Cortex XDR Admin
Cortex XDR Admin
Cortex XDR Admin
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2018-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
August 4, 2019
Incident Response.............................................................................................25
Incidents Dashboard.................................................................................................................................27
Cortex XDR Incidents................................................................................................................. 28
Investigate Incidents....................................................................................................................29
Cortex XDR Alerts.................................................................................................................................... 33
Alert Sources................................................................................................................................. 36
Triage Alerts.................................................................................................................................. 37
Manage Alerts............................................................................................................................... 38
Alert Exclusions.............................................................................................................................39
Causality View...............................................................................................................................41
Timeline View................................................................................................................................43
Analytics Alert View.................................................................................................................... 44
Response Actions......................................................................................................................................47
Initiate a Live Terminal Session................................................................................................ 47
Run a Pathfinder Scan................................................................................................................ 52
Add an IP Address or Domain to the Cortex XDR EDL..................................................... 53
Administration....................................................................................................93
Manage Administrative Access..............................................................................................................95
Administrative Roles....................................................................................................................95
Assign Roles to Cortex XDR Users..........................................................................................95
Integrate External Threat Intelligence Services.................................................................................97
Integrate Demisto..................................................................................................................................... 99
Integrate Third-Party Apps.................................................................................................................. 100
Analytics Management..........................................................................................................................101
Analytics Status.......................................................................................................................... 101
Analytics Configuration Settings............................................................................................108
Analytics Management............................................................................................................. 116
Audit Admin Activity............................................................................................................................. 119
Logs.................................................................................................................... 121
Configure Log Forwarding for BIOC and IOC Alerts.................................................................... 123
Cortex XDR Log Format....................................................................................................................... 125
Configure Log Forwarding for Analytics Alerts.............................................................................. 133
Cortex XDR – Analytics Log Format................................................................................................. 134
iv TABLE OF CONTENTS
Cortex XDR™ Overview
The Cortex XDR™ app offers you complete visibility over network traffic, user behavior,
and endpoint activity. It simplifies threat investigation by correlating logs from your network
sensors (for example next-generation firewalls and Traps endpoint agents) to reveal threat
causalities and timelines. This enables you to easily identify the root cause of every alert. The
app also allows you to perform immediate response actions. Finally, to stop future attacks,
you can pro-actively define indicators of compromise (IOC) and behavioral rules to detect and
respond to malicious activity.
5
6 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Cortex XDR™ Overview
© 2019 Palo Alto Networks, Inc.
Cortex XDR Architecture
Cortex XDR consumes data from the Cortex Data Lake and can correlate and stitch together logs across
your different log sensors to derive event causality and timelines. A Cortex XDR deployment which uses the
full set of sensors can include the following components:
• Cortex XDR—The Cortex XDR app provides complete visibility into all your data in the Cortex Data Lake.
The app provides a single interface from which you can investigate and triage alerts, take remediation
actions, and define policies to detect the malicious activity in the future.
• Palo Alto Networks next-generation firewalls—On-premise or virtual firewalls that enforce network
security policies in your campus, branch offices, and cloud data centers.
• Cortex Data Lake—A cloud-based logging infrastructure that allows you to centralize the collection and
storage of logs from your log data sources.
• Analytics engine—Cloud-based network security service that utilizes data from the Cortex Data Lake to
automatically detect and report on post-intrusion threats. The analytics engine does this by identifying
good (normal) behavior on your network, so that it can notice bad (anomalous) behavior.
• Traps—Protects your endpoints from known and unknown malware and malicious behavior and
techniques. Traps performs its own analysis locally on the endpoint but also consumes WildFire threat
intelligence. The Traps agent reports all endpoint activity to the Cortex Data Lake for analysis by Cortex
XDR apps.
XDR
With Endpoint Detection and Response (EDR), enterprises rely on endpoint data as a means to trigger
cybersecurity incidents. As cybercriminals and their tactics have become more sophisticated, the time
to identify and contain breaches has only increased. XDR goes beyond the traditional EDR approach of
using only endpoint data to identify and respond to threats by applying machine learning across all your
enterprise, network, cloud, and endpoint data. This approach enables you to quickly find and stop targeted
attacks and insider abuse and remediate compromised endpoints.
Sensors
Cortex XDR™ uses your existing Palo Alto Networks products as sensors to collect logs and telemetry data.
A sensor can be any of the following Palo Alto Networks products that forwards data to the Cortex Data
Lake:
• Virtual (VM-Series) or physical firewalls—identifies known threats in your network and cloud data center
environments
• Analytics engine—Identifies anomalous behavior in your network
• Traps—Identifies threats on your Windows, Mac, and Linux endpoints and halts any malicious behavior
or files
While more sensors increases the amount of data Cortex XDR can analyze, you only need to deploy one
type of sensor, such as next-generation firewalls or Traps, to begin detecting and stopping threats with
Cortex XDR.
Log Stitching
To provide a complete picture of the events and activity surrounding an event, Cortex XDR™ correlates
network, endpoint, and cloud data across your detection sensors. The act of correlating logs from different
sources is referred to as log stitching. For example, if your firewalls detect malicious network activity, the
app can correlate that activity with endpoint logs to observe the impact of the activity and identify the
cause of the behavior.
Log stitching streamlines detection and reduces response time by eliminating the need for manual analysis
across different data sensors.
Causality Chain
When a malicious file, behavior, or technique is detected, Cortex XDR™ correlates available data across
your detection sensors to display the sequence of activity that led to the alert. This sequence of events is
called the causality chain. The causality chain is built from processes, events, insights, and alerts associated
with the activity. During alert investigation you should review the entire causality chain to fully understand
why the alert occurred.
Analytics Engine
The Cortex XDR™ app uses an analytics engine to examine your network and VPN traffic, and endpoint
activity data. The analytics engine retrieves logs from Cortex Data Lake to understand the normal behavior
for your endpoints and network (creates a baseline) so that it can raise alerts when abnormal activity
occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data.
Internally, the analytics engine organizes its analytics activity into algorithms called detectors. Each detector
is responsible for raising an alert when worrisome behavior is detected. To raise alerts, each detector
compares the recent past behavior of your network entities to the expected baseline by examining the data
found in your firewall logs. A certain amount of log file time is required to establish a baseline and then a
certain amount of recent log file time is required to identify what is currently happening on your network.
The analytics engine accesses your logs as they are streamed to Cortex Data Lake and analyzes the data
as soon as it arrives. An Analytics alert is reported when the analytics engine determines an anomaly in
endpoint or network activity.
Tactic Description
Execution After attackers gain a foothold in your network, they can use
various techniques to execute malicious code on a local or
remote endpoint.
The Cortex XDR app detects malware and grayware on your
network using a combination of network activity, Pathfinder
scans of your endpoints, Traps endpoint data, and evaluation
of suspicious files using the WildFire® cloud service.
Lateral Movement To expand the footprint inside your network, and attacker
uses lateral movement techniques to obtain credentials to
gain additional access to more data in the network.
The analytics engine detects attacks during this phase by
examining administrative operations (such as SSH, RDP, and
HTTP), file share access, and user credential usage that is
beyond the norm for your network. Some of the symptoms
the app looks for are increased administrative activity, SMB
usage, and remote code execution.
Command and Control The command and control tactic allows an attacker to
remotely issue commands to and endpoint and receive
Analytics Detectors
The analytics engine for Cortex XDR retrieves your firewall logs from Cortex Data Lake to understand the
normal behavior for your network (creates a baseline) so that it can raise alerts when abnormal activity
occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data.
Internally, the Cortex XDR app organizes its analytics activity into algorithms called detectors. Each detector
is responsible for raising an alert when your network is exhibiting worrisome behavior.
To raise alerts, each detector compares the recent past behavior of your network entities to the expected
baseline by examining the data found in your firewall logs. A certain amount of log file time is required to
establish a baseline and then a certain amount of recent log file time is required to identify what is currently
happening on your network. The Cortex XDR app accesses your logs as they are streamed to Cortex Data
Lake and analyzes the data as soon as it arrives.
There are four meaningful time intervals for Cortex XDR Analytics detectors:
Detection Frequency How often the Cortex XDR app runs the detector
algorithm. This is typically Usually this is a short
interval (10 minutes to 1 hour).
Learning Period The shortest amount of log file time before the app
can raise an alert. This is typically the time from when
a detector first starts running and when you see an
alert but, in some cases, detectors pause after an
upgrade as they enter a new learning period.
Most but not all detectors will wait until they have
a <learning period> amount of time before they
run. This learning period exists to give the detector
enough data to establish a baseline, which in turn
helps to avoid false positives.
The learning period is also referred to as the profiling
or waiting period and, informally, it is also referred to
as soak time.
Training Period The amount of logging time that the detector requires
to establish a baseline, and to identify the behavioral
limits beyond which an alert is raised. Because your
network is not static in terms of its topology or usage,
detectors are constantly updating the baselines
that they require for their analytics. For this update
process, the training period is how far back in time the
detector goes to update and tune the baseline.
This period is also referred to as the baseline period.
These time periods are different for every Cortex XDR Analytics detector. The actual amount of logging
data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex
XDR Analytics Alert Reference.
Hybrid Deployment
In a hybrid environment consisting of both Traps, and Palo Alto Networks firewalls, and optionally with
GlobalProtect or Prisma Access, the app provides better coverage in detecting anomalous activity,
and deeper insight into the causality chain of malicious activity. We recommend using both Traps for
endpoint data collection, and Palo Alto Networks firewalls to supply network logs. In a hybrid environment,
Pathfinder is still recommended for additional coverage and accuracy, to enable incident response (IR)
through a live terminal, and to scan any endpoints without a Traps agent installed.
17
18 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Get Started with Cortex XDR
© 2019 Palo Alto Networks, Inc.
Use the Cortex XDR Interface
Before you can get started with Cortex XDR, you must Set Up Cortex XDR Apps and Related
Services.
Cortex XDR provides an easy-to-use interface that you can access from the Cortex hub. The first time you
log in to the Cortex XDR app, you see the Incidents Dashboard. The next time you log in, the app displays
the Incidents table as the first page, however you can return to the dashboard from the Incidents menu at
any time.
In addition to the Incidents pages, and depending on your assigned role, you can explore and the following
areas in the app.
Interface Description
1. Incidents From the Incidents menu you can view and investigate incidents
from the dashboard and incidents table, and view alert exclusions.
• Dashboard—Provides an overview of the incidents prioritized by
severity
• Incidents—Lists all incidents in the app.
• Alert Exclusions—List all alert exclusion policies.
2. Investigation From the Investigation menu you can investigate a lead or hunt for
threats. You can access the Query Builder to search logs from your
Palo Alto Networks sensors, or the Query Center to view the status
of all queries, and Scheduled Queries to view the status and modify
the frequency of reoccurring queries.
3. Rules From the Rules menu you can create new rules to help improve
your security posture. As you investigate and research threats and
uncover specific indicators and behaviors associated with a threat,
you can create rules to detect and alert you when the behavior
occurs.
4. Response From the Response menu you can take action to respond to
threats. You can open a Live Terminal connection to an endpoint to
investigate processes and files locally and can add malicious domains
and IP addresses to an external dynamic list (EDL) enforceable on
your Palo Alto Networks firewall.
5. Settings and management From the gear icon, you can view a log of actions initiated by Cortex
XDR analysts, configure Cortex XDR settings to integrate with other
apps and services, and manage settings for the analytics engine.
7. User User who is logged into the Cortex XDR app and additional
information about the app including EDR log data retention.
The following topics describe additional management actions you can perform on page results:
• Filter Page Results
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows
Manage Tables
Most pages in Cortex XDR present data in table format and provide controls to help you manage and filter
the results. If additional views or actions are available for a specific value, you can pivot (right-click) from
the value in the table. For example, you can view the incident details, or pivot to the Causality View for an
alert or you can pivot to the results for a query.
On most pages, you can also refresh ( ) the content on the page.
To manage tables in the app:
• Filter Page Results
• Save and Share Filters
• Show or Hide Results
• Manage Columns and Rows
STEP 4 | Enter a value to complete the filter criteria and then click outside of the filter to apply it to alert
results.
CMD fields have a 128 character limit. Shorten longer query strings to 127 characters and
add an asterisk (*).
Alternatively, you can select Include empty values to create a filter that excludes or includes results
when the field has an empty values.
STEP 5 | To add additional filters, click the + and repeat steps 2 through 4.
STEP 6 | Click out of the filter area into the results table to see the results.
• Save a filter:
Saved filters are listed on the Filters tab for the table layout and filter manager menu.
1. Save ( ) the active filter.
2. Enter a name to identify the filter.
You can create multiple filters with the same name. Saving a filter with an existing name will not
override the existing filter.
3. Choose whether to Share this filter or whether to keep it private for your own use only.
• Share a filter:
You can share a filter across your organization.
Unsharing a filter will turn a public filter private. Deleting a shared filter will remove it for all users.
CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated value,
the app shows or hides all results that match the first 128 characters.
The show or hide action is a temporary means of filtering the results: If you navigate away from the page
and later return, any results you previously hid will appear again.
To reduce the number of results displayed:
Cortex XDR updates the table to present the results in the desired row height view ranging from
short to tall.
Cortex XDR updates the table to present the results in the desired view: narrow, fixed width, or
scaled to the column heading.
25
26 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Incident Response
© 2019 Palo Alto Networks, Inc.
Incidents Dashboard
The Incidents dashboard is the first page you see in the Cortex XDR app when you log in and provides
a graphical summary of incidents in your environment, with incidents prioritized and listed by severity,
assignee, incident age, and affected hosts.
Interface Description
1. Incidents From the Incidents menu you can view the dashboard or the full table of
incidents.
2. Color Theme Toggle The theme toggle enables you to switch the interface theme colors for
the dashboard between light and dark.
3. Assigned Incidents The Assigned Incidents graph shows the distribution of incidents by
assignee and shows how many of the open incidents are aged. Aged
incidents have not been modified in seven days. Select an assignee
to open the incidents table filtered to display incidents only with the
selected assignee.
4. Open Incidents (Summary) The Open Incidents summary displays the total number of open
incidents by incident severity. Select a severity to open a filtered view of
incidents by the selected severity.
5. Open Incidents (Timeline) The Open Incidents graph shows all open incidents over time and shows
how many of the open incidents are aged. Aged incidents have not
been modified in seven days. Select the time range in the upper right to
view the number of open incidents over the last 1D (1 day), 7D (7 days),
and 30D (30 days). Hover over the graph to view the number of open
incidents on a specific day.
6. Top Hosts The Top Hosts area of the dashboard lists the hosts with the highest
number of incidents and the distribution of incidents by incident
severity. Select a host to view all incidents related to that host.
7. Top Incidents The Top Incidents table lists incident prioritized by alert severity. Select
an incident to view the incident details.
An attack can affect several hosts or users and raises different alert types stemming from a single event. All
artifacts, assets, and alerts from a threat event are gathered into an Incident.
The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules which
take into account different attributes. Examples of alert attributes include alert source, type, and time
period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it
with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped
with the same incident if an open incident already exists. Otherwise, the new incoming alert will create
a new incident. The Incidents table displays all incidents including the incident severity to enable you to
prioritize, track, and update incidents. For additional insight into the entire scope and cause of an event,
you can view all relevant assets, suspicious artifacts, and alerts within the incident details. You can also
track incidents, document the resolution, and assign analysts to investigate and take remedial action. Select
multiple incidents to take bulk actions on incidents.
The following table describes both the default and additional optional fields that you can view in the
Incidents table and lists the fields in alphabetical order.
Field Description
Check box to select one or more incidents on which to perform the following
actions.
• Assign incidents to an analyst in bulk
• Change the status of multiple incidents
• Change the severity of multiple incidents
• Merge incidents into a single incident
Alerts Breakdown The total number of alerts and number of alerts by severity.
Assigned To The user to which the incident is assigned. The assignee tracks which analyst
is responsible for investigating the threat. Incidents that have not been
assigned have a status of Unassigned.
Creation Time The time the first alert was added to a new incident.
Hosts The number of hosts affected by the incident. Right-click the host count to
view the list of hosts grouped by operating system.
Incident Description The description is generated from the alert name from the first alert added
to the incident, the host and user affected, or number of users and hosts
affected.
Last Updated The last time a user took an action or an alert was added to the incident.
Resolve Comment The user-added comment when the user changes the incident status to a
Resolved status.
Status Incidents have the status set to New when they are generated. To begin
investigating an incident, set the status to Under Investigation. The Resolved
status is subdivided into resolution reasons:
• Resolved - Threat Handled
• Resolved - Known Issue
• Resolved - Duplicate Incident
• Resolved - False Positive
Users Users affected by the alerts in the incident. If more than one user is affected,
click on + <n> more to see the list of all users in the incident.
From the Incidents page, you can right-click an incident to view the incident, and investigate the related
assets, artifacts, and alerts. For more information see Investigate Incidents.
Investigate Incidents
An attack event can affect several users or hosts and raise different types of alerts caused by a single event.
You can track incidents, assign analysts to investigate, and document the resolution. For a record log of all
actions taken by analysts in the incident, see Audit Admin Activity.
The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those
alerts in a single location. From the Incident details page you can manage the alert and investigate an
event within the context and scope of a threat.
Select the incident status to update the status from New to Under Investigation to indicate
which incidents have been reviewed and to filter by status in the incidents table.
STEP 5 | Review the details of the incident, such as alerts and insights related to the event, and affected
assets and artifacts.
• Investigate Key Artifacts.
Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related
to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts
STEP 6 | If after reviewing the incident details, if you want to suppress one or more alerts from
appearing in the future, create an exclusion policy.
1. Enter a POLICY NAME to identify your alert exclusion.
2. Enter a descriptive COMMENT that identifies the reason or purpose of the alert exclusion policy.
3. Select Actions > Create Exclusion Policy.
4. Use the alert filters to add any the match criteria for the alert exclusion policy.
You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to
show you which alerts in the incident would be excluded. To see all matching alerts including those
not related to the incident, clear the option to Show only alerts in the named incident.
3. Add a comment that explains the reason for closing the incident.
4. Select OK.
The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming
alerts to a new incident.
The Alerts page consolidates non-informational alerts from your detection sources to enable you to
efficiently and effectively triage the events you see each day. By analyzing the alert, you can better
understand the cause of what happened and the full story with context to validate whether an alert requires
additional action.
To view detailed information for an alert, you can also view details in the Causality View and Timeline View
views. From these views you can also view related informational alerts that are not presented on the Alerts
page.
By default, the Alerts page displays the alerts that it received over the last seven days (to modify the time
period, use the page Cortex XDR Alerts). Every 12 hours, Cortex XDR enforces a cleanup policy to remove
the oldest alerts that exceed the maximum alerts limit.
The following table describes both the default fields and additional optional fields that you can add to the
alerts table and lists the fields in alphabetical order.
Field Description
Status Indicator ( ) Identifies whether the EDR and corresponding firewall data
match and can be stitched together.
While the Cortex XDR app is trying to match existing
firewall data with expected EDR data the dot is temporarily
gray (up to 5 minutes) and the dot turns green once the data
sources are stitched together.
A gray dot for longer than 5 minutes indicates that the
Cortex XDR app is not receiving EDR data.
ACTION Action taken by the alert sensor with action status displayed
in parenthesis:
• Detected
• Detected (Download)
• Detected (Post Detected)
• Detected (Prompt Allow)
• Detected (Reported)
• Detected (Scanned)
• Prevented (Blocked)
• Prevented (Prompt Block)
ALERT NAME If the alert was generated by Cortex XDR, the Alert Name
will be the specific Cortex XDR rule that created the alert
(BIOC or IOC rule name). If from an external system, it will
carry the name assigned to it by Cortex XDR.
ALERT SOURCE Source of the alert: BIOC, Analytics BIOC, IOC, Traps,
Firewall, or Analytics.
CGO NAME The name of the process that started the causality chain
based on Cortex XDR causality logic.
CGO SIGNER The name of the software publishing vendor that signed the
file in the causality chain that led up to the alert.
DESCRIPTION Text summary of the event including the alert source, alert
name, severity, and file path. For alerts triggered by BIOC
and IOC rules, Cortex XDR displays detailed information
about the rule.
EVENT TYPE The type of event on which the alert was triggered:
• File Event
• Injection Event
• Load Image Event
• Network Event
• Process Execution
• Registry Event
FILE PATH When the alert triggered on a file (the Event Type is File)
this is the path to the file on the endpoint. If not, then N/A.
INITIATOR SIGNATURE Signing status of the process that initiated the activity:
• Unsigned
• Signed
• Invalid Signature
• Unknown
LOCAL PORT If the alert triggered on network activity (the Event Type is
Network Connection) this is the port on the endpoint that
triggered the alert. If not, then N/A.
REGISTRY FULL KEY If the alert triggered on registry modifications (the Event
Type is Registry) this is the full registry key that triggered
the alert. If not, then N/A.
REMOTE HOST If the alert triggered on network activity (the Event Type is
Network Connection) this is the IP address of the remote
host that triggered the alert. If not, then N/A.
SEVERITY The severity that was assigned to this alert when it was
triggered (or modified): Informational, Low, Medium, High,
or Unknown. For BIOC and IOCs, you define the severity
when you create the rule. Insights are low and informational
severity alerts that do not raise incidents, but provide
additional details when investigating an event. For the
severity associated with Traps events, see Log Types and
Severity Levels. For Analytics, see Cortex XDR – Analytics
Alert Severity Statuses.
TIMESTAMP The date and time when the alert was triggered, either by
Cortex XDR or by another Palo Alto Networks detection
sensor.
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts
for deeper understanding of the cause and timeline of the event.
• Manage Alerts
• Causality View
• Timeline View
Alert Sources
To provide a complete picture of threats across your network and endpoints, Cortex XDR aggregates alerts
from your detection sources. In addition, Cortex XDR raises alerts based on the indicator rules that you
define.
The following table displays the possible alert sources:
IOC An alert from an indicator of compromise (IOC) alert source indicates Cortex
XDR identified a match to an IOC rule (for example a rule configured for a
specific IP address or SHA256 file hash.
Analytics BIOC An Analytics BIOC alert indicates a rule match for a single endpoint event,
while referencing profile data created by the analytics engine.
For information on the types of Analytics alerts, see the Cortex XDR Analytics
Alert Reference.
PAN NGFW An alert generated by Palo Alto Networks firewalls that detect anomalous
network activity. Firewall alerts that stem from the same source, with the
same alert name within 24 hours, are aggregated into a single alert with a +n
tag to show the number of additional alerts the firewall detected.
Analytics An Analytics alert is reported after the analytics engine ensures that an
anomaly in endpoint or network activity is truly suspicious. To create
baselines of normal behavior, as well as other network and endpoint profiles,
the analytics engine retrieves and analyzes logs from Cortex Data Lake. To
raise alerts, the analytics engine uses machine-learning algorithms (known
as detectors), comparing aspects of recent network and endpoint behavior
to the expected baselines and profiles. Analytics alerts reference behaviors
occurring over (sometimes long) stretches of time, rather than single events.
For information on the types of Analytics alerts, see the Cortex XDR Analytics
Alert Reference.
Triage Alerts
When the Cortex XDR app displays a new alert on the Alerts page, use the following steps to investigate
and triage the alert:
STEP 1 | Review the data shown in the alert such as the command-line arguments (CMD), process info,
etc.
For more information about the alert fields, see Cortex XDR Alerts.
STEP 3 | Review the Timeline View of review the sequence of events over time.
STEP 4 | If deemed malicious, consider responding by isolating the endpoint from the network.
Manage Alerts
From the Alerts page, you can manage the alerts you see and the information Cortex XDR displays about
each alert.
STEP 2 | Select Actions > Create New Incident and confirm the alerts.
STEP 3 | Verify the incident details, such as the severity and incident name, and optionally assign the
incident to an analyst.
See Investigate Incidents for incident details.
Copy Alerts
There are two ways you can copy an alert into memory: you can copy the URL of the alert record, or you
can copy the value for an alert field. With either option, you can paste the contents of memory into an
email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field
value, you can also easily paste it into a search or begin a query.
Analyze an Alert
To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that
empowers you to make a thorough analysis very quickly. There are two types of analysis views that are
available depending on the type of alert. The Causality View is available for BIOC, IOC, or Traps alerts that
are based on endpoint data and the Analytics View is available for Analytics alerts.
To start the analysis:
STEP 1 | From the Alerts page, locate the alert you want to analyze.
STEP 1 | From the Alerts page, locate the alert you want to analyze.
Alert Exclusions
The Alert Exclusions page displays all alert exclusions in Cortex XDR.
Field Description
Check box to select one or more alert exclusions on which you want to
perform actions.
BACKWARD SCAN Exclusion policy status for historic data, either enabled if you want to apply
STATUS the policy to previous alerts or disabled if you don’t want to apply the policy
to previous alerts.
COMMENT Administrator-provided comment that identifies the purpose or reason for the
exclusion policy.
DESCRIPTION Text summary of the policy that displays the match criteria.
MODIFICATION DATE Date and time when the exclusion policy was created or modified.
STEP 4 | Enter any comments to explain the purpose or intent behind the policy.
As you define the criteria, the app filters the results to display matches.
This action is irreversible: All historic excluded alerts will remain excluded if you disable or
delete the policy.
STEP 7 | Create and then select Yes to confirm the alert exception policy.
Causality View
The Causality View provides a powerful way to analyze and respond to alerts. The scope of the Causality
View is the Causality Instance (CI) to which this alert pertains. The Causality View presents the alert
(generated by Cortex XDR or sent to Cortex XDR from a supported alert source such as Traps) and includes
the entire process execution chain that led up to the alert. On each node in the CI chain, XDR app provides
information to help you understand what happened around the alert.
Section Description
Context Summarizes information about the alert you are analyzing, including the
host name, the process name on which the alert was raised, and the host IP
address.
Host Isolation You can choose to isolate the host, on which the alert was triggered, from the
network.
CI Chain Includes the graphic representation of the Causality Instance (CI) along with
other information and capabilities to enable you to conduct your analysis.
The Causality View presents a single CI chain. The CI chain is built from
processes nodes, events and alerts. The chain presents the process execution
and might also include events that these processes caused and alerts that
were triggered on the events or processes. The Causality Group Owner
(CGO) is displayed on the left side of the chain. The CGO is the process that
is responsible for all the other processes, events and alerts in the chain. You
need the entire CI to fully understand why the alert occurred.
The Causality View provides an interactive way to view the CI chain for an
alert. You can move it, extend it, and modify it. To adjust the appearance of
the CI chain, you can enlarge/shrink the chain for easy viewing using the size
controls on the right. You can also move the chain around by selecting and
dragging it. To return the chain to its original position and size, click in
the lower-right of the CI graph.
From any process node, you can also right-click to display additional actions
that you can perform during your investigation:
• Show parents and children—If the parent is not presented by default, you
can display it. If the process has children, XDR app displays the number
of children beneath the process name and allows you to display them for
additional information.
• Hide branch—Hide a branch from the Causality View.
Entity Data Provides additional information about the entity that you selected. The data
varies by the type of entity but typically identifies information about the
entity related to the cause of the alert and the circumstances under which the
alert occurred.
Events Table Displays all related events for the process node which matches the alert
criteria that were not triggered in the alert table but are informational BIOCs.
Timeline View
The Timeline provides a forensic timeline of the sequence of events, alerts, and informational BIOCs
involved in an attack. While the Causality View of an alert surfaces related events and processes that
Cortex XDR identifies as important or interesting, the Timeline displays all related events, alerts, and
informational BIOCs over time.
CGO (and process instances Cortex XDR displays the Causality Group Owner (CGO) and the host
that are part of the CGO) on which the CGO ran in the top left of the timeline. The CGO is the
parent process in the execution chain that Cortex XDR identified as
being responsible for initiating the process tree. In the example above,
wscript.exe is the CGO and the host it ran on was HOST488497.
You can also click the blue corner of the CGO to view and filter related
processes from the Timeline. This will add or remove the process and
related events or alerts associated with the process from the Timeline.
Timespan By default, Cortex XDR displays a 24-hour period from the start of the
investigation and displays the start and end time of the CGO at either
end of the timescale. You can move the slide bar to the left or right to
focus on any time-gap within the timescale. You can also use the time
filters above the table to focus on set time periods.
Related events, alerts, and Cortex XDR displays all the alerts, BIOCs (triggered and informational),
informational BIOCs and events a in this table. Clicking on a node in the activity area of the
Timeline filters the results you see here. Similar to other pages in Cortex
XDR, you can create filters to search for specific events.
Section Description
1. Context For Analytics alerts, the analytics view indicates the endpoint for which the
alert was raised.
For Analytics BIOC alerts, the Analytics view summarizes information about
the alert, including the source host name, IP address, the process name on
which the alert was raised, and the corresponding process ID.
2. Alert summary (Analytics alerts only) Describes the behavior that triggered the alert and
activity impact.
3. Graphic summary Similar to the Causality View, the analytics view provides a graphic
representation of the activity that triggered the alert and an interactive way
to view the chain of behavior for an Analytics alert. You can move the graphic,
extend it, and modify it. To adjust the appearance, you can enlarge/shrink
the chain for easy viewing using the size controls on the right. You can also
move the chain around by selecting and dragging it. To return the chain to its
original position and size, click in the lower-right of the graph.
The activity depicted in the graphic varies depending on the type of alert:
• Analytics alerts—You can view a summary of the aggregated activity
including the source host, the anomalous activity, connection count, and
the destination host. You can also select the host to view any relevant
profile information.
• Analytics BIOC alerts—You can view the specific event behavior including
the causality group owner that initiated the activity and related process
nodes. To view the summary of the specific event, you can select the
above the process node.
4. Alert description The alert description provides details and statistics related to the activity.
Beneath the description, you can also view the alert name, severity assigned
6. Response actions Actions you can take in response to an Analytics alert. These actions can
include isolating a host from the network, initiating a live terminal session,
running a Pathfinder scan, and adding an IP address or domain name to an
external dynamic list (EDL) that is enforceable in your Palo Alto Networks
firewall security policy.
Apr 9th 2019 10:54:02 Live Terminal session has started [success]
Apr 9th 2019 10:54:07 Live Terminal session end request [success]
Apr 9th 2019 10:54:08 Live Terminal session has ended [success]
STEP 2 | From the Live Terminal, locate the process which is causing abnormal behavior.
Select the tree view ( ) to switch between flat and tree views.
If the process is known malware, the row displays a red indicator and identifies the file using a malware
attribute.
STEP 2 | Navigate the file directory on the endpoint and manage files
From the file explorer, you can add, move, and delete a single file or multiple files.
You can search for files the following ways:
• Search for any text within the visible rows on the screen from the search bar.
• Double click a folder to explore its contents.
• Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan
engines. You can scan a file using the VirusTotal scan service to check for false positives or verify
suspected malware.
• Get WildFire Score—WildFire evaluates the file hash signature to compare it against known threats.
• Add the Sha256 as IOC—Add the SHA256 hash signature as an indicator of compromise and assign
the priority you want to assign to alerts that detect this hash value. The next time Cortex XDR
identifies a file with this hash signature, the app raises an alert.
• Mark as Interesting—Add an Interesting tag to any file or directory to easily locate the file. The files
you tag are recorded in the session report to help you locate them after you end the session.
• Remove from Interesting—If no threats are found, you can remove the Interesting tag.
cd
c:\windows\temp\ && <command1> && <command2>
STEP 2 | Select Command Line from the Live Terminal options on the left.
STEP 2 | Select Python to start the python command interpreter on the remote endpoint.
STEP 4 | Repeat these steps to add additional IP addresses or domains and then click Add when
finished.
55
56 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Search and Investigate
© 2019 Palo Alto Networks, Inc.
Cortex XDR Query Builder
The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate any
lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats from your
data sources. With Query Builder, you can build complex queries for entities and entity attributes so that
you can surface and identify connections between them. The Query Builder searches the raw data from the
logs received by the Cortex Data Lake for the entities and attributes you specify.
The Query Builder provides queries for the following types of entities:
• Process—Search on process execution and injection by process name, hash, path, command-line
arguments, and more. See Create a Process Query.
• File—Search on file creation and modification activity by file name and path. See Create a File Query.
• Network—Search network activity by IP address, port, host name, protocol, and more. See Create a
Network Query.
• Registry—Search on registry creation and modification activity by key, key value, path, and data. See
Create a Registry Query.
• Event Log—Search Windows event logs by username, log event ID, log level, and message. See Create an
Event Log Query.
• All Actions—Search across all network, registry, file, and process activity by endpoint or process. See
Query Across All Entities.
The Query Builder also provides flexibility for both on-demand query generation and scheduled queries.
STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
STEP 3 | Enter the search criteria for the file alerts query.
• File activity—Select the type or types of file activity you want to search: Create, Read, Rename,
Delete, or Write.
• File attributes—Define any additional process attributes for which you want to search. Use a pipe
(|) to separate multiple values (for example notepad.exe|chrome.exe). By default, Cortex XDR
will return the alerts that match the attribute you specify. To exclude an attribute value, toggle the =
option to =!. Attributes are:
• NAME—File name.
• PATH—Path to the file.
• PREVIOUS NAME—Previous name of a file.
• PREVIOUS PATH—Previous path of the file.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.
STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
STEP 3 | Enter the search criteria for the network alerts query.
• Network traffic type—Select the type or types of network traffic alerts you want to search: Incoming,
Outgoing, or Failed.
• Network attributes—Define any additional process attributes for which you want to search. Use a
pipe (|) to separate multiple values (for example 80|8080). By default, Cortex XDR will return the
alerts that match the attribute you specify. To exclude an attribute value, toggle the = option to
=!.Options are:
• REMOTE COUNTRY—Country from which the remote IP address originated.
• REMOTE IP—Remote IP address related to the communication.
• REMOTE PORT—Remote port used to make the connection.
• LOCAL IP—Local IP address related to the communication. Matches can return additional data if a
machine has more than one NIC.
• LOCAL PORT—Local port used to make the connection.
• PROTOCOL—Network transport protocol over which the traffic was sent.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.
STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
STEP 3 | Enter the search criteria for the registry alerts query.
• Registry action—Select the type or types of registry actions you want to search: Key Create, Key
Delete, Key Rename, Value Set, or Value Delete.
• Registry attributes—Define any additional registry attributes for which you want to search. By
default, Cortex XDR will return the alerts that match the attribute you specify. To exclude an
attribute value, toggle the = option to =!. Attributes are:
• KEY NAME—Registry key name.
• DATA—Registry key data value.
• REGISTRY FULL KEY—Full registry key path.
• KEY PREVIOUS NAME—Name of the registry key before modification.
• VALUE NAME—Registry value name.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.
STEP 6 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
STEP 3 | Enter the search criteria for your Windows event log query.
Define any event attributes for which you want to search. By default, Cortex XDR will return the alerts
that match the attribute you specify. To exclude an attribute value, toggle the = option to =!. Attributes
are:
• • PROVIDER NAME—The provider of the event log.
• USERNAME—The username associated with the event.
• EVENT ID—The unique ID of the event.
• LEVEL—The event severity level.
• MESSAGE—The description of the event.
To specify an additional exception (match this value except), click the + to the right of the value and
specify the exception value.
STEP 5 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
STEP 8 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
Some examples of queries you can run across all entities include:
• All activities on a host
Specify one or more of the following attributes for the acting (parent) process.
Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
• NAME—Name of the parent process.
• PATH—Path to the parent process.
• CMD—Command-line used to initiate the parent process including any arguments, up to 128
characters.
• MD5—MD5 hash value of the parent process.
• SHA256—SHA256 hash value of the process.
• USER NAME—User who executed the process.
• SIGNATURE—Signing status of the parent process: Signature Unavailable, Signed, Invalid Signature,
Unsigned, Revoked, Signature Fail.
• SIGNER—Entity that signed the certificate of the parent process.
• PID—Process ID of the parent process.
• Run search for both the process and the Causality actor—The causality actor—also referred to as the
causality group owner (CGO)—is the parent process in the execution chain that XDR app identified
as being responsible for initiating the process tree. Select this option if you want to apply the same
search criteria to the causality actor. If you clear this option, you can then configure different
attributes for the causality actor.
STEP 5 | Specify the time period for which you want to search for alerts.
Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in the
Query Center.
The following table describes the fields that are available for each query in alphabetical order.
Field Description
DURATION Number of seconds it took for the query to complete or error out.
QUERY NAME For saved queries, the Query Name identifies the query specified by
the administrator. For scheduled queries, the Query Name identifies
the auto-generated name of the parent query. Scheduled queries also
display an icon to the left of the name to indicate that the query is
reoccurring.
STEP 2 | Locate the query for which you want to view the results.
If necessary, use the Filter to reduce the number of queries Cortex XDR – Investigation and Response
displays.
STEP 3 | Right click anywhere in the query row and then select Show results.
Cortex XDR displays the results in a new window.
STEP 5 | (Optional) If you want to refine your results, you can Modify a query from the query results.
Modify a Query
After you run a query you might find you need to change your search parameters such as to narrow the
search results or correct a search parameter. There are two ways you can modify a query: You can edit it in
the Query Center, or you can edit it from the results page. Both methods populate the criteria you specified
in the original query in a new query which you can modify and save.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query as resources are available, or Run to run the query immediately and view the results in
the Query Center.
Select the calendar icon to schedule a query to run on or before a specific date, Run in background to
run the query and review the result at a later time, or Run to run the query immediately and view the
results in the Query Center.
Rename a Query
If needed, you can rename a query at any time. If you later rerun the query, the new query will run using the
new name. You can also edit the name of a query when you Modify a Query.
The following table describes the fields that are available for each query in alphabetical order.
Field Description
NEXT EXECUTION Next execution time if the query is scheduled to run at a specific
frequency. If the query was only scheduled to run at a specific time and
date, this field will show None.
QUERY NAME For saved queries, the Query Name identifies the query specified by
the administrator. For scheduled queries, the Query Name identifies
the auto-generated name of the parent query. Scheduled queries also
display an icon to the left of the name to indicate that the query is
reoccurring.
SCHEDULE TIME Frequency or time at which the query was scheduled to run.
STEP 2 | Locate the scheduled query for which you want to view previous executions.
If necessary, use the Filter to reduce the number of queries Cortex XDR displays.
STEP 3 | Right click anywhere in the query row and then select Show all executed instances.
Cortex XDR filters the queries on the Query Center and displays the results in a new window.
STEP 3 | Right click anywhere in the query row and then select Edit.
STEP 4 | Adjust the schedule settings as needed, and then click OK.
STEP 3 | Right click anywhere in the query row and then select Remove to permanently remove the
scheduled query, or Disable to temporarily stop the query from running at the scheduled time.
If you disable a query you can later return to the Scheduled Queries page and Enable it.
STEP 3 | Right click anywhere in the query row and then select Rename.
STEP 4 | Edit the query name as desired, and then click OK.
STEP 3 | Right click anywhere in the query row and then select Copy.
STEP 4 | Edit the query name as desired, and then click OK.
STEP 1 | Use the threat intelligence you have to build a query using Cortex XDR Query Builder.
For example, if external threat intelligence indicates a confirmed threat that involves specific files or
behaviors, search for those characteristics.
STEP 2 | View the Results of a Query and refine as needed to filter out noise.
See Modify a Query.
STEP 4 | Open the Timeline View to view the sequence of events over time.
STEP 5 | Inspect the information again, and identify any characteristics you can use to create a BIOC
rule.
If you can create a BIOC rule, test and tune it, and then save it
STEP 6 | For alerts from Traps sensors, view the original security event in your Traps management
service instance.
79
80 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Manage Cortex XDR Rules
© 2019 Palo Alto Networks, Inc.
Cortex XDR Rules
Rules enable you to generate alerts and take other actions on threats that you define. Cortex XDR –
Investigation and Response supports the following rule types:
• Behavioral indicators of compromise (BIOCs)—Identifying threats based on their behaviors can be quite
complex. As you identify specific network, process, file, or registry activity that indicates a threat, you
create BIOCs that can alert you when the behavior is detected.
• Indicators of compromise (IOCs)—Known artifacts that are considered malicious or suspicious. IOCs are
static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths.
You create IOC rules based on information that you gather from various threat-intelligence feeds or that
you gather as a result of an investigation within Cortex XDR.
The following table describes the fields that are available for each BIOC rule in alphabetical order.
Field Description
COMMENT Free-form comments specified when the BIOC was created or modified.
EXCEPTIONS Exceptions to the BIOC rule. When there's a match on the exception,
the event will not trigger an alert.
INSERTION DATE Date and time when the BIOC rule was created.
MODIFICATION DATE Date and time when the BIOC was last modified.
NAME Unique name that describes the rule. Global BIOC rules defined by Palo
Alto Networks are indicated with a blue dot and cannot be modified or
deleted.
SEVERITY BIOC severity that was defined when the BIOC was created.
SOURCE User who created this BIOC, the file name from which it was created, or
Palo Alto Networks if delivered through content updates.
For the purpose of showing you the expected behavior of the rule before you save it,
Cortex XDR tests the BIOC on historical logs. After you save a BIOC rule, it will operate
on both historical logs and new data received from your log sensors (for example, Traps).
STEP 7 | Specify the SEVERITY you want to associate with the alert.
STEP 9 | Enter any additional comments such as why you created the BIOC.
Import Rules
You can use the import feature of Cortex XDR to import BIOCs from external feeds or that you previously
exported. The export/import capability is useful for rapid copying of BIOCs across different Cortex XDR
instances.
You can only import files that were exported from Cortex XDR. You can not edit an exported
file.
STEP 3 | Drag and drop the file on the import rules dialog or browse to a file.
STEP 5 | Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.
STEP 6 | To investigate any matches, view the Alerts page and filter the Alert Name by the name of the
BIOC rule.
3.
The content status displays the date when the content was last updated, either automatically or
manually by an administrator.
4. If the status displays Could not check update, click the status to check for updates manually.
The following table describes the fields that are available for each IOC rule in alphabetical order.
COMMENT Free-form comments specified when the IOC was created or modified.
EXPIRATION DATE The date and time at which the IOC will be removed automatically.
INDICATOR The indicator value itself. For example, if the indicator type is a
destination IP address, this could be an IP address such as 1.1.1.1.
INSERTION DATE Date and time when the IOC was created.
MODIFICATION DATE Date and time when the IOC was last modified.
SEVERITY IOC severity that was defined when the IOC was created.
SOURCE User who created this IOC or the file name from which it was created.
TYPE Type of indicator: Full path, File name, Host name, Destination IP, MD5
hash.
STEP 4 | (Optional) Define any expiration criteria for your IOC rules.
If desired, you can also configure additional expiration criteria per IOC type to apply to all IOC rules.
In most cases, IOC types like Destination IP or Host Name are considered malicious only for a short
period of time since they are soon cleaned and then used by legitimate services, from which time they
only cause false positives. For these types of IOCs, you can set a short expiration period. The expiration
criteria you define for an IOC type will apply to all existing rules and additional rules that you create in
the future.
1. Select Settings.
2. Set the expiration for any relevant IOC type. Options are Never, 1 week, 1 month, 3 months, or 6
months.
3. Click Save.
Edit a Rule
After you create a rule, it may be necessary to tweak or change the rule settings.
STEP 3 | Right click anywhere in the rule and then select Edit.
STEP 5 | Adjust the schedule settings as needed, and then click OK.
STEP 3 | Right click any of the rows, and select Export selected.
The exported file is not editable, however you can use it as a source to import rules at a later date.
Copy a Rule
You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or
altered, but you can copy a global rule and edit the copy. See Manage Global BIOC Rules.
STEP 3 | Right click anywhere in the rule row and then select Copy to create a duplicate rule.
STEP 3 | Right click anywhere in the rule row and then select Remove to permanently delete the rule, or
Disable to temporarily stop the rule. If you disable a rule you can later return to the rule page
to Enable it.
Cortex XDR only supports exceptions with one attribute. See Add an Alert Exclusion Policy to
create advanced exceptions based on your filtered criteria.
STEP 3 | Configure the indicators and conditions for which you want to set the exception.
STEP 4 | Choose the scope of the exception, whether the exception applies to IOCs, BIOCs, or both.
93
94 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Administration
© 2019 Palo Alto Networks, Inc.
Manage Administrative Access
• Administrative Roles
• Assign Roles to Cortex XDR Users
Administrative Roles
Role-based access control (RBAC) enables you to use pre-configured roles to assign access rights to
administrative users. You can manage roles for all Cortex apps and services in the Cortex hub. By assigning
roles, you enforce the separation of access among functional or regional areas of your organization.
Each role extends specific privileges to users. The way you configure administrative access depends on the
security requirements of your organization. Use roles to assign specific access privileges to administrative
user accounts. The built-in roles provide specific access rights that cannot be changed.
The specific roles that you can assign for Cortex XDR users are as follows:
Role Privileges
Investigation and Response Access to the Alerts, Incidents, Investigation and Response
tabs. The Rules tab is not visible or accessible.
Investigation and Rules View Access to the Alerts, Incidents, and Investigation tabs, with
additional read-only access to rules.
Investigation, Rules View and Response Access to the Alerts, Incidents, Investigation and Response
tabs and read-only access to Rules.
Investigation, Rules and Response Access to all features except the app configuration pages
and audit logs.
5. If the user also needs to access Cortex XDR - Analytics settings and pages, select Cortex XDR -
Analytics and then assign an Administrative Role.
If the user is assigned the Account Administrator role, then you cannot assign the user any other
more granular role. To assign granular roles, Remove Account Administrator role, then assign the
desired granular role.
6. Save and then click Yes to confirm your role assignment changes.
WildFire provides verdicts and analysis reports to Cortex XDR users without requiring a
license key. Using WildFire for next-generation firewalls or other use-cases continues to
require an active license.
To view external threat intelligent verdicts in Cortex XDR – Investigation and Response incidents, you must
obtain the license key for the service and add it to the Cortex XDR Configuration. After you integrate any
services, you will see the verdict or verdict score when you Investigate Incidents.
To integrate an external threat intelligence service:
STEP 1 | Get your the API License Key for the service.
• Get your AutoFocus API key.
• Get your VirusTotal API key.
STEP 2 | Enter the license key in the Cortex XDR – Investigation and Response app.
Select the gear ( ) in the menu bar, then Settings > Threat Intelligence and then enter the license key.
Analytics Status
The Cortex XDR Analytics Status page provides information regarding the health and operational status
of the analytics engine. Each tab on the Status page displays the health and/or status information about a
specific aspect of the analytics engine:
• Analytics System Status—provides quick-reference on the overall health of the system.
If the system status is not OK, then the gear icon shows a red exclamation point. You can
find additional details under the System Status tab.
• Analytics Log Status—shows the number of logs recently received by Cortex XDR analytics engine.
• Analytics Traffic Status—shows the amount of network traffic observed by Cortex XDR analytics engine
in the recent past.
• Analytics Pathfinder Status—shows the connection and scan status of the Pathfinder VM(s).
• Analytics Traps Status—shows the number of hosts from which the app receives Traps data.
• Analytics Directory Sync Status—shows the connection status of the Directory Sync Service paired with
Cortex XDR.
• Analytics Network Coverage Status—provides a report on the networks that Cortex XDR analytics
engine is monitoring, as well as relevant statistics on the IPs and traffic observed on each network.
These status pages are accessible from > Analytics Management > Status.
To receive emails notifications for system alerts (once per 24 hours), select the gear on the top menu bar
of the Cortex XDR interface, and select Analytics Management > Configuration > System Alerts (see the
System Alerts Configuration for details).
Reports are displayed in the Network Coverage tab. Alternatively, you can export reports to a CSV file for
importation into a spreadsheet or similar software.
If you close your browser during report generation, the generation will continue in the
background.
First IP The first, or lowest, IP address in the network for which Cortex XDR
has observed traffic. Based on data retrieved from traffic logs.
Last IP The last, or highest, IP address in the network for which Cortex XDR
has observed traffic. Based on data retrieved from traffic logs.
Total IPs Seen The total number of IP addresses that Cortex XDR – Analytics has
observed operating on the network. Based on data retrieved from
traffic logs.
SSL % The percentage of IP addresses on the network that are using the
SSL protocol. Based on data retrieved from enhanced application
logs.
HTTP % The percentage of IP addresses on the network that are using the
HTTP protocol. Based on data retrieved from URL logs.
DNS % The percentage of IP addresses on the network that are using the
DNS protocol. Based on data retrieved from enhanced application
logs.
DHCP % The percentage of IP addresses on the network that are using the
DHCP protocol. Based on data retrieved from enhanced application
logs.
Attempted Pathfinder Scans The number of times that Pathfinder attempted to scan an endpoint
on the network.
Successful Pathfinder Scans The number of times that Pathfinder successfully scanned an
endpoint on the network.
Average Throughput The average number of bits per second sent across the network.
Based on data retrieved from traffic logs.
where xxxxxxx identifies the timestamp on the first log record that the app has. Similarly, if you select a
time that is after the last log record that the app has, then the following message is shown:
Finally, be aware that reports are rounded to a time interval that is determined by the report time range:
• Ten minutes for reports covering seven days or less.
• An hour for reports covering more than seven days.
If Cortex XDR rounds your time range to any of these intervals, it always rounds up so that
the time range you requested is fully contained in the report. It also provides the following
informational message:
Low coverage The app sees less than half of the hosts on the network performing
traffic using the identified protocol. For example, if a network
contains several hundred IPs but only 30% of those IPs are using
HTTP, then the app would flag this as low coverage. The warning
does not necessarily mean that there is a problem — HTTP traffic
comprising only 30% of the total might be perfectly normal for that
particular network — but Cortex XDR considers this unusual so it
flags the issue in the report.
Received and transmitted traffic Cortex XDR is observing considerably more send traffic than receive,
are not balanced or more receive than send, which is unexpected for TCP/IP traffic
(the difference is 25% or greater). This could indicate that the app
is not receiving all the logs that it should receive. A possible reason
for this is a misconfigured TAP interface or SPAN port on your next-
generation firewalls.
The Pathfinder network connection is from Pathfinder to the Cortex XDR cloud service.
Cortex XDR never needs to connect into your network.
Pathfinder Configuration
The Pathfinder page allows you to configure Pathfinder settings. Pathfinder is a virtual machine that you
install on your network for the purpose of investigating your network endpoints for suspicious/malicious
software and other artifacts.
The Analytics Audit Log records when Pathfinder sends a file to WildFire (select >
Analytics Management > Management > Audit).
• Enable N2PA 2-week monitoring for workstations (Off By Default)—With N2PA monitoring enabled,
Pathfinder activates Windows Instrumentation features on a suspicious device to start process logging
for that endpoint. Pathfinder then periodically scans the device to collect the process logs and sends
those logs to Cortex XDR. The app uses this additional forensic data to attribute network activity to
a specific process running on the endpoint. The app displays the additional forensic data that N2PA
collects along with device details, so that you can better isolate the origin of malicious network activity
and take action. When a device ceases to display suspicious behavior, Pathfinder stops collecting the
To locally configure a Pathfinder VM with the credentials it needs to scan your network,
select the gear on the menu bar, select > Analytics Management > Configuration >
Pathfinder, and follow the steps to Set Up Pathfinder.
Name Description
Per Asset Configuration Allows you to set Pathfinder configurations that are
specific to a subset of devices on your network. You
can override the default Pathfinder configuration on
a per-asset basis using this page. This requires you
to first have configured network assets using the
Network Segments Configuration.
If the network segment is a GlobalProtect or Prisma Access VPN pool, select Reserved for
VPN in the final column and do not assign a Pathfinder VM to the network segment.
To delete a segment, hover over the segment and click the trashcan icon, or delete the segment from your
CSV file and then reimport it.
You cannot remove or edit the default IPv4 and IPv6 address ranges from the table.
However, you can add ranges that are more specific than these defaults.
From the Network Segments page, you can access the IP Ranges Report page where you can generate
reports on the various networks that Cortex XDR is monitoring. Use the Open network coverage report link
to access this page.
For each network that Cortex XDR is monitoring, this report shows you relevant information such as the
number of IPs discovered by Cortex XDR, Pathfinder scan activity (attempts and successes), and the amount
of traffic seen on the network. Both the Network Segments page and the IP Ranges Report displays the
percentage of DNS, DHCP, HTTP, and SSL traffic that the Palo Alto Networks firewall logs for each IP range
(%DNS, %DHCP, %HTTP, %SSL). However, be aware that you must enable the firewall to send Enhanced
Application Logs to the Cortex Data Lake in order for Cortex XDR to display the percent coverage for these
types of application traffic.
EDL Configuration
Cortex XDR hosts two block lists, to which you can add IP addresses and domains as you triage alerts.
You can use a Cortex XDR external dynamic list (EDL) with a Palo Alto Networks firewall to provide an
integrated response to malicious network activity. With a Cortex XDR EDL as the source of a firewall
external dynamic list, the firewall can control user access to IP addresses and domains that the app has
found to be associated with an alert.
The following steps describe how to set up a Palo Alto Networks firewall to use the Cortex XDR EDL as the
source for an external dynamic list (EDL), and how to start building a block list.
Before you begin:
Validate the firewall DNS configuration to make sure that it can resolve the Cortex XDR FQDN.
Ensure the firewall has a direct internet connection; if another network device resides between the
firewall and the internet, make sure that device is configured to allow the traffic between the firewall
and Cortex XDR.
2. Enter login credentials that the Palo Alto Networks firewall should use to access the Cortex XDR
EDL.
STEP 2 | Record the IP Addresses Block List URL and the Domains Block List URL. You will need these
URLs in the coming steps to point the firewall to these lists.
3. Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.
4. Give the profile a descriptive name and Add the certificate to the profile.
STEP 5 | Set the Cortex XDR EDL as the source for a firewall EDL.
For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use
EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.
1. On the firewall, select Objects > External Dynamic Lists and Add a new list.
2. Define the list Type as either IP List or Domain List.
3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last
step as the list Source.
4. Select the Certificate Profile that you created in the last step.
5. Select Client Authentication and enter the username and password that the firewall must use to
access the Cortex XDR EDL. These should be the same login credentials that you saved in Cortex
XDR, when enabling the EDL in the first step.
6. Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XDR.
STEP 6 | Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL as
match criteria to a security policy rule.
Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the
complete workflow to add an EDL as match criteria to a security policy rule.
1. Select Policies > Security and Add or edit a security policy rule.
2. In the Destination tab, select Destination Zone and select the external dynamic list as the
Destination Address.
3. Click OK to save the security policy rule and Commit your changes.
You can also use the Cortex XDR domain list as part of a URL Filtering profile; when
attached to a security policy rule, a URL Filtering profile allows you to granularly
control user access to the domains on the list.
Select > Analytics Management > Management and then select EDL. Two lists are displayed: one for
IP addresses and one for domains. Here, you can delete any entries that you no longer want included on
the lists.
Analytics Management
From the Cortex XDR > Analytics Management > Management menu, you can manage whitelist rules,
view the audit log, and view the status of Pathfinder scans:
• Select Pathfinder to see ongoing and queued Pathfinder Scans, Pathfinder scan history, and suspicious
endpoints that are undergoing periodic scanning (N2PA monitoring).
• Select Audit to see the Analytics Audit Log, which records the triage activity that has occurred in the
Cortex XDR Analytics application lately.
• Select EDL to view Analytics External Dynamic List. You can add IP addresses and domains to the Cortex
XDR block lists as you triage alerts; a Palo Alto Networks firewall can then dynamically enforce policy
based on these lists.
Pathfinder Scans
When the analytics engine observes problematic traffic coming from an endpoint that does not have a
supported version of a Traps agent installed with Traps endpoint monitoring enabled, it uses Pathfinder to
investigate the endpoint. At any time, you can also initiate a Pathfinder scan for a particular device. If N2PA
(network-to-process association) monitoring is enabled, Pathfinder also automatically performs periodic
scanning for devices that have displayed suspicious behavior.
The > Analytics Management > Management > Pathfinder page displays status for all Pathfinder scan
types. You can view both in-progress and queued Pathfinder scans, a history of the scans Pathfinder has
performed, and a list of devices that are undergoing N2PA monitoring. You can also export the Scan History
and Hosts Under N2PA Monitoring lists to a flat-text file for the purposes of viewing them in a spreadsheet
application.
The Audit log separates security policy-related logs on the Analyst tab, and other configuration and
management changes on the Configuration tab.
The following table describes the default and optional additional fields that you can add in alphabetical
order.
Field Description
121
122 CORTEX XDR™ ADMINISTRATOR’S GUIDE | Logs
© 2019 Palo Alto Networks, Inc.
Configure Log Forwarding for BIOC and IOC
Alerts
Using the Log Forwarding app, you can forward Cortex XDR BIOC and IOC alerts to an external syslog or
email.
Cortex XDR – Investigation and Response logs are no longer included when you configure
a Cortex XDR – Analytics log forwarding profile. If you previously received Cortex XDR logs,
you must now set up a new log forwarding profile to receive Cortex XDR – Investigation and
Response logs.
STEP 1 | To activate and configure the Log Forwarding app, ensure you have the appropriate roles to
manage Cortex apps.
For more information, see Available Roles in the Cortex Hub Getting Started Guide.
STEP 3 | Forward BIOC and IOC alert logs to a Syslog Server or Email Server.
STEP 4 | (Optional) If you want to only send logs with a specific severity level, select the desired
Severity.
STEP 5 | (Optional) If you only want to send one type of alert log, select either BIOC or IOC as the Alert
Source.
If you select neither, the app forwards both BIOC and IOC alert logs.
STEP 6 | If you select an alert source, you can also select a specific alert category.
If you do not select an alert category, the app forwards all alerts from the selected alert source.
"/edrData/action_country","/edrData/action_download","/edrData/
action_external_hostname","/edrData/action_external_port","/
edrData/action_file_extension","/edrData/action_file_md5","/
edrData/action_file_name","/edrData/action_file_path","/
edrData/action_file_previous_file_extension","/edrData/
action_file_previous_file_name","/edrData/action_file_previous_file_path","/
edrData/action_file_sha256","/edrData/action_file_size","/edrData/
action_file_remote_ip","/edrData/action_file_remote_port","/edrData/
action_is_injected_thread","/edrData/action_local_ip","/edrData/
action_local_port","/edrData/action_module_base_address","/edrData/
action_module_image_size","/edrData/action_module_is_remote","/
edrData/action_module_is_replay","/edrData/action_module_path","/
edrData/action_module_process_causality_id","/
edrData/action_module_process_image_command_line","/
edrData/action_module_process_image_extension","/
edrData/action_module_process_image_md5","/edrData/
action_module_process_image_name","/edrData/
action_module_process_image_path","/edrData/
action_module_process_image_sha256","/edrData/
action_module_process_instance_id","/edrData/
action_module_process_is_causality_root","/edrData/
action_module_process_os_pid","/edrData/
action_module_process_signature_product","/edrData/
action_module_process_signature_status","/edrData/
action_module_process_signature_vendor","/edrData/
action_network_connection_id","/edrData/action_network_creation_time","/
edrData/action_network_is_ipv6","/edrData/action_process_causality_id","/
edrData/action_process_image_command_line","/edrData/
action_process_image_extension","/edrData/action_process_image_md5","/edrData/
action_process_image_name","/edrData/action_process_image_path","/edrData/
action_process_image_sha256","/edrData/action_process_instance_id","/edrData/
action_process_integrity_level","/edrData/action_process_is_causality_root","/
edrData/action_process_is_replay","/edrData/action_process_is_special","/
edrData/action_process_os_pid","/edrData/action_process_signature_product","/
edrData/action_process_signature_status","/edrData/
action_process_signature_vendor","/edrData/action_proxy","/edrData/
action_registry_data","/edrData/action_registry_file_path","/edrData/
action_registry_key_name","/edrData/action_registry_value_name","/
edrData/action_registry_value_type","/edrData/action_remote_ip","/edrData/
action_remote_port","/edrData/action_remote_process_causality_id","/
edrData/action_remote_process_image_command_line","/
edrData/action_remote_process_image_extension","/
edrData/action_remote_process_image_md5","/edrData/
action_remote_process_image_name","/edrData/
action_remote_process_image_path","/edrData/
action_remote_process_image_sha256","/edrData/
action_remote_process_is_causality_root","/edrData/
action_remote_process_os_pid","/edrData/
action_remote_process_signature_product","/edrData/
action_remote_process_signature_status","/edrData/
action_remote_process_signature_vendor","/edrData/
action_remote_process_thread_id","/edrData/
When alert logs are forwarded by email, each field is labeled, one line per field:
Email body format example:
edrData/action_country:
edrData/action_download:
edrData/action_external_hostname:
edrData/action_external_port:
edrData/action_file_extension: pdf
The following table summarizes the field prefixes and additional relevant fields available for BIOC and IOC
alert logs.
/edrData/action_file* Fields that begin with this prefix describe attributes of a file for which
Traps reported activity.
edrData/action_module* Fields that begin with this prefix describe attributes of a module for
which Traps reported module loading activity.
edrData/ Fields that begin with this prefix describe attributes and activity related
action_module_process* to processes reported by Traps that load modules such as DLLs on the
endpoint.
edrData/ Fields that begin with this prefix describe attributes of a process image
action_process_image* for which Traps reported activity.
edrData/action_registry* Fields that begin with this prefix describe registry activity and attributes
such as key name, data, and previous value for which Traps reported
activity.
edrData/action_network Fields that begin with this prefix describe network attributes for which
Traps reported activity.
edrData/ Fields that begin with this prefix describe attributes of remote processes
action_remote_process* for which Traps reported activity.
edrData/actor* Fields that begin with this prefix describe attributes about the acting
user that initiated the activity on the endpoint.
edrData/agent* Fields that begin with this prefix describe attributes about the Traps
agent deployed on the endpoint.
edrData/causality_actor* Fields that begin with this prefix describe attributes about the causality
group owner.
/local_insert_ts Date and time when Cortex XDR – Investigation and Response ingested
the app.
/source_insert_ts Date and time the alert was reported by the alert source.
/alert_name If the alert was generated by Cortex XDR – Investigation and Response,
the alert name will be the specific Cortex XDR rule that created the alert
(BIOC or IOC rule name). If from an external system, it will carry the
name assigned to it by Cortex XDR .
/alert_description Text summary of the event including the alert source, alert name,
severity, and file path. For alerts triggered by BIOC and IOC rules,
Cortex XDR displays detailed information about the rule.
[{""pretty_name"":""File"",""data_type"":null,
""render_type"":""entity"",""entity_map"":null},
{""pretty_name"":""action type"",
""data_type"":null,""render_type"":""attribute"",
""entity_map"":null},{""pretty_name"":""="",
""data_type"":null,""render_type"":""operator"",
""entity_map"":null},{""pretty_name"":""all"",
/bioc_category_enum_key Alert category based on the alert source. An example of a BIOC alert
category is Evasion. An example of a Traps alert category is Exploit
Modules.
/alert_action_status Action taken by the alert sensor with action status displayed in
parenthesis:
• Detected
• Detected (Download)
• Detected (Post Detected)
• Detected (Prompt Allow)
• Detected (Reported)
• Detected (Scanned)
• Prevented (Blocked)
• Prevented (Prompt Block)
/global_content_version_id Unique identifier for the content version in which a Palo Alto Networks
global BIOC rule was released.
/global_rule_id Unique identifier for an alert triggered by a Palo Alto Networks global
BIOC rule.
STEP 3 | Forward Logs from the Cortex Data Lake to a Syslog Server.
When you configure the Log Forwarding app, you can choose the Log Types you want to forward. To
forward Cortex XDR™ – Analytics logs, forward Magnifier alert logs.
sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges:
"[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges:
"[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []
time_generated Time the log record was sent to the Cortex Data Lake. Value is a Unix
Epoch timestamp.
id Unique identifier for the alert. Any given alert can generate multiple
log records—one when the alert is initially raised, and then additional
records every time the alert status changes. This ID remains constant for
all such alert records.
You can obtain the current status of the alert by looking for log
records with this id and the most recent alert/schedule/
last_detected_at timestamp.
version_info/ Identifies the log schema version number used for this log record.
document_version
version_info/ The version number of the Cortex XDR – Analytics instance that wrote
magnifier_version this log record.
version_info/ Identifies the version of the Cortex XDR – Analytics detection software
detection_version used to raise the alert.
alert/url Provides the full URL to the alert page in the Cortex XDR – Analytics
user interface.
alert/type Identifies the categorization to which the alert belongs. For example
Tunneling Process, Sandbox Detection, Malware, and so forth.
alert/name The alert name as it appears in the Cortex XDR – Analytics user
interface.
alert/severity Identifies the alert severity. These severities indicate the likelihood that
the anomalous network activity is a real attack.
• High—The alert is confirmed to be a network attack.
• Medium—The alert is suspicious enough to require additional
investigation.
• Low—The alert is unverified. Whether the alert is indicative of a
network attack is unknown.
alert/ports List of ports accessed by the network entity during its anomalous
behavior.
alert/internal_destinations/ Network destinations that the entity reached, or tried to reach, during
single_destinations the course of the network activity that caused Cortex XDR – Analytics
to raise the alert. This field contains a sequence of JSON objects, each
of which contains the following fields:
• ip—The destination IP address.
• name—The destination name (for example, a host name).
alert/internal_destinations/ IP address range subnets that the entity reached, or tried to reach,
ip_ranges during the course of the network activity that caused Cortex XDR –
Analytics to raise the alert. This field contains a sequence of JSON
objects, each of which contains the following fields:
• max_ip—Last IP address in the subnet.
• min_ip—First IP address in the subnet.
alert/schedule/ Time when Cortex XDR – Analytics first detected the network activity
activity_first_seen_at that caused it to raise the alert. Be aware that there is frequently a delay
between this timestamp, and the time when Cortex XDR – Analytics
raises an alert (see the alert/schedule/first_detected_at
field).
alert/schedule/ Time when Cortex XDR – Analytics last detected the network activity
activity_last_seen_at that caused it to raise the alert.
alert/schedule/ Time when Cortex XDR – Analytics first alerted on the network activity.
first_detected_at
alert/schedule/ Time when Cortex XDR – Analytics last alerted on the network activity.
last_detected_at
user/user_name The name of the user associated with this alert. This name is obtained
from Active Directory.
user/url Provides the full URL to the user page in the Cortex XDR – Analytics
user interface for the user who is associated with the alert.
user/display_name The user name as retrieved from Active Directory. This is the user name
displayed within the Cortex XDR – Analytics user interface for the user
who is associated with this alert.
user/org_unit The organizational unit of the user associated with this alert, as
identified using Active Directory.
device/id A unique ID assigned by Cortex XDR – Analytics to the device. All alerts
raised due to activity occurring on this endpoint will share this ID.
device/url Provides the full URL to the device page in the Cortex XDR – Analytics
user interface.
device/mac The MAC address of the network card in use on the device.
device/ip_ranges Identifies the subnet or subnets that the device is on. This sequence can
contain multiple inclusive subnets. Each element in this sequence is a
JSON object with the following fields:
device/owner The user name of the person who owns the device.
device/org_unit The organizational unit that owns the device, as identified by Active
Directory.
files Identifies the files associated with the alert. Each element in this
sequence is a JSON object with the following fields:
• full_path—The file full path (including the file name).
• md5—The file MD5 hash.