise appear legitimate if inspected as individual events.
Behavioral threat protection requires Traps agent 6.1 or a later release.
• ELF file protection—Enables you to block known malicious and unknown ELF files executed
on a host server or within a container on a Cortex XDR-protected endpoint. Cortex XDR
automatically suspends the file execution until a WildFire or local analysis verdict is obtained.
ELF file protection requires Traps agent 6.0 or a later release.
• Malware protection modules—Target the execution behavior of a file, such as the behavior
associated with reverse shell protection.
Malware Protection for Android
• WildFire integration—Enables automatic detection of known malware and grayware, and
analysis of unknown APK files using WildFire threat intelligence.
• APK file examination—Analyzes APK files and prevents malicious ones from running.
• Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run
on the Android device.
When a user opens a non-executable file, such as a PDF or Word document, and the process that
opened the file is protected, the Cortex XDR agent seamlessly injects code into the software.
This occurs at the earliest possible stage, before any files belonging to the process are loaded
into memory. The Cortex XDR agent then activates one or more protection modules inside
the protected process. Each protection module targets a specific exploitation technique and is
designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws.
In addition to automatically protecting processes from such attacks, the Cortex XDR agent reports
any security events to Cortex XDR and performs additional actions as defined in the endpoint
security policy. Common actions that the Cortex XDR agent performs include collecting forensic
data and notifying the user about the event.
The default endpoint security policy protects the most vulnerable and most commonly used
applications, but you can also add other third-party and proprietary applications to the list of
protected processes.
Malware Protection
The Cortex XDR agent provides malware protection in a series of four evaluation phases:
that attempts to launch a restricted child process, the Cortex XDR agent blocks the child
process from running and reports the security event to Cortex XDR. For example, if a user tries
to open a Microsoft Word document (using the winword.exe process) and that document has a
macro that tries to run a blocked child process (such as WScript), the Cortex XDR agent blocks the
child process and reports the event to Cortex XDR. If the parent process does not try to launch
any child processes, or tries to launch a child process that is not restricted, the Cortex XDR agent
next moves to Phase 2: Evaluation of the Restriction Policy.
Phase 2: Evaluation of the Restriction Policy
When a user or machine attempts to open an executable file, the Cortex XDR agent first evaluates
the child process protection policy as described in Phase 1: Evaluation of Child Process Protection
Policy. The Cortex XDR agent next verifies that the executable file does not violate any restriction
rules. For example, you might have a restriction rule that blocks executable files launched from
network locations. If a restriction rule applies to an executable file, the Cortex XDR agent blocks
the file from executing and reports the security event to Cortex XDR and, depending on the
configuration of each restriction rule, the Cortex XDR agent can also notify the user about the
prevention event.
If no restriction rules apply to an executable file, the Cortex XDR agent next moves to Phase 3:
Evaluation of Hash Verdicts.
Phase 3: Hash Verdict Determination
The Cortex XDR agent calculates a unique hash using the SHA-256 algorithm for every file that
attempts to run on the endpoint. Depending on the features that you enable, the Cortex XDR
agent performs additional analysis to determine whether an unknown file is malicious or benign.
The Cortex XDR agent can also submit unknown files to Cortex XDR for in-depth analysis by
WildFire.
To determine a verdict for a file, the Cortex XDR agent evaluates the file in the following order:
1. Hash exception—A hash exception enables you to override the verdict for a specific file
without affecting the settings in your Malware Security profile. The hash exception policy is
evaluated first and takes precedence over all other methods of determining the hash verdict.
For example, you may want to configure a hash exception for any of the following situations:
• You want to block a file that has a benign verdict.
• You want to allow a file that has a malware verdict to run. In general, we recommend
that you only override the verdict for malware after you use available threat intelligence
resources, such as WildFire and AutoFocus, to determine that the file is not malicious.
• You want to specify a verdict for a file that has not yet received an official WildFire verdict.
After you configure a hash exception, Cortex XDR distributes it at the next heartbeat
communication to any endpoints that have previously opened the file.
When a file launches on the endpoint, the Cortex XDR agent first evaluates any relevant hash
exception for the file. The hash exception specifies whether to treat the file as malware. If the
file is assigned a benign verdict, the Cortex XDR agent permits it to open.
If a hash exception is not configured for the file, the Cortex XDR agent next evaluates the
verdict to determine the likelihood of malware. The Cortex XDR agent uses a multi-step
evaluation process in the following order to determine the verdict: highly trusted signers,
WildFire verdict, and then local analysis.
2. Highly trusted signers (Windows and Mac)—The Cortex XDR agent distinguishes highly
trusted signers such as Microsoft from other known signers. To keep parity with the signers
defined in WildFire, Palo Alto Networks regularly reviews the list of highly trusted and known
signers and delivers any changes with content updates. The list of highly trusted signers
also includes signers that are included in the allow list from Cortex XDR. When an unknown
file attempts to run, the Cortex XDR agent applies the following evaluation criteria: files
signed by highly trusted signers are permitted to run, and files signed by prevented signers are
blocked, regardless of the WildFire verdict. Otherwise, when a file is not signed by a highly
trusted signer or by a signer included in the block list, the Cortex XDR agent next evaluates
the WildFire verdict. For Windows endpoints, evaluation of other known signers takes place if
WildFire evaluation returns an unknown verdict for the file.
3. WildFire verdict—If a file is not signed by a highly trusted signer on Windows and Mac
endpoints, the Cortex XDR agent performs a hash verdict lookup to determine whether a verdict
already exists in its local cache.
If the executable file has a malware verdict, the Cortex XDR agent reports the security event to
Cortex XDR and, depending on the configured behavior for malicious files, the Cortex XDR
agent then does one of the following:
• Blocks the malicious executable file
• Blocks and quarantines the malicious executable file
• Notifies the user about the file but still allows the file to execute
• Logs the issue without notifying the user and allows the file to execute
If the verdict is benign, the Cortex XDR agent moves on to the next stage of evaluation (see
Phase 4: Evaluation of Malware Security Policy).
If the hash does not exist in the local cache or has an unknown verdict, the Cortex XDR agent
next evaluates whether the file is signed by a known signer.
4. Local analysis—When an unknown executable, DLL, or macro attempts to run on a Windows
or Mac endpoint, the Cortex XDR agent uses local analysis to determine whether it is likely to be
malware. On Windows endpoints, if the file is signed by a known signer, the Cortex XDR agent
permits the file to run and does not perform additional analysis. For files on Mac endpoints
and files that are not signed by a known signer on Windows endpoints, the Cortex XDR agent
performs local analysis to determine whether the file is malware. Local analysis uses a static
set of pattern-matching rules that inspect multiple file features and attributes, and a statistical
model that was developed with machine learning on WildFire threat intelligence. The model
enables the Cortex XDR agent to examine hundreds of characteristics of a file and issue a
local verdict (benign or malicious) while the endpoint is offline or Cortex XDR is unreachable.
The Cortex XDR agent can rely on the local analysis verdict until it receives an official WildFire
verdict or hash exception.
Local analysis is enabled by default in a Malware Security profile. Because local analysis always
returns a verdict for an unknown file, if you enable the Cortex XDR agent to Block files with
unknown verdict, the agent only blocks unknown files if a local analysis error occurs or local
analysis is disabled. To change the default settings (not recommended), see Add a New Malware
Security Profile.
Phase 4: Evaluation of Malware Security Policy
If the prior evaluation phases do not identify a file as malware, the Cortex XDR agent observes
the behavior of the file and applies additional malware protection rules. If a file exhibits malicious
behavior, such as encryption-based activity common with ransomware, the Cortex XDR agent
blocks the file and reports the security event to Cortex XDR.
If no malicious behavior is detected, the Cortex XDR agent permits the file (process) to continue
running but continues to monitor its behavior for the lifetime of the process.
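The precedence described in Phases 1 through 4, as an added runnable model. This is not Cortex XDR agent code: the Policy and ExecEvent structures, the function names, the constructed sample files and launch events, and the local_analysis_stub stand-in for the static rules and ML model are all assumptions made for illustration. What the model shows is the ordering that matters operationally: a child process restriction fires before any verdict is consulted, a hash exception blocks even a file signed by a highly trusted signer, and a highly trusted signer allows a file even when the cached WildFire verdict is malware.

```python
"""Added example: a runnable model of the evaluation order in Phases 1-4 above.
It is not Cortex XDR agent code. Policy fields, function names, the sample
events and the local-analysis stand-in are all assumptions made for illustration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class ExecEvent:
    """One attempted launch as the agent would observe it (constructed data)."""
    parent_image: str      # process launching the file, e.g. "winword.exe"
    image: str             # image name of the file about to run
    path: str              # location the file is launched from
    content: bytes         # file bytes; hashed with SHA-256 as the agent does
    signer: Optional[str]  # code-signing publisher, None if unsigned
    os: str                # "windows" or "mac"

@dataclass
class Policy:
    """Hypothetical container for the settings each phase consults."""
    child_process_blocks: dict[str, set[str]]  # parent image -> blocked child images
    restricted_path_prefixes: tuple[str, ...]  # e.g. the UNC prefix for network locations
    hash_exceptions: dict[str, str]            # sha256 -> "malware" | "benign"
    highly_trusted_signers: set[str]
    blocked_signers: set[str]
    known_signers: set[str]
    wildfire_cache: dict[str, str]             # sha256 -> "malware" | "benign"
    local_analysis_enabled: bool = True
    block_unknown_verdict: bool = False

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def local_analysis_stub(content: bytes) -> str:
    # Stand-in for the static rules plus ML model; a marker in the constructed
    # sample plays the role of the hundreds of features the real module inspects.
    return "malware" if b"REVERSE_SHELL" in content else "benign"

def evaluate(ev: ExecEvent, pol: Policy) -> tuple[str, str, str]:
    """Return (stage, decision, reason); decision is "block" or "allow"."""
    # Phase 1: child process protection (e.g. winword.exe launching wscript.exe).
    if ev.image.lower() in pol.child_process_blocks.get(ev.parent_image.lower(), set()):
        return ("phase1", "block", f"{ev.parent_image} may not launch {ev.image}")
    # Phase 2: restriction rules (e.g. executables launched from network locations).
    if ev.path.startswith(pol.restricted_path_prefixes):
        return ("phase2", "block", f"restricted location {ev.path}")
    # Phase 3: hash verdict. A hash exception beats every other method.
    digest = sha256_hex(ev.content)
    if digest in pol.hash_exceptions:
        v = pol.hash_exceptions[digest]
        return ("phase3-hash-exception", "block" if v == "malware" else "allow", v)
    # Highly trusted and prevented signers override the WildFire verdict.
    if ev.signer in pol.highly_trusted_signers:
        return ("phase3-trusted-signer", "allow", str(ev.signer))
    if ev.signer in pol.blocked_signers:
        return ("phase3-blocked-signer", "block", str(ev.signer))
    # WildFire verdict from the agent's local cache.
    wf = pol.wildfire_cache.get(digest, "unknown")
    if wf == "malware":
        return ("phase3-wildfire", "block", "cached malware verdict")
    if wf == "benign":
        return ("phase4", "allow", "benign; behavior monitored for process lifetime")
    # Unknown verdict: a known signer suffices on Windows only; otherwise local analysis.
    if ev.os == "windows" and ev.signer in pol.known_signers:
        return ("phase3-known-signer", "allow", str(ev.signer))
    if pol.local_analysis_enabled:
        v = local_analysis_stub(ev.content)
        return ("phase3-local-analysis", "block" if v == "malware" else "allow", v)
    # Only with local analysis off does "Block files with unknown verdict" take effect.
    return ("phase3-unknown", "block" if pol.block_unknown_verdict else "allow", "unknown verdict")

def sample_policy() -> Policy:
    """Constructed policy; hashes are computed from constructed sample bytes."""
    return Policy(
        child_process_blocks={"winword.exe": {"wscript.exe", "cscript.exe", "powershell.exe"}},
        restricted_path_prefixes=("\\\\",),
        hash_exceptions={sha256_hex(b"MZ admin-blocked"): "malware"},
        highly_trusted_signers={"Microsoft Windows"},
        blocked_signers={"Blocked Publisher"},
        known_signers={"Example Software Inc."},
        wildfire_cache={sha256_hex(b"MZ cached benign"): "benign",
                        sha256_hex(b"MZ cached malware"): "malware"},
    )

def run_demo() -> list[tuple[str, str, str]]:
    """Constructed launch events, one per decision path; returns their outcomes."""
    pol = sample_policy()
    events = [
        ExecEvent("winword.exe", "wscript.exe", r"C:\Windows\System32\wscript.exe", b"MZ ws", "Microsoft Windows", "windows"),
        ExecEvent("explorer.exe", "tool.exe", r"\\fileshare\drop\tool.exe", b"MZ tool", None, "windows"),
        ExecEvent("explorer.exe", "blocked.exe", r"C:\Users\u\blocked.exe", b"MZ admin-blocked", "Microsoft Windows", "windows"),
        ExecEvent("explorer.exe", "vendor.exe", r"C:\Users\u\vendor.exe", b"MZ cached malware", "Microsoft Windows", "windows"),
        ExecEvent("explorer.exe", "new.exe", r"C:\Users\u\new.exe", b"MZ never seen", "Example Software Inc.", "windows"),
        ExecEvent("Finder", "new", "/Users/u/new", b"MZ never seen", "Example Software Inc.", "mac"),
        ExecEvent("explorer.exe", "rs.exe", r"C:\Temp\rs.exe", b"MZ REVERSE_SHELL", None, "windows"),
    ]
    return [evaluate(e, pol) for e in events]
```

Calling run_demo() walks the seven constructed events through the chain: the Word-to-WScript launch and the UNC-path launch never reach verdict evaluation, the hash exception blocks a Microsoft-signed file, the highly trusted signer allows a file with a cached malware verdict, the never-seen file is allowed on Windows by its known signer but goes to local analysis on Mac, and the unsigned sample with the marker is blocked by local analysis. The two signer overrides are the reason the highly trusted and prevented signer lists and the hash exception list deserve the same change control as the rest of the Malware Security profile.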
Unpatched Vulnerabilies — — —
Protecon
If you have Windows endpoints in
your network that are unpatched
and exposed to a known
vulnerability, Palo Alto Networks
strongly recommends that you
upgrade to the latest Windows
Update that has a fix for that
vulnerability. If you choose not to
patch the endpoint, the Unpatched
Vulnerabilies Protecon capability
allows the Cortex XDR agent to
apply a workaround to protect
the endpoints from the known
vulnerability.
Cortex® XDR Pro Administrator’s Guide Version 3.3 164 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Ransomware Protecon — — —
Targets encrypon based acvity
associated with ransomware to
analyze and halt ransomware before
any data loss occurs.
Cortex® XDR Pro Administrator’s Guide Version 3.3 165 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Execuon Paths — — —
Many aack scenarios are based on
wring malicious executable files to
certain folders such as the local temp
or download folder and then running
them. Use this capability to restrict
the locaons from which executable
files can run.
Network Locaons — — —
To prevent aack scenarios that
are based on wring malicious files
to remote folders, you can restrict
access to all network locaons
except for those that you explicitly
trust.
Removable Media — — —
To prevent malicious code from
gaining access to endpoints using
external media such as a removable
drive, you can restrict the executable
files, that users can launch from
external drives aached to the
endpoints in your network.
Cortex® XDR Pro Administrator’s Guide Version 3.3 166 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Opcal Drive — — —
To prevent malicious code from
gaining access to endpoints using
opcal disc drives (CD, DVD,
and Blu-ray), you can restrict the
executable files, that users can
launch from opcal disc drives
connected to the endpoints in your
network.
An-Ransomware — — —
Targets encrypon-
based acvity
associated with
ransomware and has
the ability to analyze
and halt ransomware
acvity before any data
loss occurs.
APC Protecon — — —
Prevents aacks
that change the
execuon order of a
process by redirecng
an asynchronous
procedure call (APC) to
Cortex® XDR Pro Administrator’s Guide Version 3.3 167 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Behavioral Threat —
Prevents sophiscated
aacks that leverage
built-in OS executables
and common
administraon ulies
by connuously
monitoring endpoint
acvity for malicious
causality chains.
Child Process — — —
Protecon
Prevents script-based
aacks that are used
to deliver malware,
such as ransomware,
by blocking known
targeted processes
from launching child
processes that are
commonly used to
bypass tradional
security approaches.
CPL Protecon — — —
Protects against
vulnerabilies related
to the display roune
for Windows Control
Panel Library (CPL)
shortcut images,
which can be used as
Cortex® XDR Pro Administrator’s Guide Version 3.3 168 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Data Execuon — — —
Prevenon (DEP)
Prevents areas of
memory defined to
contain only data from
running executable
code.
DLL Hijacking — — —
Prevents DLL-hijacking
aacks where the
aacker aempts to
load dynamic-link
libraries on Windows
operang systems from
unsecure locaons
to gain control of a
process.
DLL Security — — —
Prevents access to
crucial DLL metadata
from untrusted code
locaons.
Dylib Hijacking — — —
Prevents Dylib-
hijacking aacks where
the aacker aempts to
load dynamic libraries
on Mac operang
systems from unsecure
locaons to gain control
of a process.
Cortex® XDR Pro Administrator’s Guide Version 3.3 169 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Font Protecon — — —
Prevents improper font
handling, a common
target of exploits.
Gatekeeper — — —
Enhancement
Enhances the
macOS gatekeeper
funconality that
allows apps to run
based on their digital
signature. This module
provides an addional
layer of protecon by
extending gatekeeper
funconality to bundles
and child processes so
you can enforce the
signature level of your
choice.
Hash Excepon
Halts execuon of files
that an administrator
idenfied as malware
regardless of the
WildFire verdict.
Java Deserializaon — — —
Cortex® XDR Pro Administrator’s Guide Version 3.3 170 ©2022 Palo Alto Networks, Inc.
Endpoint Security
JIT — —
Prevents an aacker
from bypassing the
operang system's
memory migaons
using just-in-me (JIT)
compilaon engines.
Kernel Integrity — — —
Monitor (KIM)
Prevents rootkit
and vulnerability
exploitaon on Linux
endpoints. On the
first detecon of
suspicious rootkit
behavior, the behavioral
threat protecon (BTP)
module generates
an XDR Agent alert.
Cortex XDRstches
logs about the process
that loaded the kernel
module with other logs
relang to the kernel
module to aid in alert
invesgaon. When
the Cortex XDR agent
detects subsequent
rootkit behavior, it
blocks the acvity.
Local Analysis —
Examines hundreds of
characteriscs of an
unknown executable
file, DLL, or macro to
determine if it is likely
to be malware. The
local analysis module
Cortex® XDR Pro Administrator’s Guide Version 3.3 171 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Local Privilege —
Escalaon Protecon
Prevents aackers
from performing
malicious acvies
that require privileges
that are higher than
those assigned to the
aacked or malicious
process.
Network Packet — — —
Inspecon Engine
Analyze network packet
data to detect malicious
behavior already at
the network level. The
engine leverages both
Palo Alto Networks
NGFW content rules,
and new Cortex XDR
content rules created
by the Research Team
which are updated
through the security
content.
Null Dereference — — —
Cortex® XDR Pro Administrator’s Guide Version 3.3 172 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Restricted Execution - Local Path — — —
Prevents unauthorized execution from a local path.
Restricted Execution - Network Location — — —
Prevents unauthorized execution from a network path.
Restricted Execution - Removable Media — — —
Prevents unauthorized execution from removable media.
Reverse Shell Protection — — —
Blocks malicious activity where an attacker redirects standard input and output streams to network sockets.
ROP —
Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains.
SEH — — —
Prevents hijacking of the structured
Shellcode Protection — — —
Reserves and protects certain areas of memory commonly used to house payloads using heap spray techniques.
ShellLink — — —
Prevents shell-link logical vulnerabilities.
SO Hijacking Protection — — —
Prevents dynamic loading of libraries from unsecure locations to gain control of a process.
SysExit — — —
Prevents using system calls to bypass other protection capabilities.
UASLR — — —
Improves or altogether implements ASLR (address space layout randomization) with greater entropy, robustness, and strict enforcement.
Vulnerable Drivers Protection — — —
Detects attempts to load vulnerable drivers.
WildFire
Leverages WildFire for threat intelligence to determine whether a file is malware. In the case of unknown files, Cortex XDR can forward samples to WildFire for in-depth analysis.
WildFire Post-Detection (Malware and Grayware)
Identifies a file that was previously allowed to run on an endpoint that is now determined to be malware. Post-detection events provide notifications for each endpoint on which the file executed.
STEP 3 | Enter a unique Name and an optional Description to identify the installation package.
The package Name must be no more than 100 characters and can contain letters, numbers, hyphens, underscores, commas, and spaces.
to install the agent manually on the endpoint, unzip the ZIP folder and double-click the pkg file.
• For Linux endpoints, you can download .rpm or .deb installers (according to the endpoint Linux distribution), and deploy the installers on the endpoints using the Linux package manager. Alternatively, you can download a Shell installer and deploy it manually on the endpoint.
When you upgrade a Cortex XDR agent version without package manager, Cortex XDR will upgrade the installation process to package manager by default, according to the endpoint Linux distribution.
• For Kubernetes clusters on Linux endpoints, download the YAML file. Palo Alto Networks strongly recommends that you do not edit this file.
• For Android endpoints, Cortex XDR creates a tenant-specific download link which you can distribute to Android endpoints. When a newer agent version is available, Cortex XDR identifies older package versions as [Outdated].
Since Cortex XDR relies on the installation package ID to approve agent registration during install, it is not recommended to delete the installation package of active endpoints. If you install the Cortex XDR agent from a package after you delete it, Cortex XDR denies the registration request, leaving the agent in an unprotected state. Hiding the installation package will remove it from the default list of available installation packages, and can be useful to eliminate confusion within the management console main view. These hidden installation packages can be viewed by removing the default filter.
• Copy text to clipboard to copy the text from a specific field in the row of an installation package.
• Hide installation packages. Using the Hide option provides a quick method to filter out results based on a specific value in the table. You can also use the filters at the top of the page to build a filter from scratch. To create a persistent filter, save it.
In environments where agents communicate with the Cortex XDR server through a system-wide proxy, you can now set an application-specific proxy for the Traps and Cortex XDR agent without affecting the communication of other applications on the endpoint. You can set the proxy in one of three ways: during the agent installation, after installation using Cytool on the endpoint, or from All Endpoints in Cortex XDR as described in this topic. You can assign up to five different proxy servers per agent. The proxy server the agent uses is selected randomly and with equal probability. If the communication between the agent and the Cortex XDR server through the app-specific proxies fails, the agent resumes communication through the system-wide proxy defined on the endpoint. If that fails as well, the agent resumes communication with Cortex XDR directly.
STEP 1 | From Cortex XDR, select Endpoints > All Endpoints.
package created for a Cortex XDR Agent 5.0.0 for Windows. The operating system version can be different.
Cortex XDR does not support moving agents between FedRamp and commercial tenants.
3. Enter the ID number of the installation package you obtained in Step 1. If you selected agents running on different operating systems, for example Windows and Linux, you must provide an ID for each operating system. When done, click Move.
• Windows, Mac, or Linux—Create new installation packages and push the Cortex XDR agent package to up to 5,000 endpoints from Cortex XDR.
STEP 4 | Right-click your selection and select Endpoint Control > Upgrade Agent Version.
For each platform, select the name of the installation package you want to push to the selected endpoints.
Starting in the Cortex XDR agent 7.1 release, you can install the Cortex XDR agent on Linux endpoints using package manager. When you upgrade an agent on a Linux endpoint that is not using package manager, Cortex XDR upgrades the installation process by default according to the endpoint Linux distribution. Alternatively, if you do not want to use the package manager, clear the option Upgrade to installation by package manager.
The Cortex XDR agent keeps the name of the original installation package after every upgrade.
STEP 5 | Upgrade.
Cortex XDR distributes the installation package to the selected endpoints at the next heartbeat communication with the agent. To monitor the status of the upgrades, go to Response > Action Center. From the Action Center you can also view additional information about the upgrade (right-click the action and select Additional data) or cancel the upgrade (right-click the action and select Cancel Agent Upgrade).
• During the upgrade process, the endpoint operating system might request a reboot. However, you do not have to perform the reboot for the Cortex XDR agent upgrade process to complete successfully.
• After you upgrade to a Cortex XDR agent 7.2 or a later release on an endpoint with Cortex XDR Device Control rules, you need to reboot the endpoint for the rules to take effect.
Critical Environment Versions are designed for sensitive and highly regulated environments and do not contain all updates and content existing in the standard version. Therefore, it is recommended to restrict the use of these versions to the required minimum.
Setting an endpoint with a CE agent version requires you to define your Agent Configurations, which then allows you to:
• Create a CE Agent Installation Package
• Define the upgrade and auto-upgrade Agent Settings Profile
To set a Cortex XDR agent CE version:
STEP 1 | Define your agent configuration.
1. Navigate to Settings > Configurations > Agent Configurations > Critical Environment Versions.
2. Enable Critical Environment Versions to be Created and Installed in the Tenant.
Additionally, Cortex XDR automatically deletes agents after a long period of inactivity:
• Standard agents are deleted after 180 days of inactivity.
• VDI and TS agents are deleted after 6 hours of inactivity.
The following workflow describes how to delete the Cortex XDR agent from one or more Windows, Mac, or Linux endpoints.
STEP 1 | Select Endpoints > All Endpoints.
Before upgrading a Cortex XDR agent 7.0 or later running on macOS 10.15.4 or later, you must ensure that the System Extensions were approved on the endpoint. Otherwise, if the extensions were not approved, after the upgrade the extensions remain on the endpoint without any option to remove them, which could cause the agent to display unexpected behavior. To check whether the extensions were approved, you can either verify that the endpoint is in Fully Protected state in Cortex XDR, or execute the following command line on the endpoint to list the extensions: systemextensionsctl list. If you need to approve the extensions, follow the workflow explained in the Cortex XDR agent administration guide for approving System Extensions, either manually or using an MDM profile.
The following workflow describes how to uninstall the Cortex XDR agent from one or more Windows, Mac, or Linux endpoints. To uninstall the Cortex XDR app for Android, you must do so from the Android endpoint.
STEP 4 | Select the target endpoints (up to 100) for which you want to uninstall the Cortex XDR agent.
STEP 6 | Review the action summary and click Done when finished.
STEP 7 | To track the status of the uninstallation, return to the Action Center.
STEP 6 | Use the Quick Launcher to search the endpoints by alias across the Cortex XDR management console.
The following uses Windows operating system installation parameters and Cytool argument examples.
Agent token is supported from Cortex XDR server version 3.3 and Cortex XDR agent version 7.7.1. It is only supported for Windows and Mac.
STEP 1 | View agent password.
You can view the password of the selected agent. Whether the password is from a rolling token or temporary token is indicated in the dialog.
1. Select Endpoints > All Endpoints > Endpoint Control > View Token.
2. Click the copy button to copy the password displayed and then click Ok.
You can now use the password to run functions at the agent.
You can select a single or many endpoints at once to add a temporary token.
1. Select Endpoints > All Endpoints > Endpoint Control > Set Temporary Token.
2. In the Token Expiration field, add the number of days for which to generate a temporary token for the agent and then click the Add Token Expiration blue arrow.
3. Click the copy button to copy the password displayed and then click Create to begin generating the token.
4. Go to the Action Center to view which agent received the temporary token.
You can now use the password to run functions at the agent.
STEP 2 | Select either Create New to create an endpoint group from scratch or Upload From File, using plain text files with new line separator, to populate a static endpoint group from a file containing IP addresses, hostnames, or aliases.
STEP 3 | Enter a Group Name and optional Description to identify the endpoint group. The name you assign to the group will be visible when you assign endpoint security profiles to endpoints.
• Static—Select specific registered endpoints that you want to include in the endpoint group. Use the filters, as needed, to reduce the number of results.
When you create a static endpoint group from a file, the IP address, hostname, or alias of the endpoint must match an existing agent that has registered with Cortex XDR. You can select up to 250 endpoints.
Disconnecting Cloud Identity Engine in your Cortex XDR deployment can affect existing endpoint groups and policy rules based on Active Directory properties.
Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers to the agent the content update in parts and not as a single file, allowing the agent to retrieve only the updates and additions it needs.
• Default security policy including exploit, malware, restriction, and agent settings profiles
• Default compatibility rules per module
• Protected processes
• Local analysis logic
• Trusted signers
• Processes included in your block list by signers
• Behavioral threat protection rules
• Ransomware module logic including Windows network folders susceptible to ransomware attacks
• Event Log for Windows event logs and Linux system authentication logs
• Python scripts provided by Palo Alto Networks
• Python modules supported in script execution
• Maximum file size for hash calculations in File search and destroy
• List of common file types included in File search and destroy
• Network Packet Inspection Engine rules
When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then randomly chooses a time within a six-hour window during which it will retrieve the content update from Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and size of the content updates across many endpoints. You can view the distribution of endpoints by content update version from the Cortex XDR Dashboard.
The Cortex XDR research team releases more frequent content updates in between major content versions to ensure your network is constantly protected against the latest and newest threats in the wild. When you enable minor content updates, the Cortex XDR agent receives minor content updates, starting with the next content releases. Otherwise, if you do not wish to deploy minor content updates, your Cortex XDR agents will keep receiving content updates for major releases, which usually occur on a weekly basis. The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release, and incremented by one for a minor release. For example, 180-<build_num> and 190-<build_num> are major releases, and 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases.
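As an added example (not Palo Alto Networks code), the following Python parses the XXX-YYYY content version format and applies the major/minor rule above to decide which available release an agent would take with and without minor content updates enabled. The catalogue of version strings is constructed, and the multiple-of-ten rule is applied only to versions issued under the numbering scheme described here.

```python
"""Parse Cortex XDR content version strings (XXX-YYYY) and classify them
as major or minor releases as the guide describes: XXX is a multiple of
ten for a major release (180, 190) and is incremented by one for each
minor release in between (181, 182, 191). Added example, not vendor code."""
import re
from typing import List, NamedTuple, Optional

_VERSION_RE = re.compile(r"^(\d+)-(\d+)$")


class ContentVersion(NamedTuple):
    version: int  # the XXX part
    build: int    # the YYYY build number

    @property
    def is_major(self) -> bool:
        # Major releases are rounded to the nearest ten. This rule applies to
        # versions issued under the major/minor scheme, not to older builds.
        return self.version % 10 == 0

    @property
    def major_family(self) -> int:
        # The major release a minor release belongs to (181 -> 180).
        return self.version - (self.version % 10)

    def __str__(self) -> str:
        return f"{self.version}-{self.build}"


def parse_content_version(text: str) -> ContentVersion:
    """Parse '181-12345' into ContentVersion(181, 12345); reject other shapes."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a XXX-YYYY content version: {text!r}")
    return ContentVersion(int(m.group(1)), int(m.group(2)))


def next_eligible_update(current: str, available: List[str],
                         minor_updates_enabled: bool) -> Optional[str]:
    """Pick the newest content version an agent would move to.

    With minor updates disabled the agent only takes major releases; with
    them enabled it takes the newest release of either kind. Tuple ordering
    (version, then build) gives the natural "newer" comparison.
    Returns None when nothing newer than `current` is eligible.
    """
    cur = parse_content_version(current)
    candidates = [parse_content_version(v) for v in available]
    eligible = [c for c in candidates
                if c > cur and (minor_updates_enabled or c.is_major)]
    return str(max(eligible)) if eligible else None


if __name__ == "__main__":
    # Constructed sample catalogue; the build numbers are made up.
    catalogue = ["180-60010", "181-60120", "182-60200", "190-60300", "191-60410"]
    print(next_eligible_update("180-60010", catalogue, minor_updates_enabled=False))
    print(next_eligible_update("180-60010", catalogue, minor_updates_enabled=True))
```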
To adjust content update distribution for your environment, you can configure the following optional settings:
• Content management settings as part of the Cortex XDR global agent configurations.
• Content download source, as part of the Cortex XDR agent setting profile.
Otherwise, if you want the Cortex XDR agent to retrieve the latest content from the server immediately, you can force the Cortex XDR agent to connect to the server in one of the following methods:
• (Windows and Mac only) Perform manual check-in from the Cortex XDR agent console.
• Initiate a check-in using the Cytool checkin command.
After you add the new security profile, you can Manage Endpoint Security Profiles.
2. Select the platform to which the profile applies and Exploit as the profile type.
3. Click Next.
STEP 3 | Configure the action to take when the Cortex XDR agent detects an attempt to exploit each type of software flaw.
For details on the different exploit protection capabilities, see Endpoint Protection Capabilities.
• Block—Block the exploit attack.
• Report—Allow the exploit activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report exploit attempts.
• Default—Use the default configuration to determine the action to take. Cortex XDR displays the current default configuration for each capability in parentheses. For example, Default (Block).
To view which processes are protected by each capability, see Processes Protected by Exploit Security Policy.
For Known Vulnerable Process Protection, enable to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes. Select either to Block (default) or Report. When enabled, select whether to also enable the Java Deserialization Protection. If enabled, the same action mode defined for the Known Vulnerable Process Protection is inherited.
Attackers can use existing mechanisms in the operating system to execute malicious code. In the Windows Exploit profile, Known Vulnerable Processes Protection has an Action Mode of Block (default), Report, or Disabled, and a Java Deserialization Protection setting of Enabled or Disabled (default) that inherits its action mode from Known Vulnerable Processes Protection. When the Action Mode of Known Vulnerable Processes Protection is set to Disabled, the Java Deserialization Protection setting is greyed out and disabled as well, regardless of its value. If enabled, the action mode (Report or Block) is inherited from the main setting.
For Logical Exploits Protection, you can also configure a block list for the DLL Hijacking module. The block list enables you to block specific DLLs when run by a protected process. The DLL folder or file must include the complete path. To complete the path, you can use environment variables or the asterisk (*) as a wildcard to match any string of characters (for example, */windows32/).
For Exploit Protection for Additional Processes, you also add one or more additional processes.
In Exploit Security profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes: Brute Force Protection, Java Deserialization, ROP, and SO Hijacking.
STEP 4 | (Windows only) Configure how to address unpatched known vulnerabilities in your network.
If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows Update that has a fix for that vulnerability.
If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known vulnerability. It takes the Cortex XDR agent up to 6 hours to enforce your configured policy on the endpoints.
To address known vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, you can Modify IPv4 and IPv6 settings as follows:
• Do not modify system settings (default)—Do not modify the IPv4 and IPv6 settings currently set on the endpoint, whether the current values are your original values or values that were modified as part of this workaround.
• Modify system settings until the endpoint is patched—If the endpoint is already patched, this option does not modify any system settings. For unpatched endpoints, the Cortex XDR agent runs the following commands to temporarily modify the IPv4 and IPv6 settings until the endpoint is patched. After the endpoint is patched for CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, all Windows system settings modified as part of this workaround are automatically reverted to their values before modification. Palo Alto Networks strongly recommends that you review these commands before applying this workaround in your network to ensure your critical business components are not affected or harmed:
netsh int ipv6 set global reassemblylimit=0: this command disables IPv6 fragmentation on the endpoint.
netsh int ipv4 set global sourceroutingbehavior=drop: this command disables LSR / loose source routing for IPv4.
• Revert system settings to your previous settings—Revert all Windows system settings to their values before modification as part of this workaround, regardless of whether the endpoint was patched or not.
This workaround applies only to the specific Windows versions listed as exposed to these CVEs, and requires a Cortex XDR agent 7.1 or later and content 167-51646 or later. This workaround is not recommended for non-persistent, stateless, or linked-clone environments. In some cases, enabling this workaround can affect the network functionality on the endpoint.
2. Select the platform to which the profile applies and Malware as the profile type.
STEP 3 | Configure the Cortex XDR agent to examine executable files, macros, or DLL files on Windows endpoints, Mach-O files or DMG files on Mac endpoints, ELF files on Linux endpoints, or APK files on Android endpoints.
1. Configure the Action Mode—the behavior of the Cortex XDR agent—when malware is detected:
• Block—Block attempts to run malware.
• Report—Report but do not block malware that attempts to run.
• (Android only) Prompt—Enable the Cortex XDR agent to prompt the user when malware is detected and allow the user to choose to allow malware, dismiss the notification, or uninstall the app.
• Disabled—Disable the module and do not examine files for malware.
2. Configure additional actions to examine files for malware.
By default, Cortex XDR uses the settings specified in the default malware security profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
• (Windows, Mac starting with Cortex XDR agent 7.4, Linux starting with Cortex XDR agent 7.5) Quarantine Malicious Executables / Mach-O / ELF files—By default, the Cortex XDR agent blocks malware from running but does not quarantine the file. Enable this option to quarantine files depending on the verdict issuer (local analysis, WildFire, or both local analysis and WildFire).
The quarantine feature is not available for malware identified in network drives.
• Upload <file_type> files for cloud analysis—Enable the Cortex XDR agent to send unknown files to Cortex XDR, and for Cortex XDR to send the files to WildFire for analysis. With macro analysis, the Cortex XDR agent sends the Microsoft Office file containing the macro. The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100MB in size.
• Treat Grayware as Malware—Treat all grayware with the same Action Mode you configure for malware. Otherwise, if this option is disabled, grayware is considered benign and is not blocked.
• Action on Unknown to WildFire—Select the behavior of the Cortex XDR agent when an unknown file tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block unknown files but do not run local analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
• (Cortex XDR agent 7.5 and later for Windows only) Action when WildFire verdict is Benign with Low Confidence—Select the behavior of the Cortex XDR agent when a file with Benign Low Confidence verdict from WildFire tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block these files but do not run local analysis, they remain blocked until the Cortex XDR agent receives a high-confidence WildFire verdict. To enable this capability, ensure that WildFire analysis scoring is enabled in your Global Agent Settings.
• For optimal user experience, Palo Alto Networks recommends you set the action mode to either Allow or Run Local Analysis.
• Action on Benign LC verdict is supported from agent version 7.5 and above. For agent version 7.4.X, action on Benign LC verdict is the same as the action for files with Unknown verdict.
• (Windows only) Examine Office Files From Network Drives—Enable the Cortex XDR agent to examine Microsoft Office files in network drives when they contain a macro that attempts to run. If this option is disabled, the Cortex XDR agent will not examine macros in network drives.
(Windows only) As part of the anti-malware security flow, the Cortex XDR agent leverages the OS capability to identify revoked certificates for executables and DLL files that attempt to run on the endpoint by accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent to access the CRL, you must enable internet access over port 80 for Windows endpoints running Traps 6.0.3 and later releases, Traps 6.1.1 and later releases, or Cortex XDR 7.0 and later releases. If the endpoint is not connected to the internet, or you experience delays with executables and DLLs running on the endpoint, please contact Palo Alto Networks Support.
3. (Optional) Add files and folders to your allow list to exclude them from examination.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match files and folders containing a partial name. Use ? to match a single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).
3. Repeat to add additional files or folders.
4. Add signers to your allow list to exclude them from examination.
When a file that is signed by a signer you included in your allow list attempts to run,
1. +Add a trusted signer.
2. Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs the file (Mac) and press Enter or click the check mark when done. You can also use a wildcard to match a partial name for the signer. Use ? to match any single character or * to match any string of characters.
3. Repeat to add additional signers.
The Cortex XDR agent evaluates the signer name using the CN (Common Name) value in the digital signature, while the Cortex XDR console can display in the Alerts table both the O (Organization) value and the CN (Common Name).
STEP 4 | (Windows, Mac, and Linux only) Configure Behavioral Threat Protection.
Behavioral threat protection requires Traps agent 6.0 or a later release for Windows endpoints, and Traps 6.1 or later versions for Mac and Linux endpoints.
With Behavioral threat protection, the agent continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains. This enables the agent to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. A causality chain can include any sequence of network, process, file, and registry activities on the endpoint. Behavioral threat protection can also identify behavior related to vulnerable drivers on Windows endpoints. For more information on data collection for Behavioral Threat Protection, see Endpoint Data Collected by Cortex XDR.
Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains as behavioral threat rules. When the Cortex XDR agent detects a match to a behavioral threat protection rule, the Cortex XDR agent carries out the configured action (default is Block). In addition, the Cortex XDR agent reports the behavior of the entire event chain up to the process, known as the causality group owner (CGO), that the Cortex XDR agent identified as triggering the event sequence.
To configure Behavioral Threat Protection:
1. Define the Action mode to take when the Cortex XDR agent detects malicious causality chains:
• Block (default)—Block all processes and threads in the event chain up to the CGO.
• Report—Allow the activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
2. Define whether to quarantine the CGO when the Cortex XDR agent detects a malicious event chain.
• Enabled—Quarantine the CGO if the file is not signed by a highly trusted signer. When the CGO is signed by a highly trusted signer or is powershell.exe, wscript.exe, cscript.exe, mshta.exe, excel.exe, word.exe or powerpoint.exe, the Cortex XDR agent parses the command-line arguments and instead quarantines any scripts or files called by the CGO.
• Disabled (default)—Do not quarantine the CGO of an event chain nor any scripts or files called by the CGO.
3. (Windows only, requires a Cortex XDR agent 7.2 or a later release) Define the Action Mode for Vulnerable Drivers Protection.
Behavioral threat protection rules can also detect attempts to load vulnerable drivers. As with other rules, Palo Alto Networks threat researchers can deliver changes to vulnerable driver rules with content updates.
• Block (default)—Block all attempts to run vulnerable drivers.
• Report—Allow vulnerable drivers to run but report the activity.
• Disabled—Disable the module and do not analyze or report the activity.
4. (Optional) Add files that you do not want the Cortex XDR agent to terminate when a malicious causality chain is detected to your allow list. The allow list does not apply to vulnerable drivers.
1. +Add a file path.
2. Enter the file path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.
3. Click the checkmark to confirm the file path.
4. Repeat the process to add any additional file paths to your allow list.
This module is supported with Cortex XDR agent 7.3.0 and later releases.
1. Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality chains:
• Enabled (default)—Terminate the connection and block the IP address of the remote connection.
• Disabled—Do not block remote IP addresses.
2. To allow specific and known safe IP addresses or IP address ranges that you do not want Cortex XDR to block, add these IP addresses to your allow list.
+Add and then specify the IP address.
STEP 7 | (Windows only) Configure the Cortex XDR agent to Prevent Malicious Child Process Execution.
1. Select the Action Mode to take when the Cortex XDR agent detects malicious child process execution:
• Block—Block the activity.
• Report—Allow the activity but report it to Cortex XDR.
2. To allow specific processes to launch child processes for legitimate purposes, add the child process to your allow list with optional execution criteria.
+Add and then specify the allow list criteria including the Parent Process Name, Child Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters.
If you are adding child process evaluation criteria based on a specific security event, the event indicates both the source process and the command line parameters in one line. Copy only the command line parameter for use in the profile.
is powered on again. The scheduling of future scans is not affected by this delay. To better
understand how the agent scans the endpoint, refer to Scan an Endpoint for Malware.
When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an
initial scan when it is first installed on the endpoint, regardless of the periodic scanning
schedule.
1. Configure the Action Mode for the Cortex XDR agent to periodically scan the endpoint
for malware: Enabled to scan at the configured intervals, Disabled (default) if you don’t
want the Cortex XDR agent to scan the endpoint.
2. To configure the scan schedule, set the frequency (Run Weekly or Run Monthly) and the day
and time at which the scan will run on the endpoint.
Just as with an on-demand scan, a scheduled scan resumes after a reboot, process
interruption, or operating system crash.
3. (Windows only) To include removable media drives in the scheduled scan, enable the
Cortex XDR agent to Scan Removable Media Drives.
4. Add folders to your allow list to exclude them from examination.
1. Add (+) a folder.
2. Enter the folder path. Use ? to match a single character or * to match any string of
characters in the folder path (for example, C:\*\temp).
3. Press Enter or click the check mark when done.
4. Repeat to add additional folders.
STEP 9 | (Windows Vista and later Windows releases) Enable Password Theft Protection.
Select Enabled to enable the Cortex XDR agent to prevent attacks that use the Mimikatz
tool to extract passwords from memory. When set to Enabled, the Cortex XDR agent silently
prevents attempts to steal credentials (no notifications are provided when these events occur).
The Cortex XDR agent enables this protection module following the next endpoint reboot. If
you don’t want to enable the module, select Disabled.
This module is supported with Traps agent 5.0.4 and later releases.
Cortex XDR content rules created by the Research Team, which are updated through
security content.
This module is supported with Cortex XDR agent 7.5.0 and later releases.
1. Define the Action Mode to take when the Cortex XDR agent detects malicious behavior:
• Terminate Session (default)—Drop the malicious connections. For an outgoing
connection, also terminate all associated processes.
• Report—Allow the traffic into your network but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
This module is supported with Cortex XDR agent 7.2.0 and later releases.
1. Select the Action Mode to take when the Cortex XDR agent detects the malicious
behavior.
• Enable—Enable the Cortex XDR agent to analyze the endpoint for PHP files arriving
from the web server and alert on any malicious PHP scripts.
• Disable—Disable the module and do not analyze or report the activity.
2. Quarantine malicious files.
When Enabled, the Cortex XDR agent quarantines malicious PHP files on the endpoint.
The agent quarantines newly created PHP files only, and does not quarantine updated
files.
3. (Optional) Add files and folders to your allow list to exclude them from examination.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use
* to match files and folders containing a partial name. To match a folder, you must
terminate the path with * to match all files in the folder (for example, /usr/bin/*).
3. Repeat to add additional files or folders.
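The ? and * wildcards used in the allow lists above (the file-path allow list for malicious causality chains, the Parent/Child/Command Line criteria in STEP 7, the scheduled-scan folder exclusions, and the PHP file and folder exclusions in this step) all follow one matching rule. The following Python is an added example, not Cortex XDR code, that implements that rule so you can check a pattern against a real path or process event before you put it in a profile. Two details are assumptions of the example rather than documented behaviour: Windows-style paths are compared case-insensitively, and a child-process criterion left empty is treated as *.

```python
import re

# Translate a profile wildcard pattern into a regular expression. Only ? (one
# character) and * (any run of characters, including an empty one) are special;
# everything else, including '.', '[' and the path separator, is literal.
def compile_pattern(pattern: str, case_insensitive: bool = False):
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile("".join(parts) + r"\Z", flags)


def is_windows_path(path: str) -> bool:
    # Assumption of this example: a drive letter or a backslash means a Windows
    # path, which is compared case-insensitively; anything else is treated as a
    # POSIX path and compared exactly.
    return "\\" in path or re.match(r"[A-Za-z]:", path) is not None


def path_allowed(path: str, patterns: list) -> bool:
    """True if `path` matches any allow-list pattern.

    Note that a folder pattern without a trailing * matches only that exact
    entry, which is why the PHP step tells you to end folder paths with *.
    """
    ci = is_windows_path(path)
    return any(compile_pattern(p, ci).match(path) for p in patterns)


def child_process_allowed(event: dict, rules: list) -> bool:
    """Evaluate one child-process event against STEP 7 style allow-list criteria.

    `event` and each rule carry the three fields the profile exposes:
    'parent' (Parent Process Name), 'child' (Child Process Name) and
    'cmdline' (Command Line Params). A rule matches only if every field
    matches; a field omitted from a rule is treated as '*' (assumption).
    The cmdline pattern should hold only the parameters, not the process
    path, which is the point of the note under STEP 7.
    """
    for rule in rules:
        if all(
            compile_pattern(rule.get(f, "*"), True).match(event.get(f, ""))
            for f in ("parent", "child", "cmdline")
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample data, not taken from any real profile.
    print(path_allowed(r"C:\Users\alice\temp", [r"C:\*\temp"]))      # True
    print(path_allowed("/usr/bin/php", ["/usr/bin"]))                  # False: no trailing *
    rule = {"parent": r"C:\Program Files\*\winword.exe",
            "child": "cmd.exe", "cmdline": "/c dir *"}
    evt = {"parent": r"C:\Program Files\Microsoft Office\winword.exe",
           "child": "cmd.exe", "cmdline": "/c dir C:\\"}
    print(child_process_allowed(evt, [rule]))                           # True
```

Run a candidate pattern against a handful of paths or events you have actually seen in alerts before adding it; a pattern such as * on the command line parameters silences every child of that parent, which is usually broader than intended.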
2. Select the platform to which the profile applies and Restrictions as the profile type.
3. Click Next.
Field Description
Created Time: Date and time at which the security profile was created.
Modification Time: Date and time at which the security profile was modified.
Export profile.
1. From Endpoints > Policy Management > Prevention > Profiles, right-click the security
profile and select Export Profile.
2. Verify the profile you want to export.
Agent Profiles
Disk Space — Customize the amount of disk space the Cortex XDR agent uses to store logs and information about events.
User Interface — — Determine whether and how end users can access the Cortex XDR console.
Traps Tampering Protection — — Prevent users from tampering with the Cortex XDR agent components by restricting access.
Uninstall Password — — Change the default uninstall password to prevent unauthorized users from uninstalling the Cortex XDR agent software.
Windows Security Center Configuration — — — Configure your Windows Security Center preferences to allow registration with the Microsoft Security Center, to allow registration with automated Windows patch installation, or to disable registration.
Forensics — — — Change forensic data collection and upload preferences.
Response Actions — Manual response actions that you can take on the endpoint after a malicious file, process, or behavior is detected. For example, you can terminate a malicious process, isolate the infected endpoint from the network, quarantine a malicious file, or perform additional actions as necessary to remediate the endpoint.
Content Updates —
Global Uninstall Password — Set the uninstall password for all agents in the system.
Content Bandwidth Management —
Advanced Analysis — Enable Cortex XDR to automatically upload alert data for secondary verdict verification and security policy tuning.
2. Select the platform to which the profile applies and Agent Settings as the profile type.
3. Click Next.
STEP 3 | (Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs.
Specify a value in MB from 100 to 10,000 (default is 5,000).
STEP 4 | (Windows and Mac only) Configure User Interface options for the Cortex XDR console.
By default, Cortex XDR uses the settings specified in the default agent settings profile and
displays the default configuration in parentheses. When you select a setting other than the
default, you override the default configuration for the profile.
• Tray Icon—Choose whether you want the Cortex XDR agent icon to be Visible (default) or
Hidden in the notification area (system tray).
• XDR Agent Console Access—Enable this option to allow access to the Cortex XDR console.
• XDR Agent User Notifications—Enable this option to display notifications in the
notification area on the endpoint. When disabled, the Cortex XDR agent operates in silent
mode and does not display any notifications in the notification area. If you enable
notifications, you can use the default notification messages or provide custom text for
each notification type. You can also customize a notification footer.
• Live Terminal User Notifications—Choose whether to Notify the end user and display a
pop-up on the endpoint when you initiate a Live Terminal session. For Cortex XDR agents
7.3 and later releases only, you can choose to Request end-user permission to start the
session. If the end user denies the request, you will not be able to initiate a Live Terminal
session on the endpoint.
• (Cortex XDR agent 7.3 and later releases only) Live Terminal Active Session Indication—
Enable this option to display a blinking light on the tray icon (or in the status bar for
Mac endpoints) for the duration of the remote session, to indicate to the end user that a live
terminal session is in progress.
them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on
the Android endpoint takes precedence over this configuration.
STEP 6 | (Windows and Mac only) Configure Agent Security options that prevent unauthorized access
to or tampering with the Cortex XDR agent components.
Use the default agent settings or customize them for the profile. To customize agent security
capabilities:
1. Enable XDR Agent Tampering Protection.
2. (Windows only) By default, the Cortex XDR agent protects all agent components;
however, you can configure protection more granularly for Cortex XDR agent services,
processes, files, and registry values. With Traps 5.0.6 and later releases, when protection
is enabled, access is read-only. In earlier Traps releases, enabling protection disables
all access to services, processes, files, and registry values.
Windows Defender from endpoints that are running Windows Server versions and where
the Cortex XDR agent is installed.
• Enabled (No Patches)—For the Cortex XDR agent 5.0 release only, select this option if you
want to register the agent with the Windows Security Center but prevent Windows from
automatically installing Meltdown/Spectre vulnerability patches on the endpoint.
• Disabled—The Cortex XDR agent does not register with the Windows Action Center. As a
result, the Windows Action Center could indicate that virus protection is Off, depending on
other security products that are installed on the endpoint.
When you Enable the Cortex XDR agent to register with the Windows Security Center,
Windows shuts down Microsoft Defender on the endpoint automatically. If you
still want to allow Microsoft Defender to run on an endpoint where Cortex XDR
is installed, you must Disable this option. However, Palo Alto Networks does not
recommend running Windows Defender and the Cortex XDR agent on the same
endpoint, since it might cause performance issues and incompatibility issues with
GlobalProtect and other applications.
STEP 10 | (Requires a Cortex XDR Pro per Endpoint license) Enable and configure Cortex XDR Pro
Endpoint capabilities on the endpoint, including enhanced data collection, advanced
responses, and available Pro add-ons.
1. Enable XDR Pro Endpoints Capabilities to configure which Pro capabilities to activate on
the endpoint.
The Pro features are hidden until you enable the capability. Enabling this capability
consumes a Cortex XDR Pro per Endpoint license.
2. (Supported on Cortex XDR agent 6.0 or later for Windows endpoints and Cortex XDR
agent 6.1 or later for Mac and Linux endpoints) Enable Monitor and Collect Enhanced
Endpoint Data.
By default, the Cortex XDR agent collects information about events that occur on the
endpoint. If you enable Behavioral Threat Protection in a Malware Security profile, the
Cortex XDR agent also collects information about all active file, process, network, and
registry activity on an endpoint (see Endpoint Data Collected by Cortex XDR). When you
enable the Cortex XDR agent to monitor and collect enhanced endpoint data, you enable
Cortex XDR to share the detailed endpoint information with other Cortex apps. The
information helps provide endpoint context when a security event occurs, so that you can
gain insight into the overall event scope during investigation. The event scope includes
all activities that took place during
an attack, the endpoints that were involved, and the damage caused. When disabled, the
Cortex XDR agent does not share endpoint activity logs.
3. (Requires the Host Insights add-on and Cortex XDR agent 7.1 or later releases) Enable Host
Insights Capabilities.
• Enable Endpoint Information Collection to allow the Cortex XDR agent to collect
Host Inventory information such as users, groups, services, drivers, hardware, and
network shares, as well as information about applications installed on the endpoint,
including CVEs and installed KBs for Vulnerability Assessment.
• (Supported on Cortex XDR agent 7.2 or later for Windows endpoints and Cortex
XDR agent 7.3 or later for Mac endpoints) Enable File Search and Destroy Action
Mode to allow the Cortex XDR agent to collect detailed information about files on the
endpoint to create a file inventory database. The agent locally monitors any actions
performed on these files and updates the local file database in real time.
With this option you can also choose the File Search and Destroy Monitored File
Types, where Cortex XDR monitors all file types or only common file types. If you
choose Common file types, Cortex XDR monitors the following file types:
• Windows—bat, bmp, c, cab, cmd, cpp, csv, db, dbf, doc, docb,
docm, docx, dotm, dotx, dwg, dxf, exe, exif, gif, gz, jar,
java, jpeg, jpg, js, keynote, mdb, mdf, msi, myd, pages,
pdf, png, pot, potm, ppam, pps, ppsm, ppsx, ppt, pptm,
pptx, ps1, pub, py, rar, rtf, sdf, sldm, sldx, sql, sqlite,
sqlite3, svg, tar, txt, url, vb, vbe, vbs, vbscript, vsd,
vsdx, wsf, xla, xlb, xlm, xls, xlsm, xlsx, xlt, xltm, xltx,
xps, zip, and 7z.
• Mac—acm, apk, ax, bat, bin, bundle, csv, dll, dmg, doc,
docm, docx, dylib, efi, hta, jar, js, jse, jsf, lua, mpp,
mppx, mui, o, ocx, pdf, pkg, pl, plx, pps, ppsm, ppsx, ppt,
pptm, pptx, py, pyc, pyo, rb, rtf, scr, sh, vds, vsd, wsf,
xls, xlsm, xlsx, xsdx, and zip.
Additionally, you can exclude files that exist under a specific local path on the
endpoint from inclusion in the file database.
4. (Requires the Forensics add-on and Cortex XDR agent 7.4 or later for Windows endpoints)
Enable Monitor and Collect Forensics Data to allow the Cortex XDR agent to collect
detailed information about what happened on your endpoint to create a forensics
database. Define whether to enable collection, and at what time interval, for each of the
following entity types:
• Process Execution
• File Access
• Persistence
• Command History
• Network
• Remote Access
• Search Collections
Data collected by the agent is displayed in the Forensic Data Analysis page.
5. (Supported on Cortex XDR agent 7.5 or later for Windows endpoints and requires
to15) Enable Distributed Network Scan to allow the Cortex XDR agent to scan your
network (using Ping or Nmap) to provide updated identifiers of your unmanaged network
assets, such as IP addresses and OS platforms. The scan results can be viewed in the Asset
Management table.
1. Enable the Action Mode.
2. In Scan Mode, select Nmap or Ping.
3. Select whether you want any Excluded IP Address Ranges. The IP address ranges are
populated from your Network Configurations.
4. If you selected Nmap, enable or disable OS Fingerprinting.
STEP 12 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR
agent 7.3 or later for Mac and Linux endpoints) Specify the Content Configuration for your
Cortex XDR agents.
• Content Auto-update—By default, the Cortex XDR agent always retrieves the most recent
content and deploys it on the endpoint so it is always protected with the latest security
measures. However, you can Disable the automatic content download. The agent then
stops retrieving content updates from the Cortex XDR server and keeps working with the
current content on the endpoint.
• If you disable content updates for a newly installed agent, the agent retrieves
content for the first time from Cortex XDR and then disables content updates
on the endpoint.
• When you add a Cortex XDR agent to an endpoint group whose policy disables content
auto-updates, that policy is applied to the added agent as well.
• Content Rollout—The Cortex XDR agent can retrieve content updates Immediately as they
become available, or after a pre-configured Delayed period. When you delay content updates,
the Cortex XDR agent retrieves the content according to the configured delay. For
example, if you configure a delay period of two days, the agent does not use any content
released in the last 48 hours.
STEP 13 | Enable Agent Auto Upgrade for your Cortex XDR agents.
To ensure your endpoints are always up to date with the latest Cortex XDR agent release,
enable automatic agent upgrades.
1. Select the Automatic Upgrade Scope:
• Latest agent release
• Only maintenance release
• Only maintenance release in a specific version
• Upgrade to a specific version
2. Select the Upgrade Rollout:
• Immediate
• Delayed—Specify the Delay Period In Days using a numeric value. Valid values are
7 through 45.
To control the agent auto upgrade scheduler and the number of parallel upgrades in your
network, see Configure Global Agent Settings.
Automatic upgrades are not supported with non-persistent VDI and temporary
sessions.
3. (Optional) For Critical Environment (CE) versions, select whether you want to
upgrade your CE agents only within the CE line. It can take up to 15 minutes for new
and updated auto-upgrade profile settings to take effect on your endpoints.
STEP 14 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR
agent 7.3 or later for Mac and Linux endpoints) Specify the Download Source for agent and
content updates.
To reduce your external network bandwidth load during updates, you can choose the
Download Source(s) from which the Cortex XDR agent retrieves agent release upgrades and
content updates: from a peer agent in the local network, from the Palo Alto Networks Broker
VM, or directly from the Cortex XDR server. If all options are selected in your profile, the
attempted download order is first P2P, then the Broker VM, and lastly the Cortex
server.
• (Requires Cortex XDR agents 7.4 and later for P2P agent upgrade) P2P—Cortex XDR
deploys serverless peer-to-peer (P2P) distribution to Cortex XDR agents in your LAN
by default. Within the six-hour randomization window during which the Cortex
XDR agent attempts to retrieve the new version, it broadcasts to its peer agents on the
same subnet twice: once within the first hour, and once again during the following five
hours. If the agent did not retrieve the files from other agents in either query, it proceeds
to the next download source defined in your profile.
To enable P2P, you must allow UDP and TCP on the port defined in Download Source.
By default, Cortex XDR uses port 33221. You can configure another port number.
• (Requires Cortex XDR agents 7.4 and later releases and Broker VM 12.0 and later) Broker
VM—If you have a Palo Alto Networks Broker VM in your network, you can use the
Local Agent Settings applet to cache release upgrades and content updates. When enabled
and configured, the Broker retrieves the latest installers and content from Cortex XDR
every 15 minutes and keeps them for a 30-day retention period from the time an agent last
requested them. If the files are not available on the Broker VM at the time of the request, the
agent proceeds to download the files directly from the Cortex XDR server.
If you enable the Broker download option, proceed to select one or more available brokers
from the list. Cortex XDR lets you select only brokers that are connected and for
which caching is configured. When you select multiple brokers, the agent chooses
randomly which broker to use for each download request.
• Cortex Server—To ensure your agents remain protected, the Cortex Server download source
is always enabled, allowing all Cortex XDR agents in your network to retrieve content
directly from the Cortex XDR server on their next heartbeat.
STEP 15 | Enable Network Location Configuration for your Cortex XDR agents.
(Requires Cortex XDR agents 7.1 and later releases) If you configure host firewall rules in your
network, you must enable Cortex XDR to determine the network location of your device, as
follows:
1. A domain controller (DC) connectivity test—When Enabled, the DC test checks whether
the device is connected to the internal network. If the device is connected to the
internal network, it is in the organization. Otherwise, if the DC test fails or returns
an external domain, Cortex XDR proceeds to a DNS connectivity test.
2. A DNS test—In the DNS test, the Cortex XDR agent resolves a DNS name that is known
only to the internal network. If the DNS server returns the pre-configured internal IP, the
device is within the organization. Otherwise, if the name does not resolve to that IP, the
device is located elsewhere. Enter the IP Address and DNS Server Name for the test.
If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the
device location test and recalculates the policy according to the new location.
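The two-stage location decision above (DC test first, DNS test only as the fallback, and only an exact match on the configured IP counts as internal) is what decides which host firewall rules a laptop gets, so it is worth seeing the control flow written out. The following Python is an added example, not the Cortex XDR agent's implementation. It assumes two injectable probes, dc_probe() and resolve(name, server), which are stand-ins for whatever the real agent does, and the domain, name, server and IP values are constructed for a fictitious organization.

```python
from typing import Callable, Dict, Optional, Tuple

INTERNAL = "internal"
EXTERNAL = "external"


def locate_endpoint(
    dc_probe: Callable[[], Optional[str]],
    resolve: Callable[[str, str], Optional[str]],
    internal_domain: str,
    dns_name: str,
    dns_server: str,
    expected_ip: str,
) -> str:
    """Classify the endpoint as INTERNAL or EXTERNAL in the documented order.

    1. DC test: dc_probe() returns the domain of a reachable domain controller,
       or None if none answers. Only the organization's own domain counts as
       internal; an external domain or a failure falls through to the DNS test.
    2. DNS test: the internal-only name must resolve, on the configured server,
       to exactly the configured IP. Any other answer, including no answer,
       means the endpoint is elsewhere. A captive portal that answers every
       name with its own address therefore still reads as EXTERNAL.
    """
    try:
        reached = dc_probe()
    except OSError:          # no route, timeout, etc. counts as a failed DC test
        reached = None
    if reached is not None and reached.lower() == internal_domain.lower():
        return INTERNAL

    try:
        answer = resolve(dns_name, dns_server)
    except OSError:
        answer = None
    return INTERNAL if answer == expected_ip else EXTERNAL


def static_resolver(table: Dict[Tuple[str, str], str]) -> Callable[[str, str], Optional[str]]:
    """Build a resolver from a constructed (name, server) -> ip table so the
    example runs offline; a real probe would query the DNS server."""
    def resolve(name: str, server: str) -> Optional[str]:
        return table.get((name.lower(), server))
    return resolve


def dc_unreachable() -> Optional[str]:
    """Probe stand-in for an endpoint that cannot reach any domain controller."""
    return None


# Constructed sample configuration (assumed values, not from any real tenant).
CORP = dict(internal_domain="corp.example", dns_name="intranet.corp.example",
            dns_server="10.0.0.53", expected_ip="10.0.4.20")

if __name__ == "__main__":
    office = static_resolver({("intranet.corp.example", "10.0.0.53"): "10.0.4.20"})
    hotel = static_resolver({("intranet.corp.example", "10.0.0.53"): "203.0.113.7"})
    print(locate_endpoint(lambda: "corp.example", office, **CORP))   # internal
    print(locate_endpoint(dc_unreachable, office, **CORP))           # internal (DNS test)
    print(locate_endpoint(dc_unreachable, hotel, **CORP))            # external
```

When choosing the DNS name for the test, pick one that is genuinely absent from public DNS and from any split-horizon view you expose to partners; otherwise the fallback test can report "internal" from a network you do not control.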
STEP 16 | (Supported for Cortex XDR agent 7.7 or later for Linux only) Define the Agent Operation Mode.
1. Select the Mode in which you want the Cortex XDR agent to run on the Linux endpoint. You can
select either Kernel (default) or User Space.
2. Choose whether to fall back to User Space mode when Kernel mode is unavailable. By
default, the User Space fallback is disabled.
STEP 3 | Manage the content updates bandwidth and frequency in your network.
• Enable bandwidth control—Palo Alto Networks allows you to control your Cortex XDR
agent network consumption by adjusting the bandwidth allocated to it. Based on the
number of agents you want to update with content and upgrade packages, active or future
agents, the Cortex XDR calculator suggests the recommended amount of Mbps (megabits
per second) required for a connected agent to retrieve a content update over a 24-hour
period or a week. Cortex XDR supports between 20 and 10,000 Mbps; you can enter one of
the recommended values or one of your own. For optimized performance and reduced
bandwidth consumption, it is recommended that you install and update new agents with
Cortex XDR agent 7.3 and later releases, whose installers include the content package, using SCCM.
• Enable minor content version updates—The Cortex XDR research team releases more
frequent content updates between major content versions to ensure your network is
constantly protected against the latest threats in the wild. When you enable
minor content version updates, the Cortex XDR agent receives minor content updates,
starting with the next content release. To learn more about the minor content numbering
format, refer to the About Content Updates topic.
STEP 5 | Configure the Cortex XDR agent auto upgrade scheduler and number of parallel upgrades.
If Agent Auto Upgrades are enabled for your Cortex XDR agents, you can control the
automatic upgrade process in your network. To better control the rollout of a new Cortex
XDR agent release in your organization, during the first week only a single batch of agents
is upgraded. After that, auto-upgrades continue to be deployed across your network with
the configured number of parallel upgrades.
• Amount of Parallel Upgrades—Set the number of parallel agent upgrades, up to a
maximum of 500 agents.
• Days in week—You can schedule the upgrade task for specific days of the week and a
specific time range. The minimum range is four hours.
STEP 6 | Configure automated Advanced Analysis of Cortex XDR agent alerts raised by exploit
protection modules.
Advanced Analysis is an additional verification method you can use to validate the verdict
issued by the Cortex XDR agent. In addition, Advanced Analysis also helps Palo Alto Networks
researchers tune exploit protection modules for accuracy.
To initiate additional analysis you must retrieve data about the alert from the endpoint. You
can do this manually on an alert-by-alert basis, or you can enable Cortex XDR to automatically
retrieve the files.
After Cortex XDR receives the data, it automatically analyzes the memory contents and
renders a verdict. When the analysis is complete, Cortex XDR displays the results in the
Advanced Analysis field of the Additional data view for the data retrieval action in the Action
Center. If the Advanced Analysis verdict is benign, you can avoid subsequent blocks for
users that encounter the same behavior by enabling Cortex XDR to automatically create and
distribute exceptions based on the Advanced Analysis results.
1. Configure the desired options:
• Enable Cortex XDR to automatically upload defined alert data files for advanced
analysis. Advanced Analysis increases the accuracy of the Cortex XDR exploit protection
modules.
• Automatically apply Advanced Analysis exceptions to your Global Exceptions
list. This applies all Advanced Analysis exceptions suggested by Cortex XDR,
regardless of the alert data file source.
2. Save the Advanced Analysis configuration.
STEP 7 | Configure the Cortex XDR agent license revocation and deletion period.
This configuration applies to standard endpoints only and does not impact the license status of
agents for VDIs or Temporary Sessions.
1. Configure the desired options:
• Connection Lost (Days)—Configure the number of days after which the license is
returned when an agent loses its connection to Cortex XDR. Default is 30 days;
range is 2 to 60 days.
• Agent Deletion (Days)—Configure the number of days after which the agent and
related data are removed from the Cortex XDR management console and database.
Default is 180 days; range is 3 to 360 days, and the value must exceed the Connection Lost
value.
2. Save the Agent Status configuration.
STEP 8 | Enable WildFire analysis scoring for files with Benign verdicts.
The WildFire analysis score for files with a Benign verdict indicates the level of
confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file
that was tested manually gets a high-confidence Benign score, whereas a file that did not
display any suspicious behavior at the time of testing gets a lower-confidence Benign score. To
add an additional verification method for such files, enable this setting. Then, when Cortex XDR
receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile
settings you currently have in place (Run local analysis to determine the file verdict, Allow, or
Block).
Disabling this capability takes immediate effect on new hashes, fresh agent
installations, and existing security policies. It could take up to a week to take effect on
existing agents in your environment, pending agent caching.
If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules,
log forwarding queries, or automation rules configured for XSOAR or a third-party SIEM, we
advise you to update them to support the changes before activating the feature. For
example, change the query to include the previous description, which is still available in
the new description, instead of searching for an exact match.
Field Description
Process Creation Time: Part of the process unique ID per boot session (PID + creation time).
• Connect • Session ID
User Presence (Traps 6.1 and later): User Detection. Detection of whether a user is present or idle, per active user session on the computer.
Event Log: See the Windows Event Logs table for the list of Windows Event Logs that can be sent to the server.
In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows
Event Logs to the server:
Application EMET
When importing a policy, select whether to enable the associated policy targets.
Rules within the imported policy are managed as follows:
• New rules are added to the top of the list.
• Default rules override the default rule in the target tenant.
• Rules without a defined target are disabled until a target is specified.
• Select Endpoints > Policy Management > Prevention > Profiles, right-click the profile you
want to assign, and Create a new policy rule using this profile.
STEP 2 | Define a Policy Name and an optional Description that describes the purpose or intent of the
policy.
STEP 3 | Select the Platform for which you want to create a new policy.
STEP 4 | Select the desired Exploit, Malware, Restrictions, and Agent Settings profiles you want to
apply in this policy.
If you do not specify a profile, the Cortex XDR agent uses the default profile.
STEP 6 | Use the filters to assign the policy to one or more endpoints or endpoint groups.
Cortex XDR automatically applies a filter for the platform you selected and, if one exists, the Group
Name according to the groups within your defined user scope.
STEP 8 | In the Policy Rules table, change the rule position, if needed, to order the policy relative to
other policies.
The Cortex XDR agent evaluates policies from top to bottom. When the Cortex XDR agent
finds the first match, it applies that policy as the active policy. To move the rule, select the
arrows and drag the policy to the desired location in the policy hierarchy.
Right-click to View Policy Details, Edit, Save as New, Disable, or Delete.
Behavioral Threat Protection Rule Exception: An exception disabling a specific BTP rule across all processes.
Local File Threat Examination Exception (Linux only): An exception allowing specific PHP files.
To help you manage and assess your BIOC/IOC rules, Cortex XDR automatically creates a System
Generated rule exception if the same BIOC/IOC rule is detected with the same initiator hash within
a 3-day timeframe on 100 different endpoints.
Each time a BIOC/IOC alert is detected, the 3-day timeframe restarts. If 3 days pass
without an alert, the count is reset. For example:
Example A
Cortex® XDR Pro Administrator’s Guide Version 3.3 241 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Example B
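The System Generated exception condition above, replayed over constructed alerts, as an added example that is not part of the original guide and not Cortex XDR code. The interpretation of the timer is an assumption: any alert for a (rule, initiator hash) pair restarts the 3-day window, and the set of distinct endpoints counted for that pair is cleared once 3 days pass with no alert. Scenario B shows the reset, scenario C shows that a slow trickle of alerts keeps the window alive, and scenario D shows that the initiator hash is part of the key.

```python
# Added example (not Cortex XDR code): the System Generated rule-exception
# condition replayed over constructed alerts. Assumed interpretation: every
# alert for a (rule, initiator hash) pair restarts the 3-day window, and the
# distinct-endpoint set is cleared once 3 days pass with no alert for the pair.
from datetime import datetime, timedelta

WINDOW = timedelta(days=3)
ENDPOINT_THRESHOLD = 100


class SystemExceptionTracker:
    def __init__(self):
        # (rule_id, initiator_hash) -> (time of last alert, distinct endpoints seen)
        self._state = {}
        self.generated = []

    def observe(self, ts, rule_id, initiator_hash, endpoint):
        """Record one BIOC/IOC alert; return True if it triggers an exception."""
        key = (rule_id, initiator_hash)
        last, endpoints = self._state.get(key, (None, set()))
        if last is not None and ts - last > WINDOW:
            endpoints = set()            # 3 days of silence: counting starts over
        endpoints.add(endpoint)
        self._state[key] = (ts, endpoints)
        if len(endpoints) >= ENDPOINT_THRESHOLD and key not in self.generated:
            self.generated.append(key)
            return True
        return False


def replay(alerts):
    """alerts: iterable of (timestamp, rule_id, initiator_hash, endpoint) in
    time order. Returns the (rule, hash) pairs that earned an exception."""
    tracker = SystemExceptionTracker()
    for ts, rule_id, initiator_hash, endpoint in alerts:
        tracker.observe(ts, rule_id, initiator_hash, endpoint)
    return tracker.generated


def burst(rule_id, initiator_hash, count, start, spacing, first_host=0):
    """Constructed alerts from `count` distinct hosts, `spacing` apart."""
    return [(start + i * spacing, rule_id, initiator_hash, f"host-{first_host + i:03d}")
            for i in range(count)]


T0 = datetime(2022, 5, 1)
TEN_MIN = timedelta(minutes=10)
# A: 100 hosts within one day -> exception.
SCENARIO_A = burst("BIOC-1", "sha256:aaa", 100, T0, TEN_MIN)
# B: 60 hosts, then 4 quiet days, then 60 more hosts -> window reset, no exception.
SCENARIO_B = (burst("BIOC-1", "sha256:bbb", 60, T0, TEN_MIN)
              + burst("BIOC-1", "sha256:bbb", 60, T0 + timedelta(days=4), TEN_MIN, 60))
# C: one host every 2 days for 200 days -> window never expires, exception on the 100th.
SCENARIO_C = burst("BIOC-1", "sha256:ccc", 100, T0, timedelta(days=2))
# D: 100 hosts split across two initiator hashes -> neither pair reaches 100.
SCENARIO_D = (burst("BIOC-1", "sha256:d01", 50, T0, TEN_MIN)
              + burst("BIOC-1", "sha256:d02", 50, T0 + timedelta(hours=9), TEN_MIN, 50))

if __name__ == "__main__":
    for name, scenario in [("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C), ("D", SCENARIO_D)]:
        print(name, replay(scenario))
```

Scenario C is the one to keep in mind when reviewing auto-generated exceptions: a benign-looking rule hit that fires on a different host every day or two for months still crosses the threshold, so the exception list deserves the same periodic review as the rules themselves.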
2. Select the platform to which the profile applies and Exceptions as the profile type.
3. Click Next.
for this profile. To apply the process exception on all security modules, Select all. To apply the process exception on all exploit security modules, select Disable Injection.
4. Click the adjacent arrow.
5. After you have added all processes, click Create.
You can return to the Process Exception profile from the Endpoints Profile page at any point and edit the settings, for example to add or remove security modules.
To configure a Support Exception:
1. Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file on the page.
2. Click Create.
To configure module-specific exceptions relevant for the selected profile platform:
• Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on, right-click the alert and Create alert exception. Review the alert data (Platform and Rule name) and select from the following options as needed.
- CGO hash—Causality Group Owner (CGO) hash value.
- CGO signer—CGO signer entity (for Windows and Mac only).
- CGO process path—Directory path of the CGO process.
- CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
Prefer the narrowest combination that still fits the benign case: an exception keyed on the process path alone applies to any binary that later occupies that path, whereas the hash or signer ties it to a specific executable.
From Exception Scope, select Profile and click Create.
• Digital Signer Exception—When you view an alert for a Digital Signer Restriction which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Local File Threat Examination Exception—When you view an alert for a PHP file which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Gatekeeper Enhancement Exception—When you view a Gatekeeper Enhancement security alert for a bundle or a specific source-child combination you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Source Process, Target Process, and Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add. This exception allows Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process when it runs other child processes.
At any point, you can click the Generating Alert ID to return to the original alert from which the exception originated. You cannot edit module-specific exceptions.
apply the process exception on all exploit security modules, select Disable Injection. Click the adjacent arrow to add the exception.
STEP 2 | Review the alert data (platform and rule name) and then select from the following options as needed:
1. CGO hash—Causality Group Owner (CGO) hash value.
2. CGO signer—CGO signer entity (for Windows and Mac only).
3. CGO process path—Directory path of the CGO process.
4. CGO command arguments—CGO command arguments. This option is available only if CGO process path is selected, and only if you are using Cortex XDR Agent 7.5 or later on your endpoints. After selecting this option, check the full path of each relevant command argument within quote marks. You can edit the displayed paths if needed.
5. From Exception Scope, select Global.
return to the original alert from which the exception originated. To delete a specific global exception, select it and click X.
You cannot edit global exceptions generated from a BTP security event.
STEP 2 | Review the alert data (platform and rule name) and select Exception Scope: Global.
return to the original alert from which the exception originated. To delete a specific global exception, select it and click X. You cannot edit global exceptions generated from a digital signer restriction security event.
Field Description
Created Time: Date and time at which the profile was created.
Modification Time: Date and time at which the profile was modified.
To apply the profiles, from Endpoints > Policy Management > Extensions > Policy Rules, you can view all the policy rules per operating system. Rules associated with one or more targets that are beyond your defined user scope are locked and cannot be edited.
The following table describes for each capability the supported platforms and minimal agent version. A dash (—) indicates the setting is not supported.
Hardened endpoint security capabilities are not supported for Android endpoints.
Device Control: Protects endpoints from loading malicious files from USB-connected removable devices (CD-ROM, disk drives, floppy disks and Windows portable devices drives).
  Windows: Cortex XDR agent 7.0 and later (for VDI, Cortex XDR agent 7.3 and later)
  Mac: Cortex XDR agent 7.2 and later
  Linux: —
Host Firewall: Protects endpoints from attacks originating in network communications to and from the endpoint.
  Windows: Cortex XDR agent 7.1 and later
  Mac: Cortex XDR agent 7.2 and later
  Linux: —
Disk Encryption: Provides visibility into endpoints that encrypt their hard drives using BitLocker or FileVault.
  Windows: Cortex XDR agent 7.1 and later
  Mac: Cortex XDR agent 7.2 and later
  Linux: —
Host Inventory: Provides full visibility into the business and IT operational data on all your endpoints.
  Windows: Cortex XDR agent 7.1 and later
  Mac: Cortex XDR agent 7.1 and later
  Linux: Cortex XDR agent 7.1 and later
Vulnerability Assessment: Identifies and quantifies the security vulnerabilities (CVEs) that exist for applications installed on your endpoints.
  Windows: Cortex XDR agent 7.1 and later
  Mac: —
  Linux: Cortex XDR agent 7.1 and later
Device Control
By default, all external USB devices are allowed to connect to your Cortex XDR endpoints. To protect endpoints from USB-connected removable devices—such as disk drives, CD-ROM drives, floppy disk drives, and other portable devices—that can contain malicious files, Cortex XDR provides device control.
For example, with device control, you can:
• Block all supported USB-connected devices for an endpoint group.
• Block a USB device type but add a specific vendor of that type to your allow list, so that its devices remain accessible from the endpoint.
• Temporarily block only some USB device types on an endpoint.
Depending on your defined user scope permissions, creating device profiles, policies, exceptions, and violations may be disabled.
The following are prerequisites to enforce device control policy rules on your endpoints:
If you are running Cortex XDR agent 7.3 or an earlier release, device control rules take effect on your endpoint only after the Cortex XDR agent deploys the policy. If a USB device was already connected to the endpoint, you have to disconnect it and connect it again for the policy to take effect.
Device Configuration and Device Exceptions profiles are set for each operating system separately.
After you configure a device control profile, Apply Device Control Profiles to Your Endpoints.
Currently, the default is set to Use Default (Allow); however, Palo Alto Networks may change the default definition at any time.
To view connect and disconnect events of USB devices reported by the agent in XQL Search, the Device Configuration must be set to Block. Otherwise, the USB events are not captured. The events are also captured when a group of device types is blocked on the endpoints with a permanent or temporary exception in place. For more information, see Ingest Connect and Disconnect Events of USB Devices.
You cannot edit or delete the default profiles pre-defined in Cortex XDR.
STEP 6 | (Optional) To define exceptions to your Device Configuration profile, Add a New Exceptions Profile.
When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
• New rules are added to the top of the list.
• Default rules override the default rule in the target tenant.
• Rules without a defined target are disabled until a target is specified.
the results. For each violation event, Cortex XDR logs the event details, the platform, and the device details that are available.
If you see a violation for which you would like to define an exception on the device that triggered it, right-click the violation and select one of the following options:
• Add device to permanent exceptions—To ensure this device is always allowed in your network, select this option to add the device to the Device Permanent Exceptions list.
• Add device to temporary exceptions—To allow this device only temporarily on the selected endpoint or on all endpoints, select this option and set the allowed time frame for the device.
• Allow device to a profile exception—Select this option to allow the device within an existing Device Exceptions profile.
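A device-control decision assembled from the pieces described in this section (a per-type Allow/Block configuration, a vendor allow list as a profile exception, and permanent or temporary exceptions for one specific device), as an added example that is not part of the original guide and not Cortex XDR code. The field names, the order in which the exceptions are consulted, and the vendor IDs and serial numbers are constructed assumptions for illustration; the `violations` function shows the kind of log entry a blocked connection produces.

```python
# Added example (not Cortex XDR code): a device-control decision built from
# the page's description. Field names, the order in which exceptions are
# consulted, and all IDs/serials are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class UsbDevice:
    device_type: str        # e.g. "disk_drive", "cd_rom", "floppy", "portable"
    vendor_id: str
    product_id: str
    serial: str


@dataclass(frozen=True)
class TemporaryException:
    serial: str
    endpoint: Optional[str]  # None = allowed on all endpoints
    expires: datetime


class DeviceControlPolicy:
    def __init__(self, type_actions, vendor_allow=None, permanent=(), temporary=()):
        self.type_actions = dict(type_actions)   # device type -> "allow"|"block"; unset = Use Default (Allow)
        self.vendor_allow = vendor_allow or {}   # device type -> set of allowed vendor IDs (profile exception)
        self.permanent = set(permanent)          # serials on the Device Permanent Exceptions list
        self.temporary = list(temporary)

    def decide(self, device, endpoint, now):
        """Return (verdict, reason); verdict is "allow" or "block"."""
        if self.type_actions.get(device.device_type, "allow") == "allow":
            return "allow", "device type allowed"
        if device.serial in self.permanent:
            return "allow", "permanent exception"
        for exc in self.temporary:
            if (exc.serial == device.serial and exc.endpoint in (None, endpoint)
                    and now < exc.expires):
                return "allow", "temporary exception"
        if device.vendor_id in self.vendor_allow.get(device.device_type, set()):
            return "allow", "vendor on profile allow list"
        return "block", "blocked device type"


def violations(policy, plug_events):
    """plug_events: (timestamp, endpoint, UsbDevice). Returns the violation
    log entries that blocked connections produce."""
    log = []
    for ts, endpoint, device in plug_events:
        verdict, reason = policy.decide(device, endpoint, ts)
        if verdict == "block":
            log.append({"time": ts, "endpoint": endpoint, "type": device.device_type,
                        "vendor_id": device.vendor_id, "product_id": device.product_id,
                        "serial": device.serial, "reason": reason})
    return log


NOW = datetime(2022, 5, 27, 9, 0)
LATER = NOW + timedelta(hours=3)                     # after the temporary exception expires
POLICY = DeviceControlPolicy(
    type_actions={"disk_drive": "block", "portable": "block"},
    vendor_allow={"disk_drive": {"0781"}},            # constructed vendor ID
    permanent={"SN-PERM-1"},
    temporary=[TemporaryException("SN-TEMP-1", "ws-01", NOW + timedelta(hours=2))],
)
CORPORATE_STICK = UsbDevice("disk_drive", "0781", "5567", "SN-C-1")
ROGUE_STICK = UsbDevice("disk_drive", "1234", "0001", "SN-X-9")
PERMANENT_DEVICE = UsbDevice("disk_drive", "1234", "0002", "SN-PERM-1")
TEMPORARY_DEVICE = UsbDevice("disk_drive", "1234", "0003", "SN-TEMP-1")
OPTICAL = UsbDevice("cd_rom", "1234", "0004", "SN-CD-1")     # type not configured

# Constructed plug-in events feeding the violation log.
EVENTS = [
    (NOW, "ws-01", CORPORATE_STICK),
    (NOW, "ws-01", ROGUE_STICK),
    (NOW, "ws-02", TEMPORARY_DEVICE),      # exception is scoped to ws-01 only
    (LATER, "ws-01", TEMPORARY_DEVICE),    # exception expired
    (NOW, "ws-03", PERMANENT_DEVICE),
    (NOW, "ws-03", OPTICAL),
]

if __name__ == "__main__":
    for entry in violations(POLICY, EVENTS):
        print(entry)
```

The vendor allow list is the widest of the three exceptions: any device presenting that vendor ID passes, so treat it as a convenience for a fleet of known-good devices and use serial-based exceptions when one particular device is what you mean.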
STEP 3 | Save.
The new device class is now available in Cortex XDR like all other device classes.
The Cortex XDR Query Language (XQL) supports the ingestion of connect and disconnect events of USB devices that are reported by the agent. To view these USB device events in XQL Search, you must set the Device Configuration of the endpoint profile to Block. Otherwise, the USB events are not captured. The events are also captured when a group of device types is blocked on the endpoints with a permanent or temporary exception in place. For more information, see Add a New Configuration Profile.
You can use XQL Search to query for this data and build widgets based on the xdr_data dataset, where the following use cases are supported:
• Displaying devices by Vendor ID, Vendor Name, Product ID, and Product Name.
• Displaying the hosts to which a specific device, identified by serial number, is connected.
• Querying for USB devices that are connected to specific hosts or groups of hosts.
Examples of XQL queries over the USB device data:
Product names of devices reported in DEVICE_PLUG events:
dataset = xdr_data
| filter event_type = DEVICE and event_sub_type = DEVICE_PLUG
| fields action_device_usb_product_name
Vendor names of all device events, using the device_control preset:
preset = device_control
| filter event_type = DEVICE
| fields action_device_usb_vendor_name
Host Firewall
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints, within or outside your organization network. The Cortex XDR host firewall rules leverage the operating system firewall APIs to enforce these rules on your endpoints, but do not modify your Windows or Mac firewall settings.
The following are prerequisites to apply Cortex XDR host firewall policy rules on your endpoints:
Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
As a result, all migrated rules are set not to report matching traffic by default, and enforcement events are not included in the Host Firewall Events table.
Set Up the Host Firewall
Set up your rule groups and host firewall profile.
Create a Rules Group
Group rules into Rules Groups that you can reuse across all host firewall profiles. A host firewall group includes one or more unique host firewall rules. The rules are enforced according to their order of appearance within the group, from top to bottom. After you create a rules group, you can assign the group to a host firewall profile. When you edit, re-prioritize, disable, or delete a rule in a group, the change takes effect in all policies where this group is included. To support this scalability and structure, every rule in Cortex XDR is assigned a unique ID and must be contained within a group. Additionally, you can import existing firewall rules into Cortex XDR, or export them in JSON format.
STEP 1 | Create a group.
From Endpoints > Host Firewall > Host Firewall Rules Groups, click +New Group on the upper bar.
For every group, you need to create its own list of rules. Each rule is assigned a unique ID and can be associated with a single group only.
When selecting the ICMP protocol, you must enter the ICMP Type and Code. Without these values the ICMP protocol is ignored by the Windows and macOS Cortex XDR agents, so an ICMP rule saved without them neither allows nor blocks anything.
• Direction—Select the direction of the communication this rule applies to: Inbound communication to the endpoint, Outbound communication from the endpoint, or Both.
• Action—Select whether the rule action is to Allow or Block the communication on the endpoint.
• Local/Remote IP Address—Configure the rule for specific local or remote IP addresses and/or Ports. You can set a single IP address, multiple IP addresses separated by a comma, a range of IP addresses separated by a hyphen, or a combination of these options.
• Depending on the type of platform you selected, define the Application, Service, and Bundle IDs of the Windows Settings and/or macOS Settings—Configure the rule for all applications/services or specific ones only by entering the full path and name. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
• Report Matched Traffic—When Enabled, enforcement events captured by this rule are reported periodically to Cortex XDR and displayed in the Host Firewall Events table, whether the rule is set to Allow or Block the traffic. When Disabled, the rule is applied but enforcement events are not reported periodically.
2. Save the rule.
After you fill in all the details, you need to save the rule. If you know you need to create a similar rule, click Create another to save this rule and keep the specified parameters available for editing in the next rule. Otherwise, to save the rule and exit, click Create.
STEP 5 | Save.
When you are done, click Create. The new rules group is created and can be associated with a host firewall profile.
group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
STEP 1 | Create a profile.
From Endpoints > Policy Management > Extensions, select + Add Profile or Import from File.
STEP 2 | Select the platform and click Host Firewall > Next.
Field Description
Creation Time: Date and time when the rule was created.
4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. The default action applies to every network connection that has not been matched by any rule in the profile.
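The rule fields from Create a Rules Group and the profile Default Action above, combined into one evaluator, as an added example that is not part of the original guide and not Cortex XDR code. It applies groups in profile order and rules within a group top to bottom, lets the first match decide, falls back to the profile default per direction, and drops ICMP rules that were saved without Type and Code, as the note above says the agent does. The connection and rule field layout, the IP and port spec syntax (comma list, hyphen range) and the sample addresses are assumptions for illustration.

```python
# Added example (not Cortex XDR code): evaluation of host-firewall rule groups
# as the page describes them. Field layout, spec syntax and sample addresses
# are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str                  # "inbound", "outbound" or "both"
    action: str                     # "allow" or "block"
    protocol: str = "any"           # "tcp", "udp", "icmp" or "any"
    remote_ips: str = ""            # "10.0.0.10, 10.0.1.0-10.0.1.255"; empty = any
    remote_ports: str = ""          # "22, 1000-2000"; empty = any
    local_ports: str = ""
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    report: bool = False            # Report Matched Traffic
    enabled: bool = True


@dataclass
class Connection:
    direction: str
    protocol: str
    remote_ip: str
    remote_port: int = 0
    local_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def ip_in_spec(ip, spec):
    """Comma-separated single addresses and hyphenated ranges; empty = any."""
    if not spec.strip():
        return True
    addr = ipaddress.ip_address(ip)
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in part.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif addr == ipaddress.ip_address(part):
            return True
    return False


def port_in_spec(port, spec):
    if not spec.strip():
        return True
    for part in (p.strip() for p in spec.split(",")):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_is_effective(rule):
    """An ICMP rule missing Type or Code is ignored by the agent."""
    if not rule.enabled:
        return False
    return not (rule.protocol == "icmp" and (rule.icmp_type is None or rule.icmp_code is None))


def rule_matches(rule, conn):
    if rule.direction not in ("both", conn.direction):
        return False
    if rule.protocol not in ("any", conn.protocol):
        return False
    if not ip_in_spec(conn.remote_ip, rule.remote_ips):
        return False
    if rule.protocol == "icmp":
        return (rule.icmp_type, rule.icmp_code) == (conn.icmp_type, conn.icmp_code)
    return port_in_spec(conn.remote_port, rule.remote_ports) and port_in_spec(conn.local_port, rule.local_ports)


def evaluate(profile_groups, default_action, conn):
    """profile_groups: [(group name, [Rule, ...]), ...] in profile order.
    default_action: {"inbound": ..., "outbound": ...} from the profile.
    Returns (action, name of the matching rule or None, reported)."""
    for _, rules in profile_groups:
        for rule in rules:
            if rule_is_effective(rule) and rule_matches(rule, conn):
                return rule.action, rule.name, rule.report
    return default_action[conn.direction], None, False


# Constructed sample profile and connections.
ALLOW_SSH_FROM_JUMP = Rule("Allow SSH from jump hosts", "inbound", "allow", "tcp",
                           remote_ips="10.0.0.10, 10.0.0.11", local_ports="22", report=True)
BLOCK_SSH = Rule("Block SSH", "inbound", "block", "tcp", local_ports="22", report=True)
PING_NO_TYPE = Rule("Allow ping", "inbound", "allow", "icmp")      # no Type/Code: ignored
PING_FIXED = Rule("Allow ping", "inbound", "allow", "icmp", icmp_type=8, icmp_code=0)
DEFAULT_ACTION = {"inbound": "block", "outbound": "allow"}
PROFILE = [("Management", [ALLOW_SSH_FROM_JUMP, BLOCK_SSH]), ("ICMP", [PING_NO_TYPE])]
PROFILE_REORDERED = [("Management", [BLOCK_SSH, ALLOW_SSH_FROM_JUMP]), ("ICMP", [PING_FIXED])]
SSH_FROM_JUMP = Connection("inbound", "tcp", "10.0.0.10", remote_port=51000, local_port=22)
SSH_FROM_ELSEWHERE = Connection("inbound", "tcp", "10.0.5.5", remote_port=51001, local_port=22)
ECHO_REQUEST = Connection("inbound", "icmp", "10.0.0.10", icmp_type=8, icmp_code=0)
HTTPS_OUT = Connection("outbound", "tcp", "203.0.113.7", remote_port=443, local_port=40000)

if __name__ == "__main__":
    for conn in (SSH_FROM_JUMP, SSH_FROM_ELSEWHERE, ECHO_REQUEST, HTTPS_OUT):
        print(evaluate(PROFILE, DEFAULT_ACTION, conn))
```

Two things the sample makes visible: with the jump-host allow rule moved below the generic block, SSH from the jump hosts is blocked too, because the first match wins; and the ping rule without Type and Code silently does nothing, so the echo request falls through to the profile default.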
When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
• New rules are added to the top of the list.
• Default rules override the default rule in the target tenant.
• Rules without a defined target are disabled until a target is specified.
• The data is aggregated and reported periodically every 60 minutes from the first time the host firewall policy was enforced on the endpoint, not on the round hour.
• The table lists enforcement events only for rules set to Report Matched Traffic.
Every enforcement event includes additional data such as the time of the first rule hit, the rule action, protocol, and more.
Collect Detailed Log Files
To gain deeper visibility into all the host firewall activity that occurred on an endpoint, you can retrieve a log file listing every single action the agent performed for all rules (whether set to Report Matched Traffic or not). The logs are stored in a cyclic 50 MB file on the endpoint, which is constantly rewritten and overwrites older entries; on a busy endpoint the window it covers can be short, so collect it soon after the activity you are investigating. When you upload the file, the logs are
loaded into the Host Firewall Events table. You can filter the table using the Event Source field to view only the aggregated periodic logs, or only the non-aggregated on-demand logs.
To collect the log file, right-click the event containing the endpoint you are interested in and select Collect Detailed Host Firewall Logs. Alternatively, you can perform this action for multiple endpoints from Endpoints Administration.
In Cortex XDR 3.0, no change was made to the Host Firewall Configuration or operation on macOS endpoints. All existing policies configured in Cortex XDR 2.9 still apply and will continue to work as expected with Cortex XDR agent 7.2 or a later release. Enforcement events triggered by macOS endpoints are not included in the Host Firewall Events table.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
• Ensure you meet the host firewall requirements and prerequisites.
• Enable Network Location Configuration
• Add a New Host Firewall Profile
• Apply Host Firewall Profiles to Your Endpoints
• Monitor the Host Firewall Activity on your Endpoints
Enable Network Location Configuration
If you want to apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. On every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and recalculates the policy according to the new location.
Add a New Host Firewall Profile
Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
Rules created on macOS 10 and Cortex XDR agent 7.5 and prior are managed only in the Legacy Host Firewall Rules and do not appear in the Rule Groups tables.
STEP 1 | Log in to Cortex XDR.
Go to Endpoints > Policy Management > Extensions Profiles > Profiles and select + New Profile or Import from File. Select the Platform and click Host Firewall > Next.
Field Description
Creation Time: Date and time when the rule was created.
4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
Rules with the Any protocol type and specific ports cannot be edited. If such a rule is saved as a new rule, the specific ports previously defined are removed from the cloned rule.
5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. The default action applies to every network connection that has not been matched by any rule in the profile.
When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
• New rules are added to the top of the list.
• Default rules override the default rule in the target tenant.
• Rules without a defined target are disabled until a target is specified.
Disk Encryption
Cortex XDR provides full visibility into encrypted Windows and Mac endpoints that were encrypted using BitLocker and FileVault, respectively. Additionally, you can apply Cortex XDR
Disk Encryption rules on the endpoints by creating disk encryption rules and policies that leverage BitLocker and FileVault capabilities.
Before you start applying disk encryption policy rules, ensure you meet the following requirements and refer to these known limitations:
Disk Encryption Scope
  Windows: You can enforce XDR disk encryption policy rules only on the Operating System volume.
  Mac: You can enforce XDR disk encryption policy rules only on the Operating System volume. The Cortex XDR Disk Encryption profile for Mac can encrypt the endpoint disk; however, it cannot decrypt it. After you disable the Cortex XDR policy rule on the endpoint, you can decrypt the endpoint manually.
Follow this high-level workflow to deploy Cortex XDR disk encryption in your network:
• Monitor the Endpoint Encryption Status in Cortex XDR
• Configure a Disk Encryption Profile
• Apply Disk Encryption Profile to Your Endpoints
Field Description
is compliant with the Cortex XDR disk encryption policy.
• Not Compliant—Indicates that the Cortex XDR agent encryption status on the endpoint is not compliant with the Cortex XDR disk encryption policy.
• Not Configured—Indicates that no disk encryption rules are configured on the endpoint.
• Not Supported—Indicates that the operating system running on the endpoint is not supported by Cortex XDR.
• Unmanaged—Indicates that the endpoint encryption is not managed by Cortex XDR.
Last Reported: Date and time of the last change in the agent's status. For more details, see View Details About an Endpoint.
You can also monitor the endpoint Encryption Status in your Endpoint Administration table. If the Encryption Status column is missing from the table, add it.
STEP 5 | (Windows only) Specify the Encryption methods per operating system.
For each operating system (Windows 7, Windows 8-10, Windows 10 (1511) and above), select the encryption method from the corresponding list.
You must select the same encryption method configured by the Microsoft Windows Group Policy in your organization for the target endpoints. Otherwise, if you select a different encryption method than the one already applied through the Windows Group Policy, Cortex XDR will display errors.
When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
• New rules are added to the top of the list.
• Default rules override the default rule in the target tenant.
• Rules without a defined target are disabled until a target is specified.
STEP 5 | Select one or more policies, right-click and select Export Policies. You can choose to include the associated Policy Targets, Global Exceptions, and endpoint groups.
Host Inventory
With Host Inventory, you gain full visibility and inventory into the business and IT operational data on all your endpoints. By reviewing inventory for all your hosts in a single place, you can quickly identify IT and security issues that exist in your network, such as a suspicious service or autorun that was added to an endpoint.
The Cortex XDR agent scans the endpoint every 24 hours for any updates and displays the data found over the last 30 days. Alternatively, you can rescan the endpoint to retrieve the most up-to-date data. It can take Cortex XDR up to 6 hours to collect initial data from all endpoints in your network.
The following are prerequisites to enable Host Inventory for your Cortex XDR instance:
Requirement Description
Supported Platforms: Windows, Mac, and Linux starting with Cortex XDR agent 7.1
Setup and Permissions: Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent.
The Cortex XDR Host Inventory includes the following entities and information, according to the operating system running on the endpoint; a dash marks an operating system on which an entity is not collected:
Accessibility — —
Applications
Autoruns
Daemons —
Disks
Drivers —
Extensions — —
Groups
Mounts —
Services — —
Shares
System Information
Users
Users to Groups
For each entity, Cortex XDR lists all the details about the entity, and the details about the endpoint it applies to. For example, the default Services view lists a separate row for every service on every endpoint.
Alternatively, to better understand the overall presence of each entity across the total number of endpoints, you can switch to the aggregated view and group the data by the main entity. You can also sort and filter according to the number of affected endpoints. For example, in the Services aggregated view, you can sort by the number of affected endpoints to identify the least commonly deployed service in your network, which is a quick way to surface a service that exists on only one or two hosts. To get a closer view of all endpoints, right-click and select View affected endpoints.
Data Description
Accessibility: Details about installed applications that require, and were allowed, special permissions to use a camera, microphone, accessibility features, full disk access, or screen captures.
Autoruns: Details about executables that start automatically when the user logs in or boots the endpoint.
Cortex XDR displays information about autoruns that are configured in the endpoint Registry, startup folders, scheduled tasks, services, drivers, daemons, extensions, crond tasks, login items, and login and logout hooks. For each autorun, Cortex XDR lists the autorun type and configuration, such as startup method, CMD, user details, and image path.
Extensions: Details about the system and kernel extensions currently running on your Mac endpoints. For each extension, Cortex XDR lists the following details:
• Extension type, name, path, and version.
• Extension state, indicating whether it is running, requires enabling, or is unloaded.
Mounts: Details about all the drives, volumes, and disks that were mounted on endpoints. For each mount, Cortex XDR lists the mount point directory, file system type, mount spec and GUID.
Users to Groups: A list mapping all the users, local and in your domain, to the existing user groups on an endpoint.
• Cortex XDR includes only the first 10,000 results per endpoint.
• Cortex XDR lists only users that belong to each group directly, and does not include users who belong to a group nested within the main group. Because nested membership is not expanded, the mapping does not show a user's effective membership; for example, a domain user who is an administrator only through a domain group nested in the local Administrators group does not appear as a member of that group.
• If a local users group includes a domain user (whose credentials are stored on the Domain Controller server and not on the endpoint), Cortex XDR will include this user in the user-to-group mapping, but will not include it in the users insights view.
Vulnerability Assessment
Cortex XDR vulnerability assessment enables you to identify and quantify the security vulnerabilities on an endpoint in Cortex XDR. Relying on the information from Cortex XDR, you can mitigate and patch these vulnerabilities on all endpoints in your organization.
To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and metrics. You can use Cortex XDR to evaluate the extent and severity of each CVE in your network, gain full visibility into the risks to which each endpoint is exposed, and assess the vulnerability status of an installed application in your network.
You can access the Vulnerability Assessment panel from Assets > Vulnerability Assessment.
Collecting the initial data from all endpoints in your network could take up to 6 hours. After that, Cortex XDR initiates periodic recalculations to rescan the endpoints and retrieve updated data. If at any point you want to force data recalculation, click Recalculate.
The following are prerequisites for Cortex XDR to perform vulnerability assessment of your endpoints:
Cortex® XDR Pro Administrator’s Guide Version 3.3 281 ©2022 Palo Alto Networks, Inc.
Endpoint Security
Requirement Descripon
well as from the Microsoft Security Response Center (MSRC).
• For endpoints running Windows Insider, Cortex XDR cannot guarantee an accurate CVE assessment.
• Cortex XDR does not display open CVEs for endpoints running Windows releases for which Microsoft no longer fixes CVEs.
• Linux—Cortex XDR agent 7.1 or a later release.
• Mac—For macOS versions prior to 10.5, Cortex XDR collects only the applications list without CVE calculation. Newer macOS versions are currently not supported.
Setup and Permissions • Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent.
CVE Analysis
To evaluate the extent and severity of each CVE across your endpoints, you can drill down into each CVE in Cortex XDR and view all the endpoints and applications in your environment that are impacted by the CVE. Cortex XDR retrieves the latest information from the NIST public database.
From Add-ons > Host Insights > Vulnerability Assessment, select CVEs on the upper-right bar. For each vulnerability, Cortex XDR displays the following default and optional values:
Value Description
You can perform the following actions from Cortex XDR as you analyze the existing vulnerabilities:
• View CVE details—Left-click the CVE to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.
• View a complete list of all endpoints in your network that are impacted by a CVE—Right-click the CVE and then select View affected endpoints.
• Learn more about the applications in your network that are impacted by a CVE—Right-click the CVE and then select View applications.
• Exclude irrelevant CVEs from your endpoints and applications analysis—Right-click the CVE and then select Exclude. You can add a comment if needed, as well as Report CVE as incorrect for further analysis and investigation by Palo Alto Networks. The CVE is grayed out and labeled Excluded and no longer appears on the Endpoints and Applications views in Vulnerability Assessment, or in the Host Insights widgets. To restore the CVE, you can right-click the CVE and Undo exclusion at any time.
The CVE will be removed from or reinstated to all views, filters, and widgets after the next vulnerabilities recalculation.
Endpoint Analysis
To help you assess the vulnerability status of an endpoint, Cortex XDR provides a full list of all installed applications and existing CVEs per endpoint and also assigns each endpoint a vulnerability severity score that reflects the highest NIST vulnerability score detected on the endpoint. This information helps you to determine the best course of action for remediating each endpoint. From Add-ons > Host Insights > Vulnerability Assessment, select Endpoints on the upper-right bar. For each endpoint, Cortex XDR displays the following default and optional values:
Value Description
Last Reported Timestamp The date and time of the last time the Cortex XDR agent started the process of reporting its application inventory to Cortex XDR.
You can perform the following actions from Cortex XDR as you investigate and remediate your endpoints:
• View endpoint details—Left-click the endpoint to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.
• View a complete list of all applications installed on an endpoint—Right-click the endpoint and then select View installed applications. This list includes the application name, version, and installation path on the endpoint. If an installed application has known vulnerabilities, Cortex XDR also displays the list of CVEs and the highest Severity.
• (Windows only) Isolate an endpoint from your network—Right-click the endpoint and then select Isolate the endpoint before or during your remediation to allow the Cortex XDR agent to communicate only with Cortex XDR.
• (Windows only) View a complete list of all KBs installed on an endpoint—Right-click the endpoint and then select View installed KBs. This list includes all the Microsoft Windows patches that were installed on the endpoint and a link to the Microsoft official Knowledge Base (KB) support article.
• Retrieve an updated list of applications installed on an endpoint—Right-click the endpoint and then select Rescan endpoint.
Application Analysis
You can assess the vulnerability status of applications in your network using the Host inventory. Cortex XDR compiles an application inventory of all the applications installed in your network by collecting from each Cortex XDR agent the list of installed applications. For each application on the list, you can see the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application. Any new application installed on the endpoint will appear in Cortex XDR within 24 hours. Alternatively, you can re-scan the endpoint to retrieve the most updated list.
Starting with macOS 10.15, Mac built-in system applications are not reported by the Cortex XDR agent and are not part of the Cortex XDR Application Inventory.
From Add-ons > Host Insights > Host Inventory, select Applications.
• To view the details of all the endpoints in your network on which an application is installed, right-click the application and select View endpoints.
• To view in-depth details about the application, left-click the application name.
Investigation and Response
> Cortex XDR Rules
> Search Queries
> Investigate Incidents
> Investigate Artifacts and Assets
> Investigate Alerts
> Investigate Endpoints
> Investigate Files
> Forensic Data Analysis
> Response Actions
> Playbooks
> Scripts
Field Description
BACKWARDS SCAN STATUS Status of the Cortex XDR search for the first 10,000 matches when the BIOC rule was created or edited. Status can be:
• Done
• Failed
• Pending
• Queued
BACKWARDS SCAN TIMESTAMP Timestamp of the Cortex XDR search for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.
BACKWARDS SCAN RETRIES Number of times Cortex XDR searched for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.
INSERTION DATE Date and time when the BIOC rule was created.
MITRE ATT&CK TACTIC Displays the type of MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.
MODIFICATION DATE Date and time when the BIOC was last modified.
• Reconnaissance
• Tampering
SOURCE User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates.
Field Description
INSERTION DATE Date and time when the BIOC rule was created.
MITRE ATT&CK TACTIC Displays the type of MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.
MODIFICATION DATE Date and time when the BIOC was last modified.
To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables BIOC rules that reach 5000 or more hits over a 24 hour period.
dataset = xdr_data
| filter event_type = PROCESS and
    event_sub_type = PROCESS_START and
    action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
The following describes the event_type values for which you can create a BIOC rule.
• FILE—Events relating to file create, write, read, and rename according to the file name and path.
• INJECTION—Events related to process injections.
• LOAD_IMAGE—Events relating to module IDs of processes.
• NETWORK—Events relating to incoming and outgoing network connections: IP addresses, port, host name, and protocol.
• PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.
• REGISTRY—Events relating to registry write, rename and delete according to registry path.
• STORY—Events relating to a combination of firewall and endpoint logs over the network.
• EVENT_LOG—Events relating to Windows event logs and Linux system authentication logs.
To create a BIOC rule:
STEP 1 | From Cortex XDR, select Detection & Threat Intel > Detection Rules > BIOC.
STEP 3 | Configure your BIOC criteria using one of the following methods.
• Build the rule query with XQL Search.
1. Click XQL Search.
2. The XQL query field is where you define the parameters of your query for the BIOC rule. To help you create an effective XQL query, the search field provides suggestions as you type. The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. Currently, you cannot create a BIOC rule on customized datasets, and only the filter stage, alter stage, and functions without any aggregations are supported for XQL queries that define a BIOC. For BIOC rules, the field values in XQL are evaluated as case insensitive (config case_sensitive = false). After configuring the XQL query for your BIOC rule and
For the purpose of showing you the expected behavior of the rule before you save it, Cortex XDR tests the BIOC on historical logs. After you save a BIOC rule, it will operate on both historical logs (up to 10,000 hits) and new data received from your log sensors.
4. (Optional) Use the Schema tab to view schema information for every field found in the result set. This information includes the field name, data type, descriptive text (if available), and the dataset that contains the field. In order for a field to appear in the Schema tab, it must contain a non-NULL value at least once in the result set.
5. Add as BIOC the new query rule configured.
• Build the BIOC rule query through a specific entity in a similar way that you create a search with Query Builder.
1. Select a particular entity icon. Define any relevant activity or characteristics for the entity type. Create a new BIOC rule in the same way that you create a search with Query Builder. You use XQL to define the rule. The XQL query must filter on an event_type in order for it to be a valid BIOC rule.
2. Test your BIOC rule. Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. For example, if a rule will return thousands of hits because you negated a single parameter, it is a good idea to test the rule before you save it and make it active.
When you test the rule, Cortex XDR immediately searches for rule matches across all your Cortex XDR tenant data. If there are surprises, now is the time to see them and adjust the rule definition.
For the purpose of showing you the expected behavior of the rule before you save it, Cortex XDR tests the BIOC on historical logs. After you save a BIOC rule, it will operate on both historical logs (up to 10,000 hits) and new data received from your log sensors.
3. Save your BIOC rule.
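As an added example (not Cortex XDR's own code), the following Python lint applies the BIOC query constraints stated in the procedure above: the dataset must be xdr_data or cloud_audit_log, only filter and alter stages without aggregation functions are allowed, and the query must filter on event_type. The function names, error strings and the list of aggregation functions are this example's assumptions (presets of the two datasets are not modelled); the stage splitter deliberately ignores the pipe inside the guide's own regex ("pdf|docx").

```python
import re

ALLOWED_DATASETS = {"xdr_data", "cloud_audit_log"}     # assumption: presets not modelled
ALLOWED_STAGES = {"filter", "alter"}
AGGREGATION_FUNCS = {"count", "count_distinct", "sum", "avg", "min", "max", "values"}


def split_stages(query: str) -> list:
    """Split an XQL query into its '|'-delimited stages, ignoring pipes that sit
    inside a quoted string (the guide's regex contains "pdf|docx")."""
    stages, buf, quote, i = [], [], None, 0
    while i < len(query):
        ch = query[i]
        if quote:                                   # inside a string literal
            buf.append(ch)
            if ch == "\\" and i + 1 < len(query):   # keep escaped characters verbatim
                buf.append(query[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            buf.append(ch)
        elif ch == "|":
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def lint_bioc_query(query: str) -> list:
    """Return the reasons a query is not a valid BIOC definition under the rules
    the guide lists; an empty list means every modelled check passed."""
    errors = []
    stages = split_stages(query)
    head = re.match(r"dataset\s*=\s*(\S+)$", stages[0], re.I) if stages else None
    if not head:
        return ["query must begin with 'dataset = <name>'"]
    dataset = head.group(1).lower()          # dataset names are queried in lowercase
    if dataset not in ALLOWED_DATASETS:
        errors.append(f"dataset '{dataset}' is not supported for BIOC rules")
    filters_event_type = False
    for stage in stages[1:]:
        parts = stage.split(None, 1)
        name = parts[0].lower()
        body = parts[1] if len(parts) > 1 else ""
        if name not in ALLOWED_STAGES:       # e.g. comp, dedup, transaction
            errors.append(f"stage '{name}' is not allowed in a BIOC rule")
            continue
        calls = {c.lower() for c in re.findall(r"\b([A-Za-z_]+)\s*\(", body)}
        if calls & AGGREGATION_FUNCS:
            errors.append(f"aggregation {sorted(calls & AGGREGATION_FUNCS)} in '{name}' stage")
        if name == "filter" and re.search(r"\bevent_type\s*(!?=|in\b)", body, re.I):
            filters_event_type = True
    if not filters_event_type:
        errors.append("a BIOC rule must filter on event_type")
    return errors


# The query the guide shows, copied here as the example's sample input.
PAGE_QUERY = r'''dataset = xdr_data
| filter event_type = PROCESS and
event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"'''

if __name__ == "__main__":
    print(lint_bioc_query(PAGE_QUERY))   # [] -> the guide's query passes
```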
You can only add to existing profiles you created; Cortex XDR Default profiles will not appear as an option.
Auto-disable will turn off both the BIOC rule detection and the BIOC prevention rule.
• Prevention BIOC Rules table—Filter and maintain the BIOC rules applied to this specific Restriction Profile. Right-click to Delete a rule or Go to BIOC Rules table.
5. Save your changes if necessary.
6. Investigate the BIOC prevention rules alerts.
• Select Incident Response > Incidents > Alerts Table.
• Filter the fields as follows:
• Alert Source: XDR Agent
• Action: Prevention (<profile action mode>)
• Alert Name: Behavioral Threat
• In the Description field you can see the rule name that raised the prevention alert.
Import Rules
You can use the import feature of Cortex XDR to import BIOCs from external feeds or that you previously exported. The export/import capability is useful for rapid copying of BIOCs across different Cortex XDR instances.
You can only import files that were exported from Cortex XDR. You cannot edit an exported file.
STEP 1 | From Cortex XDR, select Detection & Threat Intel > Detection Rules > BIOC.
STEP 3 | Drag and drop the file on the import rules dialog or browse to a file.
STEP 5 | Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.
STEP 6 | To investigate any matches, view the Alerts page and filter the Alert Name by the name of the BIOC rule.
• Full path
• File name
• Domain
• Destination IP address
• MD5 hash
• SHA256 hash
After you define or load IOCs, the app checks for matches in the endpoint data collected from Cortex XDR agents. Checks are both retroactive and ongoing: the app looks for IOC matches in all data collected in the past and continues to evaluate any new data it receives in the future. Alerts for IOCs are identified by a source type of IOC (see Alerts for more information).
• IOC Rule Details
• Create an IOC Rule
• Manage Existing Indicators
Field Description
EXPIRATION DATE The date and time at which the IOC will be removed automatically.
INSERTION DATE Date and time when the IOC was created.
MODIFICATION DATE Date and time when the IOC was last modified.
• C - Fairly Reliable
• D - Not Usually Reliable
• E - Unreliable
SEVERITY IOC severity that was defined when the IOC was created.
SOURCE User who created this IOC, or the file name from which it was created, or one of the following keywords:
• Public API—the indicator was uploaded using the Insert Simple Indicators, CSV or Insert Simple Indicators, JSON REST APIs.
• XSOAR TIM—the indicator was retrieved from XSOAR.
To ensure your IOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically:
• Disables any IOC rules that reach 5000 or more hits over a 24 hour period.
• Creates a Rule Exception based on the PROCESS SHA256 field for IOC rules that hit more than 100 endpoints over a 72 hour period.
STEP 1 | From Cortex XDR, select Detection & Threat Intel > Detection Rules > IOC.
STEP 4 | (Optional) Define any expiration criteria for your IOC rules.
If desired, you can also configure additional expiration criteria per IOC type to apply to all IOC rules. In most cases, IOC types like Destination IP or Host Name are considered malicious only for a short period of time since they are soon cleaned and then used by legitimate services, from which time they only cause false positives. For these types of IOCs, you can set a defined expiration period. The expiration criteria you define for an IOC type will apply to all existing rules and additional rules that you create in the future. By default, Cortex XDR does not apply an expiration date to IOCs.
1. Select Default Rule Expiration.
2. Set the expiration for any relevant IOC type. Options are Never, 7 Days, 30 days, 90 days, or 180 days.
3. Click Save.
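The IOC rule housekeeping described in this section, as an added Python model that is not Cortex XDR code: per-type expiration as set under Default Rule Expiration, automatic disabling at 5000 or more hits in 24 hours, and an automatic PROCESS SHA256 exception once a rule hits more than 100 endpoints in 72 hours. The class and function names, the per-type expiration values, and the choice of the hash seen most often as the excepted SHA256 are assumptions; hits are assumed to arrive in time order.

```python
from bisect import bisect_left
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds stated in the guide.
HIT_LIMIT, HIT_WINDOW = 5000, timedelta(hours=24)
ENDPOINT_LIMIT, ENDPOINT_WINDOW = 100, timedelta(hours=72)
# Per-type expiration as an admin might set under Default Rule Expiration
# (constructed values; the guide's options are Never, 7, 30, 90 or 180 days,
# and the default is Never, i.e. no entry here).
DEFAULT_EXPIRATION_DAYS = {"Destination IP": 7, "Host Name": 30}


@dataclass
class IocRule:
    indicator: str
    ioc_type: str                  # e.g. "Destination IP", "SHA256 hash"
    inserted: datetime
    enabled: bool = True
    hit_times: list = field(default_factory=list)         # ascending timestamps
    last_seen: dict = field(default_factory=dict)         # endpoint_id -> last hit
    sha_counts: Counter = field(default_factory=Counter)  # PROCESS SHA256 -> hits
    exceptions: set = field(default_factory=set)          # excepted SHA256 values

    def expiration_date(self):
        days = DEFAULT_EXPIRATION_DAYS.get(self.ioc_type)
        return None if days is None else self.inserted + timedelta(days=days)

    def is_active(self, now: datetime) -> bool:
        """Enabled and not past the per-type expiration date."""
        expiry = self.expiration_date()
        return self.enabled and (expiry is None or now < expiry)


def record_hit(rule: IocRule, ts: datetime, endpoint_id: str, process_sha256: str) -> str:
    """Apply one IOC match and report what happened: 'ignored' (rule inactive
    or SHA256 excepted), 'alert', 'disabled' (hit budget exhausted) or
    'exception' (endpoint spread exceeded)."""
    if not rule.is_active(ts) or process_sha256 in rule.exceptions:
        return "ignored"
    rule.hit_times.append(ts)
    rule.last_seen[endpoint_id] = ts
    rule.sha_counts[process_sha256] += 1
    # 5000 or more hits within the last 24 hours: the rule is switched off.
    recent = len(rule.hit_times) - bisect_left(rule.hit_times, ts - HIT_WINDOW)
    if recent >= HIT_LIMIT:
        rule.enabled = False
        return "disabled"
    # More than 100 distinct endpoints within 72 hours: add a PROCESS SHA256
    # exception (assumption: on the hash seen most often for this rule).
    spread = sum(1 for seen in rule.last_seen.values() if ts - seen <= ENDPOINT_WINDOW)
    if spread > ENDPOINT_LIMIT:
        rule.exceptions.add(rule.sha_counts.most_common(1)[0][0])
        return "exception"
    return "alert"


if __name__ == "__main__":
    t0 = datetime(2022, 5, 1)
    rule = IocRule("203.0.113.7", "Destination IP", t0)   # constructed indicator
    outcome = "alert"
    for i in range(101):   # one process hash seen on 101 endpoints within an hour
        outcome = record_hit(rule, t0 + timedelta(seconds=i), f"ep{i}", "sha-A")
    print(outcome, sorted(rule.exceptions))   # exception ['sha-A']
```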
Correlation Rules help you analyze correlations of multiple events from multiple sources by using the Cortex XDR XQL-based engine for creating scheduled rules called Correlation Rules. Alerts can then be triggered based on these Correlation Rules with a defined time frame and set schedule, including every X minutes, once a day, once a week, or a custom time.
Once you have configured your Correlation Rules, you can manage them in the Correlation Rules page, and view and analyze the alerts generated from the Correlation Rules in the Alerts and Incidents pages. In addition, these Correlation Rules are factored into the number of incidents displayed on the Cortex XDR Dashboard.
• Correlation Rule Details
• Create a Correlation Rule
Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive notification ahead of time before any changes are implemented.
If you are assigned a role that enables Investigation > Rules privileges, you can view all user-defined Correlation Rules from Detection & Threat Intel > Detection Rules > Correlations.
By default, the Correlation Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Correlation Rules page, you can also manage existing rules using the right-click pivot menu.
In addition, the Correlation Rules page helps you easily identify and resolve Correlation Rules errors. The number of errors is indicated at the top of the page in a red font using the format <number> errors found. You can change the view to only display the Correlation Rules with errors by selecting Show Errors Only. The LAST EXECUTION column in the table indicates a Correlation Rule with an error by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field. The following error messages are displayed in the applicable scenarios.
• Invalid query
• Query timeout
• Dependency correlation did not complete
• Unknown error
• Delayed rule—This rule is running past its scheduled time, which can cause delayed results.
• Dataset does not exist: <name of dataset>
Only an administrator or a user with a predefined user role can create and view queries built with an unknown dataset that currently does not exist in Cortex XDR.
A notification is also displayed in Cortex XDR to indicate these Correlation Rules errors.
The following table describes the fields that are available for each Correlation Rule in alphabetical order.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
Field Description
• Dataset name—When your resulting action for the rule was configured to Save to dataset.
• Dataset does not exist: <name of dataset>
INSERTION DATE Date and time when the Correlation Rule was created.
LAST EXECUTION* Date and time when the Correlation Rule was last executed. Indicates a Correlation Rule with an error by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field.
MITRE ATT&CK TACTIC* Displays the type of MITRE ATT&CK tactic the Correlation Rule is attempting to trigger on.
MODIFICATION DATE* Date and time when the Correlation Rule was last modified.
can be Informational, Low, Medium, High, Critical, and Customized.
Whenever an alert is generated with a severity type of Medium and above based on the Correlation Rule, a new incident is automatically opened.
SUPPRESSION DURATION* The duration of time for which to ignore other events that match the alert suppression criteria that were configured when the rule was created. This setting is required.
SUPPRESSION FIELDS* The fields that the alert suppression is based on, which were configured when the rule was created. The fields listed are based on the XQL query result set for the rule. This setting is optional.
Correlation Rules require a Cortex XDR Pro license. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive notification ahead of time before any changes are implemented.
You can create a new Correlation Rule from either the Correlation Rules page or when building a query in XQL Search.
STEP 3 | Use XQL to define the Correlation Rule in the XQL Search field.
Define the Correlation Rule in the XQL Search field. After writing at least one line in XQL, you can Open full query mode to display the query in XQL Search. You can Test the XQL definition for the rule whenever you want.
When you open the New Correlation Rule editor from XQL Search, this XQL Search field is already populated with the XQL query that you defined.
An administrator or a user with a predefined user role can create and view queries built with an unknown dataset that currently does not exist in Cortex XDR. All other users can only create and view queries built with an existing dataset.
When you finish writing the XQL for the Correlation Rule definition, select Continue editing rule to bring you back to the New Correlation Rule editor, and the complete query you set is added to the XQL Search field.
The XQL features for transaction, call, and wildcards in datasets (dataset in (<dataset prefix>_*)) are not currently supported in Correlation Rules. If you add them to the XQL definition, you will not be able to Create or Save the Correlation Rule.
Using the current_time() function in your XQL query for a correlation rule may yield unexpected results when there are lags or during downtime. This happens if the correlation rule doesn't run exactly at the time of the data inside the timeframe, for example when a rule is dependent on another rule, or when a rule is stuck due to an error, and then runs in recovery mode.
Search. The minimum query frequency is every 10 minutes and is already configured. You can also set a particular Timezone.
• Timezone—(Optional) You can only set the Timezone when the Time Schedule is set to Daily or Custom. Otherwise, the option is disabled.
• Query time frame—Set the time frame for running a query, which can be up to 7 days. Specify a number in the field and in the other field select either Minute/s, Hour/s, or Day/s. By default, the query runs once an hour (1 Hour/s).
Cortex XDR will expand the dataset schema as needed. The dataset you configure for the Correlation Rule contains the following additional fields.
• _rule_id
• _rule_name
• _insert_time
When you are finished configuring the Target Dataset, you can either Save for later the Correlation Rule or Create the Correlation Rule.
2. Configure the Alert Settings.
• Alert Name—Specify a name. You can incorporate a variable based on a query output field in the format $fieldName.
• Severity—Select the severity type whenever an alert is generated for this Correlation Rule as one of the following.
• Informational
• Low
• Medium
• High
• Critical
• User Defined—Select fields from inside the query.
Whenever the severity type is Medium or above for the alert generated, an incident is automatically opened.
• Category—Select the type of alert that is generated, which can be any of the following.
• Collection
• Credential Access
• Dropper
• Evasion
• Execution
• Evasive
• Exfiltration
• File Privilege Manipulation
• File Type Obfuscation
• Infiltration
• Lateral Movement
• Persistence
• Privilege Escalation
• Reconnaissance
• Tampering
• Other
• User Defined—Select fields from inside the query.
• Alert Description—(Optional) Specify a description of the behavior that will raise the alert. You can include dollar signs ($), which represent the field names (i.e. output columns) in XQL Search.
For example (screenshot not reproduced).
Output (screenshot not reproduced).
There is no validation or auto complete for these parameters and the values can be null or empty. In these scenarios, Cortex XDR does not display the null or empty values, but adds the text NULL or EMPTY in the descriptions.
• Drill-Down Query—(Optional) You can configure a Drill-Down Query for additional information about the alert for further investigation using XQL. This XQL query can accept parameters from the alert output for the Correlation Rule. Yet, keep in mind that when you create the Correlation Rule, Cortex XDR does not know in advance if the parameters exist or contain the correct values. As a result, Cortex XDR enables you to save the query, but the query can fail when you try to run it. You can also refer to field names using dollar signs ($) as explained in the Alert Description.
Once configured, any alert generated for the Correlation Rule has a right-click pivot menu Open Drilldown Query option, an Open drilldown query link after you Investigate Contributing Events, and a quick action Open Drilldown Query icon that is accessible in the Alerts page, which opens a new browser tab in XQL Search to run this query. If you do not define a Drill-Down Query, no right-click pivot menu option, link, or icon is displayed.
• Drill-Down Query Time Frame—Select the time frame used to run the Drill-Down Query from one of the following options, which provides more informative details about the alert generated by the Correlation Rule.
• Generated Alert—Uses the time frame of the alert that is triggered, which is the first event and last event timestamps for the alert (default option). If there is only one event, the event timestamp is the time frame used for the query.
• XQL Search—Uses the time frame from when the Correlation Rule was run in XQL Search.
• MITRE ATT&CK—(Optional) Select the MITRE Tactics and MITRE Techniques you want to associate with the alert using the MITRE ATT&CK matrix.
1. You can access the matrix by selecting the MITRE ATT&CK bar or Open complete MITRE matrix link underneath the bar on the right.
2. Select the MITRE Tactics listed in the first row of the matrix and the applicable MITRE Techniques and Sub-Techniques, which are listed in the other rows in the table. You can select either MITRE Tactics only, MITRE Techniques and Sub-Techniques only, or a combination of both.
3. Click Select and the matrix window closes and the MITRE ATT&CK section in the New Correlation Rule editor lists the number of Tactics and Techniques configured, which is also listed in the bar. For example, in the following image (not reproduced), there are 3 Tactics and 4 Techniques configured. The three MITRE Tactics are Resource Development with 2 Techniques configured, Credential Access with 1 Technique configured, and Discovery with 1 Technique configured.
3. (Optional) Configure the Alert Fields Mappings.
You can map the alert fields, so that the mapped fields are displayed in the Alerts page to provide important information in analyzing your alerts. In addition, mapping the fields helps to improve incident grouping logic and enables Cortex XDR to list the artifacts and assets based on the mapped fields in the incident. The options available can change depending on your Correlation Rule definitions in XQL Search. There are two ways to map the alert fields.
• Use the Cortex XDR default incident enrichment—Select this option if you want Cortex XDR to automatically map the fields for you. This checkbox only displays when your Correlation Rule can be configured to use Cortex XDR incident enrichment, and then it is set as the default option. We recommend using this option whenever it is available to you.
• Manually map the alert fields by selecting the fields that you want to map. When you create the Correlation Rule, Cortex XDR does not know whether the alert fields that you mapped manually are valid. If the fields are invalid according to your mapping, null values are assigned to those fields.
In a case where Use the Cortex XDR default incident enrichment is not selected and you have not mapped any alert fields, the alert is dispatched into a new incident.
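The Alert Settings above, as an added Python model that is not Cortex XDR code: alert name and description templates with $fieldName placeholders, null and empty values rendered as the text NULL and EMPTY, a Medium-or-above severity opening an incident, suppression by the configured fields for the configured duration, and the three fields added to a row saved to a target dataset. Class and method names are assumptions, as is treating a field absent from the result row like a null value and, with no suppression fields configured, letting every alert of the rule share one suppression window.

```python
import re
from datetime import datetime, timedelta

SEVERITIES = ["Informational", "Low", "Medium", "High", "Critical"]
FIELD_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")   # a $fieldName reference


def render(template: str, row: dict) -> str:
    """Expand $fieldName references against one query result row. A null value
    renders as NULL and an empty string as EMPTY, as the guide states; a field
    missing from the row is treated as null (assumption)."""
    def replace(match):
        value = row.get(match.group(1))
        if value is None:
            return "NULL"
        return "EMPTY" if value == "" else str(value)
    return FIELD_REF.sub(replace, template)


class CorrelationRule:
    """Alert settings of one Correlation Rule plus its suppression state."""

    def __init__(self, rule_id, rule_name, alert_name, description, severity,
                 suppression_fields, suppression_duration):
        self.rule_id = rule_id
        self.rule_name = rule_name
        self.alert_name = alert_name            # may contain $fieldName
        self.description = description          # may contain $fieldName
        self.severity = severity                # fixed level, or "$field" (User Defined)
        self.suppression_fields = list(suppression_fields)   # optional setting
        self.suppression_duration = suppression_duration     # required setting
        self._suppressed_until = {}             # suppression-field values -> datetime

    def evaluate(self, row: dict, now: datetime):
        """Return the alert raised for this result row, or None when an alert
        with the same suppression-field values is still inside its window."""
        key = tuple(row.get(f) for f in self.suppression_fields)
        until = self._suppressed_until.get(key)
        if until is not None and now < until:
            return None
        self._suppressed_until[key] = now + self.suppression_duration
        severity = render(self.severity, row)   # resolves a User Defined severity
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        return {
            "name": render(self.alert_name, row),
            "description": render(self.description, row),
            "severity": severity,
            # Medium or above automatically opens an incident.
            "opens_incident": SEVERITIES.index(severity) >= SEVERITIES.index("Medium"),
            "timestamp": now,
        }

    def dataset_row(self, row: dict, now: datetime) -> dict:
        """Row as written when the resulting action is Save to dataset: the
        query output plus the three fields the guide lists."""
        return {**row, "_rule_id": self.rule_id, "_rule_name": self.rule_name,
                "_insert_time": now}


if __name__ == "__main__":
    rule = CorrelationRule("r-1", "Suspicious logon", "Suspicious logon for $actor_user",
                           "$actor_user from $src_ip on $host ($count events)", "High",
                           ["actor_user", "host"], timedelta(hours=1))
    t0 = datetime(2022, 5, 1, 12, 0)
    # Constructed result row with one empty and one null field.
    row = {"actor_user": "alice", "src_ip": "", "host": None, "count": 5}
    print(rule.evaluate(row, t0)["description"])   # alice from EMPTY on NULL (5 events)
    print(rule.evaluate(row, t0 + timedelta(minutes=30)))   # None (suppressed)
```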
For Analytics BIOC rules, you can only disable and enable rules.
STEP 2 | Right-click anywhere in a rule, and then select View associated alerts.
Cortex XDR displays a filtered query of alerts associated with the Rule ID.
STEP 2 | Right-click anywhere in the rule, and then select Open in query builder.
Cortex XDR™ populates a query using the criteria of the BIOC rule.
Edit a Rule
After you create a rule, it may be necessary to tweak or change the rule settings. You can open the rule configuration from the Rules page or from the pivot menu of an alert triggered by the rule. To edit the rule from the Rules page:
STEP 1 | From Cortex XDR, select Detection & Threat Intel > Detection Rules and the type of rule (BIOC or IOC).
STEP 4 | Edit the rule settings as needed, and then click OK.
If you make any changes, Test and then Save the rule.
STEP 3 | Right-click any of the rows, and select Export selected.
The exported file is not editable; however, you can use it as a source to import rules at a later date.
STEP 3 | Right-click anywhere in the rule row and then select Save as New to create a duplicate rule.
STEP 1 | From Cortex XDR, select Detection & Threat Intel > Detection Rules and the type of rule (BIOC or IOC).
STEP 3 | Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or Disable to temporarily stop the rule. If you disable a rule, you can later return to the rule page to Enable it.
Cortex XDR only supports exceptions with one attribute. See Add an Alert Exclusion Policy to create advanced exceptions based on your filtered criteria.
STEP 1 | From Cortex XDR, select Detection & Threat Intel > Detection Rules > Exceptions.
STEP 3 | Configure the indicators and conditions for which you want to set the exception.
STEP 4 | Choose the scope of the exception, whether the exception applies to IOCs, BIOCs, or both.
STEP 2 | In the Exceptions table, locate the exception rule you want to export. You can select multiple rules.
Search Queries
• Cortex XDR Query Builder
• Query Center
• Scheduled Queries
• Quick Launcher
• Research a Known Threat
The Query Builder provides queries for the following types of entities:
• Process—Search on process execution and injection by process name, hash, path, command-line arguments, and more. See Create a Process Query.
• File—Search on file creation and modification activity by file name and path. See Create a File Query.
• Network—Search network activity by IP address, port, host name, protocol, and more. See Create a Network Query.
• Registry—Search on registry creation and modification activity by key, key value, path, and data. See Create a Registry Query.
• Event Log—Search Windows event logs and Linux system authentication logs by username, log event ID (Windows only), log level, and message. See Create an Event Log Query.
• Network Connections—Search security event logs by firewall logs and endpoint raw data over your network. See Create a Network Connections Query.
• All Actions—Search across all network, registry, file, and process activity by endpoint or process. See Query Across All Entities.
The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.
XQL Search
The XDR Query Language (XQL) enables you to query data ingested into Cortex XDR for rigorous
endpoint and network event analysis, returning up to 1M results. XQL forms queries in stages.
Each stage performs a specific query operation and is delimited by a pipe (|). Queries require a
dataset, or data source, to run against. Unless otherwise specified, the query will run against the
xdr_data dataset, which contains all log information that Cortex XDR collects. You can also
configure Cortex XDR to query additional datasets.
It is possible to create a dataset with uppercase characters in its name, but when creating a query,
the dataset name is written in lowercase characters only.
To streamline your investigations, the XQL search provides the following aids to help you
construct and visualize your queries.
• XQL query—The XQL query field is where you define the parameters of your query. To help
you create an effective XQL query, the search field provides suggestions and definitions as you
type.
• Translate to XQL—Converts your existing Splunk queries to the XQL syntax. When building
your XQL query and you move the toggle to Translate to XQL, both a SPL query field and an XQL
query field are displayed, so you can easily add a Splunk query, which is converted to XQL in
the XQL query field. This option is disabled by default, so only the XQL query field is displayed.
• Query Results—After you create and run an XQL query, you can view, filter, and visualize your
Query Results.
• XQL Helper—Describes common stage commands and provides examples that you can use
to build a query.
• Query Library—Contains common, predefined queries that you can use or modify to your liking.
In addition, a Personal Query Library holds your own queries, which you can save, manage, and
share with others, as well as queries that others have shared with you.
• Schema—Contains schema information for every field found in the result set. This information
includes the field name, data type, descriptive text (if available), and the dataset that contains
the field. In order for a field to appear in the Schema tab, it must contain a non-NULL value at
least once in the result set.
In XQL, every user field included in the raw data for network, authentication, and login
events has an equivalent normalized user field associated with it that displays the user
information in the following standardized format:
<company domain>\<username>
For example, the login_data field has the login_data_dst_normalized_user
field to display the content in the standardized format. We recommend that you use these
normalized_user fields when building your queries to ensure the most accurate results.
For further help constructing queries, use the Cortex XDR XQL Language Reference.
Create an XQL Query
Use XQL Search to analyze raw log data stored in Cortex XDR. The following task demonstrates
how to create a query that uses the coalesce function to derive a single username by
examining multiple field names.
The XQL Language Reference provides more information about valid commands, such as the ones
used in this example, and general XQL syntax.
STEP 1 | From Cortex XDR, select Incident Response > Investigation > Query Builder > XQL Search.
Language Reference for a list of the datasets that are available to you, depending on your
configuration.
An administrator or a user with a predefined user role can create and view queries
built with an unknown dataset that currently does not exist in Cortex XDR. All other
users can only create and view queries built with an existing dataset.
You can specify a dataset using one of the following formats, depending on the data
retention offerings available in Cortex XDR.
• Hot Storage queries are performed on a dataset using the format dataset = <dataset
name>. This is the default option.
dataset = xdr_data
• Cold Storage queries are performed using the format cold_dataset = <dataset
name>.
cold_dataset = xdr_data
You can also build a query that investigates data in both a cold_dataset and a hot
dataset in the same query. In addition, because the hot storage dataset format is the
default option and represents the fully searchable storage used for investigation and threat
hunting, this format is used throughout this guide. For more information on hot and
cold storage, see Dataset Management.
From the first letter that you type, the query field provides you with suggestions of commands
and their definitions.
When you select a command, you will see available operators.
After selecting the operator, the query field presents available values.
STEP 4 | Hit the return key and enter a pipe (|) followed by the first stage of your query.
This stage uses the fields command to declare which fields are returned in the results. If you
use this stage, then following stages can only operate on the fields specified in it.
STEP 6 | Specify the time period against which you want to run your query.
The options are last 24H (hours), last 7D (days), last 1M (month), or select a Custom time
period.
STEP 8 | (Optional) After your query is complete, you can save the query as one of the following rules.
• BIOC Rule—Save as > BIOC Rule. The XQL query must at a minimum filter on the
event_type field in order for it to be a valid BIOC rule that you can save. For more
information, see Working with BIOCs.
• Correlation Rule—Save as > Correlation Rule. For more information, see Working with
Correlation Rules.
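The stage rules this task relies on (pipe-delimited stages, the default xdr_data source, lowercase dataset names, a fields stage narrowing later stages, and the event_type filter a BIOC rule needs) as a small pre-save lint, added here as an example and not code from Cortex XDR or this guide. It embeds a constructed version of the coalesce query described above; the helper itself and the field names actor_effective_username, actor_primary_username and action_process_image_name are assumptions.

```python
"""Pre-save lint for an XQL query, encoding the rules the guide states above:
stages are delimited by '|'; a query runs against xdr_data unless a dataset or
cold_dataset stage says otherwise; dataset names are lowercase in a query; a
'fields' stage restricts what later stages may reference; and a BIOC rule must
filter on event_type. Hypothetical helper for this example, not part of Cortex
XDR; sample field names the guide does not mention (actor_effective_username,
actor_primary_username, action_process_image_name) are assumed."""
from __future__ import annotations
import re
from dataclasses import dataclass

KEYWORDS = {"filter", "alter", "fields", "comp", "sort", "limit", "by", "as", "and",
            "or", "not", "in", "desc", "asc", "contains", "null", "true", "false"}
DATASET_RE = re.compile(r"^(cold_dataset|dataset)\s*(?:=\s*(\S+)|in\s*\((.*)\))\s*$", re.I)
# Token kinds in match order: ENUM value, function call, string literal, identifier.
TOKEN_RE = re.compile(r"\bENUM\.\w+|\b\w+\s*\(|\"[^\"]*\"|'[^']*'|\b[A-Za-z_]\w*")

# Constructed sample: the guide's coalesce task, deriving one username from two
# candidate fields (assumed names) and counting events per user and process image.
SAMPLE_QUERY = """
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields _time, agent_hostname, actor_effective_username, actor_primary_username,
         action_process_image_name
| alter user = coalesce(actor_effective_username, actor_primary_username)
| comp count(agent_hostname) as events by user, action_process_image_name
| sort desc events
| limit 100
"""

def split_stages(query: str) -> list[str]:
    """Split on stage pipes, ignoring '|' inside quotes or parentheses, so a
    multi-value attribute such as "notepad.exe|chrome.exe" stays intact."""
    stages, cur, depth, quote = [], "", 0, ""
    for ch in query:
        if quote:
            quote = "" if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "|" and depth == 0:
            stages, cur = stages + [cur], ""
            continue
        cur += ch
    return [s.strip() for s in stages + [cur] if s.strip()]

def parse_dataset(stage: str):
    """Return (kind, names) for a dataset/cold_dataset stage, else None."""
    m = DATASET_RE.match(stage)
    if not m:
        return None
    names = [m.group(2)] if m.group(2) else [n.strip() for n in m.group(3).split(",")]
    return m.group(1).lower(), names

def field_refs(stage: str) -> set[str]:
    """Identifiers a stage reads; keywords, ENUM values, calls and strings are skipped."""
    return {t for t in TOKEN_RE.findall(stage)
            if not (t.startswith("ENUM.") or t.endswith("(") or t[0] in "\"'"
                    or t.lower() in KEYWORDS)}

def defined_fields(stage: str) -> set[str]:
    """Fields a stage creates: 'alter name = ...' and '... as name'."""
    defs = set(re.findall(r"\bas\s+([A-Za-z_]\w*)", stage, re.I))
    if stage.split(None, 1)[0].lower() == "alter":
        defs |= set(re.findall(r"([A-Za-z_]\w*)\s*=", stage))
    return defs

@dataclass
class LintResult:
    datasets: list[str]
    cold: bool
    bioc_eligible: bool
    problems: list[str]

def lint_xql(query: str) -> LintResult:
    stages, problems = split_stages(query), []
    datasets, cold = ["xdr_data"], False  # the guide's default data source
    source = parse_dataset(stages[0]) if stages else None
    if source:
        (kind, datasets), stages = source, stages[1:]
        cold = kind == "cold_dataset"
    else:
        problems.append("no dataset stage; the query will run against xdr_data")
    problems += [f"dataset name {n!r} must be lowercase in a query" for n in datasets if n != n.lower()]
    allowed, bioc = None, False  # 'allowed' is set once a fields stage narrows the result set
    for i, stage in enumerate(stages, start=1):
        verb = stage.split(None, 1)[0].lower()
        if verb == "fields":
            allowed = field_refs(stage)
            continue
        bioc = bioc or (verb == "filter" and "event_type" in field_refs(stage))
        if allowed is not None:
            for f in sorted(field_refs(stage) - defined_fields(stage) - allowed):
                problems.append(f"stage {i} ({verb}) uses {f!r}, which the fields stage dropped")
            allowed |= defined_fields(stage)
    if not bioc:
        problems.append("not saveable as a BIOC rule: no filter stage on event_type")
    return LintResult(datasets, cold, bioc, problems)
```

Run lint_xql on a query before saving it as a BIOC rule; an empty problems list means the query respects every rule listed in the docstring.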
For Integer, Boolean, and timestamp fields, such as _Time, we recommend that you
use the Filter rather than the Free text search to retrieve the most accurate query
results.
For Table and Advanced displays, Cortex XDR provides a Fields menu on the left side of the
query results that you use to filter the results. To quickly set a filter, Cortex XDR displays the
top 10 results from which you can choose to build your filter. From within the Fields menu,
click on any field (excluding JSON and array fields) to see a histogram of all the values found in
the result set for that field. This histogram includes a count of the total number of times a value
was found in the result set, the value's frequency as a percentage of the total number of values
found for the field, and a bar chart showing the value's frequency. In order for Cortex XDR to
provide a histogram for a field, the field must not contain an array or a JSON object.
You can also manage your queries, which includes viewing query results, from the Query
Center.
STEP 12 | (Optional) Add a file path to your existing Malware Profile allow list.
Right-click a <path> field, for example, target_process_path, file_path, or os_parent_path, and
select Add <path type> to malware profile allow list.
Translate to XQL
To help you easily convert your existing Splunk queries to the Cortex XDR Query Language
(XQL) syntax, Cortex XDR includes in XQL Search a new toggle called Translate to XQL. When
building your XQL query and this option is selected, both a SPL query field and an XQL query field
are displayed, so you can easily add a Splunk query, which is converted to XQL in the XQL query
field. This option is disabled by default, so only the XQL query field is displayed.
This feature is still in a Beta state and you will find that not all Splunk queries can be
converted to XQL. This feature will be improved upon in the upcoming releases to support
greater Splunk query translations to XQL.
The following table details the supported functions in Splunk that can be converted to XQL in
Cortex XDR with an example of a Splunk query and the resulting XQL query. In each of these
examples, the xdr_data dataset is used.
Splunk function: ltrim(<str>,<trim_chars>)
Splunk query:
index=xdr_data
| eval trimed_agent=ltrim("agent_hostname", "agent_")
XQL query:
dataset in (xdr_data)
| alter trimed_agent = ltrim("agent_hostname", "agent_")
STEP 2 | Toggle to Translate to XQL, where both a SPL query field and XQL query field are displayed.
STEP 3 | Enter the search criteria for the file events query.
• File activity—Select the type or types of file activity you want to search: All, Create, Read,
Rename, Delete, or Write.
• File attributes—Define any additional process attributes for which you want to search.
Use a pipe (|) to separate multiple values (for example notepad.exe|chrome.exe). By
default, Cortex XDR will return the events that match the attribute you specify. To exclude
an attribute value, toggle the = option to =!. Attributes are:
• NAME—File name.
• PATH—Path of the file.
• PREVIOUS NAME—Previous name of a file.
• PREVIOUS PATH—Previous path of the file.
• MD5—MD5 hash value of the file.
• SHA256—SHA256 hash value of the file.
• DEVICE TYPE—Type of device used to run the file: Unknown, Fixed, Removable Media,
CD-ROM.
• DEVICE SERIAL NUMBER—Serial number of the device type used to run the file.
To specify an additional exception (match this value except), click the + to the right of the
value and specify the exception value.
Select and specify one or more of the following attributes for the acting (parent)
process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to
128 characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid
Signature, Weak Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex
XDR agent identified as being responsible for initiating the process tree. The OS actor is
the parent process that creates an OS process on behalf of a different initiator. By default,
this option is enabled to apply the same search criteria to initiating processes. To configure
different attributes for the parent or initiating process, clear this option.
STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select and specify one or more of the following attributes for the acting (parent)
process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to
128 characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid
Signature, Weak Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex
XDR agent identified as being responsible for initiating the process tree. The OS actor is
the parent process that creates an OS process on behalf of a different initiator. By default,
this option is enabled to apply the same search criteria to initiating processes. To configure
different attributes for the parent or initiating process, clear this option.
STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
STEP 3 | Enter the search criteria for the network events query.
• Network traffic type—Select the type or types of network traffic alerts you want to search:
Incoming, Outgoing, or Failed.
• Network attributes—Define any additional process attributes for which you want to search.
Use a pipe (|) to separate multiple values (for example 80|8080). By default, Cortex XDR
will return the events that match the attribute you specify. To exclude an attribute value,
toggle the = option to =!. Options are:
• REMOTE COUNTRY—Country from which the remote IP address originated.
• REMOTE IP—Remote IP address related to the communication.
• REMOTE PORT—Remote port used to make the connection.
• LOCAL IP—Local IP address related to the communication. Matches can return additional
data if a machine has more than one NIC.
• LOCAL PORT—Local port used to make the connection.
• PROTOCOL—Network transport protocol over which the traffic was sent.
To specify an additional exception (match this value except), click the + to the right of the
value and specify the exception value.
Select and specify one or more of the following attributes for the acting (parent)
process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to
128 characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid
Signature, Weak Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex
XDR agent identified as being responsible for initiating the process tree. The OS actor is
the parent process that creates an OS process on behalf of a different initiator. By default,
this option is enabled to apply the same search criteria to initiating processes. To configure
different attributes for the parent or initiating process, clear this option.
STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
STEP 3 | Enter the search criteria for the image load activity query.
• Type of image activity: All, Image Load, or Change Page Protection.
• Identifying information about the image module: Full Module Path, Module MD5, or
Module SHA256.
By default, Cortex XDR will return the activity that matches all the criteria you specify. To
exclude a value, toggle the = option to =!.
Select and specify one or more of the following attributes for the acting (parent)
process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to
128 characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid
Signature, Weak Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex
XDR agent identified as being responsible for initiating the process tree. The OS actor is
the parent process that creates an OS process on behalf of a different initiator. By default,
this option is enabled to apply the same search criteria to initiating processes. To configure
different attributes for the parent or initiating process, clear this option.
STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
STEP 3 | Enter the search criteria for the registry events query.
• Registry action—Select the type or types of registry actions you want to search: Key Create,
Key Delete, Key Rename, Value Set, or Value Delete.
• Registry attributes—Define any additional registry attributes for which you want to search.
By default, Cortex XDR will return the events that match the attribute you specify. To
exclude an attribute value, toggle the = option to =!. Attributes are:
• KEY NAME—Registry key name.
• DATA—Registry key data value.
• REGISTRY FULL KEY—Full registry key path.
• KEY PREVIOUS NAME—Name of the registry key before modification.
• VALUE NAME—Registry value name.
To specify an additional exception (match this value except), click the + to the right of the
value and specify the exception value.
Select and specify one or more of the following attributes for the acting (parent)
process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to
128 characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid
Signature, Weak Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex
XDR agent identified as being responsible for initiating the process tree. The OS actor is
the parent process that creates an OS process on behalf of a different initiator. By default,
this option is enabled to apply the same search criteria to initiating processes. To configure
different attributes for the parent or initiating process, clear this option.
STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
STEP 3 | Enter the search criteria for your Windows or Linux event log query.
Define any event attributes for which you want to search. By default, Cortex XDR will return
the events that match the attribute you specify. To exclude an attribute value, toggle the =
option to =!. Attributes are:
• PROVIDER NAME—The provider of the event log.
• USERNAME—The username associated with the event.
• EVENT ID—The unique ID of the event.
• LEVEL—The event severity level.
• MESSAGE—The description of the event.
To specify an additional exception (match this value except), click the + to the right of the value
and specify the exception value.
STEP 5 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
STEP 8 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
STEP 3 | Enter the search criteria for the network events query.
• Network attributes—Define any additional process attributes for which you want to search.
Use a pipe (|) to separate multiple values (for example 80|8080). By default, Cortex XDR
will return the events that match the attribute you specify. To exclude an attribute value,
toggle the = option to =!. Options are:
• APP ID—App ID of the network.
• PROTOCOL—Network transport protocol over which the traffic was sent.
• SESSION STATUS
• FW DEVICE NAME—Firewall device name.
• FW RULE—Firewall rule.
• FW SERIAL ID—Firewall serial ID.
• PRODUCT
• VENDOR
To specify an additional exception (match this value except), click the + to the right of the
value and specify the exception value.
STEP 4 | (Optional) To limit the scope to a specific source, click the + to the right of the value and
specify the exception value.
Specify one or more attributes for the source.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• HOST NAME—Name of the source.
• HOST IP—IP address of the source.
• HOST OS—Operating system of the source.
• PROCESS NAME—Name of the process.
• PROCESS PATH—Path to the process.
• CMD—Command-line used to initiate the process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the process.
• SHA256—SHA256 hash value of the process.
• PROCESS USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid
Signature, Unsigned, Revoked, Signature Fail.
• PID—Process ID of the parent process.
• IP—IP address of the process.
• PORT—Port number of the process.
• USER ID—ID of the user who executed the process.
• Run search for both the process and the Causality actor—The causality actor—also referred
to as the causality group owner (CGO)—is the parent process in the execution chain that the app
identified as being responsible for initiating the process tree. Select this option if you want
to apply the same search criteria to the causality actor. If you clear this option, you can then
configure different attributes for the causality actor.
STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in
background to run the query as resources are available, or Run to run the query immediately
and view the results in the Query Center.
Select and specify one or more of the following attributes for the acting (parent)
process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to
128 characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid
Signature, Weak Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex
XDR agent identified as being responsible for initiating the process tree. The OS actor is
the parent process that creates an OS process on behalf of a different initiator. By default,
this option is enabled to apply the same search criteria to initiating processes. To configure
different attributes for the parent or initiating process, clear this option.
STEP 5 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Query Center
From the Query Center you can manage and view the results of all simple and complex queries
created from the Query Builder. The Query Center displays information about the query including
the query parameters and allows you to adjust and rerun queries as needed.
The following table describes the fields that are available for each query in alphabetical order.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that
is exposed by default.
Field Description
COMPUTE UNIT USAGE Displays how many query units were used to
execute the API query and Cold Storage query.
SIMULATED COMPUTE UNITS Displays how many query units were used to
execute the Hot Storage query.
STEP 2 | Right-click anywhere in the query row, select Show results, and choose whether to open the
query in the same tab or a new tab.
STEP 3 | (Optional) If you want to refine your results, you can Modify a query from the query results.
STEP 4 | (Optional) If desired, Export to file to export the results to a tab-separated values (TSV) file.
Modify a Query
After you run a query you might find you need to change your search parameters, such as to
narrow the search results or correct a search parameter. There are two ways you can modify a
query: you can edit it in the Query Center, or you can edit it from the results page. Both methods
populate the criteria you specified in the original query in a new query which you can modify and
save.
Select the calendar icon to schedule a query to run on or before a specific date, Run
in background to run the query as resources are available, or Run to run the query
immediately and view the results in the Query Center.
Select the calendar icon to schedule a query to run on or before a specific date, Run
in background to run the query as resources are available, or Run to run the query
immediately and view the results in the Query Center.
Select the calendar icon to schedule a query to run on or before a specific date, Run
in background to run the query and review the result at a later time, or Run to run the
query immediately and view the results in the Query Center.
Rename a Query
If needed, you can rename a query at any time. If you later rerun the query, the new query will run
using the new name. You can also edit the name of a query when you Modify a Query.
STEP 1 | Select Investigation > Query Center.
STEP 2 | Right click anywhere in the query and then select Rename.
Quick Launcher
The Quick Launcher provides a quick, in-context shortcut that you can use to search for
information, perform common investigation tasks, or initiate response actions from any place in
the Cortex XDR app. The tasks that you can perform with the Quick Launcher include:
• Search for a host, username, IP address, domain, filename, filepath, or timestamp to easily launch
the artifact and asset views.
For hosts, Cortex XDR displays results for exact matches but supports the use of a
wildcard (*), which changes the search to return matches that contain the specified
text. For example, a search of compy-7* will return any hosts beginning with
compy-7 such as compy-7000, compy-7abc and so forth.
• Search in the Asset Inventory table for a specific Asset Name or IP address. In addition, two
actions are available when searching for Asset Inventory data.
• Change search to <host name of asset> to display additional actions related to that host.
This option is only relevant when searching for an IP address that is connected to an asset.
• Open in Asset Inventory is a pivot available when the host name of an asset is selected.
• Begin Go To mode. Enter a forward slash (/) followed by your search string to filter and navigate
to Cortex XDR pages. For example, / rules searches for all pages that include rules and
allows you to navigate to those pages. Select Esc to exit Go To mode.
• Add a process by SHA256 hash to the allow list or block list
• Add domains or IP addresses to the EDL block list
• Create a new IOC for an IP address, domain, hash, filename, or filepath
• Isolate an endpoint
• Open a terminal to a given endpoint
• Initiate a malware scan on an endpoint
You can bring up the Quick Launcher either using the default keyboard shortcut (Ctrl-Shift+X
on Windows or CMD+Shift+X on macOS), by using the Quick Launcher icon located in the
top navigation bar, or from the application menus. To change the default keyboard shortcut, select
Settings > Configurations > General > Server Settings > Keyboard Shortcuts. The shortcut value
must be a keyboard letter, A through Z, and cannot be the same as the Artifact and Asset Views
defined shortcut.
You can also prepopulate searches in Quick Launcher by selecting text in the app or selecting a
node in the Causality or Timeline Views.
By default, Cortex XDR opens the Quick Launcher in the center of the page. To change the default
position, drag the Quick Launcher to another preferred location. The next time you open the
Quick Launcher, it opens in the previous location. To close the Quick Launcher, click Esc or click
out of the Quick Launcher dialog.
Scheduled Queries
From the Scheduled Queries page, you can view all scheduled and recurring queries created from the Query Builder. The Scheduled Queries page displays information about each query, including the query parameters, and allows you to adjust or modify the schedule as needed. To edit a query schedule, right-click the query and select the desired action.
The following table describes the fields that are available for each query, in alphabetical order.
Field  Description
QUERY NAME  For saved queries, the Query Name identifies the query specified by the administrator. For scheduled queries, the Query Name identifies the auto-generated name of the parent query. Scheduled queries also display an icon to the left of the name to indicate that the query is recurring.
STEP 2 | Locate the scheduled query for which you want to view previous executions.
If necessary, use the Filter to reduce the number of queries Cortex XDR displays.
STEP 3 | Right-click anywhere in the query row, select Show executed queries, and choose whether to open the query in the same tab or a new tab.
Cortex XDR filters the queries on the Query Center and displays the results in a new window.
STEP 3 | Right-click anywhere in the query row and then select Edit.
STEP 4 | Adjust the schedule settings as needed, and then click OK.
STEP 3 | Right-click anywhere in the query row and then select Remove to permanently remove the scheduled query, or Disable to temporarily stop the query from running at the scheduled time. If you disable a query, you can later return to the Scheduled Queries page and Enable it.
STEP 3 | Right-click anywhere in the query row and then select Rename.
STEP 4 | Edit the query name as desired, and then click OK.
STEP 1 | Use the threat intelligence you have to build a query using the Cortex XDR Query Builder.
For example, if external threat intelligence indicates a confirmed threat that involves specific files or behaviors, search for those characteristics.
STEP 2 | View the Results of a Query and refine as needed to filter out noise.
See Modify a Query.
STEP 4 | Open the Timeline View to view the sequence of events over time.
STEP 5 | Inspect the information again, and identify any characteristics you can use to Create a BIOC Rule or Create a Correlation Rule.
If you can create a BIOC or Correlation Rule, test and tune it as needed.
Investigate Incidents
The Incidents page displays all incidents in the Cortex XDR management console to help you prioritize, track, triage, investigate, and take remedial action.
To begin investigating your incidents:
• Learn about Cortex XDR Incidents
• Set up External Integrations
• Manage your Incident Starring
• Create an Incident Scoring Rule
• Triage your Incidents
• Manage your Incidents
Incidents
An attack can affect several hosts or users and raise different alert types stemming from a single event. All artifacts, assets, and alerts from a threat event are gathered into an Incident.
The logic by which the Cortex XDR app assigns an alert to an incident is based on a set of rules that take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped into the same incident if an open incident already exists. Otherwise, the new incoming alert creates a new incident.
To keep incidents fresh and relevant, Cortex XDR provides thresholds after which an incident stops adding alerts:
• 30 days after the incident was created
• 14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting alerts and Cortex XDR groups subsequent related alerts in a new incident. You can track the grouping threshold status in the Alerts Grouping Status field in the Incidents table:
• Enabled—The incident is open to accepting new related alerts.
• Disabled—The grouping threshold has been reached, or the incident reached the 1,000 alert limit, and the incident is closed to further alerts. To view the exact reason for a Disabled status, hover over the status field.
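To make the grouping thresholds above concrete, here is an added Python example (written for this section; it is not Cortex XDR code and not from Palo Alto Networks) that evaluates the Alerts Grouping Status of a constructed incident record and routes an incoming related alert either into an open incident or into a new one. The incident and alert dict layouts, the chain field standing in for the guide's attribute-based relatedness matching, and the fallback to the creation time when an incident holds only backward scan alerts are assumptions of this example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds as stated in the guide; the data model around them is constructed
# for this example and is not Cortex XDR code.
MAX_INCIDENT_AGE = timedelta(days=30)   # after creation, the incident stops adding alerts
MAX_IDLE_TIME = timedelta(days=14)      # since the last detected alert (backward scan alerts excluded)
MAX_ALERTS_PER_INCIDENT = 1000          # alert limit per incident


def alerts_grouping_status(incident: Dict, now: datetime) -> Tuple[str, Optional[str]]:
    """Mirror the Alerts Grouping Status field: ("Enabled", None) while the
    incident still accepts related alerts, otherwise ("Disabled", reason)."""
    alerts = incident["alerts"]
    if len(alerts) >= MAX_ALERTS_PER_INCIDENT:
        return "Disabled", "1,000 alert limit reached"
    if now - incident["created"] >= MAX_INCIDENT_AGE:
        return "Disabled", "30 days since the incident was created"
    # Backward scan alerts do not count as the incident's last detected alert.
    detections = [a["detected"] for a in alerts if not a.get("backward_scan", False)]
    # Assumption: with no qualifying alert, idle time is measured from creation.
    last_detected = max(detections) if detections else incident["created"]
    if now - last_detected >= MAX_IDLE_TIME:
        return "Disabled", "14 days since the last alert was detected"
    return "Enabled", None


def route_alert(incidents: List[Dict], alert: Dict, now: datetime) -> Dict:
    """Attach a related alert to an open incident whose grouping is still
    Enabled; otherwise open a new incident for it, as the guide describes.
    Relatedness is simplified to a shared causality chain id ("chain")."""
    for incident in incidents:
        if incident["chain"] != alert["chain"]:
            continue
        if alerts_grouping_status(incident, now)[0] == "Enabled":
            incident["alerts"].append(alert)
            return incident
    new_incident = {
        "id": max((i["id"] for i in incidents), default=0) + 1,
        "created": now,
        "chain": alert["chain"],
        "alerts": [alert],
    }
    incidents.append(new_incident)
    return new_incident


NOW = datetime(2022, 5, 27, 12, 0)   # constructed reference time


def sample_incidents() -> List[Dict]:
    """Constructed incidents: one still open, one idle for 25 days, one 56 days old."""
    return [
        {"id": 1, "created": datetime(2022, 5, 8), "chain": "A",
         "alerts": [{"chain": "A", "detected": datetime(2022, 5, 20)}]},
        {"id": 2, "created": datetime(2022, 5, 1), "chain": "B",
         "alerts": [{"chain": "B", "detected": datetime(2022, 5, 2)},
                    {"chain": "B", "detected": datetime(2022, 5, 26), "backward_scan": True}]},
        {"id": 3, "created": datetime(2022, 4, 1), "chain": "C",
         "alerts": [{"chain": "C", "detected": datetime(2022, 5, 26)}]},
    ]


if __name__ == "__main__":
    incidents = sample_incidents()
    for inc in incidents:
        print(inc["id"], alerts_grouping_status(inc, NOW))
    # A new alert on chain B lands in a new incident because incident 2 is Disabled.
    print("routed to incident", route_alert(incidents, {"chain": "B", "detected": NOW}, NOW)["id"])
```

Incident 2 shows the backward scan caveat: its most recent alert is only a day old, but because that alert came from a backward scan it does not refresh the idle clock, so the incident is already closed to new alerts and the next related alert opens a new incident.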
You can select to view the Incidents page in table format or split pane mode, and toggle between the views. By default, Cortex XDR displays the split pane mode. Any changes you make to the incident fields, such as description, resolution status, filters, and sort selections, persist when you toggle between the modes.
The split pane mode displays a side-by-side view of your incidents list and the corresponding incident details.
The table view displays only the incident fields in a table format. Right-click an incident to view the incident details and investigate the related assets, artifacts, and alerts. For more information, see Investigate Incidents.
The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.
Incidents created prior to Cortex XDR version 2.9 are updated as follows:
• The MITRE Attack Tactics, MITRE Attack Techniques, and Alert Categories fields remain empty.
• The WildFire Hits field begins with an empty value; when a new alert is added to the incident, the field is updated.
• The Critical, High Severity, Medium Severity, Low Severity, and Alert Grouping Status fields are updated with the corresponding value.
• If an incident is merged or moved with other incidents, Cortex XDR recalculates and updates the fields.
Field  Description
Creation Time  Date and time when the incident was created.
High Severity Alerts  Number of high severity alerts that are part of the incident.
Low Severity Alerts  Number of low severity alerts that are part of the incident.
Resolved Timestamp  Displays the date and time when the incident was set to a resolved status.
alert matches include a star by the incident name in the Incident details view and a value of Yes in this field.
External Integrations
To aid you with threat investigation, Cortex XDR displays the WildFire-issued verdict for each Key Artifact in an incident. To provide additional verification sources, you can integrate external threat intelligence services with Cortex XDR, which can then be displayed for each Key Artifact in an incident. Cortex XDR supports the following integrations.
Integration  Description
Threat Intelligence
Incident Management
an owner. To get started, see the Cortex XDR API Reference.
STEP 2 | From the Incident List, locate the incident you want to star.
STEP 4 | Enter a descriptive Comment that identifies the reason or purpose of the starring configuration.
STEP 5 | Use the alert filters to build the match criteria for the policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be included.
A sub-rule score is only applied to an alert if the top-level rule was a match.
Within each incident, Cortex XDR aggregates the alert scores and assigns the incident a total score. The incident score is displayed in the Incidents table as a filterable field, Score, allowing you to prioritize the Incidents table according to the incident score. You can also view the score while investigating in the Incident View.
To create an incident scoring rule:
STEP 1 | In the Cortex XDR Management Console, navigate to Incident Response > Incident Configuration > Scoring Rules.
The Scoring Rules table displays the rules and, if applicable, the sub-rules currently in your Cortex XDR tenant.
STEP 3 | In the Create New Scoring Rule dialog, define the following:
1. Rule Name—Enter a unique name for your rule.
2. Score—Set a numeric value that is applied to an alert matching the rule criteria.
3. Base Rule—Select whether to create a top-level rule (Root) or a sub-rule of an existing rule, listed as Rule Name (ID:#). By default, rules are defined at root level.
4. Comment—Enter an optional comment.
5. Mark whether to Apply score only to first alert of incident—By selecting this option, you choose to apply the score only to the first alert that matches the defined rule. Subsequent alerts of the same incident will not receive a score from this rule again. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.
6. Determine which alert attribute you want to use as the rule match criteria. Use the filter at the top of the table to build your rule criteria.
STEP 4 | Review the rule criteria and Create the incident rule.
You are automatically redirected to the Scoring Rules table.
STEP 7 | (Optional) Investigate and manage incident scoring rules from the Incidents table or Incident View.
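The following added Python example (written for this section; it is not Cortex XDR code) models the scoring procedure: root rules and sub-rules with match criteria, the rule that a sub-rule only scores an alert its top-level rule also matched, the Apply score only to first alert of incident option, and the aggregation into an incident Score with an optional Manual Score override. The ScoringRule class, the dict representation of alerts, the constructed rules and alerts, and the treatment of deeper nesting (every ancestor must match) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of incident scoring rules written for this section;
# it is not Cortex XDR code. Alerts are dicts of attribute -> value and a
# rule's criteria is a dict of attribute -> required value.


@dataclass
class ScoringRule:
    rule_id: int
    name: str
    score: int
    criteria: Dict[str, str]
    parent_id: Optional[int] = None   # None marks a top-level (Root) rule
    first_alert_only: bool = True     # "Apply score only to first alert of incident" (default on)


def rule_matches(rule: ScoringRule, alert: Dict[str, str]) -> bool:
    """A rule matches when every criterion equals the alert's attribute value."""
    return all(alert.get(attr) == value for attr, value in rule.criteria.items())


def ancestors_match(rule: ScoringRule, alert: Dict[str, str],
                    by_id: Dict[int, ScoringRule]) -> bool:
    """A sub-rule score is only applied if the top-level rule was a match.
    Assumption: with deeper nesting, every ancestor up to the root must match."""
    parent_id = rule.parent_id
    while parent_id is not None:
        parent = by_id[parent_id]
        if not rule_matches(parent, alert):
            return False
        parent_id = parent.parent_id
    return True


def score_alerts(alerts: List[Dict[str, str]], rules: List[ScoringRule]) -> List[int]:
    """Score the alerts of one incident in arrival order; returns one score per alert."""
    by_id = {r.rule_id: r for r in rules}
    applied: Set[int] = set()   # rules that already scored an alert of this incident
    scores = []
    for alert in alerts:
        alert_score = 0
        for rule in rules:
            if not (rule_matches(rule, alert) and ancestors_match(rule, alert, by_id)):
                continue
            if rule.first_alert_only and rule.rule_id in applied:
                continue   # subsequent alerts get no score from this rule again
            applied.add(rule.rule_id)
            alert_score += rule.score
        scores.append(alert_score)
    return scores


def incident_score(alerts: List[Dict[str, str]], rules: List[ScoringRule],
                   manual_score: Optional[int] = None) -> int:
    """Aggregate alert scores into the incident Score; a Manual Score overrides it."""
    if manual_score is not None:
        return manual_score
    return sum(score_alerts(alerts, rules))


# Constructed rules: a root rule, one sub-rule under it, and a second root rule.
RULES = [
    ScoringRule(1, "Credential access alert", 50, {"category": "Credential Access"}),
    ScoringRule(2, "... and high severity", 30, {"severity": "high"},
                parent_id=1, first_alert_only=False),
    ScoringRule(3, "Any high severity alert", 10, {"severity": "high"}),
]

# Constructed alerts of one incident, in the order they arrived.
ALERTS = [
    {"category": "Credential Access", "severity": "high"},   # 50 + 30 + 10
    {"category": "Credential Access", "severity": "high"},   # 30 (rules 1 and 3 already applied)
    {"category": "Lateral Movement", "severity": "high"},    # 0 (sub-rule's root did not match)
    {"category": "Credential Access", "severity": "low"},    # 0
]

if __name__ == "__main__":
    print(score_alerts(ALERTS, RULES), incident_score(ALERTS, RULES))
```

The third alert is the case the first sentence of this section describes: it satisfies the sub-rule's own criterion (high severity) but not the root rule, so the sub-rule contributes nothing, and the first-alert-only root rule for high severity has already been consumed by the first alert.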
Triage Incidents
To help you triage and investigate your incidents, Cortex XDR displays your incidents in a split-pane view, allowing you to easily investigate the entire scope and cause of an event and view all relevant assets, suspicious artifacts, and alerts within the incident details.
Navigate to Incident Response > Incidents. The Incident split-pane view is divided into two main sections:
• Incident List
• Details Pane
The Details Pane supports Advanced View for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0 are displayed in a Legacy view. For flexibility, you can select to display incidents created after Cortex XDR 3.0 using either the Legacy view or the Advanced view.
The Incident List enables you to filter and sort according to the incident fields, such as status, score, severity, and timestamp. Each incident displays a summary of the incident severity, assignee, status, creation time, description, and assets. From the Incident List you can also review additional information.
The Details pane displays the information of the incident selected in the Incident List. The pane is made up of the following tabs that allow you to further investigate and manage each incident.
• Overview—Made up of an Incident Header listing the incident details, the MITRE tactics and techniques, a summarized timeline, and widgets to visualize the number of alerts and the types of sources, hosts, and users associated with the incident. Select the pin icon next to the tab name to always display a specific tab first when you investigate incidents.
• Key Assets & Artifacts—Displays the incident asset and artifact information of hosts, users, and key artifacts associated with the incident.
• Alerts & Insights—Displays a table of the alerts and insights associated with the incident.
• Timeline—A chronological representation of alerts and actions relating to the incident.
• Executions—Displays the causality chains associated with the incident.
Manage Incidents
The Incident view allows you to track incidents, investigate incident details, and take remedial action. Navigate to Incident Response > Incidents and locate the incident you want to investigate.
To begin managing your incidents:
• Review Incident List Details
• Update Incident Details
• Investigate Incident Overview
• Investigate Incident Key Assets and Artifacts
• Investigate Incident Alerts and Insights
• Investigate Incident Timeline
• Investigate Incident Executions
View the incident severity, score, and assignee. Select whether you want to Star the incident.
View the status of the incident and when it was last updated.
Assign an incident.
Select the assignee (or Unassigned) and begin typing the assignee’s email address for automated suggestions. Users must have logged in to the app to appear in the auto-generated list.
Merge incidents.
To merge incidents you think belong together, select the ellipsis icon, Merge Incidents, and enter the ID of the target incident you want to merge the incident with.
Incident scoring is managed as follows:
• Rule Based Score recalculates the incident score to include the merged incident scores.
• Manual Score allows you to enter a score that overrides the rule-based score.
Incident assignees are managed as follows:
• If both incidents have been assigned—The merged incident takes the target incident assignee.
• If both incidents are unassigned—The merged incident remains unassigned.
• If the target incident is assigned and the source incident is unassigned—The merged incident takes the target assignee.
• If the target incident is unassigned and the source incident is assigned—The merged incident takes the existing (source) assignee.
Create an exclusion.
Select the ellipsis icon, Create Exclusion, and enter the Policy Name. Select the alerts to include in the policy by filtering the Alert table and Create the exclusion.
The Overview tab supports Advanced View for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0 are displayed in a Legacy view. For flexibility, you can select to display incidents created after Cortex XDR 3.0 using either the Legacy view or the Advanced view.
In some cases, the number of alerts associated with the techniques is not aligned with the number for the parent tactic, because of missing tags or because an alert belongs to several techniques.
Investigate information about the Alerts, Sources, and Assets associated with the incident.
• In the Alerts widget:
  • Select See All to pivot to the Alerts & Insights table.
  • Review the Total number of alerts and the colored line indicating the alert severity. Select the severity tag to pivot to the Alerts & Insights table filtered according to the selected severity.
• In the Sources widget:
  • Select See All to pivot to the Alerts & Insights table.
  • Select each of the alert source types to pivot to the Alerts & Insights table filtered according to the selected alert source.
• In the Assets widget:
  • Select See All to pivot to the Key Assets and Artifacts tab.
  • Select the host names to display the Details panel. The panel is only available for hosts with the Cortex XDR agent installed and displays the host name, whether it is connected, along with the Endpoint Details, Agent Details, Network, and Policy information. Use the available actions listed in the top right-hand corner to take remedial actions.
  • Review Users that are marked as Featured.
  • If available, review the User Score allocated to each user.
Investigate artifacts.
In the Artifacts section, search for and review the artifacts associated with the incident. Each artifact displays, if available, the following artifact information and available actions according to the type of artifact: File, IP Address, or Domain.
File Artifact
• File Details
  • File name
  • SHA256 value
  • Number of alerts in the incident that include the file
  • Signature status and signer
  • WildFire Report. Select to view the WildFire Analysis Report.
  • AutoFocus (AF) tags. Select a tag to display its Source, Tag Class, and Description.
  • VirusTotal (VT) Score. Select the score to pivot to the VirusTotal report.
  • Number of alerts in the incident that include the file, according to severity
• Ellipsis File Actions
  • Open in Quick Launcher
  • Go to VirusTotal
  • Go to AutoFocus
  • Search File on all Endpoints
  • Open Hash View
  • View Related Alerts
  • Add to Block List
  • Add to Allow List
IP Address Artifact
• IP Address Details
  • IP Address value and name
  • Number of alerts in the incident that include the IP address
  • Whether the IP address is External or Internal
  • Whois information. Hover to display the Net Range, Registered Date, Registered Name, Organization, and Updated Date details.
  • VirusTotal (VT) Score. Select the score to pivot to the VirusTotal report.
  • Number of alerts in the incident that include the IP address, according to severity
• Ellipsis IP Address Actions
  • Open in Quick Launcher
  • Go to VirusTotal
  • Open IP View
Investigate hosts.
In the Hosts section, search for and review the hosts associated with the incident. Each host displays, if available, the following host information and available actions:
• Host Details
  • Icons representing whether a Cortex XDR agent is installed on the host and the operating system platform. A green icon indicates the host is connected.
  • Host Name
  • IP address associated with the host
  • Number of alerts that include the host, according to severity
• Ellipsis Host Actions
You can perform an action on multiple hosts by marking the entries you want to include or using Select All.
  • Security Operations > Isolate Endpoint, Initiate Malware Scan, Retrieve Endpoint Files, Initiate Live Terminal
  • Open in Quick Launcher
  • Open Asset View
  • View Related Alerts
To further investigate the host, select the host name to display the Details panel. The panel is only available for hosts with the Cortex XDR agent installed and displays the host name, whether it is connected, along with the Endpoint Details, Agent Details, Network, and Policy information. In addition, you can perform the available actions listed in the top right-hand corner.
Investigate users.
In the Users section, search for and review the users associated with the incident. Each user displays, if available, the following user information and available actions:
• User Details
  • User Name
  • Whether the user is Featured
  • The User Score, if available
  • Active Directory and Organization Unit names. Hover to display whether the name is an Active Directory or OU name.
  • Workday icon. Hover to display the Workday information.
  • Number of alerts that include the user, according to severity
• Ellipsis User Actions
  • View Related Alerts
  • Open User View
Filter the Alerts and Insights tables as you would in the dedicated Cortex XDR pages.
Select an alert or insight to display the corresponding Details panel. The panel displays the following alert details, if available.
• Alert
  • Alert name, severity, alert source, and rule name
  • General
  • MITRE ATT&CK
  • Host
  • Rule
  • Network Connections
• Insight
  • Insight name, type, source, and description
  • General
  • MITRE ATT&CK
  • Host
  • Rule
  • Process Execution
Use the available actions listed in the top right-hand corner to take remedial actions.
Navigate to the Timeline tab and filter the actions according to the following action types:
• All actions
• Alerts
• Response Actions
• Incident Management Actions
• Automatic Incident Updates
artifact in an interactive link. Depending on the type of action, you can select the entry, host names, and artifacts to further investigate the action:
• Locate the action you want to investigate:
  • Response and Management Actions ( )—Add and view comments relating to this action.
  • Alert and Automatic Updates ( )—Display the Details panel. In the panel, navigate to the Alerts tab to view the Alerts table filtered according to the Alert ID, the Key Assets tab to view a list of Hosts and Users associated with the alert, and an option to add Comments.
• Select the Host name to display, if available, the endpoint data.
• Select the Artifact to display the following type of information:
  • Hash Artifact—Displays the Verdict, File name, and Signature status of the hash value. Select the hash value to view the WildFire Analysis Report, Add to Block List, Add to Allow List, and Search File.
  • Domain Artifact—Displays the IP address and VT score of the domain. Select the domain name to Add to EDL.
  • IP Address—Displays whether the IP address is Internal or External, the Whois findings, and the VT score. Expand Whois to view the findings and Add to EDL.
• In action entries that involved more artifacts, expand Additional artifacts found to further investigate.
Investigate an IP Address
The IP Address View provides a powerful way to investigate and take action on IP addresses by reducing the number of steps it takes to collect, research, and threat hunt related incidents. Cortex XDR automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific IP address over a defined 24-hour or 7-day time frame.
To help you determine whether an IP address is malicious, the IP Address View displays an interactive visual representation of the collected activity for a specific IP address.
To investigate an IP address:
STEP 1 | Open the IP View for an IP address.
You can access the view from an IP address in the Cortex XDR console, where available, by right-clicking and selecting Open IP View, by selecting the IP address and using the default keyboard shortcut Ctrl/CMD+Shift+E, or by searching for a specific IP address in the Quick Launcher.
To change the default keyboard shortcut, select Settings > Configurations > General > Server Settings > Keyboard Shortcuts. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the Quick Launcher defined shortcut.
Requires a license key. Select Settings > Configurations > Integrations > Threat Intelligence.
• Whois identification data for the specific IP address.
• IOC Rule, if applicable, including the IOC Severity, Number of hits, and Source.
• EDL IP address, if the IP address was added to an EDL.
6. Review any related incidents:
Related Incidents lists the most recent incidents that contain the specific IP address as part of the incident Key Artifacts, according to the Last Updated timestamp. If the IP address belongs to an endpoint with a Cortex XDR agent installed, the incidents are displayed according to the host name rather than the IP address. To dive deeper into specific incidents, select the Incident ID. To view all the related incidents, select View All. Cortex XDR displays Recently Updated Incidents, which filters incidents for those that contain the IP address.
Filter  Description
Node Size  The node size to display for the type of values:
• Number of Connections
• Total Traffic
• Total Download
• Total Upload

• Top 3
• Bottom 5
• Bottom 3
Select to apply your selections and update the information displayed in the visualization pane. If necessary, Refresh to retrieve data.
STEP 5 | After reviewing the available information for the IP address, take action if desired:
Depending on the current IOC and EDL status, select Actions to:
• Edit Rule
• Disable Rule
• Delete Rule
• Add to EDL
Investigate an Asset
The Asset View provides a powerful way to investigate assets by reducing the number of steps it takes to collect and research hosts. Cortex XDR automatically aggregates information on hosts and displays the host insights and a list of related incidents.
To investigate an asset:
Select to apply your selections and update the information displayed in the visualization pane.
Filter  Description
• 7 Days
Select to apply your selections and update the information displayed in the visualization pane. If necessary, Refresh to retrieve data.
STEP 4 | Review the selected data. For more information, select Recent Process Executions to view the most recent processes executed by the hash. Search all Process Executions to run a query on the hash.
STEP 5 | After reviewing the available information for the hash, take action if desired:
• Select File Search to initiate a search for this hash across your network.
• Depending on the current hash status, select Actions to:
  • Add the hash to an Allow List.
  • Add the hash to a Block List.
  • Create an IOC rule.
Investigate a User
The User View provides a powerful way to investigate user type assets by reducing the number of steps it takes to collect and research a user. Cortex XDR, using Identity Analytics, automatically aggregates information on a user and displays the user insights.
To investigate the user:
STEP 1 | Open the User View.
You can access the view from:
• Users section of the Incident View Key Assets & Artifacts tab
• User Scores Table
• Analytics Alert View User Node
• Top 5 Notable Users Widget
STEP 2 | Select to view the User details over either the Last 7 Days, Last 14 Days, or Last 30 Days.
( ). Hover over a User defined score to display the Rule name that contributed to the User Score.
Select an incident and pivot to the Incident View. Incidents that no longer exist or have been merged are grayed out.
• User Associated Insights
Displays all the insights associated with the user, filtered.
• Top 5 Hosts Logged Into
The top 5 hosts the user logged into.
• Top 5 Authentication Target Hosts
The top 5 host names to which the user requested access.
• Top 5 Authentication Source Hosts
The top 5 host names where the user started authentication.
• Recent Login
Displays the recent user login details.
• Recent Authentications
Displays the recent user authentications.
Investigate Alerts
• Alerts
• Triage Alerts
• Manage Alerts
• Alert Exclusions
• Causality View
• Network Causality View
• Cloud Causality View
• Timeline View
• Analytics Alert View
Alerts
The Alerts page displays a table of all alerts in Cortex XDR.
The Alerts page consolidates non-informational alerts from your detection sources to enable you to efficiently and effectively triage the events you see each day. By analyzing an alert, you can better understand the cause of what happened and the full story with context, to validate whether the alert requires additional action. Cortex XDR supports saving 2M alerts per 4000 agents or 20 terabytes; half of the alerts are allocated for informational alerts, and half for severity alerts.
To view detailed information for an alert, you can also view its details in the Causality View and Timeline View. From these views you can also view related informational alerts that are not presented on the Alerts page.
By default, the Alerts page displays the alerts received over the last seven days (to modify the time period, use the page filters). Every 12 hours, Cortex XDR enforces a cleanup policy to remove the oldest alerts that exceed the maximum alerts limit.
Cortex XDR processes and displays the names of users in the following standardized format, also termed “normalized user”:
<company domain>\<username>
As a result, any alert triggered based on network, authentication, or login events displays the User Name in the standardized format in the Alerts and Incidents pages. This impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including Correlation, BIOC, and IOC alerts triggered on one of these event types.
The following table describes both the default fields and additional optional fields that you can add to the Alerts table using the column manager and lists the fields in alphabetical order.
Field  Description
• Prevented (Override-Lockout)
• Prevented (Post Detected)
• Prevented (Prompt Block)
• Prevented (Random-Drop)
• Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)
• Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)
• Prevented (Terminated The Session And Sent a TCP Reset To The Client)
• Prevented (Terminated The Session And Sent a TCP Reset To The Server)
• N/A
AGENT OS SUB TYPE  The operating system subtype of the agent from which the alert was triggered.
ALERT NAME  Module that triggered the alert. If the alert was generated by Cortex XDR, the Alert Name is the specific Cortex XDR rule that created the alert (BIOC, IOC, or Correlation Rule name). If from an external system, it carries the name assigned to it by Cortex XDR. Alerts that match an alert starring policy also display a purple star flag. Alerts associated with Identity Analytics are displayed with an Identity Analytics tag.
CGO MD5: The MD5 value of the CGO that initiated the alert.
CGO SHA256: The SHA256 value of the CGO that initiated the alert.
• Unknown
CLOUD PROVIDER: The name of the cloud provider where the alert occurred:
• AWS
• GCP
• Azure
CONTAINS FEATURED HOST: Displays whether the alert includes a host name that has been flagged as a Featured Alert Field.
CONTAINS FEATURED USER: Displays whether the alert includes a user name that has been flagged as a Featured Alert Field.
DNS Query Name: The domain name queried in the DNS request.
• Registry Event
FW SERIAL NUMBER: The serial number of the firewall that raised the firewall alert.
NGFW VSYS NAME: Name of the virtual system for the Palo Alto Networks firewall that triggered an alert.
OS PARENT USER NAME: Name of the user associated with the parent operating system.
PROCESS EXECUTION SIGNER: Signer of the process that triggered the alert.
RESOLUTION STATUS: The status that was assigned to this alert when it was triggered (or modified): New, Under Investigation, Resolved. Right-click an alert to Change Status.
Any update made to an alert impacts the associated incident. An incident with all its associated alerts marked as resolved is automatically set to Auto-Resolved. Cortex XDR continues to group Alerts to an Auto-Resolved Incident for up to 6 hours. If an alert is triggered during this period, Cortex XDR re-opens the Incident.
SOURCE ZONE NAME: The source zone name of the connection for firewall alerts.
TARGET FILE SHA256: The SHA256 hash value of an external DLL file that triggered the alert.
TIMESTAMP: The date and time when the alert was triggered. Right-click to Show rows 30 days prior or 30 days after the selected timestamp field value.
USER NAME: The name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain.
Any alert triggered based on network, authentication, or login events displays the User Name in the following standardized format in the Alerts and Incidents pages:
<company domain>\<username>
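The RESOLUTION STATUS rules above (an incident auto-resolves once every alert is resolved, new alerts keep being grouped into it for up to 6 hours, and grouping one re-opens it) are easy to misread when writing SOC automation against the alert table. The following Python model is an added example written for this guide, not Cortex XDR code; the class names, the try_group method and the "New" label used for a re-opened incident are assumptions, since the guide only says the incident is re-opened.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Grouping window stated in the guide: alerts keep being grouped into an
# Auto-Resolved incident for up to 6 hours after it auto-resolved.
REOPEN_WINDOW = timedelta(hours=6)

RESOLVED = "Resolved"
AUTO_RESOLVED = "Auto-Resolved"


@dataclass
class Alert:
    alert_id: str
    timestamp: datetime
    status: str = "New"  # New, Under Investigation, Resolved


@dataclass
class Incident:
    incident_id: str
    alerts: list = field(default_factory=list)
    status: str = "New"
    auto_resolved_at: Optional[datetime] = None

    def set_alert_status(self, alert_id: str, status: str, now: datetime) -> str:
        """Change one alert's status; any update propagates to the incident."""
        for alert in self.alerts:
            if alert.alert_id == alert_id:
                alert.status = status
        if self.alerts and all(a.status == RESOLVED for a in self.alerts):
            if self.status != AUTO_RESOLVED:
                self.status = AUTO_RESOLVED
                self.auto_resolved_at = now
        return self.status

    def try_group(self, alert: Alert) -> bool:
        """Try to group a new alert into this incident.

        Returns True if the alert was grouped. An Auto-Resolved incident
        accepts new alerts only inside the 6-hour window, and grouping one
        re-opens it; outside the window the caller must open a new incident.
        The re-opened status label "New" is an assumption of this model.
        """
        if self.status == AUTO_RESOLVED:
            if alert.timestamp - self.auto_resolved_at > REOPEN_WINDOW:
                return False
            self.status = "New"
            self.auto_resolved_at = None
        self.alerts.append(alert)
        return True


def walkthrough() -> dict:
    """Constructed scenario: auto-resolve, re-open inside the window, expiry."""
    t0 = datetime(2022, 5, 27, 9, 0)
    inc = Incident("INC-1", [Alert("A1", t0), Alert("A2", t0 + timedelta(minutes=5))])
    out = {}
    out["after_one_resolved"] = inc.set_alert_status("A1", RESOLVED, t0 + timedelta(hours=1))
    out["after_all_resolved"] = inc.set_alert_status("A2", RESOLVED, t0 + timedelta(hours=2))
    # A3 arrives 3 hours after auto-resolve: inside the window, so the incident re-opens.
    out["grouped_in_window"] = inc.try_group(Alert("A3", t0 + timedelta(hours=5)))
    out["status_after_reopen"] = inc.status
    # Resolve again; an alert 8 hours after that falls outside the window.
    inc.set_alert_status("A3", RESOLVED, t0 + timedelta(hours=6))
    out["grouped_after_window"] = inc.try_group(Alert("A4", t0 + timedelta(hours=14)))
    out["final_status"] = inc.status
    return out
```

The walkthrough shows the practical consequence: a resolved incident is not final for 6 hours, so a ticketing integration that closes a case on Auto-Resolved should expect the same incident id to come back.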
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts for a deeper understanding of the cause of the event.
• Manage Alerts
• Causality View
• Timeline View
• Analytics Alert View
Triage Alerts
When the Cortex XDR management console displays a new alert on the Alerts page, use the following steps to investigate and triage the alert:
STEP 1 | Review the data shown in the alert such as the command-line arguments (CMD), process info, etc.
For more information about the alert fields, see Alerts.
STEP 3 | Review the Timeline View to review the sequence of events over time.
The timeline is available for alerts that have been stitched with endpoint data.
STEP 4 | If deemed malicious, consider responding by isolating the endpoint from the network.
STEP 5 | Remediate the endpoint and return the endpoint from isolation.
STEP 6 | Inspect the information again to identify any behavioral details that you can use to Create a BIOC Rule and Create a Correlation Rule.
If you can create a BIOC or Correlation rule, test and tune the logic for the rule, and then save it.
Manage Alerts
From the Incident Response > Incidents > Alerts Table, you can manage the alerts you see and the information Cortex XDR displays about each alert.
The options available can change depending on the Alert Source.
• Copy Alerts
• Analyze an Alert
• Pivot to Views
• Create Profile Exceptions
• Add File Path to Malware Profile Allow List
• Create a Featured Alert Field
• View Generating BIOC or IOC Rule
• Retrieve Additional Alert Details
• Export Alert Details to a File
• Add an Alert Exclusion Policy
• Investigate Contributing Events
• Open Drilldown Query
Copy Alerts
You can copy an alert into memory as follows:
• Copy the URL of the alert record
• Copy the value for an alert field
• Copy the entire row of the alert record
With any of these options, you can paste the contents of memory into an email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field value, you can also easily paste it into a search or begin a query.
Analyze an Alert
To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that lets you make a thorough analysis very quickly.
The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on network traffic logs that have been stitched with endpoint data.
To view the analysis:
STEP 1 | From the Alerts page, locate the alert you want to analyze.
STEP 2 | Right-click anywhere in the alert, and select Investigate Causality Chain.
STEP 3 | Choose whether to open the Causality View card for an alert in a new tab or the same tab.
You can also view the causality chain over time using the Timeline view.
STEP 4 | Review the chain of execution and available data for the process and, if available, navigate through the process tree.
Pivot to Views
From any listed alert you can pivot to the following alert-related views:
• Open Asset View—Open the Asset View panel and view information related to the alert there.
• View full endpoint details—View the full details of the endpoint to which the alert relates.
• View related incident—View information about an incident related to the alert.
• View Observed Behaviors—View information about observed behaviors that are related to the alert.
To pivot to any of these views:
STEP 1 | Right-click a listed alert.
STEP 2 | From the pop-up menu, select the view to which you want to pivot.
STEP 2 | Right-click and select Add <path type> to malware profile allow list.
STEP 3 | In the Add <path type> to malware profile allow list dialog, select from your existing Profiles and Modules the ones to which you want to add the file path to the allow list.
STEP 2 | In the field type table, Add featured <field-type> to define a list of alert fields you want flagged in the Alerts Table. You can either Create New featured alert field from scratch or Upload from File.
• To create a new alert field:
1. Enter one or more values of the field type and Add them to the list.
2. (Optional) Add a comment.
3. Add the featured alert field.
• To import fields:
1. Browse or Drag and Drop your CSV file of field values. Download example file to ensure you are using the correct format.
2. Import your file.
Featured Active Directory values are displayed in the User and Host fields accordingly.
• (Optional) Create an Incident Scoring Rule using the Alert table Contains Featured Field Name fields to further highlight and prioritize alerts containing the Host, User, and IP address attributes.
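The standardized User Name format described in the Alerts table (`<company domain>\<username>`) and the CSV-imported featured user list above interact in one place: the CONTAINS FEATURED USER flag is only useful if the imported values and the alert's User Name are compared in the same normalized form. The Python below is an added example written for this guide, not Cortex XDR's matching logic; the CSV layout (one value per line, no header), acceptance of the `user@domain` form, and the rule that a featured value without a domain matches any domain are assumptions.

```python
import csv
import io
from typing import Optional, Set, Tuple

UserKey = Tuple[Optional[str], str]


def parse_user_name(value: str) -> UserKey:
    """Split a User Name into (domain, username), lower-cased.

    The guide's standardized form is <company domain>\\<username>.
    Accepting user@domain as well, and returning domain None for a bare
    name, are assumptions of this example.
    """
    value = value.strip()
    if "\\" in value:
        domain, _, user = value.partition("\\")
        return (domain.lower() or None), user.lower()
    if "@" in value:
        user, _, domain = value.rpartition("@")
        return domain.lower(), user.lower()
    return None, value.lower()


def load_featured_users(csv_text: str) -> Set[UserKey]:
    """Parse a featured-user CSV (constructed format: one value per row,
    lines starting with '#' ignored) into normalized keys."""
    featured: Set[UserKey] = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip() or row[0].startswith("#"):
            continue
        featured.add(parse_user_name(row[0]))
    return featured


def contains_featured_user(alert_user_name: str, featured: Set[UserKey]) -> bool:
    """CONTAINS FEATURED USER: a domain-qualified featured value must match
    domain and user; a bare featured value matches that user in any domain
    (assumption)."""
    domain, user = parse_user_name(alert_user_name)
    return (domain, user) in featured or (None, user) in featured


# Constructed sample import file.
FEATURED_CSV = """\
# featured users (constructed example)
ACME\\svc_backup
admin@acme.corp
jdoe
"""

# Constructed alert rows using the standardized User Name format.
CONSTRUCTED_ALERTS = [
    {"alert_id": "A1", "user_name": "ACME\\svc_backup"},
    {"alert_id": "A2", "user_name": "acme.corp\\Admin"},
    {"alert_id": "A3", "user_name": "OTHER\\jdoe"},
    {"alert_id": "A4", "user_name": "ACME\\jsmith"},
]


def flag_alerts(alerts=CONSTRUCTED_ALERTS, csv_text=FEATURED_CSV) -> dict:
    """Return {alert_id: contains_featured_user} for each alert."""
    featured = load_featured_users(csv_text)
    return {a["alert_id"]: contains_featured_user(a["user_name"], featured) for a in alerts}
```

Case-folding both sides matters: Windows account names are case-insensitive, so a list imported with one casing and alerts carrying another would otherwise never match.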
STEP 2 | Right-click the row, and select Manage Alert > View generating rule.
Cortex XDR opens the BIOC rule that generated the alert in the BIOC Rules page. If the rule has been deleted, an empty table is displayed.
STEP 2 | Right-click anywhere in the alert, and select one of the following options:
• Retrieve alert data—Cortex XDR can provide additional analysis of the memory contents when an exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert data consisting of the memory contents at the time the alert was raised. This can be done manually for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the Action Center (pivot to view Additional data). When analysis is complete, Cortex XDR displays the verdict in the Advanced Analysis field.
• Retrieve related files—To further examine files that are involved in an alert, you can request that the Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved, Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.
• For PAN NGFW source type alerts, Download triggering packet—Download the session PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP, you can download the file from the Alerts table, Incident, or Causality view.
If you require assistance from Palo Alto Networks Support to investigate the alert, ensure that you provide the downloaded ZIP file.
STEP 2 | When you are satisfied with the results, click the download icon.
The icon is grayed out when there are no results.
Cortex XDR exports the filtered result set to a TSV file.
Exclude Alert
To exclude an alert:
STEP 1 | From the Alerts page, locate the alert you want to exclude.
STEP 2 | Right-click the row, and select Manage Alert > Exclude Alert.
A notification displays indicating the exclusion is in progress.
STEP 2 | Right-click the row, and select Manage Alert > Investigate Contributing Events.
Alert Exclusions
The Incident Response > Incident Configuration > Alerts Exclusions page displays all alert exclusion policies in Cortex XDR.
An alert exclusion is a policy that contains a set of alert match criteria that you want to suppress from Cortex XDR. You can Add an Alert Exclusion Policy from scratch or you can base the exclusion on alerts that you investigate in an incident. After you create an exclusion policy, Cortex XDR excludes and no longer saves any future alerts that match the criteria from incidents and search query results. If you choose to apply the policy to historic results as well as future alerts, the app identifies the historic alerts as grayed out.
The following table describes both the default fields and additional optional fields that you can add to the alert exclusions table and lists the fields in alphabetical order.
Field Description
Check box to select one or more alert exclusions on which you want to perform actions.
BACKWARD SCAN STATUS: Exclusion policy status for historic data, either enabled if you want to apply the policy to previous alerts or disabled if you don't want to apply the policy to previous alerts.
DESCRIPTION: Text summary of the policy that displays the match criteria.
MODIFICATION DATE: Date and time when the exclusion policy was created or modified.
If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to Resolved - False Positive and sends an email notification to the incident assignee (if set).
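Exclusion policies have three effects described in this section that are worth seeing together: matching future alerts are not saved at all, matching historic alerts are only grayed out when backward scan is enabled (and stay excluded even if the policy is later disabled), and an incident left with only excluded alerts becomes Resolved - False Positive with an email to its assignee. The Python below is an added model written for this guide, not Cortex XDR's implementation; representing match criteria as exact field/value pairs, the per-policy creation timestamp, and the sample alerts and policy are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FALSE_POSITIVE = "Resolved - False Positive"


@dataclass
class ExclusionPolicy:
    name: str
    criteria: Dict[str, str]      # alert field -> value it must equal (assumed representation)
    created_at: datetime          # alerts at or after this time count as "future"
    backward_scan: bool = False   # BACKWARD SCAN STATUS: also apply to historic alerts
    enabled: bool = True

    def matches(self, alert: dict) -> bool:
        return all(alert.get(k) == v for k, v in self.criteria.items())


@dataclass
class Incident:
    incident_id: str
    alerts: List[dict]
    assignee: Optional[str] = None
    status: str = "New"
    emails_sent: List[str] = field(default_factory=list)


def apply_exclusions(incident: Incident, policies: List[ExclusionPolicy]) -> List[str]:
    """Apply enabled exclusion policies to an incident's alerts.

    Returns the ids of alerts that were not saved (future alerts matching a
    policy). A matching historic alert stays but is marked excluded (grayed
    out) only if some matching policy has backward scan on. The excluded
    mark is never cleared, so disabling the policy later keeps historic
    alerts excluded. If every remaining alert is excluded, the incident
    becomes Resolved - False Positive and the assignee is notified once.
    """
    dropped: List[str] = []
    remaining: List[dict] = []
    for alert in incident.alerts:
        hits = [p for p in policies if p.enabled and p.matches(alert)]
        if hits and alert["timestamp"] >= min(p.created_at for p in hits):
            dropped.append(alert["alert_id"])
            continue
        if any(p.backward_scan for p in hits):
            alert["excluded"] = True
        remaining.append(alert)
    incident.alerts = remaining
    if remaining and all(a.get("excluded", False) for a in remaining):
        if incident.status != FALSE_POSITIVE:
            incident.status = FALSE_POSITIVE
            if incident.assignee:
                incident.emails_sent.append(incident.assignee)
    return dropped


def walkthrough() -> dict:
    """Constructed scenario covering all three effects."""
    t0 = datetime(2022, 5, 27, 12, 0)
    policy = ExclusionPolicy(
        name="noisy build host",
        criteria={"alert_name": "Suspicious PowerShell", "host": "build-01"},
        created_at=t0, backward_scan=True)
    inc = Incident("INC-7", [
        {"alert_id": "X1", "alert_name": "Suspicious PowerShell", "host": "build-01",
         "timestamp": t0 - timedelta(days=1)},    # historic, matches -> grayed out
        {"alert_id": "X2", "alert_name": "Suspicious PowerShell", "host": "build-01",
         "timestamp": t0 + timedelta(hours=1)},   # future, matches -> not saved
        {"alert_id": "X3", "alert_name": "Credential Dumping", "host": "ws-22",
         "timestamp": t0 - timedelta(hours=2)},   # no match
    ], assignee="soc-analyst")
    out = {}
    out["dropped"] = apply_exclusions(inc, [policy])
    out["remaining"] = [(a["alert_id"], a.get("excluded", False)) for a in inc.alerts]
    out["status_mixed"] = inc.status
    # An incident whose only alert matches the policy flips to false positive.
    only = Incident("INC-8", [{"alert_id": "Y1", "alert_name": "Suspicious PowerShell",
                                "host": "build-01", "timestamp": t0 - timedelta(hours=3)}],
                    assignee="soc-analyst")
    apply_exclusions(only, [policy])
    out["status_only_excluded"] = only.status
    out["emails"] = list(only.emails_sent)
    # Disabling the policy does not un-exclude historic alerts.
    policy.enabled = False
    apply_exclusions(only, [policy])
    out["still_excluded"] = only.alerts[0]["excluded"]
    return out
```

The last step of the walkthrough is the one to remember operationally: backward scan is a one-way decision, so test a new policy against the incident's alerts with backward scan off before enabling it.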
There are two ways to create an exclusion policy. You can define the exclusion criteria when you investigate an incident or you can create an alert exclusion from scratch.
• Build an Alert Exclusion Policy from Alerts in an Incident
• Build an Alert Exclusion Policy from Scratch
Build an Alert Exclusion Policy from Alerts in an Incident
If, after reviewing the incident details, you want to suppress one or more alerts from appearing in the future, create an exclusion policy based on the alerts in the incident. When you create an exclusion from the incident view, you can define the criteria based on the alerts in the incident. If desired, you can also Create Alert Exclusions from scratch.
STEP 1 | From the Incident view in Cortex XDR, select Actions > Create Exclusion.
STEP 3 | Enter a descriptive Comment that identifies the reason or purpose of the alert exclusion policy.
STEP 4 | Use the alert filters to add the match criteria for the alert exclusion policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be excluded. To see all matching alerts including those not related to the incident, clear the option to Show only alerts in the named incident.
STEP 4 | Enter any comments to explain the purpose or intent behind the policy.
This action is irreversible: All historic excluded alerts will remain excluded if you disable or delete the policy.
STEP 7 | Create and then select Yes to confirm the alert exception policy.
Causality View
The Causality View provides a powerful way to analyze and respond to alerts. The scope of the Causality View is the Causality Instance (CI) to which this alert pertains. The Causality View presents the alert (generated by Cortex XDR or sent to Cortex XDR from a supported alert source such as the Cortex XDR agent) and includes the entire process execution chain that led up to the alert. On each node in the CI chain, Cortex XDR provides information to help you understand what happened around the alert.
The Causality View comprises five sections:
Context
Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP and MAC address. For alerts raised on endpoint data or activity, this section also displays the endpoint connectivity status and operating system.
• Visualization of the branch between the CGO and the actor process of the alert/event.
• Display of up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the nearest timestamp to the original alert/event are displayed first.
• Causality cards that contain more causality data display a Showing Partial Causality flag. You can manually add additional child or parent process branches by right-clicking on the process nodes displayed in the graph.
The Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click the icon in the lower-right of the CI graph.
The process node displays icons to indicate when an RPC protocol or code injection event was executed on another process from either a local or remote host.
• Injected Node
• Remote IP address
Hover over a process node to display a Process Information pop-up listing useful information about the process. If available, the pop-up includes the process Analytics Profiles.
• Path of the process.
• Command line of the process.
• SHA256 value of the process.
• Username of the user that initiated the process.
• Signature associated with the process, if available.
• WildFire verdict, if available.
• Running time of the process.
From any process node, you can also right-click to display additional actions that you can perform during your investigation:
• Show parents and children—If the parent is not presented by default, you can display it. If the process has children, Cortex XDR opens a dialog displaying the Children Process Start Time, Name, CMD, and Username details.
• Hide branch—Hide a branch from the Causality View.
• Add to block list or allow list, terminate, or quarantine a process—If, after investigating the activity in the CI chain, you want to take action on the process, you can select the desired action to allow or block the process across your organization.
In the causality view of a Detection (Post Detected) type alert, you can also Terminate process by hash.
• Depending on the type of node—file, process, or IP address—open the artifact view:
• Open Hash View to display detailed information about the files and processes relating to the hash.
• Open IP View to display detailed information about the IP address.
Entity Data
Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred. For example, device type, device information, remote IP address.
When you investigate command-line arguments, click {***} to obfuscate or decode the base64-encoded string.
For continued investigation, you can copy the entire entity data summary to the clipboard.
Response Actions
You can choose to isolate the host on which the alert was triggered from the network, or initiate a live terminal session to the host to continue investigation and remediation.
Events Table
Displays up to 100,000 related events for the process node that match the alert criteria but were not triggered in the alert table and are informational.
To continue investigation, you can perform the following actions from the right-click pivot menu:
• View in XQL to populate the event in an XQL search query that you can further refine, if needed.
• Add <path type> to malware profile allow list from the Process and File table <path> fields. For example, target_process_path, src_process_path, file_path, or os_parent_path.
• For the behavioral threat protection results, you can take action on the initiator to add it to an allow list or block list, terminate it, or quarantine it.
• Revise the event results to see possible related events near the time of an event using an updated timestamp value to Show rows 30 days prior or 30 days after.
To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.
The network causality view displays only the information it collects from the detectors. It is possible that the CI may not show some of the firewall or agent processes.
Section Description
Host Isolation: You can choose to isolate the host on which the alert was triggered from the network, or initiate a live terminal session to the host to continue investigation and remediation.
• Show parents and children—If the parent is not presented by default, you can display it. If the process has children, the XDR app displays the number of children beneath the process name and allows you to display them for additional information.
• Hide branch—Hide a branch from the Causality View.
• Add to block list or allow list, terminate, or quarantine a process—If, after investigating the activity in the CI chain, you want to take action on the process, you can select the desired action on the process across your organization.
In the causality view of a Detection (Post Detected) type alert, you can also Terminate process by hash.
When selecting the Network Appliance node in the Network Causality View, the event timestamp is now displayed in the Entity Data section of the card.
The color of a process node also correlates to the WildFire verdict.
• Blue—Benign.
• Yellow—Grayware.
• Red—Malware.
• Light gray—Unknown verdict.
• Dark gray—The verdict is inconclusive.
To view and download the WildFire report, click the report icon in the Entity Data section.
Events Table: Displays all related events for the process node that match the alert criteria but were not triggered in the alert table and are informational. You can also export the table results to a tab-separated values (TSV) file.
For the Behavioral Threat Protection table, right-click to add to allow list or block list, terminate, or quarantine a process.
Context
Summarizes information about the alert you are analyzing, including the type of Cloud Provider, Project, and Region on which the event occurred. Select View Raw Log to view the raw log as provided by the Cloud Provider in JSON format.
2. Select the Identity node to display additional information about the Identity entity in the Entity Data section.
3. Select the Alert icon to display additional information about the alert in the Entity Data section.
IP Address Node
Displays the IP address associated with the Identity.
Operations
Lists the type of operations performed by the identity on the cloud resources. Hover over the operation to display the original operation name as provided by the Cloud Provider.
Cloud Resource Node
Displays the referenced resource on which the operation was performed. Cortex XDR displays information on the following resources:
• Compute Instance Resource
• Disk Resource
• General Resource
• Image Resource
• Network Interface Resource
• Security Group (FW Rule) Resource
• Storage Bucket Resource
• Virtual Private Cloud (VPC) Resource
To further investigate the resource:
1. Hover over a Resource node to display, if available, the resource Analytics Profiles and Resource Editors statistics.
2. Select the Resource node to display additional information about the Resource entity in the Entity Data section.
Entity Data
Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.
Events Table
Displays up to 100,000 related events and up to 1,000 related alerts.
To continue investigation, in the Alerts table, you can perform the following actions from the right-click pivot menu:
• Investigate Causality Chain of the associated alert.
• Open in XQL to populate the event in an XQL search query that you can further refine, if needed.
• Manage Alert to perform available actions.
• Pivot to views to view the related incident.
In the All Events table, Cortex XDR displays detailed information about each of the related events. To simplify your investigation, Cortex XDR scans your Cortex XDR data, aggregating the events that have the same Identity or Resource, and displays the entry with an aggregated icon. Right-click and select Show Grouped Events to view the aggregated entries.
Entries highlighted in red indicate that the specific event triggered an alert. To continue investigation, right-click to View in XQL.
Timeline View
The Timeline provides a forensic timeline of the sequence of events, alerts, and informational BIOCs and Correlation Rules involved in an attack. While the Causality View of an alert surfaces related events and processes that Cortex XDR identifies as important or interesting, the Timeline displays all related events, alerts, and informational BIOCs and Correlation Rules over time.
Cortex XDR presents the Timeline in four parts:
Section Description
CGO (and process instances that are part of the CGO): Cortex XDR displays the Causality Group Owner (CGO) and the host on which the CGO ran in the top left of the timeline. The CGO is the parent process in the execution chain that Cortex XDR identified as being responsible for initiating the process tree. In the example above, wscript.exe is the CGO and the host it ran on was HOST488497. You can also click the blue corner of the CGO to view and filter related processes from the Timeline. This will add or remove the process and related events or alerts associated with the process from the Timeline.
Timespan: By default, Cortex XDR displays a 24-hour period from the start of the investigation and displays the start and end time of the CGO at either end of the timescale. You can move the slide bar to the left or right to focus on any time-gap within the timescale. You can also use the time filters above the table to focus on set time periods.
Connections are indicated by a dot. One dot indicates one connection while many dots indicate multiple connections. Uploads and Downloads are indicated by a bar graph that shows the size of the upload and download.
The lanes depict when activity occurred and provide additional statistics that can help you investigate. For BIOC, Correlation Rules, and Alerts, the lanes also depict activity nodes—highlighted with their severity color: high (red), medium (yellow), low (blue), or informational (gray)—and provide additional information about the activity when you hover over the node.
Related events, alerts, and informational BIOCs: Cortex XDR displays up to 100,000 alerts, BIOCs and Correlation Rules (triggered and informational), and events. Click on a node in the activity area of the Timeline to filter the results you see here. Similar to other pages in Cortex XDR, you can create filters to search for specific events.
Section Description
1. Context: For Analytics alerts, the analytics view indicates the endpoint for which the alert was raised. For Analytics BIOC alerts, the Analytics view summarizes information about the alert, including the source host name, IP address, the process name on which the alert was raised, and the corresponding process ID.
2. Alert summary: (Analytics alerts only) Describes the behavior that triggered the alert and activity impact.
3. Graphic summary: Similar to the Causality View, the analytics view provides a graphic representation of the activity that triggered the alert and an interactive way to view the chain of behavior for an Analytics alert. You can move the graphic, extend it, and modify it. To adjust the appearance, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click the icon in the lower-right of the graph.
User node—Hover over to display the User Information and user Analytics Profile data.
4. Alert description: The alert description provides details and statistics related to the activity. Beneath the description, you can also view the alert name, severity assigned to the alert, time of the activity, alert tactic (category) and type, and links to the MITRE summary of the attack tactic.
When selecting a User node, Identity User Details, such as Active Directory Group, Organizational Unit, and Role associated with the user, are displayed. If available, Login Details also appear.
Multi-Event—Displays the events associated with the alert according to the event type. Right-click to View in XQL and further Investigate with XQL the event details.
6. Response actions: Actions you can take in response to an Analytics alert. These actions can include isolating a host from the network, initiating a live terminal session, and adding an IP address or domain name to an external dynamic list (EDL) that is enforceable in your Palo Alto Networks firewall security policy.
Investigate Endpoints
Endpoint investigation requires either a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license.
• Action Center
• View Details About an Endpoint
• Retrieve Files from an Endpoint
• Retrieve Support Logs from an Endpoint
• Scan an Endpoint for Malware
Action Center
The Action Center provides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your Cortex XDR-protected endpoints. The main All Actions tab of the Action Center displays the most recent actions initiated in your deployment. To narrow down the results, click Filter on the top right.
You can also jump to filtered Action Center views for the following actions:
• Quarantine—View details about quarantined files on your endpoints. You can also switch to an Aggregated by SHA256 view that collapses results per file and lists the affected endpoints in the Scope field.
• Block List/Allow List—View files that are permitted and blocked from running on your endpoints regardless of file verdict.
Blocking files on endpoints is enforced by the endpoint malware profile. To block a hash value, ensure the hash value is configured in the Malware Security Profile.
Select Override Report mode to allow the agent to block hashes even if the Malware Profile is set to Report.
• Scripts Library—View Palo Alto Networks and administrator-uploaded scripts that you can run on your endpoints.
• Isolation—View the endpoints in your organization that have been isolated from the network. For more information, refer to Isolate an Endpoint.
• External Dynamic List—View the list of IP addresses and domain names in your EDL. For more information, refer to Manage External Dynamic Lists.
• Endpoint Blocked IP Addresses—View remote IP addresses that the Cortex XDR agent has automatically blocked from communicating with endpoints in your network. For more information, refer to Add a New Malware Security Profile.
For actions that can take a while to complete, the Action Center tracks the action progress and displays the action status and current progress description for each stage. For example, after initiating an agent upgrade action, Cortex XDR monitors all stages from the Pending request until the action status is Completed. Throughout the action lifetime, you can view the number of endpoints on which the action was successful and the number of endpoints on which the action failed. After a period of 90 days since the action creation, the action is removed from Cortex XDR and is no longer displayed in the Action Center. You cannot delete actions manually from the Action Center.
The following table describes both the default and additional optional fields that you can view from the All Actions tab of the Action Center and lists the fields in alphabetical order.
Field Description
• Pending Abort—No endpoint has started to perform the action yet.
• Aborted—The action was canceled for all endpoints after at least one endpoint has started performing it.
• Expired—The action expired before any endpoint has started performing it.
• Completed with Partial Success—The action was completed on all endpoints. However, some endpoints did not complete it successfully. Depending on the action type, it may have failed, been canceled, expired, or failed to retrieve all data.
• Completed Successfully—The action was completed successfully on all endpoints.
• Failed—The action failed on all endpoints.
• Timeout—The action timed out on all endpoints.
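The action statuses listed above are aggregates over every endpoint the action targeted, which is what makes "Completed with Partial Success" easy to misinterpret when polling the Action Center from a script (it is a completed action, not a running one). The Python below is an added example written for this guide, not Cortex XDR's status logic: the per-endpoint outcome values, the order in which the rules are checked, the "In Progress" label for a not-yet-terminal action and the constructed result sets are assumptions; the status names and their meanings are the ones the table gives.

```python
from collections import Counter
from typing import Dict

# Per-endpoint outcomes are an assumption of this model; the guide lists
# only the aggregated action statuses shown in the Action Center.
PENDING = "pending"            # endpoint has not started the action
IN_PROGRESS = "in_progress"
SUCCESS = "success"
FAILED = "failed"
CANCELED = "canceled"
EXPIRED = "expired"
TIMEOUT = "timeout"
PARTIAL_DATA = "partial_data"  # e.g. a retrieval that did not return all data

TERMINAL = {SUCCESS, FAILED, CANCELED, EXPIRED, TIMEOUT, PARTIAL_DATA}


def action_status(results: Dict[str, str], abort_requested: bool = False) -> str:
    """Map the per-endpoint results of one action to its Action Center status."""
    if not results:
        raise ValueError("an action needs at least one endpoint")
    counts = Counter(results.values())
    total = len(results)
    started = total - counts[PENDING]
    if abort_requested:
        # Pending Abort: no endpoint has started yet. Aborted: canceled for
        # all endpoints after at least one had started.
        return "Pending Abort" if started == 0 else "Aborted"
    if counts[EXPIRED] == total:
        return "Expired"             # expired before any endpoint started
    if counts[PENDING] + counts[IN_PROGRESS] > 0:
        return "In Progress"         # assumed label: not yet terminal everywhere
    if counts[SUCCESS] == total:
        return "Completed Successfully"
    if counts[FAILED] == total:
        return "Failed"
    if counts[TIMEOUT] == total:
        return "Timeout"
    # Completed on all endpoints, but some failed, were canceled, expired,
    # timed out, or did not return all data.
    return "Completed with Partial Success"


def progress(results: Dict[str, str]) -> Dict[str, int]:
    """The successful / failed counts the Action Center shows during an action's lifetime."""
    counts = Counter(results.values())
    return {
        "successful": counts[SUCCESS],
        "failed": sum(counts[s] for s in TERMINAL if s != SUCCESS),
        "remaining": counts[PENDING] + counts[IN_PROGRESS],
    }


# Constructed result sets for a hypothetical agent-upgrade action.
SCENARIOS = {
    "all_ok": {"ep-1": SUCCESS, "ep-2": SUCCESS},
    "mixed": {"ep-1": SUCCESS, "ep-2": FAILED, "ep-3": PARTIAL_DATA},
    "running": {"ep-1": SUCCESS, "ep-2": IN_PROGRESS, "ep-3": PENDING},
    "never_started": {"ep-1": EXPIRED, "ep-2": EXPIRED},
    "all_timed_out": {"ep-1": TIMEOUT, "ep-2": TIMEOUT},
}


def classify_all() -> Dict[str, str]:
    """Status for each constructed scenario plus the two abort cases."""
    out = {name: action_status(r) for name, r in SCENARIOS.items()}
    out["abort_before_start"] = action_status({"ep-1": PENDING, "ep-2": PENDING}, abort_requested=True)
    out["abort_after_start"] = action_status({"ep-1": SUCCESS, "ep-2": CANCELED}, abort_requested=True)
    return out
```

A script that waits for an action should treat Completed Successfully, Completed with Partial Success, Failed, Timeout, Expired and Aborted all as terminal, and then inspect the per-endpoint Additional data for the partial and failed cases.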
Addional data—If addional details are available for an acon or for specific endpoints, you
can pivot (right-click) to the Addional data view. You can also export the addional data to a
TSV file. The page can include details in the following fields but varies depending on the type of
acon.
Acon Last Update Time at which the last status update occurred
for the acon.
Additional Data | Malicious Files: Additional data, if any is available, for the action. For malware
scans, this field is titled Malicious Files and indicates the number of malicious files identified
during the scan.
STEP 2 | Select the action you want to initiate and follow the required steps and parameters you need
to define for each action.
Cortex XDR displays only the endpoints eligible for the action you want to perform.
Field Action
• Change Endpoint Alias
• Upgrade Agent Version
The following table describes both the default and additional optional fields that you can view in
the Endpoints table. The table lists the fields in alphabetical order.
Field Description
Active Directory: Lists all Active Directory Groups and Organizational Units to which the user
belongs.
Auto Upgrade Status: When Agent Auto Upgrades are enabled, indicates one of the following
statuses:
• In progress—Indicates that the Cortex XDR agent upgrade is in progress on the endpoint.
• Up to date—Indicates that the current Cortex XDR agent version on the endpoint is up to date.
• Failure—Indicates that the Cortex XDR agent upgrade failed after three retries.
• Not configured—Indicates that automatic agent upgrades are not configured for this endpoint.
• Pending—Indicates that the Cortex XDR agent version running on the endpoint is not up to
date, and the agent is waiting for the upgrade message from Cortex XDR.
• Not supported—Indicates this endpoint type does not support automatic agent upgrades.
Relevant for VDI, TS, or Android endpoints.
To include or exclude one or more endpoints from auto upgrade, right-click and select Endpoint
Control > <Exclude/Include> endpoints from auto upgrade.
Cloud Info: Displays IBM and Alibaba Cloud metadata reported by the endpoint.
Content Auto Update: Indicates whether automatic content updates are Enabled or Disabled for
the endpoint. See Agent Settings profile.
Content Release Timestamp: Displays the time and date of when the current content version was
released.
Content Rollout Delay (days): If you configured delayed content rollout, the number of days for
delay is displayed here. See Agent Settings profile.
Content Status: Displays the status of the content version on the relevant endpoint. Cortex XDR
attempts to contact an endpoint and check the content version over a 7 day period. After this
period Cortex XDR displays one of the following statuses:
• Up to Date - The endpoint is running with the latest content version
• Waiting for Update - Cortex XDR is in the process of updating the new content version.
Depending on your bandwidth and network connection, updating the content version may take
time.
• Outdated - The endpoint is running on an outdated content version.
• Offline - The endpoint is disconnected.
Content Version: Content update version used with the Cortex XDR agent.
Disabled Capabilities: A list of the capabilities that were disabled on the endpoint. To disable one
or more capabilities, right-click the endpoint name and select Endpoint Control > Disable
Capabilities. Options are:
• Live Terminal
• Script Execution
• File Retrieval
You can disable these capabilities during the Cortex XDR agent installation on the endpoint or
through Endpoint Administration. Disabling any of these actions is irreversible, so if you later
want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a
new package on the endpoint.
Endpoint Alias: If you assigned an alias to represent the endpoint in Cortex XDR, the alias is
displayed here. To set an endpoint alias, right-click the endpoint name, and select Change
endpoint alias. The alias can contain any of the following characters: a-Z, 0-9, !@#$%^&()-'{}~_.
Endpoint Name: Hostname of the endpoint. If the agent enables Pro features, this field also
includes a PRO badge. For Android endpoints, the hostname comprises the
<firstname>—<lastname> of the registered user, with a separating dash.
Endpoint Status: Registration status of the Cortex XDR agent on the endpoint:
• Connected—The Cortex XDR agent has checked in within 10 minutes for standard endpoints,
and within 3 hours for mobile endpoints.
• Connection Lost—The Cortex XDR agent has not checked in within 30 to 180 days for standard
endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.
• Disconnected—The Cortex XDR agent has checked in within the defined inactivity window:
between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes
and 90 minutes for VDI and temporary sessions.
• VDI Pending Log-on—(Windows only) Indicates a non-persistent VDI endpoint is waiting for
user logon, after which the Cortex XDR agent consumes a license and starts enforcing
protection.
• Uninstalled—The Cortex XDR agent has been uninstalled from the endpoint.
Endpoint Version: Version of the Cortex XDR agent that runs on the endpoint.
First Seen: Date and time the Cortex XDR agent first checked in (registered) with Cortex XDR.
Golden Image ID: For endpoints with a System Type of Golden Image, the image ID is a unique
identifier for the golden image.
Group Names: Endpoint Groups to which the endpoint is a member, if applicable. See Define
Endpoint Groups.
Isolation Date: Date and time of when the endpoint was Isolated. Displayed only for endpoints in
Isolated or Pending Isolation Cancellation status.
Install Date: Date and time at which the agent was first installed on the endpoint.
Installation Package: Installation package name used to install the Cortex XDR agent.
Last Content Update Time: Displays the time and date when the agent last deployed a content
update.
Last Origin IP: Represents the last IP address from which the Cortex XDR agent connected.
Last Scan: Date and time of the last malware scan on the endpoint.
Last Seen: Date and time of the last change in an agent's status. This can occur when Cortex XDR
receives a periodic status report from the agent (once an hour), a user performed a manual Check
In, or a security event occurred.
Last Used Proxy: The IP address and port number of the proxy that was last used for
communication between the agent and Cortex XDR.
Linux Operation Mode: (Cortex XDR agent 7.7 and later for Linux) Displays the operation mode in
which the Cortex XDR agent is running on your Linux endpoint. The available operation modes
are Kernel, User Space, and Kernel Disabled.
Network Location: (Cortex XDR agent 7.1 and later for Windows and Cortex XDR agent 7.2 and
later for macOS and Linux) Endpoint location is reported by the Cortex XDR agent when you
enable this capability in the Agent Settings profile:
• Internal
• External
• Not Supported—The Cortex XDR agent is running a prior agent version that does not support
network location reporting.
• Disabled—The Cortex XDR agent was unable to identify the network location.
Tags created in the Cortex XDR agent are displayed with a shield icon.
Users: User that was last logged into the endpoint. On Android endpoints, the Cortex XDR app
identifies the user from the email prefix specified during app activation.
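The check-in windows described under Endpoint Status can be applied to an exported endpoint inventory to spot agents that have gone quiet. The following Python is an added example, not Cortex XDR's own code: the thresholds are transcribed from the field description above, the endpoint records are constructed, and two bounds the guide does not state (the Connected window for VDI sessions and the 180-day bound for mobile endpoints) are assumptions.

```python
from datetime import datetime, timedelta

# Check-in windows transcribed from the Endpoint Status field description.
# "vdi" stands for VDI and temporary sessions. Two values are assumptions:
# the Connected window for "vdi" (inferred from its Disconnected range
# starting at 10 minutes) and the 180-day bound for "mobile" (the guide
# states that bound only for standard endpoints).
CONNECTED_WITHIN = {
    "standard": timedelta(minutes=10),
    "mobile": timedelta(hours=3),
    "vdi": timedelta(minutes=10),       # assumption
}
DISCONNECTED_UNTIL = {
    "standard": timedelta(days=30),
    "mobile": timedelta(days=30),
    "vdi": timedelta(minutes=90),
}
CONNECTION_LOST_UNTIL = {
    "standard": timedelta(days=180),
    "mobile": timedelta(days=180),      # assumption
    "vdi": timedelta(hours=6),
}


def _as_datetime(value):
    """Accept a timezone-aware datetime or an ISO 8601 string with a UTC offset."""
    dt = value if isinstance(value, datetime) else datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset; naive values are ambiguous")
    return dt


def endpoint_status(last_seen, now, kind="standard"):
    """Map the time since the last agent check-in to the guide's status label."""
    if kind not in CONNECTED_WITHIN:
        raise ValueError(f"unknown endpoint kind: {kind!r}")
    elapsed = _as_datetime(now) - _as_datetime(last_seen)
    if elapsed < timedelta(0):
        raise ValueError("last_seen is later than now; check for clock skew")
    if elapsed <= CONNECTED_WITHIN[kind]:
        return "Connected"
    if elapsed <= DISCONNECTED_UNTIL[kind]:
        return "Disconnected"
    # Past the Disconnected window the guide reports Connection Lost. It does
    # not say what happens beyond 180 days (6 hours for VDI), so the label is
    # kept and beyond_documented_window() flags those cases separately.
    return "Connection Lost"


def beyond_documented_window(last_seen, now, kind="standard"):
    """True when the silence exceeds the longest window the guide documents."""
    if kind not in CONNECTION_LOST_UNTIL:
        raise ValueError(f"unknown endpoint kind: {kind!r}")
    elapsed = _as_datetime(now) - _as_datetime(last_seen)
    return elapsed > CONNECTION_LOST_UNTIL[kind]


# Constructed inventory rows, shaped like an export of the Endpoints table.
NOW = "2022-05-27T12:00:00+00:00"
SAMPLE_ENDPOINTS = [
    {"name": "WKS-001", "kind": "standard", "last_seen": "2022-05-27T11:55:00+00:00"},
    {"name": "WKS-002", "kind": "standard", "last_seen": "2022-05-27T09:00:00+00:00"},
    {"name": "MOB-001", "kind": "mobile",   "last_seen": "2022-05-27T10:00:00+00:00"},
    {"name": "VDI-001", "kind": "vdi",      "last_seen": "2022-05-27T10:00:00+00:00"},
    {"name": "WKS-003", "kind": "standard", "last_seen": "2022-04-01T12:00:00+00:00"},
    {"name": "WKS-004", "kind": "standard", "last_seen": "2021-11-01T12:00:00+00:00"},
]


def inventory_report(endpoints, now):
    """Group endpoint names by status; names past the documented window get a marker."""
    report = {"Connected": [], "Disconnected": [], "Connection Lost": []}
    for ep in endpoints:
        status = endpoint_status(ep["last_seen"], now, ep["kind"])
        name = ep["name"]
        if status == "Connection Lost" and beyond_documented_window(ep["last_seen"], now, ep["kind"]):
            name += " (beyond documented window)"
        report[status].append(name)
    for names in report.values():
        names.sort()
    return report


if __name__ == "__main__":
    for status, names in inventory_report(SAMPLE_ENDPOINTS, NOW).items():
        print(f"{status}: {', '.join(names) or '-'}")
```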
STEP 3 | Select the operating system and enter the paths for the files you want to retrieve, pressing
ADD after each completed path.
You cannot define a path using environment variables on Mac and Linux endpoints.
STEP 5 | Select the target endpoints (up to 10) from which you want to retrieve files.
If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.
STEP 7 | Review the action summary and click Done when finished.
To track the status of a file retrieval action, return to the Action Center. Cortex XDR retains
retrieved files for up to 30 days.
If at any time you need to cancel the action, you can right-click it and select Cancel for pending
endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and
no files have been retrieved from it yet. The cancellation does not affect endpoints that are
already in the process of retrieving files.
STEP 8 | To view additional data and download the retrieved files, right-click the action and select
Additional data.
This view displays all endpoints from which files are being retrieved, including their IP Address,
Status, and Additional Data such as error messages or names of files that were not retrieved.
STEP 9 | When the action status is Completed Successfully, you can right-click the action and
download the retrieved files.
Cortex XDR retains retrieved files for up to 30 days.
Disabling File Retrieval does not take effect on file retrieval actions that are in progress.
STEP 2 | Navigate back to the Action Center, locate your Support File Retrieval action type and wait
for the Status field to display Completed Successfully.
If at any time you need to cancel the action, you can right-click it and select Cancel for pending
endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and
no files have been retrieved from it yet. The cancellation does not affect endpoints that are
already in the process of retrieving files.
STEP 3 | When the status is Completed Successfully, right-click and select Additional data.
In the Actions table, you can see the endpoints from which support files were retrieved.
STEP 4 | Select an endpoint, right-click and select to either Download files or Generate support file
link.
Cortex XDR retains retrieved files for up to 30 days.
The secured link is valid for only 7 days. After the 7 day period, to access the files you must
initiate a new support file link.
STEP 4 | Select the target endpoints (up to 100) on which you want to scan for malware.
Scanning is available on Windows and Mac endpoints only. Cortex XDR automatically filters
out any endpoints for which scanning is not supported. Scanning is also not available for
inactive endpoints.
STEP 6 | Review the action summary and click Done when finished.
Cortex XDR initiates the action at the next heartbeat and sends the request to the agent to
initiate a malware scan.
Investigate Files
• Manage File Execution
• Manage Quarantined Files
• Review WildFire® Analysis Details
• Import File Hash Exceptions
Linux ELF
STEP 6 | You are automatically redirected to the Block List or Allow List that corresponds to the
action in the Action Center.
STEP 7 | To manage the file hashes on the Block List or the Allow List, right-click the file and select
one of the following:
• Disable—The file hash remains on the list but will not be applied on your Cortex XDR agents.
• Move to Block List or Move to Allow List—Removes this file hash from the current list and
adds it to the opposite one.
• Edit Incident ID—Select to either Link to existing incident or Remove incident link.
• Edit Comment—Enter a comment.
• Delete—Delete the file hash from the list altogether, meaning this file hash will no longer be
applied to your endpoints.
• Open in VirusTotal—Directs you to the VirusTotal analysis of this hash.
• (Cortex XDR Pro License only) Open Hash View—Pivot to the hash view of the hash.
• Open in Quick Launcher—Open the quick launcher search results for the hash.
This will restore all files with the same hash on all of your endpoints.
Cortex XDR displays the preview of WildFire reports that were generated within
the last couple of years only. To view a report that was generated more than two
years ago, you can Download the WildFire report.
2. Analyze the WildFire report.
On the left side of the report you can see all the environments in which the WildFire
service tested the sample. If a file is low risk and WildFire can easily determine that it
is safe, only static analysis is performed on the file. Select the testing environment on
the left, for example Windows 7 x64 SP1, to review the summary and additional details
for that testing environment. To learn more about the behavior summary, see WildFire
Analysis Reports—Close Up.
3. (Optional) Download the WildFire report.
If you want to download the WildFire report as it was generated by the WildFire service,
click ( ). The report is downloaded in PDF format.
The Cortex XDR Forensics page displays the following entities where you can perform a deep dive
into a single endpoint or search for artifacts across all your endpoints. For advanced detective
work, you can use the XQL Search feature to query across all data, including endpoint, network,
cloud, and identity data, using the applicable dataset. Datasets and Presets contains a list of all
datasets included with the Forensics add-on.
Entity Description
devices. This is also called the Windows
Timeline.
• Scheduled Tasks—Tasks used to execute Windows programs or scripts at specified intervals.
• Services—Windows applications that run in the background and do not require user
interaction.
• Shim Databases—Databases used by the Application Compatibility Infrastructure to apply
shims to executables for backwards compatibility. These databases can be used to inject
malicious code into legitimate processes and maintain persistence on an endpoint.
• Startup Folder—Contents of the shortcut .lnk files found in the StartUp folder for both the
system and users. The folders are used to automatically launch applications during system
startup or user logon processes.
• WMI—List of WMI EventConsumers and any EventFilters that are bound to them using a
FilterToConsumerBinding. WMI EventConsumers can be used as a method of fileless malware
persistence.
• Hosts File—Full listing of entries from the etc/hosts file.
• Network Connectivity Usage—A table in the System Resource Usage database that stores
statistics pertaining to network connections, containing the start time and duration of the
connections for each network interface.
• Network Data Usage—A table in the System Resource Usage database that stores statistics
pertaining to network data usage for running applications. Includes application path, network
interface, bytes sent, and bytes received.
• Volatile—Volatile forensic artifacts including: ARP Cache, DNS Cache, Handles, Net Sessions,
Port Listing, and Process Listing.
• Configuration—Custom Forensics Triage configurations created and saved for use in online or
offline triage collections.
• Persistence
• Suspicious Indicators
• Antivirus Events
• Powershell Events
• Network Events
• Sysmon Events
• Authentication Events
STEP 1 | In the Search Collections page, select Add Collection to Create New Search Collection.
1. Enter the Collection Name and optional Description.
2. In the Search table, select the searches you want to include in the search collection.
Filter the table according to the table fields to narrow your rules.
3. After you have selected the rules you want to include in your collection, Create Search
Collection.
Review the search collections you created.
the most recent executions, and a record of all of the files opened for a set duration
after the application was started.
• Recentfilecache—A cache created by the Application Compatibility Infrastructure to
store the details of executed or installed programs (Windows 7 only).
• Shimcache—A registry key used by the Application Compatibility Infrastructure to
cache details about local executables.
• UserAssist—A registry value that records a count for each application that a user
launches via the Windows UI.
• Windows Activities—A database containing user activity for a particular Microsoft
user account, potentially across multiple devices. This is also called the Windows
Timeline.
STEP 2 | To triage an endpoint, locate the process execution, right-click and select Triage endpoint.
Review Persistence
The Persistence table displays a normalized table containing an overview of all of the application
persistence artifacts collected from the endpoints. Investigate the following detailed fields:
You must have the Host Insights add-on activated in order to view the data.
Review Network
The Network table displays an overview of the different types of network artifacts collected on
the endpoints. Investigate the following detailed fields:
Review Triage
The triage functionality in the Forensics add-on collects detailed system information, including a
full file listing for all of the connected drives, full event logs, and registry hives, to provide you with
a complete, holistic picture of an endpoint.
The Triage table displays an overview of the different types of triage collections that were
executed on an endpoint.
Drill down to further investigate the following types of collections:
• All—List of all files collected via Forensic Triage and their current status.
• File—Full file listings for $MFT files collected during Forensic Triage.
• Registry—Full registry listings for registry hives collected during Forensic Triage.
• Event Logs—Full listing of the events found in the Windows event log (*.evtx) files.
• Browser History—Browser history from Chrome, Edge, Firefox, and Internet Explorer.
• Volatile—Volatile forensic artifacts including: ARP Cache, DNS Cache, Handles, Net Sessions,
Port Listing, and Process Listing.
• Configuration—Custom Forensics Triage configurations created and saved for use in online or
offline triage collections.
Response Actions
After or during the investigation of malicious activity in your network, Cortex XDR offers various
response actions that enable you to investigate the endpoint and take immediate action to
remediate it. For example, when you detect a compromised endpoint, you can isolate it from your
network to prevent it from communicating with any other internal or external device, thereby
reducing an attacker’s mobility on your network. The available response actions in Cortex XDR
are:
• Initiate a Live Terminal Session
• Isolate an Endpoint
• Pause Endpoint Protection
• Run Scripts on an Endpoint
• Remediate Changes from Malicious Activity
• Search and Destroy Malicious Files
• Manage External Dynamic Lists
For response actions that rely on a Cortex XDR agent, the following table describes the supported
platforms and minimal agent version. A dash (—) indicates the setting is not supported.
Response Action: Isolate an Endpoint
Halts all network access on the endpoint except for traffic to Cortex XDR to prevent a
compromised endpoint from communicating
Windows: X (Cortex XDR agent 6.0 and later)
macOS: X (Cortex XDR agent 7.3 and later on macOS 10.15.4 and later)
Linux: —
Response Action: Run Scripts on an Endpoint
Allows executing Python 3.7 scripts on your endpoints directly from Cortex XDR, including
pre-canned scripts provided by Cortex XDR or your own Python scripts and code snippets.
Windows: X (Cortex XDR agent 7.1 and later)
macOS: X (Cortex XDR agent 7.1 and later)
Linux: X (Cortex XDR agent 7.1 and later)
Response Action: Remediate Changes from Malicious Activity
Investigates suspicious causality process chains and incidents on your endpoints, and displays a
list of suggested actions to remediate processes, files and registry keys on your endpoint that
were changed as a result of malicious activity.
Windows: X (Cortex XDR agent 7.2 and later)
macOS: —
Linux: —
using a remote procedure call. Live Terminal enables you to manage remote endpoints.
Investigative and response actions that you can perform include the ability to navigate and
manage files in the file system, manage active processes, and run the operating system or Python
commands.
Live Terminal is supported for endpoints that meet the following requirements:
If the endpoint supports the necessary requirements, you can initiate a Live Terminal session from
the Endpoints page.
You can run PowerShell 5.0 or a later release in a Live Terminal session on Windows endpoints.
You can also initiate a Live Terminal as a response action from a security event. If the endpoint is
inactive or does not meet the requirements, the option is disabled.
After you terminate the Live Terminal session, you also have the option to save a log of the
session activity. All logged actions from the Live Terminal session are available for download as a
text file report when you close the live terminal session.
You can fine tune the Live Terminal session visibility on the endpoint by adjusting the User
Interface options in your Agent Settings Profile.
STEP 1 | Start the session.
From a security event or endpoint details, select Incident Response > Response > Live
Terminal. It can take the Cortex XDR agent a few minutes to facilitate the connection.
STEP 2 | Use the Live Terminal to investigate and take action on the endpoint.
• Manage Processes
• Manage Files
• Run Operating System Commands
• Run Python Commands and Scripts
STEP 3 | When you are done, Disconnect the Live Terminal session.
You can optionally save a session report containing all activity you performed during the
session.
The following example displays a sample session report:
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
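A saved session report is the record an auditor checks against the change ticket for the investigation. The parser below is an added example, not part of the guide or of Cortex XDR; it reads the line format of the sample report above (the embedded sample is constructed in that format) and summarizes how long the session ran, which processes were killed, and which actions did not succeed.

```python
import re
from datetime import datetime

# Constructed sample in the format of the saved session report shown above.
SAMPLE_REPORT = """\
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
"""

# One line: "<Mon> <day><st|nd|rd|th> <year> <HH:MM:SS> <message> [<result>]".
ENTRY_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) (?P<day>\d{1,2})(?:st|nd|rd|th) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<message>.+?) \[(?P<result>[^\]]+)\]$"
)
# Message text of a process kill, as written in the sample report.
KILL_RE = re.compile(r"^Kill process (?P<name>.+) \((?P<pid>\d+)\)$")
SESSION_START = "Live Terminal session has started"
SESSION_END = "Live Terminal session has ended"


def is_report_line(line):
    """True if the line matches the session report layout."""
    return ENTRY_RE.match(line.strip()) is not None


def parse_entry(line):
    """Split one report line into a timestamp, the action text and its result."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised session report line: {line!r}")
    # The ordinal suffix on the day (27th) is dropped before strptime.
    stamp = f"{m['month']} {m['day']} {m['year']} {m['time']}"
    return {
        "timestamp": datetime.strptime(stamp, "%b %d %Y %H:%M:%S"),
        "message": m["message"],
        "result": m["result"],
    }


def parse_report(text):
    """Parse every non-blank line; a malformed line raises rather than being skipped."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def summarize(text):
    """Condense a report into the facts a reviewer would check first."""
    entries = parse_report(text)
    start = next((e["timestamp"] for e in entries if e["message"] == SESSION_START), None)
    end = next((e["timestamp"] for e in entries if e["message"] == SESSION_END), None)
    killed = []
    for e in entries:
        k = KILL_RE.match(e["message"])
        if k:
            killed.append((k["name"], int(k["pid"]), e["result"]))
    return {
        "entries": len(entries),
        "duration_seconds": int((end - start).total_seconds()) if start and end else None,
        "killed_processes": killed,
        "failed_actions": [e["message"] for e in entries if e["result"] != "success"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```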
Manage Processes
From the Live Terminal you can monitor processes running on the endpoint. The Task Manager
displays the task attributes, owner, and resources used. If you discover an anomalous process
while investigating the cause of a security event, you can take immediate action to terminate the
process or the whole process tree, and block processes from running.
STEP 1 | From the Live Terminal session, open the Task Manager to navigate the active processes on
the endpoint.
You can toggle between a sorted list of processes and the default process tree view ( ). You
can also export the list of processes and process details to a comma-separated values file.
If the process is known malware, the row displays a red indicator and identifies the file using a
malware attribute.
Manage Files
The File Explorer enables you to navigate the file system on the remote endpoint and take
remedial action to:
• Create, manage (move or delete), and download files, folders, and drives, including connected
external drives and devices such as USB drives and CD-ROM.
• View file attributes, creation and last modified dates, and the file owner.
• Investigate files for malicious content.
To navigate and manage files on a remote endpoint:
STEP 1 | From the Live Terminal session, open the File Explorer to navigate the file system on the
endpoint.
STEP 2 | Navigate the file directory on the endpoint and manage files.
To locate a specific file, you can:
• Search for any filename rows on the screen from the search bar.
• Double click a folder to explore its contents.
On Windows endpoints, you cannot run GUI-based cmd commands like winver or
appwiz.cpl.
STEP 3 | When you are done, Disconnect the Live Terminal session.
Choose whether to save the live terminal session report including files and tasks marked as
interesting. Administrator actions are not saved to the endpoint.
Disabling Live Terminal does not take effect on sessions that are in progress.
Isolate an Endpoint
When you isolate an endpoint, you halt all network access on the endpoint except for traffic to
Cortex XDR. This can prevent a compromised endpoint from communicating with other endpoints,
thereby reducing an attacker’s mobility on your network. After the Cortex XDR agent receives
the instruction to isolate the endpoint and carries out the action, the Cortex XDR console shows
an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not
available for isolated endpoints.
Network isolation is supported for endpoints that meet the following requirements:
STEP 3 | Enter a Comment to provide additional background or other information that explains why
you isolated the endpoint.
After you isolate an endpoint, Cortex XDR displays the Isolation Comment on the Action
Center > Isolation page. If needed, you can edit the comment from the right-click pivot menu.
STEP 5 | Select the target endpoint that you want to isolate from your network.
If needed, Filter the list of endpoints. To learn how to use the Cortex XDR filters, refer
to Filter Page Results.
STEP 7 | Review the action summary and click Done when finished.
In the next heartbeat, the agent will receive the isolation request from Cortex XDR.
STEP 8 | To track the status of an isolation action, select Incident Response > Response > Action
Center > Currently Applied Actions > Endpoint Isolation.
If after initiating an isolation action, you want to cancel it, right-click the action and select
Cancel for pending endpoint. You can cancel the isolation action only if the endpoint is still in
Pending status and has not been isolated yet.
STEP 9 | After you remediate the endpoint, cancel endpoint isolation to resume normal
communication.
You can cancel isolation from the Action Center (Isolation page) or from Endpoints > Endpoint
Management > Endpoint Administration. From either place, right-click the endpoint and select
Endpoint Control > Cancel Endpoint Isolation.
Pausing your endpoint protection modules leaves your machines exposed to risks.
STEP 2 | In the All Endpoints page, select the endpoints you want to pause protection on, right-click
and select Endpoint Control > Pause Endpoint Protection.
STEP 3 | Verify the endpoints, add an optional comment that appears in the Management Audit log,
and Pause the protection.
Endpoints that have been paused appear with a pause icon in the Endpoint Name field, and
depending on the action progress, one of the following statuses in the Manual Protection Pause
field:
• Protection Active
• Pending Pause
• Protection Paused
• Pending Activation
STEP 4 | When you are ready to resume protection, select the endpoints, right-click and select
Endpoint Control > Resume Endpoint Protection and Resume protection on the listed
endpoints.
The All Endpoints table fields are updated accordingly.
STEP 5 | (Optional) Track your pause and resume endpoint protection actions.
Navigate to Incident Response > Response > Action Center and locate Action Type Pause
Endpoint Protection or Resume Endpoint Protection.
Endpoints that are part of the incident view and do not meet the required criteria
are excluded from the remediation analysis.
• In the Causality View, either:
• Right-click any process node involved in the causality chain and select Remediation
Suggestion.
• Navigate to Actions > Remediation Suggestions.
Analysis can take a few minutes. If desired, you can minimize the analysis pop-up while
navigating to other Cortex XDR pages.
Field Description
ORIGINAL EVENT DESCRIPTION: Summary of the initial event that triggered the malicious
causality chain.
ORIGINAL EVENT TIMESTAMP: Timestamp of the initial event that triggered the malicious
causality chain.
• Delete File
• Restore File
• Rename File
• Delete Registry Value
• Restore Registry Value
• Terminate Process—Available when selecting
Remediation Suggestions for a node in the
Causality View.
• Terminate Causality—Terminate the entire causality
chain of processes that have been executed under
the process tree of the listed Causality Group
Owner (CGO) process name.
• Manual Remediation—Requires you to take manual
action to revert or restore.
STEP 3 | Select one or more Original Event Descriptions and right-click to Remediate.
and track the script execution on the endpoints, as well as store and display the execution results
per endpoint.
The following are prerequisites to executing scripts on your endpoints:
• Cortex XDR Pro Per Endpoint license
• Endpoints running the Cortex XDR agent 7.1 and later releases. Since the agent uses its built-in
capabilities and many available Python modules to execute the scripts, no additional setup is
required on the endpoint.
• Role in the hub with the following permissions to run and configure scripts:
• Run Standard scripts
• Run High-risk scripts
• Script configuration (required to upload a new script, run a snippet, and edit an existing
script)
• Scripts (required to view the Scripts Library and the script execution results)
Running snippets requires both Run High-risk scripts and Script configuration
permissions. Additionally, all scripts are executed as System User on the endpoint.
Use the following workflow to start running scripts on your endpoints:
• Manage All Scripts in the Scripts Library
• Upload Your Scripts
• Run a Script on Your Endpoints
• Track Script Execution and View Results
• Troubleshoot Script Execution
• Disable Script Execution
Field Description
Modification Date: Last date and time at which the script or its
attributes were edited in Cortex XDR.
From the Scripts Library, you can perform the following additional actions:
• Download script—To see exactly what the script does, right-click and Download the Python
code file locally.
• View / Download definitions file—To view or download the script meta-data, right-click the
script and select the relevant option.
• Run—To run the selected script, right-click and select Run. Cortex XDR redirects you to the
Action Center with the details of this script already populating the new action fields.
• Edit—To edit the script code or meta-data, right-click and Edit. This option is not available for
pre-canned scripts provided by Palo Alto Networks.
By default, Palo Alto Networks provides you with a variety of pre-canned scripts that you can use
out of the box. You can view the script, download the script code and meta-data, and duplicate
the script; however, you cannot edit the code or definitions of pre-canned scripts.
The following table lists the pre-canned scripts provided by Palo Alto Networks, in alphabetical
order. New pre-canned scripts are continuously uploaded into Cortex XDR through content
updates, and are labeled New for a period of three days.
*Since all scripts run under the System context, you cannot perform any Registry
operations on user-specific hives (HKEY_CURRENT_USER of a specific user).
• Input—Set the starting execution point of your script code. To execute the script line by
line, select Just run. Alternatively, to set a specific function in the code as the entry point,
select Run by entry point. Select the function from the list, and specify for each function
parameter its type.
• Output—If your script returns an output, Cortex XDR displays that information in the script
results table.
• Single parameter—If the script returns a single parameter, select the Output type from
the list and the output will be displayed as is. To detect the type automatically, select
Auto Detect.
• Dictionary—If the script returns more than a single value, select Dictionary from the
Output type list. By default, Cortex XDR displays the dictionary value as is in the script
results table. To improve the script results table display and be able to filter according to
the returned value, you can assign a user-friendly name and type to some or all of your
dictionary keys, and Cortex XDR will use that in the results table instead.
To retrieve files from the endpoint, add the files_to_get key to the dictionary, containing
an array of paths of the files to be retrieved from the endpoint.
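The following is an added example of what such a dictionary-returning script can look like; it is not one of the guide's pre-canned scripts and not Palo Alto Networks code. It assumes the script is uploaded with Run by entry point, that check_file_evidence (a hypothetical name) is selected as the entry point with both of its parameters declared as string, and that the Output type is Dictionary. files_to_get is the key named by the guide; the other keys are the example's own, and each would be given a friendly name and type in the definitions so that it becomes a filterable column in the results table.

```python
"""Added example of a Cortex XDR response script (not from the guide or Palo Alto Networks).

Assumptions: the entry point is check_file_evidence (hypothetical name), chosen with
"Run by entry point"; both parameters are declared as type string; the Output type is
Dictionary. The agent runs the script as System, so any path readable by System is in
scope, while per-user registry hives (HKEY_CURRENT_USER) are not available.
"""
import hashlib
import json
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file_evidence(path: str, expected_sha256: str) -> dict:
    """Entry point: report whether `path` exists and whether it matches a known SHA256.

    Returns a dictionary so Cortex XDR can show each key as its own results column.
    The reserved key files_to_get (named in the guide) lists the paths the agent should
    upload back to the console; it is filled only when the file actually matches the
    indicator, so a clean endpoint uploads nothing.
    """
    result = {
        "path": path,
        "exists": False,
        "size_bytes": 0,
        "sha256": "",
        "matches_indicator": False,
        "files_to_get": [],
    }
    if not os.path.isfile(path):
        return result
    result["exists"] = True
    result["size_bytes"] = os.path.getsize(path)
    result["sha256"] = sha256_of_file(path)
    result["matches_indicator"] = result["sha256"] == expected_sha256.strip().lower()
    if result["matches_indicator"]:
        result["files_to_get"] = [path]
    return result


def demo_with_constructed_file() -> dict:
    """Exercise the entry point locally against a constructed sample file.

    Returns the results for a matching hash, a non-matching hash, and a missing path,
    plus the sample's size so callers can check the size_bytes column.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        content = b"constructed sample content"  # constructed, not real evidence
        with open(sample, "wb") as fh:
            fh.write(content)
        known = hashlib.sha256(content).hexdigest()
        return {
            "match": check_file_evidence(sample, known.upper()),
            "mismatch": check_file_evidence(sample, "0" * 64),
            "missing": check_file_evidence(os.path.join(tmp, "absent.bin"), known),
            "size": len(content),
        }


if __name__ == "__main__":
    print(json.dumps(demo_with_constructed_file(), indent=2))
```

Because the hash comparison is case-insensitive and the upload list is only populated on a match, the same script is safe to run across a large scope: endpoints without the file return a compact row and transfer nothing.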
For the purpose of this example, we are showing each parameter on a new line. However,
when you create your file, you must remove any \n or \t characters.
{
  "name":"script name",
  "description":"script description",
  "outcome":"High Risk|Standard",
  "platform":"Windows,macOS,Linux",
  "timeout":600,
  "entry_point":"entry_point_name",
  "entry_point_definition":{
    "input_params":[
      {"name":"registry_hkey","type":"string"},
      {"name":"registry_key_path","type":"number"},
      {"name":"registry_value","type":"number"}],
    "output_params":{"type":"JSON","value":[
      {"name":"output_auto_detect","friendly_name":"name1","type":"auto_detect"},
      {"name":"output_boolean","friendly_name":"name2","type":"boolean"},
      {"name":"output_number","friendly_name":"name3","type":"number"},
      {"name":"output_string","friendly_name":"name4","type":"string"},
      {"name":"output_ip","friendly_name":"name5","type":"ip"}]
    }
  }
}
{
  "name":"script name",
  "description":"script description",
  "outcome":"High Risk|Standard",
  "platform":"Windows,macOS,Linux",
  "timeout":600,
  "entry_point":"",
  "entry_point_definition":{}
}
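Hand-edited definitions files are easy to get wrong (an unterminated string, a stray newline, a typo in a type name), so the following added example checks a definitions file before upload and produces the single-line form the guide asks for. It is not the guide's or Palo Alto Networks code, and it covers both shapes shown above: the "Run by entry point" definition with input and output parameters, and the "Just run" definition with an empty entry point. The required keys, the outcome values, the platform names, and the parameter types are taken from the two examples; treating them as the complete set of allowed values, and reading "High Risk|Standard" as "one of these two", are assumptions of the example.

```python
"""Added example (not the guide's or Palo Alto Networks code): validate a Cortex XDR
script definitions file and serialize it to one line without \\n or \\t characters.

Required keys, outcome values, platform names and parameter types come from the two
JSON examples in the guide; treating them as the complete allowed sets is an assumption.
"""
import json

REQUIRED_KEYS = {"name", "description", "outcome", "platform", "timeout",
                 "entry_point", "entry_point_definition"}
OUTCOMES = {"High Risk", "Standard"}
PLATFORMS = {"Windows", "macOS", "Linux"}
INPUT_TYPES = {"string", "number"}                                   # assumption: types shown in the guide
OUTPUT_TYPES = {"auto_detect", "boolean", "number", "string", "ip"}  # from the guide's example

# Constructed from the guide's examples, with a concrete outcome chosen.
JUST_RUN_EXAMPLE = {
    "name": "script name", "description": "script description", "outcome": "Standard",
    "platform": "Windows,macOS,Linux", "timeout": 600,
    "entry_point": "", "entry_point_definition": {},
}
ENTRY_POINT_EXAMPLE = dict(JUST_RUN_EXAMPLE, entry_point="entry_point_name", entry_point_definition={
    "input_params": [
        {"name": "registry_hkey", "type": "string"},
        {"name": "registry_key_path", "type": "number"},
        {"name": "registry_value", "type": "number"},
    ],
    "output_params": {"type": "JSON", "value": [
        {"name": "output_auto_detect", "friendly_name": "name1", "type": "auto_detect"},
        {"name": "output_boolean", "friendly_name": "name2", "type": "boolean"},
        {"name": "output_number", "friendly_name": "name3", "type": "number"},
        {"name": "output_string", "friendly_name": "name4", "type": "string"},
        {"name": "output_ip", "friendly_name": "name5", "type": "ip"},
    ]},
})


def validate_definition(defn: dict) -> list:
    """Return a list of problems; an empty list means the definition looks well-formed."""
    problems = []
    missing = REQUIRED_KEYS - set(defn)
    if missing:
        return ["missing keys: " + ", ".join(sorted(missing))]
    if defn["outcome"] not in OUTCOMES:
        problems.append(f"outcome must be one of {sorted(OUTCOMES)}")
    unknown = set(defn["platform"].split(",")) - PLATFORMS
    if unknown:
        problems.append("unknown platform(s): " + ", ".join(sorted(unknown)))
    timeout = defn["timeout"]
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        problems.append("timeout must be a positive integer number of seconds")
    entry, edef = defn["entry_point"], defn["entry_point_definition"]
    if entry == "":
        # "Just run": the script executes top to bottom and declares no parameters.
        if edef != {}:
            problems.append("entry_point_definition must be {} when entry_point is empty")
        return problems
    # "Run by entry point": every declared parameter needs a known type.
    for param in edef.get("input_params", []):
        if param.get("type") not in INPUT_TYPES:
            problems.append(f"input param {param.get('name')!r}: unknown type {param.get('type')!r}")
    out = edef.get("output_params", {})
    if out.get("type") == "JSON":  # dictionary output; single-parameter output is not shown in the guide
        for param in out.get("value", []):
            if param.get("type") not in OUTPUT_TYPES:
                problems.append(f"output param {param.get('name')!r}: unknown type {param.get('type')!r}")
            if not param.get("friendly_name"):
                problems.append(f"output param {param.get('name')!r}: friendly_name is empty")
    return problems


def to_single_line(defn: dict) -> str:
    """Serialize with no newlines or tabs, the form the guide requires for the uploaded file."""
    return json.dumps(defn, separators=(",", ":"))


def load_definition_text(text: str) -> tuple:
    """Parse raw file text; return (definition or None, problems).

    Catches the syntax errors a hand-edited file commonly has, such as an
    unterminated string, and reports where the parser gave up."""
    try:
        defn = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}"]
    if not isinstance(defn, dict):
        return None, ["top-level value must be a JSON object"]
    return defn, validate_definition(defn)
```

Running the validator on both constructed definitions returns no problems, and to_single_line gives the form to save to disk; the "Just run" branch also catches the case where an entry point was cleared but its parameter definitions were left behind.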
In Interactive Mode, Cortex XDR displays general information that includes the scope of target
endpoints and a list of all the scripts that are being executed in this session. For each script on the
executed scripts list, you can view the following:
• The script name, date and time the script execution action was initiated, and a list of input
parameters.
• A progress bar that indicates in real time the number of endpoints for which the script
execution is In Progress, Failed, or Completed. When you hover over the progress bar, you
can drill down for more information about the different sub-statuses included in each group.
Similarly, you can also view this information on the scripts list to the left in the form of a pie
chart that is dynamically updated per script as it is being executed.
Cortex XDR does not include disconnected endpoints in the visualization of the script
execution progress bar or pie chart. If a disconnected endpoint later gets connected,
Cortex XDR will execute the script on that endpoint and the graphic indicators will
change accordingly to reflect the additional run and its status.
• Dynamic script results that are continuously updated throughout the script execution progress.
Cortex XDR lists the results, and graphically aggregates results only if they have a small variety
of values. When both views are available, you can switch between them.
While in Interactive Mode, you can continuously execute more scripts and add code snippets that
will be immediately executed on the target endpoints scope. Cortex XDR logs all the scripts and
code snippets you execute in Interactive Mode, and you can later view them in the Action Center.
To add another script, select the script from the Cortex XDR scripts library, or start typing a
Code Snippet. Set the script timeout and input parameters as necessary, and Run when you
are done. The script is added to the executed scripts list and its runtime data is immediately
displayed on screen.
Status Description
Pending: The Cortex XDR agent has not yet pulled the
script execution request from the Cortex XDR
server.
You can filter the results to adjust the endpoints considered in the aggregation. You can also
generate a PDF report of the aggregated results view.
• Main results view—A detailed table listing all target endpoints and their details.
In addition to the endpoint details (name, IP, domain, etc.), the following table describes both
the default and additional optional fields that you can view per endpoint. The fields are in
alphabetical order.
Field Description
*Returned values: If your script returned values, the values are also
listed in the additional data table according to
your script output definitions.
Execution timestamp: The date and time the Cortex XDR agent started
the script execution on the endpoint. If the
execution has not started yet, this field is empty.
Failed files: The number of files the Cortex XDR agent failed
to retrieve from the endpoint.
Retention date: The date after which the retrieved file will no
longer be available for download in Cortex XDR.
The value is 90 days from the execution date.
For each endpoint, you can right-click and download the script stdout, download retrieved
files if there are any, and view returned exceptions if there are any. You can also Export to file
to download the detailed results table in TSV format.
Open Script Interactive Mode
In Interactive Mode, Cortex XDR enables you to dynamically track the script execution progress
on all target endpoints and view the results as they are being received in real time. Additionally,
you can start executing more scripts on the same scope of target endpoints.
To initiate Interactive Mode for an already running script:
From the Action Center, right-click the execution action of the relevant script and select Open
in interactive mode.
Rerun a Script
STEP 1 | From the Action Center, right-click the script you want to rerun and select Rerun.
You are redirected to the final summary stage of the script execution action.
Disabling Script Execution does not take effect on scripts that are in progress.
The Cortex XDR agent does not include the following information in the local files
inventory:
• Information about files that existed on the endpoint and were deleted before the Cortex
XDR agent was installed.
• Information about files where the file size exceeds the maximum file size for hash
calculations that is preconfigured in Cortex XDR.
• If the Agent Settings Profile on the endpoint is configured to monitor common file
types only, then the local files inventory includes information about these file types
only. You cannot search or destroy file types that are not included in the list of common
file types.
The following are prerequisites to enable Cortex XDR to search and destroy files on your
endpoints:
Requirement Description
Setup and Permissions: • Ensure File Search and Destroy is enabled for
your Cortex XDR agent.
Search a File
You can search for files on the endpoint by file hash or file path. The search returns all instances of
this file on the endpoint. You can then immediately proceed to destroy all the file instances on the
endpoint, or upload the file to Cortex XDR for further investigation.
You can search for a file using the Query Builder or XQL Search, or use the Action Center wizard as
described in the following workflow.
STEP 1 | From the Action Center select +New Action > File Search.
If not all endpoints in the query scope are connected or the search has not completed, the
search action remains in Pending status in the Action Center.
Destroy a File
When you know a file is malicious, you can destroy all its instances on your endpoints directly
from Cortex XDR. You can destroy a file immediately from the File search action result, or initiate
a new action from the Action Center. When you destroy a file, the Cortex XDR agent deletes all
the file instances on the endpoint.
• To destroy a file from the file search results, refer to Step 6 above.
• To destroy a file from the Action Center wizard:
STEP 1 | From the Action Center select +New Action > Destroy File.
STEP 2 | To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file
path and file name. Click Next.
STEP 2 | Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in
the coming steps to point the firewall to these lists.
STEP 5 | Set the Cortex XDR EDL as the source for a firewall EDL.
For more detailed information about how Palo Alto Networks firewall EDLs work, how you can
use EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.
1. On the firewall, select Objects > External Dynamic Lists and Add a new list.
2. Define the list Type as either IP List or Domain List.
3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded
in the last step as the list Source.
4. Select the Certificate Profile that you created in the last step.
5. Select Client Authentication and enter the username and password that the firewall
must use to access the Cortex XDR EDL.
6. Use the Repeat field to define how frequently the firewall retrieves the latest list from
Cortex XDR.
7. Click OK to add the new EDL.
STEP 6 | Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL
as match criteria to a security policy rule.
Review the different ways you can Enforce Policy on an External Dynamic List; this topic
describes the complete workflow to add an EDL as match criteria to a security policy rule.
1. Select Policies > Security and Add or edit a security policy rule.
2. In the Destination tab, select Destination Zone and select the external dynamic list as
the Destination Address.
3. Click OK to save the security policy rule and Commit your changes.
You do not need to perform an additional commit or make any subsequent configuration
changes for the firewall to enforce the EDL as part of your security policy; even as you
update the Cortex XDR EDL, the firewall will enforce the list most recently retrieved
from Cortex XDR.
You can also use the Cortex XDR domain list as part of a URL Filtering profile
or as an object in a custom Anti-Spyware profile; when attached to a security
policy rule, a URL Filtering profile allows you to granularly control user access to
the domains on the list.
Make sure EDL sizes don't exceed your firewall model limit.
To add an IP address or Domain from the Action Center, Initiate an Endpoint Action to Add to
EDL. You can choose to enter the IP address or Domain you want to add Manually or choose
to Upload File.
During investigation, you can also Add to EDL from the Actions menu that is available from
investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher.
STEP 8 | At any time, you can view and make changes to the IP addresses and domain names lists.
1. Navigate to Incident Response > Response > Action Center > Currently Applied Actions
> External Dynamic List.
2. Review your IP addresses and domain names lists.
3. If desired, select New Action to add additional IP addresses and domain names.
4. If desired, select one or more IP addresses or domain names, right-click and Delete any
entries that you no longer want included on the lists.
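The firewall silently skips entries it cannot parse, and an oversized list stops being enforced in full, so it pays to audit the IP List or Domain List body before the firewall retrieves it. The following is an added example of such an audit, not from the guide or Palo Alto Networks: it parses each line as an IP address or CIDR (for the IP List type) or as a fully qualified domain name (for the Domain List type), flags duplicates, and compares the count of valid entries with a caller-supplied limit. The sample lists are constructed; the limit is a placeholder argument because the guide only says not to exceed the firewall model's limit; accepting a leading "*." wildcard in domain entries is an assumption of the example.

```python
"""Added example (not from the guide or Palo Alto Networks): audit an EDL body of type
IP List or Domain List before pointing a firewall at it.

The entry limit is a placeholder argument (the guide only says not to exceed the
firewall model's limit). Treating a leading "*." as a wildcard is an assumption."""
import ipaddress
import re

# RFC 1123 hostname label: 1-63 letters/digits/hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample lists (documentation address ranges, not real indicators).
SAMPLE_IP_LIST = """198.51.100.7
203.0.113.0/24
2001:db8::1
300.1.1.1
198.51.100.7
"""
SAMPLE_DOMAIN_LIST = """malicious.example.com
*.bad.example.net
localhost
bad_host.example.com
"""


def check_ip_entry(entry: str):
    """Return None for a valid IPv4/IPv6 address or CIDR prefix, else a reason string."""
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not an IP address or CIDR"
    return None


def check_domain_entry(entry: str):
    """Return None for a syntactically valid FQDN (optionally '*.'-prefixed), else a reason."""
    host = entry[2:] if entry.startswith("*.") else entry  # wildcard prefix: assumption
    if not host or len(host) > 253:
        return "empty or longer than 253 characters"
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return "not a fully qualified domain name"
    if any(not _LABEL.match(label) for label in labels):
        return "invalid hostname label"
    return None


def audit_edl(text: str, list_type: str, max_entries: int) -> dict:
    """Audit one EDL body; list_type is "ip" or "domain", the two types in the guide.

    Returns the number of valid unique entries, a list of (line, entry, reason)
    problems, and whether the valid count exceeds max_entries. Case is ignored
    when detecting duplicate entries."""
    check = check_ip_entry if list_type == "ip" else check_domain_entry
    seen, problems, valid = set(), [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        reason = check(entry)
        if reason:
            problems.append((lineno, entry, reason))
            continue
        key = entry.lower()
        if key in seen:
            problems.append((lineno, entry, "duplicate entry"))
            continue
        seen.add(key)
        valid += 1
    return {"valid": valid, "problems": problems, "over_limit": valid > max_entries}


if __name__ == "__main__":
    for name, body, kind in (("ip", SAMPLE_IP_LIST, "ip"), ("domain", SAMPLE_DOMAIN_LIST, "domain")):
        report = audit_edl(body, kind, max_entries=1000)
        print(name, report["valid"], "valid;", "over limit" if report["over_limit"] else "within limit")
        for lineno, entry, reason in report["problems"]:
            print(f"  line {lineno}: {entry!r}: {reason}")
```

Run against the constructed lists, the IP audit reports three valid entries, one unparseable address and one duplicate, and the domain audit reports two valid entries, one bare hostname and one label with an underscore; the over_limit flag is what you would alarm on with your model's real ceiling.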
Broker VM
Broker VM Overview
The Palo Alto Networks Broker is a secured virtual machine (VM), integrated with Cortex XDR,
that bridges your network and Cortex XDR. By setting up the broker, you establish a secure
connection in which you can route your endpoints, and collect and forward logs and files for
analysis.
The Broker can be leveraged for running different services separately on the VM using the same
Palo Alto Networks authentication. Once installed, the broker automatically receives updates and
enhancements from Cortex XDR, providing you with new capabilities without having to install a
new VM.
Per your Cortex XDR license, the following figure illustrates the different Broker VM features that
could be available on your organization side.
Set up Broker VM
The Palo Alto Networks Broker VM is a secured virtual machine (VM), integrated with Cortex
XDR, that bridges your network and the Cortex XDR app. By setting up the broker VM, you
establish a secure connection in which you can route your endpoints, collect logs, and forward
logs and files for analysis.
Cortex XDR can leverage the broker VM to run different services separately using the same Palo
Alto Networks authentication. After you complete the initial setup, the broker VM automatically
receives updates and enhancements from Cortex XDR, providing you with new capabilities
without having to install a new VM or manually update the existing VM.
• Configure the Broker VM
• Activate the Local Agent Settings
• Activate the Syslog Collector
• Activate the Apache Kafka Collector
• Activate the CSV Collector
• Activate the Database Collector
• Activate the Files and Folders Collector
• Activate the FTP Collector
• Activate the NetFlow Collector
• Activate the Network Mapper
• Activate Pathfinder
• Activate the Windows Event Collector
The broker VM comes with a 512GB disk. Therefore, deploy the broker VM with
thin provisioning, meaning the hard disk can grow up to 512GB but will do so only if
needed.
Bandwidth is higher than 10 Mbit/s.
VM compatible with:
Enable communication between the Broker Service and other Palo Alto Networks services and
apps.
Enable Access to Cortex XDR from the broker VM to allow communication between agents and
the Cortex XDR app.
If you use SSL decryption in your firewalls, you need to add a trusted self-signed
certificate authority on the broker VM to prevent any difficulties with SSL decryption.
If adding a CA certificate to the broker is not possible, ensure that you've added the
Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls.
Configure your broker VM as follows:
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs.
STEP 2 | Download and install the broker VM images for your corresponding infrastructure:
• Amazon Web Services (AWS)—Use the VMDK to Create a Broker VM Amazon Machine
Image (AMI).
• Google Cloud Platform—Use the VMDK image to Set up the Broker VM on Google Cloud
Platform (GCP).
• Microsoft Hyper-V 2012—Use the VHD image.
• Microsoft Azure—Use the VHD (Azure) image to Create a Broker VM Azure Image.
• Alibaba Cloud—Use the QCOW2 image to Create a Broker VM Image for Alibaba Cloud.
• Nutanix Hypervisor—Use the QCOW2 image to Create a Broker VM Image for a Nutanix
Hypervisor.
• Ubuntu—Use the QCOW2 image to Create a Broker VM Image for Ubuntu.
• VMware ESXi—Use the OVA image.
The token is valid only for 24 hours. A new token is generated each time you select
Generate Token.
When DHCP is not enabled in your network and you don't have an IP address for
your broker VM, you need to configure the broker VM with a static IP using the serial
console menu of the broker VM.
STEP 5 | Log in with the default password !nitialPassw0rd and then define your own unique
password.
The password must contain a minimum of eight characters, contain letters and
numbers, and at least one capital letter and one special character.
• If you choose Static, define the following and Save your configurations:
• Static IP address
• Netmask
• Default Gateway
• DNS Server
2. (Requires Broker VM 14.0.42 and later) (Optional) Internal Network
Specify a network subnet to avoid the broker VM dockers colliding with your internal
network. By default, the Network Subnet is set to 172.17.0.1/16.
You can configure another broker VM as a Proxy Server for this broker
VM by selecting the HTTP type. When selecting HTTP to route broker VM
communication, you need to add the IP Address and Port number (set when
activating the Agent Proxy) for the other broker VM registered in your tenant
that you want to designate as a proxy for this broker VM.
• Specify the proxy Address (IP or FQDN), Port, and an optional User and Password.
Select the pencil icon to specify the password.
• Save your configurations.
4. (Optional) (Requires Broker VM 8.0 and later) Configure your NTP servers.
Specify the required server addresses using the FQDN or IP address of the server.
5. (Requires Broker VM 8.0 and later) (Optional) In the SSH Access section, Enable or
Disable SSH connections to the broker VM. SSH access is authenticated using a public
key, provided by the user. Using a public key grants remote access to colleagues and
Cortex XDR support who hold the private key. You must have Instance Administrator role
permissions to configure SSH access.
To enable the connection, generate an RSA key pair and enter the public key in the SSH Public
Key section. Once one SSH public key is added, you can +Add Another. When you are
finished, Save your configuration.
When using PuTTYgen to create your public and private key pairs, you need to copy
the public key generated in the Public key for pasting into OpenSSH authorized_keys
file box, and paste it in the broker VM SSH Public Key section as explained above. This
public key is only available while the PuTTYgen console is open after the public key is
generated. If you close the PuTTYgen console before pasting the public key, you will need
to generate a new public key.
6. (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Server Certificate section,
upload your signed server certificate and key to establish a validated secure SSL
connection between your endpoints and the broker VM. When you configure the server
certificate and the key files in the Broker VM UI, Cortex XDR automatically updates them
in the tenant UI. Cortex XDR validates that the certificate and key match, but does not
validate the Certificate Authority (CA).
The Palo Alto Networks Broker supports only strong-cipher SHA256-based
certificates. MD5/SHA1-based certificates are not supported.
7. In the Trusted CA Certificate section, upload your signed Certificate Authority (CA)
certificate or Certificate Authority chain file in PEM format. If you use SSL decryption
in your firewalls, you need to add a trusted self-signed CA certificate on the broker VM
to prevent any difficulties with SSL decryption. For example, when configuring Palo Alto
Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the
broker VM can validate a self-signed CA by uploading the cert_ssl-decrypt.crt file
on the broker VM.
If adding a CA certificate to the broker is not possible, ensure that you've added
the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls.
See Enable Access to Cortex XDR.
8. (Requires Broker VM 8.0 and later) (Optional) Collect and Generate New Logs. Your
Cortex XDR logs will download automatically after approximately 30 seconds.
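Two of the settings above are easy to get wrong without any error being shown: the Internal Network subnet (step 2), which must not overlap your own address space, and the SSH public key (step 5), which must be the one-line OpenSSH form rather than the multi-line file PuTTYgen saves to disk. The following is an added example of pre-checks for both, not from the guide or the broker VM software. docker_subnet_collisions reports which internal prefixes overlap a proposed Docker subnet (the 172.17.0.1/16 default comes from the guide); parse_openssh_public_key accepts an authorized_keys-style line, decodes the key blob, and confirms the embedded key type matches the prefix, which catches both the wrong export format and a key truncated in copy and paste. The internal prefixes and the RSA key material are constructed for the example; the key uses a small dummy modulus and is not usable as a real key.

```python
"""Added example (not from the guide or the broker VM software): pre-checks for the
Internal Network subnet (step 2) and the SSH public key format (step 5).

The prefixes and the RSA key below are constructed; the key's tiny modulus makes it
syntactically valid but useless as a real credential."""
import base64
import ipaddress
import struct

DEFAULT_DOCKER_SUBNET = "172.17.0.1/16"  # default named in the guide


def docker_subnet_collisions(proposed: str, internal_prefixes: list) -> list:
    """Return the internal prefixes that overlap the proposed broker Docker subnet."""
    docker_net = ipaddress.ip_network(proposed, strict=False)  # the default has host bits set
    collisions = []
    for prefix in internal_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == docker_net.version and net.overlaps(docker_net):
            collisions.append(prefix)
    return collisions


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint for a positive integer (extra byte guarantees a clear sign bit)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def constructed_rsa_public_key_line(comment: str = "broker-admin") -> str:
    """Build a well-formed ssh-rsa authorized_keys line from constructed key material."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE_DEAD_BEEF_1234_5678_9ABC_DEF0_1)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_openssh_public_key(line: str) -> dict:
    """Validate an authorized_keys-style line: '<type> <base64 blob> [comment]'.

    Returns {"ok": True, "type": ..., "comment": ...} when the blob decodes and its
    embedded key-type string matches the prefix, otherwise {"ok": False, "reason": ...}.
    The RFC 4716 block PuTTYgen writes to .pub files and a .ppk private key are
    recognised explicitly so the reason points the operator at the right box."""
    text = line.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return {"ok": False, "reason": "RFC 4716 / PuTTY .pub format; copy the OpenSSH line instead"}
    if text.startswith("PuTTY-User-Key-File"):
        return {"ok": False, "reason": "this is a PuTTY private key (.ppk), not a public key"}
    parts = text.split(None, 2)
    if len(parts) < 2:
        return {"ok": False, "reason": "expected '<key type> <base64 blob>'"}
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad characters or padding
        return {"ok": False, "reason": "key blob is not valid base64 (truncated or mangled paste?)"}
    if len(blob) < 4:
        return {"ok": False, "reason": "key blob too short"}
    (tlen,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + tlen:
        return {"ok": False, "reason": "key blob truncated"}
    embedded = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded != key_type:
        return {"ok": False, "reason": f"blob encodes {embedded!r} but line says {key_type!r}"}
    return {"ok": True, "type": key_type, "comment": comment}


if __name__ == "__main__":
    print(docker_subnet_collisions(DEFAULT_DOCKER_SUBNET, ["10.0.0.0/8", "172.17.40.0/24"]))
    print(parse_openssh_public_key(constructed_rsa_public_key_line()))
```

With the default subnet and a constructed internal plan of 10.0.0.0/8 plus 172.17.40.0/24, the first check returns only the 172.17.40.0/24 prefix, which is exactly the case where you would choose another Network Subnet in step 2.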
STEP 7 | Register and enter your unique Token, created in the Cortex XDR console.
Be sure you set up an AWS VM Import role (vmimport) before you continue with the steps to
convert the image, as it is required for the import-image CLI command. You can use a different
role if the role vmimport doesn't exist or doesn't have the required permissions. For more
information on setting up an AWS VM Import role and the permissions required, see Required
service role.
To convert the image:
Set up AWS CLI
(Optional) If you haven't done so already, set up your AWS CLI as follows:
STEP 1 | Install the AWS zip file by running the following commands on your local machine:
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo /usr/local/bin/python3.7 awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
aws configure
STEP 2 | In the AWS Console, navigate to Services > Storage > S3 > Buckets.
STEP 3 | In the S3 buckets page, + Create bucket to upload your broker image to.
STEP 4 | Upload the Broker VM VMDK you downloaded from Cortex XDR to the AWS S3 bucket.
Run
[
  {
    "Description":"<Broker VM Version>",
    "Format":"vmdk",
    "UserBucket":{
      "S3Bucket":"<your_bucket>",
      "S3Key":"<broker-vm-version.vmdk>"
    }
  }
]
To track the progress, use the task id value from the output and run:
.
Completed status output example:
{
  "ImportImageTasks":[
    {
      "...",
      "SnapshotDetails":[
        {
          "Description":"Broker VM version",
          "DeviceName":"/dev/<name>",
          "DiskImageSize":2976817664.0,
          "Format":"VMDK",
          "SnapshotId":"snap-1234567890",
          "Status":"completed",
          "UserBucket":{
            "S3Bucket":"broker-vm",
            "S3Key":"broker-vm-<version>.vmdk"
          }
        }
      ],
      "Status":"completed",
      "..."
    }
  ]
}
STEP 7 | (Optional) After the AMI image has been created, you can define a new name for the image.
Navigate to Services > EC2 > IMAGES > AMIs and locate your AMI image using the task ID.
Select the pencil icon to enter a new name.
Launch an Instance
STEP 2 | Search for your AMI image and Launch the file.
STEP 3 | In the Launch Instance Wizard define the instance according to your company requirements
and Launch.
STEP 4 | (Optional) In the Instances page, locate your instance and use the pencil icon to rename the
instance Name.
STEP 2 | Create a new storage blob on your Azure account by uploading the VHD file. You can
upload either from Microsoft Windows or Ubuntu.
Uploading from Microsoft Windows.
1. Verify you have:
• Windows PowerShell version 5.1 or later.
• .NET Framework 4.7.2 or later.
2. Open PowerShell and execute Set-ExecutionPolicy unrestricted.
• [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
• Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
3. Install the Azure cmdlets.
Install-Module -Name Az -AllowClobber
4. Connect to your Azure account.
Connect-AzAccount
5. Start the upload.
az storage blob upload -f <vhd to upload> -n <vhd name> -c <container name> --account-name <account name>
STEP 3 | In the Azure home page, navigate to Azure services > Disks and +Add a new disk.
STEP 4 | In the Create a managed disk > Basics page define the following information:
Project details
• Resource group—Select your resource group.
Disk details
• Disk name—Enter a name for the disk object.
• Region—Select your preferred region.
• Source type—Select Storage Blob. Additional fields are displayed; define them as follows:
• Source blob—Select Browse. You are directed to the Storage accounts page. From the
navigation panel, select the bucket and then the container to which you uploaded the Cortex
XDR VHD image.
In the Container page, select your VHD image.
• OS type—Select Linux
• VM generation—Select Gen 1
Review + create to check your settings.
Creating the VM can take up to 15 minutes. The broker VM Web UI is not accessible
during this time.
STEP 2 | From G Cloud, create a Google Cloud Storage bucket to store the broker VM image.
1. Create a project in GCP and enable Google Cloud Storage, for example: brokers-project.
Make sure you have defined a Default Network.
2. Create a bucket to store the image, such as broker-vms.
STEP 4 | Upload the VMDK image to the bucket, run the following.
The import tool uses the Cloud Build API, which must be enabled in your project. For
image import to work, the Cloud Build service account must have the compute.admin and
iam.serviceAccountUser roles. When using the Google Cloud console to import
the image, you will be prompted to add these permissions automatically.
• gcloud CLI
Before importing a GCP image using the gcloud CLI, ensure that you update the Google
Cloud components to version 371.0.0 and above using the following command.
The following command uses the minimum required parameters. For more information on
permissions and available parameters, refer to the Google Cloud SDK.
Open a command prompt and run the following.
STEP 6 | When Google Compute completes the image creation, create a new instance.
1. From the Google Cloud Platform, select Compute Engine > VM instances.
2. Create instance.
3. In the Boot disk option, choose Custom images and select the image you created.
4. In the Firewall section, Allow HTTPS traffic.
5. Set up the instance according to your needs.
If you are using the broker VM to facilitate only Agent Proxy, use e2-standard-2. If you
are using the broker VM for multiple applets, use e2-standard-4.
STEP 2 | Upload the image file to Alibaba Cloud using the utility file you downloaded.
The command depends on the operating system and architecture you are using. Below
are a few examples of the commands to use based on the different operating systems and
architectures, which you may need to modify based on your system requirements.
• Linux (using CLI)
• Format
• Example
• Example
D:\ossutil>ossutil64.exe cp Downloads\QCOW2_broker-vm-14.0.1.qcow2 oss://kvm-images-qcow2/XDR-broker-vm-14.0.1.qcow2
For Linux and Windows uploads, you can use Alibaba Cloud's graphical management
tool called ossbrowser.
example, in the step above the <directory name> used in the examples provided is kvm-images-qcow2.
The Object Storage Service must be created in the same Region as the image of the virtual machine.
3. From the list of images displayed, find the row for the Broker VM QCOW2 image that you uploaded, and click View Details.
4. In the URL field of the View Details right pane displayed, copy the internal link for the image in Alibaba Cloud. The URL that you copy ends with .com and you should not include any of the text displayed after this.
5. Select Hamburger menu > Elastic Compute Service > Instances & Images > Images.
6. In the Import Images area on the Images page, click Import Images.
7. In the Import Images window, set the following parameters.
• OSS Object Address—This field is a combination of the internal link that you copied for the Broker VM image and the <file name for uploaded image>, using this format: <internal link>/<file name for uploaded image>. Paste the internal link for the Broker VM QCOW2 image in Alibaba Cloud that you copied, and add the following text after the .com: /<file name for uploaded image>.
• Image Name—Specify a name for the image.
• Operating System/Platform—Leave Linux configured and change CentOS to Ubuntu.
• System Architecture—Leave the default x86_64 selected.
• Leave the rest of the fields as defined by the default or change them according to your system requirements.
8. Click OK.
A notification is displayed indicating that the image was imported successfully. Once the Status for the imported image on the Images page changes to Available, you will know the process is complete. This can take a few minutes.
STEP 5 | Reboot the Broker VM before logging in for the first time.
Saving the image to the Nutanix hypervisor can take time as it is a large file.
Creating the VM can take up to 15 minutes. The broker VM web user interface is not accessible during this time.
STEP 2 | Click the New VM icon ( ) to open the Create a new virtual machine wizard.
STEP 3 | In the Step 1 screen of the wizard, select Import existing disk image, and click Forward.
STEP 8 | In the Step 4 screen of the wizard, set a Name for your new VM.
• Enable Broker caching—To reduce your external network bandwidth loads, you can cache Cortex XDR agent installations, upgrades, and content updates on your Cortex XDR Broker VM. The Broker VM retrieves the latest installers and content files from Cortex XDR every 15 minutes and stores them for a 30-day retention period, counted from the time an agent last asked for them. If the files were not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XDR server. If asked by an agent, the Broker VM can also cache a specific installer that is not on the list of latest installers.
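The caching behaviour described above, as an added model that is not Palo Alto Networks code: the 15-minute refresh and 30-day retention come from the text, while the class names, the dictionary standing in for the Cortex XDR server, and the rule that a file first fetched directly by an agent is then kept by the broker are assumptions made for the illustration. The point it shows is that retention is measured from the last agent request, not from the download.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Timings taken from the guide text; everything else is a constructed model.
REFRESH_INTERVAL = timedelta(minutes=15)   # broker polls Cortex XDR for the latest files
RETENTION = timedelta(days=30)             # measured from the last time an agent asked


@dataclass
class CacheEntry:
    content: bytes
    last_requested: datetime


@dataclass
class BrokerCache:
    server_files: dict                         # stand-in for the Cortex XDR server: name -> bytes
    latest: set = field(default_factory=set)   # names on the "latest installers/content" list
    entries: dict = field(default_factory=dict)
    last_refresh: datetime = datetime.min

    def refresh(self, now):
        """Fetch the latest installers/content, at most once per 15 minutes.
        Returns True when a refresh actually ran."""
        if now - self.last_refresh < REFRESH_INTERVAL:
            return False
        for name in self.latest:
            if name in self.server_files and name not in self.entries:
                self.entries[name] = CacheEntry(self.server_files[name], now)
        self.last_refresh = now
        return True

    def evict_expired(self, now):
        """Drop files no agent has asked for in 30 days; returns their names."""
        expired = [n for n, e in self.entries.items() if now - e.last_requested > RETENTION]
        for name in expired:
            del self.entries[name]
        return expired

    def request(self, name, now):
        """An agent asks the broker for a file.
        Returns ("broker", bytes) on a cache hit, ("direct", bytes) when the agent
        has to download from the server itself (assumption: the broker then keeps a
        copy for the next agent), or ("missing", None) if the server lacks it too."""
        self.evict_expired(now)
        entry = self.entries.get(name)
        if entry is not None:
            entry.last_requested = now
            return "broker", entry.content
        content = self.server_files.get(name)
        if content is None:
            return "missing", None
        self.entries[name] = CacheEntry(content, now)
        return "direct", content
```

Running the model with a file that is requested once on day 1 and again on day 32 shows it being served directly the second time: the 30-day window restarted at the day-1 request, not at the original download.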
The following are prerequisites and limitations for the Local Agent Settings applet.
Requirement: Agent Installer and Content Caching
Description:
• Supported with Cortex XDR agent version 7.4 and later releases and Broker VM 12.0 and later.
• Requires a Broker VM with an 8-core processor to support caching for 10K endpoints.
• Requires the Broker to have an FQDN record in your local DNS server.
• Requires you to upload strong-cipher, SHA256-based SSL certificates when you set up the Broker VM.
• Requires adding the Broker as a download source in your Agent Settings Profile.
After you have configured and registered your Palo Alto Networks Broker VM, proceed to set up your Local Agent Settings applet.
STEP 1 | In Cortex XDR, go to Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
When you install your Cortex XDR agents, you must configure the IP address of the broker VM and a port number during the installation. You can use the default port 8888 or set a custom port. You are not permitted to configure port numbers between 0-1024 and 63000-65000, or port numbers 4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672. Additionally, you are not permitted to reuse port numbers you already assigned to the Syslog Collector applet.
STEP 4 | After a successful activation, the Apps field displays Local Agent Settings - Active. Hover over it to view the applet status and resource usage.
To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR displays a list of Denied URLs. These URLs are displayed when you hover over the Local Agent Settings applet to view the Connectivity Status. As a result, in a situation where the Local Agent Settings applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment.
STEP 5 | Manage the local agent settings. After the local agent settings have been activated, right-click your broker VM.
• To change your settings, click Local Agent Settings > Configure.
• To disable the local agent settings altogether, click Local Agent Settings > Deactivate.
To receive Syslog data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network. The Syslog Collector supports a log ingestion rate of 90,000 logs per second (lps) with the recommended Broker VM setup.
To increase the log ingestion rate, you can add additional CPUs to the broker VM. The Syslog Collector listens for logs on specific ports and from any or specific IP addresses.
STEP 1 | If you haven't already done so, Configure the Broker VM.
STEP 2 | In Cortex XDR, navigate to Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 3 | Right-click the broker VM and select Syslog Collector > Activate.
Once configured, you cannot change the Port/Protocol. If you don't want to use a data source, ensure that you remove the data source from the list as explained in Step 7.
• Add a new Syslog Collector data source. See Step 6.
• The Vendor and Product default to Auto-Detect when the Log Format is set to CEF or LEEF.
• For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row to look for the Vendor and Product carried in the logs. When the values are populated in the event log row, Cortex XDR uses these values even if you specified a value in the Vendor and Product fields in the Syslog Collector settings. When the values are blank in the event log row, Cortex XDR uses the Vendor and Product that you specified in the Syslog Collector settings. If you did not specify a Vendor or Product in the Syslog Collector settings and the values are blank in the event log row, the values for both fields are set to unknown.
• Vendor—Specify a particular vendor for the Syslog format defined or leave the default Auto-Detect setting.
• Product—Specify a particular product for the Syslog format defined or leave the default Auto-Detect setting.
• Source Network—Specify the IP address or Classless Inter-Domain Routing (CIDR) range. If you leave this blank, Cortex XDR will allow receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the addresses matters. In this example, the IP address 10.0.0.10 is only captured from the first row definition. For more information on prioritizing the order of the syslog formats, see Step 7.
After each configuration, select to save the changes and then Done to update the Syslog Collector with your settings.
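The two rules above (top-down Source Network matching, and Vendor/Product taken from the CEF or LEEF header before falling back to the configured values and then to "unknown") as an added example. This is not Cortex XDR code: the row class, its field names, the assumption that a row also has to match on protocol and port, and the sample log lines are all constructed here. CEF and LEEF both carry Vendor and Product as the second and third pipe-separated header fields, which is what the parser relies on.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataSourceRow:
    """One row of the Syslog Collector data-source table (constructed model)."""
    protocol: str                          # "UDP", "TCP" or "Secure TCP"
    port: int
    log_format: str                        # "CEF", "LEEF", "Raw", ...
    vendor: Optional[str] = None           # None stands for the Auto-Detect default
    product: Optional[str] = None
    source_network: Optional[str] = None   # IP or CIDR; None means any source


def select_row(rows, src_ip, protocol, port):
    """Top-down match: the first row whose protocol/port fit and whose Source
    Network contains src_ip wins, so 10.0.0.10 in row 1 shadows 10.0.0.0/24 in row 2."""
    ip = ipaddress.ip_address(src_ip)
    for row in rows:
        if row.protocol != protocol or row.port != port:
            continue
        if row.source_network is None:
            return row
        if ip in ipaddress.ip_network(row.source_network, strict=False):
            return row
    return None


# Split CEF/LEEF header fields on '|' unless it is escaped as '\|'.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")


def header_vendor_product(line):
    """Vendor and Product from a CEF or LEEF header (fields 2 and 3 in both
    formats). A blank field, or a line that is neither format, yields None."""
    for prefix in ("CEF:", "LEEF:"):
        if prefix in line:
            fields = _HEADER_SPLIT.split(line.split(prefix, 1)[1])
            if len(fields) < 3:
                return None, None
            return fields[1].strip() or None, fields[2].strip() or None
    return None, None


def resolve_vendor_product(row, line):
    """Header values win when populated; otherwise the row's configured values;
    otherwise "unknown". Formats other than CEF/LEEF use only the configured values."""
    if row.log_format in ("CEF", "LEEF"):
        hv, hp = header_vendor_product(line)
    else:
        hv, hp = None, None
    return hv or row.vendor or "unknown", hp or row.product or "unknown"
```

The resolved pair is what ends up in the dataset name, so a blank header on an Auto-Detect row lands events in unknown_unknown_raw; pinning Vendor and Product on the row is the cheap way to keep such events findable.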
Because some port numbers are reserved by Cortex XDR, you must choose a port number that is not:
- In the range of 0-1024 (except for 514)
- In the range of 63000-65000
- One of the values 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 28672
• When configuring the Protocol as Secure TCP, these additional General Settings are available:
• Server Certificate—Browse to your server certificate to configure server authentication.
• Private Key—Browse to your private key for the server certificate.
• Optional CA Certificate—(Optional) Browse to your CA certificate for mutual authentication.
• Minimal TLS Version—Select either 1.0 or 1.2 (default) as the minimum TLS version allowed.
Cortex XDR will notify you when your certificates are about to expire.
STEP 7 | Make additional changes to the Syslog Collector data sources configured.
• To remove a Syslog Collector data source, right-click the row after the Port/Protocol entry, and select Remove.
• To prioritize the order of the Syslog formats listed for the protocols and ports configured, drag and drop the rows into the order you require.
STEP 9 | (Optional) To view metrics about the Syslog Collector, hover over the Syslog Collector link in the Apps field.
Cortex XDR displays the following information.
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
• Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
Apache Kafka is an open-source distributed event streaming platform for high-performance data pipelines, streaming analytics and data integration. Apache Kafka records are organized into Topics. The partitions for each Topic are spread across the bootstrap servers in the Apache Kafka cluster. The bootstrap servers are responsible for transferring data from Producers to Consumer Groups, which enable the Apache Kafka server to save offsets of each partition in the Topic consumed by each group.
The broker VM provides an Apache Kafka Collector applet that enables you to monitor and collect events from Topics on self-managed on-prem Apache Kafka clusters directly to your log repository for query and visualization purposes. The applet supports Apache Kafka setups with no authentication, with SSL authentication, and with SASL SSL authentication.
After you activate the Kafka Collector applet, you can collect events as datasets (<Vendor>_<Product>_raw) by defining the following.
• Apache Kafka connection details including the Bootstrap Server List and Authentication Method.
• Topics Collection configuration for the Apache Kafka topics that you want to collect.
Following are the prerequisites for setting up the Apache Kafka Collector applet.
• Apache Kafka version 2.5.1 and above.
• Apache Kafka cluster set up on premises, from which the data will be ingested.
• Privileges to manage Broker Service configuration (for example, Instance Administrator).
Complete the following tasks before you begin setting up the Kafka Collector applet.
• Create a user in the Apache Kafka cluster with the necessary permissions and the following authentication details.
• Broker Certificate and Private Key for an SSL connection.
• Username and Password for a SASL SSL connection.
• Configure the Broker VM.
Activate the Apache Kafka Collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 2 | Right-click the broker VM and select Kafka Collector > Activate.
named file.log) in the cluster are processed by the collector as JSON, and any entry that does not comply with the JSON format is dropped.
• Specify the Vendor and Product which will be associated with each entry in the dataset. The vendor and product are used to define the name of your XQL dataset (<Vendor>_<Product>_raw).
For CEF and LEEF logs, Cortex XDR takes the vendor and product names from the log itself, regardless of what you configure on this page.
5. (Optional) Add Topic to create another Topic Collection. Each topic can be added for a server only once.
6. (Optional) Other available options for Topic Collection.
As needed, you can manage your Topic Collection settings. Here are the actions available to you.
• Edit the Topics Collection details.
• Disable/Enable a Topics Collection by hovering over the top area of the Topics Collection section, on the opposite side of the Topics Collection name, and selecting the applicable button.
• Rename a Topics Collection by hovering over the top area of the Topics Collection section, on the opposite side of the Topics Collection name, and selecting the pen icon.
• Delete a Topics Collection by hovering over the top area of the Topics Collection section, on the opposite side of the Topics Collection name, and selecting the delete icon.
STEP 4 | (Optional) Add Connection to create another Apache Kafka Connection for collecting data.
STEP 6 | Save to commit changes. Save is enabled only when all the mandatory fields are filled in.
STEP 7 | (Optional) To view metrics about the Apache Kafka Collector, in the Broker VM screen, hover over the Kafka Collector link in the Apps field for your broker VM.
Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
The broker VM provides a CSV Collector applet that enables you to monitor and collect CSV (comma-separated values) log files from a shared Windows directory directly to your log repository for query and visualization purposes. After you activate the CSV Collector applet on a broker VM in your network, you can ingest CSV files as datasets by defining the list of folders mounted to the broker VM and setting the list of CSV files to monitor and upload to Cortex XDR using a username and password.
Be sure you do the following tasks before you begin setting up the CSV Collector applet.
• Configure the Broker VM.
• Ensure that you share the applicable CSV files.
• Know the complete file path for the Windows directory.
Activate the CSV Collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 2 | Right-click the broker VM and select CSV Collector > Activate.
STEP 3 | Configure your CSV Collector by defining the list of folders mounted to the broker VM and specifying the list of CSV files to monitor and upload to Cortex XDR. You must also specify a username and password.
1. Mounted Folders
• FOLDER PATH—Specify the complete file path to the Windows directory containing the shared CSV files using the format //host/<folder_path>. For example, //testenv1pc10/CSVFiles.
• USERNAME—Specify the username for accessing the Windows directory.
• PASSWORD—Specify the password for accessing the Windows directory.
After you configure the mounted folder details, Add ( ) the details to the applet.
2. Monitored CSV Files
• FOLDER PATH+NAME—Select the monitored Windows directory and specify the name of the CSV file. You can use a wildcard file search with these characters in the name of the directory, the CSV file name, and the Path Exclusion.
- ?—Matches a single character, such as 202?-report.csv.
- *—Matches multiple characters, such as 2021-report*.csv, or all CSV files with *.csv.
- **—Searches all directories and subdirectories.
For example, if you want to include all the CSV files in the directory and any subdirectories, use the syntax //host/<folder_path>/**/*.csv.
When you implement a wildcard file search, ensure that the CSV files share the same columns and header rows as all other logs that are collected from the CSV files to create a single dataset.
• PATH EXCLUSION—(Optional) Specify the complete file path for any files from the Windows directory that you do not want included. The same wildcard file search characters are allowed in this field as explained above for the FOLDER PATH+NAME field. For example, if you want to exclude any CSV file prefixed with 'exclude_' in the directory and subdirectories of //host/<folder_path>, use the syntax //host/<folder_path>/**/exclude_*.csv.
• TAGS—(Optional) To easily query the CSV data in the database, you can add a tag to the collected CSV data. This tag is appended to the data using the format <data>_<tag>.
• TARGET DATASET—Either select the target dataset for the CSV data or create a new dataset by specifying the name for the new dataset.
The CSV Collector checks for new CSV files every 10 minutes.
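An added example, not Cortex XDR code, that applies the wildcard rules of FOLDER PATH+NAME and PATH EXCLUSION above to a constructed list of files on a share, and then performs the check the guide asks for before several files feed one dataset: that their header rows agree. The exact semantics of ** in the collector are not spelled out on the page; the translation below assumes ** may stand for zero or more whole path segments (so //host/x/**/*.csv also matches files directly under x), and that ? and * never cross a / boundary. The file names and CSV contents are constructed.

```python
import csv
import io
import re


def wildcard_to_regex(pattern):
    """Translate the collector's wildcard syntax into an anchored regex.
    Assumption: '**/' = zero or more directory segments, '*' = any run of
    characters within one segment, '?' = one character within a segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def select_files(files, include, exclude=None):
    """Files matching FOLDER PATH+NAME minus those matching PATH EXCLUSION."""
    inc = wildcard_to_regex(include)
    exc = wildcard_to_regex(exclude) if exclude else None
    return [f for f in files if inc.match(f) and not (exc and exc.match(f))]


def header_mismatches(file_contents):
    """file_contents: {path: csv text}. Returns the paths whose header row
    differs from the first file's header; a non-empty result means the
    selection would not form one consistent dataset."""
    headers = {}
    for path, text in file_contents.items():
        headers[path] = next(csv.reader(io.StringIO(text)), [])
    first = next(iter(headers.values()), [])
    return [path for path, header in headers.items() if header != first]
```

Running header_mismatches over the files select_files returns, before enabling the collector, catches the silent case where one exported report has an extra or renamed column and would otherwise be folded into the same dataset with misaligned fields.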
STEP 5 | (Optional) To view metrics about the CSV Collector, hover over the CSV Collector link in the Apps field.
Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
The broker VM provides a Database Collector applet that enables you to collect data from a client relational database directly to your log repository for query and visualization purposes. After you activate the Database Collector applet on a broker VM in your network, you can collect records as datasets (<Vendor>_<Product>_raw) by defining the following.
• Database connection details, where the connection type can be MySQL, PostgreSQL, MSSQL, or Oracle. Cortex XDR uses Open Database Connectivity (ODBC) to access the databases.
• Settings related to the query details for collecting the data from the database to monitor and upload to Cortex XDR.
Complete the following task before you begin setting up the FTP Collector applet.
• Configure the Broker VM
Activate the Database Collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 2 | Right-click the broker VM and select Database Collector > Activate.
the Database Collector applet replaces the question mark with the latest checkpoint value (that is, the start value) for the Retrieval Value.
• Generate Preview—Select Generate Preview to display up to 10 rows from the SQL Query and preview the results. The Preview works based on the Database Collector settings, which means that if running the query returns no results, the Preview returns no records.
• Add Query—(Optional) To define another Query for data collection on the configured database connection, select Add Query. Another Query section is displayed for you to configure.
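The checkpoint mechanism described above, as an added example that is not the Database Collector's own code: the query carries a single ? placeholder, each run binds it to the latest Retrieval Value, and the largest Retrieval Value seen becomes the next start value. Python's built-in sqlite3 stands in for the ODBC connection to MySQL, PostgreSQL, MSSQL or Oracle; the table, column names, rows, and the CheckpointedQuery and preview helpers are constructed for the illustration.

```python
import sqlite3


def seed_db():
    """Constructed sample database standing in for the client's relational DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts INTEGER, msg TEXT)")
    conn.executemany(
        "INSERT INTO audit_log VALUES (?, ?, ?)",
        [(1, 100, "login"), (2, 101, "logout"), (3, 105, "login")],
    )
    conn.commit()
    return conn


class CheckpointedQuery:
    """query: SQL with exactly one '?' that compares the Retrieval Value column.
    retrieval_column: the column whose maximum becomes the next start value.
    start_value: the initial checkpoint (the 'start value' in the guide)."""

    def __init__(self, query, retrieval_column, start_value=0):
        self.query = query
        self.retrieval_column = retrieval_column
        self.checkpoint = start_value

    def run(self, conn):
        """One collection cycle: bind '?' to the checkpoint, return the rows
        as dicts, and advance the checkpoint to the largest value retrieved."""
        cur = conn.execute(self.query, (self.checkpoint,))
        cols = [d[0] for d in cur.description]
        rows = [dict(zip(cols, r)) for r in cur.fetchall()]
        if rows:
            self.checkpoint = max(r[self.retrieval_column] for r in rows)
        return rows


def preview(conn, query, start_value, limit=10):
    """Generate Preview: up to 10 rows of the query bound to the current checkpoint."""
    return conn.execute(query, (start_value,)).fetchmany(limit)
```

Because the placeholder is compared with a strict greater-than in the sample query, a row written later with a timestamp equal to the checkpoint would never be collected; choose a Retrieval Value column that is strictly increasing (an auto-increment id, or a timestamp with enough resolution) rather than a coarse time column, and keep ORDER BY on that column so the checkpoint advances predictably.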
STEP 4 | (Optional) Add Connection to define another database connection to collect data from another client relational database.
STEP 7 | (Optional) To view metrics about the Database Collector, hover over the Database Collector link in the Apps field.
Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
The broker VM provides a Files and Folders Collector applet that enables you to monitor and collect logs from files and folders in a network share for a Windows or Linux directory, directly to your log repository for query and visualization purposes. The Files and Folders Collector applet only starts to collect files that are larger than 256 bytes. After you activate the Files and Folders Collector applet, you can collect files as datasets (<Vendor>_<Product>_raw) by defining the following.
• Details of the folder path on the network share containing the files that you want to monitor and upload to Cortex XDR.
• Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either Raw (default), JSON, CSV, TSV, PSV, CEF, LEEF, Corelight, or Cisco.
Complete the following tasks before you begin setting up the Files and Folders Collector applet.
• Configure the Broker VM
• Know the complete path to the files and folders that you want Cortex XDR to monitor.
• Ensure that the user permissions for the network share include the ability to rename and delete files in the folder for which you want to configure collection.
Activate the Files and Folders Collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 2 | Right-click the broker VM and select Files and Folders Collector > Activate.
The image above displays the File and Folder Settings section with Batch Mode selected so that all available options are shown. However, Tail Mode is selected by default.
When using a Linux file share, including a Linux share with NFS, a Username and Password are not required, so these fields are grayed out in the screen.
• Recursive—Select this checkbox to configure the Files and Folders Collector applet to recursively examine any subfolders for new files as long as the folders are readable. This is not configured by default.
• Username—Specify the username to access the shared resource using the User Principal Name (UPN) format.
• Password—Specify the password to access the shared resource.
• Test Connection—Select to validate the connection and permissions.
2. Configure the File and Folder Settings.
• Mode—Select the mode to use for collecting logs, where the fields displayed change depending on your selection.
• Tail—Continuously monitors files for new data (default).
• Batch—Reads the entire file and then renames/deletes uploaded files.
In Batch mode, the Files and Folders Collector supports collecting logs from a network share for a maximum file size of 500 MB.
• Collect Every—Specify the execution frequency of collection by designating a number and then selecting the unit as either Minutes, Hours, or Days. This option is only displayed in Batch Mode.
• After Files Uploaded—Select what to do with the files after they are uploaded to the Cortex XDR server. You can either select Rename files with a suffix (default), in which case you must specify the Suffix, or Delete files. When adding a suffix, the suffix is added at
the end of the original file name using the format <file name>.<suffix>, which becomes the new name of the file. This option is only displayed in Batch Mode.
• Include—Specify the files and folders that must match to be monitored by Cortex XDR. Multiple values are allowed, separated by commas.
Allowed wildcards:
• '?' matches a single alphabet character in a specific position.
• '*' matches any character or set of characters, including no character.
Example: log*.json includes any JSON file starting with 'log'.
• Exclude—(Optional) Specify the files and folders that must match to not be monitored by Cortex XDR. Multiple values are allowed, separated by commas.
Allowed wildcards:
• '?' matches a single alphabet character in a specific position.
• '*' matches any character or set of characters, including no character.
Example: *.backup excludes any file ending with '.backup'.
• Log Format—Select the Log Format from the list as either Raw (default), JSON, CSV, TSV, PSV, CEF, LEEF, Corelight, or Cisco. This setting defines the parser used to parse all the processed files as defined in the Include and Exclude fields, regardless of the file names and extensions. For example, if the Include field is set to * and the Log Format is JSON, all files (even those named file.log) in the specified folder are processed by the Files and Folders Collector as JSON, and any entry that does not comply with the JSON format is dropped.
When uploading JSON files, Cortex XDR only parses the first level of nesting and only supports single-line JSON format, such that every new line means a separate entry.
• # of Lines to Skip—(Optional) Specify the number of lines to skip at the beginning of the file. This is set to 0 by default.
3. Configure Data Source Mapping settings.
Vendor and Product—Specify the Vendor and Product for the type of data being collected. The vendor and product are used to define the name of your XQL dataset (<Vendor>_<Product>_raw).
• The Vendor and Product default to Auto-Detect when the Log Format is set to CEF or LEEF.
4. Generate Preview.
Select Generate Preview to display up to 10 rows from the first file and preview the results. The Preview works based on the Files and Folders Collector settings, which means that if all the files that were configured to be monitored were already processed, then the Preview returns no records.
STEP 4 | (Optional) Add Connection to define another Files and Folders connection for collecting logs from files and folders in a shared resource.
STEP 7 | (Optional) To view metrics about the Files and Folders Collector, hover over the Files and Folders Collector link in the Apps field.
Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
The broker VM provides an FTP Collector applet that enables you to monitor and collect logs from files and folders via FTP, FTPS, and SFTP directly to your log repository for query and visualization purposes. A maximum file size of 500 MB is supported. After you activate the FTP Collector applet on a broker VM in your network, you can collect files as datasets (<Vendor>_<Product>_raw) by defining the following.
• FTP, FTPS, or SFTP (default) connection details with the path to the folder containing the files that you want to monitor and upload to Cortex XDR.
• Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either Raw (default), JSON, CSV, TSV, PSV, CEF, LEEF, Corelight, or Cisco. Once the files are
uploaded to Cortex XDR, you can define whether the files in the source directory are renamed or deleted.
Complete the following tasks before you begin setting up the FTP Collector applet.
• Configure the Broker VM
• Ensure that the user permissions for FTP, SFTP, or FTPS include the ability to rename and delete files in the folder for which you want to configure collection.
• When setting up an FTPS Collector with a server using a self-signed certificate, you must first upload the certificate to the broker VM as a Trusted CA certificate.
Activate the FTP Collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 2 | Right-click the broker VM and select FTP Collector > Activate.
to a Private Key. When this connection is established with a server using a self-signed certificate, you must first upload it to the broker VM as a Trusted CA Certificate.
When configuring an SFTP connection, Cortex XDR expects the private key to be in the RSA format that uses the -----BEGIN RSA PRIVATE KEY----- tag. Cortex XDR does not support providing the private key in the OpenSSH format that uses the -----BEGIN OPENSSH PRIVATE KEY----- tag.
When using ssh-keygen on a Mac, you get the OpenSSH format by default. The command for getting the RSA format is:
• Folder Path—Specify the path to the folder on the FTP site where the files that you want to collect are located.
• Recursive—Select this checkbox to configure the FTP Collector applet to recursively examine any subfolders for new files as long as the folders are readable. This is not configured by default.
• Test Connection—Select to validate the FTP connection.
2. Configure the FTP Settings.
• Collect Every—Specify the execution frequency of collection by designating a number and then selecting the unit as either Minutes, Hours, or Days.
• After Files Uploaded—Select what to do with the files after they are uploaded to the Cortex XDR server. You can either select Rename files with a suffix (default), in which case you must specify the Suffix, or Delete files. When adding a suffix, the suffix is added at the end of the original file name using the format <file name>.<suffix>, which becomes the new name of the file.
• Include—Specify the files and folders that must match to be monitored by Cortex XDR. Multiple values are allowed, separated by commas.
Allowed wildcards:
• '?' matches a single alphabet character in a specific position.
• '*' matches any character or set of characters, including no character.
Example: log*.json includes any JSON file starting with 'log'.
• Exclude—(Optional) Specify the files and folders that must match to not be monitored by Cortex XDR. Multiple values are allowed, separated by commas.
Allowed wildcards:
• '?' matches a single alphabet character in a specific position.
• '*' matches any character or set of characters, including no character.
Example: *.backup excludes any file ending with '.backup'.
• Log Format—Select the Log Format from the list as either Raw (default), JSON, CSV, TSV, PSV, CEF, LEEF, Corelight, or Cisco, which indicates to Cortex XDR how to parse the data in the file. This setting defines the parser used to parse all the processed files as defined in the Include and Exclude fields, regardless of the file names and
extensions. For example, if the Include field is set to * and the Log Format is JSON, all files (even those named file.log) in the specified folder are processed by the FTP Collector as JSON, and any entry that does not comply with the JSON format is dropped.
When uploading JSON files, Cortex XDR only parses the first level of nesting and only supports single-line JSON format, such that every new line means a separate entry.
• # of Lines to Skip—(Optional) Specify the number of lines to skip at the beginning of the file. This is set to 0 by default.
3. Configure the Data Source Mapping.
Vendor and Product—Specify the Vendor and Product for the type of data being collected. The vendor and product are used to define the name of your XQL dataset (<Vendor>_<Product>_raw).
• The Vendor and Product default to Auto-Detect when the Log Format is set to CEF or LEEF.
4. Generate Preview.
Select Generate Preview to display up to 10 rows from the first file and preview the results. The Preview works based on the FTP Collector settings, which means that if all the files that were configured to be monitored were already processed, then the Preview returns no records.
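The Include/Exclude wildcards, "# of Lines to Skip", the JSON Log Format rule (one object per line, non-compliant lines dropped) and the "After Files Uploaded" rename, which the Files and Folders Collector and the FTP Collector sections above share, as one added example. This is not Cortex XDR code: the function names, the sample file names and log contents are constructed. Python's fnmatch supplies the ? and * semantics (its ? matches any single character, slightly wider than the "alphabet character" the guide describes, and it also treats [ ] as a character class, which the collectors do not document).

```python
import fnmatch
import json


def split_patterns(value):
    """Comma-separated Include/Exclude field -> list of patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_monitored(name, include, exclude=""):
    """True when name matches at least one Include pattern and no Exclude pattern."""
    inc = split_patterns(include)
    exc = split_patterns(exclude)
    return any(fnmatch.fnmatchcase(name, p) for p in inc) and not any(
        fnmatch.fnmatchcase(name, p) for p in exc
    )


def parse_json_lines(text, lines_to_skip=0):
    """Log Format = JSON: skip the first N lines, then parse one JSON object per
    line. Returns (records, dropped); a line that is not valid JSON is dropped,
    which is what happens to a file.log swept in by Include = * ."""
    records, dropped = [], 0
    for line in text.splitlines()[lines_to_skip:]:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            dropped += 1
    return records, dropped


def after_upload_name(name, action="rename", suffix="done"):
    """Batch-mode 'After Files Uploaded': the new name <file name>.<suffix>,
    or None when the file is deleted instead."""
    if action == "delete":
        return None
    return f"{name}.{suffix}"
```

A quick way to use this before switching a share to Batch mode is to run is_monitored over a directory listing with the Include and Exclude values you intend to type in, and parse_json_lines over one representative file: a high dropped count means the Log Format does not match the files the wildcards actually select.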
STEP 4 | (Optional) Add Connection to define another FTP connection for collecting logs from files and folders via FTP, FTPS, or SFTP.
STEP 7 | (Optional) To view metrics about the FTP Collector, hover over the FTP Collector link in the Apps field.
Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
To receive NetFlow flow records from an external source, you must first set up the NetFlow Collector applet on a broker VM within your network. NetFlow versions 5 and 9 and IPFIX are supported.
To increase the log ingestion rate, you can add additional CPUs to the broker VM. The NetFlow Collector listens for flow records on specific ports, either from any or from specific IP addresses.
After the NetFlow Collector is activated, the NetFlow Exporter sends flow records to the NetFlow Collector, which receives, stores, and pre-processes that data for later analysis.
The following setups are required to meet your performance needs.
• 4 CPUs for up to 50K flows per second (FPS).
• 8 CPUs for up to 100K FPS.
Since multiple network devices can send data to a single NetFlow Collector, we recommend that you configure a maximum of 50 NetFlow Collectors per broker VM applet, with a maximum aggregated rate of approximately 50K flows per second (FPS), to maintain system performance.
Complete the following task before setting up the NetFlow Collector applet.
• Configure the Broker VM.
Activate the NetFlow Collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
STEP 2 | Right-click the broker VM and select NetFlow Collector > Activate.
Since Cortex XDR reserves some port numbers, select a port number that is not
in the range 0-1024 (except 514), not in the range 63000-65000, and not one
of the following values: 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100,
15672, or 28672.
2. Define Custom Settings.
• Source Network—Specify the IP address or CIDR range of the source network device
that sends the flow records to Cortex XDR. If you leave the field empty (the default),
the collector accepts flow records from any source IP address that transmits to the
specified port. Because NetFlow is carried over UDP without authentication, any host
that can reach the port can inject flow records into the dataset, so restrict the Source
Network to your exporters wherever possible. If IP addresses overlap across multiple
rows in the Source Network field, such as 10.0.0.10 in the first row and 10.0.0.0/24 in
the second row, the NetFlow Collector applies the row that appears first.
• Vendor and Product—Specify a particular vendor and product to be associated with
each dataset entry, or leave the default IP Flow setting.
The Vendor and Product values are used to define the name of your XQL dataset
<Vendor>_<Product>_raw. If you do not define a vendor or product, Cortex XDR
uses the default values, with the resulting dataset name ip_flow_ip_flow_raw.
Consider changing the default values in order to uniquely identify the source network
device.
After each configuration, save your changes and then select Done to
update the NetFlow Collector with your settings.
STEP 5 | (Optional) Make additional changes to the NetFlow Collector data sources.
• To change a Port, right-click the applicable UDP port and select one of the following:
• Edit—Change the UDP Port, Source Network, Vendor, or Product.
• Remove—Delete the Port.
• To change a Source Network, right-click the Source Network value.
The options available depend on the Source Network value:
• Edit—Change the UDP Port, Source Network, Vendor, or Product.
• Remove—Delete the Port.
• Copy entire row—Copy the Source Network, Product, and Vendor information.
• Open IP View—View network operations and any open incidents on this IP
within a defined period. This option is only available when the Source Network value is a
specific IP address or CIDR.
• Open in Quick Launcher—Search for information using the Quick Launcher shortcut.
This option is only available when the Source Network value is a specific IP address or
CIDR.
• To prioritize the order of the NetFlow formats listed for the configured data source, drag
and drop the rows to change their order.
STEP 7 | (Optional) To view NetFlow Collector metrics, hover over the NetFlow Collector link in the
Apps field.
Cortex XDR displays the following information:
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Logs Received and Logs Sent—Number of logs that the applet received and sent per
second over the last 24 hours. If more logs are received than sent, this may indicate a
connectivity issue.
• Resources—The amount of CPU, Memory, and Disk space the applet uses.
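To confirm the collector's port and Source Network settings before pointing production exporters at it, the following PowerShell script, an added example that is not part of the Cortex XDR guide or product, builds one NetFlow v5 datagram (the 24-byte header plus a single 48-byte flow record, all multi-byte fields in network byte order as the v5 format requires) and sends it to the broker VM over UDP. The broker address 10.1.1.20, the port 2055, and the flow's addresses and ports are assumptions for the example; run it from a host that falls inside the configured Source Network.

```powershell
# Added example (not from the Cortex XDR guide): send one synthetic NetFlow v5 record
# to the NetFlow Collector to verify port and Source Network settings.
# $BrokerHost and $Port are assumptions; substitute your broker VM and collector port.
param(
    [string]$BrokerHost = '10.1.1.20',
    [int]$Port = 2055
)

function ConvertTo-BigEndianBytes {
    # NetFlow fields are network byte order: emit $Width bytes, most significant first.
    param([uint64]$Value, [int]$Width)
    $bytes = New-Object byte[] $Width
    for ($i = $Width - 1; $i -ge 0; $i--) {
        $bytes[$i] = [byte]($Value -band 0xFF)
        $Value = $Value -shr 8
    }
    return $bytes
}

function New-NetFlowV5Packet {
    param(
        [ipaddress]$SrcIp, [ipaddress]$DstIp,
        [uint16]$SrcPort, [uint16]$DstPort,
        [byte]$Protocol = 6, [uint32]$Packets = 10, [uint32]$Octets = 1500
    )
    $uptimeMs = [uint32]60000                                   # exporter sysUptime (ms)
    $nowSecs  = [uint32][DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    # 24-byte header: version, count, sysUptime, unix_secs, unix_nsecs,
    # flow_sequence, engine_type, engine_id, sampling_interval
    $header  = @()
    $header += ConvertTo-BigEndianBytes 5 2
    $header += ConvertTo-BigEndianBytes 1 2
    $header += ConvertTo-BigEndianBytes $uptimeMs 4
    $header += ConvertTo-BigEndianBytes $nowSecs 4
    $header += ConvertTo-BigEndianBytes 0 4
    $header += ConvertTo-BigEndianBytes 1 4
    $header += 0, 0
    $header += ConvertTo-BigEndianBytes 0 2

    # 48-byte flow record
    $record  = @()
    $record += $SrcIp.GetAddressBytes()
    $record += $DstIp.GetAddressBytes()
    $record += 0, 0, 0, 0                                       # nexthop
    $record += ConvertTo-BigEndianBytes 1 2                     # input ifIndex
    $record += ConvertTo-BigEndianBytes 2 2                     # output ifIndex
    $record += ConvertTo-BigEndianBytes $Packets 4
    $record += ConvertTo-BigEndianBytes $Octets 4
    $record += ConvertTo-BigEndianBytes ($uptimeMs - 1000) 4    # first (ms)
    $record += ConvertTo-BigEndianBytes $uptimeMs 4             # last  (ms)
    $record += ConvertTo-BigEndianBytes $SrcPort 2
    $record += ConvertTo-BigEndianBytes $DstPort 2
    $record += 0, 0x18, $Protocol, 0                            # pad1, tcp_flags (PSH|ACK), prot, tos
    $record += ConvertTo-BigEndianBytes 0 2                     # src_as
    $record += ConvertTo-BigEndianBytes 0 2                     # dst_as
    $record += 24, 24, 0, 0                                     # src_mask, dst_mask, pad2

    $packet = [byte[]]($header + $record)
    if ($packet.Length -ne 72) { throw "Malformed packet: $($packet.Length) bytes" }
    return ,$packet
}

$packet = New-NetFlowV5Packet -SrcIp '10.0.0.10' -DstIp '10.0.0.25' -SrcPort 51234 -DstPort 443
$udp = New-Object System.Net.Sockets.UdpClient
try {
    $sent = $udp.Send($packet, $packet.Length, $BrokerHost, $Port)
    "Sent $sent-byte NetFlow v5 datagram to ${BrokerHost}:$Port"
} finally {
    $udp.Close()
}
```

The record should appear in the dataset named by the Vendor and Product you configured (ip_flow_ip_flow_raw by default) within a few minutes. If it does not, check that the sending host is inside the configured Source Network and that the Logs Received metric in the Apps field increments when you send.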
Activating the Network Mapper requires a Cortex XDR Pro per Endpoint or Cortex XDR
Pro per TB license.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate
your broker VM.
STEP 3 | In the Activate Network Mapper window, define the following parameters:
• Scan Method—Select either the ICMP echo or the TCP SYN scan method to identify your
network hosts. When selecting TCP SYN, you can enter single ports and ranges together, for
example 80-83, 443.
• Scan Requests per Second—Define the maximum number of scan requests you want to
send on your network per second. The default is 1000.
Each IP address range can receive multiple scan requests, based on its availability.
Because the scan originates from the broker VM, allowlist the broker VM address in host
firewalls and IDS/IPS that would otherwise alert on or block the ICMP sweep or SYN scan.
• Scanning Scheduler—Define when you want to run the network mapper scan. You can
select daily, weekly, or monthly at a specific time.
• Scanned Ranges—Select from the list of existing IP address ranges to scan. Make sure to
save each selection.
IP address ranges are displayed according to what you defined as your Network
Parameters.
STEP 5 | In the Apps field, select Network Mapper to view the following scan and applet metrics:
• Scan Details
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Scan Status—State of the scan.
• Scan Start Time—Timestamp of when the scan started.
• Scan Duration—Period of time, in minutes and seconds, that the scan has been running.
• Scan Progress—How much of the scan has been completed, as a percentage and as an
IP address ratio.
• Detected Hosts—Number of hosts identified within the IP address ranges.
• Scan Rate—Number of IP addresses scanned per second.
• Applet Metrics
• Resources—The amount of CPU, Memory, and Disk space the applet is using.
Activate Pathfinder™
After you have configured and registered your broker VM, activate the Pathfinder application.
To activate Pathfinder, you must have a Cortex XDR Pro per Endpoint or Cortex XDR Pro
per TB license.
Pathfinder™ is a highly recommended but optional component integrated with the Broker VM
that deploys a non-persistent data collector on network hosts, servers, and workstations that
are not managed by a Cortex XDR agent. The collector is automatically triggered by Analytics
type alerts with a severity of High or Medium, as described in the Cortex XDR Analytics Alert
Reference, providing insights into assets that you would previously be unable to scan.
When an alert is triggered, the data collector can run for up to 2 weeks gathering EDR data
from unmanaged hosts. You can track and manage the collector directly from the Cortex XDR
console, and investigate the EDR data by running a query from the Query Center.
Cortex XDR supports activating Pathfinder on Windows operating systems with PowerShell
version 3 and above, excluding vanilla Windows 7.
Activate the Pathfinder app to deploy and query the data collector.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs and locate your
broker VM.
As of broker VM version 9.0 and later, you can configure Pathfinder to access target hosts
using credentials stored in your CyberArk vault.
When selecting Kerberos, the broker VM must be able to reach your domain controllers
over port 88 in order to acquire the authentication ticket. Kerberos is recommended for
better security.
• Define the access credentials using either Domain Credentials or your CyberArk AAM
parameters.
To define the access credentials, enter:
• User Name—User name used by Pathfinder to access your target host.
• Password—Password used by Pathfinder to access your target host.
Because this account is used to run a collector on every targeted host, use a dedicated
account scoped to those hosts rather than a highly privileged domain account.
To allow Pathfinder to use credentials stored in your CyberArk vault, enter the
following parameters. Make sure you are following the CyberArk guidelines.
• URL—Your CyberArk AAM URL address.
• Port—Your CyberArk AAM port number.
• App ID—The application ID configured in your CyberArk AAM. The ID allows access
to the path where credentials are stored in the CyberArk vault.
• Query—Define the CyberArk AAM path to the credentials required by Pathfinder
to access the host. Make sure you are following the CyberArk formatting
guidelines.
• Browse for the Client Certificate, Client Key, and CA Certificate you use to
identify the broker VM to CyberArk. Cortex XDR will notify you when your certificates
are about to expire.
Credentials are not stored on the broker VM; Pathfinder queries CyberArk
each time according to the defined parameters.
• Test the credentials and Pathfinder permissions to ensure the broker VM can
successfully collect data from your defined hosts.
Testing may take a few minutes to complete but ensures that Pathfinder can
indeed deploy a data collector.
Select Next.
2. Define the data collector settings.
• Select the Targets on which to deploy the data collector. Target types are detected
according to the operating system.
• All—Deploy on all assets within your network.
• Servers—Deploy only on servers.
• Workstations—Deploy only on workstations.
• Define the Proxy Settings.
By default, the proxy settings are disabled and collected data is sent directly to the cloud.
If you want to enable the proxy, select one of the following options:
• Use Agent Proxy Settings—Collected data is routed using the settings
provided in the Agent Proxy applet. The Agent Proxy applet must be enabled for this
setting to work.
• Use Custom Proxy—Define the IP address and port through which to route the data.
Select Next.
3. Select the IP Address Ranges to scan from your defined Network Configurations and
deploy the data collector. You can Add IP Address Ranges if you don't see a range in the
populated list.
By default, every IP address range uses the Pathfinder credentials and settings you
defined in the Credentials section, and is labeled as an Applet Configuration.
If you want to configure other credentials for a specific range, use the right pane to override
the settings. IP address ranges you edit are labeled as a Custom Configuration. Make
sure to Test the credentials for this specific range.
The Pathfinder configuration must contain at least one IP address range to run.
To avoid collisions, an IP address range can only be associated with one Pathfinder
applet.
STEP 4 | In the Apps field, select Pathfinder to view the following applet metrics:
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Handled Tasks—How many collectors are in progress, pending, or successfully running, out
of the number of collectors that need to be set up.
• Failed Tasks—How many collectors have failed.
• Resources—The amount of CPU, Memory, and Disk space the applet is using.
The data collector is only deployed on unmanaged hosts. If you want to install the
Cortex XDR agent on an unmanaged host, you must first remove the collector.
• Running
• Completed
• Failed
• Removed
The Windows Event Forwarder (WEF), a WinRM plugin, runs under the Network Service account. You
therefore need to install the relevant certificate on each WEF and grant that account access to
the private key used for client certificate authentication to the Windows Event Collector (WEC).
You can also activate the Windows Event Collector on Windows Core. For more
information, see Activate the Windows Event Collector on Windows Core.
Ensure you meet the following prerequisites before activating the collector:
• Cortex XDR Pro per TB license
• Broker VM version 8.0 and later
• You have knowledge of Windows Active Directory and Domain Controllers.
• The Broker VM is registered in DNS, its FQDN is resolvable from the event forwarders
(Windows servers), and the Broker VM FQDN is configured. For more information on
configuring the Broker VM FQDN, see Edit Your Broker VM Configuration.
• Windows Server 2012 R2 or later.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VM and locate your
broker VM.
STEP 3 | In the Windows Event Collection Configuration window, define the following.
Define the events collected by the applet. This lists the event sources from which you want to
collect events.
• Source—Select from the pre-populated list of the most common event sources on
Windows Servers. The event source is the name of the software that logs the events.
A source provider can only appear once in your list. When selecting event sources,
depending on the type of event you want to forward, ensure the event source is enabled, for
example auditing of security events. If the source is not enabled, the source configuration in
the given row will fail.
• Min. Event Level—Minimum severity level of events that are collected.
• Event IDs Group—Whether to Include, Exclude, or collect All event ID groups.
• Event IDs—(Optional) Define specific event IDs or event ID ranges you want to collect.
Make sure to save each entry.
• Minimal TLS Version—Select either 1.0 or 1.2 (default) as the minimum TLS version allowed.
Verify that all Windows event forwarders support the defined minimum TLS version. Lower
the minimum to 1.0 only for forwarders that cannot negotiate TLS 1.2; TLS 1.0 is
deprecated and weakens the protection of the forwarded events in transit.
For example, to forward all Windows Event Collector events to the broker VM, define the
following:
• Source—ForwardedEvents
• Min. Event Level—Verbose
• Event IDs Group—All
By default, Cortex XDR collects Palo Alto Networks predefined Security events that are
used by the Cortex XDR detectors. Removing the Security collector interferes with the
Cortex XDR detection functionality. Use Restore to Default to reinstate the Security event
collection.
STEP 5 | In the Windows Event Forwarder Configuration window, perform the following tasks.
1. Copy the Subscription Manager URL. You will use it when you configure the
subscription manager in the Group Policy Object (GPO) on your domain controller.
2. Define the Client Certificate Export Password used to protect the downloaded WEF
certificate, which establishes the connection between your DC/WEF and the WEC. You
will need this password when the certificate is imported on the event forwarder.
3. Download the WEF certificate in PFX format to your local machine.
The PFX contains the client private key: keep the file and the export password apart, and
delete the PFX from the local machine once it has been imported on every forwarder.
To view your Windows Event Forwarding configuration details at any time, select your
Broker VM, right-click, and navigate to Windows Event Collector > Configure Forwarder.
Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days
prior to the expiration date. The notification is sent daily, specifying the number of days left on
the certificate, or that the certificate has already expired.
You must install the WEF certificate on every Windows Server, whether DC or not, for
the WEFs that are supposed to forward logs to the Windows Event Collector applet on
the broker VM.
1. Locate the PFX file you downloaded from the Cortex XDR console and double-click it to
open the Certificate Import Wizard.
2. In the Certificate Import Wizard:
1. Select Local Machine followed by Next.
2. Verify that the File name field displays the PFX certificate file you downloaded and select
Next.
3. In the Password field, specify the Client Certificate Export Password you defined in
the Cortex XDR console, followed by Next.
4. Select Automatically select the certificate store based on the type of certificate,
followed by Next and Finish.
3. From a command prompt, run certlm.msc.
4. In the console tree, navigate to Certificates and verify the following for each of the
folders:
• In the Personal > Certificates folder, ensure the certificate
forwarder.wec.paloaltonetworks.com appears.
• In the Trusted Root Certification Authorities > Certificates folder, ensure the CA
ca.wec.paloaltonetworks.com appears.
5. Navigate to Certificates > Personal > Certificates.
6. Right-click the certificate and navigate to All Tasks > Manage Private Keys.
7. In the Permissions window, select Add, and in the Enter the object names section, specify
NETWORK SERVICE followed by Check Names to verify the object name. The object
name is displayed underlined when valid. Select OK.
8. Select OK, verify that the Group or user names appear, and then apply the permissions for the
private key. Read permission is sufficient for WinRM to use the key; do not grant Full control.
STEP 7 | Add the Network Service account to the domain controller Event Log Readers group.
1. To enable event forwarders to forward events, the Network Service account must be
a member of the Active Directory Event Log Readers group. In PowerShell on the domain
controller that is acting as the event forwarder, add the account to the group.
Make sure you grant access on each of your domain controller hosts.
STEP 8 | Create a WEF Group Policy that applies to every Windows server you want to configure as a
WEF.
1. In a command prompt, open gpmc.msc.
2. In the Group Policy Management window, navigate to Domains > your domain name >
Group Policy Objects, right-click, and select New.
3. In the New GPO window, enter the group policy Name Windows Event
Forwarding, followed by OK.
4. Navigate to Domains > your domain name > Group Policy Objects > Windows Event
Forwarding, right-click, and select Edit.
configured on your domain controller. In addition, ensure that all relevant
audit events that you want collected, such as the success and failure of account logons
(Windows Event ID 4625 records a failed logon), are properly configured, particularly for those
that you want Cortex XDR to apply grouping and analytics inspection to.
the following audit events, select Success and Failure, followed by Apply and
OK.
Repeat for Audit Kerberos Service Ticket Operations.
6. Configure the subscription manager.
Navigate to Computer Configuration > Policies > Administrative Templates: Policy
definitions > Windows Components > Event Forwarding, right-click Configure target
Subscription Manager, and select Edit.
You must type out the name; do not select the name from the browse button.
• Select Apply and OK to save your changes, and close the Group Policy Management
Editor window.
8. Configure the Windows Firewall.
If Windows Firewall is enabled on your event forwarders with an outbound policy that
blocks traffic by default, you have to define an outbound rule that allows the WEF to reach
port 5986 on the WEC. (The default outbound action of Windows Firewall is Allow, in
which case no rule is needed.)
In the Group Policy Management window, select Computer Configuration > Policies >
Windows Settings > Security Settings > Windows Firewall with Advanced Security >
Outbound Rules, right-click, and select New Rule.
In the New Outbound Rule Wizard, define the following:
1. Rule Type—Select Port, followed by Next.
2. Protocols and Ports—Select TCP and in the Specific Remote Ports field enter 5986,
followed by Next.
3. Action—Select Allow the connection, followed by Next.
4. Profile—Select Domain and clear Private and Public, followed by Next.
5. Name—Specify Windows Event Forwarding.
6. Select Finish to save your configuration.
STEP 12 | (Optional) In the Apps field, select Windows Event Collector to view the following applet
metrics.
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Logs Received and Logs Sent—Number of logs received and sent by the applet per second
over the last 24 hours. If the number of logs received is larger than the number of
logs sent, it could indicate a connectivity issue.
• Resources—The amount of CPU, Memory, and Disk space the applet is using.
STEP 3 | In the Windows Event Collection Configuration window, define the following.
Define the events collected by the applet. This lists the event sources from which you want to
collect events.
• Source—Select from the pre-populated list of the most common event sources on
Windows Servers. The event source is the name of the software that logs the events.
A source provider can only appear once in your list. When selecting event sources,
depending on the type of event you want to forward, ensure the event source is enabled, for
example auditing of security events. If the source is not enabled, the source configuration in
the given row will fail.
• Min. Event Level—Minimum severity level of events that are collected.
• Event IDs Group—Whether to Include, Exclude, or collect All event ID groups.
• Event IDs—(Optional) Define specific event IDs or event ID ranges you want to collect.
Make sure to save each entry.
• Minimal TLS Version—Select either 1.0 or 1.2 (default) as the minimum TLS version allowed.
Verify that all Windows event forwarders support the defined minimum TLS version.
For example, to forward all Windows Event Collector events to the broker VM, define the
following:
• Source—ForwardedEvents
• Min. Event Level—Verbose
• Event IDs Group—All
By default, Cortex XDR collects Palo Alto Networks predefined Security events that are
used by the Cortex XDR detectors. Removing the Security collector interferes with the
Cortex XDR detection functionality. Use Restore to Default to reinstate the Security event
collection.
STEP 5 | In the Windows Event Forwarder Configuration window, perform the following tasks.
1. Copy the Subscription Manager URL. You will use it when you configure the
subscription manager in the Group Policy Object (GPO) on your domain controller.
2. Define the Client Certificate Export Password used to protect the downloaded WEF
certificate, which establishes the connection between your DC/WEF and the WEC. You
will need this password when the certificate is imported on the event forwarder.
3. Download the WEF certificate in PFX format to your local machine.
To view your Windows Event Forwarding configuration details at any time, select your
Broker VM, right-click, and navigate to Windows Event Collector > Configure Forwarder.
Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days
prior to the expiration date. The notification is sent daily, specifying the number of days left on
the certificate, or that the certificate has already expired.
2. Copy the PFX file that you downloaded to the local Core machine in one of the following
ways.
• If you are able to RDP to your server, open Notepad and select File > Open to copy
and paste files from your local machine directly to the server. If you have any local
drives mapped through the RDP options, the local drives are also displayed. We
recommend this method as it is the simplest.
• If you have enabled WinRM for remote PowerShell execution, you can copy the file
over a PowerShell session with Copy-Item -ToSession, for example (replace the
placeholders with your local path and the Core server name):
$session = New-PSSession -ComputerName <core-server-name>
Copy-Item -Path '<local-path>\temp\forwarder.wec.paloaltonetworks.com.pfx' -Destination '<path-on-core-server>\forwarder.wec.paloaltonetworks.com.pfx' -ToSession $session
• Use SSH on Server Core. This includes enabling the OpenSSH server on the Core host and
using WinSCP to drag and drop the PFX file.
• Use SMB to open the administrative share c$ on the server, for example \\server1\c$. You
can only use this option if you are an administrator and the firewall on your network does
not block file sharing.
You can also launch PowerShell and run the following command to copy the file from
your local computer to the remote server's administrative share using SMB, for example:
Copy-Item -Path '<local-path>\forwarder.wec.paloaltonetworks.com.pfx' -Destination '\\windows-core-server\c$\forwarder.wec.paloaltonetworks.com.pfx'
You will need to enter the Client Certificate Export Password you defined in the Cortex
XDR console.
When the import is complete, a success message is displayed.
To verify that the certificate was imported into the local machine Personal store, run:
certutil -store My
or, in PowerShell, list the store contents (read-only access is enough for listing):
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$store.Open("ReadOnly")
$store.Certificates
$store.Close()
$thumbprint = '<thumbprint of forwarder.wec.paloaltonetworks.com from certutil -store My>'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$store.Open("ReadWrite")
$cert = $store.Certificates | where {$_.Thumbprint -eq $thumbprint}
# Rebuild the CSP key-container parameters of the certificate's private key and add a Read rule for NETWORK SERVICE
$info = $cert.PrivateKey.CspKeyContainerInfo
$csp = New-Object System.Security.Cryptography.CspParameters($info.ProviderType, $info.ProviderName, $info.KeyContainerName)
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]'UseExistingKey, UseMachineKeyStore'
$csp.CryptoKeySecurity = $info.CryptoKeySecurity
$access = New-Object System.Security.AccessControl.CryptoKeyAccessRule("NT AUTHORITY\NETWORK SERVICE", "GenericRead", "Allow")
$csp.CryptoKeySecurity.AddAccessRule($access)
$null = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)   # re-opening the container applies the new ACL
3. After the script runs, validate that the permissions are now set correctly.
STEP 7 | Add the Network Service account to the domain controller Event Log Readers group.
1. To enable event forwarders to forward events, the Network Service account must be
a member of the Active Directory Event Log Readers group. In PowerShell on the domain
controller that is acting as the event forwarder, add the account to the group.
Make sure you grant access on each of your domain controller hosts.
STEP 8 | Create a WEF Group Policy that applies to every Windows server you want to configure as a
WEF.
Because the Group Policy Management Console is not available on Core servers, it is not possible
to fully edit a Group Policy Object (GPO) there, either with PowerShell or using a web solution. As
a result, follow this alternative method, which configures the group policy from
another Windows DC that has the console.
1. Use any DC that has the Group Policy Management Console available in the same
domain as the Core server, and verify the connection between the servers with a simple
ping.
2. Run cmd as an administrator.
3. Open the Group Policy Management Console (gpmc.msc).
4. In the Group Policy Management window, navigate to Domains > your domain name >
Group Policy Objects, right-click, and select New.
5. In the New GPO window, enter the group policy Name Windows Event
Forwarding, followed by OK.
6. Navigate to Domains > your domain name > Group Policy Objects > Windows Event
Forwarding, right-click, and select Edit.
such as Kerberos, you should ensure all relevant audit events for authentication are
configured on your domain controller. In addition, ensure that all relevant
audit events that you want collected, such as the success and failure of account logons
(Windows Event ID 4625 records a failed logon), are properly configured, particularly for those
that you want Cortex XDR to apply grouping and analytics inspection to.
the following audit events, select Success and Failure, followed by Apply and
OK.
Repeat for Audit Kerberos Service Ticket Operations.
8. Configure the subscription manager.
Navigate to Computer Configuration > Policies > Administrative Templates: Policy
definitions > Windows Components > Event Forwarding, right-click Configure target
Subscription Manager, and select Edit.
You must type out the name; do not select the name from the browse button.
• Select Apply and OK to save your changes, and close the Group Policy Management
Editor window.
10. Configure the Windows Firewall.
If Windows Firewall is enabled on your event forwarders with an outbound policy that
blocks traffic by default, you have to define an outbound rule that allows the WEF to reach
port 5986 on the WEC. (The default outbound action of Windows Firewall is Allow, in
which case no rule is needed.)
In the Group Policy Management window, select Computer Configuration > Policies >
Windows Settings > Security Settings > Windows Firewall with Advanced Security >
Outbound Rules, right-click, and select New Rule.
In the New Outbound Rule Wizard, define the following:
1. Rule Type—Select Port, followed by Next.
2. Protocols and Ports—Select TCP and in the Specific Remote Ports field enter 5986,
followed by Next.
3. Action—Select Allow the connection, followed by Next.
4. Profile—Select Domain and clear Private and Public, followed by Next.
5. Name—Specify Windows Event Forwarding.
6. Select Finish to save your configuration.
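The forwarder-side steps above, both in the procedure for servers with a desktop (certificate import, Event Log Readers membership, subscription manager, firewall rule) and in the Server Core procedure, can be carried out and checked from one elevated PowerShell session on the forwarder. The following script is an added example and is not part of the Cortex XDR guide or product. The broker FQDN, the PFX path, the export password placeholder and the subscription manager string are assumptions: copy the real Subscription Manager URL from the Cortex XDR console. The registry value it writes is the one the GPO setting "Configure target Subscription Manager" writes, so use the GPO for a domain-wide rollout and this script for a single host or for verification. Granting NETWORK SERVICE read access to the private key is done as described in STEP 6 above and is not repeated here.

```powershell
# Added example (not from the Cortex XDR guide): prepare a Windows Server (GUI or Core)
# as a WEF client of the broker VM's Windows Event Collector, and check the result.
# Run elevated. $BrokerFqdn, $PfxPath, $PfxPassword and $SubscriptionManager are
# assumptions; copy the real Subscription Manager URL from the Cortex XDR console.
param(
    [string]$BrokerFqdn          = 'broker01.corp.example.com',
    [string]$PfxPath             = 'C:\temp\forwarder.wec.paloaltonetworks.com.pfx',
    [string]$PfxPassword         = '<Client Certificate Export Password>',
    [string]$SubscriptionManager = 'Server=https://broker01.corp.example.com:5986/wsman/SubscriptionManager/WEC,Refresh=60'
)
$ErrorActionPreference = 'Stop'

# 1. Name resolution and reachability: the WEF connects to the broker FQDN on TCP 5986.
$null = Resolve-DnsName -Name $BrokerFqdn
if (-not (Test-NetConnection -ComputerName $BrokerFqdn -Port 5986 -InformationLevel Quiet)) {
    throw "TCP 5986 to $BrokerFqdn is not reachable"
}

# 2. Import the PFX. certutil places the client certificate in Personal (My) and the
#    issuing CA in Trusted Root Certification Authorities.
certutil -f -p $PfxPassword -importPFX $PfxPath | Out-Null
$client = Get-ChildItem Cert:\LocalMachine\My   | Where-Object Subject -like '*forwarder.wec.paloaltonetworks.com*'
$ca     = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*ca.wec.paloaltonetworks.com*'
if (-not $client -or -not $ca) { throw 'WEF client certificate or WEC CA not found after import' }
"Client cert thumbprint: $($client.Thumbprint) (expires $($client.NotAfter))"

# 3. Event Log Readers: the WinRM forwarding plugin runs as NETWORK SERVICE. On a domain
#    controller this is the domain's built-in group, on a member server the local one;
#    'net localgroup' handles both. Only add when not already a member.
if (-not ((net localgroup "Event Log Readers") -match 'NETWORK SERVICE')) {
    net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add | Out-Null
}
if (-not ((net localgroup "Event Log Readers") -match 'NETWORK SERVICE')) {
    throw 'NETWORK SERVICE is not a member of Event Log Readers'
}

# 4. Subscription manager: the same registry value the GPO policy
#    "Configure target Subscription Manager" writes.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name '1' -Value $SubscriptionManager -PropertyType String -Force | Out-Null

# 5. Outbound firewall rule, only needed when the domain profile blocks outbound traffic.
if (-not (Get-NetFirewallRule -DisplayName 'Windows Event Forwarding' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Windows Event Forwarding' -Direction Outbound `
        -Protocol TCP -RemotePort 5986 -Action Allow -Profile Domain | Out-Null
}

# 6. The Schannel client side must not have TLS 1.2 disabled (collector default minimum is 1.2).
$tls12 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -ErrorAction SilentlyContinue
if ($tls12 -and ($tls12.Enabled -eq 0 -or $tls12.DisabledByDefault -eq 1)) {
    Write-Warning 'TLS 1.2 client is disabled; the forwarder cannot meet the collector minimum TLS version'
}

# 7. Restart WinRM so the forwarding plugin reads the subscription manager, then show the
#    forwarder's own log. Event ID 100 means the subscription was created successfully.
Set-Service -Name WinRM -StartupType Automatic
Restart-Service -Name WinRM
Start-Sleep -Seconds 15
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
```

If the forwarding plugin log shows errors instead of event ID 100, the usual causes are the private key permission from STEP 6 missing, the broker FQDN not matching the name in the WEC server certificate, or the forwarder negotiating a TLS version below the collector's minimum.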
STEP 12 | (Optional) In the Apps field, select Windows Event Collector to view the following applet
metrics.
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Logs Received and Logs Sent—Number of logs received and sent by the applet per second
over the last 24 hours. If the number of logs received is larger than the number of
logs sent, it could indicate a connectivity issue.
• Resources—The amount of CPU, Memory, and Disk space the applet is using.
After you receive a notification to renew your WEC CA certificate, we recommend
that you do not add any new WEF clients until the WEC certificate renewal process is
complete. Events from WEF clients that are added in the meantime will not be collected
by the server until the WEC certificates are renewed.
• In the Broker VMs page, the health status of the Windows Event Collector applet is yellow.
When you hover over the health status, a warning message is displayed indicating that
Your Windows Event Collector server certificate expires in X days.
• Until you renew your broker VM WEC server certificate, a warning message is displayed in the
Windows Event Forwarder Configurations window.
You must install the WEF certificate on every Windows Server, whether DC
or not, for the WEFs that are supposed to forward logs to the Windows Event
Collector applet on the broker VM.
1. Locate the PFX file you downloaded from the Cortex XDR console and double-click it to
open the Certificate Import Wizard.
2. In the Certificate Import Wizard:
1. Select Local Machine followed by Next.
2. Verify that the File name field displays the PFX certificate file you downloaded and
select Next.
3. In the Password field, enter the Client Certificate Export Password you defined in
the Cortex XDR console, followed by Next.
4. Select Automatically select the certificate store based on the type of certificate,
followed by Next and Finish.
3. From a command prompt, run certlm.msc.
4. In the console tree, navigate to Certificates and verify the following for each of the
folders:
• In the Personal > Certificates folder, ensure the certificate
forwarder.wec.paloaltonetworks.com appears.
• In the Trusted Root Certification Authorities > Certificates folder, ensure the CA
ca.wec.paloaltonetworks.com appears.
8. Select OK, verify that the Group or user names appear, and then apply the permissions for
the private key.
Perform this step only under the following conditions:
• You have completed the WEF certificate renewal process for ALL clients in your
environment. Otherwise, events from WEFs on which you did not install the new
client certificate will not be collected by the WEC.
• You are approaching the WEC server CA certificate expiration date, which is 2 years
after the Windows Event Collector applet activation, and receive a notification in
the Cortex XDR console.
1. In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs, and locate
your broker VM.
2. Right-click and select Windows Event Collector > Renew WEC Server Certificate.
3. Click Renew.
Once Cortex XDR renews the WEC server certificate, the status of the Windows Event
Collector on the Broker VMs page is Active, Connected, indicating the applet is
running. In addition, the health status of the Windows Event Collector applet is now
green instead of yellow, and the warning message that appeared when you hovered over
the health status no longer appears. Your WEC server certificate is issued with a lifespan
of 12 months.
We also suggest that you run the following query in XQL Search to verify that your event logs are being captured.
dataset = XDR_data
| filter _product = "Windows"
| fields _vendor, _product, action_evtlog_level, action_evtlog_event_id
| sort desc _time
| limit 20
If this query does not display results with a timestamp from after the renewal process, it could indicate that the renewal process is not complete, so wait a few minutes before running another query. If you are still having a problem, contact Technical Support.
Field Description
For AWS and Azure cloud environments, the field displays the Internal IP value.
manager. The Broker VM FQDN settings affect the WEC and Agent Installer and Content Caching.
• (Requires Broker VM 8.0 and later) (Optional) Internal Network
Specify a network subnet to avoid the broker VM Docker containers colliding with your internal network. By default, the Network Subnet is set to 172.17.0.1/16.
• Auto Upgrade
Enable or disable automatic upgrade of the broker VM. By default, auto upgrade is enabled at Any time for all 7 days of the week, but you can also set the Days in Week and Specific time for the automatic upgrades. If you disable auto upgrade, new features and improvements will require a manual upgrade.
• Monitoring
Enable or disable local monitoring of the broker VM usage statistics in Prometheus metrics format, allowing you to tap in and export data by navigating to http://<broker_vm_address>:9100/metrics/. By default, monitoring of your broker VM is disabled.
• (Optional) SSH Access
   • (For Broker VM 7.4.5 and earlier) Enable or disable SSH access for the Palo Alto Networks support team by using a Cortex XDR token.
   Enabling SSH access allows the Palo Alto Networks support team, not the customer, to connect to the broker VM remotely with the generated password. If you use SSL decryption in your firewalls, you need to add a trusted self-signed CA certificate on the broker VM to prevent any difficulties with SSL decryption. For example, when configuring Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the broker VM can validate the self-signed CA by uploading the cert_ssl-decrypt.crt file on the broker VM.
   Make sure you save the password before closing the window. The only way to regenerate a password is to disable SSH and re-enable it.
   • (Requires Broker VM 14.0.42 and later) Customize the login banner displayed when logging into SSH sessions on the broker VM by overwriting the default welcome message with a new one in the Welcome Message field. When the field is empty, the default message is used.
• Broker UI Password
Reset your current Broker VM Web UI password. Define and Confirm your new password. The password must be at least 8 characters.
• (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Server Certificate section, upload your signed server certificate and key to establish a validated secure SSL connection between your endpoints and the broker VM. When you configure the server certificate and the key files in the tenant UI, Cortex XDR automatically updates them in the Broker VM UI, even when the Broker VM UI is disabled.
Cortex XDR validates that the certificate and key match, but does not validate the Certificate Authority (CA).
STEP 2 | Locate your broker VM, right-click and select one of these options depending on the type of logs you want to download.
• Broker Management > Generate New Logs—Regenerates the most up-to-date logs and downloads them once they are ready.
• Broker Management > Download Logs (<TIMESTAMP>)—Downloads the logs from the last creation date reflected in the <TIMESTAMP> displayed. This option is only displayed when you’ve downloaded your logs previously using Generate New Logs.
Logs are generated automatically, but can take up to a few minutes depending on the size of the logs.
Reboot a Broker VM
Cortex XDR enables you to reboot your broker VM directly from the Cortex XDR management console.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs > Broker VMs table.
STEP 2 | Locate your broker VM, right-click and select Broker Management > Reboot VM.
STEP 2 | Locate your broker VM in the Broker VMs table, right-click, and select Broker Management > Shutdown VM.
Upgrade a Broker VM
You can upgrade any broker VM directly from the Cortex XDR management console.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs table.
STEP 2 | Locate your broker VM, right-click and select Broker Management > Upgrade Broker version.
Upgrading your broker VM takes approximately 5 minutes.
STEP 2 | Locate the broker VM you want to connect to, right-click and select Open Remote Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
• Logs
Broker VM logs are located in the /data/logs/ folder and contain the applet name in the file name. For example, the folder /data/logs/[applet name] contains container_ctrl_[applet name].log.
• Ubuntu Commands
Cortex XDR Broker VM supports all Ubuntu commands. For example, telnet 10.0.0.10 80 or ifconfig -a.
• Sudo Commands
Broker VM supports the commands listed in the following table. All the commands are located in the /home/admin/sbin folder.
Cortex XDR requires you to use the following values when running commands:
Applet Names
• CSV Collector—file_collector
• Database Collector—db_collector
• Files and Folders Collector—log_collector
• FTP Collector—ftp_collector
• Kafka Collector—kafka_collector
• Local Agent Settings—tms_proxy
• NetFlow Collector—netflow_collector
• Network Mapper—network_mapper
• Pathfinder—odysseus
• Syslog Collector—anubis
• Windows Event Collector—wec
Services
• Upgrade—zenith_upgrade
• Frontend service—webui
• Sync with Cortex XDR—cloud_sync
• Internal messaging service (RabbitMQ)—rabbitmq-server
• Upload metrics to Cortex XDR—metrics_uploader
• Prometheus node exporter—node_exporter
• Backend service—backend
The following table displays the available commands in alphabetical order.
Remove a Broker VM
Cortex XDR allows you to remove a broker VM directly from the Cortex XDR management console.
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs.
STEP 2 | Locate your broker VM, right-click and select Broker Management > Remove Broker.
Broker VM Notifications
To help you monitor your broker VM version and connectivity effectively, Cortex XDR sends notifications to your Cortex XDR console Notification Center.
Cortex XDR sends the following notifications:
• New Broker VM Version—Notifies when a new broker VM version has been released.
   • If the broker VM Auto Upgrade is disabled, the notification includes a link to the latest release information. It is recommended that you upgrade to the latest version.
   • If the broker VM Auto Upgrade is enabled, 12 hours after the release you are notified of the latest upgrade, or you are notified that the upgrade failed. In such a case, open a Palo Alto Networks Support Ticket.
• Broker VM Connectivity—Notifies when the broker VM has lost connectivity to Cortex XDR.
• Broker VM Disk Usage—Notifies when the broker VM is utilizing over 90% of the allocated disk space.
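The following Python script is an added example, not part of this guide, showing how the Prometheus-format metrics exposed at http://<broker_vm_address>:9100/metrics/ (when Monitoring is enabled) can be parsed to compute per-filesystem disk usage and flag mount points above the 90% level at which Cortex XDR raises the Broker VM Disk Usage notification. The metric names node_filesystem_size_bytes and node_filesystem_avail_bytes are the standard Prometheus node_exporter names and are assumed here to be what the broker VM's node_exporter service exposes; the metrics text is constructed sample data.

```python
"""Parse Prometheus text-format metrics and compute filesystem usage.

Added example for the broker VM Monitoring endpoint; the metrics below are
constructed sample data in node_exporter's exposition format.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of what http://<broker_vm_address>:9100/metrics/ returns.
# node_filesystem_size_bytes / node_filesystem_avail_bytes are standard
# node_exporter metric names (assumed to be exposed by the broker VM).
SAMPLE_METRICS = """\
# HELP node_filesystem_size_bytes Filesystem size in bytes.
# TYPE node_filesystem_size_bytes gauge
node_filesystem_size_bytes{device="/dev/sda1",fstype="ext4",mountpoint="/"} 2.0e+10
node_filesystem_size_bytes{device="/dev/sdb1",fstype="ext4",mountpoint="/data"} 1.0e+12
# HELP node_filesystem_avail_bytes Filesystem space available to non-root users in bytes.
# TYPE node_filesystem_avail_bytes gauge
node_filesystem_avail_bytes{device="/dev/sda1",fstype="ext4",mountpoint="/"} 1.2e+10
node_filesystem_avail_bytes{device="/dev/sdb1",fstype="ext4",mountpoint="/data"} 8.0e+10
node_filesystem_avail_bytes{device="tmpfs",fstype="tmpfs",mountpoint="/run"} 4.0e+08
"""

# One sample line: metric name, optional {label="value",...} block, value.
SAMPLE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

Sample = Tuple[str, Dict[str, str], float]


def parse_metrics(text: str) -> List[Sample]:
    """Return (name, labels, value) for each sample; comment lines are skipped."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m is None:
            continue  # not a sample line we understand; ignore it
        labels = dict(LABEL_RE.findall(m.group("labels") or ""))
        samples.append((m.group("name"), labels, float(m.group("value"))))
    return samples


def filesystem_usage(samples: List[Sample]) -> Dict[str, float]:
    """Percent used per mountpoint, derived from size and available bytes.

    Mountpoints that lack either metric are skipped rather than guessed.
    """
    size: Dict[str, float] = {}
    avail: Dict[str, float] = {}
    for name, labels, value in samples:
        mountpoint = labels.get("mountpoint")
        if mountpoint is None:
            continue
        if name == "node_filesystem_size_bytes":
            size[mountpoint] = value
        elif name == "node_filesystem_avail_bytes":
            avail[mountpoint] = value
    usage: Dict[str, float] = {}
    for mountpoint, total in size.items():
        if mountpoint in avail and total > 0:
            usage[mountpoint] = round(100.0 * (total - avail[mountpoint]) / total, 1)
    return usage


def over_threshold(usage: Dict[str, float], threshold: float = 90.0) -> List[str]:
    """Mountpoints above the threshold; 90% is the guide's notification level."""
    return sorted(mp for mp, pct in usage.items() if pct > threshold)


if __name__ == "__main__":
    usage = filesystem_usage(parse_metrics(SAMPLE_METRICS))
    for mp, pct in sorted(usage.items()):
        print(f"{mp:<8} {pct:5.1f}% used")
    print("over 90%:", over_threshold(usage))
```

Replacing SAMPLE_METRICS with the body fetched from the broker VM's metrics URL turns this into a local pre-check that can run on a tighter interval than the Notification Center.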
Cortex XDR Collectors
Cortex XDR provides an XDR Collectors configuration that is dedicated to on-premise data collection on Windows and Linux machines. The collector includes a dedicated installer, a collector upgrade configuration, content updates, and policy management.
Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. All customer data is stored in your deployment region, regardless of the IP address registration, and data transmission through any infrastructure is restricted to that region. For considerations, see Plan Your Cortex XDR Deployment.
Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex XDR tenant and <region> is the region in which your Cortex Data Lake is deployed. For supported regions, see Plan Your Cortex XDR Deployment.
Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.
• Required Resources by Region
• Required Resources for Federal (United States - Government)
For IP address ranges in GCP, refer to the following lists for IP address coverage for your deployment.
• https://www.gstatic.com/ipranges/goog.json—Refer to this list to look up and allow access to the IP address range subnets.
• https://www.gstatic.com/ipranges/cloud.json—Refer to this list to look up and allow access to the IP address ranges associated with your region.
FQDN: distributions.traps.paloaltonetworks.com
• IP address—35.223.6.69
• Port—443
App-ID: traps-management-service
Used for the first request in the registration flow, where the agent passes the distribution id and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com of its tenant.

FQDN: api-<xdr-tenant>.xdr.federal.paloaltonetworks.com
• IP address—130.211.195.231
• Port—443
App-ID: —
Used for API requests and responses.
To move existing XDR Collectors between Cortex XDR managing servers, you need to first Uninstall the XDR Collector from the collector machine and then create a new installation package for the new XDR Collector.
STEP 3 | Enter a unique Name and an optional Description to identify the installation package.
The package Name must be no more than 100 characters and can contain letters, numbers, hyphens, underscores, commas, and spaces.
STEP 4 | Select the Platform for which you want to create the installation package as either Windows or Linux.
Since Cortex XDR relies on the installation package ID to approve XDR Collector registration during install, it is not recommended to delete the installation package for any active on-premise collector machines. Hiding the installation package removes it from the default list of available installation packages, which can be useful to eliminate confusion in the XDR Collectors console main view. These hidden installation packages can be viewed by removing the default filter.
• Copy text to clipboard to copy the text from a specific field in the row of an installation package.
• Hide installation packages. Using the Hide option provides a quick method to filter out results based on a specific value in the table. You can also use the filters at the top of the page to build a filter from scratch. To create a persistent filter, save it.
When the package is executed using the MSI, an installation log is generated in %TEMP%\MSI<Random characters>.log by default.
STEP 1 | With Administrator level privileges, run the MSI file that you downloaded in Cortex XDR on the collector machine.
The installer displays a welcome dialog.
STEP 3 | Select I accept the terms in the License Agreement and click Next.
STEP 6 | After you complete the installation, verify the Cortex XDR Collector can establish a connection.
If the Cortex XDR Collector does not connect to Cortex XDR, verify your Internet connection on the collector machine. If the XDR Collector still does not connect, verify the installation package has not been removed from the Cortex XDR management console.
Before completing this task, ensure that you create and download a Cortex XDR Collector installation package in Cortex XDR.
To install Cortex XDR Collectors using Msiexec:
STEP 1 | Use one of the following methods to open a command prompt as an administrator.
• Select Start > All Programs > Accessories. Right-click Command prompt and Run as administrator.
• Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.
STEP 2 | Run the msiexec command followed by one or more supported options and properties.
For example:
msiexec /i XDRCollector-Win_x64.msi DATA_PATH=c:\data PROXY_LIST=2.2.2.2:8888,1.1.1.1:8080 /quiet /l*v c:\installlog.txt
Before completing this task, ensure that you create and download a Cortex XDR Collector installation package.
To install the Cortex XDR Collectors installation package for Linux:
STEP 1 | Log on to the Linux server.
For example:
user@local ~ $ ssh root@ubuntu.example.com
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1041-aws x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage
Additional options are available to help you customize your installation if needed. The following table describes common options and parameters.
If you are using rpm or deb installers, you must also add these parameters to the /etc/panw/collector.conf file prior to installation.
Option Description
--proxy-list "My.Network.Name:8080, 10.196.20.244:8080"
--data-path=/tmp/xdrLog
If the Cortex XDR Collector does not connect to Cortex XDR, verify your Internet connection on the collector machine. If the XDR Collector still does not connect, verify the installation package has not been removed from the Cortex XDR management console.
The Cortex XDR Collector keeps the name of the original installation package after every upgrade.
STEP 5 | Upgrade.
Cortex XDR distributes the installation package to the selected collector machine at the next heartbeat communication with the XDR Collector. To monitor the status of the upgrades, go to Response > Action Center. From the Action Center you can also view additional information about the upgrade (right-click the action and select Additional data) or cancel the upgrade (right-click the action and select Cancel Collector Upgrade).
STEP 4 | To proceed, select I agree to confirm that you understand this action uninstalls the XDR Collector on all selected collector machines.
STEP 3 | Right-click anywhere in the collector machine rows, and select Change Collector Alias.
STEP 5 | Use the Quick Launcher to search the collector machines by alias across the Cortex XDR Collectors console.
STEP 3 | Specify a Group Name and optional Description to identify the collector machine group. The name you assign to the group will be visible when you assign endpoint security profiles to endpoints.
STEP 4 | Determine the collector machine properties for creating a collector machine group:
• Dynamic—Use the filters to define the criteria you want to use to dynamically populate a collector machine group. Dynamic groups support multiple criteria selections and can use AND or OR operators. For collector machine names and aliases, and domains, you can use * to match any string of characters. As you apply filters, Cortex XDR displays any registered collector machine matches to help you validate your filter criteria.
• Static—Select specific registered collector machines that you want to include in the collector machine group. Use the filters, as needed, to reduce the number of results.
When you create a static collector machine group from a file, the IP address, hostname, or alias of the collector machine must match an existing Cortex XDR Collector that has registered with Cortex XDR.
Disconnecting Directory Sync in your Cortex XDR deployment can affect existing collector machine groups and policy rules based on Active Directory properties.
You can add a Cortex XDR Collector profile, which defines the data that is collected from the collector machine for either a Windows or Linux platform. Data collection from a collector machine is configured using Elasticsearch* Filebeat in the Elasticsearch Filebeat default configuration file called filebeat.yml, which is included as part of the XDR Collector Profile configuration. Cortex XDR supports using Filebeat version 7.17.1 with the different operating systems listed in the Elasticsearch Support Matrix that conform to the collector machine operating systems supported by Cortex XDR. Cortex XDR supports the various input types and modules available in Elasticsearch Filebeat. For more information on the input types supported, see Configure Filebeat Inputs in Elasticsearch. For more information on the modules supported, see Configure Filebeat Modules in Elasticsearch.
The XDR Collector profile is also where you can configure whether to implement an automatic upgrade for the Cortex XDR Collector release. Once you have added an XDR Collector profile, you need to associate the profile with a particular policy for a collector machine.
For more information on Elasticsearch Filebeat, see the Elasticsearch Filebeat Overview Documentation.
STEP 1 | In Cortex XDR, select Settings > Configurations > XDR Collectors > Profiles.
STEP 2 | Select the platform for the collector machine that you want to create a profile for.
• For Windows—Select +New Profile > Windows Profile.
• For Linux—Select +New Profile > Linux Profile.
The configuration settings are the same for both Windows and Linux.
processors:
  - add_fields:
      fields:
        vendor: <Vendor>
        product: <Product>
• Cortex XDR collects all logs in either a JSON or text format that are uncompressed. Compressed files, such as in a gzip format, are unsupported.
• Cortex XDR supports logs in single line format or multiline format. For more information on handling messages that span multiple lines of text in Elasticsearch Filebeat, see Manage Multiline Messages.
For more information on how to configure the Filebeat configuration file to collect Windows DHCP logs, see Ingest Windows DHCP Logs with an XDR Collectors Profile.
STEP 6 | Create your new profile, which is listed under the applicable platform in the XDR Collectors Profiles page.
* Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
You can configure Cortex XDR to receive Windows DHCP logs using Elasticsearch Filebeat with the following data collectors.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
When defining data collection in an XDR Collector profile using the Elasticsearch Filebeat configuration file editor, you can configure whether the data collected undergoes follow-up processing in the backend within the filebeat.yml file for Windows DHCP data. You can enrich network logs with Windows DHCP data when defining data collection in an XDR Collector profile. Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search using the Windows DHCP XQL dataset (microsoft_dhcp_raw).
While this enrichment is also available when configuring a Windows DHCP Collector for a cloud data collection integration, we recommend configuring Cortex XDR to receive Windows DHCP logs with an XDR Collectors profile, as it is the ideal setup configuration.
Configure Cortex XDR to receive logs from Windows DHCP via Elasticsearch Filebeat with an XDR Collectors profile.
STEP 1 | Add an XDR Collector Profile.
Follow all the steps explained in this section; you only need to ensure that you configure the Filebeat configuration file as explained in the following step.
STEP 2 | Configure the Filebeat configuration file to collect Windows DHCP data.
When defining data collection in an XDR Collector profile using the Elasticsearch Filebeat configuration file editor, you can configure whether the data collected undergoes follow-up processing in the backend within the filebeat.yml file for Windows DHCP data. You can enrich network logs with Windows DHCP data when defining data collection by setting the following section and tags in the filebeat.yml file.
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - drop_event.when.not.regexp.message: "^[0-9]+,.*"
  - dissect:
      tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"
  - drop_fields:
      fields: ["message"]
  - add_locale: ~
  - rename:
      fields:
        - from: "event.timezone"
          to: "dissect.timezone"
      ignore_missing: true
      fail_on_error: false
  - add_tags:
      tags: [windows_dhcp]
      target: "xdr_log_type"
Ingesting logs and data requires a Cortex XDR Pro per TB license.
To receive Windows DHCP logs, you must configure data collection from Windows DHCP via Elasticsearch Filebeat. This is configured by setting up a Windows DHCP Collector in Cortex XDR and installing and configuring an Elasticsearch* Filebeat agent on your Windows DHCP Server. Cortex XDR supports using Filebeat up to version 8.0.1 with the Windows DHCP Collector.
Certain settings in the Elasticsearch Filebeat default configuration file called filebeat.yml must be populated with values provided when you configure the Collection Integrations settings in Cortex XDR for the Windows DHCP Collector. To help you configure the filebeat.yml correctly, Cortex XDR provides an example file that you can download and customize. After you set up collection integration, Cortex XDR begins receiving new logs and data from the source. For more information on configuring the filebeat.yml file, see the Elastic Filebeat Documentation.
Windows DHCP logs are stored as CSV (comma-separated values) log files. The logs rotate by day (DhcpSrvLog-<day>.log), and each file contains two sections: Event ID Meaning and the events list.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Windows DHCP XQL dataset (microsoft_dhcp_raw). Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search using the Windows DHCP XQL dataset.
Configure Cortex XDR to receive logs from Windows DHCP via Elasticsearch Filebeat with the Windows DHCP collector.
• Filebeat inputs—Define the paths to crawl and fetch. The code below provides an example of how to configure the Filebeat inputs section in the filebeat.yml file with these paths configured.
• Elasticsearch Output—Set the hosts and api_key, where both of these values are obtained when you configured the Windows DHCP Collector in Cortex XDR as explained in Step #1. The code below provides an example of how to configure the Elasticsearch Output section in the filebeat.yml file and indicates which settings need to be obtained from Cortex XDR.
how to configure the Processors section in the filebeat.yml file and indicates which settings need to be obtained from Cortex XDR.
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - drop_event.when.not.regexp.message: "^[0-9]+,.*"
  - dissect:
      tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"
  - drop_fields:
      fields: ["message"]
  - add_locale: ~
  - rename:
      fields:
        - from: "event.timezone"
          to: "dissect.timezone"
      ignore_missing: true
      fail_on_error: false
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
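To make the processor chain above concrete, here is an added Python example (not from this guide or from Elastic) that applies the same logic to a constructed DhcpSrvLog-<day>.log excerpt: it drops every line that does not match ^[0-9]+,.* (which removes the Event ID Meaning section and the CSV header line), dissects the remaining lines into the 19 fields named in the tokenizer, drops the raw message, tags each event xdr_log_type: windows_dhcp, and finally builds the IP-to-hostname/MAC mapping that the enrichment of network logs described in this section relies on. The sample log lines are constructed; the field and tag names come from the filebeat.yml excerpts in both Windows DHCP procedures.

```python
"""Emulate the filebeat.yml processor chain for Windows DHCP logs.

Added example; the log excerpt is constructed. Field names follow the dissect
tokenizer and the tag follows the add_tags processor shown in the guide.
"""
import re
from typing import Any, Dict, List, Optional

# Field order from the dissect tokenizer (19 comma-separated fields).
DHCP_FIELDS = [
    "id", "date", "time", "description", "ipAddress", "hostName",
    "macAddress", "userName", "transactionID", "qResult", "probationTime",
    "correlationID", "dhcid", "vendorClassHex", "vendorClassASCII",
    "userClassHex", "userClassASCII", "relayAgentInformation", "dnsRegError",
]

# Same pattern as: drop_event.when.not.regexp.message: "^[0-9]+,.*"
EVENT_LINE_RE = re.compile(r"^[0-9]+,.*")

# Constructed excerpt of a DhcpSrvLog-<day>.log. The "Event ID Meaning"
# section and the CSV header precede the events list, as the guide describes.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
00,05/27/22,00:00:05,Started,,,,,0,6,,,,,,,,,0
10,05/27/22,08:14:33,Assign,10.1.2.50,ws-finance-07.corp.example,AABBCCDDEEFF,,1234567,0,,,,,,,,,0
11,05/27/22,09:01:12,Renew,10.1.2.51,printer-3f.corp.example,001122334455,,1234568,0,,,,,,,,,0
"""


def dissect_dhcp_line(message: str) -> Optional[Dict[str, str]]:
    """Split one event line into the tokenizer's fields.

    Returns None when the field count does not match, which is how a
    dissect failure would surface in Filebeat.
    """
    parts = message.rstrip("\r\n").split(",")
    if len(parts) != len(DHCP_FIELDS):
        return None
    return dict(zip(DHCP_FIELDS, parts))


def process_dhcp_log(text: str) -> List[Dict[str, Any]]:
    """Apply drop_event -> dissect -> drop_fields(message) -> add_tags."""
    events: List[Dict[str, Any]] = []
    for message in text.splitlines():
        if not EVENT_LINE_RE.match(message):
            continue  # drop_event: header, blank and Event ID Meaning lines
        fields = dissect_dhcp_line(message)
        if fields is None:
            continue  # malformed row; skip rather than emit half-parsed data
        event: Dict[str, Any] = dict(fields)  # drop_fields: message is not kept
        event["xdr_log_type"] = ["windows_dhcp"]  # add_tags with target
        events.append(event)
    return events


# Event IDs that carry a lease binding (Assign and Renew in the DHCP log).
LEASE_EVENT_IDS = {"10", "11"}


def build_lease_map(events: List[Dict[str, Any]]) -> Dict[str, Dict[str, str]]:
    """IP -> {hostName, macAddress} from lease events; later events win.

    This is the mapping the enrichment of network logs with hostnames and
    MAC addresses depends on.
    """
    leases: Dict[str, Dict[str, str]] = {}
    for event in events:
        if event["id"] in LEASE_EVENT_IDS and event["ipAddress"]:
            leases[event["ipAddress"]] = {
                "hostName": event["hostName"],
                "macAddress": event["macAddress"],
            }
    return leases


if __name__ == "__main__":
    parsed = process_dhcp_log(SAMPLE_LOG)
    print(f"{len(parsed)} events kept after drop_event/dissect")
    for ip, info in sorted(build_lease_map(parsed).items()):
        print(f"{ip:<12} {info['hostName']:<30} {info['macAddress']}")
```

Running the script against a real DhcpSrvLog file before enabling the profile is a quick way to confirm the regex keeps every event row and that the field count matches the tokenizer on your server's log format.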
STEP 4 | After Cortex XDR begins receiving logs from Windows DHCP via Elasticsearch Filebeat, you can use the XQL Search to search for logs in the new dataset (microsoft_dhcp_raw).
* Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
STEP 4 | Set the Target settings in the XDR Collectors Endpoints screen.
Use the filters to assign the policy to one or more collector machines (endpoints) or collector machine (endpoint) groups.
Cortex XDR automatically applies a filter for the platform you selected. To change the platform, go Back to the general policy settings.
STEP 7 | In the XDR Collectors Policies table, change the policy position, if needed, to order the policy relative to other policies.
The Cortex XDR Collector evaluates policies from top to bottom. When the Cortex XDR Collector finds the first match, it applies that policy as the active policy. To move the policy order, select the arrows and drag the policy to the desired location in the policy hierarchy.
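The following Python model is an added example, not Cortex XDR's implementation, that ties together the dynamic group criteria described in the collector machine group steps (AND/OR operators, * matching any string of characters in names, aliases and domains) with the top-to-bottom, first-match policy evaluation described in this step. The machines, groups, policies and profile names are constructed; the data model is a simplification of what the console stores. The shadowed_policies check shows why policy order matters: after moving a catch-all policy to the top, a more specific policy below it never wins.

```python
"""Model first-match policy selection for XDR Collector policies.

Added example (not Cortex XDR's implementation): collector machine groups are
dynamic criteria with AND/OR and '*' wildcards on name, alias and domain;
policies are evaluated top to bottom and the first match applies.
All machines, groups and policies below are constructed.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional, Tuple

Machine = Dict[str, str]
Criterion = Tuple[str, str]   # (property, pattern)
Group = Dict[str, Any]        # {"operator": "AND" | "OR", "criteria": [Criterion, ...]}
Policy = Dict[str, Any]       # {"name", "platform", "profile", "group"}

# Properties on which '*' matches any string of characters, as the guide states.
WILDCARD_PROPERTIES = {"name", "alias", "domain"}

# Constructed inventory of registered collector machines.
MACHINES: List[Machine] = [
    {"name": "dhcp-srv-01", "alias": "DHCP primary", "domain": "corp.example.com", "platform": "Windows"},
    {"name": "dhcp-srv-02", "alias": "DHCP secondary", "domain": "corp.example.com", "platform": "Windows"},
    {"name": "web-lnx-01", "alias": "", "domain": "dmz.example.com", "platform": "Linux"},
    {"name": "build-lnx-07", "alias": "ci runner", "domain": "corp.example.com", "platform": "Linux"},
    {"name": "fs-01", "alias": "", "domain": "corp.example.com", "platform": "Windows"},
]


def criterion_matches(machine: Machine, criterion: Criterion) -> bool:
    prop, pattern = criterion
    value = machine.get(prop, "")
    if prop in WILDCARD_PROPERTIES:
        return fnmatchcase(value.lower(), pattern.lower())  # '*' wildcard, case-insensitive
    return value == pattern


def group_matches(machine: Machine, group: Group) -> bool:
    results = [criterion_matches(machine, c) for c in group["criteria"]]
    return all(results) if group["operator"] == "AND" else any(results)


def group_members(group: Group, machines: List[Machine] = MACHINES) -> List[str]:
    """What the console shows as you apply filters: the machines that match."""
    return [m["name"] for m in machines if group_matches(m, group)]


# Policies in table order (top to bottom). Each targets one platform and a group.
POLICIES: List[Policy] = [
    {"name": "DHCP servers", "platform": "Windows", "profile": "win-dhcp-filebeat",
     "group": {"operator": "AND", "criteria": [("name", "dhcp-*"), ("domain", "corp.example.com")]}},
    {"name": "Corp Linux", "platform": "Linux", "profile": "linux-corp",
     "group": {"operator": "OR", "criteria": [("domain", "corp.*"), ("alias", "ci *")]}},
    {"name": "Default Windows", "platform": "Windows", "profile": "win-default",
     "group": {"operator": "AND", "criteria": [("name", "*")]}},
    {"name": "Default Linux", "platform": "Linux", "profile": "linux-default",
     "group": {"operator": "AND", "criteria": [("name", "*")]}},
]


def effective_policy(machine: Machine, policies: List[Policy] = POLICIES) -> Optional[str]:
    """Top-to-bottom evaluation; the first matching policy becomes the active one."""
    for policy in policies:
        if policy["platform"] != machine["platform"]:
            continue
        if group_matches(machine, policy["group"]):
            return policy["name"]
    return None


def move_policy(policies: List[Policy], name: str, new_index: int) -> List[Policy]:
    """Return a reordered copy, like dragging a row in the Policies table."""
    moved = [p for p in policies if p["name"] == name]
    if not moved:
        raise ValueError(f"no policy named {name!r}")
    reordered = [p for p in policies if p["name"] != name]
    reordered.insert(new_index, moved[0])
    return reordered


def shadowed_policies(policies: List[Policy], machines: List[Machine] = MACHINES) -> List[str]:
    """Policies that never win for any registered machine: a sign of a bad order."""
    winners = {effective_policy(m, policies) for m in machines}
    return [p["name"] for p in policies if p["name"] not in winners]


if __name__ == "__main__":
    for m in MACHINES:
        print(f"{m['name']:<14} -> {effective_policy(m)}")
    bad_order = move_policy(POLICIES, "Default Windows", 0)
    print("shadowed after moving Default Windows to the top:", shadowed_policies(bad_order))
```

A check like shadowed_policies is worth running whenever the policy order is changed, since a policy that never wins silently leaves its collector machines on a different profile than intended.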
External Data Ingestion
> External Data Ingestion Vendor Support
> Visibility of Logs and Alerts from External Sources in Cortex XDR
> Ingest Network Connection Logs
> Ingest Authentication Logs and Data
> Ingest Operation and System Logs from Cloud Providers
> Ingest Cloud Assets
> Additional Log Ingestion Methods for Cortex XDR
> Ingest External Alerts
To provide you with a more complete and detailed picture of the activity involved in an incident, you can ingest data from a variety of external, third-party sources in Cortex XDR.
Cortex XDR can receive logs or both logs and alerts from the source. Depending on the data source, Cortex XDR can provide visibility into your external data in the form of:
• Log stitching with other logs, such as to create network or authentication stories.
• Raw data in queries from XQL Search.
• Alerts reported by the vendor throughout Cortex XDR, such as in the Alerts table, incidents, and views.
• Alerts raised by Cortex XDR on log data, such as Analytics alerts.
For more information, see Visibility of Logs and Alerts from External Sources in Cortex XDR.
To ingest data, you must set up the Syslog Collector applet on a Broker VM within your network.
The following entries list, for each vendor and device type, the Raw Data Visibility, Normalized Log Visibility, Cortex XDR Alert Visibility, and Vendor Alert Visibility that Cortex XDR provides. A dash (—) marks a capability that is not available for that source.

Network

Amazon S3 (flow logs)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Option to ingest network flow logs as Cortex XDR network connection stories that are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs. Analytics alerts are only raised on normalized logs.
• Vendor Alert Visibility: —

Azure Network Watcher (flow logs)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Option to ingest network flow logs as Cortex XDR network connection stories that are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from flow logs. Analytics alerts are only raised on normalized logs.
• Vendor Alert Visibility: —

Check Point FW1/VPN1
• Raw Data Visibility: Raw data is searchable in XQL Search. Logs with sessionid = 0 are dropped.
• Normalized Log Visibility: Network stories that include Check Point network connection logs are searchable in the Query Builder and in XQL Search. Logs with sessionid = 0 are dropped.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
• Vendor Alert Visibility: Alerts from Check Point firewalls are raised throughout Cortex XDR when relevant.

Corelight Zeek
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Network stories that include Corelight Zeek network connection logs are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
• Vendor Alert Visibility: —

Cisco ASA
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Network stories that include Cisco ASA network connection logs are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
• Vendor Alert Visibility: —

Fortinet FortiGate
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Network stories that include Fortinet network connection logs are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
• Vendor Alert Visibility: Alerts from Fortinet firewalls are raised throughout Cortex XDR when relevant.

Google Cloud Platform (flow logs)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Option to ingest network flow logs as Cortex XDR network connection stories that are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs. Analytics alerts are only raised on normalized logs.
• Vendor Alert Visibility: —

Windows DHCP via Elasticsearch Filebeat
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search.
• Cortex XDR Alert Visibility: —
• Vendor Alert Visibility: —

Zscaler Cloud Firewall
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Network stories that include Zscaler Cloud Firewall network connection and firewall logs are searchable in the Query Builder and in XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs. Analytics, IOCs, and BIOCs are only raised on the firewall data.
• Vendor Alert Visibility: —

Amazon S3 (audit logs)
• Raw Data Visibility: Logs and stories are searchable in XQL Search.
• Normalized Log Visibility: Option to stitch audit logs with authentication stories that are searchable in the Query Builder and XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Google Cloud Platform (audit logs)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Option to stitch audit logs with authentication stories that are searchable in the Query Builder and XQL Search.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
• Vendor Alert Visibility: —

Google Workspace
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: For all logs, Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Microsoft Office 365
• Raw Data Visibility: Logs and stories (Azure AD authentication and audit logs only) are searchable in XQL Search.
• Normalized Log Visibility: Azure AD authentication logs are normalized into authentication stories, and Azure AD audit logs are normalized into cloud audit log stories. Both are searchable in the Query Builder.
• Cortex XDR Alert Visibility: For Azure AD authentication and audit logs only, Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules only) when relevant from logs. For all other logs, Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Okta
• Cortex XDR Alert Visibility: IOCs and BIOCs are only raised for these event types: sso and session_start.
• Vendor Alert Visibility: —

PingFederate; PingOne for Enterprise
• Raw Data Visibility: Logs and stories are searchable in XQL Search.
• Normalized Log Visibility: Logs stitched with authentication stories are searchable in the Query Builder.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Amazon S3 (generic logs)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

AWS CloudTrail and Amazon CloudWatch (generic logs)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Google Cloud Platform
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Google Kubernetes Engine
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Prisma Cloud (alerts)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: Prisma Cloud alerts are stitched with cloud provider logs when relevant.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: Alerts from Prisma Cloud are raised throughout Cortex XDR when relevant.

Prisma Cloud Compute (alerts)
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: Alerts from Prisma Cloud Compute are raised throughout Cortex XDR when relevant.

Endpoint Logs

Windows Event Collector
• Raw Data Visibility: Windows event logs are available with agent EDR data and are searchable in XQL Search.
• Normalized Log Visibility: Windows event logs are stitched with agent EDR data and are searchable in the Query Builder.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Cloud Assets

Any vendor sending CEF- or LEEF-formatted syslog
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: To enable Cortex XDR to display alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).

Any vendor CSV files on a shared Windows directory
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Any vendor logs stored in a database
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Any vendor … over FTP, FTPS, or SFTP
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Any vendor sending NetFlow flow records
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: NetFlow events are stitched with the agent's EDR data and other network products into a session story, and are searchable in the Query Builder and in XQL.
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Any vendor sending logs over HTTP
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: To enable Cortex XDR to display alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).

BeyondTrust Privilege Management Cloud
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Elasticsearch Filebeat
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Forcepoint DLP
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Analytics alerts are only raised on normalized logs.
• Vendor Alert Visibility: —

Proofpoint Targeted Attack Protection
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

ServiceNow CMDB
• Raw Data Visibility: Raw data is searchable in XQL Search.
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
• Vendor Alert Visibility: —

Workday
• Normalized Log Visibility: —
• Vendor Alert Visibility: —

Any vendor sending alerts
• Raw Data Visibility: —
• Normalized Log Visibility: —
• Cortex XDR Alert Visibility: —
• Vendor Alert Visibility: Alerts are surfaced throughout Cortex XDR when relevant. To enable Cortex XDR to display your alerts, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).
When ingesting data from an external source, Cortex XDR creates a dataset that you can query
using XQL. Datasets created in this way use the following naming convention:
<vendor_name>_<product_name>_raw
You can forward VPC network flow logs to Cortex XDR from Amazon Simple Storage Service
(Amazon S3).
To receive network flow logs from Amazon S3, you must first configure data collection from
Amazon S3. You can then configure the Collection Integrations settings in Cortex XDR for Amazon
S3. After you set up the collection integration, Cortex XDR begins receiving new logs and data from
the source.
You can either configure Amazon S3 with SQS notification manually on your own or use the AWS
CloudFormation Script that we have created for you to make the process easier. The instructions
below explain how to configure Cortex XDR to receive network flow logs from Amazon S3 using
SQS. To perform these steps manually, see Configure Data Collection from Amazon S3 Manually.
For more information on configuring data collection from Amazon S3, see the Amazon S3
Documentation.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon S3 XQL
dataset (aws_s3_raw). This enables you to search the logs with XQL Search using the dataset.
For example queries, refer to the in-app XQL Library. You can also configure Cortex XDR to ingest
network flow logs as XDR network connection stories, which you can query with XQL Search
using the xdr_dataset dataset with the preset called network_story. Cortex XDR can also
raise Cortex XDR alerts (Analytics, Correlation Rules, IOC, and BIOC only) when relevant from
Amazon S3 logs. Analytics alerts are only raised on normalized logs.
Be sure you do the following tasks before you begin configuring data collection from Amazon S3
using the AWS CloudFormation Script.
• Ensure that you have the proper permissions to run AWS CloudFormation with the script
provided in Cortex XDR. You need at a minimum the following permissions in AWS for an
Amazon S3 bucket and Amazon Simple Queue Service (SQS):
• Amazon S3 bucket—GetObject
• SQS—ChangeMessageVisibility, ReceiveMessage, and DeleteMessage.
• Ensure that you can access your Amazon Virtual Private Cloud (VPC) and have the necessary
permissions to create flow logs.
• Determine how you want to give Cortex XDR access to your logs and let it perform API
operations. You have the following options:
• Designate an AWS IAM user. You will need to know the Account ID for the user and
have the permissions required to create an access key ID and secret access key for that IAM
user. This is the default option, selected with Access Key when you configure the Amazon S3
collection in Cortex XDR.
• Create an assumed role in AWS to delegate permissions to a Cortex XDR AWS service. This
role grants Cortex XDR access to your flow logs without distributing long-lived IAM user
access keys. For more information, see Creating a role to delegate permissions to an AWS
service. This is the Assumed Role option when you configure the Amazon S3 collection in
Cortex XDR. For more information on creating an assumed role for Cortex XDR, see Create an
Assumed Role for Cortex XDR.
Configure Cortex XDR to receive network flow logs from Amazon S3 using the CloudFormation
Script.
STEP 1 | Download the CloudFormation Script in Cortex XDR.
1. Select Settings > Configurations > Data Collection > Collection Integrations.
2. In the Amazon S3 configuration, click the Add Instance link to begin a new configuration.
3. To give Cortex XDR access to your logs and let it perform API operations using a
designated AWS IAM user, leave the Access Key option selected. Otherwise, select
Assumed Role, and ensure that you Create an Assumed Role for Cortex XDR before
continuing with these instructions.
4. For the Log Type, select Flow Logs to configure your log collection to receive network
flow logs from Amazon S3. The Download CloudFormation Script link is then displayed
under the field.
5. Click the Download CloudFormation Script link to download the script to your
computer.
STEP 2 | Create a new Stack in the CloudFormation Console with the script you downloaded from
Cortex XDR.
For more information on creating a Stack, see Creating a stack on the AWS CloudFormation
console.
an Amazon S3 bucket, Amazon Simple Queue Service (SQS) queue, and Queue Policy.
Configure the following settings in the Specify template page.
• Prerequisite - Prepare template > Prepare template—Select Template is ready.
• Specify Template
• Template source—Select Upload a template file.
• Upload a template file—Choose file, and select the
cortex-xdr-create-s3-with-sqs-flow-logs.json file that you downloaded from Cortex XDR.
5. Click Next.
6. In the Specify stack details page, configure the following stack details.
• Stack name—Specify a descriptive name for your stack.
• Parameters > Cortex XDR Flow Logs Integration
• Bucket Name—Specify the name of the S3 bucket to create. You can leave the default
name xdr-flow-logs or enter a new one; the name must be unique.
• Publisher Account ID—Specify the AWS account ID of the IAM user with whom you are
sharing access.
• Queue Name—Specify the name of the Amazon SQS queue to create. You can leave the
default name xdr-flow or enter a new one; the name must be unique.
7. Click Next.
8. In the Configure stack options page, there is nothing to configure, so click Next.
9. In the Review page, look over the stack configuration settings that you have configured
and, if they are correct, click Create stack. If you need to make a change, click Edit beside
the particular step that you want to update.
The stack is created and is opened with the Events tab displayed. It can take a few
minutes for the new Amazon S3 bucket, SQS queue, and Queue Policy to be created.
Click Refresh to get updates. Once everything is created, leave the stack open in
the current browser, as you will need to access information in the stack for other steps
detailed below.
STEP 3 | Configure your Amazon Virtual Private Cloud (VPC) with flow logs:
1. Open the Amazon VPC Console, and in the Resources by Region listed, select VPCs to view
the VPCs configured for the currently selected region. To select a VPC from another
region, select See all regions, and select one of them.
To create a new VPC, click Launch VPC Wizard. For more information, see AWS
VPC Flow Logs.
2. From the list of Your VPCs, select the checkbox beside the VPC that you want to configure
to create flow logs, and then select Actions > Create flow log.
Buckets section, select the bucket that you created for collecting the Amazon S3 flow
logs when you created your stack, click Copy ARN, and paste the ARN in this field.
• Log record format—Specify the fields to include in the flow log record; we
recommend leaving the default (AWS default format) selected.
4. Click Create flow log.
Once the flow log is created, a message indicating that the flow log was successfully created
is displayed at the top of the Your VPCs page.
In addition, if you open your Amazon S3 bucket configuration by selecting the bucket from
the Amazon S3 console, the Objects tab contains a folder called AWSLogs/ that collects the
flow logs.
STEP 4 | Configure access keys for the AWS IAM user that Cortex XDR uses for API operations.
1. Open the AWS IAM Console, and in the navigation pane, select Access management >
Users.
2. Select the User name of the AWS IAM user.
3. Select the Security credentials tab, scroll down to the Access keys section, and click
Create access key.
4. Click the copy icon next to the Access key ID and Secret access key (you must
click Show secret access key to see the secret key), and record them somewhere safe before
closing the window. You will need to provide these keys when setting the AWS Client ID and
AWS Client Secret in Cortex XDR; the Access policy of the SQS queue refers to the same IAM
user by its ARN, not by its keys, so the secret access key is never entered anywhere in AWS.
If you forget to record the keys and close the window, you will need to generate new keys
and repeat this process.
For more information, see Managing access keys for IAM users.
STEP 5 | When you create an Assumed Role for Cortex XDR, ensure that you edit the policy that
defines the permissions for the Cortex XDR role with the S3 Bucket ARN and SQS ARN,
which are taken from the Stack you created.
Skip this step if you are using an Access Key to provide access to Cortex XDR.
These instructions explain how to set up an Assumed Role; they apply to any type of Amazon S3
Collector in Cortex XDR.
STEP 1 | Log in to the AWS Management Console to create a role for Cortex XDR.
Refer to the AWS instructions for guidance.
1. Create the role using the following values and options.
• Type of trusted entity > Another AWS account, and specify the Account ID as
006742885340.
• Under Options, select Require external ID. The external ID is a unique alphanumeric
string; generate a random UUIDv4 for it. The value is a shared secret between your account
and Cortex XDR that prevents a confused-deputy scenario in which another customer of the
same service could have the role assumed on their behalf, so prefer generating it locally
(for example with uuidgen) over pasting it into a third-party web page. Copy the External ID,
as you will use it when configuring the Amazon S3 Collector in Cortex XDR.
2. Click Next and attach the AWS managed policy SecurityAudit.
Then, add a role name and create the role. Later in this workflow, you will create the
granular policies and edit the role to attach the additional policies.
STEP 2 | Create the policy that defines the permissions for the Cortex XDR role.
1. Select IAM on the AWS Management Console.
2. In the navigation pane on the left, select Access Management > Policies > Create Policy.
3. Select the JSON tab.
Copy the following JSON policy and paste it within the editor window.
The <s3-arn> and <sqs-arn> placeholders are filled in later, depending on which Amazon
S3 logs you are configuring: network flow logs, audit logs, or generic logs. The policy grants
only object reads on the bucket and the three queue operations the collector needs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "<s3-arn>/*"
},
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:ChangeMessageVisibility"
],
"Resource": "<sqs-arn>"
}
]
}
STEP 3 | Edit the role you created in Step 1 and attach the policy to the role.
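The role trust relationship from STEP 1 and the permissions policy from STEP 2, worked through as an added Python example; this code is not part of this guide or of the Cortex XDR product. It generates the external ID locally, builds the trust policy that the console steps produce (standard IAM JSON with an sts:ExternalId condition), fills the <s3-arn> and <sqs-arn> placeholders, and checks a candidate policy for unfilled placeholders, wildcards, or actions beyond the four the collector needs. The ARNs in the usage and the set of findings policy_problems reports are the example's own assumptions.

```python
import json
import uuid

# Account ID that the guide gives for the Cortex XDR AWS service (the trusted principal).
CORTEX_XDR_ACCOUNT_ID = "006742885340"
# The only API actions the collector needs, taken from the guide's prerequisites.
COLLECTOR_ACTIONS = {"s3:GetObject", "sqs:ReceiveMessage",
                     "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"}
# The guide's permissions policy with its placeholders still in place.
GUIDE_TEMPLATE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "<s3-arn>/*"},
    {"Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"],
     "Resource": "<sqs-arn>"}
  ]
}""")


def new_external_id() -> str:
    """Generate the external ID locally as a random UUIDv4. It is a shared secret between
    your account and Cortex XDR, so it should not come from a third-party web page."""
    return str(uuid.uuid4())


def build_trust_policy(external_id: str, trusted_account: str = CORTEX_XDR_ACCOUNT_ID) -> dict:
    """Trust policy the console steps produce: only the Cortex XDR account may assume the
    role, and only when it presents the external ID (the condition that blocks a confused deputy)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def build_permissions_policy(s3_arn: str, sqs_arn: str) -> dict:
    """The guide's policy with <s3-arn> and <sqs-arn> replaced by concrete ARNs."""
    text = json.dumps(GUIDE_TEMPLATE).replace("<s3-arn>", s3_arn).replace("<sqs-arn>", sqs_arn)
    return json.loads(text)


def _is_wildcard(resource: str) -> bool:
    # "bucket/*" is the intended object scope; any other '*' widens the grant.
    core = resource[:-2] if resource.endswith("/*") else resource
    return "*" in core


def policy_problems(policy: dict, s3_arn: str, sqs_arn: str) -> list:
    """Findings for a candidate policy; empty when it is exactly the least-privilege grant
    the collector needs. Flags unfilled placeholders, wildcards, actions the collector does
    not use, and resources other than the flow-log bucket objects and the queue."""
    problems = []
    expected_resources = {f"{s3_arn}/*", sqs_arn}
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if stmt.get("Effect") != "Allow":
            problems.append(f"statement {i}: unexpected Effect {stmt.get('Effect')!r}")
        for action in actions:
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action!r}")
            elif action not in COLLECTOR_ACTIONS:
                problems.append(f"statement {i}: action {action!r} is not needed by the collector")
        for resource in resources:
            if resource.startswith("<"):
                problems.append(f"statement {i}: unfilled placeholder {resource!r}")
            elif _is_wildcard(resource):
                problems.append(f"statement {i}: wildcard resource {resource!r}")
            elif resource not in expected_resources:
                problems.append(f"statement {i}: resource {resource!r} is neither the bucket objects nor the queue")
    return problems


if __name__ == "__main__":
    # Assumed ARNs for the bucket and queue created by the CloudFormation stack.
    s3 = "arn:aws:s3:::xdr-flow-logs"
    sqs = "arn:aws:sqs:us-east-1:123456789012:xdr-flow"
    print(json.dumps(build_trust_policy(new_external_id()), indent=2))
    print(policy_problems(GUIDE_TEMPLATE, s3, sqs))          # placeholders still present
    print(policy_problems(build_permissions_policy(s3, sqs), s3, sqs))   # []
```

Run policy_problems against whatever you paste into the JSON editor before you attach it; the two findings it raises for the unedited template are exactly the placeholders STEP 5 tells you to replace with the stack's ARNs.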
STEP 5 | Continue with the task for the applicable Amazon S3 logs you want to configure.
The following types of logs are available.
• Ingest Network Flow Logs from Amazon S3.
• Ingest Audit Logs from AWS CloudTrail.
• Ingest Generic Logs from Amazon S3.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
There are various reasons why you may need to configure data collection from Amazon S3
manually, as opposed to using the CloudFormation Script provided in Cortex XDR. For example,
if your organization does not use CloudFormation scripts, you will need to follow the instructions
below, which explain at a high level how to perform these steps manually, with a link to the
relevant topic in the Amazon S3 documentation with the detailed steps to follow.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon S3 XQL
dataset (aws_s3_raw). This enables you to search the logs with XQL Search using the dataset.
For example queries, refer to the in-app XQL Library. You can also configure Cortex XDR to ingest
network flow logs as XDR network connection stories, which you can query with XQL Search
using the xdr_dataset dataset with the preset called network_story. Cortex XDR can also
raise Cortex XDR alerts (Correlation Rules, IOC, and BIOC only) when relevant from Amazon S3 logs.
Be sure you do the following tasks before you begin configuring data collection manually from
Amazon S3.
If you already have an Amazon S3 bucket configured with VPC flow logs that you want to
use for this configuration, you do not need to perform the prerequisite steps detailed in the
first two bullets.
• Ensure that you have at a minimum the following permissions in AWS for an Amazon S3 bucket
and Amazon Simple Queue Service (SQS).
• Amazon S3 bucket—GetObject
• SQS—ChangeMessageVisibility, ReceiveMessage, and DeleteMessage.
• Create a dedicated Amazon S3 bucket for collecting network flow logs with the default
settings. For more information, see Creating a bucket using the Amazon S3 Console.
STEP 2 | From the menu bar, ensure that you have selected the correct region for your configuration.
STEP 3 | Configure your Amazon Virtual Private Cloud (VPC) with flow logs. For more information, see
AWS VPC Flow Logs.
If you already have an Amazon S3 bucket configured with VPC flow logs, skip this step
and go to Configure an Amazon Simple Queue Service (SQS).
STEP 4 | Configure an Amazon Simple Queue Service (SQS). For more information, see Configuring
Amazon SQS queues (console).
Ensure that you create your Amazon S3 bucket and Amazon SQS queue in the same
region.
STEP 5 | Configure an event notification to your Amazon SQS queue whenever a file is written to your
Amazon S3 bucket. For more information, see Amazon S3 Event Notifications.
STEP 6 | Configure access keys for the AWS IAM user that Cortex XDR uses for API operations. For
more information, see Managing access keys for IAM users.
STEP 7 | Update the Access Policy of your SQS queue and grant the required permissions mentioned
above to the relevant IAM user. For more information, see Granting permissions to publish
event notification messages to a destination.
Skip this step if you are using an Assumed Role for Cortex XDR.
an event notification to your Amazon SQS queue whenever a file is written to your Amazon
S3 bucket.
• Name—Specify a descriptive name for your log collection configuration.
• When setting an Access Key, set these parameters.
• AWS Client ID—Specify the Access key ID, which you received when you created
access keys for the AWS IAM user in AWS.
• AWS Client Secret—Specify the Secret access key you received when you created
access keys for the AWS IAM user in AWS.
• When setting an Assumed Role, set these parameters.
• Role ARN—Specify the Role ARN for the Assumed Role for Cortex XDR in AWS.
• External Id—Specify the External Id for the Assumed Role for Cortex XDR in AWS.
• Log Type—Select Flow Logs to configure your log collection to receive network flow
logs from Amazon S3. When configuring network flow log collection, the following
additional field is displayed for the Configuration.
You can Normalize and enrich flow logs by selecting the checkbox. When selected,
Cortex XDR ingests the network flow logs as XDR network connection stories, which
you can query using XQL Search from the xdr_dataset dataset using the preset
called network_story.
4. Click Test to validate access, and then click Enable.
Once events start to come in, a green check mark appears underneath the Amazon S3
configuration with the number of logs received.
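The S3-to-SQS pipeline that the steps above assemble (bucket, VPC flow log, queue, event notification) as an added Python example; this is not Cortex XDR's collector code or any code from this guide, it only mirrors what a consumer of that queue has to do: take one S3 event notification off SQS, decide which objects are worth fetching, decompress the flow log, and parse the default record format. The flow log records, the object key, and the notification body are constructed sample data (account ID, ENI, addresses and key are made up), and an in-memory dictionary stands in for the s3:GetObject call so the example runs offline; the AWSLogs/ prefix check and the s3:TestEvent skip are this example's own choices.

```python
import gzip
import json
from urllib.parse import unquote_plus

# Field order of the AWS default VPC flow log record format (version 2).
FLOW_LOG_FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log-status"]
LOG_PREFIX = "AWSLogs/"   # the folder VPC flow logs are written to in the bucket (see STEP 3)


def objects_from_sqs_body(body: str, expected_bucket: str) -> list:
    """Parse one S3 event notification received through SQS and return the (bucket, key)
    pairs to fetch. Ignores the s3:TestEvent that S3 publishes when the notification is
    created, non-create events, other buckets, and keys outside AWSLogs/."""
    message = json.loads(body)
    if message.get("Event") == "s3:TestEvent":
        return []
    wanted = []
    for record in message.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])   # keys are URL-encoded in events
        if bucket == expected_bucket and key.startswith(LOG_PREFIX):
            wanted.append((bucket, key))
    return wanted


def parse_flow_log(gz_object: bytes) -> list:
    """Decompress a flow log object and return default-format records as dicts, skipping
    the header line and NODATA/SKIPDATA records, which carry no flow."""
    records = []
    for line in gzip.decompress(gz_object).decode().splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS) or parts[0] == "version":
            continue
        record = dict(zip(FLOW_LOG_FIELDS, parts))
        if record["log-status"] == "OK":
            records.append(record)
    return records


def rejected_by_source(records: list) -> dict:
    """Count REJECT flows per source address, the kind of pivot an analyst later runs in
    XQL over aws_s3_raw once the data has landed."""
    counts = {}
    for record in records:
        if record["action"] == "REJECT":
            counts[record["srcaddr"]] = counts.get(record["srcaddr"], 0) + 1
    return counts


# Constructed sample data: a gzipped flow log object and the SQS message S3 would send for it.
SAMPLE_FLOW_LOG = "\n".join([
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51234 22 6 4 240 1653638400 1653638460 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51235 3389 6 3 180 1653638400 1653638460 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 44312 443 6 20 4200 1653638400 1653638460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1653638400 1653638460 - NODATA",
])
SAMPLE_OBJECT = gzip.compress(SAMPLE_FLOW_LOG.encode())
SAMPLE_KEY = ("AWSLogs/123456789012/vpcflowlogs/us-east-1/2022/05/27/"
              "123456789012_vpcflowlogs_us-east-1_fl-0abc1234_20220527T0800Z_1a2b3c4d.log.gz")
SAMPLE_SQS_BODY = json.dumps({"Records": [{
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "xdr-flow-logs"}, "object": {"key": SAMPLE_KEY}}}]})


def rejected_flows_for_sample() -> dict:
    """Run the sample notification through the pipeline; the dictionary stands in for s3:GetObject."""
    bucket_contents = {("xdr-flow-logs", SAMPLE_KEY): SAMPLE_OBJECT}
    summary = {}
    for bucket, key in objects_from_sqs_body(SAMPLE_SQS_BODY, "xdr-flow-logs"):
        summary.update(rejected_by_source(parse_flow_log(bucket_contents[(bucket, key)])))
    return summary


if __name__ == "__main__":
    print(rejected_flows_for_sample())
```

The bucket and prefix checks are the reason the guide tells you to use a dedicated bucket: a queue that also receives notifications for unrelated objects wastes GetObject calls, and a consumer that trusts every key in a message will happily fetch whatever another writer drops into the bucket.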
If you use Check Point FW1/VPN1 firewalls, you can still take advantage of Cortex XDR
investigation and detection capabilities by forwarding your Check Point firewall logs to Cortex
XDR. Check Point firewall logs can be used as the sole data source; however, you can also use
Check Point firewall logs in conjunction with Palo Alto Networks firewall logs and additional data
sources.
Cortex XDR can stitch data from Check Point firewalls with other logs to make up network stories
searchable in the Query Builder and in XQL queries. Cortex XDR can also return raw data from
Check Point firewalls in XQL queries.
In terms of alerts, Cortex XDR can both surface native Check Point firewall alerts and raise its
own alerts on network activity. Alerts are displayed throughout Cortex XDR alert, incident, and
investigation views.
To integrate your logs, you first need to set up an applet on a Broker VM within your network to
act as a Syslog Collector. You then configure your Check Point firewall policy to log all traffic and
set up the Log Exporter on your Check Point Log Server to forward logs to the Syslog Collector in
CEF format.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs
with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics
alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search
your network connection logs.
STEP 1 | Ensure that your Check Point firewalls meet the following requirements.
Check Point software version—R77.30, R80.10, R80.20, R80.30, or R80.40
STEP 4 | Configure the Check Point firewall to forward syslog events in CEF format to the Syslog
Collector.
Configure your firewall policy to log all traffic and set up the Log Exporter to forward logs to
the Syslog Collector. For more information on setting up Log Exporter, see the Check Point
documentation.
If you use Cisco ASA firewalls, you can still take advantage of Cortex XDR investigation and
detection capabilities by forwarding your firewall logs to Cortex XDR. This enables Cortex XDR
to examine your network traffic to detect anomalous behavior. Cortex XDR can use Cisco ASA
firewall logs as the sole data source, but can also use Cisco ASA firewall logs in conjunction with
Palo Alto Networks firewall logs. For additional endpoint context, you can also use Cortex XDR to
collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs
with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics
alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search
your network connection logs.
To integrate your logs, you first need to set up an applet on a Broker VM within your network to
act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the
Syslog Collector in CEF format.
STEP 1 | Verify that your Cisco ASA firewall meets the following requirements.
• Syslog in Cisco ASA format
• Messages must include timestamps
• Only the following message IDs are supported: 302013, 302014, 302015, and 302016 (the
TCP and UDP connection built and teardown messages); other ASA messages, such as
access-list denies, are not consumed.
STEP 4 | Configure the Cisco ASA firewall, or the log device forwarding logs from it, to send logs to
the Syslog Collector in CEF format.
Configure your firewall policy to log all traffic and forward the traffic logs to the Syslog
Collector in CEF format. By logging all traffic, you enable Cortex XDR to detect anomalous
behavior from Cisco ASA firewall logs. For more information on setting up log forwarding on
Cisco ASA firewalls, see the Cisco ASA Series documentation.
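The two source-specific rules stated above, the Check Point "sessionid = 0 is dropped" behavior from the visibility table and the Cisco ASA timestamp and message-ID requirements from STEP 1, applied to a batch of syslog lines as an added Python example; this is not Cortex XDR's parser and is not code from this guide. It parses CEF records the way the Syslog Collector receives them (unescaped pipes delimit the seven header fields, key=value pairs make up the extension, with \| and \= escapes) and, for ASA, reads the native %ASA-severity-id: form that STEP 1 asks for. The sample lines are constructed; the sessionid extension key and the exact timestamp layout are assumptions, since both depend on how the Log Exporter and ASA logging are configured.

```python
import re

# Cisco ASA connection build/teardown message IDs listed as supported in the guide.
ASA_SUPPORTED_IDS = {"302013", "302014", "302015", "302016"}
_ASA_RE = re.compile(r"%ASA-\d-(\d{6}):")
_TIME_RE = re.compile(r"\b\d{2}:\d{2}:\d{2}\b")
# A CEF extension key: word characters at the start or after whitespace, followed by '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _split_cef_header(body: str):
    """Split on unescaped '|' into the seven CEF header fields; return them and the extension."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # '\|' and '\\' are literal inside header fields
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("not a CEF record: fewer than seven header fields")
    return fields, body[i:]


def _parse_extension(ext: str) -> dict:
    """Turn 'key=value key=value with spaces' into a dict, unescaping '\\=' and '\\\\'."""
    keys = list(_KEY_RE.finditer(ext))
    values = {}
    for match, following in zip(keys, keys[1:] + [None]):
        end = following.start() if following else len(ext)
        raw = ext[match.end():end].strip()
        values[match.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return values


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record; whatever precedes 'CEF:' is kept as 'prefix'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker")
    fields, ext = _split_cef_header(line[start + 4:])
    version, vendor, product, device_version, signature_id, name, severity = fields
    return {"prefix": line[:start].strip(), "version": version, "vendor": vendor,
            "product": product, "device_version": device_version,
            "signature_id": signature_id, "name": name, "severity": severity,
            "ext": _parse_extension(ext)}


def check_asa(line: str):
    """Return (message_id, drop_reason) for a native-format ASA syslog line; reason is None when kept."""
    match = _ASA_RE.search(line)
    if not match:
        return None, "not an ASA message"
    if not _TIME_RE.search(line[:match.start()]):     # STEP 1: a timestamp must precede the message
        return match.group(1), "asa missing timestamp"
    if match.group(1) not in ASA_SUPPORTED_IDS:
        return match.group(1), "asa message id not supported"
    return match.group(1), None


def triage(lines):
    """Apply both rules to a batch: returns (kept events, drop counts by reason)."""
    kept, dropped = [], {}
    for line in lines:
        if "CEF:" in line:
            event = parse_cef(line)
            if event["vendor"] == "Check Point" and event["ext"].get("sessionid") == "0":
                dropped["checkpoint sessionid=0"] = dropped.get("checkpoint sessionid=0", 0) + 1
                continue
            kept.append(event)
        else:
            message_id, reason = check_asa(line)
            if reason:
                dropped[reason] = dropped.get(reason, 0) + 1
                continue
            kept.append({"vendor": "Cisco", "signature_id": message_id, "raw": line})
    return kept, dropped


# Constructed sample lines (addresses, hostnames and session IDs are made up).
SAMPLE_LINES = [
    "<134>May 27 2022 08:00:01 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Accept|Accept|0|"
    "rt=1653638401000 src=10.0.1.15 dst=203.0.113.7 spt=51234 dpt=443 proto=tcp act=Accept sessionid=1234567",
    "<134>May 27 2022 08:00:01 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Log|Log|0|"
    "rt=1653638401000 sessionid=0 msg=audit entry without a session",
    "May 27 2022 08:00:02: %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.1.15/443 (10.0.1.15/443)",
    "May 27 2022 08:00:03: %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.1.15/22 "
    "by access-group OUTSIDE_IN",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.7/51234 to inside:10.0.1.15/443 "
    "duration 0:00:05 bytes 4200 TCP FINs",
]

if __name__ == "__main__":
    kept_events, drop_counts = triage(SAMPLE_LINES)
    print(len(kept_events), "kept;", drop_counts)
```

Running triage over a capture from the Syslog Collector's listening port before you enable the integration tells you how much of what the firewall sends will actually reach a network story: in the sample, the session-less Check Point audit record, the ASA access-list deny, and the ASA teardown that was emitted without `logging timestamp` are all silently lost, which is the gap you want to know about before relying on the data for detection.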
If you use Corelight Zeek sensors for network monitoring, you can still take advantage of Cortex
XDR investigation and detection capabilities by forwarding your network connection logs to
Cortex XDR. This enables Cortex XDR to examine your network traffic to detect anomalous
behavior. Cortex XDR can use Corelight Zeek logs as the sole data source, but can also use logs in
conjunction with Palo Alto Networks or third-party firewall logs. For additional endpoint context,
you can also use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs
with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics
alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search
your network connection logs.
To integrate your logs, you first need to set up an applet on a Broker VM within your network to
act as a Syslog Collector. You then configure forwarding on your Corelight Zeek sensors (using the
default Syslog export option of RFC 5424 over TCP) to send logs to the Syslog Collector.
STEP 1 | Activate the Syslog Collector.
During activation, you define the Listening Port over which you want the Syslog Collector
to receive logs. You must also set TCP as the transport Protocol and Corelight as the Syslog
Format.
If you use Fortinet Fortigate firewalls, you can still take advantage of Cortex XDR investigation
and detection capabilities by forwarding your firewall logs to Cortex XDR. This enables Cortex
XDR to examine your network traffic to detect anomalous behavior. Cortex XDR can use Fortinet
Fortigate firewall logs as the sole data source, but can also use them in
conjunction with Palo Alto Networks firewall logs. For additional endpoint context, you can also
use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs
with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics
alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search
your network connection logs.
To integrate your logs, you first need to set up an applet in a broker VM within your network to
act as a syslog collector. You then configure forwarding on your log devices to send logs to the
syslog collector in CEF format.
STEP 1 | Verify that your Fortinet Fortigate firewalls meet the following requirements.
• Must use FortiOS 6.2.1 or a later release
• Timestamps must be in nanoseconds
STEP 4 | Configure the log device that receives Fortinet Fortigate firewall logs to forward syslog
events to the syslog collector in CEF format.
Configure your firewall policy to log all traffic and forward the traffic logs to the syslog collector
in CEF format. By logging all traffic, you enable Cortex XDR to detect anomalous behavior
from Fortinet Fortigate firewall logs. For more information on setting up Log Forwarding on
Fortinet Fortigate firewalls, see the Fortinet FortiOS documentation.
If you use the Pub/Sub messaging service from Google Cloud Platform (GCP), you can send logs
and data from your GCP instance to Cortex XDR. Data from GCP is then searchable in Cortex
XDR to provide additional information and context to your investigations using the GCP XQL
dataset (google_cloud_logging_raw). For example queries, refer to the in-app XQL Library.
You can configure a Google Cloud Platform collector to receive generic, flow, or audit logs. When
configuring generic logs, you can receive logs in a Raw, JSON, CEF, LEEF, Cisco, or Corelight
format.
You can also configure Cortex XDR to normalize GCP audit logs, which you can query with XQL
Search using the cloud_audit_logs dataset. In addition, you can configure Cortex XDR to
ingest network flow logs as XDR network connection stories, which you can query with XQL
Search using the xdr_dataset dataset with the preset called network_story. Cortex XDR can
also raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rule only) when relevant from
GCP logs. Analytics alerts are only raised on normalized logs.
When collecting flow logs, we recommend that you include GKE annotations in your logs,
which enable you to view the names of the containers that communicated with each
other. GKE annotations are only included in logs if appended manually using the custom
metadata configuration in GCP. For more information, see VPC Flow Logs Overview. In
addition, to customize metadata fields, you must use the gcloud command-line interface or
the API. For more information, see Using VPC Flow Logs.
To receive logs and data from GCP, you must first set up log forwarding using a Pub/Sub topic
in GCP. You can configure GCP settings using either the GCP web interface or a GCP cloud shell
terminal. After you set up your service account in GCP, you configure the Data Collection settings
in Cortex XDR. The setup process requires the subscription name and authentication key from
your GCP instance.
After you set up log collection, Cortex XDR immediately begins receiving new logs and data from
GCP.
• Set up Log Forwarding Using the GCP Web Interface.
• Set up Log Forwarding Using the GCP Cloud Shell Terminal.
can configure Cortex XDR to normalize GCP audit logs, which you can query with
XQL Search using the cloud_audit_logs dataset.
• Generic—When selecting this log type, you can configure the following settings.
• Log Format—Select the log format type as Raw, JSON, CEF, LEEF, Cisco, or
Corelight.
-The Vendor and Product default to Auto-Detect when the Log Format is
set to CEF or LEEF.
-For a Log Format set to CEF or LEEF, Cortex XDR reads events row by
row to look for the Vendor and Product configured in the logs. When the
values are populated in the event log row, Cortex XDR uses these values
even if you specified a value in the Vendor and Product fields in the GCP
data collector settings. When the values are blank in the event log row,
Cortex XDR uses the Vendor and Product that you specified in the GCP
data collector settings. If you did not specify a Vendor or Product in the
GCP data collector settings, and the values are blank in the event log row,
the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
-Vendor—Cisco
-Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
-Vendor—Corelight
-Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set but
remain configurable.
-Vendor—Google
-Product—Cloud Logging
Cortex XDR supports logs in single-line or multiline format. Multiline logs are
collected automatically when the Log Format is configured as JSON. When configuring
a Raw format, you must also define the Multiline Parsing Regex as explained below.
• Vendor—(Optional) Specify a particular vendor name for the GCP generic data
collection, which is used in the GCP XQL dataset <Vendor>_<Product>_raw
that Cortex XDR creates as soon as it begins receiving logs.
• Product—(Optional) Specify a particular product name for the GCP
generic data collection, which is used in the GCP XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Multiline Parsing Regex—(Optional) This option is only displayed when the Log
Format is set to Raw, where you can set the regular expression that identifies
where a multiline event starts. It is assumed that when a
new event begins, the previous one has ended.
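The two settings above that most often surprise people are the Multiline Parsing Regex for Raw logs and the Vendor/Product precedence for CEF and LEEF rows, which also governs the dataset a row lands in. The following is an added example, not Cortex XDR code, that applies exactly the rules stated in this section: a start regex closes the previous event and opens the next, and a Vendor or Product found in the event row beats the collector setting, which in turn beats the fallback value unknown. It serves this GCP passage, the Fortinet CEF forwarding described earlier, and the identical Azure Event Hub setting later in the chapter. The CEF header splitter and the sample rows are constructions of the example; Cortex XDR's own parser is not documented here, only the precedence outcome, and the fixed Cisco/Corelight values are not modelled.

```python
"""Worked example of two generic-log settings: the Multiline Parsing Regex for
Raw logs and the Vendor/Product precedence for CEF/LEEF rows that names the
<Vendor>_<Product>_raw dataset.  Added example, not Cortex XDR code; the CEF
header splitter is this example's own, and all sample lines are constructed."""
import re


def group_multiline(lines, start_regex):
    """Join raw lines into events.  A line matching start_regex begins a new
    event and implicitly ends the previous one.  Lines before the first match
    are kept as an event of their own rather than silently dropped, so a bad
    regex shows up as one huge event instead of missing data."""
    start = re.compile(start_regex)
    events, current = [], []
    for line in lines:
        if start.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def cef_header_fields(event):
    """Split the seven pipe-delimited CEF header fields, honouring backslash
    escapes ('\\|' inside a value); returns [] when the row is not CEF."""
    idx = event.find("CEF:")
    if idx == -1:
        return []
    fields, cur, i = [], [], idx + 4
    while i < len(event) and len(fields) < 7:
        ch = event[i]
        if ch == "\\" and i + 1 < len(event):
            cur.append(event[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields  # [version, vendor, product, device version, signature id, name, severity]


def resolve_vendor_product(event, configured_vendor="", configured_product=""):
    """Documented precedence: a value present in the event row wins over the
    collector setting; a blank row value falls back to the setting; if both are
    blank the value is "unknown".  Vendor and Product resolve independently."""
    hdr = cef_header_fields(event)
    row_vendor = hdr[1].strip() if len(hdr) > 2 else ""
    row_product = hdr[2].strip() if len(hdr) > 2 else ""
    vendor = row_vendor or configured_vendor.strip() or "unknown"
    product = row_product or configured_product.strip() or "unknown"
    return vendor, product


def dataset_name(vendor, product):
    """Dataset the docs describe: <Vendor>_<Product>_raw (case handling is not
    specified in the docs and is left untouched here)."""
    return "%s_%s_raw" % (vendor, product)


# Constructed samples.
RAW_LINES = [
    "2022-05-27T10:00:00Z ERROR request failed",
    "  Traceback (most recent call last):",
    '    File "handler.py", line 12, in run',
    "2022-05-27T10:00:01Z INFO recovered",
]
TIMESTAMP_START = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
CEF_ROWS = [
    "CEF:0|Fortinet|Fortigate|6.2.1|00001|traffic|3|src=10.0.0.5 dst=8.8.8.8 dpt=53",
    "CEF:0|||1.0|00002|traffic|3|src=10.0.0.6 dst=8.8.4.4",        # blank vendor/product in row
    "CEF:0|Acme\\|Corp|Gate\\|Way|1.0|7|probe|1|src=10.0.0.7",      # escaped pipes in header
]

if __name__ == "__main__":
    print(group_multiline(RAW_LINES, TIMESTAMP_START))
    for row in CEF_ROWS:
        print(dataset_name(*resolve_vendor_product(row, "MyVendor", "MyProduct")))
```

The security-relevant consequence of the precedence rule is that a device which writes its own Vendor and Product into the CEF header decides which dataset its rows land in, regardless of what you typed in the collector; if several sources share one collector, check the header values they emit before relying on dataset names in XQL queries or Correlation Rules.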
6. Test the provided settings and, if successful, proceed to Enable log collection.
STEP 6 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL Query language to search for specific data.
Note the subscription name you define in this step as you will need it to set up log ingestion
from Cortex XDR.
If setup is successful, the console displays a summary of your log sink settings:
Created [https://logging.googleapis.com/v2/projects/PROJECT_ID/sinks/SINK_NAME].
Please remember to grant `serviceAccount:LOGS_SINK_SERVICE_ACCOUNT` the Pub/Sub Publisher
role on the topic. More information about sinks can be found at /logging/docs/export/configure_export
STEP 6 | Grant the log sink service account permission to publish to the new topic.
Note the serviceAccount name from the previous step and use it to identify the service account
to which you grant publish access.
STEP 11 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL Query language to search for specific data.
To receive logs from Azure Event Hub, you must configure the Collection Integrations settings
in Cortex XDR based on your Microsoft Azure Event Hub configuration. After you set up data
collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that
you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library.
You can also configure Cortex XDR to normalize Azure Event Hub audit logs with other Cortex
XDR authentication stories across all cloud providers using the same format, which you can query
with XQL Search using the cloud_audit_logs or xdr_data datasets. For logs that you do not
configure Cortex XDR to normalize, you can change the default dataset. Cortex XDR can also raise
Cortex XDR alerts (IOC, BIOC, and Correlation Rule only) when relevant from Azure Event Hub
logs.
Cortex XDR can also ingest Azure sign-in logs when you configure an Azure Event Hub data
collector to collect audit logs. This also depends on setting the applicable Diagnostic settings
in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex
XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these
authentication logs. Cortex XDR can normalize these Active Directory sign-in logs with other
Cortex XDR authentication stories across all cloud providers using the same format. You can query
these logs in XQL Search using the cloud_audit_logs and xdr_data datasets.
Be sure you do the following tasks before you begin configuring data collection from Azure Event
Hub.
• Create an Azure Event Hub. For more information, see Quickstart: Create an event hub using
Azure portal.
• Ensure the format for the logs you want collected from the Azure Event Hub is either JSON or
raw.
Configure the Azure Event Hub collection in Cortex XDR.
STEP 1 | In the Microsoft Azure Console, open the Event Hubs page, and select the Azure Event Hub
that you created for collection in Cortex XDR.
STEP 2 | Record the following parameters from your configured event hub, which you will need when
configuring data collection in Cortex XDR.
• Your event hub’s consumer group.
1. Select Entities > Event Hubs, and select your event hub.
2. Select Entities > Consumer groups.
3. In the Consumer group table, copy the applicable value listed in the Name column for
your Cortex XDR data collection configuration.
• Your event hub’s connection string for the designated policy.
1. Select Settings > Shared access policies.
2. In the Shared access policies table, select the applicable policy.
3. Copy the Connection string-primary key.
• Storage account for the connection string.
1. Open the Storage accounts page, and select the storage account that contains the
connection string for the event hub you have configured for data collection by Cortex
XDR.
2. Select Security + networking > Access keys, and click Show keys.
3. Copy the applicable Connection string.
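Both connection strings copied in this step embed a long-lived secret, so it pays to check what you are about to paste into the collector. The following is an added example, not Cortex XDR or Microsoft code, that parses the strings using the documented Azure layout (semicolon-separated key=value pairs, where the key value itself may contain "=") and flags the things a practitioner wants to catch: a policy that is not scoped to the event hub (no EntityPath), a namespace-level root policy rather than a dedicated policy, and a non-https storage endpoint. The policy-name check and the assumption that the collector only needs Listen rights are this example's, not the guide's; the sample strings are constructed.

```python
"""Sanity-check the Event Hub and storage connection strings from Step 2 before
pasting them into the collector.  Added example, not Cortex XDR or Microsoft
code.  Assumptions of this example: a read-only collector needs only a
Listen policy scoped to the hub, and a name starting with "RootManage"
identifies the namespace root policy.  Sample strings are constructed."""


def parse_connection_string(cs):
    """Split 'Key=Value;Key2=Value2' into a dict.  Values may contain '='
    (base64 keys end in '='), so each pair is split on the first '=' only."""
    out = {}
    for part in cs.strip().strip(";").split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed segment: %r" % part)
        out[key.strip()] = value.strip()
    return out


def check_event_hub_connection(cs, expected_hub):
    """Return a list of findings; an empty list means the string looks right."""
    p = parse_connection_string(cs)
    findings = []
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not p.get(required):
            findings.append("missing " + required)
    if not p.get("Endpoint", "").startswith("sb://"):
        findings.append("Endpoint is not an sb:// Service Bus endpoint")
    if p.get("EntityPath", "") != expected_hub:
        findings.append("policy is not scoped to the event hub " + expected_hub + " (no matching EntityPath)")
    if p.get("SharedAccessKeyName", "").lower().startswith("rootmanage"):
        findings.append("policy is the namespace root key; use a dedicated Listen-only policy on the hub")
    return findings


def check_storage_connection(cs):
    p = parse_connection_string(cs)
    findings = []
    for required in ("AccountName", "AccountKey"):
        if not p.get(required):
            findings.append("missing " + required)
    if p.get("DefaultEndpointsProtocol", "https") != "https":
        findings.append("DefaultEndpointsProtocol is not https")
    return findings


# Constructed samples; the keys are placeholders, not real secrets.
GOOD_HUB = ("Endpoint=sb://xdr-ns.servicebus.windows.net/;SharedAccessKeyName=xdr-listen;"
            "SharedAccessKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;EntityPath=xdr-hub")
ROOT_HUB = ("Endpoint=sb://xdr-ns.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;"
            "SharedAccessKey=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
STORAGE = ("DefaultEndpointsProtocol=https;AccountName=xdrstorage;"
           "AccountKey=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC==;"
           "EndpointSuffix=core.windows.net")

if __name__ == "__main__":
    print("good hub:", check_event_hub_connection(GOOD_HUB, "xdr-hub"))
    print("root hub:", check_event_hub_connection(ROOT_HUB, "xdr-hub"))
    print("storage:", check_storage_connection(STORAGE))
```

Treat both strings as credentials: store them only in the collector configuration, and rotate the shared access key if the string ever ends up in a ticket or chat transcript.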
STEP 3 | (Optional) Configure your Microsoft Azure Event Hub to collect Azure sign-in logs.
1. In the Microsoft Azure Console, search for Azure Active Directory, and select Services >
Azure Active Directory.
2. Select Monitoring > Diagnostic settings, and +Add diagnostic setting.
3. Set the following parameters.
• Event hub namespace—Select the applicable Subscription for the Azure Event
Hub.
• (Optional) Event hub name—Specify the name of your Azure Event Hub.
• Event hub policy—Select the applicable Event hub policy for your Azure Event
Hub.
4. Save your settings.
When you Normalize and enrich audit logs, the log format is automatically
configured. As a result, this option is removed and no longer available to
configure.
-The Vendor and Product default to Auto-Detect when the Log Format is set
to CEF or LEEF.
-For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row
to look for the Vendor and Product configured in the logs. When the values
are populated in the event log row, Cortex XDR uses these values even if
you specified a value in the Vendor and Product fields in the Azure Event
Hub data collector settings. When the values are blank in the event log
row, Cortex XDR uses the Vendor and Product that you specified in the Azure
Event Hub data collector settings. If you did not specify a Vendor or Product
in the Azure Event Hub data collector settings, and the values are blank in the
event log row, the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
-Vendor—Cisco
-Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
-Vendor—Corelight
-Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set but
remain configurable.
-Vendor—Ms
-Product—Azure
• Vendor and Product—Specify the Vendor and Product for the type of logs you are
ingesting.
The Vendor and Product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). The Vendor and Product values vary depending on
the Log Format selected. To uniquely identify the log source, consider changing the
values if they are configurable.
When you Normalize and enrich audit logs, the Vendor and Product fields
are automatically configured. Therefore, these fields are removed as available
options.
• Normalize and enrich audit logs—(Optional) You can Normalize and enrich audit logs
by selecting the checkbox. If selected, Cortex XDR normalizes and enriches Azure
Event Hub audit logs, including any Azure sign-in logs configured for collection, with
other Cortex XDR authentication stories across all cloud providers using the same
format, which you can query with XQL Search using the cloud_audit_logs and
xdr_data datasets.
4. Click Test to validate access, and then click Enable.
Once events start to come in, a green check mark appears underneath the Azure Event
Hub configuration with the amount of data received.
To receive network security group (NSG) flow logs from Azure Network Watcher, you must
configure data collection from Microsoft Azure Network Watcher using an Azure Function
provided by Cortex XDR. This Azure Function requires a token that is generated when you
configure your Azure Network Watcher Collector in the Collection Integration settings in Cortex
XDR. After you set up data collection, Cortex XDR begins receiving new logs and data from the
source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that
you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library.
You can also configure Cortex XDR to ingest network flow logs as XDR network connection
stories, which you can query with XQL Search using the xdr_dataset dataset with the preset
called network_story. Cortex XDR can also raise Cortex XDR alerts (Analytics, Correlation Rule,
IOC and BIOC only) when relevant from Azure Network Watcher flow logs. Analytics alerts are
only raised on normalized logs.
Be sure you do the following tasks before you begin configuring data collection from Azure
Network Watcher.
• Ensure that your NSG flow logs in Azure Network Watcher conform to the requirements
as outlined in the Microsoft documentation. For more information, see Introduction to flow
logging for network security groups.
• Enable NSG flow logs in the Microsoft Azure Portal.
Configure the Azure Network Watcher collection in Cortex XDR.
To receive logs and data from Okta, you must configure the Collection Integrations settings in
Cortex XDR. After you set up data collection, Cortex XDR immediately begins receiving new logs
and data from the source. The information from Okta is then searchable in XQL Search using the
okta_sso_raw dataset.
You can collect all types of events from Okta. When setting up the Okta data collector in Cortex
XDR, a field called Okta Filter is available to configure collection for events of your choosing. All
events are collected by default unless you define an Okta API Filter expression for collecting the
data, such as filter=eventType eq "user.session.start". For Okta information
to be weaved into authentication stories, "user.authentication.sso" events must be
collected.
STEP 3 | Select Settings > Configurations > Data Collection > Collection Integrations.
STEP 5 | After Cortex XDR begins receiving information from the service, you can Create an XQL
Query to search for specific data. When including authentication events, you can also Create
an Authentication Query to search for specific authentication data.
You can configure Cortex XDR to receive Windows DHCP logs using Elasticsearch Filebeat with
the following data collectors.
• XDR Collectors (recommended)
• Windows DHCP
Ingesting logs and data requires a Cortex XDR Pro per TB license.
When defining data collection in an XDR Collector profile using the Elasticsearch Filebeat
configuration file editor, you can configure in the filebeat.yml file whether the Windows DHCP
data collected undergoes follow-up processing in the backend. Cortex XDR uses Windows DHCP
logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL
Search using the Windows DHCP XQL dataset (microsoft_dhcp_raw).
While this enrichment is also available when configuring a Windows DHCP Collector for a cloud
data collection integration, we recommend configuring Cortex XDR to receive Windows DHCP
logs with an XDR Collectors profile, as it is the ideal setup.
Configure Cortex XDR to receive logs from Windows DHCP via Elasticsearch Filebeat with an
XDR Collectors profile.
STEP 1 | Add an XDR Collector Profile.
Follow all the steps explained in that section; the only Windows DHCP-specific part is the Filebeat
configuration file, explained in the following step.
STEP 2 | Configure the Filebeat configuration file to collect Windows DHCP data.
To enrich network logs with Windows DHCP data, set the following processors section and tags
in the filebeat.yml file. The drop_event processor discards every line that does not start with a
numeric event ID followed by a comma, the dissect processor names the CSV columns, and the
add_tags processor marks the event as windows_dhcp for the backend.
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - drop_event.when.not.regexp.message: "^[0-9]+,.*"
  - dissect:
      tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"
  - drop_fields:
      fields: ["message"]
  - add_locale: ~
  - rename:
      fields:
        - from: "event.timezone"
          to: "dissect.timezone"
      ignore_missing: true
      fail_on_error: false
  - add_tags:
      tags: [windows_dhcp]
      target: "xdr_log_type"
Ingesting logs and data requires a Cortex XDR Pro per TB license.
To receive Windows DHCP logs, you must configure data collection from Windows DHCP via
Elasticsearch Filebeat. This is configured by setting up a Windows DHCP Collector in Cortex XDR
and installing and configuring an Elasticsearch* Filebeat agent on your Windows DHCP Server.
Cortex XDR supports using Filebeat up to version 8.0.1 with the Windows DHCP Collector.
Certain settings in the Elasticsearch Filebeat default configuration file called filebeat.yml
must be populated with values provided when you configure the Collection Integrations settings
in Cortex XDR for the Windows DHCP Collector. To help you configure the filebeat.yml
correctly, Cortex XDR provides an example file that you can download and customize. After you
set up collection integration, Cortex XDR begins receiving new logs and data from the source.
For more information on configuring the filebeat.yml file, see the Elastic Filebeat
Documentation.
Windows DHCP logs are stored as CSV (comma-separated values) log files. The logs rotate by
day (DhcpSrvLog-<day>.log), and each file contains two sections: the Event ID Meaning table and
the events list.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Windows DHCP
XQL dataset (microsoft_dhcp_raw). Cortex XDR uses Windows DHCP logs to enrich your
network logs with hostnames and MAC addresses that are searchable in XQL Search using the
Windows DHCP XQL dataset.
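Because a DhcpSrvLog file mixes a free-text Event ID Meaning table with the CSV event rows, it helps to see exactly which lines the Filebeat processors shown in this section keep and how the dissect tokenizer names the columns. The following is an added example, not Cortex XDR or Elastic code: it re-implements the drop_event, dissect, drop_fields, add_locale/rename and add_tags steps in plain Python so you can run a server's log file through it before shipping anything, and then builds the IP-to-hostname/MAC table that is the enrichment Cortex XDR derives from these logs. The log content is constructed; the column order follows the tokenizer in the configuration above.

```python
"""Emulate, in plain Python, what the Filebeat processors in this section do to
a DhcpSrvLog-<day>.log file: drop everything that is not an event row, dissect
the row into the 19 named columns, move the locale timezone next to the
dissected fields, and tag the event.  Added example, not Cortex XDR or Elastic
code, for checking a server's log before shipping it.  The log content below is
constructed; the column order follows the tokenizer in the docs."""
import re

FIELDS = ["id", "date", "time", "description", "ipAddress", "hostName", "macAddress",
          "userName", "transactionID", "qResult", "probationTime", "correlationID",
          "dhcid", "vendorClassHex", "vendorClassASCII", "userClassHex",
          "userClassASCII", "relayAgentInformation", "dnsRegError"]
EVENT_ROW = re.compile(r"^[0-9]+,.*")  # same test as drop_event.when.not.regexp.message

SAMPLE_LOG = (
    "\t\tMicrosoft DHCP Service Activity Log\n"
    "\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n"
    "\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID,"
    " QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),"
    "UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.\n"
    "00,05/27/22,09:59:58,Started,,,,,0,6,,,,,,,,,0\n"
    "10,05/27/22,10:15:03,Assign,192.168.1.50,WORKSTATION01.corp.local,001122334455,,3015789321,0,,,,,,,,,0\n"
    "11,05/27/22,10:16:45,Renew,192.168.1.51,LAPTOP07.corp.local,AABBCCDDEEFF,,3015789322,0,,,,,,,,,0\n"
)


def process_line(line, timezone="+00:00"):
    """Return the event document for one line, or None when Filebeat would drop
    it.  The Event ID Meaning table ("00<TAB>The log was started.") starts with
    digits but has no comma after them, so the drop regex removes it together
    with the CSV header row.  Dissect splits on each literal ',' in tokenizer
    order; a row with too few commas fails the tokenizer (Filebeat would pass
    such an event on with an error field; it is simply skipped here)."""
    if not EVENT_ROW.match(line):
        return None
    parts = line.rstrip("\r\n").split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    fields = dict(zip(FIELDS, parts))
    fields["timezone"] = timezone  # add_locale, then rename event.timezone -> dissect.timezone
    return {"dissect": fields, "xdr_log_type": ["windows_dhcp"]}  # message dropped, tag added


def process_log(text, timezone="+00:00"):
    return [doc for doc in (process_line(l, timezone) for l in text.splitlines()) if doc]


def lease_table(docs):
    """The enrichment Cortex XDR performs from these logs: IP address ->
    (hostname, MAC) taken from Assign (ID 10) and Renew (ID 11) events."""
    table = {}
    for doc in docs:
        f = doc["dissect"]
        if f["id"] in ("10", "11") and f["ipAddress"]:
            table[f["ipAddress"]] = (f["hostName"], f["macAddress"])
    return table


if __name__ == "__main__":
    docs = process_log(SAMPLE_LOG, "+02:00")
    print(len(docs), "events;", lease_table(docs))
```

If the hostName column in your environment carries bare names rather than FQDNs, or the server writes additional columns, the tokenizer in filebeat.yml has to change accordingly; this emulation shows the mismatch immediately as dropped or mis-named fields.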
Configure Cortex XDR to receive logs from Windows DHCP via Elasticsearch Filebeat with the
Windows DHCP collector.
• Filebeat inputs—Define the paths to crawl and fetch. The code below provides an
example of how to configure the Filebeat inputs section in the filebeat.yml file
with these paths configured.
• Elasticsearch Output—Set the hosts and api_key, where both of these values
are obtained when you configured the Windows DHCP Collector in Cortex XDR as
explained in Step #1. The code below provides an example of how to configure the
Elasticsearch Output section in the filebeat.yml file and indicates which settings
need to be obtained from Cortex XDR.
how to configure the Processors section in the filebeat.yml file and indicates
which settings need to be obtained from Cortex XDR.
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - drop_event.when.not.regexp.message: "^[0-9]+,.*"
  - dissect:
      tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"
  - drop_fields:
      fields: ["message"]
  - add_locale: ~
  - rename:
      fields:
        - from: "event.timezone"
          to: "dissect.timezone"
      ignore_missing: true
      fail_on_error: false
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
STEP 4 | After Cortex XDR begins receiving logs from Windows DHCP via Elasticsearch Filebeat, you
can use the XQL Search to search for logs in the new dataset (microsoft_dhcp_raw).
* Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
If you use Zscaler Cloud Firewall in your network, you can forward your firewall and network
logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous
behavior detection and investigation capabilities. Cortex XDR can use the firewall and network
logs from Zscaler Cloud Firewall as the sole data source, and can also use them in conjunction
with Palo Alto Networks firewall and network logs. For additional endpoint context, you can also
use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app performs these actions.
• Begins stitching network connection and firewall logs with other logs to form network stories.
Cortex XDR can also analyze your logs to raise Analytics alerts and can apply IOC, BIOC, and
Correlation Rule matching. You can also use queries to search your network connection logs.
• Creates a Zscaler XQL dataset (<Vendor>_<Product>_raw) based on the <Vendor> and
<Product> fields defined in the Zscaler Cloud Firewall syslog configuration. This enables you
to search the logs using XQL Search.
To integrate your logs, you first need to set up an applet in a broker VM within your network to
act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the
Syslog Collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in
your traffic logs to the Cortex XDR log format.
To ingest logs from Zscaler Cloud Firewall:
STEP 1 | Activate the Syslog Collector.
STEP 2 | Increase log storage for Zscaler Cloud Firewall logs. For more information, see Manage Your
Log Storage within Cortex XDR.
STEP 3 | Configure NSS log forwarding in Zscaler Cloud Firewall to the Syslog Collector.
1. In the Zscaler Cloud Firewall application, go to Administration > Nanolog Streaming
Service.
2. In the NSS Feeds tab, Add NSS Feed.
3. In the Add NSS Feed screen, configure the fields for the Cortex XDR Syslog Collector.
The following fields are required to add an NSS feed.
For more information on the other settings on the screen, see
the Zscaler Cloud Firewall documentation for Adding NSS Feeds for Firewall
Logs.
• SIEM TCP Port—Specify the port that you set when activating the Syslog Collector in
Cortex XDR. See Step 1.
• SIEM IP Address—Specify the IP that you set when activating the Syslog Collector in
Cortex XDR. See Step 1.
4. Click Save.
5. Click Save and activate the change according to the Zscaler Cloud Firewall
documentation.
When you ingest authentication logs and data from an external source, Cortex XDR can weave
that information into authentication stories. An authentication story unites logs and data
regardless of the information source (for example, from an on-premise KDC or from a cloud-based
authentication service) into a uniform schema. To search authentication stories, you can use the
Query Builder or XQL Search.
Cortex XDR can ingest authentication logs and data from the following authentication services.
• AWS CloudTrail
• Microso Azure Event Hub
• GCP Pub/Sub
• Google Workspace
• Microso Office 365
• Okta
• PingFederate
• PingOne
You can forward audit logs for the relevant service to Cortex XDR from AWS CloudTrail.
To receive audit logs from Amazon Simple Storage Service (Amazon S3) via AWS CloudTrail,
you must first configure data collection from Amazon S3. You can then configure the Collection
Integrations settings in Cortex XDR for Amazon S3. After you set up collection integration, Cortex
XDR begins receiving new logs and data from the source.
For more information on configuring data collection from Amazon S3 using AWS
CloudTrail, see the AWS CloudTrail Documentation.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon S3 XQL
dataset (aws_s3_raw). This enables you to search the logs with XQL Search using the dataset.
For example queries, refer to the in-app XQL Library. You can also configure Cortex XDR to stitch
Amazon S3 audit logs with other Cortex XDR authentication stories across all cloud providers
using the same format, which you can query with XQL Search using the cloud_audit_logs
dataset. Cortex XDR can also raise Cortex XDR alerts (IOC, BIOC, and Correlation Rule only) when
relevant from Amazon S3 logs.
Be sure you do the following tasks before you begin configuring data collection from Amazon S3
via AWS CloudTrail.
• Ensure that you have the proper permissions to access AWS CloudTrail and have the necessary
permissions to create audit logs. You need at a minimum the following permissions in AWS for
an Amazon S3 bucket and Amazon Simple Queue Service (SQS).
• Amazon S3 bucket—GetObject
• SQS—ChangeMessageVisibility, ReceiveMessage, and DeleteMessage.
• Determine how you want to provide access to Cortex XDR to your logs and to perform API
operations. You have the following options.
• Designate an AWS IAM user, where you will need to know the Account ID for the user and
have the relevant permissions to create an access key/id for the relevant IAM user. This is
the default option, as explained in configuring the Amazon S3 collection in Cortex XDR by
selecting Access Key.
• Create an assumed role in AWS to delegate permissions to a Cortex XDR AWS service. This
role grants Cortex XDR access to your logs. For more information, see Creating a role
to delegate permissions to an AWS service. This is the Assumed Role option as described in
configuring the Amazon S3 collection in Cortex XDR. For more information on creating an
assumed role for Cortex XDR, see Create an Assumed Role for Cortex XDR.
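The permission list above is the whole of what the collector needs, so the identity you hand to Cortex XDR, whether an IAM user with an access key or an assumed role, should carry nothing more. The following is an added example, not Cortex XDR or AWS code: it renders those four actions as a resource-scoped IAM policy document for a given bucket, key prefix and queue, and audits an existing policy against the same list, reporting missing actions, extra actions (a wildcard such as s3:* is deliberately counted as extra) and Allow statements on Resource "*". The bucket name, queue ARN, account ID and AWSLogs/ prefix are constructed placeholders; the trust policy an assumed role also needs is outside this example.

```python
"""Build the least-privilege IAM policy the prerequisites describe for the
identity Cortex XDR uses (access key or assumed role), and audit an existing
policy against it.  Added example, not Cortex XDR or AWS code; the ARNs,
account ID and key prefix are constructed placeholders.  The role's trust
policy is a separate document and is not covered here."""
import json

REQUIRED_ACTIONS = {
    "s3:GetObject",
    "sqs:ChangeMessageVisibility",
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
}


def build_policy(bucket, queue_arn, prefix=""):
    """Resource-scoped policy: object reads under an optional key prefix
    (e.g. 'AWSLogs/') and consumption of the named notification queue only."""
    object_arn = "arn:aws:s3:::%s/%s*" % (bucket, prefix)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadTrailObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": object_arn},
            {"Sid": "ConsumeQueue", "Effect": "Allow",
             "Action": ["sqs:ChangeMessageVisibility", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
             "Resource": queue_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Compare the Allow statements of a policy with REQUIRED_ACTIONS.  Returns
    the required actions it lacks, the actions it grants beyond them (wildcards
    such as 's3:*' count as extra on purpose), and the Sids of Allow statements
    whose Resource is '*'."""
    allowed, wildcard = set(), []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        allowed |= set(_as_list(st.get("Action", [])))
        if "*" in _as_list(st.get("Resource", [])):
            wildcard.append(st.get("Sid", "<no Sid>"))
    return {
        "missing": sorted(REQUIRED_ACTIONS - allowed),
        "extra": sorted(allowed - REQUIRED_ACTIONS),
        "wildcard_resources": wildcard,
    }


# Constructed: the kind of policy that often gets attached "to make it work".
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooMuch", "Effect": "Allow",
                   "Action": ["s3:*", "sqs:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    policy = build_policy("org-cloudtrail-logs",
                          "arn:aws:sqs:us-east-1:123456789012:xdr-cloudtrail", "AWSLogs/")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy))
    print(audit_policy(OVERBROAD))
```

Run the audit against the policy actually attached to the user or role (for example the output of `aws iam get-policy-version`) before you hand the access key or role ARN to the collector configuration.
</gr_ins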
Configure Cortex XDR to receive audit logs from Amazon S3 via AWS CloudTrail.
STEP 1 | Log in to the AWS Management Console.
STEP 2 | From the menu bar, ensure that you have selected the correct region for your configuration.
For more information on creating an AWS CloudTrail trail, see Create a trail.
If you already have an Amazon S3 bucket configured with AWS CloudTrail audit logs,
skip this step and go to Configure an Amazon Simple Queue Service (SQS).
write to it. For information about manually editing the bucket policy, see Amazon S3
Bucket Policy for CloudTrail.
The CloudWatch Logs - optional settings are not supported and should be left
disabled.
3. Click Next, and configure the following Choose log events settings.
• Event type—Leave the default Management events checkbox selected to capture
audit logs. Depending on your system requirements, you can also select Data events
to log the resource operations performed on or within a resource, or Insights events
to identify unusual activity, errors, or user behavior in your account. Based on your
selection, additional fields are displayed on the screen to configure under section
headings with the same name as the event type.
• Management events section—Configure the following settings.
- API activity—For Management events, select the API activities you want to log. By
default, the Read and Write activities are logged.
- Exclude AWS KMS events—(Optional) If you want to filter AWS Key Management
Service (AWS KMS) events out of your trail, select the checkbox. By default, all AWS
KMS events are included.
• Data events section—(Optional) This section is displayed when you configure the
Event type to include Data events, which relate to resource operations performed on
or within a resource, such as reading and writing to an S3 bucket. For more information
on configuring these optional settings in AWS CloudTrail, see Creating a trail.
• Insights events section—(Optional) This section is displayed when you configure the
Event type to include Insights events, which relate to unusual activities, errors, or
user behavior in your account. For more information on configuring these optional
settings in AWS CloudTrail, see Creating a trail.
4. Click Next.
5. In the Review and create page, look over the trail configuration settings that you have
configured and, if they are correct, click Create trail. If you need to make a change, click
Edit beside the particular step that you want to update.
The new trail is listed in the Trails page, which lists the trails in your account from all
Regions. It can take up to 15 minutes for CloudTrail to begin publishing log files. You can
see the log files in the S3 bucket that you specified. For more information, see Creating a
trail.
Ensure that you create your Amazon S3 bucket and Amazon SQS queue in the same
region.
messages to your SQS queue. Use this sample code as a guide for defining the
“Statement” with the following definitions:
- “Resource”—Leave the automatically generated ARN for the SQS queue that is
set in the code, which uses the format “arn:sns:Region:account-id:topic-
name”.
You can retrieve your bucket’s ARN by opening the Amazon S3 Console in a browser
window. In the Buckets section, select the bucket that you created for collecting the
Amazon S3 flow logs, click Copy ARN, and paste the ARN in the field.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "[Leave automatically generated ARN for the SQS queue defined by AWS]",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "[ARN of your Amazon S3 bucket]"
        }
      }
    }
  ]
}
• Dead-letter queue section—We recommend that you configure a queue for sending
undeliverable messages by selecting Enabled, and then in the Choose queue field
selecting the queue to send the messages. You may need to create a new queue for
this, if you do not already have one set up. For more information, see Amazon SQS
dead-letter queues.
3. Click Create queue.
Once the SQS is created, a message indicating that the queue was successfully
configured is displayed at the top of the page.
STEP 5 | Configure an event notification to your Amazon SQS whenever a file is written to your
Amazon S3 bucket.
1. Open the Amazon S3 Console and in the Properties tab of your Amazon S3 bucket, scroll
down to the Event notifications section, and click Create event notification.
2. Configure the following settings.
• Event name—Specify a descriptive name for your event notification containing up to
255 characters.
• Prefix—Do not set a prefix, as the Amazon S3 bucket is meant to be a dedicated
bucket for collecting audit logs.
• Event types—Select All object create events for the type of event notifications that
you want to receive.
• Destination—Select SQS queue to send notifications to an SQS queue to be read by a
server.
• Specify SQS queue—You can either select Choose from your SQS queues and then
select the SQS queue, or select Enter SQS queue ARN and specify the ARN in the
SQS queue field.
You can retrieve your SQS queue ARN by opening another instance of the AWS
Management Console in a browser window, opening the Amazon SQS Console,
and selecting the Amazon SQS that you created. In the Details section, under ARN,
click the copy icon, and paste the ARN in the field.
If you receive an error when trying to save your changes, you should ensure that
the permissions are set up correctly.
STEP 6 | Configure access keys for the AWS IAM user that Cortex XDR uses for API operations.
1. Open the AWS IAM Console, and in the navigation pane, select Access management >
Users.
2. Select the User name of the AWS IAM user.
3. Select the Security credentials tab, scroll down to the Access keys section, and click
Create access key.
4. Click the copy icon next to the Access key ID and Secret access key keys, where you
must click Show secret access key to see the secret key, and record them somewhere
safe before closing the window. You will need to provide these keys when you edit the
Access policy of the SQS queue and when setting the AWS Client ID and AWS Client
Secret in Cortex XDR. If you forget to record the keys and close the window, you will
need to generate new keys and repeat this process.
For more information, see Managing access keys for IAM users.
Skip this step if you are using an Assumed Role for Cortex XDR.
1. In the Amazon SQS Console, select the SQS queue that you created in Configure an
Amazon Simple Queue Service (SQS).
2. Select the Access policy tab, and Edit the Access policy code in the editor
window to enable the IAM user to perform operations on the Amazon SQS with
permissions to SQS:ChangeMessageVisibility, SQS:DeleteMessage, and
SQS:ReceiveMessage. Use this sample code as a guide for defining the “Sid”:
“__receiver_statement” with the following definitions.
• “aws:SourceArn”—Specify the ARN of the AWS IAM user. You can retrieve the
User ARN from the Security credentials tab, which you accessed when configuring
access keys for the AWS API user.
• “Resource”—Leave the automatically generated ARN for the SQS queue that is
set in the code, which uses the format “arn:sns:Region:account-id:topic-
name”.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "[Leave automatically generated ARN for the SQS queue defined by AWS]",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "[ARN of your Amazon S3 bucket]"
        }
      }
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "[Add the ARN for the AWS IAM user]"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "[Leave automatically generated ARN for the SQS queue defined by AWS]"
    }
  ]
}
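The queue access policy above carries two trust decisions that are easy to get wrong when the JSON is edited by hand: the S3 SendMessage grant must stay scoped to your bucket through aws:SourceArn, and the __receiver_statement must name only the Cortex XDR IAM user with only the three SQS actions. The following Python check is an added example, not part of this guide or of Cortex XDR, that reviews a policy for those two statements; the ARNs and both sample policies are constructed placeholders.

```python
"""Review an Amazon SQS access policy for the two statements the Cortex XDR CloudTrail
collector needs: S3 may SendMessage (scoped to one bucket via aws:SourceArn) and one IAM
user may ReceiveMessage / DeleteMessage / ChangeMessageVisibility.
Added example with constructed data; not the guide's or Cortex XDR's own code."""
import json

# The three actions the guide requires for the receiver (IAM user) statement.
REQUIRED_RECEIVER_ACTIONS = {"sqs:changemessagevisibility", "sqs:deletemessage", "sqs:receivemessage"}

# Constructed placeholder ARNs (not real resources).
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:cortex-xdr-cloudtrail"
BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs"
USER_ARN = "arn:aws:iam::123456789012:user/cortex-xdr-collector"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_queue_policy(policy_json: str, bucket_arn: str, user_arn: str) -> list[str]:
    """Return human-readable findings; an empty list means the policy matches the guide."""
    findings = []
    s3_statement_ok = False
    receiver_found = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" is shorthand for {"AWS": "*"}
            principal = {"AWS": principal}
        # Statement 1: S3 delivers object-created notifications to the queue.
        if principal.get("Service") == "s3.amazonaws.com" and "sqs:sendmessage" in actions:
            condition = stmt.get("Condition", {})
            source_arn = (condition.get("ArnLike", {}).get("aws:SourceArn")
                          or condition.get("ArnEquals", {}).get("aws:SourceArn"))
            if source_arn is None:
                findings.append("S3 SendMessage statement lacks an aws:SourceArn condition, "
                                "so any S3 bucket could deliver messages to the queue")
            elif source_arn != bucket_arn:
                findings.append(f"S3 SendMessage statement is scoped to {source_arn}, not {bucket_arn}")
            else:
                s3_statement_ok = True
        # Statement 2: the IAM user whose access key Cortex XDR uses to read the queue.
        aws_principals = set(_as_list(principal.get("AWS")))
        if not aws_principals:
            continue
        receiver_found = True
        if "*" in aws_principals:
            findings.append("receiver statement allows Principal '*' (anyone) instead of the Cortex XDR IAM user")
        elif aws_principals != {user_arn}:
            findings.append(f"receiver statement names {sorted(aws_principals)}, not {user_arn}")
        if "*" in actions or "sqs:*" in actions:
            findings.append("receiver statement uses a wildcard action; grant only the three actions the collector needs")
        elif not REQUIRED_RECEIVER_ACTIONS <= actions:
            findings.append(f"receiver statement is missing actions: {sorted(REQUIRED_RECEIVER_ACTIONS - actions)}")
        elif actions - REQUIRED_RECEIVER_ACTIONS:
            findings.append(f"receiver statement grants unneeded actions: {sorted(actions - REQUIRED_RECEIVER_ACTIONS)}")
    if not s3_statement_ok:
        findings.append("no valid S3 -> SQS SendMessage statement for the CloudTrail bucket")
    if not receiver_found:
        findings.append("no receiver statement for the Cortex XDR IAM user")
    return findings


# Constructed policy built the way the guide describes (both statements present).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "SQS:SendMessage", "Resource": QUEUE_ARN,
         "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN}}},
        {"Sid": "__receiver_statement", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
         "Action": ["SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage"],
         "Resource": QUEUE_ARN},
    ],
})

# Constructed weak policy: the SourceArn condition was dropped and the receiver
# statement was opened to everyone with a wildcard action.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "SQS:SendMessage", "Resource": QUEUE_ARN},
        {"Sid": "__receiver_statement", "Effect": "Allow", "Principal": "*",
         "Action": "SQS:*", "Resource": QUEUE_ARN},
    ],
})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_queue_policy(policy, BUCKET_ARN, USER_ARN) or ["OK"])
```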
To receive logs from Azure Event Hub, you must configure the Collection Integrations settings
in Cortex XDR based on your Microsoft Azure Event Hub configuration. After you set up data
collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that
you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library.
You can also configure Cortex XDR to normalize Azure Event Hub audit logs with other Cortex
XDR authentication stories across all cloud providers using the same format, which you can query
with XQL Search using the cloud_audit_logs or xdr_data datasets. For logs that you do not
configure Cortex XDR to normalize, you can change the default dataset. Cortex XDR can also raise
Cortex XDR alerts (IOC, BIOC, and Correlation Rule only) when relevant from Azure Event Hub
logs.
Cortex XDR can also ingest Azure sign-in logs when you configure an Azure Event Hub data
collector to collect audit logs. This is also dependent on setting the applicable Diagnostic settings
in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex
XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these
authentication logs. Cortex XDR can normalize these Active Directory sign-in logs with other
Cortex XDR authentication stories across all cloud providers using the same format. You can query
these logs in XQL Search using the cloud_audit_logs and xdr_data datasets.
Be sure you do the following tasks before you begin configuring data collection from Azure Event
Hub.
• Create an Azure Event Hub. For more information, see Quickstart: Create an event hub using
Azure portal.
• Ensure the format for the logs you want collected from the Azure Event Hub is either JSON or
raw.
Configure the Azure Event Hub collection in Cortex XDR.
STEP 1 | In the Microsoft Azure Console, open the Event Hubs page, and select the Azure Event Hub
that you created for collection in Cortex XDR.
STEP 2 | Record the following parameters from your configured event hub, which you will need when
configuring data collection in Cortex XDR.
• Your event hub’s consumer group.
1. Select Entities > Event Hubs, and select your event hub.
2. Select Entities > Consumer groups, and select your event hub.
3. In the Consumer group table, copy the applicable value listed in the Name column for
your Cortex XDR data collection configuration.
• Your event hub’s connection string for the designated policy.
1. Select Settings > Shared access policies.
2. In the Shared access policies table, select the applicable policy.
3. Copy the Connection string-primary key.
• Storage account for the connection string.
1. Open the Storage accounts page, and select the storage account that contains the
connection string for the event hub you have configured for data collection by Cortex
XDR.
2. Select Security + networking > Access keys, and click Show keys.
3. Copy the applicable Connection string.
STEP 3 | (Optional) Configure your Microsoft Azure Event Hub to collect Azure sign-in logs.
1. In the Microsoft Azure Console, search for Azure Active Directory, and select Services >
Azure Active Directory.
2. Select Monitoring > Diagnostic settings, and +Add diagnostic setting.
3. Set the following parameters.
• Event hub namespace—Select the applicable Subscription for the Azure Event
Hub.
• (Optional) Event hub name—Specify the name of your Azure Event Hub.
• Event hub policy—Select the applicable Event hub policy for your Azure Event
Hub.
4. Save your settings.
When you Normalize and enrich audit logs, the log format is automatically
configured. As a result, this option is removed and no longer available to
configure.
- The Vendor and Product default to Auto-Detect when the Log Format is set
to CEF or LEEF.
- For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row
to look for the Vendor and Product configured in the logs. When the values
are populated in the event log row, Cortex XDR uses these values even if
you specified a value in the Vendor and Product fields in the Azure Event
Hub data collector settings. Yet, when the values are blank in the event log
row, Cortex XDR uses the Vendor and Product that you specified in the Azure
Event Hub data collector settings. If you did not specify a Vendor or Product
in the Azure Event Hub data collector settings, and the values are blank in the
event log row, the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
- Vendor—Cisco
- Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
- Vendor—Corelight
- Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
- Vendor—Ms
- Product—Azure
• Vendor and Product—Specify the Vendor and Product for the type of logs you are
ingesting.
The Vendor and Product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). The Vendor and Product values vary depending on
the Log Format selected. To uniquely identify the log source, consider changing the
values if the values are configurable.
When you Normalize and enrich audit logs, the Vendor and Product fields
are automatically configured. Therefore, these fields are removed as available
options.
• Normalize and enrich audit logs—(Optional) You can Normalize and enrich audit logs
by selecting the checkbox. If selected, Cortex XDR normalizes and enriches Azure
Event Hub audit logs, including any Azure sign-in logs configured for collection, with
other Cortex XDR authentication stories across all cloud providers using the same
format, which you can query with XQL Search using the cloud_audit_logs and
xdr_data datasets.
4. Click Test to validate access, and then click Enable.
Once events start to come in, a green check mark appears underneath the Azure Event
Hub configuration with the amount of data received.
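To make the Vendor and Product precedence rules above concrete (the same rules apply to the GCP generic collector later in this chapter), here is an added Python example, not Cortex XDR's own code, that resolves the two fields for one event row; the CEF and LEEF sample rows and the collector settings are constructed.

```python
"""Vendor/Product resolution for a Cortex XDR data collector as the guide describes it:
Cisco and Corelight are fixed, Raw/JSON use the collector's configurable defaults, and for
CEF/LEEF the values found in each event row override the collector settings, with
"unknown" when neither is present.  Added example with constructed rows; not Cortex XDR code."""
import re

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER = re.compile(r"^CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|")
# LEEF header: LEEF:Version|Vendor|Product|Version|EventID|Extension
LEEF_HEADER = re.compile(r"^LEEF:[^|]*\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|")

# Fixed values the guide lists for the Cisco and Corelight formats.
FIXED_FORMATS = {"Cisco": ("Cisco", "ASA"), "Corelight": ("Corelight", "Zeek")}


def header_vendor_product(row: str, log_format: str) -> tuple[str, str]:
    """Vendor and Product read from the row's CEF or LEEF header ("" when blank or absent)."""
    pattern = CEF_HEADER if log_format == "CEF" else LEEF_HEADER
    match = pattern.match(row)
    if not match:
        return "", ""
    return match.group("vendor").strip(), match.group("product").strip()


def resolve_vendor_product(row: str, log_format: str, configured_vendor: str = "",
                           configured_product: str = "",
                           raw_defaults: tuple[str, str] = ("Ms", "Azure")) -> tuple[str, str]:
    """Apply the guide's precedence rules for one event row and return (vendor, product).
    raw_defaults are the collector's automatic Raw/JSON values (Ms/Azure for Azure Event Hub,
    Google/Cloud Logging for GCP)."""
    if log_format in FIXED_FORMATS:
        return FIXED_FORMATS[log_format]
    if log_format in ("Raw", "JSON"):
        return (configured_vendor or raw_defaults[0], configured_product or raw_defaults[1])
    if log_format not in ("CEF", "LEEF"):
        raise ValueError(f"unsupported Log Format: {log_format}")
    row_vendor, row_product = header_vendor_product(row, log_format)
    # Row value wins; a blank row value falls back to the collector setting; else "unknown".
    vendor = row_vendor or configured_vendor or "unknown"
    product = row_product or configured_product or "unknown"
    return vendor, product


# Constructed sample rows (vendor/product names are invented).
CEF_ROW = "CEF:0|ExampleCorp|Gateway|4.2|100|Login allowed|3|src=10.0.0.5 suser=alice"
CEF_BLANK_ROW = "CEF:0|||4.2|100|Login allowed|3|src=10.0.0.5 suser=alice"
LEEF_ROW = "LEEF:2.0|ExampleCorp|MailFilter|1.0|42|src=10.0.0.9"

if __name__ == "__main__":
    print(resolve_vendor_product(CEF_ROW, "CEF", "Acme", "Box"))        # row values win
    print(resolve_vendor_product(CEF_BLANK_ROW, "CEF", "Acme", "Box"))  # collector settings
    print(resolve_vendor_product(CEF_BLANK_ROW, "CEF"))                 # unknown/unknown
    print(resolve_vendor_product("{}", "JSON", raw_defaults=("Google", "Cloud Logging")))
```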
If you use the Pub/Sub messaging service from Google Cloud Platform (GCP), you can send logs
and data from your GCP instance to Cortex XDR. Data from GCP is then searchable in Cortex
XDR to provide additional information and context to your investigations using the GCP XQL
dataset (google_cloud_logging_raw). For example queries, refer to the in-app XQL Library.
You can configure a Google Cloud Platform collector to receive generic, flow, or audit logs. When
configuring generic logs, you can receive logs in a Raw, JSON, CEF, LEEF, Cisco, or Corelight
format.
You can also configure Cortex XDR to normalize GCP audit logs, which you can query with XQL
Search using the cloud_audit_logs dataset. In addition, you can configure Cortex XDR to
ingest network flow logs as XDR network connection stories, which you can query with XQL
Search using the xdr_dataset dataset with the preset called network_story. Cortex XDR can
also raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rule only) when relevant from
GCP logs. Analytics alerts are only raised on normalized logs.
When collecting flow logs, we recommend that you include GKE annotations in your logs,
which enable you to view the names of the containers that communicated with each
other. GKE annotations are only included in logs if appended manually using the custom
metadata configuration in GCP. For more information, see VPC Flow Logs Overview. In
addition, to customize metadata fields, you must use the gcloud command-line interface or
the API. For more information, see Using VPC Flow Logs.
To receive logs and data from GCP, you must first set up log forwarding using a Pub/Sub topic
in GCP. You can configure GCP settings using either the GCP web interface or a GCP cloud shell
terminal. After you set up your service account in GCP, you configure the Data Collection settings
in Cortex XDR. The setup process requires the subscription name and authentication key from
your GCP instance.
After you set up log collection, Cortex XDR immediately begins receiving new logs and data from
GCP.
• Set up Log Forwarding Using the GCP Web Interface.
• Set up Log Forwarding Using the GCP Cloud Shell Terminal.
can configure Cortex XDR to normalize GCP audit logs, which you can query with
XQL Search using the cloud_audit_logs dataset.
• Generic—When selecting this log type, you can configure the following settings.
• Log Format—Select the log format type as Raw, JSON, CEF, LEEF, Cisco, or
Corelight.
- The Vendor and Product default to Auto-Detect when the Log Format is
set to CEF or LEEF.
- For a Log Format set to CEF or LEEF, Cortex XDR reads events row by
row to look for the Vendor and Product configured in the logs. When the
values are populated in the event log row, Cortex XDR uses these values
even if you specified a value in the Vendor and Product fields in the GCP
data collector settings. Yet, when the values are blank in the event log row,
Cortex XDR uses the Vendor and Product that you specified in the GCP
data collector settings. If you did not specify a Vendor or Product in the
GCP data collector settings, and the values are blank in the event log row,
the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
- Vendor—Cisco
- Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
- Vendor—Corelight
- Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
- Vendor—Google
- Product—Cloud Logging
Cortex XDR supports logs in single line format or multiline format. For a JSON
format, multiline logs are collected automatically when the Log Format is
configured as JSON. When configuring a Raw format, you must also define the
Multiline Parsing Regex as explained below.
• Vendor—(Optional) Specify a particular vendor name for the GCP generic data
collection, which is used in the GCP XQL dataset <Vendor>_<Product>_raw
that Cortex XDR creates as soon as it begins receiving logs.
• Product—(Optional) Specify a particular product name for the GCP
generic data collection, which is used in the GCP XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Multiline Parsing Regex—(Optional) This option is only displayed when the Log
Format is set to Raw, where you can set the regular expression that identifies
when the multiline event starts in logs with multiple lines. It is assumed that when a
new event begins, the previous one has ended.
6. Test the provided settings and, if successful, proceed to Enable log collection.
STEP 6 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL Query language to search for specific data.
Note the subscription name you define in this step as you will need it to set up log ingestion
from Cortex XDR.
If setup is successful, the console displays a summary of your log sink sengs:
Created [https://logging.googleapis.com/v2/projects/
PROJECT_ID/sinks/SINK_NAME]. Please remember to grant
`serviceAccount:LOGS_SINK_SERVICE_ACCOUNT` \ the Pub/Sub Publisher
role on the topic. More information about sinks can be found at /
logging/docs/export/configure_export
STEP 6 | Grant log sink service account to publish to the new topic
Note the serviceAccount name from the previous step and use it to define the service for
which you want to grant publish access.
can configure Cortex XDR to normalize GCP audit logs, which you can query with
XQL Search using the cloud_audit_logs dataset.
• Generic—When selecting this log type, you can configure the following settings.
• Log Format—Select the log format type as Raw, JSON, CEF, LEEF, Cisco, or
Corelight.
- The Vendor and Product default to Auto-Detect when the Log Format is
set to CEF or LEEF.
- For a Log Format set to CEF or LEEF, Cortex XDR reads events row by
row to look for the Vendor and Product configured in the logs. When the
values are populated in the event log row, Cortex XDR uses these values
even if you specified a value in the Vendor and Product fields in the GCP
data collector settings. Yet, when the values are blank in the event log row,
Cortex XDR uses the Vendor and Product that you specified in the GCP
data collector settings. If you did not specify a Vendor or Product in the
GCP data collector settings, and the values are blank in the event log row,
the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
- Vendor—Cisco
- Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
- Vendor—Corelight
- Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
- Vendor—Google
- Product—Cloud Logging
Cortex XDR supports logs in single line format or multiline format. For a JSON
format, multiline logs are collected automatically when the Log Format is
configured as JSON. When configuring a Raw format, you must also define the
Multiline Parsing Regex as explained below.
• Vendor—(Optional) Specify a particular vendor name for the GCP generic data
collection, which is used in the GCP XQL dataset <Vendor>_<Product>_raw
that Cortex XDR creates as soon as it begins receiving logs.
• Product—(Optional) Specify a particular product name for the GCP
generic data collection, which is used in the GCP XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Multiline Parsing Regex—(Optional) This option is only displayed when the Log
Format is set to Raw, where you can set the regular expression that identifies
when the multiline event starts in logs with multiple lines. It is assumed that when a
new event begins, the previous one has ended.
6. Test the provided settings and, if successful, proceed to Enable log collection.
STEP 11 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL Query language to search for specific data.
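The Multiline Parsing Regex setting described above is easy to get subtly wrong, so here is an added Python example, not Cortex XDR's own implementation, that groups a constructed Raw log into events the way the guide describes (a line matching the regex starts a new event and thereby ends the previous one) and shows what a too-loose or non-matching regex does to the result.

```python
"""Multiline Parsing Regex behaviour for a Raw-format GCP generic collector, as the guide
describes it: a line matching the regex starts a new event, and that start also ends the
previous event.  Added example with a constructed log; not Cortex XDR's own implementation."""
import re

# Constructed raw log: each event starts with an RFC 3339 timestamp; stack-trace lines do not.
SAMPLE_RAW_LOG = """\
2022-05-27T10:00:01Z INFO worker started
2022-05-27T10:00:02Z ERROR job 42 failed
java.lang.IllegalStateException: token expired
    at com.example.Auth.verify(Auth.java:88)
    at com.example.Job.run(Job.java:19)
2022-05-27T10:00:03Z INFO job 43 finished
"""

# A start-of-event regex that matches only the timestamped first line of each event.
TIMESTAMP_START = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
# A too-loose regex: every non-indented line starts an event, so the exception message
# line above is split away from its stack trace.
LOOSE_START = r"^\S"


def split_multiline_events(raw_log: str, start_regex: str) -> list[str]:
    """Group lines into events; a line matching start_regex closes the previous event and
    opens a new one. Lines before the first match are kept together as their own partial
    event so nothing is dropped. A regex that never matches yields a single giant event."""
    start = re.compile(start_regex)
    events: list[str] = []
    current: list[str] = []
    for line in raw_log.splitlines():
        if start.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for label, regex in (("timestamp", TIMESTAMP_START), ("loose", LOOSE_START), ("never", r"^NEVER")):
        events = split_multiline_events(SAMPLE_RAW_LOG, regex)
        print(f"{label}: {len(events)} event(s)")
        for event in events:
            print("  ---\n  " + event.replace("\n", "\n  "))
```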
Cortex XDR can ingest the following types of data from Google Workspace, where most of the
data is collected as audit events from various Google reports, using the Google Workspace data
collector.
• Google Chrome
• Admin Console
• Google Chat
• Enterprise Groups
• Login
• Rules
• Google drive
• Token
• User Accounts
• SAML
• Emails—Requires a compliance mailbox to ingest email data (not email reports).
• All message details except email headers and email content (payload.body,
payload.parts, and snippet).
• Attachment details, when Get Attachment Info is selected, includes file name, size, and hash
calculation.
The following Google APIs are required to collect the different types of data from Google
Workspace.
• For all data types, except emails.
• Admin SDK API
• Admin Reports API (part of Admin SDK API)
• Emails require implementing the Gmail API.
To receive logs from Google Workspace for any of the data types except emails, you must first
enable the Google Workspace Admin SDK API with a user with access to the Admin SDK Reports
API. For emails, you must set up a compliance email account as explained in the prerequisite
step below and then enable the Google Workspace Gmail API. Once implemented, you can then
configure the Collection Integrations settings in Cortex XDR. After you set up data collection,
Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset for the different types
of data that you are collecting, which you can use to initiate XQL Search queries. For example
queries, refer to the in-app XQL Library. For all logs, Cortex XDR can raise Cortex XDR alerts for
Correlation Rules only, when relevant from Google Workspace logs.
The following table lists the different datasets, vendors, and products automatically configured for
the different types of data you can collect using the Google Workspace data collector.
Data Type | Dataset | Vendor | Product
Login | google_workspace_login_raw | Google Workspace | Login
Rules | google_workspace_rules_raw | Google Workspace | Rules
Token | google_workspace_token_raw | Google Workspace | Token
SAML | google_workspace_saml_raw | Google Workspace | SAML
Be sure you do the following tasks before you begin configuring data collection from Google
Workspace using the instructions detailed below.
• When configuring data collection for all data types except emails, complete the following API
setup steps in the Reports API Prerequisites to set up the Google Workspace Admin SDK
environment.
1. Set up the basics
2. Set up a Google API Console project without activating the Reports API service, as this will
be explained in greater detail in the task below.
• Before you can collect Google emails, you need to set up the following.
1. A compliance email account.
2. In every user’s email account that you want to monitor, you need to ensure that the user
creates a rule to filter their emails to the compliance email account. When creating this rule,
ensure that every user sets the following in their filter rule.
• To—Specify the user’s email address, such as myemail@gmail.com, whose emails will
be monitored and forwarded to the compliance email account.
• Select Forward it to:, and then select the email address for the compliance email account,
where the emails will be forwarded.
This rule forwards every message sent to the user’s account to a defined compliance
mailbox. After the Google Workspace data collector ingests the emails, they are deleted from
the compliance mailbox to prevent email from building up over time (nothing touches the actual
users’ mailboxes).
• Spam emails from the compliance email account, and from all other monitored email
accounts, are not collected.
• Any draft emails written in the compliance email account are collected by the
Google Workspace data collector, and are then deleted even if the email was never
sent.
STEP 1 | Complete the applicable prerequisite steps for the types of data you want to collect from
Google Workspace.
STEP 3 | Perform Google Workspace Domain-Wide Delegation of Authority when collecting any type
of data from Google Workspace except Google Emails.
When collecting any type of data from Google Workspace except emails, you need to set
up Google Workspace enterprise applications to access users’ data without any manual
authorization. This is performed by following these steps.
For more information on the entire process, see Perform Google Workspace Domain-
Wide Delegation of Authority.
1. Enable the Admin SDK API to create a service account and set credentials for this service
account.
As you complete this step, you need to gather information related to your service
account, including the Client ID, Private key file, and Email address, which you will need
to use later on in this task.
1. Select the Hamburger menu > APIs & Services > Library.
2. Search for the Admin SDK API, and select the API from the results list.
3. Enable the Admin SDK API.
4. Select APIs & Services > Credentials.
5. Select + CREATE CREDENTIALS > Service account.
6. Set the following Service account details in the applicable fields.
• Specify a service account name. This name is automatically used to populate the
following field as the service account ID, where the name is changed to lowercase
letters and all spaces are changed to hyphens.
• Specify the service account ID, where you can either leave the default
service account ID or add a new one. This service account ID is used to set
the service account email using the following format: <id>@<project
name>.iam.gserviceaccount.com.
• (Optional) Specify a service account description.
7. CREATE AND CONTINUE.
8. (Optional) Decide whether you want to Grant this service account access to project
or Grant users access to this service account.
9. Click Done.
10. Select your newly created Service Account from the list.
11. Create a service account private key and download the private key file as a JSON file.
In the Keys tab, select ADD KEY > Create new key, leave the default Key type set to
JSON, and CREATE the private key. Once you’ve downloaded the new private key
pair to your machine, ensure that you store it in a secure location as it’s the only copy
of this key. You will need to browse to this JSON file when configuring the Google
Workplace data collector in Cortex XDR.
2. Delegate domain-wide authority to your service account with the Admin Reports API
scopes.
1. Open the Google Admin Console.
2. Select Security > Access and data control > API controls.
3. Scroll down to the Domain wide delegation section, and select MANAGE DOMAIN
WIDE DELEGATION.
4. Click Add new.
5. Set the following settings to define permissions for the Admin SDK API.
• Client ID—Specify the service account’s Unique ID, which you can obtain from the
Service accounts page by clicking the email of the service account to view further
details.
• In the OAuth scopes (comma-delimited) field, paste in the first of the two
Admin Reports API scopes—https://www.googleapis.com/auth/
admin.reports.audit.readonly
• In the following OAuth scopes (comma-delimited) field, paste in the second
Admin Reports API scope—https://www.googleapis.com/auth/
admin.reports.usage.readonly
For more information on the Admin Reports API scopes, see OAuth 2.0
Scopes for Google APIs.
6. Authorize the domain-wide authority to your service account.
This ensures that your service account now has domain-wide access to the Google
Admin SDK Reports API for all of the users of your domain.
types of data with the Admin SDK API already set up or you are configuring the collection to
only include emails using only the Gmail API. The steps below explain both scenarios.
1. Select the Hamburger menu > APIs & Services > Library.
2. Search for the Gmail API, and select the API from the results list.
3. Enable the Gmail API.
4. Select APIs & Services > Credentials.
The instructions for setting up credentials differ depending on whether you are setting
up the Gmail API together with the Admin SDK API as you are collecting other data
types, or you are configuring collection for emails only with the Gmail API.
• When you’ve already set up the Admin SDK API, verify that the same Service Account
that you configured for the Admin SDK API is listed, and continue on to the next step.
• When you’re only collecting Google emails without the Admin SDK API, complete
these steps.
1. Select + CREATE CREDENTIALS > Service account.
2. Set the following Service account details in the applicable fields.
- Specify a service account name. This name is automatically used to populate the
following field as the service account ID, where the name is changed to lowercase
letters and all spaces are changed to hyphens.
- Specify the service account ID, where you can either leave the default
service account ID or add a new one. This service account ID is used to set
the service account email using the following format: <id>@<project
name>.iam.gserviceaccount.com.
- (Optional) Specify a service account description.
3. CREATE AND CONTINUE.
4. (Optional) Decide whether you want to Grant this service account access to
project or Grant users access to this service account.
5. Click Done.
6. Select your newly created Service Account from the list.
7. Create a service account private key and download the private key file as a JSON
file.
In the Keys tab, select ADD KEY > Create new key, leave the default Key type set
to JSON, and CREATE the private key. Once you’ve downloaded the new private
key pair to your machine, ensure that you store it in a secure location as it’s the
only copy of this key. You will need to browse to this JSON file when configuring
the Google Workplace data collector in Cortex XDR.
5. Delegate domain-wide authority to your service account with the Gmail API scopes.
1. Open the Google Admin Console.
2. Select Security > Access and data control > API controls.
3. Scroll down to the Domain wide delegation section, and select MANAGE DOMAIN
WIDE DELEGATION.
This step explains how the following Gmail API scopes are added.
• https://mail.google.com/
• https://www.googleapis.com/auth/gmail.addons.current.action.compose
• https://www.googleapis.com/auth/gmail.addons.current.message.action
• https://www.googleapis.com/auth/gmail.addons.current.message.metadata
• https://www.googleapis.com/auth/gmail.addons.current.message.readonly
• https://www.googleapis.com/auth/gmail.compose
• https://www.googleapis.com/auth/gmail.insert
• https://www.googleapis.com/auth/gmail.labels
• https://www.googleapis.com/auth/gmail.metadata
• https://www.googleapis.com/auth/gmail.modify
• https://www.googleapis.com/auth/gmail.readonly
• https://www.googleapis.com/auth/gmail.send
• https://www.googleapis.com/auth/gmail.settings.basic
• https://www.googleapis.com/auth/gmail.settings.sharing
For more information on the Gmail API scopes, see OAuth 2.0 Scopes for
Google APIs.
Note that this list goes well beyond read access: https://mail.google.com/ is full
mailbox access, and gmail.send, gmail.modify, gmail.insert and gmail.compose allow
mail to be sent or altered in any mailbox in the domain. Restrict who can read the
service account key file accordingly.
The instructions differ depending on whether you are setting up the Gmail API
together with the Admin SDK API because you are collecting other data types, or you are
configuring collection for emails only with the Gmail API.
• When you've already set up the Admin SDK API, Edit the same Service Account
that you configured for the Admin SDK API, and add the Gmail API scopes listed
above.
• When you're only collecting Google emails without the Admin SDK API, click Add
New, and set the following settings to define permissions for the Gmail API.
-Client ID—Specify the service account's Unique ID, which you can obtain from the
Service accounts page by clicking the email of the service account to view further
details.
-In the OAuth scopes (comma-delimited) field, paste in the first of the Gmail API
scopes listed above, and continue adding in the rest of the scopes.
-Authorize the domain-wide authority to your service account.
This ensures that your service account now has domain-wide access to the Google
Gmail API for all of the users of your domain.
STEP 5 | Prepare your service account to impersonate a user with access to the Admin SDK Reports
API when collecting any type of data from Google Workspace except Google emails.
Only users with access to the Admin APIs can access the Admin SDK Reports API. Therefore,
your service account needs to be set up to impersonate one of these users to access the Admin
SDK Reports API. This means that when collecting any type of data from Google Workspace
except Google emails, you need to designate a user whose Roles permissions are set to
access reports, where Security > Reports is selected. This user's email will be required when
configuring the Google Workspace data collector in Cortex XDR.
1. In the Google Admin Console, select Directory > Users.
2. From the list of users, select the user configured with the necessary permissions in
Admin roles and privileges to view reports, such as a Super Admin, that you want to set
up your service account to impersonate. Because the impersonated user only needs to
read reports, a dedicated account holding a custom admin role with just the Reports
privilege is preferable to a Super Admin.
3. Record the email of this user as you will need it in Cortex XDR.
STEP 6 | In Cortex XDR, select Settings > Configurations > Data Collection > Google Workspace.
STEP 7 | In the Google Workspace configuration, click Add Instance to begin a new configuration.
STEP 8 | Integrate the applicable Google Workspace service with Cortex XDR.
1. Specify a descriptive Name for your log collection integration.
2. Browse to the JSON file containing your service account key Credentials for the Google
Workspace Admin SDK API that you enabled. If you're only collecting Google emails,
ensure that you Browse to the JSON file containing your service account key Credentials
for the Gmail API that you enabled.
3. Select the types of data that you want to Collect from Google Workspace.
• Google Chrome—Chrome browser and Chrome OS events included in the Chrome
activity reports.
• Admin Console—Account information about different types of administrator activity
events included in the Admin console application's activity reports.
• Google Chat—Chat activity events included in the Chat activity reports.
• Enterprise Groups—Enterprise group activity events included in the Enterprise
Groups activity reports.
• Login—Account information about different types of login activity events included in
the Login application's activity reports.
• Rules—Rules activity events included in the Rules activity report.
• Google Drive—Google Drive activity events included in the Google Drive application's
activity reports.
• Token—Token activity events included in the Token application's activity reports.
• User Accounts—Account information about different types of User Accounts activity
events included in the User Accounts application's activity reports.
• SAML—SAML activity events included in the SAML activity report.
• Emails—Collects email data (not email reports). All message details except email
headers and email content (payload.body, payload.parts, and snippet).
For more information about the events collected from the various Google
Reports, see the Google Workspace Reports API Documentation.
For all options selected, except Emails, you must specify the Reports Admin Email. This
is the email account of the user with access to the Admin SDK Reports API that you
prepared your service account to impersonate.
When selecting Emails, configure the following.
• Audit Email Account—Specify the email address for the compliance mailbox that you
set up.
• Get Attachment Info from the ingested email, which includes file name, size, and hash
calculation.
4. Test the connection settings.
To test the connection, you must select one or more log types. Cortex XDR then tests
the connection settings for the selected log types.
5. If successful, Enable Google Workspace log collection.
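The mechanism behind Steps 3 to 8 is a JWT bearer assertion that Google exchanges for an access token: the scopes authorized under Domain wide delegation travel in the scope claim, and the Reports Admin Email that the service account impersonates travels in the sub claim. The following is an added example (not code from this guide or from Cortex XDR) that builds that claim set from a service account key file, encodes the unsigned header.payload, and flags which of the delegated scopes grant write access. The key file contents, the project name, the service account address and the reports admin address are constructed placeholders; the key file carries no real private key, because none is needed until the assertion is signed with RS256.

```python
"""Claim set for a Google domain-wide-delegation token request (RFC 7523 JWT bearer grant).

Added example, not taken from the Cortex XDR guide or from Cortex XDR itself.
Sign the string returned by unsigned_assertion() with RS256 and the key file's
private_key, append the signature as the third segment, and POST it to token_uri
as the assertion parameter of a urn:ietf:params:oauth:grant-type:jwt-bearer grant.
"""
import base64
import json
import time

ADMIN_REPORTS_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
)

# The Gmail scopes the guide asks you to delegate for email collection.
GMAIL_SCOPES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.addons.current.action.compose",
    "https://www.googleapis.com/auth/gmail.addons.current.message.action",
    "https://www.googleapis.com/auth/gmail.addons.current.message.metadata",
    "https://www.googleapis.com/auth/gmail.addons.current.message.readonly",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.labels",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
)

# Conservative allowlist: any scope not listed here is treated as granting write access.
READ_ONLY_SCOPES = frozenset(ADMIN_REPORTS_SCOPES) | frozenset({
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.addons.current.message.readonly",
    "https://www.googleapis.com/auth/gmail.addons.current.message.metadata",
})

# Constructed sample of a downloaded service-account key file (placeholder, no real key).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "xdr-collector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_key_file(raw):
    """Parse the key file and reject anything that is not a complete service-account key."""
    info = json.loads(raw)
    if info.get("type") != "service_account":
        raise ValueError("not a service account key file")
    for field in ("client_email", "client_id", "private_key_id", "private_key", "token_uri"):
        if not info.get(field):
            raise ValueError("key file is missing " + field)
    return info


def build_delegation_claims(info, subject, scopes, now=None):
    """Claims of the assertion Google exchanges for an access token.

    `subject` is the Workspace user to impersonate. Google honours it only if the
    service account's client_id was authorized for every scope in `scopes` under
    Domain wide delegation, which is what the Admin Console steps above do.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    if "@" not in subject:
        raise ValueError("subject must be the impersonated user's email address")
    iat = int(time.time() if now is None else now)
    return {
        "iss": info["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": info["token_uri"],
        "iat": iat,
        "exp": iat + 3600,  # Google rejects assertions valid for longer than one hour
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_part(part):
    """Inverse of _b64url for one JWT segment; returns the decoded JSON object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def unsigned_assertion(info, claims):
    """header.payload of the JWT; the RS256 signature over exactly this string is the third segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))


def write_scopes(scopes):
    """Scopes that grant more than read access; empty for Reports-only collection."""
    return [s for s in scopes if s not in READ_ONLY_SCOPES]
```

Running write_scopes(GMAIL_SCOPES) shows why the email-collection delegation deserves tighter handling of the key file than the Reports-only delegation: ten of the fourteen Gmail scopes, including https://mail.google.com/, are write scopes, whereas write_scopes(ADMIN_REPORTS_SCOPES) is empty.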
Cortex XDR can ingest the following logs and data from the Microsoft Office 365 Management
Activity API and the Microsoft Graph API using the Office 365 data collector.
• Microsoft Office 365 audit events from the Management Activity API, which provides information
about various user, administrator, system, and policy actions and events from Office 365, Azure
AD and MDO activity logs.
• Microsoft Office 365 emails via Microsoft's Graph API, which requires a compliance mailbox to
ingest email.
• All message details except the body, bodyPreview, and subject.
• Attachment details including file name, file type, file hash, size, and id.
Prerequisite Step—Before you can collect Microsoft Office 365 emails, you need to set up a
compliance email account, and then configure an Email Flow Rule. This rule Blind carbon
copies (Bcc) every message sent to, from, and within the organization to the defined
compliance mailbox. After the Office 365 data collector ingests the emails, they are deleted
from the compliance mailbox to prevent email from building up over time (nothing touches the
actual users' mailboxes).
• The Bcc field always returns an empty value from Microsoft's Graph API.
• Junk emails from the compliance email account are collected. All other junk emails
from the other monitored email accounts are not collected.
• Any draft emails written in the compliance email account are collected by the Office
365 data collector, and are then deleted even if the email was never sent.
• Azure AD authentication and audit events from the Microsoft Graph API.
To address Azure reporting latency, there is a 10-minute latency period for Cortex
XDR to receive Azure AD logs.
• Office 365 Alerts from the Microsoft Graph Security API.
• Alerts from the following providers are available via the Microsoft Graph Security API
—Microsoft Defender for Cloud, Azure Active Directory Identity Protection, Microsoft
Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Identity,
Microsoft 365, Azure Information Protection, and Azure Sentinel.
For more information, see the Office 365 Management Activity API schema.
To receive logs from Microsoft Office 365, you must first configure the Collection Integrations
settings in Cortex XDR. After you set up data collection, Cortex XDR begins receiving new logs
and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset for the different types
of logs and data that you are collecting, which you can use to initiate XQL Search queries. For
example queries, refer to the in-app XQL Library. When relevant, Cortex XDR normalizes Azure
AD authentication logs into authentication stories, and Azure AD audit logs are normalized to
cloud audit log stories. For Azure AD authentication and audit logs only, Cortex XDR can also
raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules only) when relevant from
Azure AD logs. For all other logs, Cortex XDR can raise Cortex XDR alerts for Correlation Rules
only, when relevant from Office 365 logs.
The following table lists the different datasets, vendors, and products automatically configured for
the different types of data you can collect using the Office 365 data collector.
Data type   Dataset                  Vendor   Product
General     msft_o365_general_raw    msft     O365 General
STEP 1 | From the Microsoft Azure Console, create an app for Cortex XDR with the applicable API
permissions for the logs and data you want to collect as detailed in the following table.
Data type   API permission
DLP         ActivityFeed.ReadDlp
General     ActivityFeed.Read
For more information on Microsoft Azure, see the following instructions in the Microsoft
documentation portal.
• Register an app.
• Add API permissions with type Application.
• Create an application secret.
Application-type permissions act without any signed-in user, so the application secret is
the only thing standing between the tenant's audit feed and whoever holds it: give it the
shortest expiry your rotation process can sustain and store it only in Cortex XDR.
STEP 2 | Select Settings > Configurations > Data Collection > Office 365.
STEP 3 | In the Office 365 configuration, click Add Instance to begin a new configuration.
STEP 4 | Integrate the applicable Microsoft Azure service with Cortex XDR.
1. Specify the Tenant Domain of your Microsoft Azure AD tenant.
2. Obtain the Application Client ID and Secret for your Azure AD service from the
Microsoft Azure Console and specify the values in Cortex XDR.
These values enable Cortex XDR to authenticate with your Azure AD service.
3. Select the types of logs that you want to receive from Office 365.
The following options are available.
Use this option when you don't want to grant permissions for Azure AD Authentication
and Azure AD Audit.
External Data Ingeson
To receive logs and data from Okta, you must configure the Collecon Integraons sengs in
Cortex XDR. Aer you set up data collecon, Cortex XDR immediately begins receiving new logs
and data from the source. The informaon from Okta is then searchable in XQL Search using the
okta_sso_raw dataset.
You can collect all types of events from Okta. When seng up the Okta data collector in Cortex
XDR, a field called Okta Filter is available to configure collecon for events of your choosing. All
events are collected by default unless you define an Okta API Filter expression for collecng the
data, such as filter=eventType eq “user.session.start”.\n. For Okta informaon
to be weaved into authencaon stories, “user.authentication.sso” events must be
collected.
Cortex® XDR Pro Administrator’s Guide Version 3.3 722 ©2022 Palo Alto Networks, Inc.
External Data Ingeson
STEP 3 | Select Sengs ( ) > Configuraons > Data Collecon > Collecon Integraons.
STEP 5 | Aer Cortex XDR begins receiving informaon from the service, you can Create an XQL
Query to search for specific data. When including authencaon events, you can also Create
an Authencaon Query to search for specific authencaon data.
Cortex® XDR Pro Administrator’s Guide Version 3.3 723 ©2022 Palo Alto Networks, Inc.
External Data Ingeson
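A filter that is too narrow silently removes Okta from authentication stories, and the Okta Filter field gives no warning. The following is an added example (not code from this guide, from Cortex XDR or from Okta) that evaluates a filter expression against sample events and checks whether user.authentication.sso events can still pass it. It supports only the part of Okta's filter grammar that the guide's example uses, clauses of the form attribute eq "value" (plus ne) joined by and/or and evaluated left to right, which is an assumption; Okta's full grammar is richer. The events are constructed.

```python
"""Apply an Okta System Log filter expression to sample events.

Added example, not part of the Cortex XDR guide or of Okta's code. Grammar
supported: <attribute> eq|ne "<value>" clauses joined by and/or, evaluated left
to right with no precedence or parentheses (an assumption about the subset
needed here). admits_sso() is the check the guide's warning calls for.
"""
import re

# Constructed sample events in the shape of Okta System Log entries.
SAMPLE_EVENTS = [
    {"uuid": "e1", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}},
    {"uuid": "e2", "eventType": "user.authentication.sso", "outcome": {"result": "SUCCESS"}},
    {"uuid": "e3", "eventType": "user.authentication.sso", "outcome": {"result": "FAILURE"}},
    {"uuid": "e4", "eventType": "user.account.lock", "outcome": {"result": "SUCCESS"}},
]

# A clause ("attr op "value"") or a connective (and/or); anything else is a syntax error.
_TOKEN = re.compile(r'([A-Za-z_][\w.]*)\s+(eq|ne)\s+"([^"]*)"|\b(and|or)\b')


def parse_filter(expr):
    """Return [(attr, op, value), "and", (attr, op, value), ...]; an empty list means no filter."""
    expr = expr.strip()
    if expr.startswith("filter="):
        expr = expr[len("filter="):]
    tokens = []
    pos = 0
    for m in _TOKEN.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError("unsupported filter syntax near: " + expr[pos:m.start()])
        tokens.append(m.group(4) if m.group(4) else (m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError("unsupported filter syntax near: " + expr[pos:])
    # Clauses sit at even positions, connectives at odd ones, and the list ends with a clause.
    if tokens and (len(tokens) % 2 == 0
                   or any(isinstance(t, str) != bool(i % 2) for i, t in enumerate(tokens))):
        raise ValueError("clauses must alternate with and/or")
    return tokens


def _lookup(event, path):
    """Dotted attribute lookup such as outcome.result; None when the path is absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(event, tokens):
    """Evaluate parsed tokens against one event, left to right."""
    result = None
    pending = None
    for tok in tokens:
        if isinstance(tok, str):
            pending = tok
            continue
        attr, op, value = tok
        actual = _lookup(event, attr)
        hit = actual is not None and str(actual) == value
        if op == "ne":
            hit = not hit
        if result is None:
            result = hit
        elif pending == "and":
            result = result and hit
        else:
            result = result or hit
    return True if result is None else result


def apply_filter(events, expr):
    """Events that Okta would return for the filter (all of them when expr is empty)."""
    tokens = parse_filter(expr)
    return [e for e in events if matches(e, tokens)]


def admits_sso(expr):
    """True if at least one representative user.authentication.sso event passes the filter.

    Probes with SUCCESS and FAILURE outcomes; a filter on other attributes is a
    heuristic match at best, so treat False as "review the filter".
    """
    tokens = parse_filter(expr)
    probes = [{"eventType": "user.authentication.sso", "outcome": {"result": r}}
              for r in ("SUCCESS", "FAILURE")]
    return any(matches(p, tokens) for p in probes)
```

Run admits_sso on the exact string you intend to paste into the Okta Filter field; the guide's example filter=eventType eq "user.session.start" returns False, meaning SSO events would be dropped and authentication stories would not include Okta.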
To receive authentication logs from PingFederate, you must first write Audit and Provisioner Audit
Logs to CEF in PingFederate and then set up a Syslog Collector in Cortex XDR to receive the logs.
After you set up log collection, Cortex XDR immediately begins receiving new authentication logs
from the source. Cortex XDR creates a dataset named ping_identity_pingfederate_raw.
Logs from PingFederate are searchable in XQL queries using the dataset and surfaced, when
relevant, in authentication stories.
STEP 1 | Activate the Syslog Collector.
STEP 3 | To search for specific authentication logs or data, you can Create an Authentication Query or
use the XQL Search.
To receive authentication logs and data from PingOne for Enterprise, you must first set up a
Poll subscription in PingOne and then configure the Collection Integrations settings in Cortex
XDR. After you set up collection integration, Cortex XDR immediately begins receiving new
authentication logs and data from the source. These logs and data are then searchable in Cortex
XDR.
STEP 2 | Select Settings > Configurations > Data Collection > Collection Integrations.
STEP 3 | Connect Cortex XDR to your PingOne for Enterprise authentication service.
1. Enter your PingOne ACCOUNT ID.
2. Enter your PingOne SUBSCRIPTION ID.
3. Enter your PingOne USER NAME.
4. Enter your PingOne PASSWORD.
Use a dedicated, least-privileged PingOne account for this integration rather than an
administrator's personal credentials.
5. Test the connection settings.
6. If successful, Enable PingOne authentication log collection.
After configuration is complete, Cortex XDR begins receiving information from the
authentication service. From the Integrations page, you can view the log collection summary.
STEP 4 | To search for specific authentication logs or data, you can Create an Authentication Query or
Create an XQL Query.
To receive alerts from Prisma Cloud, first configure the Collection Integrations settings in Cortex
XDR. After you set up collection integration, Cortex XDR begins to receive alerts from Prisma
Cloud every 30 seconds.
Cortex XDR then groups these alerts into incidents and adds them to the Alerts table. When
Cortex XDR begins receiving the alerts, it creates a new XQL dataset (prisma_cloud_raw),
which you can use to initiate XQL Search queries and create Correlation Rules. The in-app XQL
Library contains sample search queries.
You can also configure Cortex XDR to collect data directly from other cloud providers using an
applicable collector. For more information on the cloud collectors, see External Data Ingestion
Vendor Support. The Prisma Cloud alerts are stitched to this data.
Complete the following tasks before you begin configuring Cortex XDR to receive alerts from
Prisma Cloud.
• Create an Access Key and Secret Key as explained in the Create and Manage Access Keys
section of the Prisma Cloud Administrator's Guide.
• Copy or download the Access Key ID and Secret Key as you will need them when configuring
the Prisma Cloud Collector in Cortex XDR.
Configure Cortex XDR to receive alerts from Prisma Cloud.
STEP 1 | Select Settings > Configurations > Data Collection > Collection Integrations.
STEP 2 | In the Prisma Cloud Collector configuration, click Add Instance to begin a new configuration.
You can find your default Prisma Cloud domain in the Prisma Cloud API URL table.
• Specify the Prisma Cloud Access Key Id that you received when you created an Access Key.
• Specify the Prisma Cloud Secret Key that you received when you created an Access Key.
STEP 4 | Click Test to validate the connection, and then click Enable.
In Cortex XDR, once alerts start to come in, a green check mark appears underneath
the Prisma Cloud Collector configuration with the amount of data received.
STEP 6 | After Cortex XDR begins receiving data from Prisma Cloud, you can use XQL Search
to search for specific data, using the prisma_cloud_raw dataset, and view alerts in the
Cortex XDR Alerts table. In the Cortex XDR Alerts table, the Prisma Cloud alerts are
listed as Prisma Cloud in the ALERT SOURCE column.
To receive alerts from Prisma Cloud Compute, first configure the Collection Integrations settings
in Cortex XDR. In Prisma Cloud, you then must create a webhook, which provides the mechanism
to interface Prisma Cloud's alert system with Cortex XDR. After you set up your webhook, Cortex
XDR begins receiving alerts from Prisma Cloud Compute.
Cortex XDR then groups these alerts into incidents and adds them to the Alerts
table. When Cortex XDR begins receiving the alerts, it creates a new XQL dataset
(prisma_cloud_compute_raw), which you can use to initiate XQL Search queries and to create
Correlation Rules. The in-app XQL Library contains sample search queries.
Configure Cortex XDR to receive alerts from Prisma Cloud Compute.
STEP 1 | Select Settings > Configurations > Data Collection > Collection Integrations.
STEP 2 | In the Prisma Cloud Compute Collector configuration, click Add Instance to begin a new
alerts integration.
STEP 3 | Specify the Name for the Prisma Cloud Compute Collector displayed in Cortex XDR.
STEP 4 | Save & Generate Token. The token is displayed in a blue box.
Click the Copy icon next to the Username and Password, and record them in a safe place,
as you will need to provide them when you configure the Prisma Cloud Compute webhook
for alerts integration. If you forget to record them and close the window, you will need to
generate a new token and repeat this process. When you are finished, click Done to close the
window.
STEP 6 | Create a webhook as explained in the Webhook Alerts section of the Prisma Cloud
Administrator's Guide (Compute).
1. Use the Webhook option to configure the webhook.
2. In Incoming Webhook URL, paste the API URL that you copied and recorded from Copy
api url.
3. In Credential Options, select Basic Authentication, and use the Username and Password
that you saved when you generated the token in Cortex XDR.
4. Select Container Runtime.
5. Click Save.
In Cortex XDR, once alerts start to come in, a green check mark appears underneath the
Prisma Cloud Compute Collector configuration with the amount of data received.
STEP 8 | After Cortex XDR begins receiving data from Prisma Cloud Compute, you can use XQL
Search to search for specific data using the prisma_cloud_compute_raw dataset and
view alerts in the Cortex XDR Alerts table. In the Cortex XDR Alerts table, the Prisma Cloud
Compute alerts are listed as Prisma Cloud Compute in the ALERT SOURCE column and are
classified as Medium in the SEVERITY column.
You can forward generic logs for the relevant service to Cortex XDR from Amazon S3.
To receive generic data from Amazon Simple Storage Service (Amazon S3), you must first configure
data collection from Amazon S3. You can then configure the Collection Integrations settings in
Cortex XDR for Amazon S3. After you set up collection integration, Cortex XDR begins receiving
new logs and data from the source.
For more information on configuring data collection from Amazon S3, see the Amazon S3
Documentation.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon S3 XQL
dataset (<Vendor>_<Product>_raw). This enables you to search the logs using XQL Search
with the dataset. For example queries, refer to the in-app XQL Library. Cortex XDR can also raise
Cortex XDR alerts (Correlation Rules only) when relevant from Amazon S3 logs.
You need to set up an Amazon S3 data collector to receive generic logs when collecting
logs from BeyondTrust Privilege Management Cloud. For more information, see Ingest
Logs from BeyondTrust Privilege Management Cloud.
Be sure you do the following tasks before you begin configuring data collection from Amazon S3.
• Create a dedicated Amazon S3 bucket, which collects the generic logs that you want captured.
For more information, see Creating a bucket using the Amazon S3 Console.
the default option as explained in configure the Amazon S3 collection in Cortex XDR by
selecting Access Key.
• Create an assumed role in AWS to delegate permissions to a Cortex XDR AWS service. This
role grants Cortex XDR access to your logs. For more information, see Creating a role
to delegate permissions to an AWS service. This is the Assumed Role option as described in
configure the Amazon S3 collection in Cortex XDR. For more information on creating an
assumed role for Cortex XDR, see Create an Assumed Role for Cortex XDR.
Configure Cortex XDR to receive generic logs from Amazon S3.
STEP 1 | Log in to the AWS Management Console.
STEP 2 | From the menu bar, ensure that you have selected the correct region for your configuration.
Ensure that you create your Amazon S3 bucket and Amazon SQS queue in the same
region.
messages to your SQS queue. Use this sample code as a guide for defining the
"Statement" with the following definitions.
-"Resource"—Leave the automatically generated ARN for the SQS queue that is
set in the code, which uses the format "arn:aws:sqs:Region:account-id:queue-name".
-"aws:SourceArn"—Specify the ARN of your Amazon S3 bucket.
You can retrieve your bucket's ARN by opening the Amazon S3 Console in a browser
window. In the Buckets section, select the bucket that you created for collecting the
logs, click Copy ARN, and paste the ARN in the field.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "[Leave automatically generated ARN for the SQS queue defined by AWS]",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "[ARN of your Amazon S3 bucket]"
        }
      }
    }
  ]
}
Keep the "Condition" block. The s3.amazonaws.com service principal is shared by every
bucket in every AWS account, so without the "aws:SourceArn" condition any bucket whose
owner points an event notification at your queue could push messages into it.
• Dead-letter queue section—We recommend that you configure a queue for sending
undeliverable messages by selecting Enabled, and then in the Choose queue field
selecting the queue to send the messages to. You may need to create a new queue for
this, if you do not already have one set up. For more information, see Amazon SQS
dead-letter queues.
3. Click Create queue.
Once the SQS queue is created, a message indicating that the queue was successfully
configured is displayed at the top of the page.
STEP 4 | Configure an event notification to your Amazon SQS queue whenever a file is written to your
Amazon S3 bucket.
1. Open the Amazon S3 Console and in the Properties tab of your Amazon S3 bucket, scroll
down to the Event notifications section, and click Create event notification.
2. Configure the following settings:
• Event name—Specify a descriptive name for your event notification containing up to
255 characters.
• Prefix—Do not set a prefix, as the Amazon S3 bucket is meant to be a dedicated
bucket for collecting only the logs you want ingested.
• Event types—Select All object create events for the type of event notifications that
you want to receive.
• Destination—Select SQS queue to send notifications to an SQS queue to be read by a
server.
• Specify SQS queue—You can either select Choose from your SQS queues and then
select the SQS queue, or select Enter SQS queue ARN and specify the ARN in the
SQS queue field.
You can retrieve your SQS queue ARN by opening another instance of the AWS
Management Console in a browser window, opening the Amazon SQS Console,
and selecting the Amazon SQS queue that you created. In the Details section, under ARN,
click the copy icon, and paste the ARN in the field.
If you receive an error when trying to save your changes, ensure that the permissions
are set up correctly: before S3 saves the notification it verifies that the queue's access
policy allows s3.amazonaws.com to send messages on behalf of this bucket.
1. Open the AWS IAM Console, and in the navigation pane, select Access management >
Users.
2. Select the User name of the AWS IAM user.
3. Select the Security credentials tab, scroll down to the Access keys section, and click
Create access key.
4. Click the copy icon next to the Access key ID and Secret access key, where you
must click Show secret access key to see the secret key, and record them somewhere
safe before closing the window. You will need the user's ARN when you edit the
Access policy of the SQS queue, and these keys when setting the AWS Client ID and AWS
Client Secret in Cortex XDR. If you forget to record the keys and close the window, you will
need to generate new keys and repeat this process.
These are long-lived static credentials: restrict the IAM user to this queue and bucket,
rotate the keys on a schedule, and prefer the Assumed Role option (a role ARN plus an
External Id instead of a stored secret) where your environment allows it.
For more information, see Managing access keys for IAM users.
Skip this step if you are using an Assumed Role for Cortex XDR.
1. In the Amazon SQS Console, select the SQS queue that you created in Configure an
Amazon Simple Queue Service (SQS).
2. Select the Access policy tab, and Edit the Access policy code in the editor
window to enable the IAM user to perform operations on the Amazon SQS queue with
permissions to SQS:ChangeMessageVisibility, SQS:DeleteMessage, and
SQS:ReceiveMessage. Use this sample code as a guide for defining the "Sid":
"__receiver_statement" with the following definitions.
• "Principal"—In its "AWS" field, specify the ARN of the AWS IAM user. You can retrieve the
User ARN from the Security credentials tab, which you accessed when configuring
access keys for the AWS API user. The "aws:SourceArn" condition in the first statement
keeps pointing at your Amazon S3 bucket.
• "Resource"—Leave the automatically generated ARN for the SQS queue that is
set in the code, which uses the format "arn:aws:sqs:Region:account-id:queue-name".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "[Leave automatically generated ARN for the SQS queue defined by AWS]",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "[ARN of your Amazon S3 bucket]"
        }
      }
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "[Add the ARN for the AWS IAM user]"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "[Leave automatically generated ARN for the SQS queue defined by AWS]"
    }
  ]
}
The receiver statement names one IAM user and the three actions the collector needs
and nothing more; a "Principal" of "*" or an "Action" of "SQS:*" would let anyone read and
delete your logs while they are in transit.
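The two statements above are easy to get subtly wrong by hand (a dropped Condition, a wildcard principal pasted from another queue). The following is an added example (not code from this guide or from Cortex XDR) that generates the queue access policy from the three ARNs, checks that a queue ARN has the arn:aws:sqs:Region:account-id:queue-name shape, and audits an existing policy for the mistakes that turn the queue into a public drop box. All ARNs in the test and comments are constructed placeholders; pass the real ones from your account, and apply the result with the console editor or aws sqs set-queue-attributes.

```python
"""Generate and audit the SQS access policy that feeds the Cortex XDR Amazon S3 collector.

Added example, not part of the Cortex XDR guide or of Cortex XDR. It emits the
two statements the guide describes (S3 may SendMessage, but only on behalf of the
dedicated bucket; one IAM principal may receive, delete and change visibility)
and audits a policy for wildcard principals, wildcard actions, foreign resources
and an unpinned S3 sender.
"""
import json
import re

READER_ACTIONS = ("SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage")
# arn:aws:sqs:<region>:<12-digit account id>:<queue name>; partitions such as aws-us-gov allowed.
_SQS_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,80}$")


def is_sqs_arn(arn):
    return bool(_SQS_ARN.match(arn))


def build_queue_policy(queue_arn, bucket_arn, reader_arn):
    """Policy with the sender and receiver statements from the guide."""
    if not is_sqs_arn(queue_arn):
        raise ValueError("not an SQS queue ARN: " + queue_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "__sender_statement",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "SQS:SendMessage",
                "Resource": queue_arn,
                # s3.amazonaws.com is shared by every bucket in every account;
                # the condition pins the sender to your bucket.
                "Condition": {"ArnLike": {"aws:SourceArn": bucket_arn}},
            },
            {
                "Sid": "__receiver_statement",
                "Effect": "Allow",
                "Principal": {"AWS": reader_arn},
                "Action": list(READER_ACTIONS),
                "Resource": queue_arn,
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_queue_policy(policy, queue_arn):
    """Return findings for a queue policy; an empty list means it matches the guide's shape."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        actions = [a.lower() for a in _as_list(st.get("Action"))]  # IAM action names are case-insensitive
        resources = _as_list(st.get("Resource"))
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(sid + ": principal is a wildcard (anonymous access)")
        if any(a in ("*", "sqs:*") for a in actions):
            findings.append(sid + ": action is a wildcard")
        if not resources:
            findings.append(sid + ": no Resource")
        if any(r != queue_arn for r in resources):
            findings.append(sid + ": resource is not this queue")
        if principal == {"Service": "s3.amazonaws.com"}:
            conds = st.get("Condition") or {}
            pinned = any(k in v for v in conds.values() for k in ("aws:SourceArn", "aws:SourceAccount"))
            if not pinned:
                findings.append(sid + ": any S3 bucket may send to this queue (no aws:SourceArn condition)")
            if set(actions) != {"sqs:sendmessage"}:
                findings.append(sid + ": S3 needs only SQS:SendMessage")
        elif isinstance(principal, dict) and "AWS" in principal:
            extra = sorted(set(actions) - {a.lower() for a in READER_ACTIONS})
            if extra:
                findings.append(sid + ": reader has actions beyond the collector's needs: " + ", ".join(extra))
    return findings


def policy_json(policy):
    """Compact JSON for the console editor or the Policy attribute of aws sqs set-queue-attributes."""
    return json.dumps(policy, separators=(",", ":"))
```

Run audit_queue_policy against the policy you already have before editing it; the guide's own text slips into "arn:sns:..." for the queue ARN, and is_sqs_arn rejects that form.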
for Cortex XDR, ensure that you edit the policy that defines the permissions for the
Cortex XDR role with the Amazon S3 Bucket ARN and SQS ARN.
• SQS URL—Specify the SQS URL, which is the ARN of the Amazon SQS that you
configured in the AWS Management Console. For more informaon on how to
retrieve your Amazon SQS ARN, see Specify SQS queue.
• Name—Specify a descripve name for your log collecon configuraon.
• When seng an Access Key, set these parameters.
• AWS Client ID—Specify the Access key ID, which you received when you
configured access keys for the AWS IAM user in AWS.
• AWS Client Secret—Specify the Secret access key you received when you
configured access keys for the AWS IAM user in AWS.
• When seng an Assumed Role, set these parameters.
• Role ARN—Specify the Role ARN for the Assumed Role you created for Cortex
XDR in AWS.
• External Id—Specify the External Id for the Assumed Role you created for Cortex
XDR in AWS.
• Log Type—Select Generic to configure your log collecon to receive generic logs
from Amazon S3, which can include different types of data, such as file and metadata.
When selecng this opon, the following addional fields are displayed.
• Log Format—Select the log format type as Raw, JSON, CEF, LEEF, Cisco, Corelight,
or Beyondtrust Cloud ECS.
-The Vendor and Product defaults to Auto-Detect when the Log Format is
set to CEF or LEEF.
-For a Log Format set to CEF or LEEF, Cortex XDR reads events row by
row to look for the Vendor and Product configured in the logs. When
the values are populated in the event log row, Cortex XDR uses these
values even if you specified a value in the Vendor and Product fields in
the Amazon S3 data collector sengs. Yet, when the values are blank
in the event log row, Cortex XDR uses the Vendor and Product that you
specified in these fields in the Amazon S3 data collector sengs. If you did
not specify a Vendor or Product in the Amazon S3 data collector settings,
and the values are blank in the event log row, the values for both fields are
set to unknown.
For a Log Format set to Beyondtrust Cloud ECS, the following fields are
automatically set and not configurable.
-Vendor—Beyondtrust
-Product—Privilege Management
-Compression—Uncompressed
For more information, see Ingest Logs from BeyondTrust Privilege Management
Cloud.
External Data Ingestion
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
-Vendor—Cisco
-Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
-Vendor—Corelight
-Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
-Vendor—AMAZON
-Product—AWS
Cortex XDR supports logs in single-line or multiline format. For the JSON
format, multiline logs are collected automatically when the Log Format is
configured as JSON. For the Raw format, you must also define the
Multiline Parsing Regex as explained below.
• Vendor—(Optional) Specify a particular vendor name for the Amazon
S3 generic data collection, which is used in the Amazon S3 XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Product—(Optional) Specify a particular product name for the Amazon S3
generic data collection, which is used in the Amazon S3 XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Compression—Select whether the logs are compressed into a gzip file or are
uncompressed.
• Multiline Parsing Regex—(Optional) This option is only displayed when the Log
Format is set to Raw. Set the regular expression that identifies where a new event
starts in a multiline log. Cortex XDR assumes that when a new event begins, the
previous one has ended, so every line up to the next match belongs to the current
event.
4. Click Test to validate access, and then click Enable.
Once events start to come in, a green check mark appears underneath the Amazon S3
configuration with the number of logs received.
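The Multiline Parsing Regex only tells Cortex XDR where an event starts; everything up to the next match is treated as part of the current event, and the same rule applies to the Raw format on the GCP collector described later in this chapter. The Python helper below is an added example, not code from this guide or from the product: it reproduces that grouping rule over a constructed Raw-format sample so that a candidate regex can be tested before the collector is saved. The sample log lines and the leading-timestamp pattern are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a Raw-format log (not real product output): each
# event begins with an ISO-8601 timestamp; stack-trace and detail lines
# that follow are indented continuations of the same event.
SAMPLE_RAW = """\
2022-05-27T10:15:01Z ERROR app[1234]: request failed
    Traceback (most recent call last):
      File "handler.py", line 42, in handle
    ValueError: bad token
2022-05-27T10:15:02Z INFO app[1234]: request ok
2022-05-27T10:15:03Z WARN app[1234]: slow query
    took 2300 ms
"""

# Candidate value for the Multiline Parsing Regex field: anchored to the
# start of the line and matching only a leading timestamp.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")
# Two deliberately wrong candidates used to show what the check reports.
TOO_LOOSE = re.compile(r".")        # matches every line: nothing is merged
NEVER_MATCHES = re.compile(r"^NEVER")  # matches no line: one giant event


def split_multiline_events(text: str, start_regex: re.Pattern) -> List[str]:
    """Group raw lines into events the way the collector rule implies:
    a line matching start_regex opens a new event and closes the previous
    one; every non-matching line is appended to the event in progress.
    Lines before the first match are kept as an event of their own rather
    than dropped, so a regex that misses the first line is visible."""
    events: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if start_regex.search(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        else:
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def check_start_regex(text: str, start_regex: re.Pattern) -> Dict[str, int]:
    """Sanity check on a candidate regex: count lines that would start an
    event versus lines that would be treated as continuations. A regex that
    matches every line (too loose) merges nothing; one that matches no line
    (too strict) collapses the whole file into a single event."""
    lines = text.splitlines()
    starts = sum(1 for line in lines if start_regex.search(line))
    return {"lines": len(lines), "event_starts": starts,
            "continuations": len(lines) - starts}


if __name__ == "__main__":
    for event in split_multiline_events(SAMPLE_RAW, EVENT_START):
        print(repr(event))
    print(check_start_regex(SAMPLE_RAW, EVENT_START))
    print(check_start_regex(SAMPLE_RAW, TOO_LOOSE))
    print(check_start_regex(SAMPLE_RAW, NEVER_MATCHES))
```

Run the check with the real first few kilobytes of the log you intend to collect; if `event_starts` equals the line count or is zero, the regex needs to be tightened or loosened before it goes into the collector.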
You can forward generic logs for the relevant service to Cortex XDR from AWS CloudTrail or
Amazon CloudWatch.
You can ingest generic logs of the raw data from Amazon Kinesis Data Firehose. To enable log
forwarding, you set up a Kinesis Data Firehose delivery stream and then add it to your AWS CloudTrail
or Amazon CloudWatch configuration. After you complete the setup process, logs from the
respective service are searchable in Cortex XDR to provide additional information and
context to your investigations.
To set up the AWS integration, you need certain permissions in AWS: a role that allows you to
configure Amazon Kinesis Data Firehose.
STEP 1 | Set up the AWS integration in Cortex XDR.
1. Select Settings ( ) > Configurations > Data Collection > Collection Integrations.
2. In the AWS configuration, click Add Instance to begin a new configuration.
3. Specify a descriptive Name for your log collection configuration.
4. Specify the Vendor and Product for the type of logs you are ingesting.
The vendor and product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). If you do not define a vendor or product, Cortex
XDR uses the default values of Amazon and AWS, with the resulting dataset name
amazon_aws_raw. To uniquely identify the log source, consider changing the values.
5. Choose the format of the data input source (CloudTrail or CloudWatch) that you will
export to Cortex XDR, either JSON or Text.
6. Save & Generate Token.
Click the copy icon next to the key and record it somewhere safe. You will need to
provide this key as the access key when you set up the HTTP endpoint destination in Kinesis
Data Firehose. If you close the window without recording the key, you must generate a new
key and repeat this process.
7. Select Done to close the window.
STEP 2 | Create a Kinesis Data Firehose delivery stream to your chosen destination.
1. Log in to the AWS Management Console, and open the Kinesis console.
2. Select Data Firehose > Create delivery stream.
> Custom Collectors > Copy API URL. The URL will include your tenant name
(https://api-<tenant external URL>/logs/v1/aws).
• Access key—Paste in the token key you recorded earlier during the configuration of
your Cortex XDR log collection settings.
• Content encoding—Select GZIP. Disabling content encoding may result in high egress
costs.
• Retry duration—Enter 300 seconds.
• S3 bucket—Set the S3 backup mode to Failed data only. For the S3 bucket, we
recommend that you create a dedicated bucket for the Cortex XDR integration.
Click Next to proceed to the settings configuration.
6. Configure additional settings.
• HTTP endpoint buffer conditions—Set the Buffer size to 1 MiB and the Buffer interval
to 60 seconds.
• S3 buffer conditions—Use the default settings of 5 MiB Buffer size and 300 seconds
Buffer interval unless you have alternative sizing preferences.
• S3 compression and encryption—Choose your desired compression and encryption
settings.
• Error logging—Select Enabled.
• Permissions—Choose the Create or update IAM role option.
Select Next.
7. Review your configuration and Create delivery stream.
When your delivery stream is ready, the status changes from Creating to Active.
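Once the stream is Active it is worth confirming that what AWS actually created matches the values above, because the console defaults (no content encoding, 5 MiB / 300 s buffering, no S3 backup, no error logging) differ from them. The Python check below is an added example, not part of this guide or of AWS tooling: it takes the HttpEndpointDestinationDescription dictionary that `aws firehose describe-delivery-stream` returns for an HTTP endpoint destination and lists every deviation from the recommended settings. The two sample descriptions are constructed, and the placeholder tenant URL and bucket ARN are assumptions.

```python
from typing import Any, Dict, List

# Values recommended in Step 2 above for the Cortex XDR HTTP endpoint.
RECOMMENDED = {
    "url_suffix": "/logs/v1/aws",
    "content_encoding": "GZIP",        # avoids high egress costs
    "buffer_mib": 1,
    "buffer_seconds": 60,
    "retry_seconds": 300,
    "s3_backup_mode": "FailedDataOnly",
}


def audit_http_destination(dest: Dict[str, Any]) -> List[str]:
    """Return findings for one HttpEndpointDestinationDescription (the shape
    under Destinations[] in describe-delivery-stream output). An empty list
    means the destination matches the guide. The access key is never
    returned by the API, so it cannot be verified here."""
    findings: List[str] = []

    url = dest.get("EndpointConfiguration", {}).get("Url", "")
    if not (url.startswith("https://") and url.endswith(RECOMMENDED["url_suffix"])):
        findings.append(f"endpoint URL {url!r} is not an HTTPS .../logs/v1/aws URL")

    encoding = dest.get("RequestConfiguration", {}).get("ContentEncoding", "NONE")
    if encoding != RECOMMENDED["content_encoding"]:
        findings.append(f"content encoding is {encoding}; GZIP is recommended to limit egress costs")

    hints = dest.get("BufferingHints", {})
    if (hints.get("SizeInMBs"), hints.get("IntervalInSeconds")) != (
            RECOMMENDED["buffer_mib"], RECOMMENDED["buffer_seconds"]):
        findings.append(f"HTTP buffer is {hints.get('SizeInMBs')} MiB / "
                        f"{hints.get('IntervalInSeconds')} s; recommended 1 MiB / 60 s")

    retry = dest.get("RetryOptions", {}).get("DurationInSeconds")
    if retry != RECOMMENDED["retry_seconds"]:
        findings.append(f"retry duration is {retry} s; recommended 300 s")

    mode = dest.get("S3BackupMode")
    if mode != RECOMMENDED["s3_backup_mode"]:
        findings.append(f"S3 backup mode is {mode}; FailedDataOnly keeps a copy only of undelivered records")

    if not dest.get("CloudWatchLoggingOptions", {}).get("Enabled", False):
        findings.append("error logging to CloudWatch is disabled")

    return findings


# Constructed sample descriptions (placeholder tenant URL and bucket ARN).
COMPLIANT = {
    "EndpointConfiguration": {"Url": "https://api-TENANT/logs/v1/aws", "Name": "Cortex XDR"},
    "RequestConfiguration": {"ContentEncoding": "GZIP", "CommonAttributes": []},
    "BufferingHints": {"SizeInMBs": 1, "IntervalInSeconds": 60},
    "RetryOptions": {"DurationInSeconds": 300},
    "S3BackupMode": "FailedDataOnly",
    "S3DestinationDescription": {"BucketARN": "arn:aws:s3:::example-cortex-xdr-backup",
                                 "BufferingHints": {"SizeInMBs": 5, "IntervalInSeconds": 300}},
    "CloudWatchLoggingOptions": {"Enabled": True, "LogGroupName": "/aws/kinesisfirehose/cortex-xdr",
                                 "LogStreamName": "DestinationDelivery"},
}

# Console defaults left in place: no encoding, every record mirrored to S3,
# no error logging. Buffering and retry were set as recommended.
DEFAULTS_LEFT = dict(COMPLIANT, RequestConfiguration={"ContentEncoding": "NONE"},
                     S3BackupMode="AllData", CloudWatchLoggingOptions={"Enabled": False})


if __name__ == "__main__":
    for name, dest in (("compliant", COMPLIANT), ("defaults-left", DEFAULTS_LEFT)):
        print(name, audit_http_destination(dest) or ["OK"])
```

To audit a live stream, load the JSON from `aws firehose describe-delivery-stream --delivery-stream-name <name>` and pass `DeliveryStreamDescription.Destinations[0].HttpEndpointDestinationDescription` to `audit_http_destination`.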
STEP 3 | To begin forwarding logs, add the Kinesis Data Firehose delivery stream to your AWS CloudTrail or
Amazon CloudWatch configuration.
To do this, add a subscription filter for Amazon Kinesis Data Firehose.
STEP 5 | After Cortex XDR begins receiving logs from your Amazon services, you can use XQL
Search to search for logs in the new dataset.
If you use the Pub/Sub messaging service from Google Cloud Platform (GCP), you can send logs
and data from your GCP instance to Cortex XDR. Data from GCP is then searchable in Cortex
XDR to provide additional information and context to your investigations using the GCP XQL
dataset (google_cloud_logging_raw). For example queries, refer to the in-app XQL Library.
You can configure a Google Cloud Platform collector to receive generic, flow, or audit logs. When
configuring generic logs, you can receive logs in a Raw, JSON, CEF, LEEF, Cisco, or Corelight
format.
You can also configure Cortex XDR to normalize GCP audit logs, which you can query with XQL
Search using the cloud_audit_logs dataset. In addition, you can configure Cortex XDR to
ingest network flow logs as XDR network connection stories, which you can query with XQL
Search using the xdr_data dataset with the preset called network_story. Cortex XDR can
also raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rule only) when relevant from
GCP logs. Analytics alerts are only raised on normalized logs.
When collecting flow logs, we recommend that you include GKE annotations in your logs,
which enable you to view the names of the containers that communicated with each
other. GKE annotations are only included in logs if appended manually using the custom
metadata configuration in GCP. For more information, see VPC Flow Logs Overview. In
addition, to customize metadata fields, you must use the gcloud command-line interface or
the API. For more information, see Using VPC Flow Logs.
To receive logs and data from GCP, you must first set up log forwarding using a Pub/Sub topic
in GCP. You can configure GCP settings using either the GCP web interface or a GCP Cloud Shell
terminal. After you set up your service account in GCP, you configure the Data Collection settings
in Cortex XDR. The setup process requires the subscription name and authentication key from
your GCP instance.
After you set up log collection, Cortex XDR immediately begins receiving new logs and data from
GCP.
• Set up Log Forwarding Using the GCP Web Interface.
• Set up Log Forwarding Using the GCP Cloud Shell Terminal.
can configure Cortex XDR to normalize GCP audit logs, which you can query with
XQL Search using the cloud_audit_logs dataset.
• Generic—When selecting this log type, you can configure the following settings.
• Log Format—Select the log format type as Raw, JSON, CEF, LEEF, Cisco, or
Corelight.
-The Vendor and Product default to Auto-Detect when the Log Format is
set to CEF or LEEF.
-For a Log Format set to CEF or LEEF, Cortex XDR reads events row by
row to look for the Vendor and Product configured in the logs. When the
values are populated in the event log row, Cortex XDR uses these values
even if you specified a value in the Vendor and Product fields in the GCP
data collector settings. When the values are blank in the event log row,
Cortex XDR uses the Vendor and Product that you specified in the GCP
data collector settings. If you did not specify a Vendor or Product in the
GCP data collector settings, and the values are blank in the event log row,
the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
-Vendor—Cisco
-Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
-Vendor—Corelight
-Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
-Vendor—Google
-Product—Cloud Logging
Cortex XDR supports logs in single-line or multiline format. For the JSON
format, multiline logs are collected automatically when the Log Format is
configured as JSON. For the Raw format, you must also define the
Multiline Parsing Regex as explained below.
• Vendor—(Optional) Specify a particular vendor name for the GCP generic data
collection, which is used in the GCP XQL dataset <Vendor>_<Product>_raw
that Cortex XDR creates as soon as it begins receiving logs.
• Product—(Optional) Specify a particular product name for the GCP
generic data collection, which is used in the GCP XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Multiline Parsing Regex—(Optional) This option is only displayed when the Log
Format is set to Raw. Set the regular expression that identifies where a new event
starts in a multiline log. It is assumed that when a new event begins, the previous
one has ended.
6. Test the provided settings and, if successful, proceed to Enable log collection.
STEP 6 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL query language to search for specific data.
Note the subscription name you define in this step as you will need it to set up log ingestion
in Cortex XDR.
If setup is successful, the console displays a summary of your log sink settings:
Created [https://logging.googleapis.com/v2/projects/PROJECT_ID/sinks/SINK_NAME].
Please remember to grant `serviceAccount:LOGS_SINK_SERVICE_ACCOUNT` the Pub/Sub Publisher
role on the topic. More information about sinks can be found at /logging/docs/export/configure_export
STEP 6 | Grant the log sink service account permission to publish to the new topic.
Note the serviceAccount name from the previous step and use it to define the service account
to which you want to grant publish access.
can configure Cortex XDR to normalize GCP audit logs, which you can query with
XQL Search using the cloud_audit_logs dataset.
• Generic—When selecting this log type, you can configure the following settings.
• Log Format—Select the log format type as Raw, JSON, CEF, LEEF, Cisco, or
Corelight.
-The Vendor and Product default to Auto-Detect when the Log Format is
set to CEF or LEEF.
-For a Log Format set to CEF or LEEF, Cortex XDR reads events row by
row to look for the Vendor and Product configured in the logs. When the
values are populated in the event log row, Cortex XDR uses these values
even if you specified a value in the Vendor and Product fields in the GCP
data collector settings. When the values are blank in the event log row,
Cortex XDR uses the Vendor and Product that you specified in the GCP
data collector settings. If you did not specify a Vendor or Product in the
GCP data collector settings, and the values are blank in the event log row,
the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
-Vendor—Cisco
-Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
-Vendor—Corelight
-Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
-Vendor—Google
-Product—Cloud Logging
Cortex XDR supports logs in single-line or multiline format. For the JSON
format, multiline logs are collected automatically when the Log Format is
configured as JSON. For the Raw format, you must also define the
Multiline Parsing Regex as explained below.
• Vendor—(Optional) Specify a particular vendor name for the GCP generic data
collection, which is used in the GCP XQL dataset <Vendor>_<Product>_raw
that Cortex XDR creates as soon as it begins receiving logs.
• Product—(Optional) Specify a particular product name for the GCP
generic data collection, which is used in the GCP XQL dataset name
<Vendor>_<Product>_raw that Cortex XDR creates as soon as it begins
receiving logs.
• Multiline Parsing Regex—(Optional) This option is only displayed when the Log
Format is set to Raw. Set the regular expression that identifies where a new event
starts in a multiline log. It is assumed that when a new event begins, the previous
one has ended.
6. Test the provided settings and, if successful, proceed to Enable log collection.
STEP 11 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL query language to search for specific data.
Instead of forwarding Google Kubernetes Engine (GKE) logs directly to Google Stackdriver, Cortex
XDR can ingest container logs from GKE using Elasticsearch* Filebeat. To receive logs, you must
install Filebeat on your containers and enable the Data Collection settings for Filebeat.
After Cortex XDR begins receiving logs, the app automatically creates an XQL dataset using the
vendor and product name that you specify during Filebeat setup. It is recommended to specify
a descriptive name. For example, if you specify google as the vendor and kubernetes as the
product, the dataset name will be google_kubernetes_raw. If you leave the product and
vendor blank, Cortex XDR assigns the dataset the name container_container_raw.
After Cortex XDR creates the dataset, you can search your GKE logs using XQL Search.
STEP 1 | Install Filebeat on your containers.
For more information, see https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html.
curl -L -O https://raw.githubusercontent.com/elastic/beats/7.10/deploy/kubernetes/filebeat-kubernetes.yaml
Collection > Custom Collectors > Copy API URL. The URL will include your tenant
name (https://api-<tenant external URL>:443/logs/v1/filebeat).
• ELASTICSEARCH_API_KEY—Specify the token key you recorded earlier during the
configuration of your Filebeat Collector instance.
After you configure these settings, your configuration should look like the following
image.
STEP 4 | If you use Red Hat OpenShift, you must also specify additional settings.
See https://www.elastic.co/guide/en/beats/filebeat/7.10/running-on-kubernetes.html.
This will deploy Filebeat in the kube-system namespace. If you want to deploy the Filebeat
configuration in another namespace, change the namespace values in the YAML file (in every
YAML document inside this file) and add -n <your_namespace> to the kubectl command.
After you deploy your configuration, the Filebeat DaemonSet runs on each of your nodes and
forwards container logs to Cortex XDR. You can review the configuration from the
Kubernetes Engine console: Workloads > Filebeat > YAML.
Cortex XDR supports logs in single-line or multiline format. For more
information on handling messages that span multiple lines of text in Elasticsearch
Filebeat, see Manage Multiline Messages.
STEP 6 | After Cortex XDR begins receiving logs from GKE, you can use XQL Search to search for
logs in the new dataset.
*Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
To receive logs from Azure Event Hub, you must configure the Collection Integrations settings
in Cortex XDR based on your Microsoft Azure Event Hub configuration. After you set up data
collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that
you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library.
You can also configure Cortex XDR to normalize Azure Event Hub audit logs with other Cortex
XDR authentication stories across all cloud providers using the same format, which you can query
with XQL Search using the cloud_audit_logs or xdr_data datasets. For logs that you do not
configure Cortex XDR to normalize, you can change the default dataset. Cortex XDR can also raise
Cortex XDR alerts (IOC, BIOC, and Correlation Rule only) when relevant from Azure Event Hub
logs.
Cortex XDR can also ingest Azure sign-in logs when you configure an Azure Event Hub data
collector to collect audit logs. This also depends on setting the applicable Diagnostic settings
in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex
XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these
authentication logs. Cortex XDR can normalize these Active Directory sign-in logs with other
Cortex XDR authentication stories across all cloud providers using the same format. You can query
these logs in XQL Search using the cloud_audit_logs and xdr_data datasets.
Be sure you do the following tasks before you begin configuring data collection from Azure Event
Hub.
• Create an Azure Event Hub. For more information, see Quickstart: Create an event hub using
Azure portal.
• Ensure the format for the logs you want collected from the Azure Event Hub is either JSON or
raw.
Configure the Azure Event Hub collection in Cortex XDR.
STEP 1 | In the Microsoft Azure Console, open the Event Hubs page, and select the Azure Event Hub
that you created for collection in Cortex XDR.
STEP 2 | Record the following parameters from your configured event hub, which you will need when
configuring data collection in Cortex XDR.
• Your event hub’s consumer group.
1. Select Entities > Event Hubs, and select your event hub.
2. In the event hub, select Entities > Consumer groups.
3. In the Consumer group table, copy the applicable value listed in the Name column for
your Cortex XDR data collection configuration.
• Your event hub’s connection string for the designated policy.
1. Select Settings > Shared access policies.
2. In the Shared access policies table, select the applicable policy. A policy that grants only
the Listen claim is sufficient for Cortex XDR to read events; avoid reusing a policy that also
has Send or Manage rights.
3. Copy the Connection string-primary key.
• Storage account for the connection string.
1. Open the Storage accounts page, and select the storage account that contains the
connection string for the event hub you have configured for data collection by Cortex
XDR.
2. Select Security + networking > Access keys, and click Show keys.
3. Copy the applicable Connection string.
STEP 3 | (Optional) Configure your Microsoft Azure Event Hub to collect Azure sign-in logs.
1. In the Microsoft Azure Console, search for Azure Active Directory, and select Services >
Azure Active Directory.
2. Select Monitoring > Diagnostic settings, and +Add diagnostic setting.
3. Set the following parameters.
• Event hub namespace—Select the applicable Subscription and Event hub namespace for
the Azure Event Hub.
• (Optional) Event hub name—Specify the name of your Azure Event Hub.
• Event hub policy—Select the applicable Event hub policy for your Azure Event
Hub.
4. Save your settings.
When you Normalize and enrich audit logs, the log format is automatically
configured. As a result, this option is removed and no longer available to
configure.
-The Vendor and Product default to Auto-Detect when the Log Format is set
to CEF or LEEF.
-For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row
to look for the Vendor and Product configured in the logs. When the values
are populated in the event log row, Cortex XDR uses these values even if
you specified a value in the Vendor and Product fields in the Azure Event
Hub data collector settings. When the values are blank in the event log
row, Cortex XDR uses the Vendor and Product that you specified in the Azure
Event Hub data collector settings. If you did not specify a Vendor or Product
in the Azure Event Hub data collector settings, and the values are blank in the
event log row, the values for both fields are set to unknown.
For a Log Format set to Cisco, the following fields are automatically set and not
configurable.
-Vendor—Cisco
-Product—ASA
For a Log Format set to Corelight, the following fields are automatically set and not
configurable.
-Vendor—Corelight
-Product—Zeek
For a Log Format set to Raw or JSON, the following fields are automatically set and
are configurable.
-Vendor—Ms
-Product—Azure
• Vendor and Product—Specify the Vendor and Product for the type of logs you are
ingesting.
The Vendor and Product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). The Vendor and Product values vary depending on
the Log Format selected. To uniquely identify the log source, consider changing the
values if they are configurable.
When you Normalize and enrich audit logs, the Vendor and Product fields
are automatically configured. Therefore, these fields are removed as available
options.
• Normalize and enrich audit logs—(Optional) Select the checkbox to Normalize and enrich
audit logs. If selected, Cortex XDR normalizes and enriches Azure
Event Hub audit logs, including any Azure sign-in logs configured for collection, with
other Cortex XDR authentication stories across all cloud providers using the same
format, which you can query with XQL Search using the cloud_audit_logs and
xdr_data datasets.
4. Click Test to validate access, and then click Enable.
Once events start to come in, a green check mark appears underneath the Azure Event
Hub configuration with the amount of data received.
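The Amazon S3, GCP and Azure Event Hub collectors in this chapter all state the same CEF/LEEF rule: a vendor and product present in the event header win over the collector settings, the collector settings fill in blanks, and unknown is the final fallback, with the result deciding which <Vendor>_<Product>_raw dataset an event lands in. The Python below is an added example, not code from this guide or from the product. It implements that resolution over constructed CEF and LEEF lines (including a syslog-prefixed header and an escaped pipe in the vendor field) and derives the dataset name. How Cortex XDR normalizes case and spaces in dataset names is not spelled out on this page; the lower-casing used here matches amazon_aws_raw and google_cloud_logging_raw above but is an assumption.

```python
import re
from typing import Tuple

# A CEF header is CEF:Version|Device Vendor|Device Product|Device Version|...
# and a LEEF header is LEEF:Version|Vendor|Product|Version|EventID|...
# In both, vendor and product are the first two fields after the version.
HEADER_RE = re.compile(r"\b(CEF|LEEF):")
# Split on '|' unless it is escaped as '\|' (the CEF header escaping rule).
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")

# Default Vendor/Product each collector applies for the Raw and JSON formats.
RAW_JSON_DEFAULTS = {
    "amazon_s3": ("AMAZON", "AWS"),
    "gcp_pubsub": ("Google", "Cloud Logging"),
    "azure_event_hub": ("Ms", "Azure"),
}


def _unescape(field: str) -> str:
    return field.replace("\\|", "|").replace("\\\\", "\\").strip()


def parse_vendor_product(line: str) -> Tuple[str, str]:
    """Return (vendor, product) from a CEF or LEEF header, or ('', '') when
    the line has no such header or the fields are blank. Any syslog prefix
    before the 'CEF:'/'LEEF:' marker is ignored."""
    match = HEADER_RE.search(line)
    if not match:
        return "", ""
    parts = UNESCAPED_PIPE.split(line[match.end():], maxsplit=3)
    if len(parts) < 3:
        return "", ""
    return _unescape(parts[1]), _unescape(parts[2])


def resolve_vendor_product(line: str, configured_vendor: str = "",
                           configured_product: str = "") -> Tuple[str, str]:
    """Apply the collector precedence: header value, then the value set in
    the data collector settings, then 'unknown'."""
    vendor, product = parse_vendor_product(line)
    return (vendor or configured_vendor or "unknown",
            product or configured_product or "unknown")


def dataset_name(vendor: str, product: str) -> str:
    """Build the <Vendor>_<Product>_raw dataset name. Lower-casing and
    replacing spaces with underscores is an assumption (see lead-in)."""
    return f"{vendor}_{product}_raw".lower().replace(" ", "_")


# Constructed sample events (not real device output).
POPULATED = "CEF:0|Vendor A|Product X|1.0|100|Login|3|src=10.0.0.1 suser=alice"
BLANK_HEADER = "CEF:0|||1.0|100|Login|3|src=10.0.0.2"
LEEF_LINE = "LEEF:1.0|Acme|Gateway|2.1|auth_ok|src=10.0.0.3\tusrName=bob"
SYSLOG_PREFIXED = "<134>May 27 10:15:01 fw01 CEF:0|Vendor A|Product X|1.0|100|Login|3|src=10.0.0.4"
ESCAPED_PIPE = r"CEF:0|Pipe\|Co|Prod|1.0|1|x|1|msg=ok"

if __name__ == "__main__":
    for line in (POPULATED, BLANK_HEADER, LEEF_LINE, SYSLOG_PREFIXED, ESCAPED_PIPE):
        vendor, product = resolve_vendor_product(line, "MyVendor", "MyProduct")
        print(f"{vendor!r:14} {product!r:14} -> {dataset_name(vendor, product)}")
    print(dataset_name(*RAW_JSON_DEFAULTS["amazon_s3"]))
```

Running the sample shows why the guide suggests setting a Vendor and Product explicitly: with blank headers and no collector values, every such event ends up in unknown_unknown_raw alongside data from any other misconfigured source.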
To receive logs and data from Okta, you must configure the Collection Integrations settings in
Cortex XDR. After you set up data collection, Cortex XDR immediately begins receiving new logs
and data from the source. The information from Okta is then searchable in XQL Search using the
okta_sso_raw dataset.
You can collect all types of events from Okta. When setting up the Okta data collector in Cortex
XDR, a field called Okta Filter is available to configure collection for events of your choosing. All
events are collected by default unless you define an Okta API filter expression for collecting the
data, such as filter=eventType eq "user.session.start". For Okta information
to be woven into authentication stories, "user.authentication.sso" events must be
collected, so make sure any filter you define retains them.
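The Okta Filter field takes an Okta System Log API filter expression (attribute path, operator, quoted value, combined with and/or). Because a filter that omits user.authentication.sso silently breaks authentication stories, it pays to dry-run the expression against representative events before saving the collector. The Python below is an added example, not code from this guide or from Okta: it evaluates the eq, sw and co operators joined by and/or (no parentheses; a leading filter= prefix is tolerated) over constructed System Log events and reports what the filter keeps and whether SSO events survive. The sample events and the subset of the grammar supported are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# One supported term: <attribute path> <operator> "<value>".
TERM_RE = re.compile(r'^([A-Za-z0-9_.]+)\s+(eq|sw|co)\s+"([^"]*)"$')
Term = Tuple[str, str, str]


def parse_filter(expression: str) -> List[List[Term]]:
    """Parse a flat Okta filter into disjunctive normal form: a list of
    OR-branches, each a list of AND-ed terms. Parentheses and quoted values
    containing the words 'and'/'or' are not supported (an assumption that
    keeps the parser small); such input raises ValueError."""
    expr = expression.strip()
    if expr.startswith("filter="):
        expr = expr[len("filter="):]
    branches: List[List[Term]] = []
    for branch in re.split(r"\s+or\s+", expr):
        terms: List[Term] = []
        for raw in re.split(r"\s+and\s+", branch):
            match = TERM_RE.match(raw.strip())
            if not match:
                raise ValueError(f"unsupported filter term: {raw.strip()!r}")
            terms.append((match.group(1), match.group(2), match.group(3)))
        branches.append(terms)
    return branches


def is_supported_filter(expression: str) -> bool:
    try:
        parse_filter(expression)
        return True
    except ValueError:
        return False


def _lookup(event: Dict[str, Any], path: str) -> Any:
    value: Any = event
    for key in path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def matches(event: Dict[str, Any], branches: List[List[Term]]) -> bool:
    """True when any OR-branch has all of its terms satisfied."""
    def term_ok(attr: str, op: str, wanted: str) -> bool:
        actual = _lookup(event, attr)
        if actual is None:
            return False
        actual = str(actual)
        return {"eq": actual == wanted,
                "sw": actual.startswith(wanted),
                "co": wanted in actual}[op]
    return any(all(term_ok(*term) for term in branch) for branch in branches)


def preview_filter(expression: str, events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Dry-run a filter: how many sample events it keeps, which event types
    survive, and whether any user.authentication.sso event is retained
    (False means authentication stories would be broken)."""
    branches = parse_filter(expression)
    kept = [e for e in events if matches(e, branches)]
    return {"kept": len(kept), "dropped": len(events) - len(kept),
            "kept_types": sorted({e["eventType"] for e in kept}),
            "sso_retained": any(e.get("eventType") == "user.authentication.sso" for e in kept)}


def _event(event_type: str, result: str, user: str) -> Dict[str, Any]:
    # Minimal shape of an Okta System Log event (constructed sample).
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user, "type": "User"}}


SAMPLE_EVENTS = [
    _event("user.session.start", "SUCCESS", "alice@example.com"),
    _event("user.authentication.sso", "SUCCESS", "alice@example.com"),
    _event("user.session.start", "FAILURE", "bob@example.com"),
    _event("system.api_token.create", "SUCCESS", "admin@example.com"),
    _event("user.account.lock", "FAILURE", "bob@example.com"),
]

# The filter quoted above keeps only session starts and so loses SSO events.
SESSION_ONLY = 'filter=eventType eq "user.session.start"'
# Same intent with SSO events retained, as authentication stories require.
SESSION_AND_SSO = ('eventType eq "user.session.start" '
                   'or eventType eq "user.authentication.sso"')
FAILED_USER_EVENTS = 'eventType sw "user." and outcome.result eq "FAILURE"'

if __name__ == "__main__":
    for expr in (SESSION_ONLY, SESSION_AND_SSO, FAILED_USER_EVENTS):
        print(expr, "->", preview_filter(expr, SAMPLE_EVENTS))
```

Replace SAMPLE_EVENTS with a page of real events exported from your Okta System Log to see the actual keep/drop ratio; if sso_retained comes back False, extend the filter with an or branch for user.authentication.sso before enabling the collector.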
STEP 3 | Select Settings ( ) > Configurations > Data Collection > Collection Integrations.
STEP 5 | After Cortex XDR begins receiving information from the service, you can Create an XQL
Query to search for specific data. When including authentication events, you can also Create
an Authentication Query to search for specific authentication data.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in AWS. This capability
provides deeper visibility into all the assets and better context for incident investigation.
To receive cloud assets from AWS, you must configure the Collection Integrations settings in
Cortex XDR using the Cloud Inventory data collector, which opens the AWS wizard. The AWS
wizard includes instructions to be completed both in AWS and in the AWS wizard screens. After you
set up data collection, Cortex XDR begins receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud
Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the AWS cloud assets collection in Cortex XDR:
STEP 1 | Open the AWS wizard in Cortex XDR.
1. Select Settings ( ) > Configurations > Data Collection > Collection Integrations.
2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.
3. Click AWS.
4. Wait for the Status to update to CREATE_COMPLETE in the Stacks page that is
displayed, and select the XDRCloudAPP stack under the Stack name column in the table.
5. Select the Outputs tab and copy the Value of the Role ARN.
6. Paste the Role ARN value in one of the following fields in the Account Details screen in
Cortex XDR. The field name depends on the Organization Level that you selected.
• Account—Paste the value in the Account Role ARN field.
• Organization—Paste the value in the Master Role ARN field.
1. On the main menu of the AWS Console, select <your username> > My Organization.
2. Copy the Root ID displayed under the Root directory and paste it in the Root ID field
in the Account Details screen in Cortex XDR.
8. Set the Organization Unit ID in Cortex XDR.
1. On the main menu of the AWS Console, select <your username> > My Organization.
3. Copy the ID and paste it in the Organization Unit ID field in the Account Details
screen in Cortex XDR.
9. Define the following remaining connection parameters in the Account Details screen in
Cortex XDR.
• Account Role External ID / Master External ID—The name of this field depends
on the Organization Level configured. This field is automatically populated with a
value. You can either keep this value or replace it with another value. The external ID is
the condition on the role's trust policy that stops another party from assuming the role
(the confused-deputy problem), so keep it random and treat it as a secret.
• Cortex XDR Collection Name—Specify a name for your Cortex XDR collection that is
displayed underneath the Cloud Inventory configuration for this AWS collection.
10. Click Next.
This wizard screen is only displayed if you’ve configured the Organization Level as
Organization or Organization Unit in the Account Details screen in Cortex XDR.
Otherwise, you can skip this step when the Organization Level is set to Account.
Configuring member accounts depends on creating a stack set and configuring stack
instances in AWS, which can be performed using either the AWS Command Line Interface
(CLI) or a CloudFormation template via the AWS Console. Both of these methods are explained
in the instructions below.
• Define the account credentials using the AWS CLI.
1. Select the Amazon CLI tab, which is displayed by default.
2. Open the AWS CLI.
For more information on how to set up the AWS CLI tool, see the AWS
Command Line Interface Documentation.
3. Run the following command to create a stack set, which you can copy from the Configure
Member Accounts screen by selecting the copy icon ( ), and paste in the AWS CLI.
This command includes the Role Name and External ID field values configured from the
wizard screen.
4. Run the following command to add stack instances to your stack set, which you can
copy from the Configure Member Accounts screen by selecting the copy icon ( ),
and paste in the AWS CLI. For the --deployment-targets parameter, specify
the organization root ID to deploy to all accounts in your organization, or specify
Organization Unit IDs to deploy to all accounts in these Organization Units. In this
parameter, you will need to replace <Org_OU_ID1>, <Org_OU_ID2>, and <Region>
according to your AWS settings.
OrganizationalUnitIds='["<Org_OU_ID1>", "<Org_OU_ID2>"]' --regions '["<Region>"]'
In this example, the Organization Units are populated with the ou-rcuk-1x5j1lwo and
ou-rcuk-slr5lh0a IDs.
OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' --regions '["eu-west-1"]'
Once completed, in the AWS Console, select Services > CloudFormation > StackSets,
and you can see the StackSet is now listed in the table.
• Define the account credentials using AWS CloudFormation.
1. Select the Cloud Formation tab.
2. Download the CloudFormation template. The name of the downloaded file is
cortex-xdr-aws-master-ro-1.0.0.template.
3. Sign in to your AWS Master Account using the AWS console, select Services >
CloudFormation > StackSets, and click Create StackSet.
11.To create the StackSet, accept the IAM acknowledgment for resource creation by
selecting the I acknowledge that AWS CloudFormation might create IAM resources with
custom names checkbox, and click Submit.
When the process completes, the Status of the StackSet is SUCCEEDED in the StackSet
details page.
Whenever the Cloud Inventory data collector integrations are modified by using the
Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be
reflected in Cortex XDR.
STEP 6 | After Cortex XDR begins receiving AWS cloud assets, you can view the data in Assets >
Cloud Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table
format. For more information, see Cloud Inventory Assets.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in Google Cloud
Platform (GCP). This capability provides deeper visibility into all the assets and better context for
incident investigation.
To receive cloud assets from GCP, you must configure the Collection Integrations settings in
Cortex XDR using the Cloud Inventory data collector, which opens the GCP wizard. The GCP
wizard includes instructions to be completed both in GCP and in the GCP wizard screens. After you
set up data collection, Cortex XDR begins receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud
Inventory, where the All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the GCP cloud assets collection in Cortex XDR:
STEP 1 | Open the GCP wizard in Cortex XDR.
1. Select Settings ( ) > Configurations > Data Collection > Collection Integrations.
2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.
3. Click Google Cloud Platform.
1. From the Select from menu, select the organization that you want.
2. The next steps to perform in Google Cloud Platform depend on the
Organization Level you selected in Cortex XDR: Project, Folder, or Organization.
• Project or Folder Organization Level—In the table, copy the ID of the project or folder
that you want to configure and paste it in the designated field in the Configure
Account screen in Cortex XDR. The field in Cortex XDR depends on the
Organization Level you selected.
-Project—Has a project icon ( ) beside it, and the ID should be pasted in the
Project ID field in Cortex XDR.
-Folder—Has a folder icon ( ) beside it, and the ID should be pasted in the
Folder ID field in Cortex XDR.
When you are finished, click CANCEL to close the window.
• Organization is the Organization Level—Select the ellipsis icon ( ) > Settings. In
the Settings page, copy the Organization ID for the applicable organization that
you want to configure and paste it in the Organization Id field in the Configure
Account screen in Cortex XDR.
6. Select the Hamburger menu > Storage > Cloud Storage > Browser.
7. You can either use an existing bucket from the list or create a new bucket. Copy the
Name of the bucket and paste it in the Bucket Name field in the Configure Account
screen in Cortex XDR.
8. Define the following remaining connection parameters in the Configure Account screen
in Cortex XDR.
• Bucket Directory Name—You can either leave the default directory, Exported-Assets,
or define a new directory name that will be created for the exported assets
collected for the bucket configured in GCP.
• Cortex XDR Collection Name—Specify a name for your Cortex XDR collection that is
displayed underneath the Cloud Inventory configuration for this GCP collection.
9. Click Next.
4. Select File > Open, and open the Terraform script that you downloaded from Cortex
XDR.
5. Use the following commands to upload the Terraform script, which you can copy from
the Account Details screen in Cortex XDR using the copy icon.
1. terraform init—Initializes the Terraform script. You need to wait until the
initialization is complete before running the next command, as indicated in the image
below.
2. terraform apply—When running this command you will be asked to enter the
following values.
• var.assets_bucket_name—Specify the GCP storage Bucket Name that you
configured in the Configure Account screen of the wizard to contain GCP cloud
asset data.
• var.host_project_id—Specify the GCP Project ID that hosts the XDR service
account and bucket, in which you registered your application. Ensure that you use a
permanent project.
• var.project_id—Specify the Project ID, Folder ID, or Organization ID that you
configured in the Configure Account screen of the wizard from GCP.
After specifying all the values, you need to Authorize gcloud to use your
credentials to make this GCP API call in the Authorize Cloud Shell dialog box that
is displayed.
Before the action completes, you need to confirm whether you want to perform
these actions, and after the process finishes running an Apply complete indication
is displayed.
2. Select the JSON file produced after running the Terraform script, and click Download.
7. Upload the downloaded Service Account Key JSON file in the Configure Account screen
in Cortex XDR. You can drag and drop the file, or Browse to the file.
8. Click Next.
STEP 4 | (Optional) Define the Change Asset Logs screen of the wizard.
You can skip this step if you have already configured a Google Cloud Platform data
collector with a Pub/Sub asset feed collection.
1. In the GCP Console, search for Topics, and select the Topics link.
2. Click CREATE TOPIC.
For more information on the gcloud CLI tool, see gcloud tool overview.
The command contains one parameter that is already populated and parameters that you need to
replace before running the command.
• <FEED_ID>—Replace this placeholder text with a unique asset feed identifier of your
choosing.
• --project—This parameter is automatically populated from the Project ID field in
the Configure Account screen of the wizard in Cortex XDR.
• <Topic name>—Replace this placeholder text with the name of the topic you
created in the Topic details page in the GCP console.
5. In the GCP Console, search for Subscription, and select the Subscriptions link.
10. Click ADD PRINCIPAL to add permissions for the Service Account that you created the key
for in the JSON file and uploaded to the Configure Account wizard screen in Cortex
XDR. Set the following permissions for the Service Account.
• New principals—Select the designated Service Account whose key you created in the
JSON file.
• Select a role—Select Pub/Sub Subscriber.
11. Copy the Subscription name and paste it in the Subscription Name field on the right side
of the Change Asset Logs screen in Cortex XDR, and click Next.
The Subscription Name is the name of the new Google Cloud Platform data
collector that is configured with a Pub/Sub asset feed collection in Cortex XDR
under Settings > Configurations > Data Collection > Collection Integrations
> Google Cloud Platform.
Whenever the Cloud Inventory data collector integrations are modified by using the
Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be
reflected in Cortex XDR.
In addition, if you created a Pub/Sub asset feed collection, a green check mark appears
underneath the Google Cloud Platform configuration with the amount of data received.
STEP 7 | After Cortex XDR begins receiving GCP cloud assets, you can view the data in Assets >
Cloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table
format. For more information, see Cloud Inventory Assets.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in Microsoft Azure.
This capability provides deeper visibility into all the assets and superior context for incident
investigation.
To receive cloud assets from Microsoft Azure, you must configure the Collection Integrations
settings in Cortex XDR using the Cloud Inventory data collector, which opens the Microsoft Azure
wizard. The Microsoft Azure wizard includes instructions to be completed both in Microsoft Azure
and in the Microsoft Azure wizard screens. After you set up data collection, Cortex XDR begins
receiving new data from the source.
As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud
Inventory, where All Assets and Specific Cloud Assets pages display the data in a table format.
To configure the Microsoft Azure cloud assets collection in Cortex XDR:
STEP 1 | Open the Microsoft Azure wizard in Cortex XDR.
1. Select Settings > Configurations > Data Collection > Collection Integrations.
2. In the Cloud Inventory configuration, click Add Instance to begin a new configuration.
3. Click Azure.
4. Search for Management groups, select Management groups, copy the applicable ID in
Azure, and paste it in the Management Group ID field in the Configure Account screen
of the wizard in Cortex XDR.
5. Search for Tenant properties, select Tenant properties, copy the Tenant ID in Azure, and
paste it in the Tenant ID field in the Configure Account screen of the wizard in Cortex XDR.
6. Specify a Cortex XDR Collection Name to be displayed underneath the Cloud Inventory
configuration for this Azure collection.
7. Click Next.
2. terraform apply—When running this command you will be asked to enter the
following values, which depend on the Organization Level that you configured.
• var.subscription_id—Specify the Subscription ID that you configured in the
Configure Account screen of the wizard from Microsoft Azure. This value only
needs to be specified if the Subscription ID is set to Subscription.
• var.management.group_id—Specify the Management Group ID that you
configured in the Configure Account screen of the wizard from Microsoft
Azure. This value only needs to be specified if the Management Group is set to
Management Group.
• var.tenant_id—Specify the Tenant ID that you configured in the Configure
Account screen of the wizard from Microsoft Azure.
Before the action completes, you need to confirm whether you want to perform these
actions, and after the process finishes running an Apply complete indication is displayed.
5. Copy the client_id value displayed in the Cloud Shell window and paste it in the
Application Client ID field in the Account Details screen in Cortex XDR.
6. Copy the secret value displayed in the Cloud Shell window and paste it in the Secret field
in the Account Details screen in Cortex XDR.
7. Download the JSON file from Cloud Shell using the upload/download icon, so you
have the output field values for future reference.
8. Click Next.
Whenever the Cloud Inventory data collector integrations are modified by using the
Edit, Disable, or Delete options, it can take up to 10 minutes for these changes to be
reflected in Cortex XDR.
STEP 6 | After Cortex XDR begins receiving Azure cloud assets, you can view the data in Assets >
Cloud Inventory, where All Assets and Specific Cloud Assets pages display the data in a table
format. For more information, see Cloud Inventory Assets.
Cortex XDR can receive Syslog from a variety of supported vendors (see External Data Ingestion
Vendor Support). In addition, Cortex XDR can receive Syslog from additional vendors that use CEF,
LEEF, CISCO, CORELIGHT, or RAW formatted messages over Syslog (Syslog over TLS is not supported).
After Cortex XDR begins receiving logs from the third-party source, Cortex XDR automatically
parses the logs in CEF, LEEF, CISCO, CORELIGHT, or RAW format and creates a dataset with
the name <vendor>_<product>_raw. You can then use XQL Search queries to view logs and
create new IOC, BIOC, and Correlation Rules.
To receive Syslog from an external source:
STEP 1 | Set up your Syslog receiver to forward logs.
STEP 2 | Activate the Syslog Collector applet on a Broker VM within your network.
Cortex XDR can receive CSV log files from a shared Windows directory directly into your log
repository for query and visualization purposes. After you activate the CSV Collector applet on
a broker VM in your network, which includes defining the list of folders mounted to the broker
VM and setting the list of CSV files to monitor and upload to Cortex XDR (using a username and
password), you can ingest CSV files as datasets.
The ingested CSV log files must conform to the following guidelines:
• Header field names must contain only letters (a-z, A-Z) or numbers (0-9) and must start with a
letter. Spaces are converted to underscores (_).
• Date values can be in either of the following formats:
• YYYY-MM-DD (optionally including HH:MM:SS)
• Unix Epoch time. For example, 1614858795.
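The following Python script is an added example (not part of this guide or of the Cortex XDR product) that checks a CSV file against the two guidelines above before the file is placed in the shared directory, so that a header the collector would reject is caught locally. The sample CSV is constructed. Two points are this example's own assumptions about how the guideline is applied: a header may contain spaces only because the collector rewrites them to underscores, and either a space or a T is accepted between the date and the time.

```python
"""Pre-flight check for CSV files destined for the CSV Collector.

Added example, not Cortex XDR code. Encodes the two guidelines from the guide:
header names are letters/digits starting with a letter (spaces become '_'),
and date values are YYYY-MM-DD[ HH:MM:SS] or Unix epoch seconds.
"""
import csv
import io
import re
from datetime import datetime

# Letters and digits, starting with a letter. Spaces are tolerated only because
# the collector rewrites them to underscores (assumption: nothing else is rewritten).
HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ]*$")

# YYYY-MM-DD, optionally with HH:MM:SS. The guide does not say which separator
# sits between date and time, so both a space and a 'T' are accepted (assumption).
DATE_FORMATS = ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S")


def normalize_header(name):
    """The one transformation the guide describes: spaces become underscores."""
    return name.replace(" ", "_")


def date_is_valid(value):
    """True for a Unix epoch integer (e.g. 1614858795) or a date in DATE_FORMATS."""
    value = value.strip()
    if value.isdigit():
        return True
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False


def check_csv(text, date_columns=()):
    """Validate CSV text. Returns {'headers': [...], 'errors': [...]}.

    'headers' holds the names as the collector would store them; 'errors'
    lists every guideline violation with its location so it can be fixed
    before the file is exposed on the share.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return {"headers": [], "errors": ["file is empty"]}
    headers, errors = [], []
    for raw in rows[0]:
        if not HEADER_RE.match(raw):
            errors.append(
                f"header {raw!r}: only letters, digits and spaces are allowed "
                "and the name must start with a letter"
            )
        headers.append(normalize_header(raw))
    date_idx = [headers.index(c) for c in date_columns if c in headers]
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(headers):
            errors.append(f"line {lineno}: expected {len(headers)} fields, got {len(row)}")
        for i in date_idx:
            if i < len(row) and not date_is_valid(row[i]):
                errors.append(f"line {lineno}, column {headers[i]}: bad date {row[i]!r}")
    return {"headers": headers, "errors": errors}


# Constructed sample: two good rows, one bad header ('1st action' starts with
# a digit) and one row whose date uses a format the collector does not accept.
SAMPLE_CSV = """event time,user name,src ip,1st action
2021-03-04 11:13:15,alice,10.0.0.5,login
1614858795,bob,10.0.0.9,logout
04/03/2021,carol,10.0.0.7,login
"""

if __name__ == "__main__":
    result = check_csv(SAMPLE_CSV, date_columns=("event_time",))
    print("dataset columns:", result["headers"])
    for err in result["errors"]:
        print("ERROR:", err)
```

Run it against each file before sharing it; the `date_columns` argument names the columns (after space-to-underscore conversion) that must hold dates, since the guide's date rule applies to date values rather than to every field.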
After Cortex XDR begins receiving logs from the shared Windows directory, Cortex XDR
automatically parses the logs and creates a dataset with the specific name you set as the target
dataset when you configured the CSV Collector. The CSV Collector checks for any changes in
the configured CSV files, as well as any new CSV files added to the configured folders, in the
Windows directory every 10 minutes and replaces the data in the dataset with the data from
those files. You can then use XQL Search queries to view logs and create new Correlation Rules.
Configure Cortex XDR to receive CSV files as datasets from a shared Windows directory.
STEP 1 | Ensure that you share the applicable CSV files in your Windows directory.
STEP 2 | Activate the CSV Collector applet on a broker VM within your network.
Cortex XDR can receive data from a client relational database directly into your log repository for
query and visualization purposes. After you activate the Database Collector applet on a broker
VM in your network, which includes defining the database connection details and settings related
to the query details for collecting the data from the database to monitor and upload to Cortex
XDR, you can collect data as datasets.
After Cortex XDR begins receiving data from a client relational database, Cortex XDR
automatically parses the logs and creates a dataset with the specific name you set
as the target dataset when you configured the Database Collector using the format
<Vendor>_<Product>_raw. The Database Collector checks for any changes in the configured
database based on the SQL Query defined in the database connection according to the execution
frequency of collection that you configured and appends the data to the dataset. You can then use
XQL Search queries to view data and create new Correlation Rules.
Configure Cortex XDR to receive data as datasets from a client relational database.
STEP 1 | Activate the Database Collector applet on a broker VM within your network.
Cortex XDR can receive logs from files and folders in a network share directly into your log
repository for query and visualization purposes. After you activate the Files and Folders Collector
applet on a broker VM in your network, which includes defining the connection details and
settings related to the list of files to monitor and upload to Cortex XDR, you can collect files as
datasets.
After Cortex XDR begins receiving logs from files and folders in a network share, Cortex
XDR automatically parses the logs and creates a dataset with the specific name you set as
the target dataset when you configured the Files and Folders Collector using the format
<Vendor>_<Product>_raw. The Files and Folders Collector reads and processes the configured
files one by one, as well as any new files added to the configured files and folders, in the network
share according to the execution frequency of collection that you configured and adds the data
in these files to the dataset. You can then use XQL Search queries to view logs and create new
Correlation Rules.
The Files and Folders Collector applet only starts to collect files that are larger than 256
bytes.
Configure Cortex XDR to receive logs as datasets from files and folders in a network share.
STEP 1 | Activate the Files and Folders Collector applet on a broker VM within your network.
Cortex XDR can receive NetFlow flow records and IPFIX from a UDP port directly into your log
repository for query and visualization purposes. After you activate the NetFlow Collector applet
on a broker VM in your network, which includes configuring your NetFlow Collector settings, you
can ingest NetFlow flow records and IPFIX as datasets.
The ingested NetFlow flow record format must include, at the very least:
• Source and destination IP addresses
• TCP/UDP source and destination port numbers
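As an added example (not Cortex XDR or broker VM code), the following Python script decodes NetFlow v5 export datagrams, the fixed layout that most routers and switches emit, and checks each flow record against the minimum above: source and destination IP addresses plus TCP/UDP source and destination ports. The datagram is constructed inline rather than captured. Treating only TCP and UDP flows as satisfying the port requirement, and rejecting datagrams whose header length or version does not fit, are this example's own choices; pointed at a UDP socket, it shows what an exporter actually sends before the dataset is queried.

```python
"""Decode NetFlow v5 export datagrams and check the minimum field set.

Added example, not Cortex XDR code. The byte layout is the public NetFlow v5
format (24-byte header followed by 48-byte records); the sample datagram is
constructed, not captured.
"""
import ipaddress
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval.
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2.
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

TCP, UDP = 6, 17


def parse_netflow_v5(packet):
    """Return one dict per flow record. Raises ValueError for anything that is
    not a well-formed v5 datagram, so a stray or truncated packet on the UDP
    port is rejected instead of being decoded into garbage."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, unix_secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header advertises {count} records but datagram is truncated")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nh, _inp, _out, pkts, octets, _first, _last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        records.append({
            "export_time": unix_secs,
            "sequence": seq + i,          # flow_sequence counts the first flow in the datagram
            "src_ip": str(ipaddress.IPv4Address(src)),
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport,
            "dst_port": dport,
            "protocol": proto,
            "tcp_flags": flags,
            "packets": pkts,
            "bytes": octets,
        })
    return records


def meets_minimum(record):
    """The guide's minimum: both IP addresses and TCP/UDP source/destination ports.
    Assumption: only TCP and UDP flows can satisfy the port requirement; for
    other protocols the port fields carry no meaning."""
    has_ips = bool(record.get("src_ip")) and bool(record.get("dst_ip"))
    has_ports = "src_port" in record and "dst_port" in record
    return has_ips and has_ports and record["protocol"] in (TCP, UDP)


def parse_or_none(packet):
    """Convenience wrapper: None instead of an exception for malformed input."""
    try:
        return parse_netflow_v5(packet)
    except ValueError:
        return None


def build_sample_packet():
    """Constructed exporter datagram with three flows: one TCP, one UDP, one ICMP."""
    flows = [  # src, dst, sport, dport, proto, tcp_flags, packets, octets
        ("10.1.2.3", "192.0.2.10", 51514, 443, TCP, 0x18, 12, 2048),
        ("10.1.2.3", "224.0.0.251", 5353, 5353, UDP, 0, 1, 120),
        ("10.1.2.3", "192.0.2.1", 0, 0, 1, 0, 2, 128),
    ]
    header = struct.pack(HEADER_FMT, 5, len(flows), 1000, 1614858795, 0, 42, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    b"\x00" * 4, 1, 2, pk, oc, 900, 1000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, fl, pk, oc in flows)
    return header + body


if __name__ == "__main__":
    for rec in parse_netflow_v5(build_sample_packet()):
        print(("OK  " if meets_minimum(rec) else "SKIP"), rec)
```

The version and length checks matter in practice: the collector listens on an open UDP port, so anything can be sent to it, and a decoder that trusts the advertised record count would read past the end of a short datagram.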
After Cortex XDR begins receiving flow records from the UDP port, Cortex XDR automatically
parses the flow records and creates a dataset with the specific name you set as the target dataset
when you configured the NetFlow Collector. The NetFlow Collector adds the flow records to the
dataset. You can then use XQL Search queries to view those flow records and create new IOC,
BIOC, and Correlation Rules.
Configure Cortex XDR to receive NetFlow flow records as datasets from the routers and switches
that support NetFlow.
STEP 1 | Set up your NetFlow exporter to forward flow records to the IP address of the broker that
runs the NetFlow Collector applet.
STEP 2 | Activate the NetFlow Collector applet on a broker VM within your network.
STEP 3 | Use XQL Search to query your flow records, using your designated dataset.
In addition to logs from supported vendors, you can set up a custom HTTP log collector to receive
logs in Raw, JSON, CEF, or LEEF format.
After Cortex XDR begins receiving logs from the third-party source, Cortex XDR automatically
parses the logs and creates a dataset with the name <vendor>_<product>_raw. You can then
use XQL Search queries to view logs and create new Correlation Rules.
To set up an HTTP log collector to receive logs from an external source:
STEP 1 | Create an HTTP Log collector in Cortex XDR.
1. Select Settings > Configurations > Custom Collections.
2. In the HTTP configuration, click Add Instance.
3. Specify a descriptive Name for your HTTP log collection configuration.
4. Select the data object Compression, either gzip or uncompressed.
5. Select the Log Format as Raw, JSON, CEF, or LEEF.
Cortex XDR supports logs in single line format or multiline format. For a JSON format,
multiline logs are collected automatically when the Log Format is configured as JSON.
When configuring a Raw format, you must also define the Multiline Parsing Regex as
explained below.
- The Vendor and Product default to Auto-Detect when the Log Format is set to
CEF or LEEF.
- For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row
to look for the Vendor and Product configured in the logs. When the values
are populated in the event log row, Cortex XDR uses these values even if you
specified a value in the Vendor and Product fields in the HTTP collector settings.
When the values are blank in the event log row, Cortex XDR uses the Vendor
and Product that you specified in the HTTP collector settings. If you did not
specify a Vendor or Product in the HTTP collector settings, and the values are
blank in the event log row, the values for both fields are set to unknown.
6. Specify the Vendor and Product for the type of logs you are ingesting.
The vendor and product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR
examines the log header to identify the type and uses that to define the vendor and
product in the dataset. For example, if the type is Acme and you opt to let Cortex XDR
determine the values, the dataset name would be acme_acme_raw.
7. (Optional) Specify the Multiline Parsing Regex for logs with multiple lines.
This option is only displayed when the Log Format is set to Raw, so you can set the
regular expression that identifies where a multiline event starts in logs with multiple lines. It
is assumed that when a new event begins, the previous one has ended.
8. Save & Generate Token.
Click the copy icon next to the key and record it somewhere safe. You will need to
provide this key when you configure your HTTP POST request. If you forget to record
the key and close the window you will need to generate a new key and repeat this
process.
Click Done when finished.
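To make steps 5 through 7 concrete, the following Python script is an added example (not Cortex XDR code) that models two behaviours the guide describes for the HTTP collector: grouping a Raw multiline log into events with a start-of-event regex, and resolving the <vendor>_<product>_raw dataset name for CEF events in the order the guide gives (values in the event row, then the collector settings, then unknown). The log lines, the regex and the configured vendor/product values are constructed. Lowercasing the name and replacing anything that is not a letter or digit with an underscore is an assumption drawn from the acme_acme_raw example, and LEEF headers are not handled.

```python
"""Model of two HTTP log collector behaviours: multiline event grouping for Raw
logs, and vendor/product resolution for CEF logs.

Added example, not Cortex XDR code. Sample logs, the regex and the configured
vendor/product are constructed. Dataset-name normalisation (lowercase, '_' for
anything not a-z0-9) is an assumption drawn from the acme_acme_raw example.
"""
import re


def split_multiline_events(raw_text, start_regex):
    """Group lines into events for Raw logs.

    A line matching start_regex begins a new event; every following line that
    does not match belongs to the current event (the guide: a new event
    beginning means the previous one has ended). Lines before the first match
    are kept together as a leading fragment rather than dropped.
    """
    start = re.compile(start_regex)
    events, current = [], []
    for line in raw_text.splitlines():
        if start.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def cef_vendor_product(event):
    """Return (vendor, product) read from a CEF header, or None if the event is not CEF.

    CEF header: CEF:Version|Device Vendor|Device Product|Device Version|...
    A syslog prefix (timestamp, host) may precede 'CEF:'; a pipe inside a
    header field is escaped with a backslash and must not split the field.
    """
    first_line = event.split("\n", 1)[0]
    idx = first_line.find("CEF:")
    if idx < 0:
        return None
    fields = re.split(r"(?<!\\)\|", first_line[idx:], maxsplit=7)
    if len(fields) < 3:
        return None
    vendor = fields[1].replace("\\|", "|").strip()
    product = fields[2].replace("\\|", "|").strip()
    return vendor, product


def _normalize(value):
    """Assumed dataset-name normalisation: lowercase, runs of other chars -> '_'."""
    return re.sub(r"[^a-z0-9]+", "_", value.lower()).strip("_")


def dataset_name(event, configured_vendor="", configured_product=""):
    """Resolve <vendor>_<product>_raw in the order the guide describes:
    value in the event row, else the HTTP collector setting, else 'unknown'."""
    parsed = cef_vendor_product(event) or ("", "")
    vendor = parsed[0] or configured_vendor or "unknown"
    product = parsed[1] or configured_product or "unknown"
    return f"{_normalize(vendor)}_{_normalize(product)}_raw"


# Constructed Raw log: an error with a two-line stack trace, then two one-line events.
SAMPLE_RAW = """2022-05-27 10:00:00 ERROR Request failed
    at handler.process(handler.py:42)
    at main(main.py:7)
2022-05-27 10:00:05 INFO Service started
2022-05-27 10:00:09 WARN Disk 91% full
"""
START_RE = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "

# Constructed CEF events: full header, blank vendor, and blank vendor and product.
CEF_SAMPLES = [
    "May 27 10:00:00 host1 CEF:0|Acme|Firewall|1.0|100|Blocked connection|5|src=10.0.0.5 dst=192.0.2.9",
    "May 27 10:00:05 host1 CEF:0||Firewall|1.0|101|Allowed connection|1|src=10.0.0.6",
    "May 27 10:00:09 host1 CEF:0|||1.0|102|Policy change|3|",
]

if __name__ == "__main__":
    for n, ev in enumerate(split_multiline_events(SAMPLE_RAW, START_RE), 1):
        print(f"event {n}: {ev.count(chr(10)) + 1} line(s)")
    for ev in CEF_SAMPLES:
        print(dataset_name(ev), "|", dataset_name(ev, "Contoso", "Proxy"))
```

Running the script against a sample of the logs you intend to send is a cheap way to confirm that the start regex splits events where you expect and that blank vendor or product fields in the source will not silently land in an unknown_unknown_raw dataset.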
STEP 4 | After Cortex XDR begins receiving logs, use XQL Search to search your logs.
If you use BeyondTrust Privilege Management Cloud, you can take advantage of Cortex XDR
investigation and detection capabilities by forwarding your logs to Cortex XDR. This enables
Cortex XDR to help you expand visibility into computer, activity, and authorization requests in the
organization, correlate and detect access violations, and query BeyondTrust Endpoint Privilege
Management logs using XQL Search.
As soon as Cortex XDR starts to receive logs, Cortex XDR can analyze your logs in XQL Search
and you can create new Correlation Rules.
To integrate your logs, you first need to configure SIEM settings and an AWS S3 Bucket according
to the specific requirements provided by BeyondTrust. You can then configure data collection
in Cortex XDR by configuring an Amazon S3 data collector for a generic log type using the
Beyondtrust Cloud ECS log format.
Before you begin configuring data collection, verify that you are using BeyondTrust Privilege
Management Cloud version 21.6.339 or later.
Configure BeyondTrust Privilege Management Cloud collection in Cortex XDR.
STEP 1 | Configure SIEM settings and an AWS S3 Bucket according to the requirements provided in
the BeyondTrust documentation.
Ensure that when you add the AWS S3 bucket in the PMC and set the SIEM settings, you
select ECS - Elastic Common Schema as the SIEM Format.
STEP 2 | Configure BeyondTrust logs collection with Cortex XDR using an Amazon S3 data collector
for generic data.
Ensure your Amazon S3 data collector is configured with the following settings.
• Log Type—Select Generic to configure your log collection to receive generic logs from
Amazon S3.
• Log Format—Select the log format type as Beyondtrust Cloud ECS.
For a Log Format set to Beyondtrust Cloud ECS, the following fields are
automatically set and not configurable.
• Vendor—Beyondtrust
• Product—Privilege Management
• Compression—Uncompressed
STEP 3 | After Cortex XDR begins receiving data from BeyondTrust Privilege
Management Cloud, you can use XQL Search to search your logs using the
beyondtrust_privilege_management_raw dataset that you configured when setting
up your Amazon S3 data collector.
If you want to ingest logs about file activity on your endpoints and servers and do not use the
Cortex XDR agent, you can install Elasticsearch* Filebeat as a system logger and then forward
those logs to Cortex XDR. To facilitate log ingestion, Cortex XDR supports the same protocols
that Filebeat and Elasticsearch use to communicate. Cortex XDR supports using Filebeat up to
version 8.0.1 with the Filebeat data collector. Cortex XDR also supports logs in single line format
or multiline format. For more information on handling messages that span multiple lines of text in
Elasticsearch Filebeat, see Manage Multiline Messages.
Cortex XDR supports all sections in the filebeat.yml configuration file, such as support for
Filebeat fields and tags. As a result, you can use the add_fields processor to identify the
product/vendor for the data collected by Filebeat so the collected events go through the ingestion
flow (Parsing Rules). To identify the product/vendor, ensure that you use the default fields
attribute, as opposed to the target attribute, as shown in the following example.
processors:
  - add_fields:
      fields:
        vendor: <Vendor>
        product: <Product>
To provide additional context during investigations, Cortex XDR automatically creates a new
XQL dataset from your Filebeat logs. You can then use the XQL dataset to search across the logs
Cortex XDR received from Filebeat.
To receive logs, you configure collection settings for Filebeat in Cortex XDR and output settings in
your Filebeat installations. As soon as Cortex XDR begins receiving logs, the data is visible in XQL
Search queries.
STEP 1 | In Cortex XDR, set up Data Collection.
1. Select Settings > Configurations > Data Collection > Custom Collectors.
2. In the Filebeat configuration, click Add Instance.
3. Specify a descriptive Name for your Filebeat log collection configuration.
4. Specify the Vendor and Product for the type of logs you are ingesting.
The vendor and product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR
examines the log header to identify the type and uses that to define the vendor and
product in the dataset. For example, if the type is Acme and you opt to let Cortex XDR
determine the values, the dataset name would be acme_acme_raw.
5. Save & Generate Token.
Click the copy icon next to the key and record it somewhere safe. You will need to
provide this key when you set up output settings on your Filebeat instance. If you forget
to record the key and close the window you will need to generate a new key and repeat
this process.
• hosts—Copy the API URL from your Filebeat configuration and paste it in this field.
• compression_level—5 (recommended)
• bulk_max_size—1000 (recommended)
• api_key—Paste the key you created when you configured Filebeat Log Collection
in Cortex XDR.
• proxy_url—(Optional) <server_ip>:<port_number>. You can specify your
own <server_ip> or use the broker VM to proxy Filebeat communication using the
format <broker_VM_ip>:<port_number>. When using the broker VM, ensure
that you activate the Local Agent Settings applet with the Agent Proxy enabled.
2. Save the changes to your output file.
After Cortex XDR begins receiving logs from Filebeat, they will be available in XQL Search
queries.
* Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
If you use Forcepoint DLP to prevent data loss over endpoint channels, you can take advantage
of Cortex XDR investigation and detection capabilities by forwarding your logs to Cortex XDR.
This enables Cortex XDR to help you expand visibility into data violations by users and hosts in
the organization, correlate and detect DLP incidents, and query Forcepoint DLP logs using XQL
Search.
As soon as Cortex XDR starts to receive logs, Cortex XDR can analyze your logs in XQL Search
and you can create new Correlation Rules.
To integrate your logs, you first need to set up an applet in a broker VM within your network to
act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the
Syslog Collector in a CEF or LEEF format.
Configure Forcepoint DLP collection in Cortex XDR.
STEP 1 | Verify that your Forcepoint DLP meets the following requirements.
• Must use version 8.8.0.347 or a later release.
• On-premises installation only.
STEP 4 | Configure the log device that receives Forcepoint DLP logs to forward syslog events to the
Syslog Collector in a CEF or LEEF format.
For more information, see the Forcepoint DLP documentation.
STEP 5 | After Cortex XDR begins receiving data from Forcepoint DLP, you can use XQL Search to
search your logs using the forcepoint_dlp_endpoint dataset.
The Palo Alto Networks IoT Security solution discovers unmanaged devices, detects behavioral
anomalies, recommends policy based on risk, and automates enforcement without the need for
additional sensors or infrastructure. The Cortex XDR - PAN IoT Security integration enables you to
ingest alerts and device information from your PAN IoT Security instance.
To receive data, configure the Collection Integrations settings in Cortex XDR for the PAN IoT
Security data collector in Settings > Configurations > Data Collection > Collection Integrations.
As soon as data collection begins, Cortex XDR displays the PAN IoT Security alerts in the Cortex
XDR Alerts table and groups them into Incidents. The PAN IoT Security alerts are updated every
15 minutes. PAN IoT Security alerts that were resolved before the integration are not added to the
Cortex XDR table. Cortex XDR adds device activities detected by PAN IoT Security to the Cortex
XDR Assets table. Device activities are updated every five minutes.
Cortex XDR automatically creates a new dataset for device activities
(panw_iot_security_devices_raw) and a new dataset for alerts
(panw_iot_security_alerts_raw), which you can use to initiate XQL Search queries and
create Correlation Rules.
Before you configure the PAN IoT Security Collector, generate an access key and a key ID for the
integration.
1. Log in to the PAN IoT Security portal and click your user name.
2. Select Preferences.
3. In the User Role & Access section, Create an API Access Key.
4. Download and save the access key and key ID in a secure location.
For more information about the PAN IoT Security API, see Get Started with the IoT Security API.
Configure the PAN IoT Security alerts and assets collection in Cortex XDR.
STEP 1 | Select Settings > Configurations > Data Collection > Collection Integrations.
STEP 2 | In the PAN IoT Security Collector configuration, click Add Instance to begin a new
configuration.
STEP 6 | After Cortex XDR begins receiving data from PAN IoT Security, you can use XQL Search
to search for logs in the new datasets, panw_iot_security_devices_raw for device
activities, and panw_iot_security_alerts_raw for alerts.
To receive logs from Proofpoint Targeted Attack Protection (TAP), you must first configure TAP
service credentials in the TAP dashboard, and then the Collection Integrations settings in Cortex
XDR based on your Proofpoint TAP configuration. After you set up data collection, Cortex XDR
begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (proofpoint_tap_raw)
that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL
Library.
Configure the Proofpoint TAP collection in Cortex XDR.
STEP 1 | Generate TAP Service Credentials in Proofpoint TAP.
TAP service credentials can be generated in the TAP Dashboard, where you will receive a
Proofpoint Service Principal and a Proofpoint API Secret for authentication.
Record these credentials as you will need to provide them when configuring the Proofpoint
Targeted Attack Protection data collector in Cortex XDR. For more information on generating
TAP service credentials, see Generate TAP Service Credentials.
STEP 3 | (Oponal) Manage your Proofpoint Targeted Aack Protecon data collector.
Aer you enable the Proofpoint Targeted Aack Protecon data collector, you can make
addional changes as needed.
You can perform any of the following.
• Edit the Proofpoint Targeted Aack Protecon data collector sengs.
• Disable the Proofpoint Targeted Aack Protecon data collector.
• Delete the Proofpoint Targeted Aack Protecon data collector.
To receive data from the ServiceNow CMDB database, you must first configure data collection
from ServiceNow CMDB. ServiceNow CMDB is a logical representation of assets, services, and
the relationships between them that comprise the infrastructure of an organization. It is built
as a series of connected tables that contain all the assets and business services controlled by a
company and their configurations. You can configure the Collection Integration settings in Cortex
XDR for the ServiceNow CMDB database, which includes selecting the specific tables containing
the data that you want to collect, in the ServiceNow CMDB Collector. You can select from the list
of default tables and also specify custom tables. By default, the ServiceNow CMDB Collector is
configured to collect data from the following tables, which you can always change depending on
your system requirements.
• cmdb_ci
• cmdb_ci_computer
• cmdb_rel_ci
• cmdb_ci_application_software
As soon as Cortex XDR begins receiving data, the app automatically creates a ServiceNow CMDB
dataset for each table using the format servicenow_cmdb_<table name>_raw. You can then
use XQL Search queries to view the data and create new Correlation Rules.
You can only configure a single ServiceNow CMDB Collector, which is automatically configured
to reload the data from the configured tables every 6 hours and replace the existing data. You can
always use the Sync Now option to reload the data and replace the existing data whenever you
want.
Complete the following task before you begin configuring Cortex XDR to receive data from
ServiceNow CMDB.
• Create a ServiceNow CMDB user with SNOW credentials, who is designated to access the
tables from ServiceNow CMDB for data collection in Cortex XDR. Record the credentials for
this user as you will need them when configuring the ServiceNow CMDB Collector in Cortex
XDR.
Configure Cortex XDR to receive data from ServiceNow CMDB.
STEP 1 | Select Settings > Configurations > Data Collection > Collection Integrations.
STEP 2 | In the ServiceNow CMDB Collector configuration, click Add Instance to begin a new
configuration.
STEP 6 | After Cortex XDR begins receiving data from ServiceNow CMDB, you can use the XQL
Search to search for logs in the new datasets, where each dataset name is based on the table
name using the format servicenow_cmdb_<table name>_raw.
To receive Workday report data, you must first configure data collection from Workday using a
Workday custom report to ingest the appropriate data. This is configured by setting up a Workday
Collector in Cortex XDR and configuring report data collection via this Workday custom report
that you set up.
As soon as Cortex XDR begins receiving data, the app automatically creates a Workday XQL
dataset (workday_workday_raw). You can then use XQL Search queries to view the data and
create new Correlation Rules. In addition, Cortex XDR adds the Workday fields next to each user
in the Key Assets list in the Incident View, and in the User node in the Causality View of Identity
Analytics alerts.
Any user with permissions to view alerts and incidents can view the Workday data.
You can only configure a single Workday Collector, which is automatically configured to run the
report every 6 hours. You can always use the Sync Now option to run the report whenever you
want.
Complete the following tasks before you begin configuring Cortex XDR to receive report data
from Workday.
1. Create an Integration System User that is designated to access the custom report from
Workday for data collection in Cortex XDR.
2. Create an Integration System Security Group for the Integration System User created in Step 1
for accessing the report. When setting up this group, ensure that you define the following.
• Type of Tenanted Security Group—Select either Integration System Security Group
(Constrained) or Integration System Security Group (Unconstrained) depending on how
your data is configured. For more information, see the Workday documentation.
• Integration System User—Select the user that you defined in Step 1 for accessing the
custom report.
3. Create the Workday credentials for the Integration System User created in Step 1 so that
the username and password can be used to access the report in Cortex XDR. Record these
credentials as you will need them when configuring the Workday Collector in Cortex XDR.
For more information on completing any of these prerequisite steps, see the Workday
documentation.
that is displayed in the Column Heading Override XML Alias column. This default field
name is what is used in XQL Search and the dataset to view and query the data.
For the incident and card views in Cortex XDR, map the following fields in the table by
selecting the applicable Field that contains the data representing the Cortex XDR field
name as provided below, and add that Cortex XDR field name to the Column Heading Override XML
Alias. For example, for full_name, select the applicable Field from the Business Object
defined that contains the full name of the user, and in the Column Heading Override
XML Alias specify full_name to map the selected Field to the Cortex XDR field name.
Cortex XDR uses a structured schema when integrating Workday data. To get
the best Analytics results, specify all the fields marked with an asterisk from the
recommended schema.
• workday_user_id*
• full_name*
• workday_manager_user_id*
• manager*
• worker_type*
• position_title*
• department*
• private_email_address*
• business_email_address*
• employment_start_date*
• employment_end_date
• phone_number
• mailing_address
5. (Optional) In the Filter tab, filter out any employees that you do not want included.
6. Share access to the report with the designated Integration System User that you created
by setting the following settings in the Share tab.
• Report Definition Sharing Options—Select Share with specific authorized groups and
users.
• Authorized Users—Select the designated Integration System User that you created for
accessing the custom report.
7. Ensure that the following Web Services Options settings in the Advanced tab are
configured.
Here is an example of the configured settings, where the Web Service API Version and
Namespace are automatically populated and dependent on your report.
8. (Optional) Test the report to ensure all the fields are populated.
9. Get the URL for the report.
1. In the related actions menu, select Actions > Web Service > View URLs.
2. Click OK.
3. Scroll down to the JSON section.
4. Hover over the JSON link and click the icon, which opens a new tab in your browser
with the URL for the report. You need to use the designated user credentials to open
the report.
5. Copy the URL for the report and record it somewhere, as this URL needs to be
provided when setting up the Workday Collector in Cortex XDR.
10. Complete the report by clicking Done.
STEP 4 | After Cortex XDR begins receiving report data from Workday, you can use the XQL Search to
search for logs in the new dataset (workday_workday_raw).
If you send pre-parsed alerts using the XDR API, additional mapping is not required.
Storage of external alerts is determined by your Cortex XDR tenant retention policy. For more
information, see Dataset Management.
To ingest external alerts.
STEP 2 | In Cortex XDR, select Settings > Configurations > External Alerts Mapping.
STEP 3 | Right-click the Vendor Product for your alerts and select Filter and Map.
STEP 4 | Use the filters at the top of the table to narrow the results to only the alerts you want to
map.
Cortex XDR displays a limited sample of results during the mapping rule creation. As you define
your filters, Cortex XDR applies the filter to the limited sample but does not apply the filters
across all alerts. As a result, you might not see any results from the alert sample during the rule
creation.
STEP 6 | Submit your alert filter and mapping rule when finished.
Data Management
> Dataset Management
> Create Parsing Rules
> Manage Event Forwarding
> Manage Compute Units Usage
Dataset Management
This feature requires a Cortex XDR Pro license.
The Dataset Management page enables you to manage your datasets and understand your overall
data storage and period-based retention. The top part of the screen details your Storage License
Details, as you receive log storage based on the amount of storage associated with your Cortex
XDR licenses. All Cortex XDR licenses provide you with a default retention of 30 days. You can
extend your license retention depending on your requirements for the following types of storage.
• Hot Storage—Fully searchable storage, for investigation and threat hunting.
• Cold Storage—Cheaper storage, usually for long-term compliance needs, with limited search
options.
The bottom half of the screen lists your Datasets in a table format.
Once Cortex XDR starts to enforce retention, you will not have access to data that exceeds
your retention period. You will receive an email and in-app notification before any changes
are implemented.
For each dataset listed in the table, the following information is available.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is
exposed by default.
Field: Description
• … data is ingested via a configured dedicated collector.
• Snapshot—A dataset that contains only the last successful snapshot of the data, such
as Workday or ServiceNow CMDB tables.
• System—Cortex XDR datasets that are created out-of-the-box.
• User—If saved by a query using the target command, the Type can be either
User or Lookup. See the entry for target in the XQL Language Reference for details.
*LAST UPDATED: The last time the data in the dataset logs were updated, when the
LOG UPDATE TYPE is set to State.
*TOTAL DAYS STORED: The actual number of days that the data is stored in the Cortex XDR
tenant, which is comprised of the HOT RANGE + the COLD RANGE.
*TOTAL SIZE STORED: The actual size of the data that is stored in the Cortex XDR tenant. This
number is dependent on the events stored in the Hot Storage. For the xdr_data dataset, where
the first 30 days of storage are included with your license, the first 30 days are not included in
the TOTAL SIZE STORED number.
*AVERAGE DAILY SIZE: The average daily amount stored in the Cortex XDR tenant. This number
is dependent on the events stored in the Hot Storage.
… is dependent on the events stored in the Hot Storage.
Manage Datasets
This feature requires a Cortex XDR Pro per TB license.
Cortex XDR runs every XQL query against a dataset. A dataset is a collection of column:value sets.
You can upload datasets as a CSV, TSV, or JSON file that contains the data you are interested in
querying. If you do not specify a dataset in your query, Cortex XDR runs the query against the
default datasets configured, which is by default xdr_data. The xdr_data dataset contains all
of the endpoint and network data that Cortex XDR collects. You can always change the default
datasets using the Set as default option.
To query other datasets, you have two options: you can either set the dataset as default, which
enables you to query the datasets without specifying them in the query, or you can name a
specific dataset at the beginning of your query with the dataset stage command. You can add to
your list of available datasets by uploading a CSV, TSV, or JSON file to Cortex XDR.
You cannot upload a file that contains a byte array (that is, binary data).
Cortex XDR Query Language (XQL) supports using different languages for dataset and field names.
In addition, when setting up your XQL query, it is important to keep in mind the following.
• The dataset formats supported are dependent on the data retention offerings available in
Cortex XDR according to whether you want to query hot storage or cold storage.
• Hot Storage queries are performed on a dataset using the format dataset = <dataset
name>. This is the default option.
dataset = xdr_data
• Cold Storage queries are performed using the format cold_dataset = <dataset
name>.
cold_dataset = xdr_data
• The refresh times for datasets. All Cortex XDR system datasets, which are created out-of-the-
box, are continuously ingested in near real-time as the data comes in, with the following
exceptions.
• endpoints—Refreshed every hour.
• pan_dss_raw—Refreshed daily.
• Forensics datasets—The Forensics data is not configured to be updated by default. When
you enable a collection in the Agent Settings profile, the data is collected only once unless
you specify an interval. If you specify an interval, the data is collected every <interval>
number of hours, with the minimum being 12.
Manage datasets from Cortex XDR > Settings > Configurations > Data Management > Dataset
Management. In the Dataset Management page you can import, view, and interact with your
available datasets.
Import a dataset.
1. Select + Lookup.
2. Browse to your CSV, TSV, or JSON file, or drag and drop it into the dialog window. You
can only upload a TSV file that contains a .tsv file extension.
When uploading a CSV, TSV, or JSON file, ensure that the file meets the
following requirements.
• Field names are supported using different languages, numbers (0-9), or
underscores (_). If you use any other characters, Cortex XDR automatically
converts them to underscores (_).
• Dataset names are supported using different languages. Numbers (0-9) and
underscores (_) are supported, but not as the first character of the name.
You can create dataset names using uppercase characters, but in queries
dataset names are always treated as if they are lowercase.
• Must start with a letter or underscore. Cannot use prefixes TABLE, FILE, or
_PARTITION.
• Cannot exceed 128 characters.
• No duplicate names, white spaces, or carriage returns.
3. (Optional) Rename the file, where only English alphabetical characters are supported.
4. Add the file as a lookup.
5. After receiving a notification reporting that the upload succeeded, Refresh to view it
in your list of datasets.
If the file has the same name as an existing dataset, Cortex XDR will append an
underscore and a number to the name to make it unique.
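As an added worked example (not from the guide or from Palo Alto Networks), the following Python script pre-checks a lookup file against the naming requirements listed above before you upload it: it normalises header names the way the guide says Cortex XDR does (any character other than a letter, digit or underscore becomes an underscore), reports headers that collide after normalisation, rejects binary content, validates the dataset name against the prefix, length, whitespace and character rules, and mimics the documented rename on a name clash. The guide gives two readings of the first-character rule (no digit or underscore first; letter or underscore first); the check applies the stricter one, a letter, as an assumption. The counter used for the _<n> suffix is also an assumption, and the sample CSV is constructed.

```python
import csv
import io

RESERVED_PREFIXES = ("table", "file", "_partition")  # compared case-insensitively
MAX_NAME_LEN = 128


def normalize_field_name(name: str) -> str:
    """Letters of any language, digits and underscores are kept; every other
    character is turned into an underscore, as the guide says Cortex XDR does."""
    return "".join(ch if (ch.isalnum() or ch == "_") else "_" for ch in name)


def validate_dataset_name(name: str) -> list:
    """Return the documented rules a dataset name breaks (empty list == valid).
    Assumption: the first character must be a letter, the stricter of the two
    first-character statements in the guide."""
    problems = []
    if not name:
        return ["empty name"]
    if not name[0].isalpha():
        problems.append("first character must be a letter")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if any(ch.isspace() for ch in name):
        problems.append("contains whitespace or line breaks")
    elif any(not (ch.isalnum() or ch == "_") for ch in name):
        problems.append("contains characters other than letters, digits and underscores")
    if name.lower().startswith(RESERVED_PREFIXES):  # names are matched lowercased
        problems.append("uses a reserved prefix (TABLE, FILE, _PARTITION)")
    return problems


def unique_dataset_name(name: str, existing) -> str:
    """Append _<n> when the lowercased name collides with an existing dataset,
    mirroring the rename the guide describes (the counter start is assumed)."""
    taken = {e.lower() for e in existing}
    base = name.lower()
    if base not in taken:
        return base
    n = 1
    while f"{base}_{n}" in taken:
        n += 1
    return f"{base}_{n}"


def check_lookup_csv(csv_text: str) -> dict:
    """Pre-flight a CSV before upload: reject binary content, normalise the
    header and report field names that collide after normalisation."""
    if "\x00" in csv_text:
        raise ValueError("binary data is not accepted; upload text CSV, TSV or JSON")
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    fields = [normalize_field_name(h.strip()) for h in header]
    first_seen, collisions = {}, []
    for original, norm in zip(header, fields):
        if norm in first_seen:
            collisions.append((first_seen[norm], original, norm))
        else:
            first_seen[norm] = original
    return {"fields": fields, "collisions": collisions, "rows": sum(1 for _ in reader)}


# Constructed sample: two headers collapse to the same name after normalisation.
SAMPLE_CSV = "user-id,user id,Département,ip_address\n42,x,sales,10.0.0.5\n"

if __name__ == "__main__":
    print(check_lookup_csv(SAMPLE_CSV))
    print(validate_dataset_name("Table_assets"))
    print(unique_dataset_name("Assets", {"assets", "assets_1"}))
```

Run the checks before uploading: a collision in the report means two source columns would become one field in the lookup, which silently drops data in later joins, so rename the column in the source file rather than relying on the automatic conversion.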
Query against a dataset by selecting it with the dataset command when you create an XQL
query.
Right-click a dataset to view the schema of the dataset, set it as default, delete it, copy it,
and show or hide datasets. In addition, for a dataset with a TYPE set to Lookup, you can also
download the JSON file.
• View Schema to view the schema information for every field found in the dataset result
set in the Schema tab of XQL Search. Each system field in the schema is written with an
underscore (_) before the name of the field in the FIELD NAME column in the table.
• Set as default to query the dataset without having to specify it in your queries in XQL
Search as dataset = <name of dataset>. Once configured, the DEFAULT QUERY
TARGET column entry for this dataset is set to Yes. By default, this option is not available
when right-clicking the xdr_data dataset as this dataset is the only dataset configured as the
DEFAULT QUERY TARGET as it contains all of the endpoint and network data that Cortex
XDR collects. Once you Set as default another dataset, you can always remove it by right-
clicking the dataset, and selecting Remove from defaults. When setting multiple default
datasets, your query does not need to mention any of the dataset names, and Cortex XDR
queries the default datasets using a join.
• Delete to remove the dataset from Cortex XDR.
• Download the JSON file for a dataset with a Type set to Lookup. This option is not available
for any other dataset type.
When you download a Lookup dataset with field names in a foreign language, the
downloaded JSON file displays the fields as COL_<randomstring> as opposed
to returning the fields in the foreign language as expected.
• Copy text to clipboard to copy the name of the dataset to your clipboard.
• Copy entire row to copy each cell in a row, separated by tabs, to your clipboard.
• Show rows with ‘<dataset_name>’ to create a filter that displays all datasets with the same
name.
• Hide rows with ‘<dataset_name>’ to create a filter that hides all datasets with the same
name.
Filter your available datasets to specify the ones you want to see.
1. Select Filter.
An interface for your filter criteria appears.
2. Select a field, an operator, and a value to match.
3. Select + AND or + OR to add additional filter expressions.
4. Save your filter to reuse it later.
After saving, select the three-dot menu to view your filter.
Cortex XDR includes an editor for creating 3rd party Parsing Rules, which enables you to:
• Remove unused data that is not required for analytics, hunting, or regulation.
• Reduce your data storage costs.
• Pre-process all incoming data for complex rule performance.
• Add tags to the ingested data as part of the ingestion flow.
• Easily identify and resolve Parsing Rules errors with error reporting.
• Test your Parsing Rules on actual logs and validate their outputs before implementation.
Parsing Rules contain the following built-in characteristics.
• Parsing Rules are bound to a specific vendor and product.
• Parsing Rules take raw log input, perform an arbitrary number of transitions and modifications
to the data using XQL, and return zero, one, or more rows that are eventually inserted into the
Cortex XDR tenant.
• Parsing Rules can be grouped together by a no-match policy. This means, if all the rules of a
group did not produce an output for a specific log record, a no-match policy defines what to do,
such as drop the log or keep the log in some default format.
• Upon ingestion, all fields are retained, even fields with a null value. You can also use the Cortex
XDR XQL query language to query parsing rules for null values.
Cortex XDR provides a number of default Parsing Rules that you can easily override as required
using the Cortex XDR Query Language and additional custom syntax that is specific to creating
Parsing Rules. Before you create your own Parsing Rules and override the defaults, we recommend
that you review the following.
• Parsing Rules Editor Views
• Parsing Rules File Structure and Syntax
• Error Reporting in Parsing Rules
• Parsing Rules Raw Dataset
To create Parsing Rules:
STEP 1 | In Cortex XDR, select Settings > Configurations > Data Management > Parsing Rules.
STEP 2 | Select the Parsing Rules editor view for writing your Parsing Rules.
You can select one of the following views.
• User Defined Rules—Leave the default view open and write your Parsing Rules directly in
the editor.
• Both—Select this view to see the Parsing Rules editor as well as the default rules as you
write your Parsing Rules.
• Simulate—Select this view to test your Parsing Rules on actual logs and validate their
outputs as you write your Parsing Rules.
For more information, see Parsing Rules Editor Views.
STEP 3 | Write your Parsing Rules using XQL syntax and the syntax specific for Parsing Rules. For
more information, see Parsing Rules File Structure and Syntax.
STEP 4 | (Optional) Test your Parsing Rules on actual logs and validate their outputs using the Simulate
view.
When there are any Parsing Rules errors to report, the Parsing Rules editor displays these
errors at the bottom of the editor in a section called List of Errors. Otherwise, this section
is not displayed. For more information, see Error Reporting in Parsing Rules.
• User Defined Rules (default)—Displays an editor for writing your own custom parsing rules that
override the default rules and a List of Errors section to help you troubleshoot any errors in
your Parsing Rules.
• Default Rules—Displays the parsing rules that are provided by default with Cortex XDR in read-
only mode and a List of Errors section to view any errors in your Parsing Rules.
• Both—Side-by-side view of both the Default Rules and User Defined Rules, so you can
easily view the different rules in one screen. In addition, the List of Errors section helps you
troubleshoot any errors in your Parsing Rules.
• Simulate—Enables you to test your Parsing Rules on actual logs and validate their outputs,
which helps minimize your errors when creating Parsing Rules. The editor includes the
following sections.
• User defined rules—A list of the current User defined rules on the left side of the window.
• XQL Samples—A table of the existing XQL raw data samples on the right side of the
window, which contain sample logs listing the Vendor, Product, Raw Log, and Sample Time.
For each Vendor and Product, up to 5 different samples are available to choose from. From
this list, you can select the logs used to simulate the rule.
• Logs Output—Displays in a table format the following columns per dataset at the bottom of
the window.
- Dataset—Displays the applicable dataset name and a line number associated to this dataset
in the User defined rules section.
- Vendor—The vendor associated with this dataset.
- Product—The product associated with this dataset.
- Logs Output—Displays the output logs that are available based on your User defined
rules and XQL Samples selected after simulating the results. When there is no output log
to display, the text "Output logs is not available" with the corresponding error
message is displayed. When there is no output due to a missing rule in the User defined
rules section for the logs selected, the text "No output logs. You can change your parsing
rules and try again" is displayed.
- Input Logs—Displays the relevant input log with a right-click pivot to Show diff between
the Output Logs and Input Logs.
File Structure
The Parsing Rules file consists of multiple sections of these three types, which also represent the
custom syntax specific to Parsing Rules.
• INGEST—This section is used to define the resulting dataset.
• COLLECT—(Optional) This section defines a rule that enables data reduction and data
manipulation at the broker VM to help avoid sending unnecessary data to the Cortex XDR
server and reduce traffic, storage, and computing costs. In addition, the COLLECT section is
used to manipulate, alter, and enrich the data before it’s passed to the Cortex XDR server.
While this rule is optional to configure, once added this rule runs before the INGEST section.
• CONST—(Optional) This section is used to define strings and numbers that can be re-used
multiple times within XQL statements in other INGEST sections by using $constName.
• RULE—(Optional) Rules are part of the XQL syntax, which are tagged with a name, and can be
reused in the code in the INGEST sections by using [rule:ruleName].
The order of the sections is unimportant. The data of each section type gets grouped together
during the parsing stage. Before any action takes place, all COLLECT, CONST, RULE, and INGEST
objects are grouped together and collected to the same list.
Syntax
The syntax used in the Parsing Rules file is derived from XQL, but with a few modifications. This
subset of XQL is called XQL for Parsing (XQLp).
For more information on the XQL syntax, see Cortex XDR XQL Language Reference.
The COLLECT, CONST, INGEST, and RULE syntax is derived from XQL, but with the following
modifications for XQLp.
• A statement never starts with dataset or preset selection. The query's data source is
meaningless. It is transparent to the user where the raw logs are coming from, fully handled by
the system.
• Only the following XQL stages are permitted: alter, fields, filter, and join. In addition, a new
call stage is supported, which is used to invoke another rule.
• The join stage is only supported in CONST, INGEST, and RULE sections and is
unsupported in a COLLECT section.
• No output stages are supported.
• A Rule object can only contain a single statement.
• A join inner query is restricted to using a lookup as a data source and only supported in
XQLp stages.
There is no default lookup, so all join inner queries must start with dataset=<lookup>
| ....
• CONST reference ($MY_CONST) is supported.
• An IN condition can only take a sequence list, such as device_name in ("device1",
"device2", "device3"), and not another XQL or XQLp inner query.
C-type code comments can be used anywhere throughout the Parsing Rules file.
// line comment
/* inner comment */
Every statement in the Parsing Rules file must end with a semicolon (;).
INGEST
An INGEST section is used to define the resulting dataset. The COLLECT, CONST, and RULE
sections are only add-ons, used to help organize the INGEST sections, and are optional to
configure. Yet, a Parsing Rules file that contains no INGEST sections generates no Parsing Rules.
Therefore, the INGEST section is mandatory to configure.
INGEST syntax is derived from XQL with a few modifications, as explained in the Parsing Rules
syntax. In addition, INGEST sections contain the following syntax add-ons.
• INGEST sections can have more than one XQLp statement, separated by a semicolon (;). Each
statement creates a different Parsing Rule.
• The XQL arrayfilter, arraycreate, arraymerge, and object_create functions and iploc stage
command are also supported in the INGEST section.
• Another new stage is available called drop.
• drop takes a condition similar to the XQL filter stage (same syntax), but drops every
log entry that passes that condition. One can think of it as a negative filter, so drop
<condition> is not equivalent to filter not <condition>.
• drop can only appear last in a statement. No other XQLp rules can follow.
• INGEST sections take parameters, and not names as RULE sections use, where some are
mandatory and others optional.
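The following Python model, added here as an illustration and not part of the guide, shows one way the drop stage and a negated filter diverge. It assumes XQL-style three-valued logic, in which comparing a null field against a literal yields neither true nor false; under that assumption filter keeps only rows whose condition is definitely true, while drop removes only rows whose condition is definitely true, so a row with a null device_name survives drop device_name = "ngfw" but is discarded by filter not device_name = "ngfw". The rows are constructed sample data, and the function and field names are the example's own.

```python
from typing import Callable, Optional

# Constructed sample log rows. The third row has no device_name; the guide
# says fields with a null value are retained on ingestion.
SAMPLE_ROWS = [
    {"device_name": "ngfw", "severity": "medium"},
    {"device_name": "fw2", "severity": "medium"},
    {"device_name": None, "severity": "medium"},
]

Truth = Optional[bool]  # True, False, or None for "unknown"


def eq(row: dict, field: str, literal) -> Truth:
    """field = literal under the three-valued logic this example assumes:
    a comparison against a null value is unknown (None), not False."""
    value = row.get(field)
    if value is None:
        return None
    return value == literal


def not3(value: Truth) -> Truth:
    """NOT of a three-valued condition; NOT unknown stays unknown."""
    return None if value is None else (not value)


def filter_stage(rows: list, cond: Callable[[dict], Truth]) -> list:
    """filter <condition>: keep a row only when the condition is definitely true."""
    return [r for r in rows if cond(r) is True]


def drop_stage(rows: list, cond: Callable[[dict], Truth]) -> list:
    """drop <condition>: remove a row only when the condition is definitely true,
    so rows for which the condition is unknown survive."""
    return [r for r in rows if cond(r) is not True]


def compare_drop_and_filter_not(rows: list, field: str, literal) -> dict:
    """Run `drop field = literal` and `filter not field = literal` over the
    same rows and report what each keeps, so the difference is visible."""
    dropped = drop_stage(rows, lambda r: eq(r, field, literal))
    filtered = filter_stage(rows, lambda r: not3(eq(r, field, literal)))
    return {
        "drop": [r[field] for r in dropped],
        "filter_not": [r[field] for r in filtered],
        "only_drop_keeps": [r[field] for r in dropped if r not in filtered],
    }


if __name__ == "__main__":
    print(compare_drop_and_filter_not(SAMPLE_ROWS, "device_name", "ngfw"))
```

The practical consequence for a detection pipeline is that a rule written as drop discards exactly the rows it names and nothing else, while a negated filter also discards every row where the field is missing; when the goal is to reduce volume without losing malformed events, test both forms in the Simulate view against a sample that contains the null case.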
Parameter Description
Each statement represents a different Parsing Rule in the same group, as depicted in the following
example.
[CONST]
DEVICE_NAME = "ngfw";
[rule:use_two_rules]
filter severity = "medium" | call basic_rule | call use_xql_and_another_rule;
[rule:basic_rule]
fields log_type, severity | filter log_type="eal" and severity="HIGH" and type="something";
[rule:use_xql_and_another_rule]
call multiline_statement | filter severity = "medium";
[rule:multiline_statement]
alter url = json_extract(_raw_log, "$.url")
| join type = inner conflict_strategy = both (dataset=my_lookup) as inn url=inn.url;
This generates 1 group of 2 Parsing Rules for panw/ngfw, where all the ingested data goes into the
panw_ngfw_ds dataset.
The following represents the expanded syntax for the rules.
Rule #1:
filter log_type="traffic" | alter url = json_extract(_raw_log, "$.url");
Rule #2:
filter severity = "medium"
| fields log_type, severity
| filter log_type="eal" and severity="HIGH" and type="something"
| alter url = json_extract(_raw_log, "$.url")
| join type = inner conflict_strategy = both (dataset=my_lookup) as inn url=inn.url
| filter severity = "medium"
| filter severity = "medium"
| join type = inner conflict_strategy = both (dataset=my_lookup) as inn severity=inn.severity
| fields severity, log_type
| drop device_name = $DEVICE_NAME;
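As an added example, not part of the guide or of the product, the following Python script reproduces the flattening shown above: it parses [CONST], [rule:...] and [INGEST...] sections from a Parsing Rules file, strips C-style comments, splits statements on semicolons and stages on top-level pipes, inlines every call recursively, substitutes $CONST references, and enforces rules stated on this page (a rule holds a single statement, rule names are unique and case-insensitive, CONST values are quoted strings or integers, and drop is last). The CONST and rule sections of the sample file are the ones shown above; the [INGEST:vendor=..., product=..., target_dataset=...] parameter list is an assumption made for this example, since the INGEST parameter table is not reproduced here. Semicolons and // inside string literals are not handled.

```python
import re

# Constructed Parsing Rules file. CONST and rule sections follow the guide's
# example; the [INGEST:...] parameter list is an ASSUMPTION for this example,
# not the product's documented INGEST syntax.
SAMPLE_FILE = '''
[CONST]
DEVICE_NAME = "ngfw"; // device this group is bound to

[rule:use_two_rules]
filter severity = "medium" | call basic_rule | call use_xql_and_another_rule;

[rule:basic_rule]
fields log_type, severity | filter log_type="eal" and severity="HIGH" and type="something";

[rule:use_xql_and_another_rule]
call multiline_statement | filter severity = "medium";

[rule:multiline_statement]
alter url = json_extract(_raw_log, "$.url")
| join type = inner conflict_strategy = both (dataset=my_lookup) as inn url=inn.url;

[INGEST:vendor="panw", product="ngfw", target_dataset="panw_ngfw_ds"]
filter log_type="traffic" | alter url = json_extract(_raw_log, "$.url");
call use_two_rules
| filter severity = "medium"
| join type = inner conflict_strategy = both (dataset=my_lookup) as inn severity=inn.severity
| fields severity, log_type
| drop device_name = $DEVICE_NAME;
'''

_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)          # C-style comments
_HEADER_RE = re.compile(r"^[ \t]*\[([^\]]+)\][ \t]*\n?", re.M)   # [SECTION...] lines
_CONST_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")        # $NAME, no whitespace
_CALL_RE = re.compile(r"call\s+([A-Za-z_][A-Za-z0-9_]*)")


def parse_sections(text: str) -> list:
    """Return (header, body) pairs for every [...] section, comments removed."""
    clean = _COMMENT_RE.sub("", text)
    heads = list(_HEADER_RE.finditer(clean))
    sections = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(clean)
        sections.append((h.group(1).strip(), clean[h.end():end]))
    return sections


def split_statements(body: str) -> list:
    """Statements end with ';'."""
    return [s.strip() for s in body.split(";") if s.strip()]


def split_stages(statement: str) -> list:
    """Split on '|' outside parentheses so a join's inner query stays intact;
    whitespace inside each stage is normalised to single spaces."""
    stages, depth, cur = [], 0, []
    for ch in statement:
        depth += (ch == "(") - (ch == ")")
        if ch == "|" and depth == 0:
            stages.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    stages.append("".join(cur))
    return [" ".join(s.split()) for s in stages if s.strip()]


def parse_consts(body: str) -> dict:
    """Only quoted strings or integers are valid terminal CONST values."""
    consts = {}
    for stmt in split_statements(body):
        name, _, value = (p.strip() for p in stmt.partition("="))
        if not re.fullmatch(r'"[^"]*"|-?\d+', value):
            raise ValueError(f"CONST {name}: value must be a quoted string or integer")
        consts[name] = value
    return consts


def _const(name: str, consts: dict) -> str:
    if name not in consts:
        raise ValueError(f"undefined CONST ${name}")
    return consts[name]


def expand_statement(statement: str, rules: dict, consts: dict, stack=()) -> list:
    """Inline every `call name` recursively and substitute $CONST references."""
    out = []
    for stage in split_stages(statement):
        m = _CALL_RE.fullmatch(stage)
        if m:
            name = m.group(1).lower()  # rule names are case-insensitive
            if name in stack:
                raise ValueError(f"rule {name} calls itself (directly or indirectly)")
            if name not in rules:
                raise ValueError(f"call to undefined rule {name}")
            out.extend(expand_statement(rules[name], rules, consts, stack + (name,)))
        else:
            out.append(_CONST_REF_RE.sub(lambda c: _const(c.group(1), consts), stage))
    if any(s.startswith("drop ") for s in out[:-1]):
        raise ValueError("drop must be the last stage of a statement")
    return out


def compile_parsing_rules(text: str) -> list:
    """One flattened stage list per INGEST statement, in file order. All
    sections are collected before expansion, so definition order is irrelevant."""
    consts, rules, ingest = {}, {}, []
    for header, body in parse_sections(text):
        kind, _, rest = header.partition(":")
        kind = kind.strip().upper()
        if kind == "CONST":
            consts.update(parse_consts(body))
        elif kind == "RULE":
            name, stmts = rest.strip().lower(), split_statements(body)
            if len(stmts) != 1 or name in rules:
                raise ValueError(f"rule {name}: define it once, with a single statement")
            rules[name] = stmts[0]
        elif kind == "INGEST":
            ingest.append(split_statements(body))
        else:
            raise ValueError(f"unsupported section [{header}]")
    return [expand_statement(s, rules, consts) for stmts in ingest for s in stmts]
```

Running compile_parsing_rules(SAMPLE_FILE) yields two stage lists: the first matches Rule #1 above, and the second is the ten stages of Rule #2 with $DEVICE_NAME already replaced by "ngfw". Reviewing the flattened form is the quickest way to spot a rule that is called twice by accident (the repeated filter severity = "medium" above comes from the call chain, not from a typo).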
• You can add a single tag or list of tags to the ingested data as part of the ingestion flow that you
can easily query in XQL Search. You can add tags as part of the INGEST section or using both
the INGEST and RULE sections. The following are examples of each.
• INGEST section.
Adding a single tag.
[RULE:new_tag_rule]
tag add "test1", "test2", "test3";
COLLECT
A COLLECT section defines a rule that enables data reduction and data manipulation at the broker
VM to help avoid sending unnecessary data to the Cortex XDR server and reduce traffic, storage,
and computing costs. In addition, the COLLECT section is used to manipulate, alter, and enrich
the data before it’s passed to the Cortex XDR server. While this rule is optional to configure, once
added this rule runs before the INGEST section.
The CSV Collector applet is not affected by the COLLECT rules applied to a broker VM.
To avoid performance issues on the broker VM, Cortex XDR does not permit all Parsing Rules to
run on the broker VM by default, but only the Parsing Rules that you designate.
The broker VM is directly affected by the [COLLECT] rules you create, so depending on the
complexity of the rules, more hardware resources on the broker VM may be required. As a
result, ensure that your broker VM meets the following minimum hardware requirements to run
[COLLECT] rules.
• 8-core processor
• 8GB RAM
• 512GB disk
• Plan for a max of 10K eps (events per second) per core.
COLLECT syntax is derived from XQL with a few modifications, as explained in the Parsing Rules
syntax. In addition, COLLECT rules contain the following syntax add-ons.
• COLLECT rules can have more than one XQLp statement, separated by a semicolon (;). Each
statement creates a different data reduction and manipulation at the broker VM for a different
vendor and product.
• While the XQL stages alter and fields are permitted in COLLECT rules for various vendors and
products, you should avoid using them for supported vendors that can be used for Analytics, as
these stages can disrupt the operation of the Analytics Engine. For a list of these vendors, see
the Visibility of Logs and Alerts from External Sources in Cortex XDR table, specifically those
vendors with Normalized Log Visibility.
Parameter Description
The following is an example of using a COLLECT rule to filter data for a specific vendor and
product that will run before the INGEST section.
CONST
A CONST section is used to define strings and numbers that can be re-used multiple times
within XQL statements in other INGEST sections by using $constName. This can be helpful to
avoid writing the same value in multiple sections, similar to constants in modern programming
languages.
For example:
[CONST]
DEFAULT_DEVICE_NAME = "firewall3060"; // string
FILE_REGEX = "c:\\users\\[a-zA-Z0-9.]*"; // complex string
my_num = 3; /* int */
An example of using a CONST inside XQL statements in other INGEST sections using
$constName:
The dollar sign ($) must be adjacent to the [CONST] name, without any whitespace in
between.
...
| filter device_name = $DEFAULT_DEVICE_NAME
| alter new_field = JSON_EXTRACT(field, $FILE_REGEX)
| filter age < $MAX_TIMEOUT
| join type=$DEFAULT_JOIN_TYPE conflict_strategy=$DEFAULT_JOIN_CONFLICT_STRATEGY (dataset=my_lookup) as inn url=inn.url
...
NOTICE: Only quoted or integer terminal values are considered valid for CONST sections. For
example, these will not compile:
[CONST]
WORD_CONST = abcde; // invalid
func_val = regex_extract(_raw_log, "regex"); // not possible
RECURSIVE_CONST = $WORD_CONST; // not terminal - not possible
CONST sections are meant to replace values. Other types, such as column names, are not
supported:
...
| filter $DEVICE_NAME = "my_device" // illegal
...
RULE
Rules are very similar to functions in modern programming languages. They are essentially pieces
of XQL code, tagged with a name (alias), for easier code re-use and avoiding code duplication. A
RULE is an add-on to the Parsing Rule syntax and is optional to configure.
RULE syntax is derived from XQL with a few modifications, as explained in the Parsing Rules
syntax.
For more informaon on the XQL syntax, see Cortex XDR XQL Language Reference.
[rule:filter_alerts]
filter raw_log not contains "alert";
• Rules are invoked by using a call keyword as depicted in the following example.
[rule:filter_alerts]
filter raw_log not contains "alert";
[rule:use_another_rule]
filter severity="LOW" | call filter_alerts | fields - raw_log;
[rule:use_another_rule]
filter severity="LOW" | filter raw_log not contains "alert" |
fields - raw_log;
• Rule names are not case sensitive. They can be written in any user-desired casing, such as UPPER_SNAKE, lower_snake, camelCase, and CamelCase. For example, MY_RULE=My_Rule=my_rule.
• Rule names must be unique across the entire file. This means you cannot have the same rule name defined more than once in the same file.
• Since section order is unimportant, you do not have to declare a rule before using it. You can have the rule definition section written below other sections that use this rule.
• You can add a single tag or list of tags to the ingested data as part of the ingestion flow that you can easily query in XQL Search. You can add tags using both the INGEST and RULE sections.
For example,
Adding a single tag.
[RULE:new_tag_rule]
tag add "test";
[RULE:new_tag_rule]
You can also add tags using only the INGEST section. For more information, see INGEST.
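The CONST and RULE behaviour described above (terminal-only CONST values, $constName substitution, case-insensitive and order-independent rule names, uniqueness of rule names, and inlining of `call`) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Cortex XDR's own compiler; the rules file it parses is constructed from the examples above, and the functions parse_rules_file, expand_rule, substitute_consts and compile_error are names chosen here.

```python
import re

# Constructed sample in the Parsing Rules syntax shown above (not a real rules file).
# The called rule is deliberately defined after the rule that calls it, and the two
# section headers use different casing of "rule", to exercise the rules stated above.
SAMPLE_RULES = """
[CONST]
DEFAULT_DEVICE_NAME = "firewall3060"; // string
my_num = 3; /* int */

[rule:use_another_rule]
filter severity="LOW" | call filter_alerts | fields - raw_log;

[RULE:filter_alerts]
filter raw_log not contains "alert";
"""

SECTION_RE = re.compile(r'^\s*\[(\w+)(?::(\w+))?\]\s*$')      # [CONST] or [rule:name]
CONST_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*;\s*$')        # NAME = value;
TERMINAL_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"|-?\d+)$')      # quoted string or integer only
CALL_RE = re.compile(r'\bcall\s+(\w+)', re.IGNORECASE)         # call rule_name
CONST_REF_RE = re.compile(r'\$(\w+)')                          # $constName, no whitespace after $


def strip_comment(line):
    # C-style comments as in the examples above; '//' inside a quoted string is not
    # handled by this simplified model.
    line = re.sub(r'/\*.*?\*/', '', line)
    return line.split('//', 1)[0]


def parse_rules_file(text):
    """Return (consts, rules). consts maps NAME -> terminal value text; rules maps the
    lower-cased rule name -> body. Raises ValueError for the compile errors named above."""
    consts, rules = {}, {}
    section, name = None, None
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            section, name = m.group(1).upper(), (m.group(2) or '').lower()
            if section == 'RULE':
                if name in rules:                       # names are unique, case-insensitively
                    raise ValueError(f"rule '{name}' defined more than once")
                rules[name] = ''
            continue
        line = strip_comment(raw).strip()
        if not line:
            continue
        if section == 'CONST':
            m = CONST_RE.match(line)
            if not m:
                raise ValueError(f"cannot parse CONST line: {raw!r}")
            key, value = m.group(1), m.group(2)
            if not TERMINAL_RE.match(value):            # rejects abcde, $OTHER, func(...)
                raise ValueError(f"CONST {key}: only quoted or integer values are valid, got {value!r}")
            consts[key] = value
        elif section == 'RULE':
            rules[name] += (' ' if rules[name] else '') + line
        # other sections (e.g. INGEST) are outside the scope of this model
    return consts, rules


def expand_rule(name, rules, _stack=()):
    """Inline every 'call <rule>' recursively; lookup is case-insensitive and independent
    of definition order. A rule that (indirectly) calls itself is reported."""
    key = name.lower()
    if key not in rules:
        raise ValueError(f"unknown rule '{name}'")
    if key in _stack:
        raise ValueError("recursive rule call: " + " -> ".join(_stack + (key,)))
    body = rules[key].strip().rstrip(';').strip()
    return CALL_RE.sub(lambda m: expand_rule(m.group(1), rules, _stack + (key,)), body)


def substitute_consts(xql, consts):
    """Replace $NAME references in an XQL fragment with the CONST's literal value."""
    def repl(m):
        if m.group(1) not in consts:
            raise ValueError(f"undefined CONST ${m.group(1)}")
        return consts[m.group(1)]
    return CONST_REF_RE.sub(repl, xql)


def compile_error(text):
    """Return the compile error message for a rules file, or None if it compiles."""
    try:
        parse_rules_file(text)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    consts, rules = parse_rules_file(SAMPLE_RULES)
    print(expand_rule("use_another_rule", rules))
    print(substitute_consts("| filter device_name = $DEFAULT_DEVICE_NAME", consts))
```

Running the block prints the same expansion the guide shows for use_another_rule, and compile_error returns a message for each of the three invalid CONST forms listed above.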
To help you easily identify and resolve Parsing Rules errors, Cortex XDR includes error reporting in Parsing Rules for these scenarios.
• Unable to compile a rule for different reasons including invalid function parameters, such as invalid regex.
• Unable to apply a rule to the data.
• Mismatch between expected data type, such as CEF, LEEF, or JSON with the actual data, such as TEXT or CSV.
All errors are saved to a dataset called parsing_rules_errors, where the dataset type is system_audit. The following table describes the fields that are available when running a query in XQL Search for this dataset in alphabetical order.
• Some errors can only be found after the applicable logs are collected in Cortex XDR.
• New errors generate a notification called Parsing Rules Error, which you can view when selecting the Notification center.
Field Description
this error belongs to. Possible values are the following.
• drop—In a scenario where none of the rules in the group generates output for a given log record, that record is discarded.
• keep—In a scenario where none of the rules in the group generates output for a given log record, that record is kept in the _raw_log field. This record is inserted into the group's dataset once, but every column holds NULL except for _raw_log which holds the original JSON log record.
The Parsing Rules editor includes a separate section called List of Errors at the bottom of the page with the following capabilities.
The List of Errors section is only displayed when there are any errors to list.
• Lists the details of the last 20 errors from the total number of errors found. Cortex XDR only updates this list with new errors when the list is closed.
• Selecting a particular error highlights the relevant lines in the User Defined or Default Rules views and displays these lines on the screen, so you can easily review the error and troubleshoot the problem.
• Link to Open All in XQL Search to view additional information about these errors in XQL Search from the last 24 hours. The entire list of errors in the parsing_rules_errors dataset is displayed, so you can easily troubleshoot. You can edit the query opened in XQL Search to search for a designated time of your choosing, for example, if you want to view the results for the last week as opposed to 24 hours.
• When you Save changes in the Parsing Rules editor, all of the errors listed are removed from the page.
Each vendor and product has its own raw dataset that uses the format <vendor>_<product>_raw. For example, for Palo Alto Networks Next-Generation Firewall, the dataset is called panw_ngfw_raw. This raw dataset by default keeps all raw logs, whether ingested or dropped for other datasets.
You can override the default raw dataset by creating an INGEST section referring to that dataset. For example, the following syntax overrides the panw_ngfw_raw automatic Parsing Rule.
You can save your ingested, parsed data in an external location by exporting your logs to a bucket from where you can download them for two weeks.
The Event Forwarding page enables you to activate your Event Forwarding licenses and retrieve the path and credentials of your external storage destination. This page is available when you purchase the Event Forwarding add-on license.
Start forwarding event logs.
STEP 1 | Under Settings > Configurations > Data Management > Event Forwarding, activate the licenses in the Activation section.
• Enable GB Event Forwarding to export parsed logs for XDR pro TB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the Cortex XDR data layer, for compliance requirements and machine learning purposes. The exported logs are raw data, without any stories. Cortex XDR exports all the data without filtering or configuration options.
• Enable Endpoints Event Forwarding to export raw endpoint data for Cortex XDR Pro EP and Cloud endpoints. The exported logs are raw data, without any stories. Cortex XDR exports a subset of the endpoint data without filtering or configuration options. See the breakdown of the Exported Event Types for the endpoints.
STEP 3 | To retrieve the data, access GCP Cloud Storage through the Service Account.
The Destination section displays the details of the Google Cloud Platform (GCP) bucket where your data is stored for 14 days. The data is compressed and saved as a line-delimited JSON gzip file.
1. Copy the path displayed.
2. Generate and download the Service Account JSON WEB TOKEN, which contains the access key. The token provides access to all your data stored in this bucket on the service account, and must be saved in a safe place.
If you need to regenerate your access token, Replace and download a new access token. This action invalidates your previous token.
3. Using the path and the access key, retrieve your files manually or using an API.
• Copying files and objects from GCP
• Authenticating as a service account
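Once a file has been downloaded from the bucket, it is a gzip-compressed stream of one JSON object per line, as described in STEP 3. The following added example (written for this page, not Cortex XDR code) builds such a file from constructed records, reads it back while counting rather than aborting on a damaged line, and produces per-event-type and per-host counts that are useful as a sanity check before loading the export into a SIEM. The record contents are made up; only the field names event_type and agent_hostname are taken from the export field list.

```python
import gzip
import io
import json
from collections import Counter

# Constructed records in the line-delimited JSON layout described above. The field names
# event_type and agent_hostname come from the export field list; the values are made up.
SAMPLE_RECORDS = [
    {"event_type": "PROCESS", "agent_hostname": "ws-01", "event_timestamp": 1653600000000},
    {"event_type": "NETWORK", "agent_hostname": "ws-01", "event_timestamp": 1653600001000},
    {"event_type": "FILE", "agent_hostname": "srv-02", "event_timestamp": 1653600002000},
]


def build_sample_export(records=SAMPLE_RECORDS, with_corrupt_line=True):
    """Produce gzipped NDJSON bytes, i.e. what a downloaded export file contains.

    A constructed non-JSON line is appended so the reader's error handling is exercised."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        for rec in records:
            gz.write((json.dumps(rec) + "\n").encode("utf-8"))
        if with_corrupt_line:
            gz.write(b"not json at all\n")
    return buf.getvalue()


def load_export(gz_bytes):
    """Decompress and parse one export file; return (records, number_of_bad_lines).

    Lines that fail to parse are counted instead of aborting the whole file, so one damaged
    line does not cost the rest of the day's data; a non-zero count is worth alerting on."""
    records, bad = [], 0
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes), mode="rb") as gz:
        for raw in gz:
            line = raw.strip()
            if not line:
                continue
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                bad += 1
    return records, bad


def summarize(records):
    """Count records per event_type and per agent_hostname."""
    by_type = Counter(r.get("event_type", "UNKNOWN") for r in records)
    by_host = Counter(r.get("agent_hostname", "UNKNOWN") for r in records)
    return dict(by_type), dict(by_host)


if __name__ == "__main__":
    recs, bad = load_export(build_sample_export())
    print(summarize(recs), "bad lines:", bad)
```

To process a real download, pass the bytes of the .gz file to load_export instead of the constructed sample; the service-account token used to fetch it is not needed by this step.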
data without filtering or configuration options. The table below lists the types of events exported for the endpoints, and the fields that are included and excluded.
action_remote_ip action_proxy
action_remote_port action_network_app_ids
action_local_ip action_network_rule_ids
action_local_port action_network_dpi_fields
action_network_connection_id action_network_is_loopback
action_network_is_server action_upload
action_network_creation_time action_download
action_total_upload action_network_stats_seq
action_total_download action_network_is_ipv6
action_network_protocol
action_network_stats_is_last
action_process_os_pid action_process_is_causality_root
action_process_instance_id action_process_is_replay
action_process_image_md5 action_process_yara_file_scan_result
action_process_image_sha256 action_process_wf_verdict
action_process_image_path action_process_static_analysis_score
action_process_image_name execution_actor_causality_id
action_process_image_extension action_process_ns_pid
action_process_image_command_line
action_process_container_id
action_process_signature_product
action_process_is_container_root
action_process_signature_vendor action_process_image_command_line_indice
action_process_signature_is_embedded
action_process_is_special
action_process_signature_status action_process_ns_user_sid
action_process_integrity_level action_process_ns_user_real_sid
action_process_username action_process_file_size
action_process_user_sid action_process_file_create_time
action_process_in_txn action_process_file_mod_time
action_process_pe_load_info action_process_remote_session_ip
action_process_peb action_process_file_info
action_process_peb32 action_process_device_info
action_process_last_writer_actor execution_actor_instance_id
action_process_token action_process_user_real_sid
action_process_privileges action_process_requested_parent_pid
action_process_fds action_process_requested_parent_iid
action_process_scheduled_task_name
action_process_termination_date
action_process_instance_execution_time
action_process_termination_code
action_file_name action_file_yara_file_scan_result
action_file_previous_file_path action_file_dir_query
action_file_previous_file_name action_file_previous_device_info
action_file_md5 action_file_device_info
action_file_sha256 action_file_reparse_path
action_file_size action_file_reparse_count
action_file_attributes action_file_dirty_reason
action_file_create_time action_file_remote_ip
action_file_mod_time action_file_remote_port
action_file_access_time action_file_remote_file_ip
action_file_type action_file_remote_file_host
action_file_operation_flags action_file_sec_desc
action_file_mode action_file_previous_file_extension
action_file_owner action_file_extension
action_file_owner_name action_file_archive_list
action_file_group action_file_contents
action_file_group_name
action_file_device_type
action_file_signature_product
action_file_signature_vendor
action_file_signature_is_embedded
action_file_signature_status
action_file_pe_info
action_file_prev_type
action_file_last_writer_actor
action_file_is_anonymous
Registry action_registry_value_type
action_registry_key_name
action_registry_data
action_registry_value_name
action_registry_old_key_name
action_registry_file_path
action_registry_return_val
Injection action_remote_process_thread_id action_remote_process_causality_id
action_remote_process_os_pid action_remote_process_is_causality_root
action_remote_process_instance_id
action_remote_process_is_replay
action_remote_process_image_md5
action_remote_process_image_extension
action_remote_process_image_sha256
action_remote_process_image_command_lin
action_remote_process_image_path
action_remote_process_is_special
action_remote_process_image_name
action_remote_process_file_size
action_remote_process_image_command_line
action_remote_process_file_create_time
action_remote_process_signature_product
action_remote_process_file_mod_time
action_remote_process_signature_vendor
action_remote_process_file_info
action_remote_process_signature_is_embedded
action_remote_process_signature_status
action_remote_process_thread_start_address
action_remote_process_integrity_level
action_remote_process_username
action_remote_process_user_sid
address_mapping
action_module_md5 action_module_yara_file_scan_result
action_module_sha256 action_module_file_size
action_module_base_address action_module_file_create_time
action_module_image_size action_module_file_mod_time
action_module_signature_product action_module_file_access_time
action_module_signature_vendor action_module_device_info
action_module_signature_is_embedded
action_module_wf_verdict
action_module_signature_status
action_module_file_info
action_module_last_writer_actor
action_module_other_load_location
action_module_page_protection
action_module_system_properties
action_module_code_integrity
action_module_boot_code_integrity
action_username
action_user_status_sid
action_user_session_id
action_user_is_local_session
action_powered_off
agent_status_component
host_metadata_hostname
host_metadata_domain
agent_hostname event_utc_diff_minutes
agent_interface_map manifest_file_version
agent_os_sub_type source_message_id
agent_os_type zip_id
agent_version agent_request_time
agent_id server_request_time
agent_ip_addresses agent_id_hash
agent_ip_addresses_v6 agent_id_hash_bre
backtrace_identities
_product
_vendor
actor_fields
agent_is_vdi
event_type event_is_replay
event_sub_type event_impersonation_status
event_id event_is_simulated
event_timestamp event_user_presence
event_rpc_interface_uuid agent_host_boot_time
event_rpc_func_opnum agent_session_start_time
event_validity_enum
event_invalidity_field
event_rpc_inteface_version_major
event_rpc_inteface_version_minor
event_rpc_protocol
event_address_mapped
event_user_presence_status
os_actor_local_port actor_process_auth_id
os_actor_primary_user_sid actor_process_causality_id
os_actor_primary_username actor_process_ns_pid
os_actor_process_command_line actor_process_session_id
os_actor_process_image_md5 actor_process_signature_is_embedded
os_actor_process_image_name actor_process_signature_product
os_actor_process_image_path actor_process_signature_vendor
os_actor_process_image_sha256 actor_remote_host
os_actor_process_signature_status
actor_remote_pipe_name
os_actor_process_logon_id actor_remote_port
os_actor_process_os_pid actor_rpc_interface_version_major
os_actor_remote_ip actor_rpc_interface_version_minor
os_actor_process_instance_id actor_rpc_protocol
os_actor_thread_thread_id actor_type
actor_rpc_func_opnum
actor_rpc_interface_uuid
actor_process_device_info
actor_process_execution_time
actor_process_file_create_time
actor_process_file_mod_time
actor_process_file_size
actor_process_image_extension
actor_process_instance_id
actor_process_command_line_indices
actor_process_integrity_level
actor_process_is_special
actor_process_last_writer_actor
actor_process_instance_id
actor_thread_thread_id
actor_is_injected_thread
actor_causality_id
actor_effective_username
actor_effective_user_sid
STEP 2 | In the Daily Usage in Compute Units section, monitor the amount of quota units used over the past 24 hours and the amount of free daily quota allocated according to your license size and the additional amount you have purchased. Time frame is calculated according to UTC time.
For Managed Security tenants, the values calculated are the total daily usage of parent and child tenants.
STEP 3 | In the Compute Units over last 30 Days section, track your quota usage over the past 30 days. The red line represents your daily license quota. For Managed Security tenants, make sure you select from the MSSP Tenant Selection drop-down menu the tenant for which you want to display the information. To investigate further:
• Hover over each bar to view the total number of query units used on each day for both API Usage and Cold Storage Usage.
• Select a bar to display in the XQL Queries Using API table the list of XQL API and Cold Storage queries executed on the selected day.
STEP 4 | In the Compute Units Usage table, investigate all the XQL API and Cold Storage queries that were executed on your tenant. For Managed Security tenants, make sure you select from the MSSP Tenant Selection drop-down menu the tenant for which you want to display the information. You can filter and sort according to the following fields.
• ID—Unique identifier representing the executed XQL API query.
• Timestamp—Date and time of when the XQL API was executed.
• Type—Indicates the type of query performed, either an API Query or Cold Storage Query.
• PAPI Key ID—API Key ID used to execute the XQL API.
• XQL Query—The XQL query called using an API or Cold Storage search.
• Compute Unit Usage—Displays how many query units were used to execute the API query and Cold Storage query.
• Tenant—Appears only in a Managed Security tenant. Displays which tenant executed an API query or Cold Storage query.
Analytics
> Analytics Concepts
Analytics Concepts
Safeguarding a network requires a defense-in-depth strategy which utilizes current and patched software and hardware. Most strategies designed to keep unwanted users out of a network stop intrusion attempts at the network perimeter, defending only against known threats. For example, systems scanning for malicious software rely on previously identified MD5 signature databases. However, attackers constantly modify virus signatures to circumvent virus scanners.
Your network defense-in-depth strategy must include software and processes designed to detect and respond to an intruder who penetrates your systems. The Cortex XDR app efficiently and automatically identifies abnormal activity on your network, while providing you with the exact information you need to rapidly evaluate, isolate and remove potential threats from your network.
• Analytics Engine
• Analytics Sensors
• Coverage of MITRE Attack Tactics
• Analytics Detection Time Intervals
• Analytics Alerts and Analytics BIOCs
• Identity Analytics
Analytics Engine
The Cortex XDR app uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XDR tenants to build an activity baseline, and recognize abnormal activity when it occurs. The Analytics Engine accesses your logs as they are streamed to the Cortex XDR tenant, including any Firewall data that was forwarded by the Cortex Data Lake, and analyzes the data as soon as it arrives. Cortex XDR raises an Analytics alert when the Analytics Engine determines an anomaly.
The Analytics Engine examines traffic and data from a variety of sources such as network activity from firewall logs, VPN logs (from Prisma Access from the Panorama plugin), endpoint activity data (on Windows endpoints), Active Directory or a combination of these sources, to identify the endpoints and users on your network. After identifying the endpoints and the users, the Analytics Engine collects relevant details about each asset based on the information it obtains from the logs to create profiles. The Analytics Engine can detect threats from only network data or only endpoint data, but for more context when investigating an alert, using a combination of data sources is recommended.
The Analytics Engine creates and maintains the profiles to view the activity of the endpoint or user in context by comparing it to similar endpoints or users. The large number of Profile types can generally be placed into one of three categories.
• Peer Group Profiles—A statistical analysis of an entity or an entity relation that compares activities from multiple entities in a peer group. For example, a domain can have a cross-organization popularity profile or per peer group popularity profile.
• Temporal Profiles—A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a Profile depending on the number of ports it accessed in the past.
• Entity classification—A model detecting the role of an entity. For example, users can be classified as service accounts, and hosts as domain controllers.
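The two statistical profile types above can be made concrete with a small, added illustration (written for this page; it is not the Analytics Engine's actual model and uses much simpler statistics than a production detector). The temporal profile compares a host's distinct-port count today against that host's own history using a z-score; the peer group profile computes how popular each domain is within a peer group, so a domain contacted by only one host in the group stands out. All hosts, counts, domains and peer groups are constructed, and the thresholds (z above 3, popularity at or below one third, at least five baseline days) are choices made here.

```python
from statistics import mean, pstdev

# Constructed baseline: distinct destination ports per host on each of the last 7 days,
# and today's count. ws-02 jumps from a handful of ports to 41 (constructed anomaly).
PORT_HISTORY = {
    "ws-01": [4, 5, 4, 6, 5, 4, 5],
    "ws-02": [3, 3, 4, 3, 3, 4, 3],
}
TODAY_PORTS = {"ws-01": 5, "ws-02": 41}

# Constructed domain accesses per host and the peer group of each host.
DOMAIN_ACCESS = {
    "ws-01": {"intranet.example", "updates.example"},
    "ws-02": {"intranet.example", "updates.example", "rare-host.example"},
    "ws-03": {"intranet.example", "updates.example"},
    "ws-04": {"intranet.example"},
}
PEER_GROUPS = {"ws-01": "finance", "ws-02": "finance", "ws-03": "finance", "ws-04": "engineering"}


def temporal_anomalies(history, today, z_threshold=3.0, min_days=5):
    """Temporal profile: compare each host to its own past.

    Returns {host: z_score} for hosts whose count today is more than z_threshold standard
    deviations above their baseline mean. Hosts with fewer than min_days of history are
    skipped, mirroring the need for a minimum amount of logging before a detector can fire."""
    flagged = {}
    for host, counts in history.items():
        if len(counts) < min_days or host not in today:
            continue
        mu = mean(counts)
        sigma = max(pstdev(counts), 1.0)   # floor so a nearly flat baseline does not explode
        z = (today[host] - mu) / sigma
        if z > z_threshold:
            flagged[host] = round(z, 2)
    return flagged


def domain_popularity(access, peer_groups):
    """Peer group profile: for each peer group, the fraction of its hosts that contacted
    each domain. Returns {group: {domain: fraction}}."""
    members = {}
    for host, group in peer_groups.items():
        members.setdefault(group, set()).add(host)
    popularity = {}
    for group, hosts in members.items():
        seen = {}
        for host in hosts:
            for domain in access.get(host, ()):
                seen.setdefault(domain, set()).add(host)
        popularity[group] = {d: len(h) / len(hosts) for d, h in seen.items()}
    return popularity


def rare_domains(access, peer_groups, max_popularity=1 / 3):
    """Domains whose popularity within a peer group is at or below max_popularity,
    i.e. candidates for 'unusual for this peer group' alerts."""
    pop = domain_popularity(access, peer_groups)
    return sorted((g, d) for g, doms in pop.items() for d, p in doms.items() if p <= max_popularity)


if __name__ == "__main__":
    print("temporal:", temporal_anomalies(PORT_HISTORY, TODAY_PORTS))
    print("rare in peer group:", rare_domains(DOMAIN_ACCESS, PEER_GROUPS))
```

A host flagged by the temporal profile and a domain that is rare for its peer group are the kinds of signals the text describes; in practice the two are combined with entity classification (a domain controller or service account legitimately behaves differently from a workstation) before an alert is raised.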
Analytics Sensors
To detect anomalous behavior, Cortex XDR can analyze logs and data from a variety of sensors.
Sensor Description
Enhanced application logs (EAL)
To provide greater coverage and accuracy, you can enable enhanced application logging on your Palo Alto Networks firewalls. EAL are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR. Only firewalls sending logs to Cortex Data Lake can generate enhanced application logs.
Examples of the types of data that enhanced application logs gather include records of DNS queries, the HTTP header User Agent field that specifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. With DHCP information, for example, Cortex XDR can alert on unusual activity based on hostname instead of IP address. This enables the security analyst using Cortex XDR to meaningfully assess whether the user’s activity is within the scope of his or her role, and if not, to more quickly take action to stop the activity.
GlobalProtect and Prisma Access logs
If you use GlobalProtect or Prisma Access to extend your firewall security coverage to your mobile users, Cortex XDR can also analyze VPN traffic to detect anomalous behavior on mobile endpoints.
Firewall URL logs (part of firewall threat logs)
Palo Alto Networks firewalls can log Threat log entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Cortex XDR can analyze entries for Threat logs relating to URLs and raise alerts that indicate malicious behavior such as command and control and exfiltration.
Cortex XDR agent endpoint data
With a Cortex XDR Pro per Endpoint license, you can deploy Cortex XDR agents on your endpoints to protect them from malware and software exploits. The Analytics Engine can also analyze the EDR data collected by the Cortex XDR agent to raise alerts. To collect EDR data, you must install Cortex XDR agent 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or later).
The Cortex XDR Analytics Engine can analyze activity and traffic based solely on endpoint activity data sent from Cortex XDR agents. For increased coverage and greater insight during investigations, use a combination of Cortex XDR agent data and firewalls to supply activity logs for analysis.
Directory Sync logs
If you use the Cloud Identity Engine to provide Cortex XDR with Active Directory data, the Analytics Engine can also raise alerts on your Active Directory logs.
External sensors
logs to Cortex XDR, you can increase detection coverage and take advantage of Cortex XDR analysis capabilities. When Cortex XDR analyzes your firewall logs and detects anomalous behavior, it raises an alert.
Windows Event Collector logs
The Windows Event Collector (WEC) runs on the broker VM collecting event logs from Domain Controllers (DCs). The Analytics Engine can analyze these event logs to raise alerts such as for credential access and defense evasion.
The Analytics Engine can alert on any of the following attack tactics as defined by the MITRE ATT&CK™ knowledge base of tactics.
Tactic Description
endpoint data from your Cortex XDR agents, and evaluation of suspicious files using the WildFire® cloud service.
periodicity of connections and failed DNS lookups, changes in random DNS lookups, and other symptoms that suggest an attacker has gained initial control of a system.
These time periods are different for every Cortex XDR Analytics detector. The actual amount of logging data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex XDR Analytics Alert Reference.
Identity Analytics
Cortex XDR enables you to investigate suspicious user activity information using Identity Analytics. When enabled, Identity Analytics aggregates and displays user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.
To easily track the alerts and Analytics BIOC rules, Cortex XDR displays an Identity Analytics tag in the Alerts table > Alert Name field and Analytics BIOC Rules table > Name field. In the Analytics Alert View, when selecting the User node, Cortex XDR details the active directory group, organizational unit, role, logins, hosts, alerts, and process executions associated with the user.
To enable Identity Analytics, you must first:
• Set Up Cloud Identity Engine (formerly Directory Sync Services (DSS))
• Activate Cortex XDR Analytics
After configuring your Cloud Identity Engine instance and Cortex XDR Analytics, select Settings ( ) > Configurations > Cortex XDR - Analytics and in the Featured in Analytics section, Enable Identity Analytics.
Asset Management
> Network Configuration
> Vulnerability Assessment
> Manage User Scores
> Asset Inventory
> Cloud Inventory Assets
Network Configuration
Network asset visibility is a crucial investigative tool in discovering rogue devices in your network and preventing malicious activity. Understanding how many managed and unmanaged assets are part of your network provides you with vital information to better assess your security exposure and track network communication.
Cortex XDR Network Configuration provides an accurate representation of your network assets by collecting and analyzing the following network resources.
• User-defined IP Address Ranges and Domain Names associated with your internal network
• EDR data collected by Firewall Logs
• Cortex XDR Agent Logs
• ARP Cache
• Broker VM Network Mapper
• Pathfinder Data Collector
In addition to the network resources, Cortex XDR allows you to configure in your Windows Agent Profile a Cortex XDR agent scan of your endpoints using Ping that provides updated identifiers of your network assets, such as IP addresses and OS platforms. The scan is automatically distributed by Cortex XDR to all the agents configured in the profile and cannot be initiated by request.
With the data aggregated by Cortex XDR Network Configuration you can locate and manage your assets more effectively and reduce the amount of research required to:
• Distinguish between assets managed and unmanaged by a Cortex XDR Agent.
• Identify assets that are part of your internal network.
• Track network data communications from within and outside your network.
You can add a range which is fully contained in an existing range; however, you cannot add a new range which partially intersects with another range.
The range names you define will appear when investigating the network related events within the Cortex XDR console.
• Save your definitions.
• Upload from File
• In the Upload IP Address Ranges pop-up, drag and drop or search for a CSV file listing the IP address ranges. Download example file to view the correct format.
• Add your list of IP address ranges.
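The containment rule above (nested ranges allowed, partially intersecting ranges rejected) is easy to get wrong when preparing a list of ranges by hand, so it is worth checking before uploading. The following added example (written for this page, not part of Cortex XDR, and not the format of the example CSV file) validates a list of ranges given either as CIDR blocks or as inclusive first-last pairs; the range strings are constructed. The page permits a new range that lies inside an existing one; this check also accepts a new range that fully encloses an existing one, which is an assumption made here rather than something the page states.

```python
import ipaddress


def parse_range(spec):
    """Accept a CIDR block ('10.0.0.0/8') or an inclusive 'first-last' pair and return
    (first, last, ip_version) with the addresses as integers."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec, strict=False)
        first, last = net[0], net[-1]
    if first.version != last.version:
        raise ValueError(f"{spec}: mixed IPv4/IPv6 range")
    if int(first) > int(last):
        raise ValueError(f"{spec}: first address is greater than last address")
    return int(first), int(last), first.version


def check_range(existing, new):
    """Return None if `new` may be added to `existing`, otherwise the reason for rejection.

    A range fully contained in an existing range is allowed (as stated on the page); a range
    that only partially intersects an existing range is rejected. A new range enclosing an
    existing one is accepted here as the same containment relation (assumption)."""
    n_lo, n_hi, n_ver = parse_range(new)
    for spec in existing:
        e_lo, e_hi, e_ver = parse_range(spec)
        if e_ver != n_ver or n_hi < e_lo or n_lo > e_hi:
            continue  # different address family or disjoint: no conflict
        contained = e_lo <= n_lo and n_hi <= e_hi
        encloses = n_lo <= e_lo and e_hi <= n_hi
        if not (contained or encloses):
            return f"{new} partially intersects existing range {spec}"
    return None


def add_ranges(existing, new_ranges):
    """Validate and append each range in turn; raise on the first rejected range so the
    offending entry is reported before anything is uploaded."""
    result = list(existing)
    for spec in new_ranges:
        reason = check_range(result, spec)
        if reason:
            raise ValueError(reason)
        result.append(spec)
    return result


if __name__ == "__main__":
    # Constructed ranges: the third one straddles the top of 10.0.0.0/8 and is rejected.
    print(add_ranges([], ["10.0.0.0/8", "10.1.0.0/16"]))
    print(check_range(["10.0.0.0/8"], "10.255.0.0-11.0.0.5"))
```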
STEP 2 | In the Internal Domain Suffixes section, +Add the domain suffix you want to include as part of your internal network. For example, acme.com.
Vulnerability Assessment
Cortex XDR vulnerability assessment enables you to identify and quantify the security vulnerabilities on an endpoint in Cortex XDR. Relying on the information from Cortex XDR, you can easily mitigate and patch these vulnerabilities on all endpoints in your organization.
To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and metrics. You can use Cortex XDR to evaluate the extent and severity of each CVE in your network, gain full visibility into the risks to which each endpoint is exposed, and assess the vulnerability status of an installed application in your network.
You can access the Vulnerability Assessment panel from: Assets > Vulnerability Assessment.
Collecting the initial data from all endpoints in your network could take up to 6 hours. After that, Cortex XDR initiates periodical recalculations to rescan the endpoints and retrieve the updated data. If at any point you want to force data recalculation, click Recalculate.
The following are prerequisites for Cortex XDR to perform vulnerability assessment of your endpoints:
Requirement Description
Setup and Permissions • Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent.
CVE Analysis
To evaluate the extent and severity of each CVE across your endpoints, you can drill down into each CVE in Cortex XDR and view all the endpoints and applications in your environment that are impacted by the CVE. Cortex XDR retrieves the latest information from the NIST public database.
From Add-ons > Host Insights > Vulnerability Assessment, select CVEs on the upper-right bar. For each vulnerability, Cortex XDR displays the following default and optional values:
Value Description
(CVSS). Click the score to see the full CVSS description.
You can perform the following actions from Cortex XDR as you analyze the existing vulnerabilities:
• View CVE details—Left-click the CVE to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.
• View a complete list of all endpoints in your network that are impacted by a CVE—Right-click the CVE and then select View affected endpoints.
• Learn more about the applications in your network that are impacted by a CVE—Right-click the CVE and then select View applications.
• Exclude irrelevant CVEs from your endpoints and applications analysis—Right-click the CVE and then select Exclude. You can add a comment if needed, as well as Report CVE as incorrect for further analysis and investigation by Palo Alto Networks. The CVE is grayed out and labeled Excluded and no longer appears on the Endpoints and Applications views in Vulnerability Assessment, or in the Host Insights widgets. To restore the CVE, you can right-click the CVE and Undo exclusion at any time.
The CVE will be removed/reinstated to all views, filters, and widgets after the next vulnerabilities recalculation.
Endpoint Analysis
To help you assess the vulnerability status of an endpoint, Cortex XDR provides a full list of
all installed applicaons and exisng CVEs per endpoint and also assigns each endpoint a
vulnerability severity score that reflects the highest NIST vulnerability score detected on the
endpoint. This informaon helps you to determine the best course of acon for remediang each
endpoint. From Add-ons > Host Insights > Vulnerability Assessment, select Endpoints on the
upper-right bar. For each endpoint, Cortex XDR displays the following default and oponal values:
Value Descripon
Cortex® XDR Pro Administrator’s Guide Version 3.3 861 ©2022 Palo Alto Networks, Inc.
Asset Management
Value Descripon
Last Reported Timestamp The date and me of the last me the Cortex
XDR agent started the process of reporng its
applicaon inventory to Cortex XDR.
You can perform the following actions from Cortex XDR as you investigate and remediate your endpoints:
• View endpoint details—Left-click the endpoint to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.
• View a complete list of all applications installed on an endpoint—Right-click the endpoint and then select View installed applications. This list includes the application name, version, and installation path on the endpoint. If an installed application has known vulnerabilities, Cortex XDR also displays the list of CVEs and the highest Severity.
• (Windows only) Isolate an endpoint from your network—Right-click the endpoint and then select Isolate the endpoint before or during your remediation to allow the Cortex XDR agent to communicate only with Cortex XDR.
• (Windows only) View a complete list of all KBs installed on an endpoint—Right-click the endpoint and then select View installed KBs. This list includes all the Microsoft Windows patches that were installed on the endpoint and a link to the Microsoft official Knowledge Base (KB) support article.
• Retrieve an updated list of applications installed on an endpoint—Right-click the endpoint and then select Rescan endpoint.
Application Analysis
You can assess the vulnerability status of applications in your network using the Host Inventory. Cortex XDR compiles an application inventory of all the applications installed in your network by collecting from each Cortex XDR agent the list of installed applications. For each application on the list, you can see the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application. Any new application installed on an endpoint will appear in Cortex XDR within 24 hours. Alternatively, you can re-scan the endpoint to retrieve the most updated list.
Starting with macOS 10.15, Mac built-in system applications are not reported by the Cortex XDR agent and are not part of the Cortex XDR Application Inventory.
From Add-ons > Host Insights > Host Inventory, select Applications.
• To view the details of all the endpoints in your network on which an application is installed, right-click the application and select View endpoints.
• To view in-depth details about the application, left-click the application name.
Using Identity Analytics, Cortex XDR is able to aggregate from Workday and Active Directory a list of all the user assets located within your network according to their associated incidents. To help investigate user activities and detect compromised accounts and malicious activities, Cortex XDR calculates a User Score that allows you to easily identify the most high-risk users in your organization.
The User Score is the higher score of the following two components:
• Incident Scoring Rules—Alerts within an incident matching your scoring rules criteria are each given a score. The alert with the highest score from the incident is assigned as the User Score.
• System Rules—Alerts within an incident matching Cortex XDR generated scoring rules are each given a score. Cortex XDR sums all the alerts for each incident up to a total of 100. The highest score is assigned as the User Score.
As new alerts are associated with incidents, the User Score assigned is recalculated.
Navigate to the User Scores table to view the latest score, and the User View to track the User Score trend.
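As an added illustration of the two scoring components described above (this is not Palo Alto Networks code), the following Python models the User Score calculation on constructed incident data; the Alert and Incident types, the "custom"/"system"/"unscored" source labels, and all scores and identifiers are assumptions for the example.

```python
"""Model of the Cortex XDR User Score rule described in the guide.

Added illustration, not Palo Alto Networks code. The Alert/Incident shapes,
the source labels and every score or ID below are constructed for the example.
"""
from dataclasses import dataclass, field

# The guide states that System Rule alert scores are summed per incident up to a total of 100.
SYSTEM_RULE_CAP = 100


@dataclass
class Alert:
    name: str
    score: int
    # "custom":   alert matched one of your Incident Scoring Rules
    # "system":   alert matched a Cortex XDR generated scoring rule
    # "unscored": alert matched no scoring rule and contributes nothing
    source: str


@dataclass
class Incident:
    incident_id: str
    alerts: list = field(default_factory=list)


def custom_rule_component(incidents):
    """Incident Scoring Rules: the single highest-scoring matching alert across the user's incidents."""
    scores = [a.score for inc in incidents for a in inc.alerts if a.source == "custom"]
    return max(scores, default=0)


def system_rule_component(incidents):
    """System Rules: sum matching alerts per incident (capped at 100), then take the highest incident total."""
    totals = [
        min(SYSTEM_RULE_CAP, sum(a.score for a in inc.alerts if a.source == "system"))
        for inc in incidents
    ]
    return max(totals, default=0)


def user_score(incidents):
    """The User Score is the higher of the two components."""
    return max(custom_rule_component(incidents), system_rule_component(incidents))


def associate_alert(incidents, incident_id, alert):
    """Attach a new alert to an existing incident; user_score() recalculates on its next call."""
    for inc in incidents:
        if inc.incident_id == incident_id:
            inc.alerts.append(alert)
            return
    raise KeyError(incident_id)


def build_sample_incidents():
    """Constructed incidents for one user (placeholder IDs, names and scores)."""
    return [
        Incident("INC-1", [
            Alert("unusual logon pattern", 40, "system"),
            Alert("credential dumping attempt blocked", 35, "system"),
            Alert("custom rule: admin share access", 80, "custom"),
            Alert("informational", 15, "unscored"),
        ]),
        Incident("INC-2", [
            Alert("custom rule: off-hours VPN login", 60, "custom"),
            Alert("rare process execution", 20, "system"),
        ]),
    ]


if __name__ == "__main__":
    incs = build_sample_incidents()
    print("custom component:", custom_rule_component(incs))   # 80
    print("system component:", system_rule_component(incs))   # 75 (40 + 35 in INC-1)
    print("user score:", user_score(incs))                    # 80
    # A new system-rule alert lands in INC-1: 40 + 35 + 50 = 125, capped at 100
    associate_alert(incs, "INC-1", Alert("lateral movement detected", 50, "system"))
    print("user score after recalculation:", user_score(incs))  # 100
```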
Field  Description
LAST LOGIN: Last date and time the user accessed Cortex XDR.
STEP 3 | Investigate further by locating the user you want to investigate, right-click and Open User View.
Some User Associated Insights may not appear as part of the User Associated Incidents due to the insight generation mechanism. For example, when an insight related to one of the assets in an incident is generated a few days after the associated incident, the insight may not be associated with the incident.
Asset Inventory
Cortex XDR provides a central location from which you can view and investigate information relating to assets in your network. Using your defined internal network configurations, Broker VM Network Mapper, Cortex XDR agent, EDR data collected from firewall logs, and logs from third-party vendors, Cortex XDR is able to aggregate and display a list of all the assets located within your network. As soon as Cortex XDR begins receiving network assets, you can view the data in Assets > Asset Inventory.
• When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections. The section heading names and data displayed change depending on the source of the assets.
• Depending on the cell you’ve selected in the table, different right-click pivot menus are available, such as Open IP View and Open in Quick Launcher.
• You can export the tables and respective asset views to a tab-separated values (TSV) file.
You can toggle between the following views on the page.
• Legacy View—Displays a list of all the assets located within your network according to their IP address. The task below provides more information on investigating your asset inventory using the Legacy View.
The Legacy View will be deprecated in the upcoming Cortex XDR release.
HOST NAME: Host name of the asset, if available. The asset requires at least one of the following:
• An installed Cortex XDR agent
• A running Cortex XDR collector
• A GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
• Associated DHCP logs covering this asset are sent to Cortex XDR
MAC ADDRESS: MAC address of the asset. The asset requires at least one of the following:
• An installed Cortex XDR agent
• A running Cortex XDR collector
• For Mac endpoints, a GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
• Associated DHCP logs covering this asset are sent to Cortex XDR
MAC ADDRESS VENDOR: Vendor name of the MAC address of the asset. The asset requires at least one of the following:
• An installed Cortex XDR agent
• A running Cortex XDR collector
• For Mac endpoints, a GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
• Associated DHCP logs covering this asset are sent to Cortex XDR
• View agent details—Pivot to the Endpoints table filtered according to the agent ID. Choose whether to open the view in a new tab or the same tab. This option is available only for assets with a Cortex XDR agent installed.
• Open in Quick Launcher—Open the Quick Launcher search results for the IP address.
• Remove Collector—Remove the Pathfinder Data Collector. Only available if the collector status is In Process.
All Assets
Ingesting and Viewing Cloud Compute Instances for Cloud Inventory Assets requires a Cortex XDR Pro per TB license.
The All Assets page enables you to view all your assets from the various asset categories. Each asset is available in Cortex XDR in different ways depending on the asset category and Cortex XDR license, as explained in the following table.
Cloud Compute Instance: Requires configuring either a Cloud Inventory data collector or Cortex Agents that are installed on the Cloud Compute Instances. License: Cortex XDR Pro per TB license.
To view the All Assets page, select Assets > Asset Inventory.
By default, the All Assets page displays all assets according to the asset name. To search for specific assets, use the filters above the results table to narrow the results. You can export the tables and respective asset views to a tab-separated values (TSV) file. From the All Assets page, you can also manage the assets output using the right-click pivot menu.
The All Assets table is comprised of a number of common fields that are available when viewing any of the Specific Assets pages. The TYPE field is only available in the All Assets table as this field determines the Specific Assets categories, and can be used to filter the different types of assets from the entire list of assets.
When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections. The section heading names and data displayed change depending on the source of the assets.
The following table describes, in alphabetical order, the fields that are available when viewing All Assets.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
Field  Description
FIRST OBSERVED*: When the asset was first observed via any of the sources.
LAST OBSERVED*: When the asset was last observed via any of the sources.
Specific Assets
Ingesting and Viewing Cloud Compute Instances for Cloud Inventory Assets requires a Cortex XDR Pro per TB license.
The Specific Assets pages enable you to view specific assets from a designated asset category. Each specific table contains the common columns that are listed in the All Assets table and some additional specific columns that are relevant for the type of asset.
To view the Specific Assets pages, select Assets > Asset Inventory > Specific Assets, and select a specific asset category.
By default, the Specific Assets pages display the assets according to the name of the asset. To search for specific assets, use the filters above the results table to narrow the results. You can export the tables and respective asset views to a tab-separated values (TSV) file. From the Specific Assets page, you can also manage the assets output using the right-click pivot menu.
When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections. The section heading names and data displayed change depending on the source of the assets.
The table below describes the following for the different Specific Assets pages.
The Specific Assets listed are dependent on your Cortex XDR license. For more information, see All Assets.
Cloud Compute Instance: Includes assets that are managed by Cortex Agents, where the agent reported that the assets are in a cloud environment. In addition, the assets can be Cloud Compute Instances that were reported by a Cloud integration (i.e. Cloud Inventory data collector) with or without a Cortex agent. Cortex XDR attempts to associate the data received from the Cortex agent and the data received from the Cloud Integration and tie them together into a single asset. Unique fields: No specific unique fields displayed in addition to the common fields.
Cortex XDR provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform, Microsoft Azure, and Amazon Web Services. This capability provides deeper visibility into all the assets and superior context for incident investigation. To receive cloud assets, you must first configure a Cloud Inventory data collector for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud Inventory, where the All Cloud Assets and Specific Cloud Assets pages display the data in a table format.
The following are some of the main features available to you on these pages.
• When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections. The following are some descriptions of the main sections.
• Internet Exposure—When there are any open external ports, these ports and their corresponding details are displayed, so you can quickly identify the source of the problem. You can also view the raw JSON text of the banner details obtained from Cortex Xpanse.
• Asset Editors—Displays the identities of the latest 5 editors, listing the percentage of editing actions for a single identity. A link is provided to open a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
• Asset Metadata—Details the asset metadata collected for the particular row selected in the table.
• Depending on the cell you’ve selected in the table, different right-click pivot menus are available, such as Open IP View and Open in Quick Launcher.
• You can export the tables and respective asset views to a tab-separated values (TSV) file.
For more information on these sections in the side panel, see Manage Your Cloud Inventory Assets.
The All Cloud Assets page enables you to view all your cloud assets from the various cloud asset categories that you configured for collection from Google Cloud Platform, Microsoft Azure, and Amazon Web Services using the Cloud Inventory data collector.
To view the All Cloud Assets page, select Assets > Cloud Inventory > All Cloud Assets.
By default, the All Cloud Assets page displays all cloud assets according to the most recent time that the data was updated. To search for specific assets, use the filters above the results table to narrow the results. You can export the tables and respective asset views to a tab-separated values (TSV) file. From the All Cloud Assets page, you can also manage the assets output using the right-click pivot menu. For more information, see Manage Your Cloud Inventory Assets.
The All Cloud Assets table is comprised of a number of common fields that are available when viewing any of the Specific Cloud Assets pages. The TYPE and SUBTYPE fields are only available in the All Cloud Assets table as these fields determine the Specific Cloud Assets categories, and can be used to filter the different types of assets from the entire list of assets.
When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link to open a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
The following table describes, in alphabetical order, the fields that are available when viewing All Cloud Assets.
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
Field  Description
CREATION TIME*: Displays the time that the cloud asset was created.(1) This information is not always available.
• VM Instance
• Bucket
• Disk
• Image
• Subnet
• Security Group
• Other
This field is unique to the All Cloud Assets
table.
UPDATE TIME*: Displays the time that the cloud asset was updated. This information is not always available.
(1) Due to a known AWS synchronization issue, where the creation time displayed in the AWS Console does not match the actual time when the AWS Bucket was created, the CREATION TIME in Cortex XDR does not always match the AWS Console, as Cortex XDR displays the actual time.
The Specific Cloud Assets pages enable you to view specific cloud assets from a designated cloud asset category from all the assets you configured to collect from Google Cloud Platform, Microsoft Azure, and Amazon Web Services using the Cloud Inventory data collector. These cloud asset categories are based on a combination of asset types and subtypes. Each specific table contains the common columns that are listed in the All Cloud Assets table and some additional specific columns that are relevant for this type of cloud asset.
To view the Specific Cloud Assets pages, select Assets > Cloud Inventory > Specific Cloud Assets, and select a specific cloud asset category.
By default, the Specific Cloud Assets pages display the cloud assets according to the most recent time that the data was updated. To search for specific assets, use the filters above the results table to narrow the results. You can export the tables and respective asset views to a tab-separated values (TSV) file. From the Specific Cloud Assets page, you can also manage the assets output using the right-click pivot menu. For more information, see Manage Your Cloud Inventory Assets.
When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link to open a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
The image below is an example of a Specific Cloud Assets page for Compute Instances.
The table below describes the following for the different Specific Cloud Assets pages.
• Specific Cloud Assets—The name of the specific cloud asset page.
• Asset Type—The asset type that is automatically associated with this specific cloud asset page.
• Asset Subtype—The asset subtype that is automatically associated with this specific cloud asset page.
• Unique Fields—The unique fields that are only available when viewing this specific cloud asset page, and are displayed in addition to the common fields listed for the All Cloud Assets page. These fields are exposed by default.
The All Cloud Assets and Specific Cloud Assets pages provide a central location from which you can view and investigate information relating to inventory assets in the cloud. These cloud inventory assets are collected from Google Cloud Platform, Microsoft Azure, and Amazon Web Services depending on your defined cloud configurations, and are received by Cortex XDR using the Cloud Inventory data collector. These pages are designed in a similar format so you can navigate to the page, view the data, and perform the same tasks to easily investigate your assets.
To manage your cloud inventory assets:
STEP 1 | Select Assets > Cloud Inventory.
STEP 2 | View All Cloud Assets by remaining on the page, or select a Specific Cloud Assets page from the list available on the left panel.
By default, the pages display all cloud assets according to the most recent time that the data was updated.
STEP 4 | (Optional) Export your filtered results to a tab-separated values (TSV) file using the Export to file icon at the top of the page.
STEP 5 | (Optional) Investigate any asset further by selecting the applicable row in the table to reveal a side panel.
The side panel enables you to view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link to open in a new tab a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
The following table describes the common side panel components that are displayed for all asset types and subtypes, and the specific side panel components based on the specific cloud asset type selected.
The Project is called something else in each cloud provider. For more information, see the PROJECT description.
• Public IPs—Displays a list of external public IPs.
• Private IPs—Displays a list of internal private IPs.
• Cloud Tags—Displays any cloud tags or labels configured according to the cloud provider.
• Last Reported Status—Last reported status of the asset, such as AVAILABLE or READY.
Monitoring
> Cortex XDR Dashboard
> Monitor Cortex XDR Incidents
> Monitor Cortex XDR Gateway Management Activity
> Monitor Administrative Activity
> Monitor Agent Activity
> Monitor Agent Operational Status
The dashboard comprises Dashboard Widgets (2) that summarize information about your endpoints in graphical or tabular format. You can customize Cortex XDR to display Predefined Dashboards or create your own custom dashboard using the dashboard builder. You can toggle between your available dashboards using the dashboard menu (1).
In addition, the dashboard provides a color theme toggle (3) that enables you to switch the interface colors between light and dark.
Dashboard Widgets
Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying summarized information about your endpoints.
Cortex XDR sorts widgets in the Cortex XDR app according to the following categories:
• Agent Management Widgets
• Asset Widgets
• Cloud Widgets
• Custom Widget
• Host Insights
• Incident Management Widgets
• Investigation Widgets
• System Monitoring
• User Defined Widgets
• XQL Search
Agent Content Version Breakdown: Displays the total number of registered Cortex XDR agents and the distribution of agents by content update version.
Asset Widgets
Top 5 Notable Users: Displays the top 5 users with the highest User Score. Select a user to pivot to the User View.
Cloud Widgets
Assets by Responsive Port Number: Displays the number of exposed cloud assets by port number. Refreshes every two hours.
Responsive Assets Over Time: Displays the number of exposed cloud assets over time. Select the time scope in the upper right to view the number of exposed cloud assets over the last 24 hours, 7 days, or 30 days.
Custom Widget
Host Insights
(Requires a Cortex XDR Host Insights Add-on)
Top CVEs By Affected Endpoints: Displays the top Critical, High, and Medium severity CVEs currently existing in your network according to the total number of endpoints affected by each CVE. Click a CVE to open a filtered view of all affected endpoints.
Vulnerabilities On All Endpoints Over Time: Displays CVEs over time across your network. Select the time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 days. Hover over the graph to view the number of existing CVEs on a specific day.
Overdue Incidents of Top 5 Assignees: Displays the last 30 days, 7 days, or 24 hours of the following information according to the incident creation time:
• Top 5 assignees, by assignee name, with the highest number of overdue incidents.
For further investigation, select a user to pivot to the Incident table filtered according to the incident creation time and assignee.
Investigation Widgets
Open Incidents by Severity: Displays the total open incidents over the last 30 days according to severity. Select a severity to open a filtered view of incidents by the selected severity.
Response Action Breakdown: Displays the top response actions taken in the Action Center over the last 24 hours, 7 days, or 30 days.
Top Hosts: Displays the top ten hosts with the highest number of incidents in order of severity over the last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity. Click a host to open a filtered view of all open incidents for the selected host.
Top Incidents: Displays the top ten current incidents with the highest number of alerts according to severity over the last 30 days. Alerts are color-coded: red for high and yellow for medium. Click a severity to open a filtered view of all open alerts for the selected incident.
System Monitoring
XQL Search
STEP 1 | In Cortex XDR, navigate to Dashboards & Reports > Customize > Widget Library.
• Create and edit custom widgets based on XQL Search queries.
1. In the widget menu, Create custom XQL widget.
2. Enter a widget Name and optional Description.
3. Create an XQL query. Select XQL Helper to view XQL search and schema examples.
4. Generate the XQL query to display the search results.
XQL queries generated from the widget library do not appear in the Query Center. The results are used only for creating the custom widget.
5. In the Widget section, define how you want to visualize the results.
6. After you are happy with the query parameters and visualization definitions, Save widget.
The custom widget appears in the list of existing widgets.
• Search for custom and predefined widgets.
1. Search for a widget or Show widgets according to the type of category.
2. Select a widget type to display the widget graph type and parameters. By default, Cortex XDR displays the widget with Mock Data. Toggle to display your current Real Data.
• Edit existing custom widgets.
1. Locate a custom widget.
2. Select Update widget to edit the widget or Delete widget from library.
Editing an existing widget affects all dashboards that include the widget and future generated reports.
STEP 2 | (Optional) Include the widgets listed in the widget library in your custom dashboards and reports.
Predefined Dashboards
Cortex XDR comes with predefined dashboards that display widgets tailored to the dashboard type. You can select any of the predefined dashboards directly from the dashboard menu in Dashboards & Reports > Customize > Dashboards Manager. You can also select and rename a predefined dashboard in the Dashboard Builder, available by clicking + New Dashboard. The types of dashboards that are available to you depend on your license type but can include:
• Agent Management Dashboard
• Cloud Inventory Dashboard
• Data Ingestion Dashboard
• Incident Management Dashboard
• My Dashboard
• Security Admin Dashboard
• Security Manager Dashboard
Support for the Agent Management Dashboard requires either a Cortex XDR Prevent or
Cortex XDR Pro per Endpoint license.
The Cloud Inventory Dashboard requires a Cortex XDR Pro per TB license.
The LAST DAY INGESTED and CURRENT DAY INGESTED columns always display 0 for any ingestion result less than 1.
My Dashboard
My Dashboard provides an overview of the incidents and MTTR for the logged-in user.
The Security Manager Dashboard requires either a Cortex XDR Prevent or Cortex XDR Pro
per Endpoint license.
STEP 2 | In the Dashboard Builder, enter a unique Dashboard Name and an optional Description of the dashboard.
STEP 6 | When you have finished customizing your dashboard, click Next.
STEP 7 | To set the custom dashboard as your default dashboard when you log in to Cortex XDR, select Define as default dashboard.
STEP 8 | To keep this dashboard visible only for you, select Private.
Otherwise, the dashboard is public and visible to all Cortex XDR app users with the appropriate roles to manage dashboards.
Manage Dashboards
In the Cortex XDR console, navigate to Dashboards & Reports > Customize > Dashboards Manager to view all custom and default dashboards. From the Dashboards Manager, you can also delete, edit, duplicate, disable, and perform additional management actions on your dashboards.
To manage an existing dashboard, right-click the dashboard and select the desired action.
• Delete - Permanently delete a dashboard.
• Edit - Edit an existing dashboard. You cannot edit the default dashboards provided by Palo Alto Networks, but you can save one as a new dashboard.
• Save as new - Duplicate an existing template.
• Disable - Temporarily disable a dashboard. If the dashboard is public, this dashboard is also removed for all users.
• Set as default - Make the dashboard the default dashboard that displays when you (and other users, if the dashboard is public) log in to Cortex XDR.
• Save as report template - Save a report as a template.
STEP 2 | Right-click the dashboard from which you want to generate a report, and select Save as report template.
STEP 3 | Enter a unique Report Name and an optional Description of the report, then Save the template.
STEP 6 | After your report completes, you can download it from the Reporting > Reports page.
STEP 2 | Enter a unique Report Name and an optional Description of the report.
STEP 7 | When you have finished customizing your report template, click Next.
STEP 8 | If you are ready to run the report, select Generate now.
STEP 9 | To run the report on a regular Schedule, you can specify the time and frequency at which Cortex XDR will run the report.
STEP 10 | (Optional) Enter an Email Distribution list or Slack workspace to send a PDF version of your report.
Select Add password used to access report sent by email and Slack to set a password for encryption.
STEP 11 | (Optional) Attach a CSV file of your XQL query widget to a report.
From the drop-down menu, search and select one or more of your custom widgets to attach to the report. The XQL query widget is attached to the report as a CSV file along with the customized PDF. Depending on how you selected to send the report, the CSV file is attached as follows:
• Email—Sent as separate attachments for each widget. The total size of the attachments in the email cannot exceed 20MB.
• Slack—Sent within a ZIP file that includes the PDF file.
STEP 13 | After your report completes, you can download it from the Reporting > Reports page.
In the Name field, reports with multiple files (PDF and CSV files) are marked with one icon, while reports with a single PDF are marked with a different icon.
You must have Account Admin role permissions to access the Management Auditing page.
Field  Description
• Authentication—User sessions started, along with the user name that started the session.
• Broker API—Operation related to the Broker application programming interface (API).
• Broker VM—Operation related to the Broker virtual machine (VM).
• Dashboards—Use of particular dashboards.
• Device Control Permanent Exceptions—Modification of permanent device control exceptions.
• Device Control Profile—Modification of a device control profile.
• Device Control Temporary Exceptions—Modification of temporary device control exceptions.
• Disk Encryption Profile—Modification of a disk encryption profile.
• Endpoint Administration—Management of endpoints.
• Endpoint Groups—Management of endpoint groups.
• Extensions Policy—Modification of extension policy settings, including host firewall and disk encryption.
• Extensions Profiles—Modification of extension profile settings.
• Global Exceptions—Management of global exceptions.
• Host Firewall Profile—Modification of a host firewall profile.
• Host Insights—Initiation of a Host Insights data collection scan (Host Inventory and Vulnerability Assessment).
• Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
• Ingest Data—Import of data for immediate use or storage in a database.
• Integrations—Integration operations, such as integrating Slack for outbound notifications.
• Licensing—Any licensing-related operation.
• Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, including a complete history of commands issued, their success, and the response.
• Managed Threat Hunting—Activity relating to managed threat hunting.
• MSSP—Management of managed security service providers (MSSPs).
• Policy & Profiles—Activity related to managing policies and profiles.
• Prevention Policy Rules—Modification of prevention policy rules.
• Protection Policy—Modification of the protection policy.
• Protection Profile—Modification of the protection profile.
• Public API—Authentication activity using an associated Cortex XDR API key.
• Query Center—Operations in the Query Center.
• Remediation—Remediation operations.
• Reporting—Any reporting activity.
• Response—Remedial actions taken. For example: isolate a host, undo host isolation, add a file hash signature to the block list, or undo the addition to the block list.
• Rules—Modification to rules.
• Rules Exceptions—Creation, editing, or deletion under Rules exceptions.
• SaaS Collection—Any collected SaaS data.
• Script Execution—Any script execution.
• Starred Incidents—Modification of starred incidents.
• Vulnerability Assessment—Any vulnerability assessment activity.
The Cortex XDR agent logs entries for the events it monitors and reports the logs back to Cortex XDR hourly. Cortex XDR stores the logs for 365 days. To view the Cortex XDR agent logs, select Settings > Agent Auditing.
To ensure you and your colleagues stay informed about agent activity, you can Configure Notification Forwarding to forward your Agent Audit log to an email distribution list, Syslog server, or Slack channel.
You can customize your view of the logs by adding or removing filters in the Agent Audit table, and filter the page results to narrow down your search. The following table describes the default and optional fields that you can view in the Agent Audit table:
Field Description
Category The Cortex XDR agent logs endpoint events using one of the following categories:
• Audit—Successful changes to the agent indicating correct behavior.
• Monitoring—Unsuccessful changes to the agent that may require administrator intervention.
• Status—Indication of the agent status.
Received Time Date and time when the action was received by the agent and reported back to Cortex XDR.
Type and Sub-Type Additional classification of the agent log entry (Type and Sub-Type):
• Installation:
• Install
• Uninstall
• Upgrade
• Policy change:
• Local Configuration Change
• Content Update
• Policy Update
• Process Exception
• Hash Exception
• Agent service:
• Service start (reported only when the agent fails to start
and the RESULT is Fail)
• Service stopped
• Agent modules:
• Module initialization
• Local analysis module
• Local analysis feature extraction
• Agent status:
• Fully protected
• OS incompatible
• Software incompatible
• Kernel driver initialization
• Kernel extension initialization
• Proxy communication
• Quota exceeded (reported when old prevention data is being deleted from the endpoint)
• Minimal content
• Action:
• Endpoint Token
• Scan
• File retrieval
• Terminate process
• Isolate
• Cancel isolation
• Payload execution
• Quarantine
• Restore
• Block IP address
• Unblock IP address
• Tagging
XDR Agent Version Version of the Cortex XDR agent running on the endpoint.
Status Description
• Behavioral threat protection is not running
• Anti-malware flow is asynchronous
• Malware protection is not running
• Exploit protection is not running
Log Forwarding
To help you stay informed and updated, you can easily forward Cortex® XDR™ alerts
and reports to an external syslog receiver, a Slack channel, or to email accounts.
Log types that can be forwarded:
Alerts
Management Audit Log
Reports
STEP 2 | Select the provided link to install Cortex XDR on your Slack workspace.
You are redirected to Slack in your browser to install the Cortex XDR app. You can only install Cortex XDR on Slack from this link; attempting to install it from the Slack marketplace redirects you to the Cortex XDR documentation.
STEP 2 | Select Settings > Configurations > Integrations > External Applications.
If your Syslog receiver uses a self-signed CA, Browse and upload the self-signed Syslog receiver CA certificate.
If you only use a trusted root CA, leave the Certificate field empty.
• Ignore Certificate Error—Not recommended. You can select this option to ignore certificate errors if they occur, so that alerts and logs are forwarded even when the receiver's certificate fails validation. Be aware that this disables authentication of the receiver: anything that can intercept the connection can present its own certificate and read the forwarded alerts and audit logs.
STEP 5 | Test the parameters to ensure a valid connection and Create when ready.
You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their status.
If you find the Syslog data too limited, Palo Alto Networks recommends running the Get Alerts API for the complete alert data.
Cortex XDR applies the filter only to future alerts and events.
Use this workflow to configure notifications for alerts, agent audit logs, and management audit logs. To receive notifications about reports, see Create a Report from Scratch.
STEP 1 | Select Settings > Configurations > General > Notifications.
STEP 4 | Select the Log Type you want to forward, one of the following:
• Alerts—Send notifications for specific alert types (for example, XDR Agent or BIOC).
• Agent Audit Logs—Send notifications for audit logs reported by your Cortex XDR agents.
• Management Audit Logs—Send notifications for audit logs about events related to your Cortex XDR management console.
STEP 5 | In the Configuration Scope, Filter the type of information you want included in a notification.
For example, set the filter Severity = Medium, Alert Source = XDR Agent. Cortex XDR sends the alerts or events matching this filter as notifications.
Before you can select a Slack channel or Syslog receiver you must Integrate Slack for Outbound Notifications and Integrate a Syslog Receiver.
1. Enter the Slack channel name and select from the list of available channels.
Slack channels are managed independently of Cortex XDR in your Slack workspace. After integrating your Slack account with your Cortex XDR tenant, Cortex XDR displays a list of the Slack channels associated with the integrated Slack workspace.
2. Select a Syslog receiver.
Cortex XDR displays the list of receivers integrated with your Cortex XDR tenant.
STEP 9 | (Optional) To later modify a saved forwarding configuration, right-click the configuration, and Edit, Disable, or Delete it.
Message Details
Management audit notification messages are grouped by Type. The Types that appear in the message table are:
Action Center, Agent Configuration, Agent Installation, Alert Exclusions, Alert Notifications, Alert Rules, Api Key, Authentication, Broker API, Broker VMs, Dashboards, EDL Management, Endpoint Administration, Endpoint Groups, Event Forwarding, Extensions Policy, Extensions Profile, Global Exceptions, Host Insights, Incident Management, Ingest Data, Integrations, Licensing, Live Terminal, MSSP, Permission, Public API, Query Center, Remediation, Reporting, Response, Rules, Rules Exceptions, SaaS Collection, Scoring Rules, Security Settings, Starred Incidents, System.
Each message carries a Severity (for example, Informational or Low) and, where applicable, a Sub Type and a Status (Success / Fail). For example:
• Type—Authentication: Sub Type—Login or Logout, Status—Success, Severity—Informational.
• A policy export message reads "<x> policy rules were exported" with Severity—Informational.
• Type—Security Settings: Action is Enabled, Disabled, or Changed, and domain_list is in one of the following formats: "for domainX, domainY", "from: domainX to: domainY", or empty.
Email Account
Alert notifications are sent to email accounts according to the settings you configured when you Configure Notification Forwarding. If only one alert exists in the queue, a single-alert email format is sent. If more than one alert was grouped in the time frame, all the alerts in the queue are forwarded together in a grouped email format. Emails also include a code snippet of the alert fields, following the columns in the Alerts table.
Single Alert Email Example
Alert Name: Behavioral Threat Protection
Alert ID: 2412
Description: A really cool detection
Severity: Medium
Source: XDR Agent
Category: Exploit
Action: Prevented
Host: <host name>
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>
Notification Name: "My notification policy 2"
Notification Description: "Starred alerts with medium severity"
{
"original_alert_json":{
"uuid":"<UUID Value>",
"recordType":"threat",
"customerId":"<Customer ID>",
"severity":4,
"generatedTime":"2020-11-03T07:46:03.166000Z",
"originalAgentTime":"2020-11-03T07:46:01.372974700Z",
"serverTime":"2020-11-03T07:46:03.312633",
"isEndpoint":1,
"agentId":"<agent ID>",
"endPointHeader":{
"osVersion":"<OS version>",
"agentIp":"<Agent IP Address>",
"deviceName":"<Device Name>",
"agentVersion":"<Agent Version>",
"contentVersion":"152-40565",
"policyTag":"<Policy Tag Value>",
"securityStatus":0,
"protectionStatus":0,
"dataCollectionStatus":1,
"isolationStatus":0,
"agentIpList":[
"<IP Address>"
],
"addresses":[
{
"ip":[
"<IP Address>"
],
"mac":"<Mac ID>"
}
],
"liveTerminalEnabled":true,
"scriptExecutionEnabled":true,
"fileRetrievalEnabled":true,
"agentLocation":0,
"fileSearchEnabled":false,
"deviceDomain":"env21.local",
"userName":"Aragorn",
"userDomain":"env21.local",
"userSid":"<User S ID>",
"osType":1,
"is64":1,
"isVdi":0,
"agentId":"<Agent ID>",
"agentTime":"2020-11-03T07:46:03.166000Z",
"tzOffset":120
},
"messageData":{
"eventCategory":"prevention",
"moduleId":"COMPONENT_WILDFIRE",
"moduleStatusId":"CYSTATUS_MALICIOUS_EXE",
"preventionKey":"<Prevention Key>",
"processes":[
{
"pid":111,
"parentId":<Parent ID>,
"exeFileIdx":0,
"userIdx":0,
"commandLine":"\"C:\\<file path>\\test.exe\" ",
"instanceId":"Instance ID",
"terminated":0
}
],
"files":[
{
"rawFullPath":"C:\\<file path>\\test.exe",
"fileName":"test.exe",
"sha256":"<SHA256 Value>",
"fileSize":"12800",
"innerObjectSha256":"<SHA256 Value>"
}
],
"users":[
{
"userName":"<User Name>",
"userDomain":"<Domain Name>",
"domainUser":"<Domain Name>\\<User Name>"
}
],
"urls":[
],
"postDetected":0,
"sockets":[
],
"containers":[
],
"techniqueId":[
],
"tacticId":[
],
"modules":[
],
"javaStackTrace":[
],
"terminate":0,
"block":0,
"eventParameters":[
"C:\\<file path>\\test.exe",
"B30--A56B9F",
"B30--A56B9F",
"1"
],
"sourceProcessIdx":0,
"fileIdx":0,
"verdict":1,
"canUpload":0,
"preventionMode":"reported",
"trapsSeverity":2,
"profile":"Malware",
"description":"WildFire Malware",
"cystatusDescription":"Suspicious executable detected",
"sourceProcess":{
"user":{
"userName":"<User Name>",
"userDomain":"<Domain Name>",
"domainUser":"<Domain Name>\\<User Name>"
},
"pid":1111,
"parentId":<Parent ID>,
"exeFileIdx":0,
"userIdx":0,
"commandLine":"\"C:\\<file path>\\test.exe\" ",
"instanceId":"<Instance ID>",
"terminated":0,
"rawFullPath":"C:\\<file path>\\Test.exe",
"fileName":"test.exe",
"sha256":"<SHA256 Value>",
"fileSize":"12800",
"innerObjectSha256":"<SHA256 Value>"
},
"policyId":"<Policy ID>"
}
},
"internal_id":<Internal ID>,
"external_id":"<External ID>",
"severity":"SEV_030_MEDIUM",
"matching_status":"MATCHED",
"end_match_attempt_ts":1604389636437,
"alert_source":"TRAPS",
"local_insert_ts":1604570760,
"source_insert_ts":160470366,
"alert_name":"WildFire Malware",
"alert_category":"Malware",
"alert_description":"Suspicious executable detected",
"bioc_indicator":null,
"matching_service_rule_id":null,
"attempt_counter":1,
"bioc_category_enum_key":null,
"alert_action_status":"REPORTED",
"case_id":111,
"is_whitelisted":false,
"starred":false,
"deduplicate_tokens":null,
"filter_rule_id":null,
"mitre_technique_id_and_name":[
""
],
"mitre_tactic_id_and_name":[
""
],
"agent_id":"80d2e314c92f6",
"agent_version":"7.2.1.2718",
"agent_ip_addresses":[
"10.208.213.137"
],
"agent_hostname":"<Agent Hostname>",
"agent_device_domain":"<Device Domain>",
"agent_fqdn":"<FQDN Value>",
"agent_os_type":"AGENT_OS_WINDOWS",
"agent_os_sub_type":"<Operating System Sub-Type> ",
"agent_data_collection_status":true,
"mac":"<Mac ID>",
"agent_is_vdi":null,
"agent_install_type":"STANDARD",
"agent_host_boot_time":[
1604446615
],
"event_sub_type":null,
"module_id":[
"WildFire"
],
"association_strength":null,
"dst_association_strength":null,
"story_id":null,
"is_disintegrated":null,
"event_id":null,
"event_type":[
1
],
"event_timestamp":[
1604389563166
],
"actor_effective_username":[
"<Domain Name>\\<User Name>"
],
"actor_process_instance_id":[
"<Actor>\/<Instance ID>"
],
"actor_process_image_path":[
"C:\\<file path>\\test.exe"
],
"actor_process_image_name":[
"test.exe"
],
"actor_process_command_line":[
"\"C:\\<file path>\\test.exe\" "
],
"actor_process_signature_status":[
"SIGNATURE_UNSIGNED"
],
"actor_process_signature_vendor":null,
"actor_process_image_sha256":[
"<SHA256 Value>"
],
"actor_process_image_md5":[
"<MD5 Value>"
],
"actor_process_causality_id":[
"<Actor>\/<Causality ID>"
],
"actor_causality_id":null,
"actor_process_os_pid":[
1111
],
"actor_thread_thread_id":[
1222
],
"causality_actor_process_image_name":[
"test1.exe"
],
"causality_actor_process_command_line":[
"C:\\<file path>\\test1.EXE"
],
"causality_actor_process_image_path":[
"C:\\<file path>\\test1.exe"
],
"causality_actor_process_signature_vendor":[
"Microsoft Corporation"
],
"causality_actor_process_signature_status":[
"SIGNATURE_SIGNED"
],
"causality_actor_causality_id":[
"AdaxtV\/iNIMAAAc8AAAAAA=="
],
"causality_actor_process_execution_time":[
1604389557724
],
"causality_actor_process_image_md5":null,
"causality_actor_process_image_sha256":[
"<SHA256 Value>"
],
"action_file_path":null,
"action_file_name":null,
"action_file_md5":null,
"action_file_sha256":null,
"action_file_macro_sha256":null,
"action_registry_data":null,
"action_registry_key_name":null,
"action_registry_value_name":null,
"action_registry_full_key":null,
"action_local_ip":null,
"action_local_port":null,
"action_remote_ip":null,
"action_remote_port":null,
"action_external_hostname":null,
"action_country":[
"UNKNOWN"
],
"action_process_instance_id":null,
"action_process_causality_id":null,
"action_process_image_name":null,
"action_process_image_sha256":null,
"action_process_image_command_line":null,
"action_process_signature_status":[
"SIGNATURE_UNAVAILABLE"
],
"action_process_signature_vendor":null,
"os_actor_effective_username":null,
"os_actor_process_instance_id":null,
"os_actor_process_image_path":null,
"os_actor_process_image_name":null,
"os_actor_process_command_line":null,
"os_actor_process_signature_status":[
"SIGNATURE_UNAVAILABLE"
],
"os_actor_process_signature_vendor":null,
"os_actor_process_image_sha256":null,
"os_actor_process_causality_id":null,
"os_actor_causality_id":null,
"os_actor_process_os_pid":null,
"os_actor_thread_thread_id":[
1396
],
"fw_app_id":null,
"fw_interface_from":null,
"fw_interface_to":null,
"fw_rule":null,
"fw_rule_id":null,
"fw_device_name":null,
"fw_serial_number":null,
"fw_url_domain":null,
"fw_email_subject":null,
"fw_email_sender":null,
"fw_email_recipient":null,
"fw_app_subcategory":null,
"fw_app_category":null,
"fw_app_technology":null,
"fw_vsys":null,
"fw_xff":null,
"fw_misc":null,
"fw_is_phishing":[
"NOT_AVAILABLE"
],
"dst_agent_id":null,
"dst_causality_actor_process_execution_time":null,
"dns_query_name":null,
"dst_action_external_hostname":null,
"dst_action_country":null,
"dst_action_external_port":null,
"is_pcap":null,
"contains_featured_host":[
"NO"
],
"contains_featured_user":[
"YES"
],
"contains_featured_ip":[
"YES"
],
"events_length":1,
"is_excluded":false
}
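A consumer of this payload rarely wants the whole object; it wants the host, the user, the process that acted, who spawned it, and whether the agent actually blocked anything. The following Python is an added example, not code from the guide or from Palo Alto Networks: it unwraps the single-element list fields used throughout the payload, parses the severity enum (generalizing from the one value shown, SEV_030_MEDIUM, to the SEV_<rank>_<label> pattern, which is an assumption), and derives triage flags from alert_action_status and from the actor versus causality-actor signature status. The embedded alert is a constructed, abbreviated instance of the structure above with hypothetical identifiers, and the reading of isolationStatus 0 as "not isolated" is an assumption.

```python
# Added example: normalize a Cortex XDR alert notification payload for triage.
import json
from typing import Any, Dict, List, Optional

# Constructed, abbreviated instance of the single-alert JSON shown above; every
# identifier is hypothetical. Only the keys this example reads are included.
SAMPLE_ALERT = json.dumps({
    "original_alert_json": {
        "recordType": "threat",
        "severity": 4,
        "endPointHeader": {"deviceName": "WS-0042", "isolationStatus": 0},
        "messageData": {"preventionMode": "reported", "verdict": 1},
    },
    "external_id": "ext-0001",
    "severity": "SEV_030_MEDIUM",
    "alert_source": "TRAPS",
    "alert_name": "WildFire Malware",
    "alert_action_status": "REPORTED",
    "agent_hostname": "WS-0042",
    "actor_effective_username": ["CORP\\alice"],
    "actor_process_image_name": ["test.exe"],
    "actor_process_image_sha256": ["0" * 64],
    "actor_process_signature_status": ["SIGNATURE_UNSIGNED"],
    "actor_process_signature_vendor": None,
    "causality_actor_process_image_name": ["test1.exe"],
    "causality_actor_process_signature_status": ["SIGNATURE_SIGNED"],
    "causality_actor_process_signature_vendor": ["Microsoft Corporation"],
    "mitre_technique_id_and_name": [""],
    "mitre_tactic_id_and_name": [""],
    "starred": False,
})


def scalar(value: Any) -> Any:
    """Per-event fields arrive as single-element lists (or null); unwrap them."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def parse_severity(enum: str) -> Dict[str, Any]:
    """Split an enum like SEV_030_MEDIUM into numeric rank and lower-case label,
    so alerts sort correctly without a hard-coded severity table."""
    parts = enum.split("_")
    return {"rank": int(parts[1]), "label": "_".join(parts[2:]).lower()}


def nonempty(values: Optional[List[str]]) -> List[str]:
    """The MITRE fields hold [""] rather than [] when there is no mapping."""
    return [v for v in (values or []) if v]


def triage(raw: str) -> Dict[str, Any]:
    """Reduce the payload to the fields an analyst acts on, plus triage flags."""
    alert = json.loads(raw)
    sev = parse_severity(alert["severity"])
    actor_sig = scalar(alert.get("actor_process_signature_status"))
    cgo_sig = scalar(alert.get("causality_actor_process_signature_status"))
    flags: List[str] = []
    # REPORTED: the agent observed the activity but did not block it, so the
    # process may still be running and a response action is still needed.
    if alert.get("alert_action_status") == "REPORTED":
        flags.append("not_prevented")
    # Unsigned executable launched under a signed causality group owner: the
    # usual shape of a living-off-the-land chain (signed parent, unsigned payload).
    if actor_sig == "SIGNATURE_UNSIGNED" and cgo_sig == "SIGNATURE_SIGNED":
        flags.append("unsigned_child_of_signed_cgo")
    if not nonempty(alert.get("mitre_technique_id_and_name")):
        flags.append("no_mitre_mapping")
    # Assumption: isolationStatus 0 in endPointHeader means the host is not isolated.
    if alert["original_alert_json"]["endPointHeader"].get("isolationStatus") == 0:
        flags.append("host_not_isolated")
    return {
        "external_id": alert["external_id"],
        "host": alert.get("agent_hostname"),
        "user": scalar(alert.get("actor_effective_username")),
        "severity": sev["label"],
        "severity_rank": sev["rank"],
        "actor": {"image": scalar(alert.get("actor_process_image_name")),
                  "sha256": scalar(alert.get("actor_process_image_sha256")),
                  "signature": actor_sig},
        "cgo": {"image": scalar(alert.get("causality_actor_process_image_name")),
                "signer": scalar(alert.get("causality_actor_process_signature_vendor")),
                "signature": cgo_sig},
        "flags": flags,
    }
```

Run `triage(SAMPLE_ALERT)` to see the reduced record; on the sample it raises all four flags, because the page's own example is a REPORTED (not prevented) WildFire verdict on an unsigned test.exe spawned under a Microsoft-signed causality group owner, with empty MITRE mappings.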
Slack Channel
You can send alert notifications to a single Slack contact or a Slack channel. Notifications are similar to the email format.
Syslog Server
Alert notifications forwarded to a Syslog server are sent in CEF format over syslog (RFC 5425).
Section Description
Syslog Header
<9>: PRI (priority field)
1: version number
2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
cortexxdr: host name
CEF Header
Vendor="Palo Alto Networks" (constant string)
Device Product="Cortex XDR" (constant string)
Product Version=Cortex XDR version (2.0/2.1...)
Severity=integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High
Device Event Class ID=alert source
name=alert name
CEF Body
end=timestamp
shost=endpoint_name
deviceFacility=facility
cat=category
externalId=external_id
request=request
cs1=initiated_by_process cs1Label=Initiated by (constant string)
cs2=initiator_command cs2Label=Initiator CMD (constant string)
cs3=signature cs3Label=Signature (constant string)
cs4=cgo_name cs4Label=CGO name (constant string)
cs5=cgo_command cs5Label=CGO CMD (constant string)
cs6=cgo_signature cs6Label=CGO Signature (constant string)
dst=destination_ip dpt=destination_port
src=source_ip spt=source_port
fileHash=file_hash
filePath=file_path
targetprocesssignature=target_process_signature
tenantname=tenant_name
tenantCDLid=tenant_id
CSPaccountname=account_name
initiatorSha256=initiator_hash
initiatorPath=initiator_path
osParentName=parent_name
osParentCmd=parent_command
osParentSha256=parent_hash
osParentSignature=parent_signature
osParentSigner=parent_signer
incident=incident_id
act=action
suser=actor_effective_username
Example
osParentSignature=SIGNATURE_SIGNED osParentSigner=Microsoft
Corporation incident=118719 act=Detected suser=['root']
Cortex XDR forwards the agent audit log to external data resources in the following formats.
Email Account
Cortex XDR can forward agent audit log notifications to email accounts.
Syslog Server
Agent audit logs forwarded to a Syslog server are sent in CEF format over syslog (RFC 5425) according to the following mapping.
Section Description
Syslog Header
<9>: PRI (priority field)
1: version number
2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
cortexxdr: host name
CEF Header
Vendor="Palo Alto Networks" (constant string)
Device Product="Cortex XDR Agent" (constant string)
Device Version=Cortex XDR Agent version (7.0/7.1...)
Severity=integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High
Device Event Class ID="Agent Audit Logs" (constant string)
name=type
CEF Body
dvchost=domain
shost=endpoint_name
cat=category
end=timestamp
rt=received_time
cs1Label=agentversion (constant string) cs1=agent_version
cs2Label=subtype (constant string) cs2=subtype
cs3Label=result (constant string) cs3=result
cs4Label=reason (constant string) cs4=reason
msg=event_description
tenantname=tenant_name
tenantCDLid=tenant_id
CSPaccountname=csp_id
Example:
Email Account
Management audit log notifications are forwarded to email accounts.
Syslog Server
Management audit logs forwarded to a Syslog server are sent in CEF format over syslog (RFC 5425) according to the following mapping:
Section Description
Syslog Header
<9>: PRI (priority field)
1: version number
2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
cortexxdr: host name
CEF Header
Vendor="Palo Alto Networks" (constant string)
Device Product="Cortex XDR" (constant string)
Device Version=Cortex XDR version (2.0/2.1...)
Severity=integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High
Device Event Class ID="Management Audit Logs" (constant string)
name=type
CEF Body
suser=user
end=timestamp
externalId=external_id
cs1Label=email (constant string) cs1=user_mail
cs2Label=subtype (constant string) cs2=subtype
cs3Label=result (constant string) cs3=result
cs4Label=reason (constant string) cs4=reason
msg=event_description
tenantname=tenant_name
tenantCDLid=tenant_id
CSPaccountname=csp_id
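The three CEF mappings above (alerts, agent audit logs, management audit logs) share one wire format and differ only in the Device Event Class ID and in what cs1..cs6 carry, so a SIEM-side consumer needs a single parser. The following Python is an added example, not the guide's or Palo Alto Networks' code: it parses the RFC 5424 header and the CEF header, splits the extension while honouring CEF escaping (\= and \\ in values, \| in header fields), resolves cs1..cs6 through their cs1Label..cs6Label names, and applies a triage rule that pages on High alerts, failed agent actions (cs3=result), and management audit Types such as Api Key, Permission and Live Terminal taken from the Type list on this page (which Types count as sensitive is this example's choice). The three sample lines are constructed to follow the mapping tables; hosts, IDs, paths, users, tenant values and version numbers are hypothetical, and the syslog APP-NAME, PROCID, MSGID and STRUCTURED-DATA fields are assumed to be nil ("-"), which the parser does not depend on.

```python
# Added example: parse and triage Cortex XDR CEF-over-syslog notifications.
import re
from typing import Any, Dict

CEF_SEVERITY = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}  # header values per the mapping
# Management audit Types to page on: names from this page, selection is this example's choice.
SENSITIVE_AUDIT_TYPES = {"Api Key", "Permission", "Live Terminal", "Response",
                         "Security Settings", "Global Exceptions", "Rules Exceptions"}
# A key starts the extension or follows whitespace; an escaped "\=" inside a value never starts one.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.]*)=")

# Constructed samples following the three mapping tables; all values are hypothetical.
SAMPLE_ALERT = (
    "<9>1 2020-03-22T07:55:07.964311Z cortexxdr - - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR|3.3|XDR Agent|WildFire Malware|9|"
    "end=1584863707964 shost=ws-0042 cat=Malware externalId=2412 "
    "cs1=test.exe cs1Label=Initiated by "
    "cs2=\"C:\\\\Tools\\\\test.exe\" /c set X\\=1 cs2Label=Initiator CMD "
    "cs3=SIGNATURE_UNSIGNED cs3Label=Signature cs4=explorer.exe cs4Label=CGO name "
    "cs6=SIGNATURE_SIGNED cs6Label=CGO Signature incident=118719 act=Detected suser=CORP\\\\alice"
)
SAMPLE_AGENT_AUDIT = (
    "<9>1 2020-03-22T08:02:00Z cortexxdr - - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR Agent|7.7|Agent Audit Logs|Agent service|8|"
    "dvchost=corp.example shost=ws-0042 cat=Monitoring end=1584864120000 rt=1584864125000 "
    "cs1Label=agentversion cs1=7.7.0.1234 cs2Label=subtype cs2=Service start "
    "cs3Label=result cs3=Fail cs4Label=reason cs4=Kernel driver failed to load "
    "msg=Agent service failed to start tenantname=acme tenantCDLid=1234567 CSPaccountname=9876"
)
SAMPLE_MGMT_AUDIT = (
    "<9>1 2020-03-22T08:01:00Z cortexxdr - - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR|3.3|Management Audit Logs|Api Key|6|"
    "suser=alice end=1584864060000 externalId=5001 cs1Label=email cs1=alice@example.com "
    "cs2Label=subtype cs2=Create cs3Label=result cs3=Success cs4Label=reason cs4= "
    "msg=New API key created tenantname=acme tenantCDLid=1234567 CSPaccountname=9876"
)


def _unescape(value: str, header: bool = False) -> str:
    """Undo CEF escaping: header fields escape | and \\; extension values escape =, \\, \\n, \\r."""
    escapes = {"|": "|", "\\": "\\"} if header else {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in escapes:
            out.append(escapes[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; a value runs until the next key."""
    keys = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return fields


def resolve_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Map csN values onto their csNLabel names, e.g. {'CGO name': 'explorer.exe'}."""
    return {label: fields[key[:-5]] for key, label in fields.items()
            if key.endswith("Label") and key[:-5] in fields}


def parse_line(line: str) -> Dict[str, Any]:
    """Parse '<PRI>1 TIMESTAMP HOST ... CEF:0|...' into a flat record."""
    m = re.match(r"<(\d{1,3})>(\d)\s+(\S+)\s+(\S+)\s+(.*)$", line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri, rest = int(m.group(1)), m.group(5)
    cef_at = rest.find("CEF:")
    if cef_at < 0:
        raise ValueError("no CEF payload")
    parts = re.split(r"(?<!\\)\|", rest[cef_at:], maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = parse_extension(parts[7])
    sev = int(parts[6])
    return {
        "facility": pri // 8, "syslog_severity": pri % 8,
        "timestamp": m.group(3), "host": m.group(4),
        "vendor": _unescape(parts[1], True), "product": _unescape(parts[2], True), "product_version": parts[3],
        "event_class_id": _unescape(parts[4], True),  # alert source, or the audit-log constant
        "name": _unescape(parts[5], True),            # alert name, or the audit Type
        "severity": CEF_SEVERITY.get(sev, f"Undefined({sev})"),
        "fields": fields, "labeled": resolve_labels(fields),
    }


def needs_review(rec: Dict[str, Any]) -> bool:
    """Page on High alerts, failed agent actions (cs3=result) and sensitive audit Types."""
    if rec["event_class_id"] == "Management Audit Logs":
        return rec["name"] in SENSITIVE_AUDIT_TYPES
    if rec["event_class_id"] == "Agent Audit Logs":
        return rec["fields"].get("cs3") == "Fail"
    return rec["severity"] == "High"
```

The key regex only treats a token as a key when it follows whitespace, so a command line in cs2 containing `set X\=1` stays one value; producers that forget to escape `=` inside values are the usual cause of mis-split CEF in SIEMs, and this is where to look when a field appears to be truncated. `needs_review` deliberately reads the audit Type from the CEF `name` header field, because the mapping puts `type` there rather than in the extension.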
Example
"/edrData/action_country","/edrData/action_download","/edrData/
action_external_hostname","/edrData/action_external_port","/
edrData/action_file_extension","/edrData/action_file_md5","/
edrData/action_file_name","/edrData/action_file_path","/
edrData/action_file_previous_file_extension","/
edrData/action_file_previous_file_name","/edrData/
action_file_previous_file_path","/edrData/action_file_sha256","/
edrData/action_file_size","/edrData/action_file_remote_ip","/edrData/
action_file_remote_port","/edrData/action_is_injected_thread","/
edrData/action_local_ip","/edrData/action_local_port","/
edrData/action_module_base_address","/edrData/
action_module_image_size","/edrData/action_module_is_remote","/
edrData/action_module_is_replay","/edrData/action_module_path","/
edrData/action_module_process_causality_id","/
edrData/action_module_process_image_command_line","/
edrData/action_module_process_image_extension","/
edrData/action_module_process_image_md5","/edrData/
action_module_process_image_name","/edrData/
action_module_process_image_path","/edrData/
action_module_process_image_sha256","/edrData/
action_module_process_instance_id","/edrData/
action_module_process_is_causality_root","/
edrData/action_module_process_os_pid","/edrData/
action_module_process_signature_product","/
edrData/action_module_process_signature_status","/
edrData/action_module_process_signature_vendor","/
edrData/action_network_connection_id","/edrData/
action_network_creation_time","/edrData/action_network_is_ipv6","/
edrData/action_process_causality_id","/edrData/
action_process_image_command_line","/edrData/
action_process_image_extension","/edrData/
action_process_image_md5","/edrData/action_process_image_name","/
edrData/action_process_image_path","/edrData/
action_process_image_sha256","/edrData/action_process_instance_id","/
edrData/action_process_integrity_level","/
edrData/action_process_is_causality_root","/
edrData/action_process_is_replay","/edrData/
action_process_is_special","/edrData/action_process_os_pid","/
edrData/action_process_signature_product","/
edrData/action_process_signature_status","/edrData/
action_process_signature_vendor","/edrData/action_proxy","/edrData/
action_registry_data","/edrData/action_registry_file_path","/edrData/
action_registry_key_name","/edrData/action_registry_value_name","/
edrData/action_registry_value_type","/edrData/
action_remote_ip","/edrData/action_remote_port","/
edrData/action_remote_process_causality_id","/
edrData/action_remote_process_image_command_line","/
edrData/action_remote_process_image_extension","/
edrData/action_remote_process_image_md5","/
edrData/action_remote_process_image_name","/
edrData/action_remote_process_image_path","/
edrData/action_remote_process_image_sha256","/
edrData/action_remote_process_is_causality_root","/
edrData/action_remote_process_os_pid","/edrData/
action_remote_process_signature_product","/
edrData/action_remote_process_signature_status","/
edrData/action_remote_process_signature_vendor","/
edrData/action_remote_process_thread_id","/edrData/
action_remote_process_thread_start_address","/edrData/
action_thread_thread_id","/edrData/action_total_download","/
edrData/action_total_upload","/edrData/action_upload","/edrData/
action_user_status","/edrData/action_username","/edrData/
actor_causality_id","/edrData/actor_effective_user_sid","/
edrData/actor_effective_username","/edrData/
actor_is_injected_thread","/edrData/actor_primary_user_sid","/
edrData/actor_primary_username","/edrData/
actor_process_causality_id","/edrData/actor_process_command_line","/
edrData/actor_process_execution_time","/edrData/
actor_process_image_command_line","/edrData/
actor_process_image_extension","/edrData/
actor_process_image_md5","/edrData/actor_process_image_name","/
edrData/actor_process_image_path","/edrData/
actor_process_image_sha256","/edrData/actor_process_instance_id","/
edrData/actor_process_integrity_level","/edrData/
actor_process_is_special","/edrData/actor_process_os_pid","/
edrData/actor_process_signature_product","/
edrData/actor_process_signature_status","/edrData/
actor_process_signature_vendor","/edrData/actor_thread_thread_id","/
edrData/agent_content_version","/edrData/agent_host_boot_time","/
edrData/agent_hostname","/edrData/agent_id","/edrData/
agent_ip_addresses","/edrData/agent_is_vdi","/edrData/
agent_os_sub_type","/edrData/agent_os_type","/edrData/
agent_session_start_time","/edrData/agent_version","/
edrData/causality_actor_causality_id","/edrData/
causality_actor_effective_user_sid","/edrData/
causality_actor_effective_username","/edrData/
causality_actor_primary_user_sid","/edrData/
causality_actor_primary_username","/edrData/
causality_actor_process_causality_id","/edrData/
causality_actor_process_command_line","/edrData/
causality_actor_process_execution_time","/edrData/
causality_actor_process_image_command_line","/
edrData/causality_actor_process_image_extension","/
edrData/causality_actor_process_image_md5","/
edrData/causality_actor_process_image_name","/
edrData/causality_actor_process_image_path","/
edrData/causality_actor_process_image_sha256","/
edrData/causality_actor_process_instance_id","/
edrData/causality_actor_process_integrity_level","/
edrData/causality_actor_process_is_special","/
edrData/causality_actor_process_os_pid","/edrData/
causality_actor_process_signature_product","/edrData/
causality_actor_process_signature_status","/edrData/
causality_actor_process_signature_vendor","/edrData/
event_id","/edrData/event_is_simulated","/edrData/
event_sub_type","/edrData/event_timestamp","/edrData/
event_type","/edrData/event_utc_diff_minutes","/edrData/
event_version","/edrData/host_metadata_hostname","/edrData/
missing_action_remote_process_instance_id","/facility","/
generatedTime","/recordType","/recsize","/trapsId","/uuid","/
xdr_unique_id","/meta_internal_id","/external_id","/is_visible","/
is_secdo_event","/severity","/alert_source","/internal_id","/
matching_status","/local_insert_ts","/source_insert_ts","/
alert_name","/alert_category","/alert_description","/
bioc_indicator","/matching_service_rule_id","/external_url","/
xdr_sub_type","/bioc_category_enum_key","/alert_action_status","/
agent_data_collection_status","/attempt_counter","/case_id","/
global_content_version_id","/global_rule_id","/is_whitelisted"
When alert logs are forwarded by email, each field is labeled, one line per field.
Email body format example:
edrData/action_country:
edrData/action_download:
edrData/action_external_hostname:
edrData/action_external_port:
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_previous_file_extension: null
edrData/action_file_previous_file_name: null
edrData/action_file_previous_file_path: null
edrData/action_file_sha256: null
edrData/action_file_size: 0
edrData/action_file_remote_ip: null
edrData/action_file_remote_port: null
edrData/action_is_injected_thread:
edrData/action_local_ip:
edrData/action_local_port:
edrData/action_module_base_address:
edrData/action_module_image_size:
edrData/action_module_is_remote:
edrData/action_module_is_replay:
edrData/action_module_path:
edrData/action_module_process_causality_id:
edrData/action_module_process_image_command_line:
edrData/action_module_process_image_extension:
edrData/action_module_process_image_md5:
edrData/action_module_process_image_name:
edrData/action_module_process_image_path:
edrData/action_module_process_image_sha256:
edrData/action_module_process_instance_id:
edrData/action_module_process_is_causality_root:
edrData/action_module_process_os_pid:
edrData/action_module_process_signature_product:
edrData/action_module_process_signature_status:
edrData/action_module_process_signature_vendor:
edrData/action_network_connection_id:
edrData/action_network_creation_time:
edrData/action_network_is_ipv6:
edrData/action_process_causality_id:
edrData/action_process_image_command_line:
edrData/action_process_image_extension:
edrData/action_process_image_md5:
edrData/action_process_image_name:
edrData/action_process_image_path:
edrData/action_process_image_sha256:
edrData/action_process_instance_id:
edrData/action_process_integrity_level:
edrData/action_process_is_causality_root:
edrData/action_process_is_replay:
edrData/action_process_is_special:
edrData/action_process_os_pid:
edrData/action_process_signature_product:
edrData/action_process_signature_status:
edrData/action_process_signature_vendor:
edrData/action_proxy:
edrData/action_registry_data:
edrData/action_registry_file_path:
edrData/action_registry_key_name:
edrData/action_registry_value_name:
edrData/action_registry_value_type:
edrData/action_remote_ip:
edrData/action_remote_port:
edrData/action_remote_process_causality_id:
edrData/action_remote_process_image_command_line:
edrData/action_remote_process_image_extension:
edrData/action_remote_process_image_md5:
edrData/action_remote_process_image_name:
edrData/action_remote_process_image_path:
edrData/action_remote_process_image_sha256:
edrData/action_remote_process_is_causality_root:
edrData/action_remote_process_os_pid:
edrData/action_remote_process_signature_product:
edrData/action_remote_process_signature_status:
edrData/action_remote_process_signature_vendor:
edrData/action_remote_process_thread_id:
edrData/action_remote_process_thread_start_address:
edrData/action_thread_thread_id:
edrData/action_total_download:
edrData/action_total_upload:
edrData/action_upload:
edrData/action_user_status:
edrData/action_username:
edrData/actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_effective_user_sid: S-1-5-18
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_is_injected_thread: false
edrData/actor_primary_user_sid: S-1-5-18
edrData/actor_primary_username: NT AUTHORITY\SYSTEM
edrData/actor_process_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_command_line:
edrData/actor_process_execution_time: 1559827133585
edrData/actor_process_image_command_line:
edrData/actor_process_image_extension:
edrData/actor_process_image_md5:
edrData/actor_process_image_name: System
edrData/actor_process_image_path: System
edrData/actor_process_image_sha256:
edrData/actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_integrity_level: 16384
edrData/actor_process_is_special: 1
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_product: Microsoft Windows
edrData/actor_process_signature_status: 1
edrData/actor_process_signature_vendor: Microsoft Corporation
edrData/actor_thread_thread_id: 64
edrData/agent_content_version: 58-9124
edrData/agent_host_boot_time: 1559827133585
edrData/agent_hostname: padme-7
edrData/agent_id: a832f35013f16a06fc2495843674a3e9
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_is_vdi: false
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/agent_os_type: 1
edrData/agent_session_start_time: 1559827592661
edrData/agent_version: 6.1.0.13895
edrData/causality_actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_effective_user_sid:
edrData/causality_actor_effective_username:
edrData/causality_actor_primary_user_sid: S-1-5-18
edrData/causality_actor_primary_username: NT AUTHORITY\SYSTEM
edrData/causality_actor_process_causality_id:
edrData/causality_actor_process_command_line:
edrData/causality_actor_process_execution_time: 1559827133585
edrData/causality_actor_process_image_command_line:
edrData/causality_actor_process_image_extension:
edrData/causality_actor_process_image_md5:
edrData/causality_actor_process_image_name: System
edrData/causality_actor_process_image_path: System
edrData/causality_actor_process_image_sha256:
edrData/causality_actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_process_integrity_level: 16384
edrData/causality_actor_process_is_special: 1
edrData/causality_actor_process_os_pid: 4
edrData/causality_actor_process_signature_product: Microsoft Windows
edrData/causality_actor_process_signature_status: 1
edrData/causality_actor_process_signature_vendor: Microsoft Corporation
edrData/event_id: AAABa13u2PQsqXnCAB1qjw==
edrData/event_is_simulated: false
edrData/event_sub_type: 1
edrData/event_timestamp: 1560649063308
edrData/event_type: 3
edrData/event_utc_diff_minutes: 120
edrData/event_version: 20
edrData/host_metadata_hostname:
edrData/missing_action_remote_process_instance_id:
facility:
generatedTime: 2019-06-16T01:37:43
recordType: alert
recsize:
trapsId:
uuid:
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
meta_internal_id: None
external_id: 318b7f91-ae74-4860-abd1-b463e8cd6deb
is_visible: null
is_secdo_event: null
severity: SEV_010_INFO
alert_source: BIOC
internal_id: None
matching_status: null
local_insert_ts: null
source_insert_ts: 1560649063308
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
matching_service_rule_id: 200
external_url: null
xdr_sub_type: BIOC - Credential Access
bioc_category_enum_key: null
alert_action_status: null
agent_data_collection_status: null
attempt_counter: null
case_id: null
global_content_version_id:
global_rule_id:
is_whitelisted: false
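The email body above is one "key: value" line per field, and JSON-valued fields such as bioc_indicator arrive wrapped in double quotes with every inner quote doubled (CSV-style escaping). The following Python example is added here and is not code from the Cortex XDR guide or from Palo Alto Networks: it parses such a body into a dictionary, undoes the quote doubling, decodes the embedded JSON, and reassembles the BIOC rule text from the indicator's pretty_name tokens so it can be checked against alert_description. The sample body is a constructed excerpt of the example above; the decoding rules (empty, null and None become None; quoted or bare JSON is decoded; everything else stays a string) and all function names are this example's assumptions, not a documented contract.

```python
import json
import re

# Constructed sample: a trimmed excerpt of the BIOC alert email body shown above.
# JSON values are wrapped in double quotes with every inner quote doubled.
SAMPLE_EMAIL_BODY = r'''
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_size: 0
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_status: 1
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_version: 6.1.0.13895
edrData/host_metadata_hostname:
recordType: alert
meta_internal_id: None
severity: SEV_010_INFO
alert_source: BIOC
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
is_whitelisted: false
'''

# A field label is the text before the first colon: letters, digits, '_' and '/'.
LINE_RE = re.compile(r"^([A-Za-z0-9_/]+): ?(.*)$")


def unquote_csv(value):
    """Undo CSV-style quoting: strip the outer quotes and collapse doubled quotes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def _reject_constant(name):
    # json.loads accepts NaN/Infinity by default; a hostname could legitimately be
    # called that, so treat those tokens as plain text instead (assumption).
    raise ValueError(name)


def decode_value(raw):
    """Decode one textual value (rules are this example's assumption)."""
    raw = raw.strip()
    if raw == "" or raw in ("null", "None"):
        return None
    text = unquote_csv(raw)
    try:
        return json.loads(text, parse_constant=_reject_constant)
    except ValueError:
        return text


def parse_email_body(body):
    """Parse a one-field-per-line email body into {label: decoded value}."""
    fields = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"not a 'label: value' line: {line!r}")
        label, raw = match.groups()
        fields[label] = decode_value(raw)
    return fields


def bioc_indicator_to_text(indicator):
    """Reassemble the rule text from the pretty_name of each indicator token."""
    return " ".join(token["pretty_name"] for token in indicator)


def triage_summary(fields):
    """The values an analyst reads first, plus a round-trip check of the rule text."""
    indicator = fields.get("bioc_indicator") or []
    rule_text = bioc_indicator_to_text(indicator)
    return {
        "alert_name": fields.get("alert_name"),
        "severity": fields.get("severity"),
        "category": fields.get("alert_category"),
        "rule_text": rule_text,
        "description_matches_indicator": rule_text == fields.get("alert_description"),
        "whitelisted": bool(fields.get("is_whitelisted")),
    }


if __name__ == "__main__":
    parsed = parse_email_body(SAMPLE_EMAIL_BODY)
    print(json.dumps(triage_summary(parsed), indent=2))
```

Two caveats follow from the decoding rules: a value that happens to be a bare number is decoded as a number (agent_version survives as a string only because it has several dots), so keep the raw text wherever the exact spelling matters, and the rule-text round-trip only checks that the indicator tokens and alert_description agree with each other, not that the rule itself is the one you expect.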
The following table summarizes the field prefixes and additional relevant fields available for BIOC
and IOC alert logs.
[{""pretty_name"":""File"",""dat
a_type"":null,
""render_type"":""entity"",""ent
ity_map"":null},
{""pretty_name"":""action type""
,
""data_type"":null,""render_type
"":""attribute"",
""entity_map"":null},{""pretty_n
ame"":""="",
""data_type"":null,""render_type
"":""operator"",
""entity_map"":null},{""pretty_n
ame"":""all"",
""data_type"":null,""render_type
"":""value"",
""entity_map"":null},{""pretty_n
ame"":""AND"",
""data_type"":null,""render_type
"":""connector"",
""entity_map"":null},{""pretty_n
ame"":""name"",
""data_type"":""TEXT"",
""render_type"":""attribute"",
""entity_map"":""attributes""},
{""pretty_name"":""="",""data_ty
pe"":null,
""render_type"":""operator"",
""entity_map"":""attributes""},
{""pretty_name"":""*.pdf"",""dat
a_type"":null,
""render_type"":""value"",
""entity_map"":""attributes""}]"
sub_type,time_generated,id,version_info/
document_version,version_info/magnifier_version,version_info/
detection_version,alert/url,alert/category,alert/
type,alert/name,alert/description/html,alert/description/
text,alert/severity,alert/state,alert/is_whitelisted,alert/
ports,alert/internal_destinations/single_destinations,alert/
internal_destinations/ip_ranges,alert/external_destinations,alert/
app_id,alert/schedule/activity_first_seen_at,alert/schedule/
activity_last_seen_at,alert/schedule/first_detected_at,alert/
schedule/last_detected_at,user/user_name,user/url,user/
display_name,user/org_unit,device/id,device/url,device/mac,device/
hostname,device/ip,device/ip_ranges,device/owner,device/
org_unit,files
sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []
The FUTURE_USE tag applies to fields that Cortex XDR does not currently implement.
With log forwarding to an email destination, the Cortex XDR tenant sends an email with each field
on a separate line in the email body.
• Threat Logs
• Config Logs
• Analytics Logs
• System Logs
Threat Logs
Syslog format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime,
agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64,
agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion,
protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode,
terminate, terminateTarget, quarantine, block, postDetected, eventParameters(Array),
sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array),
users(Array), urls(Array), description(Array)
Email body format example:
recordType: threat
messageData/class: threat
messageData/subClass:
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
serverTime: 2018-07-02T20:01:39.591Z
endPointHeader/agentTime: 2018-07-02T20:01:03Z
endPointHeader/tzOffset: 180
product:
facility: TrapsAgent
customerId: 245143
trapsId: mac510a2monday-01
serverHost: coreop-qaauta-2606-0-112132729246-266
serverComponentVersion: 2.0.2
regionId: 70
isEndpoint: 1
agentId: dc3af3198f172048082c21ff0956866b
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.11.6
endPointHeader/is64: 1
endPointHeader/agentIp: 10.200.37.201
endPointHeader/deviceName: A1260700MC1011
endPointHeader/deviceDomain:
severity: emergency
messageData/trapsSeverity: medium
endPointHeader/agentVersion: 5.1.0.1401
endPointHeader/contentVersion: 26-3625
endPointHeader/protectionStatus: 0
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01
messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict:
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget:
quarantine:
messageData/block: 0
messageData/postDetected: 0
messageData/eventParameters: "[""/Users/administrator/Desktop/JitMac/j01_test"",""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]"
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files: "[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"",""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit
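The syslog format line above fixes the field order of a threat record, and the array fields in the email example are escaped CSV-style (outer double quotes, inner quotes doubled), with sourceProcessIdx, fileIdx and the per-process exeFileIdx and userIdx acting as indexes into the processes, files and users arrays. The Python example below is added here and is not code from the guide or from Palo Alto Networks. It assumes that a forwarded threat record is a single CSV line in exactly the documented field order, maps it onto the field names, drops the FUTURE_USE placeholder positions, decodes the (Array) fields that actually carry JSON, and then follows the index fields to recover which process, binary and user the prevention applied to. The sample line is constructed from the values of the email example above; the CSV framing, the function names, and the reuse of the files array's sha256 value in eventParameters are this example's assumptions.

```python
import csv
import json

# Field order for threat records, copied from the syslog format line above.
THREAT_SYSLOG_FIELDS = [
    name.strip()
    for name in """
    recordType, class, FUTURE_USE, eventType, generatedTime, serverTime,
    agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
    serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64,
    agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion,
    protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode,
    terminate, terminateTarget, quarantine, block, postDetected, eventParameters(Array),
    sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array),
    users(Array), urls(Array), description(Array)
    """.split(",")
    if name.strip()
]

# Constructed sample line (assumption: one CSV record per threat event, values taken
# from the email example above, FUTURE_USE positions left empty).
SAMPLE_THREAT_SYSLOG = (
    "threat,threat,,AgentSecurityEvent,2019-01-29T05:07:58.045-08:00,"
    "2018-07-02T20:01:39.591Z,2018-07-02T20:01:03Z,180,,TrapsAgent,245143,"
    "mac510a2monday-01,coreop-qaauta-2606-0-112132729246-266,2.0.2,70,1,"
    "dc3af3198f172048082c21ff0956866b,2,0,10.11.6,1,10.200.37.201,"
    "A1260700MC1011,,emergency,medium,5.1.0.1401,26-3625,0,"
    "9a94965188d2455486dd8d60cf4b3849,COMPONENT_EPM_J01,ExploitModules,"
    "CYSTATUS_JIT_EXCEPTION,,blocked,1,,,0,0,"
    '"[""/Users/administrator/Desktop/JitMac/j01_test"",'
    '""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619""]",'
    "0,-1,0,"
    '"[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test '
    'test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]",'
    '"[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"",'
    '""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",'
    '""signers"":[""N/A""],""fileName"":""j01_test""}]",'
    '"[{""userName"":""Administrator""}]",'
    "[],"
    "Memory Corruption Exploit"
)


def parse_syslog_record(line, field_names):
    """Map one CSV line onto the documented field names.

    FUTURE_USE positions are skipped; an (Array) field is JSON-decoded when its
    value looks like JSON, otherwise kept as text (description is plain text in
    the example above). A field-count mismatch is an error rather than a guess,
    which is how a forwarder that silently changed its format gets noticed.
    """
    values = next(csv.reader([line]))
    if len(values) != len(field_names):
        raise ValueError(f"expected {len(field_names)} fields, got {len(values)}")
    record = {}
    for name, value in zip(field_names, values):
        if name == "FUTURE_USE":
            continue
        is_array = name.endswith("(Array)")
        if is_array:
            name = name[: -len("(Array)")]
            if value[:1] in ("[", "{"):
                value = json.loads(value)
        record[name] = value
    return record


def _index(value):
    """Index fields arrive as text ('0', '-1', or empty); -1 and empty mean 'none'."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def _lookup(seq, idx):
    return seq[idx] if isinstance(seq, list) and isinstance(idx, int) and 0 <= idx < len(seq) else None


def resolve_threat_context(record):
    """Follow sourceProcessIdx/targetProcessIdx into processes, then exeFileIdx and userIdx."""
    files, users = record.get("files"), record.get("users")

    def describe(proc):
        if proc is None:
            return None
        binary = _lookup(files, proc.get("exeFileIdx"))
        user = _lookup(users, proc.get("userIdx"))
        return {
            "pid": proc.get("pid"),
            "command_line": proc.get("commandLine"),
            "path": binary.get("rawFullPath") if binary else None,
            "sha256": binary.get("sha256") if binary else None,
            "signers": binary.get("signers") if binary else None,
            "user": user.get("userName") if user else None,
        }

    procs = record.get("processes")
    return {
        "prevention_key": record["preventionKey"],
        "module": record["moduleId"],
        "mode": record["preventionMode"],
        "terminated": record["terminate"] == "1",
        "source": describe(_lookup(procs, _index(record["sourceProcessIdx"]))),
        "target": describe(_lookup(procs, _index(record["targetProcessIdx"]))),
    }


if __name__ == "__main__":
    rec = parse_syslog_record(SAMPLE_THREAT_SYSLOG, THREAT_SYSLOG_FIELDS)
    print(json.dumps(resolve_threat_context(rec), indent=2))
```

parse_syslog_record is not tied to threat records: pass the Config, Analytics or System field list from the sections that follow and it maps those records the same way. A targetProcessIdx of -1 (as in the example, where the exploit protection module has no separate target process) resolves to None rather than to the last element, which is the mistake a naive negative index in Python would make.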
Config Logs
Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory,
generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, severity, trapsSeverity, messageCode,
friendlyName, FUTURE_USE, msgTextEn, userFullName, userName, userRole, userDomain,
additionalData(Array), messageCode, errorText, errorData, resultData
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}
Analytics Logs
Syslog format: recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime,
serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp,
deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256,
type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked,
executionCount
Email body format example:
recordType: analytics
messageData/class: agent_data
messageData/subClass:
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product:
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain:
severity:
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
System Logs
Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory,
generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode,
friendlyName, FUTURE_USE, msgTextEn, userFullName, username, userRole, userDomain,
agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain,
agentVersion, contentVersion, protectionStatus, userFullName, username, userRole, userDomain,
messageName, messageId, processStatus, errorText, errorData, resultData, parameters,
additionalData(Array)
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}
Analytics Logs
Format: recordType, class, FUTURE_USE, eventType, category, generatedTime,
serverTime, agentTime, tzoffset, FUTURE_USE, facility, customerId, trapsId, serverHost,
serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp,
deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256,
type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked,
executionCount
Email body format example:
recordType: analytics
messageData/class: agent_data
messageData/subClass:
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product:
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain:
severity:
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
Managed Security
> About Managed Security
> Cortex XDR Managed Security Access Requirements
> Switch to a Different Tenant
> Pair a Parent Tenant with Child Tenant
> Manage a Child Tenant
> About Managed Threat Hunting
> Set up Managed Threat Hunting
> Investigate Managed Threat Hunting Reports
Child Customer Support Portal (CSP) Account: Add the user name from the parent tenant who is initiating the parent-child pairing and ensure the user name has Super User role permissions.
If you don’t own more than one account, the tenant navigator function is not available.
STEP 2 | From the list of available tenants, choose the tenant to which you want to switch (navigate).
You can also type a tenant name in the Search line to filter the list of tenants according to
what you type.
STEP 3 | In the Pair Tenant window, select the child tenant you want to pair. The drop-down only
displays child tenants you are allowed to pair with.
Child tenants are grouped according to:
• Unpaired—Children that have not yet been paired and are available. If another parent has
requested to pair with the child but the child has not yet agreed, the tenant will appear.
• Paired—Children that have already been paired to this parent.
• Paired with others—Children that have been paired with other parents.
• Pending—Children with a pending pairing request.
STEP 5 | In the child tenant Cortex XDR console, a child tenant user with Admin role permissions
needs to approve the pairing by navigating to , locating the Request for Pairing notification,
and selecting Approve.
In the child tenant’s console, pages managed by you appear with a read-only banner. Child tenant users
cannot perform any actions from these pages, but can view the configurations you create on
their behalf.
Once a configuration is created, Cortex XDR resets the child tenant data and synchronizes
the security actions configured in the parent tenant.
Field: Description
BIOC RULES & EXCEPTIONS: Name of the configuration managing the BIOC rules and exceptions actions.
Tenant_1:
users= {"employee_name": "John", "employee_number": 123}
Tenant_2:
users= {"employee_name": "John", "employee_number": "123",
"national_ID": 123456789}
When you start selecting fields from users, Cortex XDR displays only the field
employee_name as an option for the query since its name and type are the same for
both child tenants.
• Run an XQL Query API on your local and child tenants.
• Use the Query Builder to build and execute an entity-specific query across the data of a child
tenant. You can run either an ad-hoc query or scheduled query on one or more child tenants.
For each query, Cortex XDR returns up to 100,000,000 results across all selected tenants.
• Use the Query Center to view previously run XQL searches and entity queries run on your
tenant and the child tenants.
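The Tenant_1/Tenant_2 illustration above describes the rule for multi-tenant field selection: a field is offered only when its name and type agree in every selected tenant. The following Python is an added example written for this guide, not Cortex XDR's own logic; it uses constructed schemas shaped like the illustration (the tenant names, the `users` dataset and the field values are assumptions) and also reports why each excluded field was dropped, so an administrator can tell type drift between child tenants apart from a field that is simply missing.

```python
from typing import Any, Dict, List

# Constructed sample schemas mirroring the guide's Tenant_1/Tenant_2 illustration.
# These are hypothetical values, not output from a real tenant.
TENANT_SCHEMAS: Dict[str, Dict[str, Dict[str, Any]]] = {
    "Tenant_1": {"users": {"employee_name": "John", "employee_number": 123}},
    "Tenant_2": {"users": {"employee_name": "John", "employee_number": "123",
                           "national_ID": 123456789}},
}


def field_types(record: Dict[str, Any]) -> Dict[str, str]:
    """Map each field name in one tenant's record to the name of its value type."""
    return {name: type(value).__name__ for name, value in record.items()}


def common_fields(dataset: str, schemas: Dict[str, Dict[str, Dict[str, Any]]]) -> List[str]:
    """Fields of `dataset` whose name AND type match in every tenant.

    A tenant that lacks the dataset contributes no fields, so nothing is
    offered for the cross-tenant query in that case.
    """
    typed = [field_types(s.get(dataset, {})) for s in schemas.values()]
    if not typed:
        return []
    shared = set(typed[0])
    for t in typed[1:]:
        shared &= set(t)
    # Keep only fields whose type name is identical across all tenants.
    return sorted(f for f in shared if len({t[f] for t in typed}) == 1)


def explain_exclusions(dataset: str,
                       schemas: Dict[str, Dict[str, Dict[str, Any]]]) -> Dict[str, str]:
    """Reason each excluded field is not selectable: missing somewhere, or type conflict."""
    typed = {tenant: field_types(s.get(dataset, {})) for tenant, s in schemas.items()}
    every = set().union(*typed.values())
    reasons: Dict[str, str] = {}
    for f in sorted(every):
        missing = [t for t, ft in typed.items() if f not in ft]
        if missing:
            reasons[f] = "missing in " + ", ".join(missing)
            continue
        if len({ft[f] for ft in typed.values()}) > 1:
            reasons[f] = "type conflict: " + ", ".join(
                f"{t}={ft[f]}" for t, ft in typed.items())
    return reasons


if __name__ == "__main__":
    print("selectable:", common_fields("users", TENANT_SCHEMAS))
    for field, why in explain_exclusions("users", TENANT_SCHEMAS).items():
        print(f"excluded {field}: {why}")
```

Running the script on the constructed schemas lists `employee_name` as the only selectable field, flags `employee_number` as a type conflict (integer in one tenant, string in the other) and `national_ID` as missing from Tenant_1, which is the same outcome the guide describes for its example.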
STEP 2 | In the corresponding Configuration panel (1), + Create New (2) configuration.
STEP 4 | Create.
The new configuration (3) appears in the Configuration pane.
STEP 6 | In the Tenant Management table, right-click a child tenant row and Edit Configurations.
STEP 7 | Assign the configuration you want to use to manage each of the security actions.
You can configure Profiles only as Managed or Unmanaged. All profiles you create are
automatically cloned to your child tenants.
STEP 8 | Update.
The Tenant Management table is updated with your assigned configurations.
STEP 2 | In the corresponding Configuration panel, select the action configuration
you created and allocated to your child tenant.
The corresponding security action table displays the actions managing the child tenant.
STEP 2 | Configure notification emails for the impact reports and threat inquiries you want Cortex
XDR to send.
1. Select Settings > Configurations > Managed Threat Hunting.
2. Enter one or more email addresses to which you want to send reports and inquiries and
ADD each one.
3. Save your changes.
STEP 3 | Ensure a successful setup by locating in your defined email address mailbox the Welcome to
the Palo Alto Networks Cortex XDR Managed Threat Hunting Service email. If you did not
receive such an email, contact your Palo Alto sales representative.
STEP 4 | (Optional) If desired, forward Managed Threat Hunting alerts to external sources such as
email or Slack from the Settings > Configurations > General > Notifications page.
This will forward both the alert itself and the detailed report in PDF format.
The MTH page is available to users who have the Managed Threat Hunting license and
the necessary permission to view and triage alerts and incidents in Cortex XDR.
STEP 2 | In the left pane, select the report you want to investigate. You can sort the list according to
the report Type, Insert Time, or Severity, and use the search bar to help you locate reports.
After selecting a report, the right-pane view displays a summary of the Managed Threat
Hunting findings along with an attachment of the complete report.
STEP 3 | In the right pane, investigate the report findings and add your comments.
The comments are a way for you to communicate directly with the Managed Threat Hunting team
without the need to send separate emails. When you post a comment, the Managed Threat
Hunters team is notified and can see and reply to your comments. Comments are listed
chronologically and are visible to all the Cortex XDR tenant users with access to the MTH
page and the Managed Threat Hunting team. You can attach up to ten PDF or image format
files with a maximum of 10 MB per file in each comment. Editing and deleting comments is
available only on comments you wrote.