Cortex XDR™ Administrator’s Guide

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
August 4, 2019

2 CORTEX XDR™ ADMINISTRATOR’S GUIDE |


Table of Contents

Cortex XDR™ Overview ... 5
  Cortex XDR Architecture ... 7
  Cortex XDR Concepts ... 8
    XDR ... 8
    Sensors ... 8
    Log Stitching ... 8
    Causality Analysis Engine ... 8
    Causality Chain ... 9
    Causality Group Owner (CGO) ... 9
  Cortex XDR Analytics Concepts ... 10
    Analytics Engine ... 10
    Coverage of the MITRE Attack Tactics ... 10
    Analytics Detectors ... 12
    Cortex XDR Analytics Data Sources ... 13

Get Started with Cortex XDR ... 17
  Use the Cortex XDR Interface ... 19
    Manage Tables ... 20

Incident Response ... 25
  Incidents Dashboard ... 27
    Cortex XDR Incidents ... 28
    Investigate Incidents ... 29
  Cortex XDR Alerts ... 33
    Alert Sources ... 36
    Triage Alerts ... 37
    Manage Alerts ... 38
    Alert Exclusions ... 39
    Causality View ... 41
    Timeline View ... 43
    Analytics Alert View ... 44
  Response Actions ... 47
    Initiate a Live Terminal Session ... 47
    Run a Pathfinder Scan ... 52
    Add an IP Address or Domain to the Cortex XDR EDL ... 53

Search and Investigate ... 55
  Cortex XDR Query Builder ... 57
    Create a Process Query ... 57
    Create a File Query ... 59
    Create a Network Query ... 61
    Create a Registry Query ... 63
    Create an Event Log Query ... 65
    Query Across All Entities ... 67
  Cortex XDR Query Center ... 70
    Manage Your Queries ... 71
  Cortex XDR Scheduled Queries ... 75
    Manage Scheduled Queries ... 75
  Research a Known Threat ... 78

Manage Cortex XDR Rules ... 79
  Cortex XDR Rules ... 81
  Working with BIOCs ... 82
    BIOC Rule Details ... 82
    Create a BIOC Rule ... 83
    Manage Global BIOC Rules ... 85
  Working with IOCs ... 87
    IOC Rule Details ... 87
    Create an IOC Rule ... 88
  Manage Existing Rules ... 90
    Edit a Rule ... 90
    Export a Rule (BIOC Only) ... 90
    Copy a Rule ... 90
    Disable or Remove a Rule ... 90
    Add a Rule Exception ... 91

Administration ... 93
  Manage Administrative Access ... 95
    Administrative Roles ... 95
    Assign Roles to Cortex XDR Users ... 95
  Integrate External Threat Intelligence Services ... 97
  Integrate Demisto ... 99
  Integrate Third-Party Apps ... 100
  Analytics Management ... 101
    Analytics Status ... 101
    Analytics Configuration Settings ... 108
    Analytics Management ... 116
  Audit Admin Activity ... 119

Logs ... 121
  Configure Log Forwarding for BIOC and IOC Alerts ... 123
  Cortex XDR Log Format ... 125
  Configure Log Forwarding for Analytics Alerts ... 133
  Cortex XDR – Analytics Log Format ... 134

Cortex XDR™ Overview
The Cortex XDR™ app offers you complete visibility over network traffic, user behavior,
and endpoint activity. It simplifies threat investigation by correlating logs from your network
sensors (for example next-generation firewalls and Traps endpoint agents) to reveal threat
causalities and timelines. This enables you to easily identify the root cause of every alert. The
app also allows you to perform immediate response actions. Finally, to stop future attacks,
you can pro-actively define indicators of compromise (IOC) and behavioral rules to detect and
respond to malicious activity.

• Cortex XDR Architecture
• Cortex XDR Concepts
• Cortex XDR Analytics Concepts

© 2019 Palo Alto Networks, Inc.
Cortex XDR Architecture
Cortex XDR consumes data from the Cortex Data Lake and can correlate and stitch together logs across
your different log sensors to derive event causality and timelines. A Cortex XDR deployment which uses the
full set of sensors can include the following components:

• Cortex XDR—The Cortex XDR app provides complete visibility into all your data in the Cortex Data Lake.
The app provides a single interface from which you can investigate and triage alerts, take remediation
actions, and define policies to detect the malicious activity in the future.
• Palo Alto Networks next-generation firewalls—On-premise or virtual firewalls that enforce network
security policies in your campus, branch offices, and cloud data centers.
• Cortex Data Lake—A cloud-based logging infrastructure that allows you to centralize the collection and
storage of logs from your log data sources.
• Analytics engine—Cloud-based network security service that utilizes data from the Cortex Data Lake to
automatically detect and report on post-intrusion threats. The analytics engine does this by identifying
good (normal) behavior on your network, so that it can notice bad (anomalous) behavior.
• Traps—Protects your endpoints from known and unknown malware and malicious behavior and
techniques. Traps performs its own analysis locally on the endpoint but also consumes WildFire threat
intelligence. The Traps agent reports all endpoint activity to the Cortex Data Lake for analysis by Cortex
XDR apps.

Cortex XDR Concepts
• XDR
• Sensors
• Log Stitching
• Causality Analysis Engine
• Causality Chain
• Causality Group Owner (CGO)
• Cortex XDR Analytics Concepts

XDR
With Endpoint Detection and Response (EDR), enterprises rely on endpoint data as a means to trigger
cybersecurity incidents. As cybercriminals and their tactics have become more sophisticated, the time
to identify and contain breaches has only increased. XDR goes beyond the traditional EDR approach of
using only endpoint data to identify and respond to threats by applying machine learning across all your
enterprise, network, cloud, and endpoint data. This approach enables you to quickly find and stop targeted
attacks and insider abuse and remediate compromised endpoints.

Sensors
Cortex XDR™ uses your existing Palo Alto Networks products as sensors to collect logs and telemetry data.
A sensor can be any of the following Palo Alto Networks products that forwards data to the Cortex Data
Lake:
• Virtual (VM-Series) or physical firewalls—Identify known threats in your network and cloud data center
environments
• Analytics engine—Identifies anomalous behavior in your network
• Traps—Identifies threats on your Windows, Mac, and Linux endpoints and halts any malicious behavior
or files
While more sensors increase the amount of data Cortex XDR can analyze, you only need to deploy one
type of sensor, such as next-generation firewalls or Traps, to begin detecting and stopping threats with
Cortex XDR.

Log Stitching
To provide a complete picture of the events and activity surrounding an event, Cortex XDR™ correlates
network, endpoint, and cloud data across your detection sensors. The act of correlating logs from different
sources is referred to as log stitching. For example, if your firewalls detect malicious network activity, the
app can correlate that activity with endpoint logs to observe the impact of the activity and identify the
cause of the behavior.
Log stitching streamlines detection and reduces response time by eliminating the need for manual analysis
across different data sensors.

Causality Analysis Engine
The Causality Analysis Engine™ is the heart of Cortex XDR™. The Causality Analysis Engine correlates
activity from all detection sensors to establish causality chains that identify the root cause of every alert.
The Causality Analysis Engine also identifies a complete forensic timeline of events that helps you to
determine the scope and damage of an attack, and provide immediate response. The Causality Analysis
Engine determines the most relevant artifacts in each alert and aggregates the alerts into Incidents
corresponding to a single event.

Causality Chain
When a malicious file, behavior, or technique is detected, Cortex XDR™ correlates available data across
your detection sensors to display the sequence of activity that led to the alert. This sequence of events is
called the causality chain. The causality chain is built from processes, events, insights, and alerts associated
with the activity. During alert investigation you should review the entire causality chain to fully understand
why the alert occurred.

Causality Group Owner (CGO)


The Causality Group Owner (CGO) is the process in the causality chain that the Causality Analysis Engine
identified as being responsible for or causing the activities that led to the alert.
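The three concepts above (log stitching, the causality chain, and the CGO) can be made concrete with a small worked example. The following Python is an added illustration written for this page; it is not Cortex XDR code and does not reproduce the Traps or PAN-OS log formats. The event schema, the sample events, the 4-tuple-plus-time-window stitching rule, and the "highest non-system ancestor" rule used to pick the CGO are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry. The field names are a hypothetical simplified schema,
# not the real Traps or PAN-OS log formats.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "ts": 1000},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "ts": 1010},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "ts": 1020},
    {"pid": 400, "ppid": 300, "image": "update.exe",     "ts": 1030},
]
# Endpoint network events: which process opened which connection.
NET_EVENTS = [
    {"pid": 400, "src_ip": "10.1.1.5", "src_port": 51234,
     "dst_ip": "203.0.113.9", "dst_port": 443, "ts": 1031},
]
# A firewall threat log for the same connection, seen on the network a second later.
FIREWALL_ALERT = {"src_ip": "10.1.1.5", "src_port": 51234,
                  "dst_ip": "203.0.113.9", "dst_port": 443, "ts": 1032,
                  "threat": "suspicious-url"}

# Assumed heuristic: generic desktop/system parents are never chosen as the CGO.
SYSTEM_IMAGES = {"explorer.exe", "services.exe", "svchost.exe", "wininit.exe"}


@dataclass(frozen=True)
class ChainNode:
    pid: int
    image: str


def stitch_firewall_to_process(alert: dict, net_events: List[dict],
                               window_s: int = 5) -> Optional[int]:
    """Log stitching: match the firewall log's 4-tuple (within a time window)
    to the endpoint network event that carries the originating pid."""
    key = (alert["src_ip"], alert["src_port"], alert["dst_ip"], alert["dst_port"])
    for ev in net_events:
        ev_key = (ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"])
        if ev_key == key and abs(ev["ts"] - alert["ts"]) <= window_s:
            return ev["pid"]
    return None


def build_causality_chain(pid: int, process_events: List[dict]) -> List[ChainNode]:
    """Walk parent links from the alerting process up to the root; root comes first."""
    by_pid: Dict[int, dict] = {p["pid"]: p for p in process_events}
    chain: List[ChainNode] = []
    seen = set()
    cur = pid
    while cur in by_pid and cur not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(cur)
        proc = by_pid[cur]
        chain.append(ChainNode(proc["pid"], proc["image"]))
        cur = proc["ppid"]
    chain.reverse()
    return chain


def pick_cgo(chain: List[ChainNode]) -> Optional[ChainNode]:
    """Assumed CGO heuristic: the highest ancestor that is not a generic system
    process; if every node is a system process, fall back to the alerting process."""
    if not chain:
        return None
    for node in chain:
        if node.image not in SYSTEM_IMAGES:
            return node
    return chain[-1]


def investigate(alert: dict, net_events: List[dict], process_events: List[dict]) -> dict:
    """End to end: stitch the network log to a process, build the chain, pick the CGO."""
    pid = stitch_firewall_to_process(alert, net_events)
    if pid is None:
        return {"stitched": False, "chain": [], "cgo": None}
    chain = build_causality_chain(pid, process_events)
    cgo = pick_cgo(chain)
    return {"stitched": True, "pid": pid,
            "chain": [n.image for n in chain],
            "cgo": cgo.image if cgo else None}


if __name__ == "__main__":
    print(investigate(FIREWALL_ALERT, NET_EVENTS, PROCESS_EVENTS))
```

Running it stitches the firewall log to pid 400, yields the chain explorer.exe → winword.exe → powershell.exe → update.exe, and reports winword.exe as the CGO, which is the kind of root-cause answer an analyst reviews rather than just the process that touched the network. A firewall log with no matching endpoint event (wrong port or outside the time window) is reported as unstitched instead of being forced onto a chain.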

Cortex XDR Analytics Concepts
Network security professionals know that safeguarding a network requires a defense-in-depth strategy.
This layered approach to network security means ensuring that software is always patched and current,
while running hardware and software systems that are designed to keep attackers out. Many strategies
exist to keep unwanted users out of a network, most of these work by stopping intrusion attempts at the
network perimeter.
As good and necessary as those strategies and products are, they all can defend only against known threats.
Systems that look for malicious software, for example, traditionally do their work based on previously
identified MD5 signatures. But the authors of these viruses constantly make trivial modifications to the
virus to change its signature and evade virus scanners until the MD5 database is updated with the modified
and newly discovered signatures.
In other words, defensive network systems are constantly trying to keep up with the best efforts of
aggressive, nimble attackers. Your defensive network software must be 100% correct 100% of the time to
prevent successful attacks. A determined attacker, on the other hand, must be successful only once to ruin
your day.
Consequently, your network defense-in-depth strategy must include software and processes that are
designed to detect and respond to an intruder who has successfully penetrated your systems. This is the
position that Cortex XDR takes in your enterprise. The app efficiently and automatically identifies abnormal
activity on your network while providing you with the exact information you need to rapidly evaluate
potential threats and then isolate and remove those threats from your network before they can perform
real damage.
• Analytics Engine
• Coverage of the MITRE Attack Tactics
• Analytics Detectors
• Cortex XDR Analytics Data Sources

Analytics Engine
The Cortex XDR™ app uses an analytics engine to examine your network and VPN traffic, and endpoint
activity data. The analytics engine retrieves logs from Cortex Data Lake to understand the normal behavior
for your endpoints and network (creates a baseline) so that it can raise alerts when abnormal activity
occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data.
Internally, the analytics engine organizes its analytics activity into algorithms called detectors. Each detector
is responsible for raising an alert when worrisome behavior is detected. To raise alerts, each detector
compares the recent past behavior of your network entities to the expected baseline by examining the data
found in your firewall logs. A certain amount of log file time is required to establish a baseline and then a
certain amount of recent log file time is required to identify what is currently happening on your network.
The analytics engine accesses your logs as they are streamed to Cortex Data Lake and analyzes the data
as soon as it arrives. An Analytics alert is reported when the analytics engine determines an anomaly in
endpoint or network activity.

Coverage of the MITRE Attack Tactics
Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will
be neutralized.
The analytics engine can alert on any of the following attack tactics as defined by the MITRE ATT&CK™
knowledge base of tactics.

Tactic / Description

Execution
  After attackers gain a foothold in your network, they can use various techniques to execute malicious
  code on a local or remote endpoint.
  The Cortex XDR app detects malware and grayware on your network using a combination of network
  activity, Pathfinder scans of your endpoints, Traps endpoint data, and evaluation of suspicious files
  using the WildFire® cloud service.

Persistence
  To carry out a malicious action, an attacker can try techniques that maintain access in a network or on
  an endpoint. An attacker can initiate configuration changes—such as a system restart or failure—that
  require the endpoint to restart a remote access tool or open a backdoor that allows the attacker to
  regain access on the endpoint.

Discovery
  After an attacker has access to a part of your network, the attacker uses discovery techniques to
  explore and identify subnets, and to discover servers and the services that are hosted on those
  endpoints. The idea is to identify vulnerabilities within your network.
  The app detects attacks that use this tactic by looking for symptoms in your internal network traffic
  such as changes in connectivity patterns that include increased rates of connections, failed
  connections, and port scans.

Lateral Movement
  To expand the footprint inside your network, an attacker uses lateral movement techniques to obtain
  credentials to gain additional access to more data in the network.
  The analytics engine detects attacks during this phase by examining administrative operations (such as
  SSH, RDP, and HTTP), file share access, and user credential usage that is beyond the norm for your
  network. Some of the symptoms the app looks for are increased administrative activity, SMB usage,
  and remote code execution.

Command and Control
  The command and control tactic allows an attacker to remotely issue commands to an endpoint and
  receive information from it. The analytics engine identifies intruders using this tactic by looking for
  anomalies in outbound connections, DNS lookups, and endpoint processes with bound ports. The app
  is looking for unexplained changes in the periodicity of connections and failed DNS lookups, changes
  in random DNS lookups, and other symptoms that suggest an attacker has gained initial control of a
  system.

Exfiltration
  Exfiltration tactics are techniques to receive data from a network, such as valuable enterprise data. The
  app seeks to identify it by examining outbound connections with a focus on the volume of data being
  transferred. Increases in this volume are an important symptom of data exfiltration.

Analytics Detectors
The analytics engine for Cortex XDR retrieves your firewall logs from Cortex Data Lake to understand the
normal behavior for your network (creates a baseline) so that it can raise alerts when abnormal activity
occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data.
Internally, the Cortex XDR app organizes its analytics activity into algorithms called detectors. Each detector
is responsible for raising an alert when your network is exhibiting worrisome behavior.
To raise alerts, each detector compares the recent past behavior of your network entities to the expected
baseline by examining the data found in your firewall logs. A certain amount of log file time is required to
establish a baseline and then a certain amount of recent log file time is required to identify what is currently
happening on your network. The Cortex XDR app accesses your logs as they are streamed to Cortex Data
Lake and analyzes the data as soon as it arrives.
There are four meaningful time intervals for Cortex XDR Analytics detectors:

Time Interval / Description

Detection Frequency
  How often the Cortex XDR app runs the detector algorithm. Usually this is a short interval (10 minutes
  to 1 hour).

Learning Period
  The shortest amount of log file time before the app can raise an alert. This is typically the time
  between when a detector first starts running and when you see an alert but, in some cases, detectors
  pause after an upgrade as they enter a new learning period.
  Most but not all detectors will wait until they have a <learning period> amount of time before they
  run. This learning period exists to give the detector enough data to establish a baseline, which in turn
  helps to avoid false positives.
  The learning period is also referred to as the profiling or waiting period and, informally, it is also
  referred to as soak time.

Test Period
  The amount of logging time that a detector uses to determine if unusual activity is occurring on your
  network. The detector compares test period data to the baseline created during the training period,
  and uses that comparison to identify abnormal behavior.

Training Period
  The amount of logging time that the detector requires to establish a baseline, and to identify the
  behavioral limits beyond which an alert is raised. Because your network is not static in terms of its
  topology or usage, detectors are constantly updating the baselines that they require for their analytics.
  For this update process, the training period is how far back in time the detector goes to update and
  tune the baseline.
  This period is also referred to as the baseline period.

Note: When establishing a baseline, detectors compute limits beyond which network activity will require
an alert. In some cases, detectors do not compute baseline limits; instead they are predetermined by
Cortex XDR engineers. The engineers determine the values used for predetermined limits using statistical
analysis of malicious activity recorded worldwide. The engineers routinely perform this statistical analysis
and update the predetermined limits as needed with each release of Cortex XDR.

These time periods are different for every Cortex XDR Analytics detector. The actual amount of logging
data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex
XDR Analytics Alert Reference.
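To show how the four intervals fit together, here is an added worked example of a single detector (a discovery-style "failed connections per host" detector in the spirit of the MITRE tactic table above) written in Python for this page. It is not Cortex XDR code: the interval lengths, the simplified firewall log fields, the sample traffic, the "mean plus three standard deviations" computed limit, and the engineer-set floor of 20 that stands in for a predetermined limit are all assumptions chosen to make the mechanics visible.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Illustrative interval values. The guide describes these periods but gives no fixed numbers.
DETECTION_FREQUENCY = 10 * 60   # how often the detector runs (10 minutes)
LEARNING_PERIOD = 6 * 3600      # minimum log time before any alert may be raised
TRAINING_PERIOD = 24 * 3600     # look-back used to build and continuously refresh the baseline
TEST_PERIOD = 3600              # recent window compared against the baseline
BUCKET = 3600                   # baseline unit: denied connections per source host per hour
PREDETERMINED_MIN = 20          # assumed engineer-set floor standing in for a "predetermined limit"
SIGMAS = 3.0                    # computed limit: mean + 3 standard deviations of the baseline


def make_sample_logs(start: int) -> List[dict]:
    """Constructed, simplified firewall traffic logs (not the PAN-OS log format).
    Host A shows 4-6 denied connections per hour for a day and then sweeps 60 ports
    in the final hour; host B is steady throughout."""
    logs = []
    for h in range(24):
        for i in range(4 + h % 3):
            logs.append({"ts": start + h * 3600 + i * 300, "src": "10.1.1.5",
                         "dst": "10.1.2.10", "dport": 445, "action": "deny"})
        for i in range(5):
            logs.append({"ts": start + h * 3600 + i * 300, "src": "10.1.1.6",
                         "dst": "10.1.2.10", "dport": 445, "action": "deny"})
    test_start = start + 24 * 3600
    for p in range(60):
        logs.append({"ts": test_start + p * 30, "src": "10.1.1.5",
                     "dst": f"10.1.2.{p + 1}", "dport": 1000 + p, "action": "deny"})
    for i in range(5):
        logs.append({"ts": test_start + i * 300, "src": "10.1.1.6",
                     "dst": "10.1.2.10", "dport": 445, "action": "deny"})
    return logs


def hourly_failed_counts(logs: List[dict], start: int, length: int) -> Dict[str, List[int]]:
    """Count denied connections per source host per hourly bucket in [start, start + length)."""
    n_buckets = length // BUCKET
    counts: Dict[str, List[int]] = defaultdict(lambda: [0] * n_buckets)
    for rec in logs:
        if rec["action"] == "deny" and start <= rec["ts"] < start + length:
            counts[rec["src"]][(rec["ts"] - start) // BUCKET] += 1
    return counts


def run_detector(logs: List[dict], now: int) -> dict:
    """One detector run at time `now`, using only logs that have already arrived."""
    logs = [rec for rec in logs if rec["ts"] < now]
    # Learning period: refuse to alert until enough log time exists for a baseline.
    if not logs or now - min(rec["ts"] for rec in logs) < LEARNING_PERIOD:
        return {"status": "learning", "alerts": []}
    test_start = now - TEST_PERIOD            # test period: the most recent hour
    train_start = test_start - TRAINING_PERIOD  # training period: the 24 hours before it
    baseline = hourly_failed_counts(logs, train_start, TRAINING_PERIOD)
    recent = hourly_failed_counts(logs, test_start, TEST_PERIOD)
    alerts = []
    # Hosts never seen during training have no baseline and are skipped on this run.
    for host, hours in baseline.items():
        limit = max(mean(hours) + SIGMAS * pstdev(hours), PREDETERMINED_MIN)
        observed = sum(recent.get(host, []))
        if observed > limit:
            alerts.append({"host": host, "observed": observed, "limit": limit})
    return {"status": "ready", "alerts": alerts}


def scheduled_runs(first: int, last: int) -> List[int]:
    """Timestamps at which the detector fires between `first` and `last` (detection frequency)."""
    return list(range(first, last + 1, DETECTION_FREQUENCY))


if __name__ == "__main__":
    now = 1_700_000_000
    sample = make_sample_logs(now - TEST_PERIOD - TRAINING_PERIOD)
    print(run_detector(sample, now))
```

Because the training window slides with every run, the baseline is refreshed continuously, which is the behaviour the Training Period entry describes. The floor of 20 also shows why a predetermined limit matters: host A's computed limit from its quiet baseline would be about 7.4 failed connections per hour, low enough that a modest blip could fire, so the engineer-set floor keeps the detector from alerting on noise while the 60-port sweep still clears it easily.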

Cortex XDR Analytics Data Sources


Each detector supplies the Cortex XDR analytics engine with different log types and data it can use to raise
alerts on anomalous or malicious behavior. The logs and data that the engine analyzes depends on the data
sources you set up for use with the app. Some alerts are raised as a result of endpoint data recorded by
Traps and some alerts are raised as a result of network data coming from firewalls or remote endpoints
using Prisma Access or GlobalProtect clientless VPN. In some cases, one type of log is required to raise an
alert while another type of log provides additional coverage and details.
The Cortex XDR Analytics Alert Reference identifies the logs that are required by each detector and alert.
The analytics engine can analyze logs and data from one or more of the following sources:
• Palo Alto Networks Next-Generation Firewalls
• GlobalProtect™ and Prisma Access
• Traps Agents and Traps Management Service
• Hybrid Deployment

Palo Alto Networks Next-Generation Firewalls
Palo Alto Networks Firewalls perform traditional and next-generation firewall activities. The Cortex XDR
analytics engine can analyze Palo Alto Networks firewall logs to obtain intelligence about the traffic on your
network. A Palo Alto Networks firewall can also enforce Security policy based on IP addresses and domains
associated with Analytics alerts with external dynamic lists.
Panorama provides centralized administration for Palo Alto Networks next-generation firewalls and
provides cohesive policy management and unified reporting across firewalls. When you configure your
next-generation firewalls to forward required logs to Cortex Data Lake, you must add the firewall as a
managed device on Panorama. You can control which log types the firewall sends to the service. To provide
greater coverage and accuracy, enable enhanced application logs on your Palo Alto Networks firewalls. To
configure firewalls to support the Cortex XDR, see Set Up Cortex XDR.
In a firewall-only deployment, you can make use of Pathfinder to monitor endpoints. Pathfinder scans
hosts, servers, and workstations for malicious activity. The app can also use the analysis from traffic logs
in combination with other data sources (for example Traps or Pathfinder) to increase coverage of your
network and endpoints, and to provide more context when investigating alerts.
If you use GlobalProtect or GlobalProtect cloud service to extend your firewall security coverage to your
mobile endpoint users, the Cortex XDR – Analytics app can also analyze VPN traffic, as described in the
following section.
GlobalProtect™ and Prisma Access
GlobalProtect and Prisma Access secure mobile endpoint traffic. The analytics engine can analyze
the GlobalProtect VPN traffic to detect anomalous behavior on mobile endpoints connected through
GlobalProtect or Prisma Access.
A firewall deployment with GlobalProtect or Prisma Access extends the same detection capability available
with firewall logs within your network, to your mobile endpoints that roam outside of your firewall-
protected network. The same firewall prerequisites apply to deployments with or without GlobalProtect
and Prisma Access. Cortex XDR creates a Mobile VPN User device type which profiles all of the user’s VPN
traffic.

Traps Agents and Traps Management Service


Traps provides continuous monitoring and reporting of endpoint activity. The Cortex XDR analytics engine
can analyze activity and traffic based entirely on endpoint activity data sent from Traps. For better coverage
and greater insight into investigations, use a combination of Traps and firewalls to supply activity logs for
analysis. You can also use Traps management service to manage your endpoints. To use Traps with
Cortex XDR, you must install Traps 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or
later) and enable data collection. Data collection enables Traps to monitor activity on the endpoint and
collect forensic information that the Cortex XDR app can use to detect suspicious behavior.
Deployment with Traps™ Only
If you do not use Palo Alto Networks firewalls in your deployment, the Cortex XDR analytics engine uses
endpoint activity data that is collected by Traps agents to detect anomalous network behavior originating
from those endpoints.

Hybrid Deployment
In a hybrid environment consisting of both Traps and Palo Alto Networks firewalls, optionally with
GlobalProtect or Prisma Access, the app provides better coverage in detecting anomalous activity
and deeper insight into the causality chain of malicious activity. We recommend using both Traps for
endpoint data collection and Palo Alto Networks firewalls to supply network logs. In a hybrid environment,
Pathfinder is still recommended for additional coverage and accuracy, to enable incident response (IR)
through a live terminal, and to scan any endpoints without a Traps agent installed.

14 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Cortex XDR™ Overview


© 2019 Palo Alto Networks, Inc.
The Cortex XDR app can also use other Palo Alto Networks services to aid it in its analytics and reporting
functions. The more data sources that send logs and data to Cortex Data Lake, the higher the accuracy and
coverage Cortex XDR can provide. More data sources provide more context when investigating alerts. For
example, the app uses the WildFire® cloud service to analyze suspicious files that Pathfinder scanned on
your endpoints.

Get Started with Cortex XDR
For information on activating Cortex XDR components, see the Cortex XDR Setup Guide.

> Use the Cortex XDR Interface

Use the Cortex XDR Interface
Before you can get started with Cortex XDR, you must Set Up Cortex XDR Apps and Related Services.

Cortex XDR provides an easy-to-use interface that you can access from the Cortex hub. The first time you
log in to the Cortex XDR app, you see the Incidents Dashboard. The next time you log in, the app displays
the Incidents table as the first page, however you can return to the dashboard from the Incidents menu at
any time.
In addition to the Incidents pages, and depending on your assigned role, you can explore the following
areas in the app.

Interface Description

1. Incidents: From the Incidents menu you can view and investigate incidents from the dashboard and
incidents table, and view alert exclusions.
• Dashboard—Provides an overview of the incidents prioritized by severity.
• Incidents—Lists all incidents in the app.
• Alert Exclusions—Lists all alert exclusion policies.

2. Investigation: From the Investigation menu you can investigate a lead or hunt for threats. You can
access the Query Builder to search logs from your Palo Alto Networks sensors, the Query Center to view
the status of all queries, and Scheduled Queries to view the status and modify the frequency of recurring
queries.

3. Rules: From the Rules menu you can create new rules to help improve your security posture. As you
investigate and research threats and uncover specific indicators and behaviors associated with a threat,
you can create rules to detect and alert you when the behavior occurs.

4. Response: From the Response menu you can take action to respond to threats. You can open a Live
Terminal connection to an endpoint to investigate processes and files locally, and you can add malicious
domains and IP addresses to an external dynamic list (EDL) enforceable on your Palo Alto Networks
firewall.

5. Settings and management: From the gear icon, you can view a log of actions initiated by Cortex XDR
analysts, configure Cortex XDR settings to integrate with other apps and services, and manage settings for
the analytics engine.

6. Notifications: View Cortex XDR notifications such as when a query completes.

7. User: The user who is logged into the Cortex XDR app and additional information about the app,
including EDR log data retention.

The following topics describe additional management actions you can perform on page results:
• Filter Page Results
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows

Manage Tables
Most pages in Cortex XDR present data in table format and provide controls to help you manage and filter
the results. If additional views or actions are available for a specific value, you can pivot (right-click) from
the value in the table. For example, you can view the incident details, or pivot to the Causality View for an
alert or you can pivot to the results for a query.

On most pages, you can also refresh the content on the page using the refresh icon.
To manage tables in the app:
• Filter Page Results
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows

Filter Page Results


To reduce the number of results, you can filter by any heading and value. When you apply a filter, Cortex
XDR displays the filter criteria above the results table. You can also filter individual columns for specific
values using the icon to the right of the column heading.
Some fields also support additional operators such as =, !=, Contains, not Contains, *, !*.
There are two ways you can filter results:
• By column using the filter next to a field heading
• By building a filter query for one or more fields
Filters are persistent. When you navigate away from the page and return, any filters you added remain
active.
To build a filter using one or more fields:

STEP 1 | From a Cortex XDR page, select Filter.

Cortex XDR adds the filter criteria above the table. For example, on the filter page:

STEP 2 | Select the field by which you want to filter.

STEP 3 | Select the operator by which to match the criteria.


In most cases this will be = to include results that match the value you specify, or != to exclude results
that match the value.

STEP 4 | Enter a value to complete the filter criteria and then click outside of the filter to apply it to alert
results.

CMD fields have a 128 character limit. Shorten longer query strings to 127 characters and
add an asterisk (*).

Alternatively, you can select Include empty values to create a filter that includes or excludes results
when the field has an empty value.

STEP 5 | To add additional filters, click the + and repeat steps 2 through 4.

STEP 6 | Click out of the filter area into the results table to see the results.

STEP 7 | Next steps:


• If at any time you want to remove the filter, click the X next to it. To remove all filters, click the trash
icon. To temporarily disable a filter, right-click the filter and select Disable (you can later right-click
the disabled filter and Enable it). When you click into the table, Cortex XDR applies any active filters.
• Save and Share Filters.

Save and Share Filters


You can save and share filters across your organization.

• Save a filter:
Saved filters are listed on the Filters tab of the table layout and filter manager menu.
1. Save the active filter using the save icon.
2. Enter a name to identify the filter.
You can create multiple filters with the same name. Saving a filter with an existing name will not
overwrite the existing filter.
3. Choose whether to Share this filter or to keep it private for your own use only.

• Share a filter:
You can share a filter across your organization.

1. Select the table layout and filter menu indicated by the three vertical dots, then select Filters.

2. Select the filter to share and click the share icon.


3. If needed, you can later unshare or delete a filter using the corresponding icons.

Unsharing a filter turns a public filter private. Deleting a shared filter removes it for all users.

Show or Hide Results


As an alternative to building a filter query from scratch or using the column filters, you can pivot from rows
and specific values to define the match criteria to fine tune the results in the table. You can also pivot on
empty values to show only results with empty values or only results that do not have empty values in the
column from which you pivot.

CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated value,
the app shows or hides all results that match the first 128 characters.

The show or hide action is a temporary means of filtering the results: If you navigate away from the page
and later return, any results you previously hid will appear again.
To reduce the number of results displayed:

• Hide or show only results that match a specific field value.


This option is available for fields which have a finite list of options.
1. Right click the matching field value by which you want to hide or show.
2. Select the desired action:
• Hide rows with <field value>
• Show rows with <field value>
• Hide empty rows
• Show empty rows

• Hide a specific row.


Right click anywhere in the row, and select Hide this row.

• Permanently remove a row.


Right click anywhere in the row, and select Remove.

Manage Columns and Rows
From Cortex XDR pages, you can manage how you want to view the results table and what information you
want the Cortex XDR app to display.
• Adjust the row height
• Adjust the column width
• Add or remove fields in the table
Any adjustments you make to the columns or rows persist when you navigate away from and later return to
the page.

• Adjust the row height:


1. On the Cortex XDR page select the menu indicated by three vertical dots to the right of the Filter
button.
2. Select the desired ROW VIEW option.

Cortex XDR updates the table to present the results in the desired row height view ranging from
short to tall.

• Adjust the column width:


1. On the Cortex XDR page, select the menu indicated by three vertical dots to the right of the Filter
button.
2. Select the desired column width option from the COLUMN MANAGER.

Cortex XDR updates the table to present the results in the desired view: narrow, fixed width, or
scaled to the column heading.

• Add or remove fields in the table:


1. On a Cortex XDR page, select the menu indicated by three vertical dots to the right of the Filter
button.
2. Below the column manager, select the fields you want to add or clear any fields you want to hide.
Cortex XDR adds or removes the fields in the table as you select or clear them.
3. If desired, drag and drop the fields to change the order in which they appear in the table.

Incident Response
> Cortex XDR Incidents
> Cortex XDR Alerts
> Response Actions

Incidents Dashboard
The Incidents dashboard is the first page you see in the Cortex XDR app when you log in and provides
a graphical summary of incidents in your environment, with incidents prioritized and listed by severity,
assignee, incident age, and affected hosts.

Interface Description

1. Incidents: From the Incidents menu you can view the dashboard or the full table of incidents.

2. Color Theme Toggle: The theme toggle enables you to switch the interface theme colors for the
dashboard between light and dark.

3. Assigned Incidents: The Assigned Incidents graph shows the distribution of incidents by assignee and
shows how many of the open incidents are aged. Aged incidents have not been modified in seven days.
Select an assignee to open the incidents table filtered to display only incidents with the selected assignee.

4. Open Incidents (Summary): The Open Incidents summary displays the total number of open incidents
by incident severity. Select a severity to open a filtered view of incidents by the selected severity.

5. Open Incidents (Timeline): The Open Incidents graph shows all open incidents over time and shows how
many of the open incidents are aged. Aged incidents have not been modified in seven days. Select the time
range in the upper right to view the number of open incidents over the last 1D (1 day), 7D (7 days), or 30D
(30 days). Hover over the graph to view the number of open incidents on a specific day.

6. Top Hosts: The Top Hosts area of the dashboard lists the hosts with the highest number of incidents and
the distribution of incidents by incident severity. Select a host to view all incidents related to that host.

7. Top Incidents: The Top Incidents table lists incidents prioritized by alert severity. Select an incident to
view the incident details.

Cortex XDR Incidents


The Incidents table lists all incidents in the Cortex XDR app.

An attack can affect several hosts or users and raises different alert types stemming from a single event. All
artifacts, assets, and alerts from a threat event are gathered into an Incident.
The logic by which the Cortex XDR app assigns an alert to an incident is based on a set of rules that
take into account different attributes. Examples of alert attributes include alert source, type, and time
period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it
with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped
with the same incident if an open incident already exists. Otherwise, the new incoming alert will create
a new incident. The Incidents table displays all incidents including the incident severity to enable you to
prioritize, track, and update incidents. For additional insight into the entire scope and cause of an event,
you can view all relevant assets, suspicious artifacts, and alerts within the incident details. You can also
track incidents, document the resolution, and assign analysts to investigate and take remedial action. Select
multiple incidents to take bulk actions on incidents.
The following table describes both the default and additional optional fields that you can view in the
Incidents table and lists the fields in alphabetical order.

Field Description

Check box: Select one or more incidents on which to perform the following actions:
• Assign incidents to an analyst in bulk
• Change the status of multiple incidents
• Change the severity of multiple incidents
• Merge incidents into a single incident

Actions: Manage multiple incidents with Actions.

Alerts Breakdown: The total number of alerts and the number of alerts by severity.

Assigned To: The user to whom the incident is assigned. The assignee tracks which analyst is responsible
for investigating the threat. Incidents that have not been assigned have a status of Unassigned.

Creation Time: The time the first alert was added to a new incident.

Hosts: The number of hosts affected by the incident. Right-click the host count to view the list of hosts
grouped by operating system.

Incident Description: The description is generated from the alert name of the first alert added to the
incident, the host and user affected, or the number of users and hosts affected.

Incident ID: A unique number that identifies the incident.

Incident Name: A user-defined incident name.

Last Updated: The last time a user took an action or an alert was added to the incident.

Resolve Comment: The comment the user adds when changing the incident status to a Resolved status.

Severity: The severity of the highest-severity alert in the incident, or the user-defined severity.

Status: Incidents have the status set to New when they are generated. To begin investigating an incident,
set the status to Under Investigation. The Resolved status is subdivided into resolution reasons:
• Resolved - Threat Handled
• Resolved - Known Issue
• Resolved - Duplicate Incident
• Resolved - False Positive

Total Alerts: The total number of alerts in the incident.

Users: Users affected by the alerts in the incident. If more than one user is affected, click + <n> more to
see the list of all users in the incident.

From the Incidents page, you can right-click an incident to view the incident, and investigate the related
assets, artifacts, and alerts. For more information see Investigate Incidents.

Investigate Incidents
An attack event can affect several users or hosts and raise different types of alerts caused by a single event.
You can track incidents, assign analysts to investigate, and document the resolution. For a record log of all
actions taken by analysts in the incident, see Audit Admin Activity.

Use the following steps to investigate an incident:

STEP 1 | Select Incidents.

STEP 2 | Locate the incident you want to investigate.


There are several ways you can filter or sort incidents. To identify the incidents with the highest threat
impact, you can filter by the incident Severity. You can also filter for New incidents to view only the
incidents that have not yet been investigated.
After you locate an incident you want to investigate, right-click it and select View Incident.

The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those
alerts in a single location. From the Incident details page you can manage the alert and investigate an
event within the context and scope of a threat.

STEP 3 | Assign an incident to an analyst.


Select the assignee (or Unassigned in the case of a new incident) below the incident description and
begin typing the analyst’s email address for automated suggestions. Users must have logged into the app
to appear in the auto-generated list.

STEP 4 | Assign an incident status.

Select the incident status to update the status from New to Under Investigation to indicate
which incidents have been reviewed and to filter by status in the incidents table.

STEP 5 | Review the details of the incident, such as alerts and insights related to the event, and affected
assets and artifacts.
• Investigate Key Artifacts.
Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related
to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts

alerts into Incidents based on the key artifacts. If the key artifact is determined by the app or third-
party threat intelligence services to be malicious, the app displays the Threat Intelligence service
result with the corresponding key artifact. Different key artifacts have different weights according to
their impact and case. The app analyzes the alert type, related causality chains, and key artifacts to
determine which incident has the highest correlation with the alert, and the Cortex XDR app groups
the alert with that incident.
The Threat Intelligence column in the Key Artifacts panel lists the WildFire (WF) verdicts, VirusTotal
(VT) scores, and AutoFocus (AF) tags if the appropriate product licenses are available. As an example
of what to investigate: if WildFire identifies the file as malware, the row with the artifact displays a
red malware icon. To add supported third-party services, see Integrate External Threat Intelligence
Services.
Right-click a file or process under Key Artifacts to view the entire artifact report.
• Investigate Key Assets.
Key Assets identify the scope of endpoints and users affected by the threat. Right-click an asset to
filter alerts by that asset.
• Investigate Alerts.
The Cortex XDR app separates out high and medium severity alerts on the Alerts tab and low
severity and informational alerts on the Insights tab. Incidents are only created through medium
or high severity alerts. Review the alerts and, if additional context is required, review the related
insights.
During your investigation, you can also perform additional management of alerts, which include:
• Analyze an Alert
• View the Alert Causality
• View the Alerts in a Timeline
• Create an Incident from Multiple Alerts
• Create Alert Exclusions

STEP 6 | If, after reviewing the incident details, you want to suppress one or more alerts from
appearing in the future, create an exclusion policy.
1. Enter a POLICY NAME to identify your alert exclusion.
2. Enter a descriptive COMMENT that identifies the reason or purpose of the alert exclusion policy.
3. Select Actions > Create Exclusion Policy.
4. Use the alert filters to add the match criteria for the alert exclusion policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to
show you which alerts in the incident would be excluded. To see all matching alerts including those
not related to the incident, clear the option to Show only alerts in the named incident.

5. Create the exclusion policy and confirm the action.

If you later need to make changes, you can view, modify, or delete the exclusion policy from the
Incidents > Alert Exclusions page.

STEP 7 | (Optional) Change the incident severity.


The default severity is based on the highest alert in the incident. To manually change the severity select
Actions > Change Incident Severity and choose the new severity. The smaller severity bubble indicates
the original severity.

STEP 8 | Track and share your investigation progress.


Add notes or comments to track your investigative steps and any remedial actions taken.
• Use notes to add code snippets to the incident or a general description of the threat. Select the note to
add and edit the incident notes.
• Use the comments to coordinate the investigation between analysts and track the progress of the
investigation. Select the comments to view or manage comments. Collapse the comment threads for an
overview of the discussion. If needed, use Search to find specific words or phrases in the comments.

STEP 9 | Resolve the incident.


After the incident is resolved:
1. Set the status to Resolved.
Select the status from the Incident details or select Actions > Change Incident Status.
2. Select the reason the incident was resolved.

3. Add a comment that explains the reason for closing the incident.
4. Select OK.
The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming
alerts to a new incident.
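The grouping rules stated under Cortex XDR Incidents (an alert joins an open incident that shares its causality chain or key artifacts; only medium or high severity alerts open a new incident, while low and informational alerts are insights; and, as step 9 notes, a resolved incident receives no further alerts) can be modelled in a short simulation. The following is an added illustration, not Cortex XDR code: the `Alert` and `Incident` classes, the scoring weights in `IncidentStore`, and the sample alerts are constructed assumptions and do not reproduce the app's actual rule set.

```python
from dataclasses import dataclass, field
from typing import Optional

# Only medium and high severity alerts open a new incident; low and
# informational alerts are "insights" that may join an existing incident.
INCIDENT_SEVERITIES = {"medium", "high"}
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
RESOLUTION_REASONS = {
    "Resolved - Threat Handled",
    "Resolved - Known Issue",
    "Resolved - Duplicate Incident",
    "Resolved - False Positive",
}


@dataclass(frozen=True)
class Alert:
    alert_id: int
    cid: str              # causality instance ID, shared by one causality chain
    severity: str
    host: str
    artifacts: frozenset  # key artifacts (file hashes, domains, IPs); constructed


@dataclass
class Incident:
    incident_id: int
    status: str = "New"
    alerts: list = field(default_factory=list)
    cids: set = field(default_factory=set)
    artifacts: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        # Default incident severity is the highest alert severity it contains.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    def add(self, alert: Alert) -> None:
        self.alerts.append(alert)
        self.cids.add(alert.cid)
        self.artifacts.update(alert.artifacts)
        self.hosts.add(alert.host)


class IncidentStore:
    """Toy correlation store. The weights are assumptions, not the app's rules."""

    CID_WEIGHT = 10  # same causality chain outweighs any artifact overlap

    def __init__(self) -> None:
        self.incidents = []  # list of Incident, id == position + 1

    def _best_open_match(self, alert: Alert) -> Optional[Incident]:
        best, best_score = None, 0
        for inc in self.incidents:
            if inc.status in RESOLUTION_REASONS:
                continue  # resolved incidents never receive new alerts
            score = self.CID_WEIGHT if alert.cid in inc.cids else 0
            score += len(alert.artifacts & inc.artifacts)
            if score > best_score:
                best, best_score = inc, score
        return best

    def ingest(self, alert: Alert) -> Optional[Incident]:
        """Attach the alert to the best-correlated open incident, or open a new
        one if the alert is severe enough. Returns None for an insight that
        correlates with nothing (it would appear only on the Insights tab)."""
        inc = self._best_open_match(alert)
        if inc is None:
            if alert.severity not in INCIDENT_SEVERITIES:
                return None
            inc = Incident(incident_id=len(self.incidents) + 1)
            self.incidents.append(inc)
        inc.add(alert)
        return inc

    def resolve(self, incident_id: int, reason: str) -> None:
        if reason not in RESOLUTION_REASONS:
            raise ValueError(f"unknown resolution reason: {reason}")
        self.incidents[incident_id - 1].status = reason


def run_demo() -> dict:
    """Constructed sample alerts that exercise each grouping rule."""
    store = IncidentStore()
    a1 = Alert(1, "CID-1", "high", "ws-01", frozenset({"sha256:aaa"}))
    a2 = Alert(2, "CID-1", "low", "ws-01", frozenset())                 # same chain, insight
    a3 = Alert(3, "CID-9", "low", "ws-02", frozenset({"sha256:zzz"}))   # unrelated insight
    a4 = Alert(4, "CID-1", "medium", "ws-03", frozenset({"sha256:aaa"}))
    first = store.ingest(a1)
    second = store.ingest(a2)
    third = store.ingest(a3)
    store.resolve(first.incident_id, "Resolved - Threat Handled")
    fourth = store.ingest(a4)  # chain matches, but incident 1 is resolved
    return {
        "a1_incident": first.incident_id,
        "a2_incident": second.incident_id,
        "a3_incident": None if third is None else third.incident_id,
        "a4_incident": fourth.incident_id,
        "incident_1_severity": first.severity,
        "incident_1_alerts": len(first.alerts),
        "incident_2_severity": fourth.severity,
    }
```

Running `run_demo()` shows the low-severity alert on the same causality chain joining incident 1 without changing its severity, the unrelated low-severity alert creating nothing, and the medium-severity alert that arrives after resolution opening incident 2 rather than reopening incident 1.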

Cortex XDR Alerts
The Alerts page shows a table of all alerts in Cortex XDR.

The Alerts page consolidates non-informational alerts from your detection sources to enable you to
efficiently and effectively triage the events you see each day. By analyzing the alert, you can better
understand the cause of what happened and the full story with context to validate whether an alert requires
additional action.
To view detailed information for an alert, you can also open the Causality View and the Timeline View.
From these views you can also view related informational alerts that are not presented on the Alerts
page.
By default, the Alerts page displays the alerts that it received over the last seven days (to modify the time
period, use the page Cortex XDR Alerts). Every 12 hours, Cortex XDR enforces a cleanup policy to remove
the oldest alerts that exceed the maximum alerts limit.
The following table describes both the default fields and additional optional fields that you can add to the
alerts table and lists the fields in alphabetical order.

Field Description

Status Indicator: Identifies whether the EDR and corresponding firewall data match and can be stitched
together. While the Cortex XDR app is trying to match existing firewall data with expected EDR data the
dot is temporarily gray (up to 5 minutes), and the dot turns green once the data sources are stitched
together. A gray dot for longer than 5 minutes indicates that the Cortex XDR app is not receiving EDR data.

Check box: Select one or more alerts on which to perform actions. Select multiple alerts to assign all
selected alerts to an analyst, or to change the status or severity of all selected alerts.

ACTION: Action taken by the alert sensor, with the action status displayed in parentheses:
• Detected
• Detected (Download)
• Detected (Post Detected)
• Detected (Prompt Allow)
• Detected (Reported)
• Detected (Scanned)
• Prevented (Blocked)
• Prevented (Prompt Block)

ALERT ID: A unique identifier that Cortex XDR assigns to each alert.

ALERT NAME: If the alert was generated by Cortex XDR, the Alert Name will be the specific Cortex XDR
rule that created the alert (BIOC or IOC rule name). If from an external system, it will carry the name
assigned to it by Cortex XDR.
For alerts coming from firewalls, if duplicate alerts with the same name and host are raised within 24
hours, they are aggregated and identified by a +n tag.

ALERT SOURCE: Source of the alert: BIOC, Analytics BIOC, IOC, Traps, Firewall, or Analytics.

APP ID: Related App-ID for an alert. App-ID is a traffic classification system that determines what an
application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by
the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes
the detected application.

CATEGORY: Alert category based on the alert source. An example of a BIOC alert category is Evasion. An
example of a Traps alert category is Exploit Modules.

CGO CMD: Command-line arguments of the Causality Group Owner.

CGO NAME: The name of the process that started the causality chain based on Cortex XDR causality logic.

CGO SIGNATURE: Signing status of the CGO:
• Unsigned
• Signed
• Invalid Signature
• Unknown

CGO SIGNER: The name of the software publishing vendor that signed the file in the causality chain that
led up to the alert.

CID: Unique identifier of the causality instance generated by Cortex XDR.

DESCRIPTION: Text summary of the event including the alert source, alert name, severity, and file path.
For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.

EVENT TYPE: The type of event on which the alert was triggered:
• File Event
• Injection Event
• Load Image Event
• Network Event
• Process Execution
• Registry Event

FILE PATH: When the alert triggered on a file (the Event Type is File) this is the path to the file on the
endpoint. If not, then N/A.

FILE MD5: MD5 hash value of the file.

FILE SHA256: SHA256 hash value of the file.

HOST NAME: The endpoint or server on which this alert triggered.

HOST OS: Operating system of the endpoint or server on which this alert triggered.

INITIATED BY: The name of the process that initiated an activity such as a network connection or registry
change.

INITIATOR CMD: Command line used to initiate the process, including any arguments.

INITIATOR SIGNATURE: Signing status of the process that initiated the activity:
• Unsigned
• Signed
• Invalid Signature
• Unknown

INITIATOR SIGNER: Signer of the process that triggered the alert.

LOCAL IP: If the alert triggered on network activity (the Event Type is Network Connection) this is the IP
address of the host that triggered the alert. If not, then N/A.

LOCAL PORT: If the alert triggered on network activity (the Event Type is Network Connection) this is the
port on the endpoint that triggered the alert. If not, then N/A.

REGISTRY DATA: If the alert triggered on registry modifications (the Event Type is Registry) this is the
registry data that triggered the alert. If not, then N/A.

REGISTRY FULL KEY: If the alert triggered on registry modifications (the Event Type is Registry) this is
the full registry key that triggered the alert. If not, then N/A.

REMOTE HOST: If the alert triggered on network activity (the Event Type is Network Connection) this is
the IP address of the remote host that triggered the alert. If not, then N/A.

SEVERITY: The severity that was assigned to this alert when it was triggered (or modified): Informational,
Low, Medium, High, or Unknown. For BIOCs and IOCs, you define the severity when you create the rule.
Insights are low and informational severity alerts that do not raise incidents, but provide additional
details when investigating an event. For the severity associated with Traps events, see Log Types and
Severity Levels. For Analytics, see Cortex XDR – Analytics Alert Severity Statuses.

TIMESTAMP: The date and time when the alert was triggered, either by Cortex XDR or by another Palo Alto
Networks detection sensor.

From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts
for deeper understanding of the cause and timeline of the event.
• Manage Alerts
• Causality View
• Timeline View

Alert Sources
To provide a complete picture of threats across your network and endpoints, Cortex XDR aggregates alerts
from your detection sources. In addition, Cortex XDR raises alerts based on the indicator rules that you
define.
The following table describes the possible alert sources:

Alert Source Name: Description

IOC: An alert from an indicator of compromise (IOC) alert source indicates Cortex XDR identified a match to an IOC rule (for example, a rule configured for a specific IP address or SHA256 file hash).

BIOC: An alert from a behavioral indicator of compromise (BIOC) alert source indicates Cortex XDR identified a match to a BIOC rule matching a specific causality chain of events.

Analytics BIOC: An Analytics BIOC alert indicates a rule match for a single endpoint event, while referencing profile data created by the analytics engine. For information on the types of Analytics alerts, see the Cortex XDR Analytics Alert Reference.

PAN NGFW: An alert generated by Palo Alto Networks firewalls that detect anomalous network activity. Firewall alerts that stem from the same source, with the same alert name within 24 hours, are aggregated into a single alert with a +n tag to show the number of additional alerts the firewall detected.

Traps: A Traps alert is an endpoint-related security event reported by the Traps agents to your Traps management service instance. Depending on the capabilities you enable in your security policy, Traps can block and alert on malware, exploits, and malicious activity. Traps can run on Windows, Mac, and Linux endpoints.

Analytics: An Analytics alert is reported after the analytics engine ensures that an anomaly in endpoint or network activity is truly suspicious. To create baselines of normal behavior, as well as other network and endpoint profiles, the analytics engine retrieves and analyzes logs from Cortex Data Lake. To raise alerts, the analytics engine uses machine-learning algorithms (known as detectors), comparing aspects of recent network and endpoint behavior to the expected baselines and profiles. Analytics alerts reference behaviors occurring over (sometimes long) stretches of time, rather than single events. For information on the types of Analytics alerts, see the Cortex XDR Analytics Alert Reference.
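To make the aggregation rule for PAN NGFW alerts concrete, here is an added example (it is not part of the guide and not Cortex XDR product code) that folds constructed firewall alerts with the same source and alert name into one record carrying a +n tag. It assumes the 24-hour window is measured from the first alert in each group; the guide does not state how the window is anchored.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real firewall data): the reporting firewall,
# the alert name, and the detection time in ISO 8601 form.
SAMPLE_ALERTS = [
    {"source": "fw-edge-01", "name": "Spyware Detection", "time": "2019-08-01T09:00:00"},
    {"source": "fw-edge-01", "name": "Spyware Detection", "time": "2019-08-01T10:30:00"},
    {"source": "fw-edge-01", "name": "Spyware Detection", "time": "2019-08-01T20:00:00"},
    # 26 hours after the first alert, so it opens a new group under the assumed rule
    {"source": "fw-edge-01", "name": "Spyware Detection", "time": "2019-08-02T11:00:00"},
    {"source": "fw-edge-02", "name": "Spyware Detection", "time": "2019-08-01T09:05:00"},
    {"source": "fw-edge-01", "name": "Vulnerability Exploit", "time": "2019-08-01T09:10:00"},
]

WINDOW = timedelta(hours=24)


def aggregate_firewall_alerts(alerts, window=WINDOW):
    """Collapse alerts with the same source and name whose time falls within
    `window` of the first alert in the group (assumption: the window is anchored
    on the group's first alert). Returns one record per group; `display` carries
    the +n tag, where n is the number of additional alerts folded in."""
    ordered = sorted(alerts, key=lambda a: a["time"])  # ISO strings sort chronologically
    groups = []
    for alert in ordered:
        t = datetime.fromisoformat(alert["time"])
        for g in groups:
            same_key = g["source"] == alert["source"] and g["name"] == alert["name"]
            if same_key and t - g["first_time"] <= window:
                g["count"] += 1
                break
        else:  # no open group accepted the alert: start a new one
            groups.append({"source": alert["source"], "name": alert["name"],
                           "first_time": t, "count": 1})
    result = []
    for g in groups:
        tag = f" +{g['count'] - 1}" if g["count"] > 1 else ""
        result.append({"source": g["source"], "name": g["name"],
                       "first_time": g["first_time"].isoformat(),
                       "count": g["count"], "display": g["name"] + tag})
    return result


if __name__ == "__main__":
    for rec in aggregate_firewall_alerts(SAMPLE_ALERTS):
        print(rec["source"], rec["first_time"], rec["display"])
```

With the constructed input, the three fw-edge-01 Spyware Detection alerts on August 1 become one record shown as "Spyware Detection +2", and the August 2 alert, the fw-edge-02 alert, and the Vulnerability Exploit alert each stay separate.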

Triage Alerts
When the Cortex XDR app displays a new alert on the Alerts page, use the following steps to investigate
and triage the alert:

STEP 1 | Review the data shown in the alert such as the command-line arguments (CMD), process info,
etc.
For more information about the alert fields, see Cortex XDR Alerts.

STEP 2 | Analyze the chain of execution in the Causality View.
When the app correlates an alert with additional endpoint data, the Alerts table displays a green dot to
the left of the alert row to indicate the alert is eligible for analysis in the Causality View. If the alert has a
gray dot, the alert is not eligible for analysis in the Causality View. This can occur when there is no EDR
data collected for an event, EDR data collection is disabled by policy, or the app has not yet finished
processing the EDR data. To view the reason analysis is not available, hover over the gray dot.

STEP 3 | Review the Timeline View to see the sequence of events over time.

STEP 4 | If deemed malicious, consider responding by isolating the endpoint from the network.

STEP 5 | Inspect the information again to identify any behavioral details that you can use to Create a
BIOC Rule.
If you can create a BIOC rule, test and tune the logic for the rule, and then save it.

Manage Alerts
From the Alerts page, you can manage the alerts you see and the information Cortex XDR displays about
each alert.

• Create an Incident from Multiple Alerts
• Copy Alerts
• Analyze an Alert
• Investigate an Alert in Timeline
• Add an Alert Exclusion Policy

Create an Incident from Multiple Alerts
To quickly manage alerts within an incident, select multiple alerts and, for example, move alerts between
incidents or change the status of multiple alerts at once. You can also track groups of alerts by creating a
new incident with those alerts.

STEP 1 | Select the alerts you want to group into an incident.
From the Alerts page or the Incident details page, check the desired alerts.

STEP 2 | Select Actions > Create New Incident and confirm the alerts.

STEP 3 | Verify the incident details, such as the severity and incident name, and optionally assign the
incident to an analyst.
See Investigate Incidents for incident details.

Copy Alerts
There are two ways you can copy an alert into memory: you can copy the URL of the alert record, or you
can copy the value for an alert field. With either option, you can paste the contents of memory into an
email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field
value, you can also easily paste it into a search or begin a query.

• Create a URL for an alert record:
1. From the Alerts page, right-click the alert you want to send.
2. Select Copy alert URL.
Cortex XDR saves the URL to memory.
3. Paste the URL into an email or use as needed to share the alert.

• Copy a field value in an alert record:
1. From the Alerts page, right-click the field in the alert that you want to copy.
2. Select Copy.
Cortex XDR saves the field contents to memory.
3. Paste the value into an email or use as needed to share information from the alert.

Analyze an Alert
To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that
empowers you to make a thorough analysis very quickly. There are two types of analysis views that are
available depending on the type of alert. The Causality View is available for BIOC, IOC, or Traps alerts that
are based on endpoint data and the Analytics View is available for Analytics alerts.
To start the analysis:

STEP 1 | From the Alerts page, locate the alert you want to analyze.

STEP 2 | Right-click anywhere in the alert, and select Analyze.
Cortex XDR opens the alert in the corresponding view. Review the chain of execution and available data,
and navigate through the processes on the tree.

Investigate an Alert in Timeline
The Timeline provides another way for you to investigate alerts quickly by enabling you to observe the
timeline of activity related to an alert. The Timeline View is available for alerts on endpoint data (BIOC, IOC,
Traps).
To investigate an alert in timeline:

STEP 1 | From the Alerts page, locate the alert you want to analyze.

STEP 2 | Right-click anywhere in the alert, and select Investigate in timeline.
Cortex XDR opens the alert in the Timeline View.

STEP 3 | Review the sequence of events over time.

Alert Exclusions
The Alert Exclusions page displays all alert exclusions in Cortex XDR.

An alert exclusion is a policy that contains a set of alert match criteria that you want to suppress from
Cortex XDR. You can Add an Alert Exclusion Policy from scratch or you can base the exclusion off of alerts
that you investigate in an incident. After you create an exclusion policy, Cortex XDR hides any future alerts
that match the criteria from incidents and search query results. If you choose to apply the policy to historic
results as well as future alerts, the app identifies any historic alerts as grayed out.
The following table describes both the default fields and additional optional fields that you can add to the
alert exclusions table and lists the fields in alphabetical order.

Field: Description

Check box: Select one or more alert exclusions on which you want to perform actions.

BACKWARD SCAN STATUS: Exclusion policy status for historic data, either enabled if you want to apply the policy to previous alerts or disabled if you don't want to apply the policy to previous alerts.

COMMENT: Administrator-provided comment that identifies the purpose or reason for the exclusion policy.

DESCRIPTION: Text summary of the policy that displays the match criteria.

MODIFICATION DATE: Date and time when the exclusion policy was created or modified.

NAME: Descriptive name provided to identify the exclusion policy.

POLICY ID: Unique ID assigned to the exclusion policy.

STATUS: Exclusion policy status, either enabled or disabled.

USER: User that last modified the exclusion policy.

USER EMAIL: Email associated with the administrative user.

Add an Alert Exclusion Policy
Through the process of triaging alerts or resolving an incident, you can determine a specific alert does not
indicate a threat. If you do not want Cortex XDR to display alerts that match certain criteria, you can create
an alert exclusion policy. After you create an exclusion policy, the app hides any future alerts that match the
criteria, and excludes the alerts from incidents and search query results. If you choose to apply the policy to
historic results as well as future alerts, the app identifies any historic alerts as grayed out.
There are two ways to create an exclusion policy. You can define the exclusion criteria when you
Investigate Incidents or you can create an alert exclusion from scratch.

To build an alert exclusion policy from scratch:

STEP 1 | Select Incidents > Alert Exclusions.

STEP 2 | Select + Add Exclusion Policy.

STEP 3 | Enter a Policy Name to identify the exclusion policy.

STEP 4 | Enter any comments to explain the purpose or intent behind the policy.

STEP 5 | Define the exclusion criteria.
Use the filters at the top to build your exclusion criteria. Alternatively, to use existing alert values to
populate your exclusion criteria, right-click the value and select Add rows with <value> to policy. For
example, right-click a value in the Alert Source column to base the criteria on an IOC alert source.
As you define the criteria, the app filters the results to display matches.

STEP 6 | Review the results.
The alerts in the table will be excluded from appearing in the app after the policy is created and,
optionally, any existing alert matches will be grayed out.

This action is irreversible: All historic excluded alerts will remain excluded if you disable or
delete the policy.

STEP 7 | Select Create and then Yes to confirm the alert exclusion policy.

Causality View
The Causality View provides a powerful way to analyze and respond to alerts. The scope of the Causality
View is the Causality Instance (CI) to which this alert pertains. The Causality View presents the alert
(generated by Cortex XDR or sent to Cortex XDR from a supported alert source such as Traps) and includes
the entire process execution chain that led up to the alert. On each node in the CI chain, XDR app provides
information to help you understand what happened around the alert.

The Causality View comprises five sections:

Section: Description

Context: Summarizes information about the alert you are analyzing, including the host name, the process name on which the alert was raised, and the host IP address.

Host Isolation: You can choose to isolate the host on which the alert was triggered from the network.

CI Chain: Includes the graphic representation of the Causality Instance (CI) along with other information and capabilities to enable you to conduct your analysis. The Causality View presents a single CI chain. The CI chain is built from process nodes, events and alerts. The chain presents the process execution and might also include events that these processes caused and alerts that were triggered on the events or processes. The Causality Group Owner (CGO) is displayed on the left side of the chain. The CGO is the process that is responsible for all the other processes, events and alerts in the chain. You need the entire CI to fully understand why the alert occurred.
The Causality View provides an interactive way to view the CI chain for an alert. You can move it, extend it, and modify it. To adjust the appearance of the CI chain, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the CI graph.
From any process node, you can also right-click to display additional actions that you can perform during your investigation:
• Show parents and children—If the parent is not presented by default, you can display it. If the process has children, XDR app displays the number of children beneath the process name and allows you to display them for additional information.
• Hide branch—Hide a branch from the Causality View.
• Blacklist a process—If after investigating the activity in the CI chain, you want to blacklist a process across your entire organization, you can block it by the SHA256 hash value.
The color of a process node also correlates to the WildFire verdict.
• Blue—Benign.
• Yellow—Grayware.
• Red—Malware.
• Light gray—Unknown verdict.
• Dark gray—The verdict is inconclusive.

Entity Data: Provides additional information about the entity that you selected. The data varies by the type of entity but typically identifies information about the entity related to the cause of the alert and the circumstances under which the alert occurred.

Events Table: Displays all related events for the process node which match the alert criteria that were not triggered in the alert table but are informational BIOCs.

To view statistics for files on VirusTotal, you can pivot from the Initiator MD5 or SHA256 value of the file on the Files tab.

Timeline View
The Timeline provides a forensic timeline of the sequence of events, alerts, and informational BIOCs
involved in an attack. While the Causality View of an alert surfaces related events and processes that
Cortex XDR identifies as important or interesting, the Timeline displays all related events, alerts, and
informational BIOCs over time.

The Timeline screen consists of four parts:

Section: Description

CGO (and process instances that are part of the CGO): Cortex XDR displays the Causality Group Owner (CGO) and the host on which the CGO ran in the top left of the timeline. The CGO is the parent process in the execution chain that Cortex XDR identified as being responsible for initiating the process tree. In the example above, wscript.exe is the CGO and the host it ran on was HOST488497. You can also click the blue corner of the CGO to view and filter related processes from the Timeline. This will add or remove the process and related events or alerts associated with the process from the Timeline.

Timespan: By default, Cortex XDR displays a 24-hour period from the start of the investigation and displays the start and end time of the CGO at either end of the timescale. You can move the slide bar to the left or right to focus on any time-gap within the timescale. You can also use the time filters above the table to focus on set time periods.

Activity: Depending on the type of activities involved in the CI chain of events, the activity section can present any of the following three lanes across the page:
• Alerts—The alert icon indicates when the alert occurred.
• BIOCs—The category of the alert is displayed on the left (for example: tampering or lateral movement). Each BIOC event also indicates a color associated with the alert severity. An informational severity can indicate something interesting has happened but there weren't any triggered alerts. These events are likely benign but are byproducts of the actual issue.
• Event information—The event types include process execution, outgoing or incoming connections, failed connections, data upload, and data download. Process execution and connections are indicated by a dot. One dot indicates one connection while many dots indicate multiple connections. Uploads and downloads are indicated by a bar graph that shows the size of the upload and download.
The lanes depict when activity occurred and provide additional statistics that can help you investigate. For BIOCs and Alerts, the lanes also depict activity nodes—highlighted with their severity color: high (red), medium (yellow), low (blue), or informational (gray)—and provide additional information about the activity when you hover over the node.

Related events, alerts, and informational BIOCs: Cortex XDR displays all the alerts, BIOCs (triggered and informational), and events in this table. Clicking on a node in the activity area of the Timeline filters the results you see here. Similar to other pages in Cortex XDR, you can create filters to search for specific events.

Analytics Alert View
The analytics alert view provides a detailed summary of the behavior that triggered an Analytics or Analytics
BIOC alert. This view also provides a visual depiction of the behavior and additional information you can use
to assess the alert. This includes the endpoint on which the activity was initiated, the user that performed
the action, the technique the analytics engine observed, and activity and interactions with other hosts inside
or outside of your network.

Figure 1: Analytics View of an Analytics Alert

Section: Description

1. Context: For Analytics alerts, the analytics view indicates the endpoint for which the alert was raised. For Analytics BIOC alerts, the Analytics view summarizes information about the alert, including the source host name, IP address, the process name on which the alert was raised, and the corresponding process ID.

2. Alert summary: (Analytics alerts only) Describes the behavior that triggered the alert and activity impact.

3. Graphic summary: Similar to the Causality View, the analytics view provides a graphic representation of the activity that triggered the alert and an interactive way to view the chain of behavior for an Analytics alert. You can move the graphic, extend it, and modify it. To adjust the appearance, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the graph.
The activity depicted in the graphic varies depending on the type of alert:
• Analytics alerts—You can view a summary of the aggregated activity including the source host, the anomalous activity, connection count, and the destination host. You can also select the host to view any relevant profile information.
• Analytics BIOC alerts—You can view the specific event behavior including the causality group owner that initiated the activity and related process nodes. To view the summary of the specific event, you can select the above the process node.

4. Alert description: The alert description provides details and statistics related to the activity. Beneath the description, you can also view the alert name, severity assigned to the alert, time of the activity, alert tactic (category) and type, and links to the MITRE summary of the attack tactic.

5. Events table: Displays events related to the alert.

6. Response actions: Actions you can take in response to an Analytics alert. These actions can include isolating a host from the network, initiating a live terminal session, running a Pathfinder scan, and adding an IP address or domain name to an external dynamic list (EDL) that is enforceable in your Palo Alto Networks firewall security policy.

Response Actions
• Initiate a Live Terminal Session
• Run a Pathfinder Scan
• Add an IP Address or Domain to the Cortex XDR EDL

Initiate a Live Terminal Session
To investigate and respond to alerts, you can use the Live Terminal to initiate a remote connection to an
endpoint. Cortex XDR establishes a connection on Windows endpoints using either the Traps agent or a
Pathfinder VM using an RCP connection.
The endpoint must be monitored by Pathfinder or Traps and run Windows 7 SP1 or higher to establish a
live terminal session. Pathfinder installs an agent on the endpoint that deletes itself after the remote session
closes. If the endpoint is monitored by both Pathfinder and Traps, the Cortex XDR app uses the Traps Live
Terminal to establish a remote connection (and does not use Pathfinder).
All actions taken from the Live Terminal are logged, and you can download the session report as a text file
when closing the live terminal session.
• Start a Live Terminal Session
• Investigate and Manage Processes
• Investigate and Manage Files
• Run Windows Commands
• Run Python Commands and Scripts

Start a Live Terminal Session
There are multiple ways you can start a live terminal session to an endpoint. You can start a live terminal
directly from an alert in the alerts table, or search for a hostname or IP address to connect to.

The endpoint must be monitored by Pathfinder or Traps to establish a connection. For
the search to identify hostnames, the hostname must be known by Cortex XDR. If it is
newly connected, or the endpoint is not monitored by Cortex XDR – Analytics, search by IP
address instead.

To start a live terminal session, do one of the following:
• Right-click a hostname in an alert to start a live terminal from the alerts table.
• Select Response > Live Terminal and search by hostname or IP address.
When you disconnect the live terminal session, Save the session report or Close without saving.

The session report is a text log that contains all actions taken in the live terminal session, including
commands issued and the response, and a log of tasks and processes that you marked as interesting. The
following example displays a sample session report:

Live Terminal Session Summary Initiated by user <username> on target <hostname> at Apr 9th 2019 10:54:24

Apr 9th 2019 10:54:02 Live Terminal session has started [success]
Apr 9th 2019 10:54:07 Live Terminal session end request [success]
Apr 9th 2019 10:54:08 Live Terminal session has ended [success]

No artifacts marked as interesting
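Because the session report is the audit record of what an administrator did on an endpoint, it is worth being able to process it mechanically. The following is an added example (not from the guide and not Cortex XDR code) that parses a report with the layout of the sample above into structured entries, computes the session duration, and lists any action that did not complete with [success]. The user and host names are constructed placeholders, and the regular expressions assume only the line shapes shown in the sample; any further line formats a real report may contain are not covered.

```python
import re
from datetime import datetime

# Constructed session report with the same line shapes as the sample above
# (placeholder user and host; not output from a real session).
SAMPLE_REPORT = """Live Terminal Session Summary Initiated by user jdoe on target
WS-EXAMPLE-01 at Apr 9th 2019 10:54:24

Apr 9th 2019 10:54:02 Live Terminal session has started [success]
Apr 9th 2019 10:54:07 Live Terminal session end request [success]
Apr 9th 2019 10:54:08 Live Terminal session has ended [success]

No artifacts marked as interesting
"""

# Entry lines: "<Mon> <day><st|nd|rd|th> <year> <HH:MM:SS> <action> [<status>]"
_ENTRY_RE = re.compile(
    r"^([A-Z][a-z]{2}) (\d{1,2})(?:st|nd|rd|th) (\d{4}) (\d{2}:\d{2}:\d{2}) (.*?) \[(\w+)\]$"
)
# Header may wrap after "on target", so allow any whitespace before the host.
_HEADER_RE = re.compile(r"Initiated by user (\S+) on target\s+(\S+) at ")


def parse_session_report(text):
    """Return the initiating user, target host, chronological (timestamp, action,
    status) entries, and whether any artifact was marked as interesting."""
    header = _HEADER_RE.search(text)
    if header is None:
        raise ValueError("missing Live Terminal session summary header")
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m is None:
            continue  # blank lines, the header, and the artifacts line
        mon, day, year, clock, action, status = m.groups()
        ts = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
        entries.append((ts, action, status))
    return {
        "user": header.group(1),
        "target": header.group(2),
        "entries": entries,
        "artifacts_marked": "No artifacts marked as interesting" not in text,
    }


def session_duration(report):
    """Seconds between the 'session has started' and 'session has ended'
    entries, or None if either is absent (an incomplete or truncated report)."""
    started = ended = None
    for ts, action, _status in report["entries"]:
        if action == "Live Terminal session has started":
            started = ts
        elif action == "Live Terminal session has ended":
            ended = ts
    if started is None or ended is None:
        return None
    return int((ended - started).total_seconds())


def failed_actions(report):
    """Entries whose status is anything other than success; useful when
    reviewing a batch of saved reports for actions that did not complete."""
    return [(ts, action, status) for ts, action, status in report["entries"]
            if status != "success"]


if __name__ == "__main__":
    rep = parse_session_report(SAMPLE_REPORT)
    print(rep["user"], rep["target"], session_duration(rep), "s", failed_actions(rep))
```

Note that the summary line's timestamp (10:54:24) is later than the last entry (10:54:08); the parser takes the session bounds from the entries themselves, not from the summary line.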

Investigate and Manage Processes
From the Live Terminal you can monitor processes running on the endpoint. The Task Manager displays the
task attributes, owner, and resources used. If you discover an anomalous process while investigating the
cause of an alert, you can take immediate action to terminate the process or the whole process tree, and
block processes from running.

STEP 1 | Start a Live Terminal Session.

STEP 2 | From the Live Terminal, locate the process which is causing abnormal behavior.

Select the tree view ( ) to switch between flat and tree views.
If the process is known malware, the row displays a red indicator and identifies the file using a malware
attribute.

STEP 3 | Right-click the process, and take the desired action:
• Terminate process—Terminate the process.
• Suspend process—To stop an attack while investigating the cause, you can suspend a process or
process tree without killing it entirely.
• Resume process—Resume a suspended process.
• Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan
engines. You can scan a file using the VirusTotal scan service to check for false positives or verify
suspected malware.
• Get WildFire Score—WildFire evaluates the file hash signature to compare it against known threats.
• Add the Sha256 as IOC—Add the SHA256 hash signature as an indicator of compromise and assign
the priority you want to assign to alerts that detect this hash value. The next time Cortex XDR
identifies a file with this hash signature, the app raises an alert.
• Download binary—Download the file binary to your local host for further investigation and analysis.
• Mark as Interesting—Add an Interesting tag to a process to easily locate the process in the session
report after you end the session.
• Remove from Interesting—If no threats are found, you can remove the Interesting tag.
• Copy Value—Copy the cell value to your clipboard.

STEP 4 | Select Disconnect to end the Live Terminal session.
The live terminal agent is removed from the endpoint. Choose whether to save the remote session
report including files and tasks marked as interesting. Administrator actions are not saved to the
endpoint.

Investigate and Manage Files
The File Explorer enables you to navigate the file directory on the remote endpoint and take remedial
action to:

• Create, manage, and download files, folders and drives, including connected external drives and devices
such as USB drives and CD-ROM.
• View file attributes, creation and last modified dates, and the file owner.
• Investigate files for malicious content.
To navigate files on a remote endpoint from Cortex XDR, follow these steps:

STEP 1 | Start a Live Terminal Session.

STEP 2 | Navigate the file directory on the endpoint and manage files
From the file explorer, you can add, move, and delete a single file or multiple files.
You can search for files the following ways:
• Search for any text within the visible rows on the screen from the search bar.
• Double click a folder to explore its contents.

STEP 3 | Perform basic management actions on a file.
• View file attributes
• Rename files and folders
• Export the table as a CSV file
• Move and delete files and folders

STEP 4 | Investigate files for malware
Right-click a file to take investigative action. You can take the following actions:

• Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan
engines. You can scan a file using the VirusTotal scan service to check for false positives or verify
suspected malware.
• Get WildFire Score—WildFire evaluates the file hash signature to compare it against known threats.
• Add the Sha256 as IOC—Add the SHA256 hash signature as an indicator of compromise and assign
the priority you want to assign to alerts that detect this hash value. The next time Cortex XDR
identifies a file with this hash signature, the app raises an alert.
• Mark as Interesting—Add an Interesting tag to any file or directory to easily locate the file. The files
you tag are recorded in the session report to help you locate them after you end the session.
• Remove from Interesting—If no threats are found, you can remove the Interesting tag.

• Copy Value—Copies the cell value to your clipboard.

STEP 5 | Select Disconnect to end the live terminal session.
The remote terminal agent is removed from the endpoint. Choose whether to save the remote session
report including files and tasks marked as interesting. Administrator actions are not saved to the
endpoint.

Run Windows Commands
The Live Terminal provides a command-line interface that enables you to run Windows commands on a
remote endpoint. Each command runs independently and is not persistent. To chain multiple commands
together so as to perform them in one action, use && to join commands. For example:

cd c:\windows\temp\ && <command1> && <command2>

STEP 1 | Start a Live Terminal Session

STEP 2 | Select Command Line from the Live Terminal options on the left.

STEP 3 | Run commands to manage the endpoint.


Examples include file management or launching batch files.

STEP 4 | Select Disconnect to end the Live Terminal session.
The live terminal agent is removed from the endpoint. Choose whether to save the remote session
report including files and tasks marked as interesting. Administrator actions are not saved to the
endpoint.

Run Python Commands and Scripts
The Live Terminal provides a Python command line interface that you can use to run Python commands and
scripts.
The Python command interpreter uses Unix command syntax, supports Python 3 with standard Python
libraries, and is less resource intensive than the graphical interface. To issue Python commands or scripts on
the endpoint, follow these steps:

STEP 1 | Start a Live Terminal Session.

STEP 2 | Select Python to start the python command interpreter on the remote endpoint.

STEP 3 | Run commands or scripts.

STEP 4 | Select Disconnect to end the live terminal session.
The live terminal agent is removed from the endpoint. Choose whether to save the remote session
report including files and tasks marked as interesting. Administrator actions are not saved to the
endpoint.
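The guide does not show what a script run in the Python command interpreter might look like. As an added example (not the guide's and not Cortex XDR's own code), here is a standard-library-only triage script an analyst could run on the endpoint from that interpreter: it walks a directory, computes the MD5 and SHA256 of every regular file in chunks, and flags any file whose SHA256 appears in a set of indicators the analyst has already recorded as IOCs. The indicator set and the directory built by demo() are constructed for illustration; on a real endpoint you would point inventory() at the directory under investigation and pass your own indicator set.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime

# Constructed placeholder indicator set (not real IOCs): SHA256 values the
# analyst has already added as IOCs and wants to look for on the endpoint.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large binaries
    never have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def inventory(directory, known_bad=KNOWN_BAD_SHA256):
    """Walk `directory` and return one record per regular file with its path,
    size, last-modified time, both hashes, and whether the SHA256 is a known
    indicator. Unreadable or locked files are skipped rather than aborting the
    whole walk, which matters on a live endpoint."""
    records = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            records.append({
                "path": path,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "md5": md5,
                "sha256": sha256,
                "flagged": sha256 in known_bad,
            })
    return records


def demo():
    """Build a constructed directory with two files and run inventory() against
    an indicator set containing the SHA256 of one of them."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    with open(os.path.join(tmp, "suspect.bin"), "wb") as fh:
        fh.write(b"hello")
    indicators = {hashlib.sha256(b"hello").hexdigest()}
    return sorted(inventory(tmp, known_bad=indicators), key=lambda r: r["path"])


if __name__ == "__main__":
    for rec in demo():
        print(("FLAGGED " if rec["flagged"] else "        ") + rec["sha256"], rec["path"])
```

The MD5 is computed alongside the SHA256 only because both appear as pivot values in the Causality View; the IOC match itself is on SHA256, which is the value the Add the Sha256 as IOC action records.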

Run a Pathfinder Scan
When Cortex XDR observes problematic traffic coming from an endpoint that does not use or support
Traps, it uses Pathfinder to investigate the endpoint. At any time, you can also initiate a Pathfinder scan
for a particular device. If N2PA (network-to-process association) monitoring is enabled, Pathfinder also
automatically performs periodic scanning for devices that have displayed suspicious behavior.
The Management > Pathfinder page displays status for all of these Pathfinder scan types. You can view both in-
progress and queued Pathfinder scans, a history of the scans Pathfinder has performed, and a list of devices
that are undergoing N2PA monitoring. You can export the Scan History and Hosts Under N2PA Monitoring
lists to a flat-text file for the purposes of viewing them in a spreadsheet application.
To enable N2PA monitoring, click the gear on the top menu bar, select Configuration > Pathfinder and
enable Network to Process Association (N2PA). (For details, see Pathfinder Configuration).

STEP 1 | Initiate a Pathfinder scan for a particular endpoint.
1. Open the Analytics View of an Analytics or BIOC Analytics alert.
2. Select Actions > Pathfinder .

3. Use your preconfigured credentials or configure an alternate account under which to run the
Pathfinder scan.
4. Scan the host.

STEP 2 | View the status of the scan.
Select > Analytics Management > Pathfinder.
Cortex XDR displays any on-going and queued Pathfinder Scans, the Pathfinder scan history, and
suspicious endpoints that are undergoing periodic scanning (N2PA monitoring).

Add an IP Address or Domain to the Cortex XDR EDL
Cortex XDR hosts two block lists, to which you can add IP addresses and domains as you triage alerts.
You can use a Cortex XDR external dynamic list (EDL) with a Palo Alto Networks firewall to provide an
integrated response to malicious network activity. With a Cortex XDR EDL as the source of a firewall
external dynamic list, the firewall can control user access to IP addresses and domains that the app has
found to be associated with an alert.
Before you can add to the EDL, you must configure the Cortex XDR EDL.

STEP 1 | Open the Add to EDL dialog.
There are two ways you can open the dialog: From the Response menu or in the analyze view of an
Analytics alert select Actions > Add to EDL.

STEP 2 | Enter the IP address or domain you want to add.

STEP 3 | Click the arrow to the right of the entry.

STEP 4 | Repeat these steps to add additional IP addresses or domains and then click Add when
finished.

Search and Investigate
> Cortex XDR Query Builder
> Cortex XDR Query Center
> Cortex XDR Scheduled Queries
> Research a Known Threat

Cortex XDR Query Builder
The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate any
lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats from your
data sources. With Query Builder, you can build complex queries for entities and entity attributes so that
you can surface and identify connections between them. The Query Builder searches the raw data from the
logs received by the Cortex Data Lake for the entities and attributes you specify.

The Query Builder provides queries for the following types of entities:
• Process—Search on process execution and injection by process name, hash, path, command-line
arguments, and more. See Create a Process Query.
• File—Search on file creation and modification activity by file name and path. See Create a File Query.
• Network—Search network activity by IP address, port, host name, protocol, and more. See Create a
Network Query.
• Registry—Search on registry creation and modification activity by key, key value, path, and data. See
Create a Registry Query.
• Event Log—Search Windows event logs by username, log event ID, log level, and message. See Create an
Event Log Query.
• All Actions—Search across all network, registry, file, and process activity by endpoint or process. See
Query Across All Entities.
The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.

Create a Process Query


From the Query Builder you can investigate connections between processes, child processes, and
endpoints.

For example, you can create a process query to search for processes executed on a specific endpoint.
To build a process query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select PROCESS.

STEP 3 | Enter the search criteria for the process query.


• Process action—Select the type of process action you want to search: On process Execution,
Injection into another process, or both.
• Process attributes—Define any additional process attributes for which you want to search.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
By default, Cortex XDR will return results that match the attribute you specify. To exclude an
attribute value, toggle the = option to !=. Attributes are:
• NAME—Name of the process. For example, notepad.exe.
• CMD—Command-line used to initiate the process including any arguments, up to 128 characters.
• SIGNATURE—Signing status of the process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• PATH—Path to the process. For example, C:\Program Files (x86)\Notepad\notepad.exe.
• PID—Process ID.
• SIGNER—Signer of the process.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that XDR app identified
as being responsible for initiating the process tree. Select this option if you want to apply the same
search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:


Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.
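The attribute syntax used in these steps (a pipe to separate alternative values, an asterisk as a wildcard, the = / != toggle, and an exception value that carves one value out of a match) applies to every entity type the Query Builder offers. The following Python block is an added example, not Cortex XDR code and not from this guide: it models that syntax as a small matcher and runs two process queries over constructed sample records. How Cortex XDR combines the operators internally is not documented here; the evaluation order used below (alternatives first, then exceptions, then negation), the case-insensitive comparison, and the sample records are assumptions made for the illustration.

```python
"""Model of the Query Builder attribute syntax: '|' separates alternative
values, '*' matches any run of characters, '=' / '!=' includes or excludes
matches, and an exception value carves one value out of a match.

Added example, not Cortex XDR code. The evaluation order (alternatives, then
exceptions, then negation), case-insensitive comparison and the sample
records are assumptions made for this illustration.
"""

import re
from dataclasses import dataclass, field


@dataclass
class AttributeFilter:
    attribute: str                  # record field, e.g. "NAME", "PATH", "CMD"
    pattern: str                    # pipe-separated values, '*' as wildcard
    negate: bool = False            # False for '=', True for '!='
    exceptions: list = field(default_factory=list)  # "match this value except"


def _pattern_to_regex(pattern: str):
    """Translate 'a|b*' style syntax into an anchored regular expression."""
    alternatives = []
    for alt in pattern.split("|"):
        # Escape every literal piece and glue the pieces with '.*' for each '*'.
        alternatives.append(".*".join(re.escape(piece) for piece in alt.split("*")))
    # Assumption: comparisons are case-insensitive, as Windows names are.
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.IGNORECASE)


def value_matches(pattern: str, value: str) -> bool:
    """True when the value matches at least one alternative in the pattern."""
    return _pattern_to_regex(pattern).match(value) is not None


def filter_matches(flt: AttributeFilter, record: dict) -> bool:
    """Apply one attribute filter to one record."""
    value = str(record.get(flt.attribute, ""))
    hit = value_matches(flt.pattern, value)
    # Exceptions remove values from the positive match before negation.
    if hit and any(value_matches(exc, value) for exc in flt.exceptions):
        hit = False
    return (not hit) if flt.negate else hit


def run_query(filters: list, records: list) -> list:
    """Return the records that satisfy every filter (filters are ANDed)."""
    return [r for r in records if all(filter_matches(f, r) for f in filters)]


# Constructed sample process-execution records for the demonstration.
PROCESS_EVENTS = [
    {"NAME": "notepad.exe", "PATH": r"C:\Windows\System32\notepad.exe",
     "CMD": "notepad.exe readme.txt", "HOST NAME": "WS-01"},
    {"NAME": "notepad.exe", "PATH": r"C:\Users\alice\AppData\Local\Temp\notepad.exe",
     "CMD": "notepad.exe", "HOST NAME": "WS-02"},
    {"NAME": "chrome.exe", "PATH": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "CMD": "chrome.exe --profile-directory=Default", "HOST NAME": "WS-01"},
    {"NAME": "powershell.exe", "PATH": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CMD": "powershell.exe -File backup.ps1", "HOST NAME": "SRV-01"},
]


def hosts_with_unusual_editor_path() -> list:
    """NAME is notepad.exe or chrome.exe AND PATH is outside the Windows and
    Program Files trees: a known binary name running from an unexpected location."""
    filters = [
        AttributeFilter("NAME", "notepad.exe|chrome.exe"),
        AttributeFilter("PATH", r"C:\Windows\*|C:\Program Files*\*", negate=True),
    ]
    return [r["HOST NAME"] for r in run_query(filters, PROCESS_EVENTS)]


def hosts_with_exception() -> list:
    """NAME = *.exe except chrome.exe: the exception carves chrome.exe out."""
    filters = [AttributeFilter("NAME", "*.exe", exceptions=["chrome.exe"])]
    return [r["HOST NAME"] for r in run_query(filters, PROCESS_EVENTS)]


if __name__ == "__main__":
    print("Unexpected path:", hosts_with_unusual_editor_path())
    print("Exception query:", hosts_with_exception())
```

The first query illustrates why the != toggle matters for hunting: the same binary name is benign in its install directory and worth a look when it runs from a user's Temp folder, so the filter keeps only the latter. The second query shows that an exception is narrower than a != filter: it removes one specific value from an otherwise broad wildcard match without inverting the whole condition.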

Create a File Query


From the Query Builder you can investigate connections between file activity and endpoints.

Some examples of file queries you can run include:
• Files modified on specific endpoints.
• Files that exist on specific endpoints.
To build a file query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select FILE.

STEP 3 | Enter the search criteria for the file alerts query.
• File activity—Select the type or types of file activity you want to search: Create, Read, Rename,
Delete, or Write.
• File attributes—Define any additional file attributes for which you want to search. Use a pipe
(|) to separate multiple values (for example notepad.exe|chrome.exe). By default, Cortex XDR
will return the alerts that match the attribute you specify. To exclude an attribute value, toggle the =
option to !=. Attributes are:
• NAME—File name.
• PATH—Path to the file.
• PREVIOUS NAME—Previous name of a file.
• PREVIOUS PATH—Previous path of the file.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that XDR app identified
as being responsible for initiating the process tree. Select this option if you want to apply the same
search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:


Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create a Network Query


From the Query Builder you can investigate connections between network activity, acting processes, and
endpoints.

Some examples of network queries you can run include:
• Network connections to or from a specific IP address and port number.
• Processes that created network connections.
• Network connections between specific endpoints.
To build a network query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select NETWORK.

STEP 3 | Enter the search criteria for the network alerts query.
• Network traffic type—Select the type or types of network traffic alerts you want to search: Incoming,
Outgoing, or Failed.
• Network attributes—Define any additional network attributes for which you want to search. Use a
pipe (|) to separate multiple values (for example 80|8080). By default, Cortex XDR will return the
alerts that match the attribute you specify. To exclude an attribute value, toggle the = option to
!=. Attributes are:
• REMOTE COUNTRY—Country from which the remote IP address originated.
• REMOTE IP—Remote IP address related to the communication.
• REMOTE PORT—Remote port used to make the connection.
• LOCAL IP—Local IP address related to the communication. Matches can return additional data if a
machine has more than one NIC.
• LOCAL PORT—Local port used to make the connection.
• PROTOCOL—Network transport protocol over which the traffic was sent.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that XDR app identified
as being responsible for initiating the process tree. Select this option if you want to apply the same
search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:


Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create a Registry Query


From the Query Builder you can investigate connections between registry activity, processes, and
endpoints.

Some examples of registry queries you can run include:
• Modified registry keys on specific endpoints.
• Registry keys that exist on specific endpoints.
To build a registry query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select REGISTRY.

STEP 3 | Enter the search criteria for the registry alerts query.
• Registry action—Select the type or types of registry actions you want to search: Key Create, Key
Delete, Key Rename, Value Set, or Value Delete.
• Registry attributes—Define any additional registry attributes for which you want to search. By
default, Cortex XDR will return the alerts that match the attribute you specify. To exclude an
attribute value, toggle the = option to !=. Attributes are:
• KEY NAME—Registry key name.
• DATA—Registry key data value.
• REGISTRY FULL KEY—Full registry key path.
• KEY PREVIOUS NAME—Name of the registry key before modification.
• VALUE NAME—Registry value name.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to a specific acting process:

Specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that XDR app identified
as being responsible for initiating the process tree. Select this option if you want to apply the same
search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.

STEP 5 | (Optional) Limit the scope to an endpoint or endpoint attributes:


Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 7 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 8 | When you are ready, View the Results of a Query.

Create an Event Log Query


From the Query Builder you can search Windows event log attributes and investigate event logs across
endpoints with Traps installed.

Some examples of event log queries you can run include:
• Critical level messages on specific endpoints.
• Message descriptions with specific keywords on specific endpoints.
To build an event log query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select EVENT LOG.

STEP 3 | Enter the search criteria for your Windows event log query.
Define any event attributes for which you want to search. By default, Cortex XDR will return the alerts
that match the attribute you specify. To exclude an attribute value, toggle the = option to !=. Attributes
are:
• PROVIDER NAME—The provider of the event log.
• USERNAME—The username associated with the event.
• EVENT ID—The unique ID of the event.
• LEVEL—The event severity level.
• MESSAGE—The description of the event.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.

STEP 4 | (Optional) Limit the scope to an endpoint or endpoint attributes:
Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 5 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 6 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 7 | When you are ready, View the Results of a Query.

Query Across All Entities


From the Query Builder you can perform a simple search for hosts and processes across all file, network,
registry, and process alerts.

Some examples of queries you can run across all entities include:
• All activities on a host.
• All activities initiated by a process on a host.
To build a query:

STEP 1 | From Cortex XDR, select INVESTIGATION > Query Builder.

STEP 2 | Select ALL ACTIONS.

STEP 3 | (Optional) Limit the scope to a specific acting process:

Specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that XDR app identified
as being responsible for initiating the process tree. Select this option if you want to apply the same
search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.

STEP 4 | (Optional) Limit the scope to an endpoint or endpoint attributes:


Specify one or more of the following attributes: HOST NAME, HOST IP address, or HOST OS.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.

STEP 5 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.

STEP 6 | Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.

STEP 7 | When you are ready, View the Results of a Query.

Cortex XDR Query Center
From the Query Center you can manage and view the results of all simple and complex queries created
from the Query Builder. The Query Center displays information about the query including the query
parameters and allows you to adjust and rerun queries as needed.

The following table describes the fields that are available for each query in alphabetical order.

Field Description

CREATED BY User who created or scheduled the query.

DURATION Number of seconds it took for the query to complete or error out.

ERROR Any errors encountered during the search.

NUM OF RESULTS Number of results returned by the query.

QUERY DESCRIPTION The query parameters used to run the query.

QUERY ID Unique identifier of the query.

QUERY NAME For saved queries, the Query Name identifies the query specified by
the administrator. For scheduled queries, the Query Name identifies
the auto-generated name of the parent query. Scheduled queries also
display an icon to the left of the name to indicate that the query is
reoccurring.

QUERY STATUS Status of the query:


• Queued—The query is queued and will run when there is an available
slot.
• Running
• Failed
• Partially completed—The query was stopped after exceeding the
maximum number of results permitted (10,000 alerts). To reduce the
number of results returned, you can adjust the query settings and
rerun.

• Stopped—The query was stopped by an administrator.
• Completed
• Deleted—The query was pruned.

RESULTS SAVED Yes or No.

TIMESTAMP Date and time the query was created.

Manage Your Queries


From the Query Center, you can view details about and results for all manual and scheduled queries. The
Query Center also provides management functions that allow you to modify, rerun, schedule, and remove
queries. Similar to the Alerts page, you can also refresh the page to view updated status for queries, filter
available queries based on fields in the query table, and manage the fields presented in the Query Center.

• View the Results of a Query
• Modify a Query
• Rerun or Schedule a Query to Run
• Rename a Query
• Manage Scheduled Queries

View the Results of a Query


After you run a query, you can view the alerts that match your search criteria. To view the results:

STEP 1 | Select INVESTIGATION > Query Center.

STEP 2 | Locate the query for which you want to view the results.
If necessary, use the Filter to reduce the number of queries Cortex XDR – Investigation and Response
displays.

STEP 3 | Right click anywhere in the query row and then select Show results.
Cortex XDR displays the results in a new window.

STEP 4 | (Optional) Export the results to a tab-separated values (TSV) file.


At the top of the table, click Export to file and then enter your Cortex XDR credentials.

STEP 5 | (Optional) If you want to refine your results, you can Modify a query from the query results.

Modify a Query
After you run a query you might find you need to change your search parameters such as to narrow the
search results or correct a search parameter. There are two ways you can modify a query: You can edit it in
the Query Center, or you can edit it from the results page. Both methods populate the criteria you specified
in the original query in a new query which you can modify and save.

• Modify a query from the Query Center.


1. Select INVESTIGATION > Query Center.
2. Right click anywhere in the query and then select Edit as a new query.
3. If desired, enter a descriptive name to identify the query.
4. Then modify the search parameters as desired.
5. Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in
the Query Center.

• Modify a query from the query results.


1. View the Results of a Query.
2. At the top of the query, click the pencil icon to the right of the query parameters.
Cortex XDR opens the query settings page.
3. Modify the search parameters as desired.

4. Choose when to run the query.

Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query and review the result at a later time, or Run to run the query immediately and view the
results in the Query Center.

Rerun or Schedule a Query to Run


If you want to rerun a query, you can either schedule it to run on or before a specific date, or you can rerun
it immediately. Cortex XDR will create a new query in the Query Center. When the query completes, Cortex
XDR displays a notification in the notification bar.

• Rerun a query immediately.


1. Select INVESTIGATION > Query Center.
2. Right click anywhere in the query and then select Rerun Query.
Cortex XDR initiates the query immediately.

• Schedule a query to run:


1. Select INVESTIGATION > Query Center.
2. Right click anywhere in the query and then select Schedule.
3. Choose the desired schedule option and the date and time the query should run:

• Run one time query on a specific date
• Run query by date and time—Schedule a reoccurring query at a frequency of your choice.
4. Click OK to schedule the query.
Cortex XDR creates a new query and schedules it to run on or by the selected date and time.
5. View the status of the scheduled query on the Cortex XDR Scheduled Queries page.
At any time, you can view or make changes to the query on the Scheduled Queries page. For
example, you can edit the frequency, view when the query will next run, or disable the query.

Rename a Query
If needed, you can rename a query at any time. If you later rerun the query, the new query will run using the
new name. You can also edit the name of a query when you Modify a Query.

STEP 1 | Select INVESTIGATION > Query Center.

STEP 2 | Right click anywhere in the query and then select Rename.

STEP 3 | Enter the new query name and click OK.

Cortex XDR Scheduled Queries
From the Scheduled Queries page, you can easily view all scheduled and reoccurring queries created from
the Query Builder. The Scheduled Queries page displays information about the query including the query
parameters and allows you to adjust or modify the schedule as needed. To edit a query schedule, right click
the query and select the desired action.

The following table describes the fields that are available for each query in alphabetical order.

Field Description

CREATED BY User who created or scheduled the query.

NEXT EXECUTION Next execution time if the query is scheduled to run at a specific
frequency. If the query was only scheduled to run at a specific time and
date, this field will show None.

QUERY DESCRIPTION The query parameters used to run the query.

QUERY ID Unique identifier of the query.

QUERY NAME For saved queries, the Query Name identifies the query specified by
the administrator. For scheduled queries, the Query Name identifies
the auto-generated name of the parent query. Scheduled queries also
display an icon to the left of the name to indicate that the query is
reoccurring.

RESULTS SAVED Yes or No.

SCHEDULE TIME Frequency or time at which the query was scheduled to run.

TIMESTAMP Date and time the query was created.

Manage Scheduled Queries


From the Scheduled Queries page, you can perform additional actions to manage your scheduled and
reoccurring queries.

• View Completed Queries
• Edit the Query Frequency
• Disable or Remove a Query
• Rename a Scheduled Query
• Copy a Scheduled Query

View Completed Queries


To view completed queries:

STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query for which you want to view previous executions.
If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right click anywhere in the query row and then select Show all executed instances.
Cortex XDR filters the queries on the Query Center and displays the results in a new window.

Edit the Query Frequency


STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to edit.


If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right click anywhere in the query row and then select Edit.

STEP 4 | Adjust the schedule settings as needed, and then click OK.

Disable or Remove a Query


If you no longer need a query you can temporarily disable or permanently remove it.

STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to change.


If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right click anywhere in the query row and then select Remove to permanently remove the
scheduled query, or Disable to temporarily stop the query from running at the scheduled time.
If you disable a query you can later return to the Scheduled Queries page and Enable it.

Rename a Scheduled Query
STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to change.


If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right click anywhere in the query row and then select Rename.

STEP 4 | Edit the query name as desired, and then click OK.

Copy a Scheduled Query


STEP 1 | Select INVESTIGATION > Scheduled Queries.

STEP 2 | Locate the scheduled query that you want to copy.


If necessary, use the Filter to reduce the number of queries Cortex XDR displays.

STEP 3 | Right click anywhere in the query row and then select Copy.

STEP 4 | Edit the query name as desired, and then click OK.

Research a Known Threat
This topic describes what steps you can take to investigate a lead. A lead can be:
• An alert from a non-Palo Alto Networks system with information relevant to endpoints or firewalls.
• Information from online articles or other external threat intelligence that provides well-defined
characteristics about the threat.
• Users or hosts that have been reported as acting abnormally.

STEP 1 | Use the threat intelligence you have to build a query using Cortex XDR Query Builder.
For example, if external threat intelligence indicates a confirmed threat that involves specific files or
behaviors, search for those characteristics.

STEP 2 | View the Results of a Query and refine as needed to filter out noise.
See Modify a Query.

STEP 3 | Select an event of interest, and open the Causality View.


Review the chain of execution and data, navigate through the processes on the tree, and analyze the
information.

STEP 4 | Open the Timeline View to view the sequence of events over time.

STEP 5 | Inspect the information again, and identify any characteristics you can use to create a BIOC
rule.
If you can create a BIOC rule, test and tune it, and then save it.

STEP 6 | For alerts from Traps sensors, view the original security event in your Traps management
service instance.

To pivot to an associated Traps management service instance, you must be assigned a
role that enables you to manage the Traps management service instance from the Cortex
hub.

1. Right-click the alert and View in TMS.
2. Drill down into security event details surrounding the event and modify policy rules or create
exceptions as needed.



Manage Cortex XDR Rules
> Cortex XDR Rules
> Working with BIOCs
> Working with IOCs
> Manage Existing Rules

Cortex XDR Rules
Rules enable you to generate alerts and take other actions on threats that you define. Cortex XDR –
Investigation and Response supports the following rule types:
• Behavioral indicators of compromise (BIOCs)—Identifying threats based on their behaviors can be quite
complex. As you identify specific network, process, file, or registry activity that indicates a threat, you
create BIOCs that can alert you when the behavior is detected.
• Indicators of compromise (IOCs)—Known artifacts that are considered malicious or suspicious. IOCs are
static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths.
You create IOC rules based on information that you gather from various threat-intelligence feeds or that
you gather as a result of an investigation within Cortex XDR.

Working with BIOCs
Behavioral indicators of compromise (BIOCs) enable you to alert and respond to behaviors—tactics,
techniques, and procedures. Instead of hashes and other traditional indicators of compromise, BIOC rules
detect the behavior of processes, registry, files, and network activity.
To enable you to take advantage of the latest threat research, Cortex XDR automatically receives
preconfigured rules from Palo Alto Networks. These global rules are delivered to all tenants with content
updates. In cases where you need to override a global BIOC rule, you can disable it or set a rule exception.
You can also configure additional BIOC rules as you investigate threats on your network and endpoints.
BIOC rules are highly customizable: you can create a BIOC rule that is simple or quite complex.
As soon as you create or enable a BIOC rule, the app begins to monitor input feeds for matches. Cortex
XDR also analyzes historical data collected in the Cortex Data Lake. Whenever there is a match, or hit, on a
BIOC rule, Cortex XDR logs an alert.
• BIOC Rule Details
• Create a BIOC Rule
• Manage Existing Rules
• Manage Global BIOC Rules

BIOC Rule Details


From Rules > BIOC, you can view all user-defined and preconfigured behavioral indicator of compromise
(BIOC) rules. To search for a specific BIOC rule, you can filter by one or more fields in the BIOC rules table.
From the BIOC page, you can also manage or clone existing rules.

The following table describes the fields that are available for each BIOC rule in alphabetical order.

Field Description

# OF HITS The number of hits (matches) on this behavior.

BEHAVIOR A schematic of the behavior of the rule.

COMMENT Free-form comments specified when the BIOC was created or modified.

EXCEPTIONS Exceptions to the BIOC rule. When there's a match on the exception,
the event will not trigger an alert.

INSERTION DATE Date and time when the BIOC rule was created.

MODIFICATION DATE Date and time when the BIOC was last modified.

NAME Unique name that describes the rule. Global BIOC rules defined by Palo
Alto Networks are indicated with a blue dot and cannot be modified or
deleted.

RULE ID Unique identification number for the rule.

TYPE Type of BIOC rule:


• Collection
• Credential Access
• Dropper
• Evasion
• Execution
• Evasive
• Exfiltration
• File Privilege Manipulation
• File Type Obfuscation
• Infiltration
• Lateral Movement
• Other
• Persistence
• Privilege Escalation
• Reconnaissance
• Tampering

SEVERITY BIOC severity that was defined when the BIOC was created.

SOURCE User who created this BIOC, the file name from which it was created, or
Palo Alto Networks if delivered through content updates.

STATUS Rule status: Enabled or Disabled.

Create a BIOC Rule


After identifying a threat and its characteristics, you can configure rules for behavioral indicators of
compromise (BIOCs). After you enable a BIOC rule, Cortex XDR searches for matches in your Cortex Data
Lake and raises an alert if a match is detected. Going forward, the app also alerts you when any new match is
detected.
• Create a Rule from Scratch
• Import Rules

Create a Rule from Scratch
To define a BIOC, you configure the entity and any related activity or characteristics. An entity can be
a specific process, registry, file, or network host. An entity activity can describe the various actions that
are relevant to that type of entity. For example, for a Registry entity, the actions are: Write, Rename,
and Delete. If you can identify a threat by additional attributes, you can also specify those characteristics
as additional entity information in the BIOC. For example, for a Process, you can add a process name,
command-line argument used to call the process, or a user name.

STEP 1 | From Cortex XDR, select Rules > BIOC.

STEP 2 | Select + Add Rule.

STEP 3 | Configure the BIOC criteria.


Define any relevant activity or characteristics for the entity type. Creating a new BIOC rule is similar to
the way that you create a search with Query Builder.

STEP 4 | Test your BIOC rule.


Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended
that you test the behavior of a new or edited BIOC rule before you save it. For example, if a rule will
return thousands of hits because you negated a single parameter, it is a good idea to test the rule before
you save it and make it active.
When you test the rule, Cortex XDR immediately searches for rule matches across all your Cortex Data
Lake data. If there are surprises, now is the time to see them and adjust the rule definition.

For the purpose of showing you the expected behavior of the rule before you save it,
Cortex XDR tests the BIOC on historical logs. After you save a BIOC rule, it will operate
on both historical logs and new data received from your log sensors (for example, Traps).

STEP 5 | Save your BIOC rule.

STEP 6 | Enter a descriptive name to identify the BIOC rule.

STEP 7 | Specify the SEVERITY you want to associate with the alert.

STEP 8 | Select a rule TYPE which describes the activity.

STEP 9 | Enter any additional comments such as why you created the BIOC.

STEP 10 | Click OK.

Import Rules
You can use the import feature of Cortex XDR to import BIOCs from external feeds or that you previously
exported. The export/import capability is useful for rapid copying of BIOCs across different Cortex XDR
instances.

You can only import files that were exported from Cortex XDR. You cannot edit an exported
file.

STEP 1 | From Cortex XDR, select Rules > BIOC.

STEP 2 | Select Import Rules.

STEP 3 | Drag and drop the file on the import rules dialog or browse to a file.

STEP 4 | Click Import.


Cortex XDR loads any BIOC rules. This process may take a few minutes depending on the size of the file.

STEP 5 | Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.

STEP 6 | To investigate any matches, view the Alerts page and filter the Alert Name by the name of the
BIOC rule.

Manage Global BIOC Rules


Cortex XDR checks for the latest update of global BIOC rules. If there are no new global BIOC rules, the
app displays a content status of Content up to date next to the BIOC rules table heading. A dot to
the left of the rule name indicates a global BIOC rule. You can also view the optional Source column to see
which rules are pushed by Palo Alto Networks.
• Get the latest global BIOC rules.
• Copy a global BIOC rule.
• Add a Rule Exception.

• Get the latest global BIOC rules.


1. Navigate to Rules > BIOC.
2. To view the content details, hover over the status to show the global rules version number and last
check date.

3. The content status displays the date when the content was last updated, either automatically or
manually by an administrator.

4. If the status displays Could not check update, click the status to check for updates manually.

The last updated date changes when the download is successful.

• Copy a global BIOC rule.


You cannot directly modify a global rule, but you can copy global rules as a template to create new rules.

• Add a Rule Exception.


Although you cannot edit global rules, you can add exceptions to the rule.

Working with IOCs
IOCs provide the ability to alert on known malicious objects on endpoints across the organization. You can
load IOC lists from various threat-intelligence sources into the Cortex XDR app or define them individually.
You can define the following types of IOCs:
• Full path
• File name
• Domain
• Destination IP address
• MD5 hash
• SHA256 hash
After you define or load IOCs, the app checks for matches in the endpoint data collected from Traps agents.
Checks are both retroactive and ongoing: the app looks for IOC matches in all data collected in the past and
continues to evaluate any new data it receives in the future.
Alerts for IOCs are identified by a source type of IOC (see Cortex XDR Alerts for more information).
• IOC Rule Details
• Create an IOC Rule
• Manage Existing Rules

IOC Rule Details


From the Rules > IOC page, you can view all indicators of compromise (IOCs) configured from or uploaded
to the Cortex XDR app. To reduce the number of IOC rules you see, you can filter by one or more
fields in the IOC rules table. From the IOC page, you can also manage or clone existing rules.

The following table describes the fields that are available for each IOC rule in alphabetical order.

Field Description

# OF HITS The number of hits (matches) on this indicator.

COMMENT Free-form comments specified when the IOC was created or modified.

EXPIRATION DATE The date and time at which the IOC will be removed automatically.

INDICATOR The indicator value itself. For example, if the indicator type is a
destination IP address, this could be an IP address such as 1.1.1.1.

INSERTION DATE Date and time when the IOC was created.

MODIFICATION DATE Date and time when the IOC was last modified.

RULE ID Unique identification number for the rule.

SEVERITY IOC severity that was defined when the IOC was created.

SOURCE User who created this IOC or the file name from which it was created.

STATUS Rule status: Enabled or Disabled.

TYPE Type of indicator: Full path, File name, Host name, Destination IP, MD5
hash.

Create an IOC Rule


There are two options for creating new IOC rules:
• Configure a single IOC.
• Upload a file in comma separated value (CSV) format that contains up to 20,000 IOCs. For example, you
can upload multiple file paths and MD5 hashes for an IOC rule. To help you format the upload file in the
syntax that Cortex XDR – Investigation and Response will accept, you can download the example file.

STEP 1 | From Cortex XDR, select Rules > IOC.

STEP 2 | Select + Add IOC.

STEP 3 | Configure the IOC criteria.

If after investigating a threat, you identify a malicious artifact, you can create an alert for the Single IOC
right away.
1. Configure the INDICATOR value on which you want to match.
2. Configure the IOC TYPE. Options are Full Path, File Name, Domain, Destination IP, and MD5 or
SHA256 Hash.
3. Configure the SEVERITY you want to associate with an alert for the IOC: Informational, Low,
Medium, or High.
4. (Optional) Enter a comment that describes the IOC.
5. Click Create.
If you want to match on multiple indicators, you can upload the criteria in a CSV file.
1. Select Upload File.
2. Drag and drop the CSV file containing the IOC criteria in the drop area of the Upload File dialog or
browse to the file.
Cortex XDR supports a file with multiple IOCs in a pre-configured format. For help determining the
format syntax, Cortex XDR provides an example text file that you can download.
3. Configure the SEVERITY you want to associate with an alert for the IOCs: Informational, Low,
Medium, or High.
4. Define the DATA FORMAT of the IOCs in the CSV file. Options are Mixed, Full Path, File Name,
Domain, Destination IP, and MD5 or SHA256 Hash.
5. Click Upload.

STEP 4 | (Optional) Define any expiration criteria for your IOC rules.
If desired, you can also configure additional expiration criteria per IOC type to apply to all IOC rules.
In most cases, IOC types like Destination IP or Host Name are considered malicious only for a short
period of time since they are soon cleaned and then used by legitimate services, from which time they
only cause false positives. For these types of IOCs, you can set a short expiration period. The expiration
criteria you define for an IOC type will apply to all existing rules and additional rules that you create in
the future.
1. Select Settings.
2. Set the expiration for any relevant IOC type. Options are Never, 1 week, 1 month, 3 months, or 6
months.
3. Click Save.
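As an added example (not Palo Alto Networks code), the following script is a pre-upload check for an IOC list of the kind described in STEP 3 and STEP 4 above. The CSV layout it parses (indicator, type, comment) is a constructed stand-in: the real upload syntax comes from the example file that Cortex XDR lets you download. The IOC types, the 20,000-row limit and the expiration choices are the ones this guide lists; the per-type expiration policy (short for IPs and domains, never for hashes and paths) and the month lengths are assumed example settings, and the sample indicators are constructed.

```python
"""Pre-upload validation of an IOC list (added example, not Cortex XDR code)."""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MAX_IOCS = 20_000  # per-upload limit stated in the guide

# Expiration choices the guide offers per IOC type; the durations for "1 month"
# and longer are approximations, and None means Never.
EXPIRATION_CHOICES = {
    "Never": None, "1 week": timedelta(weeks=1), "1 month": timedelta(days=30),
    "3 months": timedelta(days=90), "6 months": timedelta(days=180),
}
# Assumed policy: network indicators go stale quickly, file indicators do not.
EXPIRATION_POLICY = {
    "Destination IP": "1 week", "Domain": "1 month", "Full path": "Never",
    "File name": "Never", "MD5 hash": "Never", "SHA256 hash": "Never",
}

_HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
_HEX64 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_WIN_PATH = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)   # drive letter or UNC


def _is_ip(v):
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False

# Syntax check for each IOC type the guide lists.
VALIDATORS = {
    "MD5 hash": lambda v: bool(_HEX32.match(v)),
    "SHA256 hash": lambda v: bool(_HEX64.match(v)),
    "Destination IP": _is_ip,
    "Full path": lambda v: bool(_WIN_PATH.match(v)) or v.startswith("/"),
    "Domain": lambda v: bool(_DOMAIN.match(v)) and not _is_ip(v),
    "File name": lambda v: "/" not in v and "\\" not in v and v not in ("", ".", ".."),
}


def infer_type(value):
    """Infer the type from the value alone (the 'Mixed' data format). Hashes, IPs
    and absolute paths are unambiguous; a dotted bare name is reported as Domain,
    so file names such as 'update.exe' should carry an explicit type."""
    for t in ("MD5 hash", "SHA256 hash", "Destination IP", "Full path", "Domain"):
        if VALIDATORS[t](value):
            return t
    return "File name" if VALIDATORS["File name"](value) else None


def validate_ioc_csv(text, now=None):
    """Parse 'indicator,type,comment' rows. Returns (accepted, errors); accepted
    rows carry the resolved type and the expiry implied by EXPIRATION_POLICY."""
    now = now or datetime.now(timezone.utc)
    accepted, errors, seen = [], [], set()
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) > MAX_IOCS:
        errors.append(f"{len(rows)} rows exceed the {MAX_IOCS}-IOC upload limit")
        return accepted, errors
    for n, row in enumerate(rows, start=2):        # line 1 is the header
        value = (row.get("indicator") or "").strip()
        declared = (row.get("type") or "").strip()
        if not value:
            errors.append(f"line {n}: empty indicator")
            continue
        if declared:
            if declared not in VALIDATORS:
                errors.append(f"line {n}: unknown type {declared!r}")
                continue
            if not VALIDATORS[declared](value):
                errors.append(f"line {n}: {value!r} is not a valid {declared}")
                continue
            ioc_type = declared
        else:
            ioc_type = infer_type(value)
            if ioc_type is None:
                errors.append(f"line {n}: cannot infer type of {value!r}")
                continue
        key = (ioc_type, value.lower() if ioc_type.endswith("hash") else value)
        if key in seen:                               # duplicates inflate the 20,000 limit
            errors.append(f"line {n}: duplicate {ioc_type} {value!r}")
            continue
        seen.add(key)
        ttl = EXPIRATION_CHOICES[EXPIRATION_POLICY[ioc_type]]
        accepted.append({"indicator": value, "type": ioc_type,
                         "comment": (row.get("comment") or "").strip(),
                         "expires": None if ttl is None else now + ttl})
    return accepted, errors


# Constructed sample upload: documentation-range IP, empty-input hashes, made-up names.
SAMPLE_CSV = r"""indicator,type,comment
d41d8cd98f00b204e9800998ecf8427e,,md5 of empty input (constructed sample)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,,sha256 of empty input
198.51.100.23,,documentation-range IP (RFC 5737)
bad-updater.example,,domain from a constructed report
C:\Users\Public\update.exe,,dropped file (constructed)
update.exe,File name,same file by name only
198.51.100.23,,duplicate of an earlier row
not-a-hash,MD5 hash,declared type does not match value
"""

if __name__ == "__main__":
    ok, errs = validate_ioc_csv(SAMPLE_CSV)
    for r in ok:
        print(f"{r['type']:<15} {r['indicator']}  expires={r['expires']}")
    for e in errs:
        print("ERROR", e)
```

Running the check before an upload catches the rows that would otherwise be rejected or, worse, silently accepted as the wrong type, and the duplicate check keeps the 20,000-row budget for distinct indicators.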

Manage Existing Rules
After you create a BIOC or IOC rule, you can take the following actions:
• Edit a Rule
• Export a Rule (BIOC Only)
• Copy a Rule
• Disable or Remove a Rule
• Add a Rule Exception

Edit a Rule
After you create a rule, it may be necessary to tweak or change the rule settings.

STEP 1 | Select RULES and the type of rule (BIOC).

STEP 2 | Locate the rule you want to edit.

STEP 3 | Right-click anywhere in the rule and then select Edit.

STEP 4 | Edit the rule settings as needed.


For BIOCs, you can edit the rule settings which include the name, severity, and BIOC type. You can also
click the pencil icon next to the BIOC summary to edit the behavioral characteristics. If you make any
changes, Test and then Save the rule.

STEP 5 | Adjust the schedule settings as needed, and then click OK.

Export a Rule (BIOC Only)


STEP 1 | Select RULES > BIOC.

STEP 2 | Select the rules that you want to export.

STEP 3 | Right-click any of the rows, and select Export selected.
The exported file is not editable; however, you can use it as a source to import rules at a later date.

Copy a Rule
You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or
altered, but you can copy a global rule and edit the copy. See Manage Global BIOC Rules.

STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Locate the rule you want to copy.

STEP 3 | Right-click anywhere in the rule row and then select Copy to create a duplicate rule.

Disable or Remove a Rule


If you no longer need a rule you can temporarily disable or permanently remove it.

You cannot delete global BIOCs delivered with content updates.

STEP 1 | Select RULES and the type of rule (BIOC or IOC).

STEP 2 | Locate the rule that you want to change.

STEP 3 | Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or
Disable to temporarily stop the rule. If you disable a rule, you can later return to the rule page
to Enable it.

Add a Rule Exception


If you want to create a rule to take action on specific behaviors but also want to exclude one or more
indicators from the rule, you can create a rule exception. An indicator can include the SHA256 hash of a
process, process name, process path, vendor name, user name, causality group owner (CGO) full path, or
process command-line arguments. For more information about these indicators, see Cortex XDR Rules. For
each exception, you also specify the rule scope to which the exception applies.

Cortex XDR only supports exceptions with one attribute. See Add an Alert Exclusion Policy to
create advanced exceptions based on your filtered criteria.

STEP 1 | From Cortex XDR, select Rules > Rule Exceptions.

STEP 2 | Select + New Exception.

STEP 3 | Configure the indicators and conditions for which you want to set the exception.

STEP 4 | Choose the scope of the exception, whether the exception applies to IOCs, BIOCs, or both.

STEP 5 | Save the exception.


By default, activity matching the indicators does not trigger any rule. As an alternative, you can select
one or more rules. After you save the exception, the Exceptions count for the rule increments. If you
later edit the rule, you will also see the exception defined in the rule summary.

Administration
> Manage Administrative Access
> Integrate External Threat Intelligence Services
> Integrate Demisto
> Integrate Third-Party Apps
> Analytics Management
> Audit Administrator Activity

Manage Administrative Access
• Administrative Roles
• Assign Roles to Cortex XDR Users

Administrative Roles
Role-based access control (RBAC) enables you to use pre-configured roles to assign access rights to
administrative users. You can manage roles for all Cortex apps and services in the Cortex hub. By assigning
roles, you enforce the separation of access among functional or regional areas of your organization.
Each role extends specific privileges to users. The way you configure administrative access depends on the
security requirements of your organization. Use roles to assign specific access privileges to administrative
user accounts. The built-in roles provide specific access rights that cannot be changed.
The specific roles that you can assign for Cortex XDR users are as follows:

Role Privileges

Hub roles Assign one of three common hub administrative roles to provide full access to your Cortex
XDR instances. Access to and management of Analytics features also requires an administrative role
assigned to Cortex XDR - Analytics.

Investigation Access to the alerts, incidents, and investigation tabs. The user can view alerts and
incidents, run and schedule queries, but cannot view rules.

Investigation and Response Access to the Alerts, Incidents, Investigation and Response
tabs. The Rules tab is not visible or accessible.

Investigation and Rules View Access to the Alerts, Incidents, and Investigation tabs, with
additional read-only access to rules.

Investigation, Rules View and Response Access to the Alerts, Incidents, Investigation and Response
tabs and read-only access to Rules.

Investigation, Rules and Response Access to all features except the app configuration pages
and audit logs.

Assign Roles to Cortex XDR Users


When your organization purchases Cortex XDR, the Account Administrator can use the Palo Alto Networks
Cortex hub to assign roles to other members that have accounts in the Customer Support Portal.

STEP 1 | If necessary, add a new Customer Support Portal user.


The user must have a Customer Support Portal account with the appropriate access to Cortex apps. To
manage roles for other Cortex XDR apps, see Manage Roles in the Cortex XDR Setup Guide.

STEP 2 | Manage the level of access for a Cortex user.


1. Log in to the hub and select > Manage Roles.

2. Use the sidebar to filter users as needed or the search field to search for users.
3. Select one or more users and then Assign Roles.
4. Select Cortex XDR and select the Administrative Role to assign.
If the user already has the Account Administrator role, then you cannot assign the user any other
more granular role. To assign granular roles, Remove Account Administrator role, then assign the
desired granular role.

5. If the user also needs to access Cortex XDR - Analytics settings and pages, select Cortex XDR -
Analytics and then assign an Administrative Role.
If the user is assigned the Account Administrator role, then you cannot assign the user any other
more granular role. To assign granular roles, Remove Account Administrator role, then assign the
desired granular role.
6. Save and then click Yes to confirm your role assignment changes.

Integrate External Threat Intelligence Services
To aid you with threat investigation, Cortex XDR displays the WildFire-issued verdict for each Key Artifact
in an incident. To provide additional verification sources, you can integrate an external threat intelligence
service with Cortex XDR. The threat intelligence services the app supports are:
• AutoFocus™—AutoFocus groups conditions and indicators related to a threat with a tag. Tags can
be user-defined or come from threat-research team publications and are divided into classes, such as
exploit, malware family, and malicious behavior. When you add the service, the relevant tags display
in the incident details page under Key Artifacts. See the AutoFocus Administrator’s Guide for more
information on AutoFocus tags.
• VirusTotal—VirusTotal provides aggregated results from over 70 antivirus scanners, domain blacklist
services, and user contributions. The VirusTotal score is represented as a fraction, where, for example,
a score of 34/52 means out of 52 queried services, 34 services determined the artifact to be malicious.
When you add the service, the relevant VirusTotal score displays in the incident details page under Key
Artifacts.
• WildFire®—WildFire detects known and unknown threats, such as malware. The WildFire verdict
contains detailed insights into the behavior of identified threats. See Cortex XDR Architecture for more
information on applications and services used by the Cortex XDR app. The WildFire verdict displays next
to relevant Key Artifacts in the incidents details page.

WildFire provides verdicts and analysis reports to Cortex XDR users without requiring a
license key. Using WildFire for next-generation firewalls or other use-cases continues to
require an active license.
To view external threat intelligence verdicts in Cortex XDR – Investigation and Response incidents, you must
obtain the license key for the service and add it to the Cortex XDR Configuration. After you integrate any
services, you will see the verdict or verdict score when you Investigate Incidents.
To integrate an external threat intelligence service:

STEP 1 | Get the API license key for the service.
• Get your AutoFocus API key.
• Get your VirusTotal API key.

STEP 2 | Enter the license key in the Cortex XDR – Investigation and Response app.

Select the gear icon in the menu bar, then Settings > Threat Intelligence, and then enter the license key.

STEP 3 | Test your license key.
Select Test. If there is an issue, an error message provides more details.

STEP 4 | Verify the service integration in an incident.


After adding the license key, you should see the additional verdict information from the service included
in the Key Artifacts of an incident. You can right-click the service, such as VirusTotal (VT) or AutoFocus
(AF), to see the entire verdict. See Investigate Incidents for more information on where these services
are used within the Cortex XDR – Investigation and Response app.

Integrate Demisto
Demisto™ enables automated and coordinated threat response with the ability to adjust and test response
playbooks. You can manage incidents from the Demisto interface and leverage the Cortex XDR Causality
Analytics Engine and detection capabilities. Changes to one app are reflected in the other.
To manage incidents from the application of your choice, see Integrate Third-Party Apps and the Cortex
XDR API Reference for more information on using the API to integrate third-party applications.

Integrate Third-Party Apps
You can use the Cortex XDR API to leverage Cortex XDR investigation capabilities and log stitching
from external incident management applications, such as ServiceNow®. After you generate your API key
and set up the API to query Cortex XDR, third-party apps can receive incident updates, request additional
data about incidents, and make changes such as setting the status, changing the severity, or assigning an
owner. Changes occur bidirectionally so that a change from one app is reflected in the other. For more
information, see the Cortex XDR API Reference.
For more information on how to integrate Cortex XDR with Demisto response playbooks, see Integrate
Demisto.

Analytics Management
From Cortex XDR, you can manage settings for the analytics engine. To view and manage analytics settings,
you must be assigned an administrative role in the hub for the Cortex XDR - Analytics app.
• Analytics Status
• Analytics Configuration Settings
• Analytics Management

Analytics Status
The Cortex XDR Analytics Status page provides information regarding the health and operational status
of the analytics engine. Each tab on the Status page displays the health and/or status information about a
specific aspect of the analytics engine:
• Analytics System Status—provides quick-reference on the overall health of the system.

If the system status is not OK, then the gear icon shows a red exclamation point. You can
find additional details under the System Status tab.
• Analytics Log Status—shows the number of logs recently received by Cortex XDR analytics engine.
• Analytics Traffic Status—shows the amount of network traffic observed by Cortex XDR analytics engine
in the recent past.
• Analytics Pathfinder Status—shows the connection and scan status of the Pathfinder VM(s).
• Analytics Traps Status—shows the number of hosts from which the app receives Traps data.
• Analytics Directory Sync Status—shows the connection status of the Directory Sync Service paired with
Cortex XDR.
• Analytics Network Coverage Status—provides a report on the networks that Cortex XDR analytics
engine is monitoring, as well as relevant statistics on the IPs and traffic observed on each network.

These status pages are accessible from the gear icon > Analytics Management > Status.

Analytics System Status


The Analytics System status tab provides quick-reference information that describes the overall health of
the analytics engine. If the system status is not OK, then the gear icon shows a red exclamation point, and
the System tab provides an alert that identifies the nature of the problem.

To receive email notifications for system alerts (once per 24 hours), select the gear on the top menu bar
of the Cortex XDR interface, and select Analytics Management > Configuration > System Alerts (see the
System Alerts Configuration for details).

Analytics Log Status
The Analytics Log status tab provides information on the app log reception. Use this tab to see how many
logs the app has received, how fast it is receiving them, and the types of logs it is receiving.

Analytics Traffic Status


The Analytics Traffic status tab provides information about how much network traffic the app is observing.
It provides statistics on overall traffic volume, as well as internal-to-internal and internal-to-external traffic.
If the numbers shown here seem lower than they should be, then check to ensure all your next-generation
firewalls are configured to forward their logs to the Cortex Data Lake.

Analytics Pathfinder Status


The Pathfinder status tab provides information on your Pathfinder installation(s). If this tab does not show
you the proper Pathfinder VM count, or if your Pathfinder scans are failing at a high rate, you should
troubleshoot your Pathfinder configurations.

Analytics Traps Status
The Traps status tab provides statistics about the number of Traps agents that are sending data for analysis
by the analytics engine.

Analytics Directory Sync Status


The Analytics Directory Sync status tab indicates whether the Cortex XDR analytics engine is configured to
use the Directory Sync Service. If the Cortex XDR analytics engine is configured to use the Directory Sync
Service, this tab displays the health of that service.

Analytics Network Coverage Status
The Analytics Network Coverage status tab provides a report on the networks that the app is monitoring.
For each monitored network, the report provides metrics for a specified time range that you define. Only
networks that have had traffic during the reporting interval are shown in the report.
• Network Coverage Metrics
• Network Coverage Report Time Ranges
• Network Coverage Warnings

For a more detailed report on a given network, select the network name in the left hand
column.

Reports are displayed in the Network Coverage tab. Alternatively, you can export reports to a CSV file for
importation into a spreadsheet or similar software.

If you close your browser during report generation, the generation will continue in the
background.

Network Coverage Metrics


Each Network Coverage report provides the following information:

Metric Description

First IP The first, or lowest, IP address in the network for which Cortex XDR
has observed traffic. Based on data retrieved from traffic logs.

Last IP The last, or highest, IP address in the network for which Cortex XDR
has observed traffic. Based on data retrieved from traffic logs.

Total IPs Seen The total number of IP addresses that Cortex XDR – Analytics has
observed operating on the network. Based on data retrieved from
traffic logs.

SSL % The percentage of IP addresses on the network that are using the
SSL protocol. Based on data retrieved from enhanced application
logs.

HTTP % The percentage of IP addresses on the network that are using the
HTTP protocol. Based on data retrieved from URL logs.

DNS % The percentage of IP addresses on the network that are using the
DNS protocol. Based on data retrieved from enhanced application
logs.

DHCP % The percentage of IP addresses on the network that are using the
DHCP protocol. Based on data retrieved from enhanced application
logs.

Attempted Pathfinder Scans The number of times that Pathfinder attempted to scan an endpoint
on the network.

Successful Pathfinder Scans The number of times that Pathfinder successfully scanned an
endpoint on the network.

Average Throughput The average number of bits per second sent across the network.
Based on data retrieved from traffic logs.
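The following is an added example (not Palo Alto Networks code) that computes the metrics in the table above for one network from a set of traffic records, so you can see how the per-protocol percentages and the throughput figure relate to the underlying logs. It assumes a single constructed record layout with an app field, whereas the real report draws SSL, DNS and DHCP from enhanced application logs and HTTP from URL logs; the Low coverage flag follows the "less than half of the hosts" rule described later under Network Coverage Warnings. The records, addresses and byte counts are constructed.

```python
"""Network Coverage metrics from traffic records (added example, not Cortex XDR code)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PROTOCOLS = ("ssl", "http", "dns", "dhcp")   # the percentage columns of the report
LOW_COVERAGE_PCT = 50.0   # "less than half of the hosts" triggers the Low coverage warning


def coverage_report(records, network, start, end):
    """Metrics for `network` over [start, end). Each record is a constructed dict
    with ts, src, dst, app and bytes. Returns None when the network had no traffic
    in the interval, since such networks are left out of the report."""
    net = ipaddress.ip_network(network)
    seen = set()                  # addresses on this network with any traffic
    by_proto = defaultdict(set)   # protocol -> addresses on this network using it
    total_bytes = 0
    for r in records:
        if not (start <= r["ts"] < end):
            continue
        local = [a for a in map(ipaddress.ip_address, (r["src"], r["dst"])) if a in net]
        if not local:
            continue              # traffic that does not touch this network
        seen.update(local)
        by_proto[r["app"]].update(local)
        total_bytes += r["bytes"]
    if not seen:
        return None
    report = {
        "network": network,
        "first_ip": str(min(seen)),
        "last_ip": str(max(seen)),
        "total_ips_seen": len(seen),
        "avg_throughput_bps": total_bytes * 8 / (end - start).total_seconds(),
        "warnings": [],
    }
    for p in PROTOCOLS:
        pct = 100.0 * len(by_proto[p]) / len(seen)
        report[f"{p}_pct"] = round(pct, 1)
        if pct < LOW_COVERAGE_PCT:      # exactly half is not flagged
            report["warnings"].append(f"Low coverage: {p.upper()} {pct:.0f}% of hosts")
    return report


T0 = datetime(2019, 8, 1, 12, 0, tzinfo=timezone.utc)


def _rec(minute, src, dst, app, nbytes):
    return {"ts": T0 + timedelta(minutes=minute), "src": src, "dst": dst,
            "app": app, "bytes": nbytes}

# Constructed records: 10.0.1.0/24 with a gateway at .1 serving DNS/DHCP and clients .10 to .16.
RECORDS = [_rec(i, f"10.0.1.{10 + i}", "203.0.113.5", "ssl", 100_000) for i in range(6)]
RECORDS += [_rec(10, "10.0.1.10", "203.0.113.7", "http", 50_000),
            _rec(11, "10.0.1.11", "203.0.113.7", "http", 50_000)]
RECORDS += [_rec(20 + i, f"10.0.1.{10 + i}", "10.0.1.1", "dns", 400) for i in range(7)]
RECORDS += [_rec(30 + i, f"10.0.1.{14 + i}", "10.0.1.1", "dhcp", 300) for i in range(3)]
RECORDS += [_rec(130, "10.0.1.12", "203.0.113.5", "ssl", 9_999),   # outside the report window
            _rec(5, "192.0.2.4", "203.0.113.5", "ssl", 1_000)]     # a different network

if __name__ == "__main__":
    rep = coverage_report(RECORDS, "10.0.1.0/24", T0, T0 + timedelta(hours=1))
    for key, value in rep.items():
        print(f"{key:<20} {value}")
```

With these records the HTTP column comes out at 25% of hosts and is flagged, DHCP sits at exactly 50% and is not, and the average throughput is the byte total of the in-window records converted to bits and spread over the report interval, which is why a window with little traffic yields a low number rather than a missing one.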

Network Coverage Report Time Ranges


To generate a Network Coverage report, you must identify a time range. You can select from three
predefined time ranges, or create a custom range.

Predefined time ranges are Latest hour, Latest day, and Latest week. These reports cover an hour, day, or
week of activity from the last log record that Cortex XDR has received. In other words, they represent the
latest available time range worth of activity. Because the app should be continually receiving logs, these
time ranges should reflect time ranges up to the current time. However, if log reception has paused or
stopped, then these time ranges will represent historical data. As an extreme example, if the app stopped
receiving logs a month in the past, then Latest Hour will show you network activity represented by the last
hour worth of logs from the previous month.
The custom time range allows you to generate reports over an interval that you define. Use this to create
reports that cover up to 30 days. Log data must exist for the time range that you specify. If you attempt to
select a start time for your report that is prior to the first log record that the app has, then Cortex XDR will
indicate the problem with:

The start time cannot be earlier than: xxxxxxx

where xxxxxxx identifies the timestamp on the first log record that the app has. Similarly, if you select a
time that is after the last log record that the app has, then the following message is shown:

The end time cannot be later than: xxxxxxx

Finally, be aware that reports are rounded to a time interval that is determined by the report time range:
• Ten minutes for reports covering seven days or less.
• An hour for reports covering more than seven days.

If Cortex XDR rounds your time range to any of these intervals, it always rounds up so that
the time range you requested is fully contained in the report. It also provides the following
informational message:

Selected time ranges were modified to match available time resolution.
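The rounding and validation rules above, worked through in code. This is an added example written for this page, not Cortex XDR's own implementation: the guide supplies the bucket sizes (ten minutes for seven days or less, one hour beyond that), the 30-day limit on custom reports, and the two boundary messages; the direction of rounding (start down, end up), the `utc` helper and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Bucket sizes from the guide: ten minutes for reports covering seven days or
# less, one hour for longer reports; custom reports cover at most 30 days.
TEN_MINUTES = timedelta(minutes=10)
ONE_HOUR = timedelta(hours=1)
SEVEN_DAYS = timedelta(days=7)
MAX_CUSTOM_RANGE = timedelta(days=30)
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0, minute=0):
    """Helper (an assumption of this example) for building UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def report_resolution(start, end):
    """Bucket size, chosen from the requested (not the rounded) range."""
    return TEN_MINUTES if end - start <= SEVEN_DAYS else ONE_HOUR


def _floor_to(ts, step):
    """Round a timestamp down to a multiple of step counted from the epoch."""
    elapsed = (ts - _EPOCH).total_seconds()
    return _EPOCH + timedelta(seconds=elapsed - elapsed % step.total_seconds())


def _ceil_to(ts, step):
    floored = _floor_to(ts, step)
    return floored if floored == ts else floored + step


def check_log_window(start, end, first_record, last_record):
    """Return the message the guide describes when the range falls outside the
    data the app holds, or None when the range is acceptable. The guide's
    xxxxxxx placeholder is filled with the boundary timestamp."""
    if start < first_record:
        return f"The start time cannot be earlier than: {first_record.isoformat()}"
    if end > last_record:
        return f"The end time cannot be later than: {last_record.isoformat()}"
    return None


def align_time_range(start, end):
    """Expand [start, end] outward to bucket boundaries.

    Returns (aligned_start, aligned_end, modified); modified is True when the
    app would show 'Selected time ranges were modified to match available time
    resolution'. Assumption: start rounds down and end rounds up, which is the
    only way to round "up" so that the requested interval is fully contained.
    """
    if end <= start:
        raise ValueError("end must be after start")
    if end - start > MAX_CUSTOM_RANGE:
        raise ValueError("custom reports cover at most 30 days")
    step = report_resolution(start, end)
    aligned = (_floor_to(start, step), _ceil_to(end, step))
    return aligned[0], aligned[1], aligned != (start, end)


if __name__ == "__main__":
    print(align_time_range(utc(2019, 8, 1, 10, 3), utc(2019, 8, 1, 11, 58)))
    print(check_log_window(utc(2019, 6, 30), utc(2019, 7, 2),
                           utc(2019, 7, 1), utc(2019, 8, 4)))
```

A request for 10:03 to 11:58 on a single day becomes 10:00 to 12:00 with the ten-minute step, and the same start with an end nine days later is expanded to whole hours instead.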

Network Coverage Warnings


It is possible for Cortex XDR to place a warning on individual cells in the network coverage report. Warnings
indicate that the network traffic the app has observed is unexpected in some way. To see the warning text,
hover your cursor over the warning icon.

• Low coverage—The app sees less than half of the hosts on the network performing traffic using the identified protocol. For example, if a network contains several hundred IPs but only 30% of those IPs are using HTTP, then the app would flag this as low coverage. The warning does not necessarily mean that there is a problem — HTTP traffic comprising only 30% of the total might be perfectly normal for that particular network — but Cortex XDR considers this unusual so it flags the issue in the report.
• Received and transmitted traffic are not balanced—Cortex XDR is observing considerably more send traffic than receive, or more receive than send, which is unexpected for TCP/IP traffic (the difference is 25% or greater). This could indicate that the app is not receiving all the logs that it should receive. A possible reason for this is a misconfigured TAP interface or SPAN port on your next-generation firewalls.
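The two warning rules as detection logic run over constructed per-segment figures. This is an added example, not code from the guide or from Cortex XDR; the `SegmentStats` class, the column names used as keys, and the choice to measure the send/receive difference relative to the larger direction are assumptions, since the guide does not say what the 25% is relative to.

```python
from dataclasses import dataclass
from typing import Dict

LOW_COVERAGE_THRESHOLD = 0.5   # guide: "less than half of the hosts"
IMBALANCE_THRESHOLD = 0.25     # guide: "the difference is 25% or greater"
PROTOCOLS = ("SSL", "HTTP", "DNS", "DHCP")


@dataclass
class SegmentStats:
    """Constructed per-segment figures of the kind the report table shows."""
    name: str
    hosts_total: int
    hosts_using: Dict[str, int]   # protocol -> number of IPs seen using it
    bits_sent: int
    bits_received: int


def coverage_share(stats, protocol):
    """Fraction of the segment's hosts observed using the protocol."""
    if stats.hosts_total == 0:
        return 0.0
    return stats.hosts_using.get(protocol, 0) / stats.hosts_total


def traffic_imbalance(stats):
    """Fraction by which the dominant direction exceeds the other.
    Assumption: measured relative to the larger of the two directions."""
    larger = max(stats.bits_sent, stats.bits_received)
    if larger == 0:
        return 0.0
    return abs(stats.bits_sent - stats.bits_received) / larger


def cell_warnings(stats):
    """Return {column: warning text} for the cells the guide would flag.
    'Traffic' is an assumed column name for the imbalance warning."""
    warnings = {}
    for proto in PROTOCOLS:
        share = coverage_share(stats, proto)
        if share < LOW_COVERAGE_THRESHOLD:
            warnings[f"{proto} %"] = f"Low coverage ({share:.0%} of hosts use {proto})"
    if traffic_imbalance(stats) >= IMBALANCE_THRESHOLD:
        warnings["Traffic"] = ("Received and transmitted traffic are not balanced; "
                               "check the TAP interface or SPAN port on the firewall")
    return warnings


# Constructed sample: 300 hosts, only 90 of them seen using HTTP, and 30% more
# traffic sent than received.
SAMPLE_SEGMENT = SegmentStats("Lab", 300, {"SSL": 210, "HTTP": 90, "DNS": 280, "DHCP": 250},
                              bits_sent=1_000_000, bits_received=700_000)

if __name__ == "__main__":
    for column, text in cell_warnings(SAMPLE_SEGMENT).items():
        print(f"{column}: {text}")
```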

Analytics Configuration Settings


Click the gear icon on the menu bar and select Analytics Management > Configuration to access Pathfinder and analytics engine settings.
• Pathfinder VMs Configuration—Pair Pathfinder VMs with Cortex XDR and monitor Pathfinder VM
status.
• Pathfinder Configuration—Configure the Pathfinder default configuration. To monitor Pathfinder
scanning activity, instead select Management > Pathfinder.
• Network Segments Configuration—Configure which of your IP ranges Cortex XDR will monitor for
Analytics alerts. Also report on the activities for each IP range the app is monitoring.
• Directory Sync Configuration—Tell Cortex XDR which Active Directory domain to use when paired with
the Palo Alto Networks Directory Sync Service.
• System Alerts Configuration—Configure emailed system alerts. A system alert occurs if the system
experiences any kind of an internal error.
• EDL Configuration—Cortex XDR block lists can be used as the source for a Palo Alto Networks firewall
external dynamic list (EDL). This allows you to enforce your security policy based on IP addresses and
domains found to be associated with an alert.

Pathfinder VMs Configuration


The Analytics Pathfinder VMs page allows you to pair Pathfinder virtual machines installed on your network
with your Cortex XDR app. This page also allows you to monitor the status of your Pathfinder VMs.

Pairing is the process of creating a network connection between your Cortex XDR Analytics system and the
Pathfinder VM(s) running on your network. The pairing process requires a pairing token, which you obtain
using the Generate pairing token button on this page.
This is one step in the workflow to Set Up Pathfinder.

The Pathfinder network connection is from Pathfinder to the Cortex XDR cloud service.
Cortex XDR never needs to connect into your network.

Pathfinder Configuration
The Pathfinder page allows you to configure Pathfinder settings. Pathfinder is a virtual machine that you
install on your network for the purpose of investigating your network endpoints for suspicious/malicious
software and other artifacts.

When you first click on this tab, the Default Configuration screen is displayed. Use this screen to specify
what and how Pathfinder scans:
• Allow automatic scans for workstations (On By Default)—Enable Pathfinder to automatically scan
endpoints.
• Allow automatic scans for servers (Off By Default)—Enable Pathfinder to automatically scan servers.
• Allow uploading suspicious files to WildFire (On By Default)—Enable this option to allow Pathfinder to
send suspicious files for WildFire analysis, or disable it so that Pathfinder sends WildFire only the file
hash (MD5 and SHA-256).
When WildFire™ identifies a file as malware, the analytics engine generates a malware alert. However,
the malware alert provides more expansive detection when this option is enabled. WildFire can identify
known malware based on only the file hash, but must execute and observe the file itself to identify
previously unknown, zero-day malware.

The Analytics Audit Log records when Pathfinder sends a file to WildFire (select the gear icon, then
Analytics Management > Management > Audit).
• Enable N2PA 2-week monitoring for workstations (Off By Default)—With N2PA monitoring enabled,
Pathfinder activates Windows Instrumentation features on a suspicious device to start process logging
for that endpoint. Pathfinder then periodically scans the device to collect the process logs and sends
those logs to Cortex XDR. The app uses this additional forensic data to attribute network activity to
a specific process running on the endpoint. The app displays the additional forensic data that N2PA
collects along with device details, so that you can better isolate the origin of malicious network activity
and take action. When a device ceases to display suspicious behavior, Pathfinder stops collecting the
event logs after a two-week period. Otherwise, N2PA monitoring continues until suspicious activity is no
longer detected with the device.
In the Credentials section, you can specify the login credentials that Pathfinder uses by default to scan
your Microsoft Windows endpoints. Alternatively, you can select Use local Pathfinder VM credentials and
instead specify these login credentials locally on the Pathfinder VM.

To locally configure a Pathfinder VM with the credentials it needs to scan your network,
select the gear icon on the menu bar, then select Analytics Management > Configuration >
Pathfinder, and follow the steps to Set Up Pathfinder.

Navigate to the other tabs on this page to continue to configure Pathfinder:

• Global Settings—Allows you to configure how Pathfinder behaves relative to your entire network. Use this tab to indicate whether Pathfinder should automatically scan devices when it first discovers them (N2PA is never used for newly discovered devices). Also use this tab to identify the DNS domains that Pathfinder uses to locate, connect to, and scan a host.
• Per Asset Configuration—Allows you to set Pathfinder configurations that are specific to a subset of devices on your network. You can override the default Pathfinder configuration on a per-asset basis using this page. This requires you to first have configured network assets using the Network Segments Configuration.

Network Segments Configuration


The Analytics Network Segments page allows you to view and manage the internal networks and mobile
endpoints that the Cortex XDR analytics engine is monitoring.
This page lists the IP address ranges that Cortex XDR monitors. By default, Cortex XDR is configured to
monitor the standard internal IP address ranges (for example, 10.x.x.x, 172.16.x.x, and 192.168.x.x). If you
have non-standard internal IP address ranges that the app should monitor, or use GlobalProtect or Prisma
Access to secure mobile endpoint traffic, add those IP address ranges to the table. For GlobalProtect and
Prisma Access IP address ranges, also select Reserve for VPN to enable the Cortex XDR app to recognize
the network segment as a VPN IP address pool.
To add a network segment to the table, click the + in the upper-right corner. Alternatively, you can export
the table to CSV, modify it, and then reimport the modified file. See Set Up Cortex XDR – Analytics for
more information on configuring network segments.

You can also use this page to edit existing network segment start and end IP addresses. If your edits result
in an error (that is, you provide an illegal IP address or create overlapping ranges), the page will provide an
error indicator for the improper values.
You can use this page to assign a Pathfinder VM to a network segment. Use the column in the segment
table row to select the Pathfinder VM that you want to monitor the segment.

If the network segment is a GlobalProtect or Prisma Access VPN pool, select Reserved for
VPN in the final column and do not assign a Pathfinder VM to the network segment.

To delete a segment, hover over the segment and click the trashcan icon, or delete the segment from your
CSV file and then reimport it.

You cannot remove or edit the default IPv4 and IPv6 address ranges from the table.
However, you can add ranges that are more specific than these defaults.

From the Network Segments page, you can access the IP Ranges Report page where you can generate
reports on the various networks that Cortex XDR is monitoring. Use the Open network coverage report link
to access this page.
For each network that Cortex XDR is monitoring, this report shows you relevant information such as the
number of IPs discovered by Cortex XDR, Pathfinder scan activity (attempts and successes), and the amount
of traffic seen on the network. Both the Network Segments page and the IP Ranges Report display the
percentage of DNS, DHCP, HTTP, and SSL traffic that the Palo Alto Networks firewall logs for each IP range
(%DNS, %DHCP, %HTTP, %SSL). However, be aware that you must enable the firewall to send Enhanced
Application Logs to the Cortex Data Lake in order for Cortex XDR to display the percent coverage for these
types of application traffic.
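An added example (not the Cortex XDR import code) that applies the rules from this section to a CSV export before you reimport it: illegal addresses, overlapping user-defined ranges, and a VPN pool with a Pathfinder VM assigned are reported, while ranges more specific than the defaults are allowed. The CSV columns, the `Segment` class and the exact default blocks are assumptions; the guide lists the IPv4 defaults only loosely and does not name the IPv6 ones.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The guide lists the defaults loosely as 10.x.x.x, 172.16.x.x and 192.168.x.x
# and says IPv6 defaults exist too. Assumption: model them as the RFC 1918
# blocks plus the IPv6 unique-local block. They cannot be edited or removed,
# so they live outside the user-editable table and never take part in the
# overlap check (user ranges nested inside them are explicitly allowed).
DEFAULT_SEGMENTS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Segment:
    name: str
    start: str
    end: str
    pathfinder_vm: Optional[str] = None
    reserved_for_vpn: bool = False


def load_segments_csv(text):
    """Parse an export. Assumed columns: name,start,end,pathfinder_vm,reserved_for_vpn."""
    rows = csv.DictReader(io.StringIO(text))
    return [Segment(r["name"].strip(), r["start"].strip(), r["end"].strip(),
                    (r.get("pathfinder_vm") or "").strip() or None,
                    (r.get("reserved_for_vpn") or "").strip().lower() in ("1", "true", "yes"))
            for r in rows]


def validate_segments(segments):
    """Return the error messages the page would flag; empty means importable."""
    errors = []
    ranges = []   # (ip version, first, last, name) for the well-formed rows
    for seg in segments:
        try:
            first, last = ipaddress.ip_address(seg.start), ipaddress.ip_address(seg.end)
        except ValueError:
            errors.append(f"{seg.name}: illegal IP address")
            continue
        if first.version != last.version or first > last:
            errors.append(f"{seg.name}: start must be the same IP version as, and not after, end")
            continue
        if seg.reserved_for_vpn and seg.pathfinder_vm:
            errors.append(f"{seg.name}: a VPN pool must not have a Pathfinder VM assigned")
        ranges.append((first.version, int(first), int(last), seg.name))
    # Sort by start and track the furthest end seen per IP version; this
    # catches nested ranges, not only neighbouring ones.
    ranges.sort()
    furthest = {}
    for version, first, last, name in ranges:
        prev = furthest.get(version)
        if prev and first <= prev[0]:
            errors.append(f"{name} overlaps {prev[1]}")
        if prev is None or last > prev[0]:
            furthest[version] = (last, name)
    return errors


# Constructed sample export: one valid lab range, one GlobalProtect pool, one
# range nested inside the lab range, and one row with an impossible octet.
SAMPLE_CSV = """name,start,end,pathfinder_vm,reserved_for_vpn
Lab,10.50.0.0,10.50.255.255,pf-vm-1,no
GP pool,172.30.0.0,172.30.255.255,,yes
Bad,10.50.128.0,10.50.128.255,pf-vm-1,no
Typo,192.168.1.300,192.168.1.400,,no
"""


def sample_errors():
    return validate_segments(load_segments_csv(SAMPLE_CSV))


if __name__ == "__main__":
    for err in sample_errors():
        print(err)
```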

Directory Sync Configuration


The Directory Sync Service is an optional service that enables you to add additional details to triage and
alert information. To use the Directory Sync Service with Cortex XDR Analytics, you must first activate and
configure Directory Sync. See the Directory Sync Service Getting Started Guide for instructions on how to
do this.
Then, Set Up Directory Sync Service to work with Cortex XDR Analytics. As part of this task, use the
Directory Sync page to tell Cortex XDR Analytics which Active Directory domain to use.

System Alerts Configuration
Use the Cortex XDR Analytics System Alerts page to configure delivery of system alerts. A system alert
occurs if the app experiences any kind of an internal error. To view current system status, select the gear
icon, then Analytics Management > Status.

EDL Configuration
Cortex XDR hosts two block lists, to which you can add IP addresses and domains as you triage alerts.
You can use a Cortex XDR external dynamic list (EDL) with a Palo Alto Networks firewall to provide an
integrated response to malicious network activity. With a Cortex XDR EDL as the source of a firewall
external dynamic list, the firewall can control user access to IP addresses and domains that the app has
found to be associated with an alert.
The following steps describe how to set up a Palo Alto Networks firewall to use the Cortex XDR EDL as the
source for an external dynamic list (EDL), and how to start building a block list.
Before you begin:
• Validate the firewall DNS configuration to make sure that it can resolve the Cortex XDR FQDN.
• Ensure the firewall has a direct internet connection; if another network device resides between the
firewall and the internet, make sure that device is configured to allow the traffic between the firewall
and Cortex XDR.

STEP 1 | Enable EDL.
1. Select the gear icon, then Analytics Management > Configuration, and then select EDL.
2. Enter login credentials that the Palo Alto Networks firewall should use to access the Cortex XDR
EDL.

STEP 2 | Record the IP Addresses Block List URL and the Domains Block List URL. You will need these
URLs in the coming steps to point the firewall to these lists.

Test the URLs in a browser to confirm that they are active.

STEP 3 | Save the EDL configuration.

STEP 4 | Enable the firewall to authenticate the Cortex XDR EDL.


1. Download and save the following root certificate: https://certs.godaddy.com/repository/gd-class2-
root.crt.
2. On the firewall, select Device > Certificate Management > Certificates and Import the certificate.
Make sure to give a descriptive name, and select OK to save the certificate.

3. Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.
4. Give the profile a descriptive name and Add the certificate to the profile.

5. Select OK to save the certificate profile.

STEP 5 | Set the Cortex XDR EDL as the source for a firewall EDL.
For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use
EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.
1. On the firewall, select Objects > External Dynamic Lists and Add a new list.
2. Define the list Type as either IP List or Domain List.
3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in Step 2
as the list Source.
4. Select the Certificate Profile that you created in the last step.
5. Select Client Authentication and enter the username and password that the firewall must use to
access the Cortex XDR EDL. These should be the same login credentials that you saved in Cortex
XDR, when enabling the EDL in the first step.
6. Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XDR.

7. Click OK to add the new EDL.

STEP 6 | Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL as
match criteria to a security policy rule.
Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the
complete workflow to add an EDL as match criteria to a security policy rule.
1. Select Policies > Security and Add or edit a security policy rule.
2. In the Destination tab, select Destination Zone and select the external dynamic list as the
Destination Address.
3. Click OK to save the security policy rule and Commit your changes.

You do not need to perform an additional commit or make any subsequent configuration changes for
the firewall to enforce the EDL as part of your security policy; even as you update the Cortex XDR
EDL, the firewall will enforce the list most recently retrieved from Cortex XDR.

You can also use the Cortex XDR domain list as part of a URL Filtering profile; when
attached to a security policy rule, a URL Filtering profile allows you to granularly
control user access to the domains on the list.

STEP 7 | Start building your Cortex XDR EDL.


1. Select Triage and select a host or user to see the associated alerts.
2. Select an alert that the host or user triggered.
3. Select Actions and Add to Block List to see the full list of IP addresses and domains associated with
the alert. From this list, select the entries you want to add and then Submit.
Entries that are already included in an EDL appear as selected.

STEP 8 | View and manage the Cortex XDR EDL.

Select the gear icon, then Analytics Management > Management, and then select EDL. Two lists are
displayed: one for IP addresses and one for domains. Here, you can delete any entries that you no longer
want included on the lists.
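An added example, not code from the guide or from PAN-OS, that checks a block list the way the firewall will consume it: `fetch_edl` retrieves a list over TLS validated against the imported root certificate only, sending the client credentials saved in Step 1, and `parse_edl` reports entries that an IP List or Domain List would not load, which is a useful check before pointing the firewall at a URL. The function names, the sample lists and the comment-line handling are assumptions; only the PAN-OS entry syntax (address, CIDR block, or a-b range for IP lists; one domain per line for domain lists) is taken as known.

```python
import base64
import ipaddress
import re
import ssl
import urllib.request

# Hostname syntax accepted for a Domain List entry. Assumption: one bare domain
# per line, optional "#" comment; wildcard entries are not handled here.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE)


def fetch_edl(url, username, password, ca_file, timeout=20):
    """Retrieve a block list as the firewall does: TLS verified against the
    imported root certificate (and nothing else) plus HTTP basic authentication.
    Not exercised offline; url and credentials are those saved on the EDL page."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def _valid_ip_entry(entry):
    """Accept a single address, a CIDR block, or an a-b range."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        pass
    lo, sep, hi = entry.partition("-")
    if not sep:
        return False
    try:
        lo_ip, hi_ip = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
    except ValueError:
        return False
    return lo_ip.version == hi_ip.version and lo_ip <= hi_ip


def parse_edl(text, list_type):
    """Split list text into (accepted, rejected); rejected holds
    (line_number, raw_line) for entries the firewall would not load."""
    if list_type not in ("ip", "domain"):
        raise ValueError("list_type must be 'ip' or 'domain'")
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if list_type == "ip" and _valid_ip_entry(entry):
            accepted.append(entry)
        elif list_type == "domain" and _DOMAIN_RE.match(entry):
            accepted.append(entry.lower())
        else:
            rejected.append((lineno, raw))
    return accepted, rejected


# Constructed samples using documentation address space; not real exports.
SAMPLE_IP_LIST = """# constructed sample
203.0.113.7
198.51.100.0/24
192.0.2.10-192.0.2.20
not-an-ip
"""
SAMPLE_DOMAIN_LIST = """Malware.Example.net
c2.example.org
http://nope.example/path
"""

if __name__ == "__main__":
    print(parse_edl(SAMPLE_IP_LIST, "ip"))
    print(parse_edl(SAMPLE_DOMAIN_LIST, "domain"))
```

A rejected line is the thing to look at before the firewall's next retrieval: the firewall skips entries it cannot parse, so a malformed entry silently leaves that indicator unblocked.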

Analytics Management
From the Cortex XDR > Analytics Management > Management menu, you can manage whitelist rules,
view the audit log, and view the status of Pathfinder scans:
• Select Pathfinder to see ongoing and queued Pathfinder Scans, Pathfinder scan history, and suspicious
endpoints that are undergoing periodic scanning (N2PA monitoring).
• Select Audit to see the Analytics Audit Log, which records the triage activity that has occurred in the
Cortex XDR Analytics application lately.
• Select EDL to view Analytics External Dynamic List. You can add IP addresses and domains to the Cortex
XDR block lists as you triage alerts; a Palo Alto Networks firewall can then dynamically enforce policy
based on these lists.

Pathfinder Scans
When the analytics engine observes problematic traffic coming from an endpoint that does not have a
supported version of a Traps agent installed with Traps endpoint monitoring enabled, it uses Pathfinder to
investigate the endpoint. At any time, you can also initiate a Pathfinder scan for a particular device. If N2PA
(network-to-process association) monitoring is enabled, Pathfinder also automatically performs periodic
scanning for devices that have displayed suspicious behavior.

The Analytics Management > Management > Pathfinder page, reached from the gear icon, displays status for all Pathfinder scan
types. You can view both in-progress and queued Pathfinder scans, a history of the scans Pathfinder has
performed, and a list of devices that are undergoing N2PA monitoring. You can also export the Scan History
and Hosts Under N2PA Monitoring lists to a flat-text file for the purposes of viewing them in a spreadsheet
application.

• To initiate a Pathfinder scan for a particular device, select Actions > Pathfinder Scan from
the Analyze view of an Analytics alert.

Endpoints with supported versions of Traps agents installed and endpoint monitoring enabled are
constantly being monitored and do not require additional Pathfinder scans.
• To enable N2PA monitoring, click the gear on the top menu bar, select Configuration >
Pathfinder and enable Network to Process Association (N2PA). (For details, see
Pathfinder Configuration).

Analytics Audit Log


The Analytics Audit log lists the recent triage activity that you and your team have performed in Cortex XDR.
This includes all changes to alert statuses and whitelist rules. The log identifies who performed the change,
when the change occurred, and the host to which the change is related.

The Audit log separates security policy-related logs on the Analyst tab, and other configuration and
management changes on the Configuration tab.

Analytics External Dynamic List


Cortex XDR™ hosts two built-in block lists, to which you can easily add IP addresses and domains that you
find as you triage alerts. You can use these block lists as sources for a Palo Alto Networks firewall external
dynamic list (EDL); this allows you to enforce security policy based on IP addresses and domains that the
app has found to be associated with anomalous and malicious network activity.

Any IP addresses and domains associated with an alert can be added to a block list. To enable block lists,
and configure a Palo Alto Networks firewall to use them as EDL sources, see EDL Configuration.

Audit Admin Activity
From Response > Auditing, you can track the status of all administrative and investigative actions. Cortex
XDR stores audit logs within the app for one year. Use the page filters to narrow the results or Manage
Columns and Rows to add or remove fields as needed.

The following table describes, in alphabetical order, the default fields and the optional fields that you
can add.

• Email—Email address of the administrative user
• Description—Descriptive summary of the administrative action
• Host Name—Name of any relevant affected hosts
• ID—Unique ID for the action
• Result—Result of the administrative action: Success, Partial, or Fail.
• Subtype—Sub category of action
• Timestamp—Time the action took place
• Type—Type of activity logged, one of the following:
  • Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, a complete history of commands issued, their success, and the response.
  • Response—Remedial actions taken, for example to isolate a host and undo isolate host, or blacklist a file hash signature, or undo a hash blacklist
  • Result—Whether the action taken was successful or failed, and the result reason when available.
  • Authentication—User sessions started, along with the user name that started the session.
  • Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
• User Name—User who performed the action



Logs
With the Log Forwarding app, you can easily forward Cortex XDR™ BIOC, IOC, and Analytics
alerts to an external syslog receiver or email. The Log Forwarding app uses two log formats
to send logs depending on the type of alert: one for BIOC and IOC alerts, and another for
Analytics alerts.

> Configure Log Forwarding for BIOC and IOC Alerts
> Cortex XDR Log Format
> Configure Log Forwarding for Analytics Alerts
> Cortex XDR – Analytics Log Format

Configure Log Forwarding for BIOC and IOC Alerts
Using the Log Forwarding app, you can forward Cortex XDR BIOC and IOC alerts to an external syslog or
email.

Cortex XDR – Investigation and Response logs are no longer included when you configure
a Cortex XDR – Analytics log forwarding profile. If you previously received Cortex XDR logs,
you must now set up a new log forwarding profile to receive Cortex XDR – Investigation and
Response logs.

STEP 1 | To activate and configure the Log Forwarding app, ensure you have the appropriate roles to
manage Cortex apps.
For more information, see Available Roles in the Cortex Hub Getting Started Guide.

STEP 2 | Add a Log Forwarding App Instance.


Before you can use the Log Forwarding app, you must activate it. You can then add a Log Forwarding
app instance to the Cortex Hub for each instance of the Cortex Data Lake you have purchased. Each
instance of the Log Forwarding app can forward logs to a single destination and is associated with only
one instance of the Cortex Data Lake.

STEP 3 | Forward BIOC and IOC alert logs to a Syslog Server or Email Server.

1. Select Cortex XDR – Investigation & Response as the Log Vendor.
2. Select Alert as the Log Type.
3. Use the default (Predefined) filter to select the BIOC and IOC alert logs the app will forward or enter
a Custom query.

You only need to enter a query if you want to use conditions to further refine the types of logs the
app forwards. See the Log Forwarding App Getting Started Guide for details on custom queries.

STEP 4 | (Optional) If you want to only send logs with a specific severity level, select the desired
Severity.

STEP 5 | (Optional) If you only want to send one type of alert log, select either BIOC or IOC as the Alert
Source.
If you select neither, the app forwards both BIOC and IOC alert logs.

STEP 6 | If you select an alert source, you can also select a specific alert category.
If you do not select an alert category, the app forwards all alerts from the selected alert source.

Cortex XDR Log Format
Cortex XDR™ logs its IOC and BIOC alerts to the Cortex Data Lake. When alert logs are forwarded from
Cortex Data Lake, each log record has the following format:
Syslog format:

"/edrData/action_country","/edrData/action_download","/edrData/action_external_hostname",
"/edrData/action_external_port","/edrData/action_file_extension","/edrData/action_file_md5",
"/edrData/action_file_name","/edrData/action_file_path","/edrData/action_file_previous_file_extension",
"/edrData/action_file_previous_file_name","/edrData/action_file_previous_file_path","/edrData/action_file_sha256",
"/edrData/action_file_size","/edrData/action_file_remote_ip","/edrData/action_file_remote_port",
"/edrData/action_is_injected_thread","/edrData/action_local_ip","/edrData/action_local_port",
"/edrData/action_module_base_address","/edrData/action_module_image_size","/edrData/action_module_is_remote",
"/edrData/action_module_is_replay","/edrData/action_module_path","/edrData/action_module_process_causality_id",
"/edrData/action_module_process_image_command_line","/edrData/action_module_process_image_extension",
"/edrData/action_module_process_image_md5","/edrData/action_module_process_image_name",
"/edrData/action_module_process_image_path","/edrData/action_module_process_image_sha256",
"/edrData/action_module_process_instance_id","/edrData/action_module_process_is_causality_root",
"/edrData/action_module_process_os_pid","/edrData/action_module_process_signature_product",
"/edrData/action_module_process_signature_status","/edrData/action_module_process_signature_vendor",
"/edrData/action_network_connection_id","/edrData/action_network_creation_time","/edrData/action_network_is_ipv6",
"/edrData/action_process_causality_id","/edrData/action_process_image_command_line",
"/edrData/action_process_image_extension","/edrData/action_process_image_md5","/edrData/action_process_image_name",
"/edrData/action_process_image_path","/edrData/action_process_image_sha256","/edrData/action_process_instance_id",
"/edrData/action_process_integrity_level","/edrData/action_process_is_causality_root",
"/edrData/action_process_is_replay","/edrData/action_process_is_special","/edrData/action_process_os_pid",
"/edrData/action_process_signature_product","/edrData/action_process_signature_status",
"/edrData/action_process_signature_vendor","/edrData/action_proxy","/edrData/action_registry_data",
"/edrData/action_registry_file_path","/edrData/action_registry_key_name","/edrData/action_registry_value_name",
"/edrData/action_registry_value_type","/edrData/action_remote_ip","/edrData/action_remote_port",
"/edrData/action_remote_process_causality_id","/edrData/action_remote_process_image_command_line",
"/edrData/action_remote_process_image_extension","/edrData/action_remote_process_image_md5",
"/edrData/action_remote_process_image_name","/edrData/action_remote_process_image_path",
"/edrData/action_remote_process_image_sha256","/edrData/action_remote_process_is_causality_root",
"/edrData/action_remote_process_os_pid","/edrData/action_remote_process_signature_product",
"/edrData/action_remote_process_signature_status","/edrData/action_remote_process_signature_vendor",
"/edrData/action_remote_process_thread_id","/edrData/action_remote_process_thread_start_address",
"/edrData/action_thread_thread_id","/edrData/action_total_download","/edrData/action_total_upload",
"/edrData/action_upload","/edrData/action_user_status","/edrData/action_username",
"/edrData/actor_causality_id","/edrData/actor_effective_user_sid","/edrData/actor_effective_username",
"/edrData/actor_is_injected_thread","/edrData/actor_primary_user_sid","/edrData/actor_primary_username",
"/edrData/actor_process_causality_id","/edrData/actor_process_command_line","/edrData/actor_process_execution_time",
"/edrData/actor_process_image_command_line","/edrData/actor_process_image_extension",
"/edrData/actor_process_image_md5","/edrData/actor_process_image_name","/edrData/actor_process_image_path",
"/edrData/actor_process_image_sha256","/edrData/actor_process_instance_id","/edrData/actor_process_integrity_level",
"/edrData/actor_process_is_special","/edrData/actor_process_os_pid","/edrData/actor_process_signature_product",
"/edrData/actor_process_signature_status","/edrData/actor_process_signature_vendor","/edrData/actor_thread_thread_id",
"/edrData/agent_content_version","/edrData/agent_host_boot_time","/edrData/agent_hostname",
"/edrData/agent_id","/edrData/agent_ip_addresses","/edrData/agent_is_vdi",
"/edrData/agent_os_sub_type","/edrData/agent_os_type","/edrData/agent_session_start_time","/edrData/agent_version",
"/edrData/causality_actor_causality_id","/edrData/causality_actor_effective_user_sid",
"/edrData/causality_actor_effective_username","/edrData/causality_actor_primary_user_sid",
"/edrData/causality_actor_primary_username","/edrData/causality_actor_process_causality_id",
"/edrData/causality_actor_process_command_line","/edrData/causality_actor_process_execution_time",
"/edrData/causality_actor_process_image_command_line","/edrData/causality_actor_process_image_extension",
"/edrData/causality_actor_process_image_md5","/edrData/causality_actor_process_image_name",
"/edrData/causality_actor_process_image_path","/edrData/causality_actor_process_image_sha256",
"/edrData/causality_actor_process_instance_id","/edrData/causality_actor_process_integrity_level",
"/edrData/causality_actor_process_is_special","/edrData/causality_actor_process_os_pid",
"/edrData/causality_actor_process_signature_product","/edrData/causality_actor_process_signature_status",
"/edrData/causality_actor_process_signature_vendor","/edrData/event_id","/edrData/event_is_simulated",
"/edrData/event_sub_type","/edrData/event_timestamp","/edrData/event_type","/edrData/event_utc_diff_minutes",
"/edrData/event_version","/edrData/host_metadata_hostname","/edrData/missing_action_remote_process_instance_id",
"/facility","/generatedTime","/recordType","/recsize","/trapsId","/uuid","/xdr_unique_id",
"/meta_internal_id","/external_id","/is_visible","/is_secdo_event","/severity","/alert_source",
"/internal_id","/matching_status","/local_insert_ts","/source_insert_ts","/alert_name","/alert_category",
"/alert_description","/bioc_indicator","/matching_service_rule_id","/external_url","/xdr_sub_type",
"/bioc_category_enum_key","/alert_action_status","/agent_data_collection_status","/attempt_counter",
"/case_id","/global_content_version_id","/global_rule_id","/is_whitelisted"
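An added example (not part of the guide) of parsing both forwarded layouts described in this section: a syslog record against the quoted field list above, and the "field: value" email body format shown below. The guide prints only the field list for syslog, so treating a forwarded syslog record as one CSV row in header order is an assumption, as are the shortened `HEADER_TEXT`, the constructed sample record and the rule that a line without a field name continues the previous value (the guide's own example shows a long file path wrapping onto a second line).

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed, shortened header in the guide's notation. The leading "/" is
# stripped so that syslog and email records use the same "edrData/..." keys.
HEADER_TEXT = ('"/edrData/action_file_name","/edrData/action_file_sha256",'
               '"/edrData/agent_hostname","/severity","/alert_name","/is_whitelisted"')

# Constructed record in the assumed CSV-row layout; host name and values are made up.
SAMPLE_SYSLOG_RECORD = '"XORXOR2614081980.pdf","null","WS-0042","high","Ransomware Protection","false"'

# Values taken from the guide's email example; the wrapped path is kept as printed.
SAMPLE_EMAIL_BODY = r"""edrData/action_country:
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware
\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_size: 0
"""

# A field name is a path of letters, digits, "_" and "/" followed by a colon;
# the value may itself contain colons (Windows paths), so the key class
# excludes ":" and the match stops at the first one.
_FIELD_LINE = re.compile(r"^([A-Za-z0-9_/]+):(.*)$")


def _normalise(value: str) -> Optional[str]:
    """Empty fields and the literal 'null' both mean 'not populated'."""
    value = value.strip()
    return None if value in ("", "null") else value


def parse_header(header_text: str) -> List[str]:
    """Turn the quoted, comma-separated field list into ordered key names."""
    return [name.lstrip("/") for name in next(csv.reader(io.StringIO(header_text)))]


def parse_syslog_record(header_text: str, record_text: str) -> Dict[str, Optional[str]]:
    """Assumption: a forwarded record is one CSV row in header order."""
    fields = parse_header(header_text)
    values = next(csv.reader(io.StringIO(record_text)))
    if len(values) != len(fields):
        raise ValueError(f"record has {len(values)} values for {len(fields)} fields")
    return {f: _normalise(v) for f, v in zip(fields, values)}


def parse_email_body(body: str) -> Dict[str, Optional[str]]:
    """One 'field: value' per line; a line that does not start with a field
    name is appended to the previous value (wrapped path)."""
    record: Dict[str, Optional[str]] = {}
    last_key = None
    for raw in body.splitlines():
        if not raw.strip():
            continue
        m = _FIELD_LINE.match(raw)
        if m:
            last_key = m.group(1)
            record[last_key] = _normalise(m.group(2))
        elif last_key is not None:
            record[last_key] = (record[last_key] or "") + raw.strip()
    return record


if __name__ == "__main__":
    print(parse_syslog_record(HEADER_TEXT, SAMPLE_SYSLOG_RECORD))
    print(parse_email_body(SAMPLE_EMAIL_BODY))
```

Normalising blank and "null" values to the same thing matters when the parsed record feeds a SIEM rule: a condition such as "file hash is present" must treat both layouts identically.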

When alert logs are forwarded by email, each field is labeled, one line per field:
Email body format example:

edrData/action_country:
edrData/action_download:
edrData/action_external_hostname:
edrData/action_external_port:
edrData/action_file_extension: pdf

edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_previous_file_extension: null
edrData/action_file_previous_file_name: null
edrData/action_file_previous_file_path: null
edrData/action_file_sha256: null
edrData/action_file_size: 0
edrData/action_file_remote_ip: null
edrData/action_file_remote_port: null
edrData/action_is_injected_thread:
edrData/action_local_ip:
edrData/action_local_port:
edrData/action_module_base_address:
edrData/action_module_image_size:
edrData/action_module_is_remote:
edrData/action_module_is_replay:
edrData/action_module_path:
edrData/action_module_process_causality_id:
edrData/action_module_process_image_command_line:
edrData/action_module_process_image_extension:
edrData/action_module_process_image_md5:
edrData/action_module_process_image_name:
edrData/action_module_process_image_path:
edrData/action_module_process_image_sha256:
edrData/action_module_process_instance_id:
edrData/action_module_process_is_causality_root:
edrData/action_module_process_os_pid:
edrData/action_module_process_signature_product:
edrData/action_module_process_signature_status:
edrData/action_module_process_signature_vendor:
edrData/action_network_connection_id:
edrData/action_network_creation_time:
edrData/action_network_is_ipv6:
edrData/action_process_causality_id:
edrData/action_process_image_command_line:
edrData/action_process_image_extension:
edrData/action_process_image_md5:
edrData/action_process_image_name:
edrData/action_process_image_path:
edrData/action_process_image_sha256:
edrData/action_process_instance_id:
edrData/action_process_integrity_level:
edrData/action_process_is_causality_root:
edrData/action_process_is_replay:
edrData/action_process_is_special:
edrData/action_process_os_pid:
edrData/action_process_signature_product:
edrData/action_process_signature_status:
edrData/action_process_signature_vendor:
edrData/action_proxy:
edrData/action_registry_data:
edrData/action_registry_file_path:
edrData/action_registry_key_name:
edrData/action_registry_value_name:
edrData/action_registry_value_type:
edrData/action_remote_ip:
edrData/action_remote_port:
edrData/action_remote_process_causality_id:
edrData/action_remote_process_image_command_line:
edrData/action_remote_process_image_extension:
edrData/action_remote_process_image_md5:
edrData/action_remote_process_image_name:
edrData/action_remote_process_image_path:
edrData/action_remote_process_image_sha256:
edrData/action_remote_process_is_causality_root:
edrData/action_remote_process_os_pid:
edrData/action_remote_process_signature_product:
edrData/action_remote_process_signature_status:
edrData/action_remote_process_signature_vendor:
edrData/action_remote_process_thread_id:
edrData/action_remote_process_thread_start_address:
edrData/action_thread_thread_id:
edrData/action_total_download:
edrData/action_total_upload:
edrData/action_upload:
edrData/action_user_status:
edrData/action_username:
edrData/actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_effective_user_sid: S-1-5-18
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_is_injected_thread: false
edrData/actor_primary_user_sid: S-1-5-18
edrData/actor_primary_username: NT AUTHORITY\SYSTEM
edrData/actor_process_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_command_line:
edrData/actor_process_execution_time: 1559827133585
edrData/actor_process_image_command_line:
edrData/actor_process_image_extension:
edrData/actor_process_image_md5:
edrData/actor_process_image_name: System
edrData/actor_process_image_path: System
edrData/actor_process_image_sha256:
edrData/actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_integrity_level: 16384
edrData/actor_process_is_special: 1
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_product: Microsoft Windows
edrData/actor_process_signature_status: 1
edrData/actor_process_signature_vendor: Microsoft Corporation
edrData/actor_thread_thread_id: 64
edrData/agent_content_version: 58-9124
edrData/agent_host_boot_time: 1559827133585
edrData/agent_hostname: padme-7
edrData/agent_id: a832f35013f16a06fc2495843674a3e9
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_is_vdi: false
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/agent_os_type: 1
edrData/agent_session_start_time: 1559827592661
edrData/agent_version: 6.1.0.13895
edrData/causality_actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_effective_user_sid:
edrData/causality_actor_effective_username:
edrData/causality_actor_primary_user_sid: S-1-5-18
edrData/causality_actor_primary_username: NT AUTHORITY\SYSTEM
edrData/causality_actor_process_causality_id:
edrData/causality_actor_process_command_line:
edrData/causality_actor_process_execution_time: 1559827133585
edrData/causality_actor_process_image_command_line:
edrData/causality_actor_process_image_extension:
edrData/causality_actor_process_image_md5:
edrData/causality_actor_process_image_name: System
edrData/causality_actor_process_image_path: System
edrData/causality_actor_process_image_sha256:
edrData/causality_actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_process_integrity_level: 16384
edrData/causality_actor_process_is_special: 1
edrData/causality_actor_process_os_pid: 4
edrData/causality_actor_process_signature_product: Microsoft Windows
edrData/causality_actor_process_signature_status: 1
edrData/causality_actor_process_signature_vendor: Microsoft Corporation
edrData/event_id: AAABa13u2PQsqXnCAB1qjw==
edrData/event_is_simulated: false
edrData/event_sub_type: 1
edrData/event_timestamp: 1560649063308
edrData/event_type: 3
edrData/event_utc_diff_minutes: 120
edrData/event_version: 20
edrData/host_metadata_hostname:
edrData/missing_action_remote_process_instance_id:
facility:
generatedTime: 2019-06-16T01:37:43
recordType: alert
recsize:
trapsId:
uuid:
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
meta_internal_id: None
external_id: 318b7f91-ae74-4860-abd1-b463e8cd6deb
is_visible: null
is_secdo_event: null
severity: SEV_010_INFO
alert_source: BIOC
internal_id: None
matching_status: null
local_insert_ts: null
source_insert_ts: 1560649063308
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator:
"[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",
""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,
""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",
""data_type"":null,""render_type"":""operator"",""entity_map"":null},
{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",
""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,
""render_type"":""connector"",""entity_map"":null},
{""pretty_name"":""name"",""data_type"":""TEXT"",
""render_type"":""attribute"",""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",
""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",
""data_type"":null,""render_type"":""value"",
""entity_map"":""attributes""}]"
matching_service_rule_id: 200
external_url: null
xdr_sub_type: BIOC - Credential Access
bioc_category_enum_key: null
alert_action_status: null
agent_data_collection_status: null
attempt_counter: null
case_id: null
global_content_version_id:
global_rule_id:
is_whitelisted: false

The following table summarizes the field prefixes and additional relevant fields available for BIOC and IOC
alert logs.

Field Name Definition

edrData/action_file* Fields that begin with this prefix describe attributes of a file for which
Traps reported activity.

edrData/action_module* Fields that begin with this prefix describe attributes of a module for
which Traps reported module loading activity.

edrData/action_module_process* Fields that begin with this prefix describe attributes and activity
related to processes reported by Traps that load modules such as DLLs on the endpoint.

edrData/action_process_image* Fields that begin with this prefix describe attributes of a process
image for which Traps reported activity.

edrData/action_registry* Fields that begin with this prefix describe registry activity and attributes
such as key name, data, and previous value for which Traps reported activity.

edrData/action_network* Fields that begin with this prefix describe network connection attributes
for which Traps reported activity.

edrData/action_remote_process* Fields that begin with this prefix describe attributes of remote
processes for which Traps reported activity.

edrData/actor* Fields that begin with this prefix describe the acting process, and the user it runs
as, that initiated the activity on the endpoint.

edrData/agent* Fields that begin with this prefix describe attributes about the Traps agent
deployed on the endpoint.

edrData/causality_actor* Fields that begin with this prefix describe attributes about the causality
group owner.

Additional useful fields:

/severity Severity assigned to the alert:


• SEV_010_INFO
• SEV_020_LOW
• SEV_030_MEDIUM
• SEV_040_HIGH
• SEV_090_UNKNOWN

/alert_source Source of the alert: BIOC or IOC

/local_insert_ts Date and time when Cortex XDR – Investigation and Response ingested
the alert.

/source_insert_ts Date and time the alert was reported by the alert source.

/alert_name If the alert was generated by Cortex XDR – Investigation and Response,
the alert name is the name of the specific Cortex XDR rule that created the alert
(BIOC or IOC rule name). If the alert came from an external system, it carries the
name assigned to it by Cortex XDR.

/alert_category Alert category based on the alert source.
• BIOC alert categories:
  • OTHER
  • PERSISTENCE
  • EVASION
  • TAMPERING
  • FILE_TYPE_OBFUSCATION
  • PRIVILEGE_ESCALATION
  • CREDENTIAL_ACCESS
  • LATERAL_MOVEMENT
  • EXECUTION
  • COLLECTION
  • EXFILTRATION
  • INFILTRATION
  • DROPPER
  • FILE_PRIVILEGE_MANIPULATION
  • RECONNAISSANCE
• IOC alert categories:
  • HASH
  • IP
  • PATH
  • DOMAIN_NAME
  • FILENAME
  • MIXED

/alert_description Text summary of the event including the alert source, alert name,
severity, and file path. For alerts triggered by BIOC and IOC rules,
Cortex XDR displays detailed information about the rule.

/bioc_indicator A JSON representation of the rule characteristics: an ordered list of
tokens (render_type entity, attribute, operator, value, or connector) whose pretty_name
values, read in sequence, spell out the rule text shown in alert_description. In
forwarded logs the JSON is CSV-quoted: the whole value is wrapped in double quotes
and each embedded quote is doubled. For example:

"[{""pretty_name"":""File"",""data_type"":null,
""render_type"":""entity"",""entity_map"":null},
{""pretty_name"":""action type"",
""data_type"":null,""render_type"":""attribute"",
""entity_map"":null},{""pretty_name"":""="",
""data_type"":null,""render_type"":""operator"",
""entity_map"":null},{""pretty_name"":""all"",
""data_type"":null,""render_type"":""value"",
""entity_map"":null},{""pretty_name"":""AND"",
""data_type"":null,""render_type"":""connector"",
""entity_map"":null},{""pretty_name"":""name"",
""data_type"":""TEXT"",
""render_type"":""attribute"",
""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,
""render_type"":""operator"",
""entity_map"":""attributes""},
{""pretty_name"":""*.pdf"",""data_type"":null,
""render_type"":""value"",
""entity_map"":""attributes""}]"

/bioc_category_enum_key Alert category based on the alert source. An example of a BIOC alert
category is Evasion. An example of a Traps alert category is Exploit
Modules.

/alert_action_status Action taken by the alert sensor, with the action status shown in
parentheses:
• Detected
• Detected (Download)
• Detected (Post Detected)
• Detected (Prompt Allow)
• Detected (Reported)
• Detected (Scanned)
• Prevented (Blocked)
• Prevented (Prompt Block)

/case_id Unique identifier for the incident.

/global_content_version_id Unique identifier for the content version in which a Palo Alto Networks
global BIOC rule was released.

/global_rule_id Unique identifier for an alert triggered by a Palo Alto Networks global
BIOC rule.

/is_whitelisted Boolean indicating whether the alert is excluded (whitelisted).
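
The email body above is one labeled field per line, but the mailer hard-wraps long values (the file path and the bioc_indicator JSON in the example continue on the next line), and JSON-valued fields arrive CSV-quoted with their embedded quotes doubled. The following Python is an added worked example, not part of this guide or of any Palo Alto Networks code: it parses such a body back into fields, decodes bioc_indicator, rebuilds the rule text from the indicator tokens (which should equal alert_description), orders severities by their numeric part, and converts the millisecond epoch event timestamp. The sample body is a constructed subset of the example above; the rule for joining wrapped lines (continuation appended with no separator) is an assumption and is stated in the code.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the emailed BIOC alert shown above, keeping the
# two values the mailer hard-wrapped onto continuation lines (the file path and
# the CSV-quoted bioc_indicator JSON).
SAMPLE_EMAIL_BODY = r"""
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware
\16067987696371268494\XORXOR2614081980.pdf
edrData/actor_process_image_name: System
edrData/actor_process_os_pid: 4
edrData/event_timestamp: 1560649063308
edrData/event_utc_diff_minutes: 120
recordType: alert
severity: SEV_010_INFO
alert_source: BIOC
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator:
"[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",
""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,
""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",
""data_type"":null,""render_type"":""operator"",""entity_map"":null},
{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",
""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,
""render_type"":""connector"",""entity_map"":null},
{""pretty_name"":""name"",""data_type"":""TEXT"",
""render_type"":""attribute"",""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",
""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",
""data_type"":null,""render_type"":""value"",
""entity_map"":""attributes""}]"
is_whitelisted: false
"""

# A field line is "<name>:" optionally followed by one space and the value.
# Any other non-blank line is treated as a continuation of the previous value.
FIELD_LINE = re.compile(r"^([A-Za-z_][\w/]*):(?: (.*))?$")


def parse_email_alert(body):
    """Return {field_name: raw_value} for one emailed alert record.

    Assumption: wrapped values are re-joined with no separator, which is correct
    for paths and JSON (the mailer wraps at a character boundary); a wrapped
    free-text value would need a space re-inserted by the caller.
    """
    fields = {}
    current = None
    for line in body.splitlines():
        if not line.strip():
            continue
        match = FIELD_LINE.match(line)
        if match:
            current = match.group(1)
            fields[current] = match.group(2) or ""
        elif current is None:
            raise ValueError(f"continuation line before any field: {line!r}")
        else:
            fields[current] += line
    return fields


def decode_csv_quoted_json(raw):
    """Undo the CSV-style quoting of JSON-valued fields such as bioc_indicator:
    the whole value is wrapped in double quotes and every embedded quote is doubled."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return json.loads(raw.replace('""', '"'))


def render_bioc_rule(indicator):
    """Rebuild the rule text from the indicator tokens. Comparing the result with
    alert_description is a cheap integrity check on the decode."""
    return " ".join(token["pretty_name"] for token in indicator)


def severity_rank(severity):
    """SEV_010_INFO -> 10, SEV_040_HIGH -> 40, SEV_090_UNKNOWN -> 90. Sort on the
    number; UNKNOWN sorts above HIGH so it gets looked at rather than ignored."""
    return int(severity.split("_")[1])


def event_time_utc(epoch_ms):
    """edrData/event_timestamp is epoch milliseconds (the sample value matches the
    record's generatedTime when read as UTC). event_utc_diff_minutes is the
    endpoint's own offset and is deliberately not applied here."""
    epoch_ms = int(epoch_ms)
    return datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc).replace(
        microsecond=(epoch_ms % 1000) * 1000)


if __name__ == "__main__":
    fields = parse_email_alert(SAMPLE_EMAIL_BODY)
    indicator = decode_csv_quoted_json(fields["bioc_indicator"])
    print(fields["edrData/action_file_path"])
    print(render_bioc_rule(indicator), "==", fields["alert_description"])
    print(severity_rank(fields["severity"]), event_time_utc(fields["edrData/event_timestamp"]))
```

The same decode_csv_quoted_json step applies to any JSON-valued field in the syslog form of these records, where the csv module's double-quote handling does the unquoting for you; the email form has to be unwrapped by hand as shown.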

Configure Log Forwarding for Analytics Alerts
STEP 1 | To activate and configure the Log Forwarding app, ensure you have the Cortex Data Lake role
in the Customer Support Portal.
For more information, see About Roles in the Cortex Hub Getting Started Guide.

STEP 2 | Add a Log Forwarding App Instance.


Before you can use the Log Forwarding app, you must activate it. You can then add a Log Forwarding
app instance to the Cortex Hub for each instance of the Cortex Data Lake you have purchased. Each
instance of the Log Forwarding app can forward logs to a single destination and is associated with only
one instance of the Cortex Data Lake.

STEP 3 | Forward Logs from the Cortex Data Lake to a Syslog Server.
When you configure the Log Forwarding app, you can choose the Log Types you want to forward. To
forward Cortex XDR™ – Analytics logs, forward Magnifier alert logs.

Cortex XDR – Analytics Log Format
Cortex XDR™ – Analytics logs its alerts to the Cortex Data Lake as Magnifier alert logs. When Magnifier
alert logs are forwarded to a syslog receiver, each log record has the following format:
Syslog format: sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files
When Magnifier alert logs are forwarded by email, each field is labeled, one line per field:
Email body format example:

sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges:
"[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges:
"[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []

The following table describes each field:

Field Name Definition

sub_type Alert log subtype. Values are:


• New—First log record for the alert with this record id.
• Update—Log record identifies an update to a previously logged alert.
• StateOnlyUpdate—Alert state is updated. For internal use only.

time_generated Time the log record was sent to the Cortex Data Lake. Value is a Unix
Epoch timestamp.

id Unique identifier for the alert. Any given alert can generate multiple
log records—one when the alert is initially raised, and then additional
records every time the alert status changes. This ID remains constant for
all such alert records.
You can obtain the current status of the alert by looking for log
records with this id and the most recent alert/schedule/
last_detected_at timestamp.

version_info/document_version Identifies the log schema version number used for this log record.

version_info/magnifier_version The version number of the Cortex XDR – Analytics instance that wrote
this log record.

version_info/detection_version Identifies the version of the Cortex XDR – Analytics detection software
used to raise the alert.

alert/url Provides the full URL to the alert page in the Cortex XDR – Analytics
user interface.

alert/category Identifies the alert category, which reflects where the anomalous
network activity sits in the attack life cycle. Possible categories are:
• C&C—The network activity is possibly the result of malware
attempting to connect to its Command & Control server.
• Exfiltration—A large amount of data is being transferred to an
endpoint that is external to the network.
• Lateral—The network activity is indicative of an attacker who is
attempting to move from one endpoint to another on the network.
• Malware—A file has been discovered on an endpoint that is probably
malware or riskware. Malware alerts can also be raised based on
network activity that is indicative of automated malicious traffic
generation.
• Recon—The network activity is indicative of an attacker who is
exploring the network for endpoints and other resources to attack.

alert/type Identifies the categorization to which the alert belongs. For example
Tunneling Process, Sandbox Detection, Malware, and so forth.

alert/name The alert name as it appears in the Cortex XDR – Analytics user
interface.

alert/description/html The alert textual description in HTML formatting.

alert/description/text The alert textual description in plain text.

alert/severity Identifies the alert severity. These severities indicate the likelihood that
the anomalous network activity is a real attack.
• High—The alert is confirmed to be a network attack.
• Medium—The alert is suspicious enough to require additional
investigation.
• Low—The alert is unverified. Whether the alert is indicative of a
network attack is unknown.

alert/state Identifies the alert state.


• Open—The alert is currently active and should be undergoing triage
or investigation by the network security analysts.
• Reopened—The alert was previously resolved or dismissed, but new
network activity has caused Cortex XDR – Analytics to reopen the
alert.
• Archived—No action was taken on the alert in the Cortex XDR –
Analytics user interface, and no further network activity has occurred
that caused it to remain active.
• Resolved—Network personnel have taken enough action to end the
attack.
• Dismissed—The anomaly has been examined and deemed to be
normal, sanctioned, network activity.

alert/is_whitelisted Indicates whether the alert is whitelisted. Whitelisting indicates that
anomalous-appearing network activity is legitimate. If an alert is
whitelisted, it is not visible in the Cortex XDR – Analytics user
interface. Alerts can be dismissed or archived and still have a whitelist
rule.

alert/ports List of ports accessed by the network entity during its anomalous
behavior.

alert/internal_destinations/single_destinations Network destinations that the entity reached, or
tried to reach, during the course of the network activity that caused Cortex XDR – Analytics
to raise the alert. This field contains a sequence of JSON objects, each of which contains the
following fields:
• ip—The destination IP address.
• name—The destination name (for example, a host name).

alert/internal_destinations/ip_ranges IP address range subnets that the entity reached, or tried to
reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the
alert. This field contains a sequence of JSON objects, each of which contains the following fields:
• max_ip—Last IP address in the subnet.
• min_ip—First IP address in the subnet.
• name—Subnet name.

alert/external_destinations Provides a list of destinations external to the monitored network that
the entity tried to reach, or actually reached, during the activity that
raised this alert. This list can contain IP addresses or fully qualified
domain names.

alert/app_id The App-ID associated with this alert.

alert/schedule/activity_first_seen_at Time when Cortex XDR – Analytics first detected the network
activity that caused it to raise the alert. Be aware that there is frequently a delay between this
timestamp and the time when Cortex XDR – Analytics raises an alert (see the
alert/schedule/first_detected_at field).

alert/schedule/activity_last_seen_at Time when Cortex XDR – Analytics last detected the network
activity that caused it to raise the alert.

alert/schedule/first_detected_at Time when Cortex XDR – Analytics first alerted on the network
activity.

alert/schedule/last_detected_at Time when Cortex XDR – Analytics last alerted on the network
activity.

user/user_name The name of the user associated with this alert. This name is obtained
from Active Directory.

user/url Provides the full URL to the user page in the Cortex XDR – Analytics
user interface for the user who is associated with the alert.

user/display_name The user name as retrieved from Active Directory. This is the user name
displayed within the Cortex XDR – Analytics user interface for the user
who is associated with this alert.

user/org_unit The organizational unit of the user associated with this alert, as
identified using Active Directory.

device/id A unique ID assigned by Cortex XDR – Analytics to the device. All alerts
raised due to activity occurring on this endpoint will share this ID.

device/url Provides the full URL to the device page in the Cortex XDR – Analytics
user interface.

device/mac The MAC address of the network card in use on the device.

device/hostname The device host name.

device/ip The device IP address.

device/ip_ranges Identifies the subnet or subnets that the device is on. This sequence can
contain multiple inclusive subnets. Each element in this sequence is a
JSON object with the following fields:
• asset—The asset name assigned to the device from within the
Cortex XDR Analytics user interface.
• max_ip—Last IP address in the subnet.
• min_ip—First IP address in the subnet.
• name—Subnet name.

device/owner The user name of the person who owns the device.

device/org_unit The organizational unit that owns the device, as identified by Active
Directory.

files Identifies the files associated with the alert. Each element in this
sequence is a JSON object with the following fields:
• full_path—The file full path (including the file name).
• md5—The file MD5 hash.
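
The id field description above says that one alert produces several log records (New, then Update on each status change) and that the current status is the record with that id carrying the most recent alert/schedule/last_detected_at. The following Python is an added worked example, not part of this guide or of any Palo Alto Networks code: it parses forwarded Magnifier alert records in the syslog format above with the standard csv module (whose double-quote handling undoes the escaping, so alert/ports, the two ip_ranges fields, the destination lists and files can be loaded as JSON directly), collapses the stream to one current record per id, drops whitelisted alerts the way the UI hides them, and orders what remains for triage. The four records are constructed for the example; the URLs, the second and third devices, the user, the external IP and the MD5 value are invented placeholders.

```python
import csv
import io
import json

# Field order of a forwarded Magnifier alert log record, taken from the
# syslog format listed above (37 fields).
FIELDS = (
    "sub_type,time_generated,id,version_info/document_version,"
    "version_info/magnifier_version,version_info/detection_version,alert/url,"
    "alert/category,alert/type,alert/name,alert/description/html,"
    "alert/description/text,alert/severity,alert/state,alert/is_whitelisted,"
    "alert/ports,alert/internal_destinations/single_destinations,"
    "alert/internal_destinations/ip_ranges,alert/external_destinations,"
    "alert/app_id,alert/schedule/activity_first_seen_at,"
    "alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,"
    "alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,"
    "user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,"
    "device/ip_ranges,device/owner,device/org_unit,files"
).split(",")

JSON_FIELDS = {
    "alert/ports", "alert/internal_destinations/single_destinations",
    "alert/internal_destinations/ip_ranges", "alert/external_destinations",
    "device/ip_ranges", "files",
}
EPOCH_FIELDS = {
    "time_generated", "alert/schedule/activity_first_seen_at",
    "alert/schedule/activity_last_seen_at", "alert/schedule/first_detected_at",
    "alert/schedule/last_detected_at",
}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample: alert 4 is logged twice (New, then an Update after it was
# reopened), alert 7 is a sandbox detection with a file, alert 9 is a port scan
# from a whitelisted vulnerability scanner. Hostnames, URLs, device IDs, the user,
# the external IP and the MD5 are invented placeholders.
SAMPLE_SYSLOG = r'''
New,1542182400,4,1,1.8,2019.2.0rc1,https://analytics.example.invalid/alert/4,Recon,Port Scan,Port Scan,<ul><li>The device scanned 5 ports on 10.201.102.0/24</li></ul>,The device scanned 5 ports on 10.201.102.0/24,Low,Open,false,"[1,2,3,4,5]",[],"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0""}]",[],,1542178800,1542182400,1542182400,1542182400,,,,,2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,https://analytics.example.invalid/device/2-85e40edd,00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0"",""asset"":""""}]",,,[]
Update,1547717480,4,1,1.8,2019.2.0rc1,https://analytics.example.invalid/alert/4,Recon,Port Scan,Port Scan,<ul><li>The device scanned 12 ports on 10.201.102.0/24</li></ul>,The device scanned 12 ports on 10.201.102.0/24,Low,Reopened,false,"[1,2,3,4,5,6,7,8,9,10,11,12]",[],"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0""}]",[],,1542178800,1547717400,1542182400,1547717400,,,,,2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,https://analytics.example.invalid/device/2-85e40edd,00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0"",""asset"":""""}]",,,[]
New,1547720000,7,1,1.8,2019.2.0rc1,https://analytics.example.invalid/alert/7,Malware,Sandbox Detection,Sandbox Detection,<ul><li>A file on the device was classified as malware</li></ul>,A file on the device was classified as malware,High,Open,false,[],[],[],"[""203.0.113.10""]",web-browsing,1547719000,1547719000,1547720000,1547720000,bob,https://analytics.example.invalid/user/bob,Bob Example,Finance,2-0f3c1d8e-4a6b-4c2d-9e1f-5a7b9c3d1e2f,https://analytics.example.invalid/device/2-0f3c1d8e,00-50-56-a5-11-22,FIN-WS-07,10.201.102.40,"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0"",""asset"":""""}]",bob,Finance,"[{""full_path"":""C:\\Users\\bob\\Downloads\\inv.exe"",""md5"":""0123456789abcdef0123456789abcdef""}]"
New,1547721000,9,1,1.8,2019.2.0rc1,https://analytics.example.invalid/alert/9,Recon,Port Scan,Port Scan,<ul><li>The device scanned 3 ports on 10.201.102.0/24</li></ul>,The device scanned 3 ports on 10.201.102.0/24,Low,Open,true,"[22,80,443]",[],"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0""}]",[],,1547720500,1547720900,1547721000,1547721000,,,,,2-7d2e9b1a-3c4f-4e5d-8a6b-1c2d3e4f5a6b,https://analytics.example.invalid/device/2-7d2e9b1a,00-50-56-a5-33-44,VA-SCANNER-01,10.201.102.9,"[{""max_ip"":""10.201.102.255"",""name"":""corp-lan"",""min_ip"":""10.201.102.0"",""asset"":""vuln-scanner""}]",,,[]
'''


def parse_magnifier_syslog(text):
    """Parse forwarded Magnifier alert records into dicts keyed by field name.
    csv undoes the quoting (value wrapped in double quotes, embedded quotes
    doubled); the JSON-valued fields are then loaded, epochs converted to int."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank line
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row[:3]}")
        rec = dict(zip(FIELDS, row))
        for name in JSON_FIELDS:
            rec[name] = json.loads(rec[name]) if rec[name] else []
        for name in EPOCH_FIELDS:
            rec[name] = int(rec[name]) if rec[name] else None
        rec["alert/is_whitelisted"] = rec["alert/is_whitelisted"].strip().lower() == "true"
        records.append(rec)
    return records


def current_alert_states(records, include_whitelisted=False):
    """Reduce the record stream to the current record per alert id: the one with the
    most recent alert/schedule/last_detected_at, time_generated breaking ties so a
    later Update with the same detection time still wins. Whitelisted alerts are
    hidden in the UI, so they are dropped here too unless asked for."""
    latest = {}
    for rec in records:
        stamp = (rec["alert/schedule/last_detected_at"] or 0, rec["time_generated"] or 0)
        if rec["id"] not in latest or stamp > latest[rec["id"]][0]:
            latest[rec["id"]] = (stamp, rec)
    current = {alert_id: rec for alert_id, (_, rec) in latest.items()}
    if not include_whitelisted:
        current = {k: r for k, r in current.items() if not r["alert/is_whitelisted"]}
    return current


def triage_queue(current):
    """Alerts still needing attention (Open or Reopened), highest severity first,
    most recent activity first within a severity."""
    active = [r for r in current.values() if r["alert/state"] in ("Open", "Reopened")]
    active.sort(key=lambda r: (-SEVERITY_RANK.get(r["alert/severity"], 0),
                               -(r["alert/schedule/last_detected_at"] or 0)))
    return active


if __name__ == "__main__":
    current = current_alert_states(parse_magnifier_syslog(SAMPLE_SYSLOG))
    for rec in triage_queue(current):
        print(rec["id"], rec["alert/severity"], rec["alert/state"],
              rec["alert/name"], rec["device/hostname"], rec["files"])
```

StateOnlyUpdate records are passed through unchanged; because they share the id and detection timestamps of the record they update, the tie-break on time_generated is what lets them supersede it.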
