EDU 262 X36 LabGuide - Consigas

The document is a lab guide for Palo Alto Networks' Cortex XDR 3.6, detailing the objectives and activities for training on investigation and response. It includes instructions for preparing the lab environment, accessing the Cortex XDR management console, deploying the Cortex XDR agent, and various lab activities focused on incident investigation and alert analysis. The guide aims to equip participants with skills to manage and respond to security incidents using Cortex XDR tools and features.

Uploaded by

Rakshith gowda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
249 views126 pages

EDU 262 X36 LabGuide - Consigas

The document is a lab guide for Palo Alto Networks' Cortex XDR 3.6, detailing the objectives and activities for training on investigation and response. It includes instructions for preparing the lab environment, accessing the Cortex XDR management console, deploying the Cortex XDR agent, and various lab activities focused on incident investigation and alert analysis. The guide aims to equip participants with skills to manage and respond to security incidents using Cortex XDR tools and features.

Uploaded by

Rakshith gowda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 126

Palo Alto Networks

Cortex XDR:
Investigation and Response

Lab Guide
EDU-262
Cortex XDR 3.6
Courseware Version A
June 2023

© 2023 Palo Alto Networks, Inc. Page 1


Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
© 2007–2023 Palo Alto Networks, Inc.
Palo Alto Networks, PAN-OS, Cortex and WildFire are registered trademarks of Palo Alto
Networks, Inc. All other marks mentioned herein may be trademarks of their respective
companies.



Table of Contents
Table of Contents ........................................ 4
Typographical Conventions ................................ 6
How to Use This Lab Guide ................................ 7
Lab Environment .......................................... 7
Lab Systems, Accounts, and Passwords ..................... 8
Lab Guide Objectives ..................................... 8
Browser Recommendation ................................... 8
Documentation ............................................ 8
Menu Paths ............................................... 9
Lab 0 Preparing Your Lab Environment ..................... 11
  Activity 0.1 Change Windows Endpoint Hostname .......... 12
  Activity 0.2 Access Cortex XDR Management Console ...... 14
  Activity 0.3 Deploy Your Cortex XDR Agent .............. 15
  Activity 0.4 Create an Agent Settings Profile and a Policy Rule ... 18
Lab 1 Working with Enhanced Endpoint Data ................ 22
  Activity 1.1 Analyze Alerts Stitched with Enhanced Endpoint Data ... 23
  Activity 1.2 Manage Enhanced Endpoint Data Monitoring from Endpoints ... 29
Lab 2 Working with Incidents ............................. 35
  Activity 2.1 Work with the Advanced Incident View ...... 36
  Activity 2.2 Score Your Incidents ...................... 42
  Activity 2.3 Investigate Files Using Hash View ......... 50
Lab 3 Causality Analysis of Alerts ....................... 56
  Activity 3.1 Analyze Alerts in Causality View .......... 57
Lab 4 Advanced Response Actions .......................... 64
  Activity 4.1 Execute Scripts on Endpoints .............. 65
Lab 5 Building Search Queries ............................ 70
  Activity 5.1 Build and Manage Search Queries ........... 71
Lab 6 Working with Cortex XDR Rules ...................... 78
  Activity 6.1 Managing IOC Rules ........................ 79
  Activity 6.2 Managing BIOC Rules ....................... 81
  Activity 6.3 Custom Prevention Rules ................... 85
Lab 7 Working with Network Assets ........................ 92
  Activity 7.1 (*) Activate and Register a Broker VM ..... 93
  Activity 7.2 Scan IP Ranges with Network Mapper ........ 96
  Activity 7.3 Investigate Assets Using IP View .......... 100
Lab 8 Getting Started with XQL Queries ................... 104
  Activity 8.1 Get Started with XQL Development Environment ... 105
  Activity 8.2 Create XQL Queries with Multiple Stages ... 108
  Activity 8.3 Visualize Query Results ................... 112
Lab 9 Working with External Data ......................... 115
  Activity 9.1 Create and Manage Datasets ................ 116
  Activity 9.2 Insert External Alerts Using XDR API ...... 120



Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention: Bolding
  Meaning: Names of selectable items in the web interface
  Example: From the Cortex XDR management console, go to Incident Response > Incidents.

Convention: Consolas font
  Meaning: Text that you enter and coding examples
  Example: Run cytool to stop the Cortex XDR agent: cytool runtime stop

Convention: Calibri gray font
  Meaning: Lab step results, explanations, and warnings
  Example: Note that the start option does not require the supervisor password.

Convention: Click
  Meaning: Click the left mouse button
  Example: Click the Alerts Table link at the upper right, near the Filter button.

Convention: Right-click
  Meaning: Click the right mouse button
  Example: Right-click anywhere on the profile, and then select Save As New.

Convention: Italics
  Meaning: Parameter and command placeholders
  Example: meterpreter > command



How to Use This Lab Guide
This Lab Guide contains exercises that correspond to modules in the Student Guide. Each
scenario-based set of lab instructions specifies the lab’s objectives and the requirements that
drive those objectives.
Solve the problems using admin guides, the information covered in the class lectures, and
additional guidance in the lab exercises.

Lab Environment
The following diagram provides a basic overview of the lab environment. Logging in to the lab
environment gives you access to the desktop of winpoint1 as user PAN\Student, from where
you reach all other devices.



Lab Systems, Accounts, and Passwords
The following table shows the systems in use in your lab environment along with the user
accounts and passwords valid on each system.

XDR-Endpoint-A
  Hostname: ####-winpoint1
  Operating system: Windows Server 2016
  Role: Protected endpoint; AD domain controller
  Usernames: Administrator, Student
  Password: Pal0Alt0
  IP address: 192.168.1.20

XDR-Endpoint-C
  Hostname: ####-linpoint1
  Operating system: Ubuntu Linux
  Role: Attacker station
  Usernames: root, student
  Password: Pal0Alt0
  IP address: 192.168.1.30

VM-3
  Operating system: Broker VM (Linux)
  Role: Broker VM
  Password: !nitialPassw0rd
  IP address: 192.168.1.50

Lab Guide Objectives


After you have finished these labs, you should be able to complete these tasks:
● Investigate incidents
● Work with advanced alert analysis tools, such as Causality and Timeline Views
● Work with the Cortex XDR advanced response actions
● Search and investigate threats and suspicious activities
● Create and manage Cortex XDR rules
● Create XQL queries
● Work with datasets
● Insert external alerts using XDR API

Browser Recommendation
We strongly recommend that you use the Google Chrome browser to complete the lab exercises.
Other browsers may function equally well for most activities. However, we have found the
Chrome browser to consistently provide the best experience across all tasks.



Documentation
The Palo Alto Networks Cortex XDR documentation has useful information about configuration
options, system defaults, APIs, and release notes.
The Cortex XDR technical documents are available in PDF format for offline use and reference
and in HTML format for easy search at:
https://docs-cortex.paloaltonetworks.com/p/XDR
Cortex XDR documentation is as follows:
● Cortex XDR Release Notes
● Cortex XDR Prevent Administrator’s Guide
● Cortex XDR Pro Administrator’s Guide
● Cortex XQL Language Reference
● Cortex XDR API Reference
● XQL Schema Reference
● Cortex XDR Analytics Alert Reference
● Cortex XDR Agent Release Notes
● Cortex XDR Agent Administrator’s Guide
● Agent iOS Guide
● Agent Android Guide
● Compatibility Matrix

Menu Paths
In Cortex XDR UI v3.6, the top menu bar of the management console has been moved to the left
navigation pane. To shorten the menu paths (breadcrumb trails) and to make the page names
independent of the menu types, only the page names are listed in the task steps. For example:
● Go to Configurations in the (Cortex XDR) management console.
● Go to Action Center in the (Cortex XDR) management console.
When it is not clear, use the following table to resolve the page names in such task steps to the
full menu path in the Cortex XDR left navigation pane:

Name Full Path



Asset Inventory Assets > Asset Inventory

Action Center Incident Response > Response > Action Center

Agent Installations Endpoints > Agent Installations

All Endpoints Endpoints > All Endpoints

BIOC Detection Rules > BIOC

Configurations Settings > Configurations

Exceptions Configuration Settings > Exceptions Configuration

Incident Configuration Incident Response > Incident Configuration

Incidents Incident Response > Incidents

IOC Detection Rules > IOC

Network Configuration Assets > Network Configuration

Policy Management Endpoints > Policy Management

Query Builder Incident Response > Investigation > Query Builder

Query Center Incident Response > Investigation > Query Center

Scheduled Queries Incident Response > Investigation > Scheduled Queries

The table is sorted by Name.



Lab 0 Preparing Your Lab Environment
Background
In this lab, you will prepare your hands-on lab environment. If you have taken EDU-260 within
the past week, and are taking EDU-262 with the same instructor, then Lab 0 will be unnecessary.
First, your instructor will introduce you to the client (endpoint) environment that you will be
using. Then, your instructor will provide your unique student ID in the class, and you will access
your endpoints to rename their hostnames using your student ID.
You will use your existing Customer Support Portal (CSP) username and the Cortex XDR
instance address provided by your instructor. Go to the Cortex XDR management console to verify
your access.
Then, you will deploy the Cortex XDR agent at your Windows endpoint. Your deployment will
begin by creating an agent installation package. Then, you will run the installer on the endpoint
to install the agent.
Finally, you will create a new Agent Settings Profile and a policy rule to apply your profile to
your endpoint.

Lab Objective
At the end of this lab session, you should be able to:
● Rename your Windows endpoint hostname
● Access the Cortex XDR management console
● Create a Cortex XDR agent installation package for Windows
● Install a Cortex XDR agent on your Windows endpoint
● Clone the default Agent Settings profile and modify the settings
● Clone the default policy rule and modify the settings

Activities
Activity 0.1 Change Windows Endpoint Hostname
Activity 0.2 Access Cortex XDR Management Console
Activity 0.3 Deploy Your Cortex XDR Agent
Activity 0.4 Create an Agent Settings Profile and a Policy Rule



Activity 0.1 Change Windows Endpoint Hostname
Because all the students in your class will use the same shared Cortex XDR instance, you need
unique endpoint hostnames to complete lab activities. Unique hostnames are key to
differentiating your endpoint-initiated data, such as your alerts in the alerts table, from everyone
else’s data in your class.
In this activity, you first will get your student ID, a four-digit number shown as #### in this
guide. Then, you will rename your Windows endpoint to a unique hostname using your ID.
Note: Your unique student ID is an essential element for successfully completing the activities in
this course, explained in detail as follows:
● Throughout this lab guide, the four-digit student ID is denoted as ####.
● In the Cortex XDR management console screenshots, you can see the ID 0000 as a prefix in
the name of objects including Windows endpoint, for example 0000-winpoint1.
● Your student ID will be the prefix in the names of all the objects that you create in the Cortex
XDR management console, such as naming a policy as ####-WinRL01.
● The hostname of your Windows endpoint will be prefixed by your student ID as ####-winpoint1.

Tasks
Task 1: Demo: Accessing Your Endpoints
Task 2: Get Your Student ID and Change the Windows Hostname

Task 1: Accessing Your Endpoints


Sign into winpoint1 using the lab access credential provided by your instructor. All lab activities
will be done from winpoint1.

Task 2: Get Your Student ID and Change the Windows Hostname


In this task, you first receive from the instructor your student ID, which you will use throughout
the lab activities. Then, you will access your Windows endpoint and change its hostname to
reflect your student ID.
Note: In the following, the batch file prep.bat uniquely prepares your client environment for lab
work, for example by renaming your endpoint with a unique hostname and by creating files with
unique filenames and hashes. Unique object names are required for working in a shared XDR
instance: when you work in the Cortex XDR management console, your objects, such as your
endpoint name and filenames, can then be identified easily and unambiguously. For example,
prep.bat copies the original putty.exe to putty####.exe and then appends a short random string to
the end of the file contents to give the new file a unique hash:
echo %random%-%random% >> putty####.exe
The batch file also runs the following Windows command to change the hostname:
wmic computersystem where name="%COMPUTERNAME%" rename "####-winpoint1"
A reboot is required to make the hostname change effective.
1. Get your four-digit, unique student ID from your instructor:
My student ID: ………………………….
2. Sign in to winpoint1.
3. Open a Command Prompt window (Admin) by clicking the CMD icon on the Taskbar.
4. Change the directory to C:\Lab\Prep and run hostname to get your current hostname:
hostname
winpoint1
5. Run the batch file to prepare your Windows endpoint for the lab activities:
prep ####
where #### is your four-digit student ID.
Warning: This command will prompt you to restart your computer.
6. When prompted as follows, enter Y or y to reboot your endpoint:
Your endpoint will immediately RESTART. Do you want to continue [Y/n]?y
7. Once your endpoint has restarted, open a Command Prompt window, run hostname, and
verify that the hostname of your endpoint is now ####-winpoint1. Note, #### will be
replaced with your unique student number.
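What prep.bat does to putty.exe, reproduced as an added Python example that is not part of the lab guide or of the batch file: it copies a constructed stand-in for putty.exe to putty####.exe, appends a cmd-style "%random%-%random%" line, and compares the SHA-256 hashes. The "MZ" stand-in content, the student ID and the temporary directory are constructed for the example.

```python
"""Mirror the two file operations of the lab's prep.bat and show why the
appended random string gives each student's copy a unique hash while the
original bytes stay intact. The input binary is a constructed stand-in."""
import hashlib
import os
import random
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, the hash that Cortex XDR hash views report."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_unique_copy(src, student_id, rng=random):
    """Copy src to putty<student_id>.exe in the same directory and append what
    'echo %random%-%random% >> putty####.exe' writes in cmd: two values in the
    0..32767 range of %random%, a trailing space and CRLF (assumed echo output)."""
    if not (student_id.isdigit() and len(student_id) == 4):
        raise ValueError("student ID must be four digits")
    dst = os.path.join(os.path.dirname(src), f"putty{student_id}.exe")
    shutil.copyfile(src, dst)
    tag = f"{rng.randint(0, 32767)}-{rng.randint(0, 32767)} \r\n"
    with open(dst, "ab") as f:
        f.write(tag.encode("ascii"))
    return dst


def compare(src, dst):
    """The copy still starts with every byte of the original (the appended bytes
    become overlay data after the PE image, so the program typically still runs,
    although an Authenticode signature would no longer verify), yet its hash
    differs, so a hash-based IOC written for one student's file matches no other."""
    with open(src, "rb") as f:
        orig = f.read()
    with open(dst, "rb") as f:
        copy = f.read()
    return {
        "same_prefix": copy.startswith(orig),
        "extra_bytes": len(copy) - len(orig),
        "hash_changed": sha256_of(src) != sha256_of(dst),
    }


def demo(student_id="0000"):
    """Run the whole sequence on a constructed stand-in binary in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "putty.exe")
        with open(src, "wb") as f:
            f.write(b"MZ" + bytes(range(256)) * 4)  # constructed, not a real PE
        dst = make_unique_copy(src, student_id)
        result = compare(src, dst)
        result["name"] = os.path.basename(dst)
        return result


if __name__ == "__main__":
    print(demo("1234"))
```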



Activity 0.2 Access Cortex XDR Management Console
In this activity, you first will get your CSP username and Cortex XDR instance address. Then,
you will verify your access to the Cortex XDR management console.

Tasks
Task 1: Get Your CSP Username and Cortex XDR Instance
Task 2: Verify Access to Your Cortex XDR Instance

Task 1: Get Your CSP Username and Cortex XDR Instance


In this task, you get your CSP username and Cortex XDR instance name, which you will use
throughout the lab activities.
1. Get your unique CSP username and password from your instructor.
My CSP username: ……………………………………………………….
2. The URL to access the shared Cortex XDR instance (tenant) that will be used by all
students in your class is:
The URL: https://atp-training.xdr.eu.paloaltonetworks.com

Task 2: Verify Access to Your Cortex XDR Instance


In this task, you will sign in to the Cortex XDR management console using your CSP username
to verify your initial access. Recall that the management console is shared by all students in your
class.
1. Sign in to ####-winpoint1 as PAN\Student, and then open a Chrome tab.
2. Enter the following URL given by your instructor in the previous task:
The URL: https://atp-training.xdr.eu.paloaltonetworks.com
3. Enter your CSP username and click Next.
4. Enter your password and click Sign In.



Activity 0.3 Deploy Your Cortex XDR Agent
In this activity, you will create a Cortex XDR agent-installation package for Windows from the
Cortex XDR management console and then install the agent on your Windows endpoint.

Tasks
Task 1: Create an Agent Installation Package for Windows
Task 2: Install the Cortex XDR Agent and Verify Installation
Task 3: Verify Cytool Functionality

Task 1: Create an Agent Installation Package for Windows


In this task, you first create a Cortex XDR agent installation package for Windows in the Cortex
XDR management console, and then you download the package on your endpoint.
1. Go to Agent Installations in the Cortex XDR management console.
2. Click Create at the upper right.
3. Fill in the dialog box as follows:
a. Enter ####-WinPKG01 in Name to identify this installation package.
b. Verify that Package Type is set to Standalone Installer by default.
c. Verify that Platform is set to Windows by default.
d. Click Version and select 8.0.2.42618.
Warning: If you select an agent later than the specified version, some of the lab
activities may be affected.
Note: This agent may appear as [Outdated] but this is to be expected. The
recommended agent is the most current stable agent for use with this lab guide.
4. Click Create to save your package.
5. Find your newly created installation package in the table.
6. Review the fields Agent Version, Created Time, and Created By of your package.
7. Also check your package’s Status and wait until it is Completed.
You may need to refresh the Agent Installations page.
8. Right-click your package, and then select 64-bit installer > Download 64 bit installer
(.msi) to download the installation package.



Task 2: Install the Cortex XDR Agent and Verify Installation
In this task, you first install the agent on your Windows endpoint. Then you will open the Cortex
XDR agent console to verify the server connection. Finally, you will review the installation in
the Cortex XDR management console.
1. Open File Explorer and go to C:\Users\Student\Downloads.
Note: The file directory may be C:\Users\Student\Downloads on some lab endpoints.
2. Double-click the MSI installer file for the agent you previously downloaded to start the
XDR agent installation and proceed as follows:
a. If you see the Open File-Security Warning window, click Run.
b. Click Next on the Welcome screen.
c. Check “I accept the terms in the License Agreement” on the EULA and click Next.
d. Click Install to initiate the agent installation.
e. If you see the User Account Control window, click Yes.
f. Click Finish to complete the installation.
3. Open the Cortex XDR agent console, as follows:
a. In the Windows taskbar, click the Show hidden icons arrow.
b. Right-click the Cortex XDR tray icon to get the options, and then select Console:

4. In the Cortex XDR agent console:


a. Verify that Connection: Connected to <your home server> is displayed.
b. Verify that the hostname of your home server has the following pattern:
ch-<subdomain>.traps.paloaltonetworks.com, where the subdomain is specific to your
environment.
c. Review the date and time in Last Check-in.
d. Click Check In Now to force a server connection.
5. Verify the agent installation in the Cortex XDR management console, as follows:
a. Go to All Endpoints.
b. Find your endpoint ####-winpoint1.
c. Verify that ENDPOINT STATUS is Connected.



Task 3: Verify Cytool Functionality
In this task, you verify the command line application of the Cortex XDR agent, Cytool, located
in the agent installation folder.
Note: The Cortex XDR agent has a powerful command line tool called cytool that usually needs
to be run with administrative privileges. The CMD icon on the toolbar is configured to be run in
administrative mode. Throughout this course, whenever you are instructed to open a Command
Prompt window, be sure to use this icon. The background color of the Command Prompt
window changes to white to indicate administrative privilege.
1. Open a Command Prompt window (Admin) by clicking the CMD icon on the Taskbar.
2. Add the agent installation folder to the Windows PATH environment variable by
running the batch file C:\Lab\setPath.bat whose content is:
setx PATH "%PATH%;C:\Program Files\Palo Alto Networks\Traps"
3. To verify that the cytool command can run from any path:
a. Close and re-open a new Command Prompt window (Admin).
b. Type cytool and press Enter.



Activity 0.4 Create an Agent Settings Profile and a Policy Rule
In this activity, you will clone the default Agent Settings profile to create a new profile.
Similarly, you will clone the Windows default policy rule to create a new rule that will link your
Windows endpoint and the newly created Agent Settings profile.

Tasks
Task 1: Create an Agent Settings Profile
Task 2: Create a Policy Rule
Task 3: Verify the Applied Profiles on Endpoints

Task 1: Create an Agent Settings Profile


In this task, you create a new Agent Settings profile by cloning the default, out-of-the-box
profile.
1. Go to Policy Management in the management console.
2. Select Prevention > Profiles in the left POLICY MANAGEMENT pane.
3. Expand Windows under PLATFORM and locate the profile with TYPE: Agent
Settings and NAME: Default.
Hint: Click the column TYPE to sort and then look for the name Default.
4. Right-click the profile, and then select Save As New to clone it.
5. Click Profile Name in General Information, and then enter ####-AgtPF01 to change
the default name "Default (Copy)".
6. Click Uninstall Password on the left.
7. Deselect Use Default.
8. Under Define Password, type a password of at least 9 characters, and then type the same
password into the Confirm Password field.
Note: You will need this password multiple times throughout the lab guide. Please write
this down and keep track of this password!
9. Click Create in the lower-right corner to save your new profile.



Task 2: Create a Policy Rule
In this task, you create a new policy rule by cloning the default, out-of-the-box policy rule to
apply your newly created Agent Settings profile to your endpoint.
1. Select Prevention > Policy Rules in the left POLICY MANAGEMENT pane.
2. Expand Windows under PLATFORM and locate the rule with NAME: Windows
Default.
Hint: It is the last policy rule in the Windows category.
3. Right-click the rule and select Save As New to clone it.
4. Fill in the General settings as follows:
a. Enter ####-WinRL01 in Policy Name.
b. Verify that Platform is Windows.
c. Click Agent Settings down arrow and select the newly created profile ####-AgtPF01.
d. Click Next in the lower-right corner.
5. Fill the filtering settings in Target as follows:
a. Click the Select field down arrow, and then select Endpoint Name.
b. Click Value, and then enter the name of your endpoint ####-winpoint1.
c. Don't forget to click the enter icon or press the Enter key.
d. Click the checkbox in the first column to select your endpoint.
e. Click Next.
6. Review the rule in Summary, and then click Done.
Recall that clicking Done does not save the rule because there is one more step:
ordering your rule. Cortex XDR evaluates rules from top to bottom to find an active
policy. By default, a new rule is placed at the top of the rule list.
Warning: Don’t try to reorder your rule. In your shared-tenant lab environment where
multiple students work on a single Cortex XDR instance, you may not control the order
of your rules. If the intersection of the rule targets is empty, the policy rule order
doesn’t matter, and you can ignore the order of your rule if it is not at the top. In the
next task, you will verify the rule that is associated with your specific endpoint.
7. Review the message on the lower right: “To complete the policy configuration, verify the
order and content of the rules or reorder it to assign agents with the correct policy.”
8. Click Save to complete the rule cloning.
Note: You will have to wait as long as a couple of minutes for the policy to save
completely due to this being a shared environment.
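The first-match evaluation the Warning above describes, as an added Python example that is not from the lab guide or from Cortex XDR: it models rules evaluated top to bottom and checks that, when every student's rule targets only that student's own ####-winpoint1, no reordering changes any endpoint's assigned rule, whereas one overlapping target makes the order decisive. Rule names, profile names and endpoint names are constructed for the example.

```python
"""Model of top-to-bottom, first-match policy rule evaluation, used to show
when rule order matters in a shared tenant. Names are constructed."""
from itertools import permutations


class Rule:
    """A prevention policy rule: its name, the endpoints it targets, and the
    Agent Settings profile it applies. targets=None models the catch-all
    'Windows Default' rule that sits at the bottom of the list."""

    def __init__(self, name, targets, profile):
        self.name = name
        self.targets = None if targets is None else frozenset(targets)
        self.profile = profile

    def matches(self, endpoint):
        return self.targets is None or endpoint in self.targets


def resolve(rules, endpoint):
    """Evaluate top to bottom; the first matching rule is the active policy."""
    for rule in rules:
        if rule.matches(endpoint):
            return rule.name, rule.profile
    return None


def targets_pairwise_disjoint(rules):
    """True when no two specific (non-default) rules share a target endpoint."""
    specific = [r.targets for r in rules if r.targets is not None]
    return all(not (a & b) for i, a in enumerate(specific) for b in specific[i + 1:])


def order_matters(rules, endpoints):
    """True if some reordering of the specific rules (default rule kept last)
    changes the rule assigned to at least one endpoint."""
    specific = [r for r in rules if r.targets is not None]
    default = [r for r in rules if r.targets is None]
    baseline = {e: resolve(specific + default, e) for e in endpoints}
    return any(
        resolve(list(perm) + default, e) != baseline[e]
        for perm in permutations(specific)
        for e in endpoints
    )


def lab_rules(overlap=False):
    """Constructed rule list resembling the shared tenant: one cloned rule per
    student, each targeting only that student's endpoint, then the default."""
    rules = [
        Rule("1111-WinRL01", {"1111-winpoint1"}, "1111-AgtPF01"),
        Rule("2222-WinRL01", {"2222-winpoint1"}, "2222-AgtPF01"),
    ]
    if overlap:
        # A rule that also claims 1111-winpoint1: now the order decides.
        rules.append(Rule("3333-WinRL01", {"3333-winpoint1", "1111-winpoint1"}, "3333-AgtPF01"))
    rules.append(Rule("Windows Default", None, "Default"))
    return rules


# Constructed endpoints: two with their own rule, two that fall through to the default.
ENDPOINTS = ["1111-winpoint1", "2222-winpoint1", "3333-winpoint1", "4444-winpoint1"]

if __name__ == "__main__":
    for overlap in (False, True):
        rules = lab_rules(overlap)
        print("overlap:", overlap,
              "targets disjoint:", targets_pairwise_disjoint(rules),
              "order matters:", order_matters(rules, ENDPOINTS))
```

Checking targets_pairwise_disjoint before saving a cloned rule is the same test the Warning applies by hand: if it holds, the rule's position in the list cannot change which endpoint gets which profile.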

Task 3: Verify the Applied Profiles on Endpoints


In this task, you verify the applied profiles for ####-winpoint1.



1. Go to All Endpoints in the management console, and then find your ####-winpoint1.
2. To enforce the policy settings from the previous task, manually initiate a heartbeat:
right-click ####-winpoint1, click Endpoint Control > Perform Heartbeat, and then click
OK to initiate.
3. Left-click your endpoint. A fly-out panel appears on the right of the screen.
4. Scroll down within the fly-out screen until you see Assigned Prevention Policy.
5. Verify that the assigned prevention policy is ####-WinRL01.

6. To also verify the associated profiles, right-click ####-winpoint1 and then select
Endpoint Data > View Endpoint Policy.
7. Review the Policy Details dialog and ensure that the name of the Agent Settings Profile
is ####-AgtPF01.

Lab 1 Working with Enhanced Endpoint Data
Background
This lab demonstrates the value of enhanced endpoint data (EED) in alert analysis: the
distinction between stitched and non-stitched alerts, and the additional capabilities that the
analysis tools offer for stitched alerts, which are backed by EED. Cortex XDR uses EED not
only for threat detection globally across the organization; the agent’s Behavioral Threat
Protection (BTP) module also uses it to block attacks locally on endpoints, and EED can be
used in the creation of custom BTP rules. In this lab, you will verify the relation between BTP
and EED using Cytool. Note: an endpoint must be assigned a Cortex XDR Pro license to
enable EED.

Lab Objective
At the end of this lab session, you should be able to:
● Configure upload of the EED
● Analyze alerts with and without EED and compare the results
● Manage (stop, start, and query) the EED from the endpoint
● Trace the agent log for the EED uploads

Activities
Activity 1.1 Analyze Alerts Stitched with Enhanced Endpoint Data
Activity 1.2 Manage Enhanced Endpoint Data Monitoring from Endpoints



Activity 1.1 Analyze Alerts Stitched with Enhanced Endpoint Data
In this activity, you will compare Cortex XDR alert analysis tools with and without Enhanced
Endpoint Data (EED).

Tasks
Task 1: View Default EED Collection Settings
Task 2: Analyze Non-Stitched Alerts
Task 3: Enable EED Collection on Endpoints
Task 4: Analyze Stitched Alerts
Task 5: Debug Alerts in the Management Console

Task 1: View Default EED Collection Settings


In this task, you review the default EED collection settings in the applied Agent Settings Profile.
You do not change any settings in this task.
1. Go to All Endpoints in the Cortex XDR management console.
2. Right-click ####-winpoint1 and select Endpoint Data > View Endpoint Policy.
3. On the left, verify that the agent setting ####-AgtPF01 is applied to your endpoint.
4. In Agent Settings (####-AgtPF01), click XDR Pro Endpoints to view it in the right
pane:

5. Verify that Use Default (Disabled) is checked by default.


The XDR Pro Endpoints section contains individual settings for each XDR Pro feature,
including the EED collection setting Monitor and Collect Enhanced Endpoint Data.
When the XDR Pro Endpoints section is disabled, all Pro features are disabled. While
disabled, by default, the Cortex XDR agent does not collect any EED. Endpoints will need
to be using a Cortex XDR Pro license to enable this feature.
6. Click Close in the lower-right corner.



Task 2: Analyze Non-Stitched Alerts
In this task, you examine a non-stitched alert, that is, an alert that lacks the enrichment of
additional data such as EED. You will verify that some investigation actions are disabled for
non-stitched alerts.
1. Trigger an alert using a script-based attack, as follows:
a. Open File Explorer and run virlock.vbs from C:\Lab\Malware.
b. Ensure that the agent stops the execution and displays the Cortex XDR Prevention
Alert window.
c. Note the Prevention description: Behavioral threat detected.
2. Go to Incidents in the management console and then click the Alerts Table button.
3. To view only your alerts, select the MyHosts filter from ⋮ > Filters > MY FILTERS.
If you don’t see MyHosts in your list, you can create a filter with "Host contains ####"
and then save it under the name MyHosts.

4. Find the alert with ALERT NAME: Behavioral Threat and INITIATED BY: wscript.
5. Scroll right to the CGO columns and verify that for this row all columns beginning with
CGO are blank.
CGO stands for Causality Group Owner, which refers to a process. In a multistage attack
that involves multiple processes, the main process initiates the attack and is therefore
responsible for the attack. This main process is named CGO.
In the Alerts table, CGO fields are not populated for non-stitched alerts. In the absence
of EED, the alerts aren’t stitched and these fields are therefore blank.
6. Right-click the alert and verify that the Investigate Causality Chain > Open Card
actions are enabled whereas Open Timeline actions are disabled.
As you will see later in the course, full Open Card and Open Timeline actions are
dependent upon alert stitching. For un-stitched alerts, the Open Card feature is still
enabled, but the analysis is very limited.



7. Select Investigate Causality Chain > Open Card in new tab to open the alert’s
Causality View page in a new browser tab.
8. Review the Causality Instance graph, and then right-click on wscript.exe to see the
available actions:

Although this attack involved multiple processes, the Causality Instance graph shows
only one process wscript.exe because EED collection is disabled.

Task 3: Enable EED Collection on Endpoints


In this task, you enable EED collection in the applied Agent Settings profile.
1. Go to Policy Management in the management console.
2. Select Prevention > Profiles in the left POLICY MANAGEMENT pane.
3. Expand Windows under PLATFORM and find your Agent Settings profile ####-
AgtPF01.
4. Right-click anywhere on the profile, and then select Edit Profile.
5. Click XDR Pro Endpoints on the left.
6. For XDR Pro Endpoints Capabilities, uncheck Use Default (Disabled), and then select
Enabled.
Enabling this section will lead to the display of section-specific settings.
7. For the next setting Monitor and Collect Enhanced Endpoint Data, uncheck Use
Default (Enabled) and then select Enabled.
Even if the default setting and your selection are the same, a common practice is to not
stick with the default settings because default settings are prone to change.
8. Read the note about enabling this setting.



9. Click Save in the lower-right corner to save the changes to your profile.
Recall that ####-AgtPF01 already is associated with the applied policy rule to ####-
winpoint1.
10. On the endpoint, open the agent console and click Check In Now to force a heartbeat.

Task 4: Analyze Stitched Alerts


This task is like Task 2, but you are now analyzing a stitched alert, which is enhanced with EED.
You will verify that the investigation tools for stitched alerts can reveal all the processes
involved in an attack.
1. Trigger a new alert using the same script-based attack, as follows:
a. Open File Explorer and run virlock.vbs from C:\Lab\Malware.
b. Ensure that the agent displays the Cortex XDR Prevention Alert window.
Depending on the content update in Cortex XDR, this may generate more than one alert.
2. Go to /alerts to open the Alerts page in the management console.
3. Using the MyHosts filter from ⋮ > Filters > MY FILTERS, ensure that only your alerts
are shown.
4. Locate the last two Behavioral Threat alerts at the top of the list.
Hint: To quickly add a filtering condition on Alert Name=Behavioral Threat, right-click
an alert with the name Behavioral Threat and select the filtering action Shows rows
with on the shortcut menu.
5. Scroll to the right to the CGO columns.
6. Repeatedly click the refresh icon until you see the CGO data for the last alert.
You might not immediately see any CGO data for the last alert generated after you
enabled EED collection. It can often take up to five minutes to show.

7. When the CGO data is available, right-click the alert. Notice that now, Open Timeline
actions are also enabled in the submenu Investigate Causality Chain, besides the Open
Card actions.
8. Select Investigate Causality Chain > Open Card in new tab to open the alert’s
Causality View page.
9. Review the Causality Instance graph and examine the other processes involved in the
attack:

10. Right-click wscript.exe to display the available actions. Notice the new actions shown
for this stitched alert, including Show Parent and Investigate in timeline.

Task 5: Debug Alerts in the Management Console


In this task, you open the debug alert window to get more detailed information about the alert
and EED collection settings in effect at the time of alert generation.
1. Go to /alerts to open the Alerts page in the management console.
2. Find one of your Behavioral Threat alerts using filters on HOST and ALERT NAME.
3. Right-click the alert while pressing the Alt key to display the advanced shortcut menu.
4. Select the Debug alert action at the bottom.

5. Examine the dialog with detailed information about the alert in JSON as follows:

6. Answer the following questions:


a. Is this a stitched alert? (Hint: See matching_status.)
b. What is the alert severity? (Hint: See severity.)
c. What is the name of the rule that led to this alert? (Hint: See alert_description.)
d. Is EED enabled? (Hint: See agent_data_collection_status.)
Note: agent_data_collection_status being true indicates that EED has not only been enabled
but also uploaded, which allows for stitching.
Note: You can use Ctrl+F to find specific strings within the JSON.
7. Click Close to close the dialog box.

Activity 1.2 Manage Enhanced Endpoint Data Monitoring from Endpoints
Cortex XDR uses enhanced endpoint data (EED) for threat detection globally across the
organization. The Behavioral Threat Protection module also uses EED to locally block attacks on
endpoints, regardless of the license assigned. You use the EED-related settings in an Agent
Settings profile to enable or disable EED uploads to the console. Uploaded EED allows for a
greater range of alerting than just threat prevention locally. To fully control EED collection on
endpoints, you can use Cytool.
In this activity, you work with Cytool to query, disable, and enable EED monitoring on your
endpoint. Also, you trace the EED uploading in the agent log, verify certain upload parameters,
and finally review the data type in the monitored and collected EED.
Note: Be aware of the difference in terminology for enhanced endpoint data. The Cortex XDR
management console displays this data as enhanced endpoint data. However, on endpoints,
the Cortex XDR agent uses different terms to refer to the same data. For example, the Cytool
command uses EDR and DSE in its respective command outputs to name the same enhanced
data.

Tasks
Task 1: Stop EED Monitoring
Task 2: View EDR-Related Settings
Task 3: View EDR Folder and Files
Task 4: Trace Agent Log for EED Uploads
Task 5: Check If Heartbeats Initiate EDR Upload

Task 1: Stop EED Monitoring


In this task, you stop EED monitoring and verify that the Behavioral Threat Protection module is
not active without EED monitoring, even though the module itself is not disabled.
1. Open a Command Prompt window (Admin) by clicking the CMD icon on the Taskbar.
2. Run Cytool with cytool event_collection /? to get the usage.
3. Run cytool event_collection query to query the EED collection status.
Note: The password here should be the one you set in Lab 0, Task 1.

4. Verify the command output for EDR and DSE as follows:

5. Stop EED collection with cytool event_collection disable.


6. Rerun cytool event_collection query and verify the command output:

Note: All items in the State column should be Disabled now, whereas they were not all
disabled earlier.

7. Run C:\Lab\Malware\VirLock.vbs from File Explorer and verify that no prevention
occurred (i.e., the Cortex XDR Prevention Alert window isn’t displayed).
You did not disable Behavioral Threat Protection. Instead, you stopped the low-level
EED monitoring, which the Behavioral Threat Protection module consumes. PowerShell
should open, even if it is possibly later closed by XDR, but no Prevention Alert should
occur.
8. To restore the original setting:
a. Start the EED collection as follows:
cytool event_collection enable
b. Rerun C:\Lab\Malware\VirLock.vbs and verify that the Cortex XDR Prevention
Alert window is shown. This indicates the protection is once more enabled.

Task 2: View EDR-Related Settings
In this task, you open the trapsd.xml file and check two settings related to the XDR agent's
EDR handling that can affect your EDR-related hands-on labs.
1. Open File Explorer and navigate to C:\Program Files\Palo Alto Networks\Traps\config.
Note: This is a hidden directory so you may need to directly type the location into File
Explorer to find it.
2. Click trapsd.xml, right-click the file, and select Edit with Notepad++.
If Notepad++ displays a pop-up window Notepad++ update, click No to ignore it.
3. Find the <log_level> tag and verify that it is set to six (Info):
<log_level>6</log_level>
Six (Info) is the current default log level. If it is less than six, the agent still uploads the
EDR data, but it does not log the EDR uploads. So, you can't monitor EDR uploads in the
log file. In that case, run Cytool to change the log level to Info, then force a heartbeat:
a. cytool log set_level 6 all
b. cytool checkin
4. Find the <keep_uploaded_edr_data> tag and verify that it is empty.
By default, uploaded EDR data is not retained and is removed after uploading.
If needed, you can change this default behavior and keep the uploaded EDR data by
changing this line, as follows:
<keep_uploaded_edr_data>1</keep_uploaded_edr_data>
Also note that you cannot save your changes to trapsd.xml while the XDR agent is
running. To save changes, disable the agent before setting
keep_uploaded_edr_data, then re-enable the agent.
5. Close the file trapsd.xml.

Task 3: View EDR Folder and Files


In this task, you examine the Cyvera\LocalSystem\Edr folder that the XDR agent uses during
EDR monitoring and upload. Here you use a Command Prompt window running as
Administrator to navigate to the Edr folder instead of File Explorer. In the case of using File
Explorer, User Account Control (UAC) can limit File Explorer's permission to go beyond the
LocalSystem folder.
1. Open a Command Prompt window (Admin) and change the directory to the Edr folder:
cd \ProgramData\Cyvera\LocalSystem\Edr
2. List the files using the dir command.

Warning: An empty Edr folder means there is no activity to log after the last upload. In
this case, perform some activity such as creating a fake file or folder.
By default, EDR archive files are not kept and are removed after periodic uploading.
Therefore, you may not see any file in the Edr folder.
3. Examine the files listed in the folder by name and type, as follows:

4. Note that unlike the screenshot shown above, your Edr folder does not contain the
"archive" subfolder and is unlikely to include any files either.
What does the archive folder do? During uploading, the XDR agent archives and then
compresses all the files in Edr into a single .xz file. It is this file that the agent uploads as
the EDR data log. Also, after this process the files directly in the Edr folder are deleted
for the next cycle.

Task 4: Trace Agent Log for EED Uploads


In this task, you monitor EDR uploads in the XDR agent log. Using the log, you check upload
parameters such as upload frequency, upload server address, and uploaded file.
1. Open File Explorer, type C:\ProgramData\Cyvera\Logs in the address bar, and press
Enter.
2. Click trapsd.log, right-click the file, and select Edit with Notepad++.
3. Press Ctrl + F to open the Find dialog.
4. Enter "Performing EDR upload", click Find Next, and then click Close to close the
dialog.
There will be several "Performing EDR upload" lines in the log file. For this task, it
doesn't matter which EDR upload cycle you examine.
5. Check for the thread ID in the log line. For example, below 4036 is the ID of the thread
responsible for the ongoing EDR upload. There will be a lengthy time-stamp prior to the
output below, and your ID will possibly vary from this example:
[1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Performing EDR upload

6. Review the log entries for the EDR upload, shortened to fit as follows. (Hint: You can
follow the relevant log lines by following the thread ID in the file).
Performing EDR upload
Getting EDR archives to upload...
Starting to archive EDR data...
Creating EDR archive from 6 data files (has more data = false)
Successfully created EDR archive: C:\ProgramData\Cyvera\LocalSystem\Edr\edr-2023-04-18_18-37-17-393.tar.xz
EDR data archiving resulted with 1 archive(s) (error code 0)
Found 1 EDR archive(s) to upload
A little further down in the file, you’ll find another line with the following text (with the
same thread ID as before):
Next scheduled EDR upload is in 299 seconds, interval is 300 seconds

7. Using the EDR upload log entries, verify that:


a. The EDR folder is Cyvera\LocalSystem\Edr.
b. The EDR archived (and compressed) file has TAR and XZ extensions.
c. Where is the file uploaded to?
The prefix -dc is for data center.
d. The upload interval is 300 seconds.

Task 5: Check If Heartbeats Initiate EDR Upload


In this task, you manually initiate a few heartbeats, and then count the number of occurrences of
the string "Performing EDR upload" in the log file to check if the heartbeats initiate EDR log
uploads.
1. Make sure the trapsd.log is the active tab in Notepad++.
2. Press Ctrl + F to open the Find dialog.
3. Enter "Performing EDR upload" and click Find All in Current Document.
4. In the lower Find results pane, note the number of hits. For example, there are 41 hits in
the following:

5. Open the agent console and click Check In Now twice to force two successive
heartbeats. Wait until the first heartbeat completes before initiating the next.
6. When you see the Notepad++ Reload dialog, click Yes to reload trapsd.log.

7. Press Ctrl + F to open the Find dialog, verify the search key "Performing EDR upload",
and click Find All in Current Document.
8. In the lower Find results pane, note the updated number of hits.
9. Answer the questions:
a. Does clicking Check In Now in the agent console also initiate the next EDR upload?
b. What if you initiate heartbeats using Cytool, as follows?
cytool checkin
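The upload-cycle checks from Task 4 and the before/after count from Task 5, as an added Python example (not part of the lab guide or of the agent's own tooling): it groups trapsd.log lines by the thread ID in the `[pid:tid ]` prefix, pulls out the archive path, data-file count and upload interval for each cycle, and counts upload runs between two reads of the log. The log lines are constructed to match the shape shown above; the timestamp format and the exact prefix layout are assumptions, and the parser keys only on the bracketed IDs.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the "[pid:tid ] {component:} message" shape the lab shows.
# The leading timestamp format is an assumption; the parser ignores it.
LOG_BEFORE_HEARTBEAT = r"""
04/18/2023 18:37:17.390 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Performing EDR upload
04/18/2023 18:37:17.391 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Getting EDR archives to upload...
04/18/2023 18:37:17.392 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Starting to archive EDR data...
04/18/2023 18:37:17.393 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Creating EDR archive from 6 data files (has more data = false)
04/18/2023 18:37:17.450 [1608:2216 ] {trapsd:Heartbeat:} Heartbeat to server completed
04/18/2023 18:37:17.480 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Successfully created EDR archive: C:\ProgramData\Cyvera\LocalSystem\Edr\edr-2023-04-18_18-37-17-393.tar.xz
04/18/2023 18:37:17.481 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} EDR data archiving resulted with 1 archive(s) (error code 0)
04/18/2023 18:37:17.482 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Found 1 EDR archive(s) to upload
04/18/2023 18:37:18.900 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Next scheduled EDR upload is in 299 seconds, interval is 300 seconds
"""

# The same file re-read after one more upload cycle was logged (e.g. after a forced heartbeat);
# this second cycle has not yet reached its "Next scheduled" line.
LOG_AFTER_HEARTBEAT = LOG_BEFORE_HEARTBEAT + r"""
04/18/2023 18:42:18.100 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Performing EDR upload
04/18/2023 18:42:18.101 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Getting EDR archives to upload...
04/18/2023 18:42:18.102 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Creating EDR archive from 2 data files (has more data = false)
04/18/2023 18:42:18.150 [1608:4036 ] {trapsd:Heartbeat:EDR Upload Scheduler:} Successfully created EDR archive: C:\ProgramData\Cyvera\LocalSystem\Edr\edr-2023-04-18_18-42-18-102.tar.xz
"""

LINE_RE = re.compile(r"\[(?P<pid>\d+):(?P<tid>\d+)\s*\]\s*\{[^}]*\}\s*(?P<msg>.*)$")
FILES_RE = re.compile(r"Creating EDR archive from (?P<n>\d+) data files")
ARCHIVE_RE = re.compile(r"Successfully created EDR archive:\s*(?P<path>\S+)")
SCHED_RE = re.compile(r"Next scheduled EDR upload is in (?P<next>\d+) seconds, interval is (?P<interval>\d+) seconds")
UPLOAD_MARK = "Performing EDR upload"


@dataclass
class UploadCycle:
    thread_id: str
    data_files: Optional[int] = None
    archives: List[str] = field(default_factory=list)
    next_upload_s: Optional[int] = None
    interval_s: Optional[int] = None


def parse_upload_cycles(log_text: str) -> List[UploadCycle]:
    """Group EDR upload log lines by the thread ID that wrote them.

    A cycle starts at "Performing EDR upload" and ends at the "Next scheduled"
    line on the same thread; lines from other threads in between are ignored.
    """
    cycles: List[UploadCycle] = []
    open_cycles: Dict[str, UploadCycle] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        if msg.startswith(UPLOAD_MARK):
            open_cycles[tid] = UploadCycle(thread_id=tid)
            cycles.append(open_cycles[tid])
            continue
        cycle = open_cycles.get(tid)
        if cycle is None:
            continue
        if fm := FILES_RE.search(msg):
            cycle.data_files = int(fm.group("n"))
        elif am := ARCHIVE_RE.search(msg):
            cycle.archives.append(am.group("path"))
        elif sm := SCHED_RE.search(msg):
            cycle.next_upload_s = int(sm.group("next"))
            cycle.interval_s = int(sm.group("interval"))
            del open_cycles[tid]  # the schedule line closes this cycle
    return cycles


def verify_cycle(cycle: UploadCycle, expected_interval_s: int = 300) -> Dict[str, bool]:
    """The folder, extension and interval checks from Task 4, step 7."""
    folders = {ntpath.dirname(p).lower() for p in cycle.archives}
    return {
        "folder_ok": bool(folders) and all(f.endswith(r"cyvera\localsystem\edr") for f in folders),
        "ext_ok": bool(cycle.archives) and all(p.lower().endswith(".tar.xz") for p in cycle.archives),
        "interval_ok": cycle.interval_s == expected_interval_s,
    }


def count_uploads(log_text: str) -> int:
    """Equivalent of Notepad++ Find All on the upload marker (Task 5)."""
    return sum(1 for line in log_text.splitlines() if UPLOAD_MARK in line)


def uploads_triggered(log_before: str, log_after: str) -> int:
    """How many new upload runs appeared between two reads of trapsd.log."""
    return count_uploads(log_after) - count_uploads(log_before)
```

On a real endpoint, read C:\ProgramData\Cyvera\Logs\trapsd.log before and after the forced heartbeats and pass both texts to uploads_triggered to answer the Task 5 question.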

Lab 2 Working with Incidents
Background
An incident in the Cortex XDR management console is a container object from which you start
investigating a threat. Closing an incident means that an investigator fully handled the threat.
Cortex XDR provides several controls in the management console to manage an incident,
ranging from opening to closing. You can also analyze an incident’s content and take response
actions in the Cortex XDR management console. In this lab, you will be using those controls to
handle an incident that holds a behavioral threat alert.

Lab Objective
At the end of this lab session, you should be able to:
● Manage incidents, including changing status and assigning investigators
● Prioritize and close incidents
● View incident details, including its alert breakdown, key assets, and key artifacts
● Investigate files using Hash View

Activities
Activity 2.1 Work with the Advanced Incident View
Activity 2.2 Score Your Incidents
Activity 2.3 Investigate Files Using Hash View

Activity 2.1 Work with the Advanced Incident View
A Cortex XDR incident is an object from which you start investigating a threat. In this activity,
you first will manage an incident by performing tasks such as changing the incident status,
assigning an investigator, and manually starring the incident to prioritize. You also will view the
incident details, including its alert breakdown, key assets, and key artifacts, and you will obtain
threat intelligence data about the key artifacts. Finally, after you fully resolve the incident, you
will close the incident by changing its status.

Tasks
Task 1: Explore the Table view Mode
Task 2: Explore Incident View Types
Task 3: Explore Fields in the Header of Advanced View
Task 4: Work with Advanced View Tabs

Task 1: Explore the Table view Mode


In this task, you start working with incidents. You open the incident page in the management
console and then explore the Table view mode.
1. Go to Incidents in the management console.
2. If you don't see any incidents, remove the Last Updated filter.
3. Find the Table view mode icon in the upper-right corner:

4. Hover over the icon to see the description: Switch to table view.

5. This means that the detail pane mode is on by default.


6. Click the pane icon a few times to see how the page changes. Notice that the top of the
page, including the page title bar and filter area, remains unchanged, while the bottom
changes depending on whether the Table view mode is on or off.
7. Turn the Table View on and proceed as follows:
a. Notice the icon is changed to .
b. Note that the page now shows the Incidents table.

c. Briefly review the Incidents table.
8. Switch to Detailed view.

9. Notice that the page is divided horizontally into left and right panes.
10. Hover over the splitter between two panes, and then resize the panes by dragging the
splitter left and right.
11. Notice that the left pane shows a list of incidents and is scrollable.
12. Notice that each incident in the list is separated by a horizontal line.

Task 2: Explore Incident View Types


In this task, you will review two views that show the details of a selected item differently.
1. Go to Asset Inventory.
2. In the upper-right corner, note which Page Layout the system defaults to. It should be
Advanced View.

3. Click the menu dropdown near Advanced View to toggle between Legacy view then
back to Advanced view to see how the right pane returns to the default setting.

Task 3: Explore Fields in the Header of Advanced View
In this task, you will explore editable items in the header section of the Advanced view.
1. Create a sample attack to review its incident, as follows:
a. Double-click virlock.vbs in C:\Lab\Malware and make sure that the agent blocked
the attack.
b. In the Cortex XDR Prevention Alert window, click Show details and make sure that
Component shows Behavioral Threat Protection.

2. Go to Incidents and ensure that Page layout is Table view. Navigate to Page Layout by
clicking on the three vertical dots in the top right corner of the screen and then selecting
Restore Default Layout.

3. To see only your incidents, add a condition to the filtering criteria: Hosts Contains ####.
Note: You may need to get rid of an existing filter first by clicking on the trashcan icon,
and then adding filtering criteria by clicking on the downward facing arrow in the top
right of the pane.
4. In the left column, click the most recently created incident at the top of the list.
5. A pane will slide in from the right. In the right pane, in the Advanced view header,
perform the following actions:
a. To change severity, click H in the upper-left corner and select Medium.
Warning: Severity of your incident may be different. It may be C, H, M or L. In any
case, change the severity to a different severity.
Note: It may bundle your alert into an existing incident. If this is the case, find the
alert on the Alerts Table then pivot to the incident view for that alert. Alternatively
you can click “assign to me” in the top right corner of the incident to assign the case
to the currently logged in user.
b. Click the star ⭐.
c. Click Incident ID. Can you change ID?
d. Click Add incident name, type ####-testcase, and then press Enter.
e. Click Unassigned and select yourself as the investigator.
Note: You may be able to select the option “Assign to me” to accomplish this.
6. Compare your settings with the following:

Note: Your incident may differ in some details from the one shown here.

Task 4: Work with Advanced View Tabs


In this task, you will work with Advanced view tabs. Each tab is specialized to show one aspect
of an incident.
1. Notice that the Advanced view tabs are placed in the order shown:

By default, the pinned tab is shown. Your pinned tab may vary. For instance, in the
above example, it would start in Timeline.
2. Notice the pin icon next to the tab names while hovering the mouse over the tab names.
Does it show up for all the options?
3. In the Key Assets & Artifacts tab, click its pin icon to pin this tab.

4. Go to All Endpoints and then get back to the Incidents page. Which Advanced view tab
is shown by default?
Below you will open each tab and explore the types of information shown in each.
5. Click the Overview tab and review the information shown.
6. Click “See All” in the Alerts pane and proceed as follows:
a. How many alerts do you see in the list?
b. Can you identify the alert created when you ran virlock.vbs in the earlier task?
Hint: Check the timestamp.
c. Right-click one of the alerts in the table to see which actions are available on alerts.
d. Are there any insights in this incident? If available, right-click and review applicable
actions.
Note: There may be no insights for your incident. Sometimes you need to wait a few
minutes for insights to populate, and sometimes the insights aren’t populated at all.
7. Click Key Assets & Artifacts and proceed as follows:

a. Notice that the artifacts are listed in a scrollable list, and that you can also search for an
artifact.
b. Click the three-dot menu on an artifact to see actions available for artifacts.

c. Notice that asset types, hosts, and users are also listed in their own lists:
d. Click the three-dot menu on a host asset to see actions available.

e. Click the three-dot menu on a user asset to see actions available.


8. Click Timeline and answer the questions:
a. When was the incident created?
b. What’s the last action on the incident, and when was it?
9. Click Executions and briefly review the graphs shown in this tab.
You will see and work with these types of graphs, called Causality Instance graphs, in a
later module.

Activity 2.2 Score Your Incidents
In this activity, you will work with the dynamic incident scoring feature: each time a new
alert is added to an incident, the score of the alert can be added to the incident's score.
You will first create a scoring rule, create alerts that match the rule condition, and then inspect
the score of the containing incident.

Tasks
Task 1: Add a Scoring Rule
Task 2: Create an Alert and Find Its Incident ID
Task 3: Review Score Distribution of the Incident
Task 4: Move Your Alert to a New Incident
Task 5: Set Incident Score Manually
Task 6: Clean Up: Delete Your Scoring Rule

Task 1: Add a Scoring Rule


In this task, you will create a rule whose parent is the Root.
1. Go to Incident Configuration in the management console.
2. Select Incident Scoring in the page navigation pane and review the Scoring Rules table.
Note that the management console now shows two navigation panes. Page navigation
pane refers to the secondary pane, such as INCIDENT CONFIGURATION, shown as
follows. Also, in this document, the primary pane to the far left is called the Cortex XDR
navigation pane.

3. To better see your own rule in the table, go to ⋮ > Layout and add the columns Rule ID
and Created By to the table. Click anywhere outside of the Layout for it to disappear.

The numbered markers in the screenshot are added here to help you identify how to
achieve this effect.
4. Click the +Add Scoring Rule button on the upper right.
5. Review the content of the Create New Scoring Rule dialog box.
6. Enter the following rule details in the fields:
Rule Name: ####B (#### is your ID and B is for Base)
Score: Give any score from the interval 1-10.
Base Rule: Root
Comment: ####B
Apply score only to first alert of incident: Uncheck this option.
Hint: Unchecking means that not only the first, but also subsequent alerts matching the
alert condition will receive a score of your choice.

7. To create the rule condition, perform the following steps in the filter area:
a. Click Select field and select Host.
b. Click Contains and replace it with (=).
c. Click Value and enter ####-winpoint1, your endpoint hostname.
d. Click the enter icon or press the Enter key.

8. Compare your settings with the following new rule for the hostname 0420a-winpoint1.

9. Click Create.
Note that the Create action does not save rules. Don’t click Save until instructed to do
so.
10. View the rules in the Scoring Rules table. Find your newly created rule.
11. Click Save. Do you see your CSP username in Created By now?
12. Note the Rule ID of your rule for reference in subsequent tasks.

Note: Your Rule ID may differ from the above example.

Task 2: Create an Alert and Find Its Incident ID


In this task, you will have the agent generate an alert on the endpoint. Then, in the management
console, you will find the alert and its properties such as Alert ID and Incident ID. In the next
task, you will find out the score assigned to this alert when you see the components of the score
of its incident.
1. Run the malware C:\Lab\Malware\MalwareTestDog.exe to create a reference alert.
Make sure that the agent shows the Cortex XDR Prevention Alert window.
2. Open a new browser tab and go to /alerts to open the management console's Alerts page.
3. In the Alerts table, locate your alert associated with this attack.

Hint: Use the Timestamp and Host attributes to filter the alerts in the table.
4. To better track this alert's score, go to ⋮ > Layout and add the Alert ID and Incident ID
columns to the table, as follows:
a. In Layout, enter id in the search field.
b. Select the Alert Id and Incident ID as shown in the list.
c. Also, to lock their positions in the table, click the lock icons.
5. For your alert, review Alert ID and Incident ID in the table.
Warning: The Incident ID of your alert may be momentarily blank.
6. Wait until Incident ID is populated for your alert. Then, note Alert ID and Incident ID
for the alert.
The Incident ID column is populated when your alert is associated with an incident.
7. Check the Incident ID column to see if there are other alerts associated with the same
Incident ID.
At this point you can remove the filter on the host to see all other alerts in your class in
the Alerts table.
You may notice that several other alerts are grouped under the same incident ID. Thus,
the incident whose score you will check might also be scored by other alerts. It is also
possible that this is made as a separate incident.

Task 3: Review Score Distribution of the Incident


In this task, you will open the incident containing your alert generated in the previous task.
Next, you will review how alert scores are added to the incident score. Remember that this
incident may not be newly created and can contain other alerts.
1. Go to the Alerts table in the management console and select your alert.
2. Right-click the alert and select Pivots to views > View related incident in the shortcut
menu.
Warning: If you don't see this action, wait until Incident ID for the alert is populated.
3. Review the incident shown in Advanced view page layout. Notice that the incident
navigation pane shown on the left is not shown.
A list of incidents is not required at this point. Instead, a specific incident should be
displayed with details.
4. In the Advanced view header above the tabs, check the number of alerts contained in this
incident.

Note: In this example, the incident contains only one alert. In your case, however, the
incident may contain multiple alerts, including alerts generated by other users. Also, keep in
mind that each of these alerts can contribute to the incident score.
5. Note the incident score in the top row next to the star icon.
In this example, the score is seven.
6. Go to ⋮ > Manage Score in the incident's three-dot menu to see the score distribution.

Note: In the dialog that opens, the Rule based score option is selected. The other option
Set score manually is to manually change the score of an incident.

7. Find your scoring rule in the table using the Rule Id or Rule Name column.
8. Check the score your alert added in the Total Score column.
Question: Does Total Score change when you reproduce the same alert?
It depends on whether you have selected the option Apply score only to first alert of
incident in the rule. You can edit the scoring rules and change this setting.
9. Click Cancel to exit.

Task 4: Move Your Alert to a New Incident
In this task, you will move your alert to a new incident.
1. Go to /alerts to open the Alerts page.
2. Make sure you can see the Alert ID and Incident ID columns in the table.
3. In the Alerts table, find your alert created earlier in this activity.
Hint: Use the Alert ID of your alert.
4. Note the Incident ID of your alert.
In the dialog box, the ID is named the "source incident ID."
5. Right-click the alert and select Manage Alert > Move alert from incident.
The action Move alert from incident can move multiple alerts to a new incident if you
select multiple alerts and then perform this action.

6. Notice the two options under Define Destination Incident for specifying destination
incident.
7. Select Create new Incident:

8. Review the options in the Define Incident Scoring section and notice that Destination
Incident currently does not have an ID, whereas the Source Incident does have an ID; in
this case, the Source Incident is 12329.
9. Check the option This action will move 1 alert to a new incident.
Note that you can select multiple alerts and perform the Move alert from incident
action. In this case, the checkbox message will show the number of selected alerts.
10. Click Ok.
11. Back in the Alerts table, refresh the Alerts table then review the Incident ID column for
your alert.
Warning: The ID of the "target" incident may not be instantly displayed in the table
which is why we refresh the table.
12. Refresh the table until you see a new incident ID that is different from the source incident
ID.

Task 5: Set Incident Score Manually


In this task, you will manually set the score of the incident created in the previous task. Note that
this new incident contains only your alert.
1. Right-click your alert and select Pivots to views > View related incident.
2. In the Advanced view header, check the number of alerts contained in this new incident.
Warning: You should only see one alert in this incident.
3. Go to ⋮ > Manage Score in the incident's three-dot menu.
4. Verify that the incident is only scored according to your rule.
5. Select the option Set score manually.
6. Enter 12 and click Apply.
7. Check that score in the header now shows the new manually assigned score as well as the
old rule-based score. You may need to hover your mouse to see this information.
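The scoring behaviour exercised in Tasks 1 to 5 (a Host (=) rule, the "Apply score only to first alert of incident" checkbox, the per-rule Total Score, moving an alert to a new incident, and a manual score) as a simplified model added here for illustration; it is not Cortex XDR code. The rule ID, alert IDs and alert names are constructed; the hostname 0420a-winpoint1, incident 12329 and score 7 are the values the lab screenshots use. The reading of the checkbox (score only the first matching alert when set, every matching alert when cleared) follows the hint in Task 1.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScoringRule:
    """One row of the Scoring Rules table; the condition is limited to Host = <name>."""
    rule_id: int
    name: str
    score: int                     # 1-10, as entered in Create New Scoring Rule
    host: str                      # the Host (=) condition
    first_alert_only: bool = True  # "Apply score only to first alert of incident"


@dataclass
class Alert:
    alert_id: int
    host: str
    name: str


@dataclass
class Incident:
    incident_id: int
    alerts: List[Alert] = field(default_factory=list)
    manual_score: Optional[int] = None  # Manage Score > Set score manually


def rule_matches(rule: ScoringRule, alert: Alert) -> bool:
    return alert.host.lower() == rule.host.lower()


def score_distribution(incident: Incident, rules: List[ScoringRule]) -> Dict[int, int]:
    """Per-rule contribution, as in the Total Score column of Manage Score.

    Assumed reading of the checkbox: when set, a rule scores only the first alert
    in the incident that matches it; when cleared, every matching alert adds the
    rule's score again (so reproducing the same alert raises the total).
    """
    totals: Dict[int, int] = {}
    for rule in rules:
        matching = [a for a in incident.alerts if rule_matches(rule, a)]
        if not matching:
            continue
        hits = 1 if rule.first_alert_only else len(matching)
        totals[rule.rule_id] = rule.score * hits
    return totals


def rule_based_score(incident: Incident, rules: List[ScoringRule]) -> int:
    return sum(score_distribution(incident, rules).values())


def effective_score(incident: Incident, rules: List[ScoringRule]) -> int:
    """The score shown in the header: a manually set score overrides the rule-based one."""
    if incident.manual_score is not None:
        return incident.manual_score
    return rule_based_score(incident, rules)


def move_alert_to_new_incident(source: Incident, alert_id: int, new_incident_id: int) -> Incident:
    """Manage Alert > Move alert from incident with Create new Incident selected."""
    moved = [a for a in source.alerts if a.alert_id == alert_id]
    if not moved:
        raise ValueError(f"alert {alert_id} is not in incident {source.incident_id}")
    source.alerts = [a for a in source.alerts if a.alert_id != alert_id]
    return Incident(incident_id=new_incident_id, alerts=moved)


def demo() -> Dict[str, int]:
    """Walk through Tasks 1-5 with constructed IDs (rule 101, alerts 1-3, incident 12330)."""
    rule = ScoringRule(rule_id=101, name="0420aB", score=7,
                       host="0420a-winpoint1", first_alert_only=False)
    incident = Incident(12329, [
        Alert(1, "0420a-winpoint1", "Malware"),             # MalwareTestDog.exe
        Alert(2, "0420a-winpoint1", "Malware"),             # the same attack reproduced
        Alert(3, "0420b-winpoint1", "Behavioral Threat"),   # another student's alert
    ])
    before = rule_based_score(incident, [rule])             # 14: both matching alerts scored
    new_incident = move_alert_to_new_incident(incident, 2, 12330)
    new_incident.manual_score = 12                          # Task 5: Set score manually
    return {
        "before_move": before,
        "source_after_move": rule_based_score(incident, [rule]),
        "new_rule_based": rule_based_score(new_incident, [rule]),
        "new_effective": effective_score(new_incident, [rule]),
    }
```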

Task 6: Clean Up: Delete Your Scoring Rule


In this task, you will delete your scoring rule.

1. In a new browser tab, go to Incident Configuration in the management console.
2. Click Incident Scoring in the navigation pane and find your rule.
Hint: Search the Rule ID or Created By columns for your rule.
3. Right-click your rule, select Delete rule in the shortcut menu, and click Delete and save
to approve.
4. Open the browser tab where the incident is displayed.
5. Go to ⋮ > Manage Score in the incident's three-dot menu to see what happens when
you delete a scoring rule.

Activity 2.3 Investigate Files Using Hash View
In this activity, you will investigate an artifact shown in the Key Assets & Artifacts tab. The file
is a well-known Windows file wscript.exe, also known as Windows Script Host. You will open
the file in Hash View, where you will review the search summary and work with the graphical
representation of the search results.

Tasks
Task 1: Open Artifacts in Hash View
Task 2: Get Started With Hash View
Task 3: Review the Hash View Graphic
Task 4: Change Clustering Options

Task 1: Open Artifacts in Hash View


In this task, you will first search for a specific alert in the Alerts table. Then you will open the
incident containing the alert. On the Incidents page, you will navigate to the Key Assets and
Artifacts tab, locate the file artifact, and then perform the right-click action Open Hash View on
the file.
1. Add /alerts after your tenant domain to open the Alerts page.
2. Make sure you can see the ALERT NAME and CGO NAME columns in the table.
If you can’t find either or both columns, you may either need to scroll the bar at the
bottom of the pane to find them or return to the Layout by clicking on the three vertical
dots in the top right of the pane, and then check the boxes next to these two items.
3. Find an alert with ALERT NAME Behavioral Threat and CGO NAME wscript.exe.
Hint: If you can't find such an alert, open File Explorer on your endpoint, navigate to
C:\Lab\Malware, and then double-click virlock.vbs to run. Refresh your Alerts Table until
you see this new alert. It is also possible that the CGO NAME will remain blank but the
new alert will appear. Continue if this occurs.
4. Right-click the alert and select Pivots to views > View related incident
Hint: It can sometimes take a couple of minutes for the alert to be added to an incident.
Wait a few minutes if you don’t see View Related Incident right away, then try again.
5. Now click the Key Assets & Artifacts tab if it is not opened by default.
6. Find wscript.exe in the artifact list and review the summary information:

7. Click the three-dot menu (⋮) on an artifact and select Open Hash View.

Task 2: Get Started With Hash View


In this task, you will first briefly explore the different sections of the Hash View. Then, you will
focus on the summary section.
1. Briefly review the Hash View page, noting the three sections as follows:
a. CLUSTER DATA BY spans the full width of the page.
You can select various clustering and data grouping options in this section.
b. The area under CLUSTER DATA BY is divided vertically into two sections.
c. There is a graph on the right.
The graph shows the search results for the hash by grouping the results according to
your selection in the CLUSTER DATA BY. If you change the settings in CLUSTER DATA
BY, the graph is updated.
Note: Your Hash View may not provide a graph and instead say “No results found for
this hash.” You can attempt to come back to it later, as sometimes this takes a few
minutes to populate.
d. The right part shows some summary information about the investigated value, in this
case a file hash.
In the following steps you will work on the summary section on the right.
2. Click Actions to see the available actions related to this file, but don’t perform any
actions.
3. Read the investigation summary information under the hash value, starting with “We
identified …”
Note: Yours may read “Could not find any process executions or file activity for this
hash…,” in which case, return in a few minutes as the data may not have populated yet.
4. Note the timeframe setting in CLUSTER DATA BY.
5. Note the time frame for searching the logs, 7 days in this example.
6. In the Threat Intelligence section, click View Report to open the WildFire file analysis
report, review the report, and then close it.

7. In the Recent Open Incidents section, review the incidents that report this hash as an
artifact.
8. Which incident did you start the investigation from? Check your originating Incident ID
and find it in Related Open Incidents:

Task 3: Review the Hash View Graphic


In this task, you will work with the graphic that visualizes the search results based on your option
settings in CLUSTER DATA BY. Note that the screenshots shown here may differ from what
you see, depending on the 7-day logs found on the Cortex XDR instance. Your incident may also
not have spawned a Hash View Graphic for you to work with.
1. In CLUSTER DATA BY, verify that the settings are as follows:

2. Review the graphic and note how the graphic visualizes the search results.
You do not see the search results directly. Instead, you see the interactive graph that
shows the results.
3. Notice that in the graphic:
a. The file hash node is displayed in blue. This is the file hash we searched for.
Information about color coding: The examined file is displayed in blue or red,
corresponding to Benign or Malware respectively. For example, the file shown below is malicious.

b. The file wscript.exe (5954…d9eb) was called by cmd.exe. This is the primary
(Initiating Process) node.

This is the initiating process that started wscript.exe. Remember
that the primary clustering option in CLUSTER DATA BY is Initiating Process.
c. The numbers shown in the Initiating Process nodes represent the number of
executions per Initiating Process.
For example, for this graphic, wscript.exe was called one time by cmd.exe.
d. The secondary nodes (Host) where each Initiating Process ran wscript.exe are
displayed next to the primary (Initiating Process) nodes.
Remember that the secondary clustering option in CLUSTER DATA BY is Host.
4. On your endpoint, try to run the same malicious file in two different ways:
a. Open a Command Prompt window (cmd.exe), run C:\Lab\Malware\virlock.vbs, and
verify that the agent blocked the attempt.
Hint: Run the commands "cd \lab\malware" and "virlock" from the command line.
b. Open a File Explorer (explorer.exe), double-click C:\Lab\Malware\virlock.vbs to
run, and verify that the agent blocked the attempt.
5. Return to the Hash View in the browser.
6. Refresh the browser page using F5 or the refresh button.

7. Note the updates in the graphic. For example, now there is an explorer.exe node.

Task 4: Change Clustering Options


In this task, you will change the clustering options in CLUSTER DATA BY. Different clustering
options will be reflected in the graphic after you click Apply.
1. In CLUSTER DATA BY, click primary, select Target Process, and then click Apply.
2. Review the graphic and note how the primary grouping Target Process changed it:

Now, the graph shows the processes invoked by wscript.exe.

3. Also note the direction of the arrows coming out of wscript.exe, the blue hash at the
center.
The direction of the arrow between processes indicates the direction of the parent-child
relationship.

Lab 3 Causality Analysis of Alerts
Background
Cortex XDR Pro provides you with several analysis views to investigate stitched alerts in depth.
In this lab, you will investigate a script-based attack using Causality View in the management
console. The source of the script that formulated the attack is provided to you so that you can
compare statements in the source code and the graphically reconstructed information in Causality
View.

Lab Objective
At the end of this lab session, you should be able to:
● Investigate alerts in Causality View

Activities
Activity 3.1 Analyze Alerts in Causality View

Activity 3.1 Analyze Alerts in Causality View
In this activity, you will investigate a Behavioral Threat alert in Causality View. You will first
run a script on your endpoint to trigger an alert of type Behavioral Threat. The script creates a
.vbs file in the startup folder, then creates an .exe file, and then writes some dummy characters to
the files. It also runs two scripting engines, one of which takes an encoded parameter (a
command to execute). A shortened version of the script source is given below. Your task is to
analyze the alert in Causality View to uncover components of the attack.
' Shortened excerpt of the lab script; fs, objShell, APPDATA, USERPROFILE and
' HIDDEN are defined in the parts of the script omitted here.
' Drop a second VBScript into the user's Startup folder (persistence).
set vf = fs.CreateTextFile(APPDATA & "\microsoft\windows\Start Menu\Programs\Startup\V.vbs")
vf.Write("…")

' Create a hidden dummy "executable" in the user profile (an MZ header only, no real code).
set tf = fs.CreateTextFile(USERPROFILE & "\funny.exe")
tf.write("MZdummy")
tf.Attributes = tf.Attributes OR HIDDEN

' Launch two scripting engines a few seconds apart; PowerShell receives an
' encoded command via -e (the value is truncated here).
WScript.Sleep(2000)
objShell.Exec("mshta.exe")
WScript.Sleep(4000)
objShell.Exec("powershell -ep bypass -windowstyle hidden -e ZABp...")

Tasks
Task 1: Simulate a Behavioral Attack
Task 2: Open the Alert in Causality View
Task 3: Open the Alert in Causality View: Details Section
Task 4: Open the Alert in Causality View: Events Section

Task 1: Simulate a Behavioral Attack


In the first part of this task, you run a script to simulate a behavioral attack. The Cortex XDR
agent detects and blocks the attack, and then creates and uploads a prevention alert. In the next
part of the task, you will find and review this alert in the management console.
1. Open File Explorer, go to C:\Lab\Malware\Views, and double-click VirLockViews.vbs
to run it.
You must wait about six seconds for the block because of the sleep times between process
calls, as follows:
WScript.Sleep(2000)
objShell.Exec("mshta.exe")
WScript.Sleep(4000)
2. Ensure that the agent blocks the attack and shows the Cortex XDR Prevention Alert
window.
3. Click the Show details button in the window to open the details pane.

4. Scroll through the pane and verify the following attributes:
Application information:
Application name: Microsoft ® Windows Based Script Host
Application location: C:\Windows\System32\wscript.exe
Prevention information:
Component: Behavioral Threat Protection
Prevention description: Behavioral threat detected
5. To find this alert in the Alerts table in the management console:
a. Go to the Alerts page (/alerts) in a new browser tab.
b. Locate the most recent Behavioral Threat alert in ALERT NAME.
The table is automatically sorted by TIMESTAMP. Use filters to display only your
alerts.
c. To easily locate this alert in the following tasks, note the ALERT ID and
TIMESTAMP.
6. Wait until Cortex XDR stitches the alert: Check CGO NAME and repeatedly click the
refresh icon until you see a process name in this field.
You may have to wait up to five minutes.
7. Verify that CGO NAME in the table is wscript.exe.
Note: If you run the script from a Command Prompt window, the CGO NAME is set to
cmd.exe. If you run it from File Explorer, it should be wscript.exe.

Task 2: Open the Alert in Causality View


In the previous task, you generated a Behavioral Threat attack on your endpoint and then located
the alert in the Cortex XDR management console. In this task, you investigate the alert in
Causality View.
1. Right-click the stitched alert that you generated in the previous task and select
Investigate Causality Chain > Open Card in a new tab.
2. On the Causality View page of the alert, review the following four sections, from top to
bottom:
a. Section 1 (Header): Title bar that summarizes alert and endpoint details
b. Section 2 (Graph): Causality Instance graph of the attack
c. Section 3 (Details): Details about the selected node in the graph
d. Section 4 (Events): Events related to the selected node in the graph

3. In Section 1, verify that you can find the hostname, IP address, and MAC address of
the endpoint where the alert was generated. Make sure you scan all four areas for
pertinent information.
4. Verify the following information about the Causality Instance graph:

a. There are three nodes in the graph: two process nodes, and an alert node (the red
exclamation mark).
Note: Depending on your client environment setup, you may also see a client terminal
session node.
b. The wscript.exe node is labeled CGO.
c. Only the wscript.exe node created some alerts.
d. The mshta.exe node has a single child, indicated by the number inside the icon.
e. The icon of a selected node changes its background color to blue.
f. Depending on your node selection in the graph, the data in the Details and Events
sections (Sections 3 and 4) changes.
5. Check whether an icon appears in front of the process names.

The icon indicates that the process is still running. Do you see this icon on your
graph?
6. Hover the mouse over one of the process nodes and wait until the PROCESS
INFORMATION dialog box appears.

The PROCESS INFORMATION dialog summarizes data shown in the Details section.
7. Right-click the mshta.exe node and perform the following steps:
a. Review the applicable actions on this node.
b. Verify that Terminate is disabled (because the process is not running).
c. You have already found that mshta.exe had only one child process. To add it to the
graph, click the View Children action.
8. Right-click the wscript.exe node and perform the following steps:
a. Review the applicable actions for this node.
b. Click Show Parent to add a node to the graph for the parent process of wscript.exe.
c. Compare your graph with the following:

9. On the explorer.exe node, perform the following steps:


a. Check the number of child processes on this node.

This number varies depending on your workload (i.e., running applications) on your
endpoint.
b. Right-click explorer.exe and select View children to open the list of children.
When the number of child processes is more than five, Cortex XDR shows a list of the
child processes in a table. Then you can select some processes to display them as
nodes in the graph.
c. Randomly select two processes from the table and click OK.
d. Now examine the enlarged Causality Instance graph.
e. Right-click the added nodes and select Hide Branch to remove them from the graph.

Task 3: Open the Alert in Causality View: Details Section


In this task, you will continue where you left off in the previous task. In the Details pane of
Causality View, you will get specific attributes of the two processes that are displayed as nodes
in the Causality Instance graph.
1. In the Causality Instance graph, notice that explorer.exe, the parent process of the
CGO, is still running on the endpoint.
Note: It is assumed that you did not restart your endpoint after generating the alert.
Hint: Check for the presence of the icon in the process name.
2. To verify that explorer.exe is still running on the endpoint:
a. Click the explorer.exe node.
b. Go to the Details section and look for the PID field.
c. If the PID is not visible, enlarge the section by clicking the arrow icon in the upper-
right corner of the section.

d. Note the PID of explorer.exe.


Many details will vary between your explorer.exe and the example above.
e. Open a Command Prompt window on the endpoint.
f. Enter the following tasklist command, replacing <pid> with the PID:
tasklist /fi "pid eq <pid>"

Note: Your PID may be different from the one displayed here.
3. Click the PowerShell process node in the graph and verify the following:
a. Check PATH to verify that the PowerShell executable file is in a subfolder in
C:\Windows\System32.
The file should be in the following path, although the path may differ
depending on your endpoint OS type and version:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
b. Check SIGNATURE to verify that PowerShell is a legitimate Microsoft application, as
it’s signed by Microsoft Corporation.
c. Check USERNAME to verify that the user account under which PowerShell ran is PAN\Student.
d. Check CMD to get PowerShell command line parameters, as follows:
powershell -ep bypass -windowstyle hidden -e ZABpA...
Here, the -ep option is for execution policy, and -e is for encoded command. The
encoded command is truncated to fit the line.
e. To decode the -e parameter, click the icon in the CMD field and note the command
PowerShell intended to run:

f. To close the dialog, press the Escape key.
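What the decode icon does in step e, and the switches checked in step d, can be reproduced offline. This is an added example, not code from the lab files: it decodes an -EncodedCommand value (base64 over UTF-16LE text), tolerates the truncated "ZABpA..." form the guide prints, and flags the -ep bypass / -windowstyle hidden / -e combination. The sample command line is constructed around a harmless script.

```python
import base64

# Switch spellings accepted by powershell.exe: the full name, its documented
# short aliases, and (as PowerShell does) any prefix of three or more letters.
_SWITCHES = {
    "encoded_command": ("encodedcommand", "e", "ec"),
    "execution_policy": ("executionpolicy", "ep", "ex"),
    "window_style": ("windowstyle", "w"),
}


def canonical_switch(token: str):
    """Map a token such as '-ep' or '/WindowStyle' to a canonical key, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    name = token[1:].lower()
    for key, (full, *short) in _SWITCHES.items():
        if name == full or name in short or (len(name) >= 3 and full.startswith(name)):
            return key
    return None


def encode_command(script: str) -> str:
    """Produce an -EncodedCommand value: base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse encode_command. A value cut short with '...' (as the lab guide
    prints it) is decoded as far as the complete base64 groups allow and the
    '...' is kept so the truncation stays visible."""
    truncated = blob.endswith("...")
    blob = blob.rstrip(".")
    if truncated:
        blob = blob[: len(blob) - len(blob) % 4]   # drop the incomplete group
    raw = base64.b64decode(blob)
    if len(raw) % 2:                                 # half a UTF-16 code unit
        raw = raw[:-1]
    return raw.decode("utf-16-le") + ("..." if truncated else "")


def triage_powershell(cmdline: str) -> dict:
    """Pull out the switches an analyst checks first on a powershell.exe command
    line and decode the encoded command, if any."""
    tokens = cmdline.split()
    info = {"execution_policy": None, "window_style": None,
            "encoded_command": None, "decoded_command": None}
    i = 1                                            # tokens[0] is the executable
    while i < len(tokens):
        key = canonical_switch(tokens[i])
        if key and i + 1 < len(tokens):
            info[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    if info["encoded_command"]:
        info["decoded_command"] = decode_encoded_command(info["encoded_command"])
    # The combination the lab's alert exhibits: policy bypassed, window hidden,
    # payload obscured by encoding. Worth a closer look whenever it appears.
    info["bypass_hidden_encoded"] = (
        (info["execution_policy"] or "").lower() == "bypass"
        and (info["window_style"] or "").lower() == "hidden"
        and info["encoded_command"] is not None
    )
    return info


# Constructed sample: a harmless script encoded the way the lab script's
# PowerShell call is (the guide's own value is truncated, so it cannot be used whole).
SAMPLE_SCRIPT = "Write-Output 'hello from the lab'"
SAMPLE_CMDLINE = "powershell -ep bypass -windowstyle hidden -e " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for k, v in triage_powershell(SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
    print("guide's truncated value decodes to:", decode_encoded_command("ZABpA..."))
```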

Task 4: Open the Alert in Causality View: Events Section


In this task, you will review the Events section at the bottom of Causality View. Specifically,
you will inspect files created and modified by the malicious script.
1. To review the node-specific tabs in the Events pane at the bottom, do the following:
a. Click the wscript.exe node and inspect the tabs, as follows:

b. Click the explorer.exe node and inspect the tabs.


c. Compare the tabs available for the various nodes in the graph.
2. Now, click the wscript.exe node and then click the All Actions tab in the pane.
3. In the table, locate the columns ACTION and DESCRIPTION.

4. Note the two files created by the script that was run by wscript.exe, as follows:

5. Now click on the File tab in the pane and view all file actions performed by wscript.exe.
This includes creating, modifying and reading files.
6. Answer the question: How many different file operations can you see in the table,
including File Write Path in DESCRIPTION?
7. Open File Explorer to C:\Lab\Malware\Views\ and then open VirLockViews.vbs in
Notepad++ and locate the related script statements about these file operations, such as:

Lab 4 Advanced Response Actions
Background
One of the most important types of response actions is to run remote scripts on multiple selected
endpoints. In this way, you can quickly respond to attacks in your entire organization. In this lab,
you will upload a custom Python script to the management console and run it remotely on your
endpoint. You will also learn how to collect script output per endpoint — in this case, your
endpoint.

Lab Objective
At the end of this lab session, you should be able to:
● Upload custom Python scripts to the management console
● Remotely execute scripts on endpoints

Activities
Activity 4.1 Execute Scripts on Endpoints

Activity 4.1 Execute Scripts on Endpoints
In this activity, you run your custom Python script remotely on your endpoint. First, you upload
the script to the Scripts Library in the Cortex XDR management console. Then, you will run the
script similarly to how you run any other action in the Action Center. Remember that remote
script execution requires the appropriate roles; hence, you will first verify your sign-in user role
in the About dialog box.

Tasks
Task 1: Verify Sign-In User’s Role
Task 2: Create a Script Library Entry
Task 3: Run Your Script
Task 4: Clean Up: Delete Your Script

Task 1: Verify Sign-In User’s Role


In this task, you verify your XDR role as the user signed in to the Cortex XDR management
console.
1. Click your CSP username at the bottom of the navigation pane in the Cortex XDR
management console.
2. Select About.
3. Find Role at the top of the dialog.

Task 2: Create a Script Library Entry


In this task, you will create a script library entry in the Cortex XDR management console. To
create the entry, you load your script code (the source file), specify the name of the function
definition as the entry point, and then also specify the data types for the function's input/output
parameters.
1. Open File Explorer, go to C:\Lab\262\Script, right-click ping2.py, and click Edit with
Notepad++.
2. Note the ping function definition:
def ping(ip="192.168.1.20", cnt=1):
Note: The function ping() makes a system call to run the Windows ping command:
ping -n <cnt> <ip>
where <cnt> is the number of echo requests and <ip> is the IP address of the target
host.

3. Go to Action Center in the Cortex XDR management console.
Note: You’ll need to be logged into the web console from within the lab environment’s
browser, not your local machine, for the remainder of this task.
4. Click Agent Scripts Library in the ACTION CENTER pane.
5. Review available scripts in the library by viewing the columns NAME, DESCRIPTION,
CREATED BY, COMPATIBLE OS, and OUTCOME.
6. Click the +New Script button.
7. Review the in-page navigation options on the left side of the page.
8. Note the Upload Script section and perform the following steps:
a. Note the warning about the supported Python modules:
When developing your own scripts, always ensure that you use only the listed supported
modules.
b. Click Browse, and then select the file C:\Lab\262\Script\ping2.py.
9. Within the Definitions section, perform the following steps:
a. Within the Script Name field, enter ping2-####.
b. Enter your #### ID in Description.
c. Notice the setting Mark as high risk script; do not check it.
d. Click only Windows for Supported OS.
10. Click Input and perform the following steps:
a. Select Run by entry point.
b. Click the down arrow to open the list of functions (entry points), and then select ping.
c. Note the two input parameters of ping and select Number for cnt, as follows:

The cnt parameter is the number of echo requests to send. It is the option -n in the
Windows ping command.
11. Click Output and verify that Output Type is set to Auto Detect.
12. Click Create in the lower-right corner.

13. Find your script in the Scripts Library table.

Task 3: Run Your Script


In this task, you run the script that you uploaded in the previous task remotely on the endpoint.
1. Right-click your script ping2-#### in the table and select the action Run.
2. In SCRIPT PARAMETERS on the right, enter these parameters as follows:

3. Click Next.
4. Select your endpoint ####-winpoint1 as the targeted endpoint, and then click Next.
5. Review Summary and click Run.
6. To track how the script is progressing, click All Actions in the ACTION CENTER
pane.
7. Using either DESCRIPTION or CREATED BY, find your script action.
8. Right-click the action and click Additional data to open the Detailed results dialog box.
9. Review the header:

10. In Script Results, notice the two buttons; click DETAILED:

11. Check the RETURN VALUE column in the table.


Note that the value shown in RETURN VALUE depends on the connectivity of the IP
address you entered.
12. Right-click the result (the row of the table) and select View stdout.
13. Compare what you find with the following log:

The return value of your Python function ping() is the string in the parentheses. It is this
value that is shown under RETURN VALUE.
Warning: If you enter a hostname in the ip field of ping() and the Windows ping
command cannot resolve the host, RETURN VALUE displays '<string>: check name' and
the action will erroneously be considered successful. A successful response will also be
present for responses such as "Destination Host Unreachable" as it is considered a valid
response. Our ping2 script cannot be used to determine connectivity based on its status
output alone. From our console's perspective, the script has indeed run successfully,
that is, without any errors.
In the following example, ping.exe sends three ICMP requests and gets one reply from
the default gateway:
Reply from 192.0.0.32: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 192.0.0.168:
Packets: Sent = 3, Received = 1, Lost = 2 (66% loss),
14. Click Close and then click X to also close the Detailed results dialog box.
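The caveat above (a gateway "Destination host unreachable" or a "check name" failure still counts as a successful run) can be handled by parsing ping.exe's output rather than trusting its status, which is what a script with ping2.py's `ping -n <cnt> <ip>` call from Task 2 would need. This is an added example, not the lab's ping2.py; the transcripts are constructed and English-language ping output is assumed.

```python
import re
import subprocess

# English ping.exe output is assumed; localised Windows builds word these lines differently.
_STATS = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
_ECHO_REPLY = re.compile(r"^Reply from \S+: bytes=\d+", re.M)
_UNREACHABLE = re.compile(r"Destination (?:host|net) unreachable", re.I)
_NOT_FOUND = re.compile(r"could not find host", re.I)
_TIMEOUT = "Request timed out."


def classify_ping(output: str) -> dict:
    """Derive a reachability verdict from ping.exe stdout.

    'reachable' is True only when at least one real echo reply (a line with
    'bytes=') came back. Gateway 'Destination host unreachable' messages are
    counted separately: Windows ping counts them as received packets and exits
    successfully, which is exactly what fools a status-only check."""
    verdict = {"reachable": False, "name_resolution_failed": False,
               "echo_replies": 0, "unreachable_replies": 0, "timeouts": 0,
               "sent": 0, "received": 0, "lost": 0}
    if _NOT_FOUND.search(output):              # the "check name" case
        verdict["name_resolution_failed"] = True
        return verdict
    verdict["echo_replies"] = len(_ECHO_REPLY.findall(output))
    verdict["unreachable_replies"] = len(_UNREACHABLE.findall(output))
    verdict["timeouts"] = output.count(_TIMEOUT)
    stats = _STATS.search(output)
    if stats:
        verdict["sent"], verdict["received"], verdict["lost"] = map(int, stats.groups())
    verdict["reachable"] = verdict["echo_replies"] > 0
    return verdict


def ping(ip="192.168.1.20", cnt=1) -> dict:
    """Entry point with the same signature as the lab's ping2.py, but returning
    the parsed verdict instead of raw command output. Windows only: it runs
    ping.exe, so the checks below exercise classify_ping() directly."""
    proc = subprocess.run(["ping", "-n", str(cnt), ip],
                          capture_output=True, text=True)
    verdict = classify_ping(proc.stdout)
    verdict["exit_status"] = proc.returncode
    return verdict


# Constructed transcripts. The first mirrors the gateway-reply case shown in the
# lab guide; the other two are typical ping.exe output for a host that answers
# and for a name that does not resolve.
UNREACHABLE_OUTPUT = """\
Pinging 192.0.0.168 with 32 bytes of data:
Reply from 192.0.0.32: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 192.0.0.168:
    Packets: Sent = 3, Received = 1, Lost = 2 (66% loss),
"""
REACHABLE_OUTPUT = """\
Pinging 192.168.1.20 with 32 bytes of data:
Reply from 192.168.1.20: bytes=32 time<1ms TTL=128
Reply from 192.168.1.20: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.20:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
NOT_FOUND_OUTPUT = ("Ping request could not find host nosuchhost.invalid. "
                    "Please check the name and try again.\n")

if __name__ == "__main__":
    for label, text in [("unreachable", UNREACHABLE_OUTPUT),
                        ("reachable", REACHABLE_OUTPUT),
                        ("not found", NOT_FOUND_OUTPUT)]:
        print(label, classify_ping(text))
```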

Task 4: Clean Up: Delete Your Script


The script is no longer needed in this course, so to reduce the number of objects in the
management console, you will delete your script.
1. Click Agent Scripts Library in the ACTION CENTER pane.
2. Find your script ping2-#### in the Scripts Library table.
3. Right-click your script, select Delete in the shortcut menu, and click Yes to approve.

Lab 5 Building Search Queries
Background
Building search queries is a technique to investigate leads in the raw datasets stored in your Data
Lake. In this lab, you will explore using search queries, including building, cloning, running in
the foreground or background, and scheduling.

Lab Objective
At the end of this lab session, you should be able to:
● Build search queries of any type
● Work on the results table
● Manage queries in the Query Center
● Work with scheduled queries

Activity
Activity 5.1 Build and Manage Search Queries

Activity 5.1 Build and Manage Search Queries
In this activity, you will build a file query to search for accesses to the script files on your endpoint.
The motivation for such a query can be to uncover script creation, modification, and execution
in your site. During this activity, you will run your query as a foreground task, a background
task, and a scheduled task.

Tasks
Task 1: Build a File Search Query
Task 2: Work on the Results Table
Task 3: Manage Queries in Query Center
Task 4: Work with Scheduled Queries
Task 5: Clean Up: Delete Your Scheduled Query

Task 1: Build a File Search Query


In this task, you build a file search query to investigate accesses to script files with the extension
vbs. You will limit the search by your endpoint and by time within the last seven days.
1. Go to Query Builder in the Cortex XDR management console.
2. Notice the XQL Search button at the top.
3. Below XQL Search, review the form-based query options, such as Process or File.
4. Click File, and then review the file-based query form.
5. Notice the default query name at the top.
6. To change the default query name, click the small pencil next to the default name, and
then enter your ID #### in front of the default name.
7. In the FILE section, perform the following steps:
a. Review the checkboxes and make sure that All is checked.
The checkboxes show operations on files in the OS, such as creating or deleting a file.
b. Under the checkboxes, review the file attribute options, such as name or path.
c. Click NAME and enter *.vbs.
d. Under NAME check the operator and ensure that the = operator is selected.
The default operator should be =.
8. Click +HOST and enter the name of your endpoint, ####-winpoint1, in the
HOST_NAME field.
9. Under HOST_NAME check the operator and ensure that the = operator is selected.

The default operator should be =.
10. In the TIME section, select Last 7D.
11. Ensure that your query looks similar to the following screenshot:

12. Notice the options on the lower right of the page for when to run the query:

13. Click the calendar icon to review the scheduling options, and then click Cancel.
14. Click Run to run the query at once.
Cortex XDR starts running your query as a foreground task; until it completes the search,
you cannot navigate in the management console.

Task 2: Work on the Results Table


In this task, you will review the result of your query in the Results table. Note that your search
query is file based, so each row of the results table shows a file found according to the criteria
you specified. If the search engine can't find any files matching the criteria, Cortex XDR
displays an empty Results table on the page.
1. On the Results page, notice the URL in the form of /results-table/<Execution ID>.
You can save this URL, for example, you can bookmark it, and then later use it to open
this results page. There will be more information on Execution ID in the next task.
2. At the top of the page, check File, Host, and Time in the definition of your query, which
looks like this:

3. In the Results table section, check the number of entities found.

4. Review the columns in the Results table. For better visibility, go to ⋮ > Layout then
select and lock the columns FILE_NAME, SRC_PROCESS_NAME, and
ACTION_TYPE.
Remember that Layout has a search field to easily find attributes.

5. To modify query criteria, click the icon at the end of the query definition.

6. In FILE, change NAME to virlock*.vbs, then click Run, and then perform the following
steps in the Results table:
a. Check the number of entities found.
b. Find one row where SRC_PROCESS_NAME is wscript.exe.
c. Right-click the row to open the shortcut menu and verify that the Investigate Causality
Chain actions Open Card and Open Timeline are available.
Note that when you change the query definition and run it, Cortex XDR creates a new
query with the same name but different Query ID. In the next task, you will review the
queries in the Query Center of the management console.

Task 3: Manage Queries in Query Center


In this task, you open the Query Center of the management console to manage the search queries
you built earlier. You will review the columns in the query table, the actions in the shortcut
menu, and close and rerun your query.
1. Go to Query Center in the Cortex XDR management console.
2. Find your query starting with ####-QUERY in QUERY NAME.
You should have two queries with the same name starting ####-Query. The second
query was created when you modified the definition of the first query.
3. Note that QUERY NAME does not uniquely identify queries.
Which attribute uniquely identifies a query in Query Center?

4. Go to ⋮ > Layout and enable and lock Query ID and Execution ID.

Query Center displays all queries, including all executions of scheduled queries.
Therefore, it is the Execution ID that uniquely identifies queries in Query Center, as
shown in the following:

5. Using the columns as a reference, answer the following questions:


a. What is the status of your queries?
b. How many entities did each of your queries return?
Hint: Check QUERY STATUS and NUM OF RESULTS.
6. Right-click the query with file name = *.vbs in QUERY DESCRIPTION to open the
shortcut menu and review the actions.
7. Click Save as a new query, which opens Query Builder so that you can clone your query.
8. At the top of the page, note the default query name. Also, hover the mouse over the name
to see that the name is editable.
When you clone a query, you can use the name of the source query as the new name, or
you can change it. Cortex XDR will automatically assign a new Query ID to the new
query.
9. In the File section, make the following modifications:
a. Deselect the all checkbox.
b. Select the create and write checkboxes.
c. Enter *.exe in NAME.

10. Click Run in background.
Cortex XDR starts running your query as a background task. While it is processing the
query, you can keep working in the management console. When the search task is
completed, Cortex XDR sends a notification.
11. When you see a red circle in the management console Notifications, click Notifications:

12. Notice the message that says Query execution completed, and then click View to open
the Results page.

Task 4: Work with Scheduled Queries


In this task, you configure your query to run daily.
1. Go to Query Center in the Cortex XDR management console.
2. Find one of your queries starting with ####-QUERY in QUERY NAME.
Hint: Use the filter Query Name Contains ####-QUERY.
3. Right-click the query and click Schedule.
4. Select Run query by date and time and then select Run daily at.
5. Enter a time three minutes ahead of your current time, and then click OK:

Cortex XDR sends this query to its scheduler.


6. Go to Scheduled Queries in the Cortex XDR management console.
7. Find your query starting with ####-QUERY by name.

Even if you have multiple queries with the same Query Name, you should only see one
query in the Scheduled Queries table. Also, this table does not have Execution ID; it is
Query ID that uniquely identifies queries in this table.
8. Review the attributes (columns) SCHEDULED TIME and NEXT EXECUTION.
9. Wait until NEXT EXECUTION shows the next day, which means Cortex XDR
executed your query scheduled today.
10. Right-click your scheduled query and click Show executed queries > Show executed
queries in new tab.
This action opens Query Center in a new browser tab with the query table filtered by
the query ID you selected. When Cortex XDR executes your scheduled query, each
scheduled execution creates a new query that has the same query name and ID as the
originating query.
11. Check the table showing only the past executions of your scheduled query. Note that each
execution is uniquely identified by EXECUTION ID.

Task 5: Clean Up: Delete Your Scheduled Query


In this task, you will delete the scheduled query you created in the previous task.
1. Return to Scheduled Queries in the Cortex XDR management console.
2. Find your query by name starting with ####-QUERY.
3. Right-click your query, select Remove, and click Yes to confirm.
Note: In a Security Operations Center, it is far more common to disable rather than
remove scheduled queries, for purposes of accountability.
4. If you have created more than one scheduled query, right-click on each and remove it.

Lab 6 Working with Cortex XDR Rules
Background
In this lab, you create and manage IOC and BIOC rules in the Cortex XDR management console.
For IOC, you will import preset indicators provided in a text file. You will make changes before
importing the file. For BIOC, you will create a process-based BIOC rule to capture PowerShell
runs.

Lab Objective
At the end of this lab session, you should be able to:
● Create and manage IOC rules
● Create and manage BIOC rules
● Create rules exceptions

Activities
Activity 6.1 Managing IOC Rules
Activity 6.2 Managing BIOC Rules
Activity 6.3 Custom Prevention Rules

Activity 6.1 Managing IOC Rules
In this activity, you first access the IOC Rules Table in the Cortex XDR management console,
briefly review the table columns, and then import a text file containing the indicators to create a
few rules. You will also test one of your rules and review the alert created accordingly.

Tasks
Task 1: Import a List of Indicators as IOC Rules
Task 2: Trigger Your Rule

Task 1: Import a List of Indicators as IOC Rules


In this task, you will access the IOC Rules table in the Cortex XDR management console, briefly
review the table columns, and then import a text file containing mixed-type indicators.
1. Go to IOC in the Cortex XDR management console.
Now you will import indicators from a sample file as IOC rules.
2. Review the list of indicators in C:\Lab\262\Rules\IOC_samples.txt, as follows:
a. Open the file in Notepad++ and review the content of the file.
b. Note that each indicator is placed in a separate line.
c. Also note that the indicators in this file are of mixed type.
d. Close the file.
3. Click +Add IOC to add your rules.
4. Click the Single IOC tab and perform the following steps:
a. In the Indicator field, note the sample indicators, such as chrome.exe and 192.168.2.1.
b. Click Type and review the IOC indicator types.
c. Click Severity and review the options.
d. Note that the severity options for IOC rules are the same as the alert severity options.
5. Click the Upload File tab and perform the following steps:
a. Click Data Format and review the format options.
Data Format specifies the type of the indicators in the input file.
b. Make sure that Data Format is Mixed.
c. Click browse in Drag and Drop and select C:\Lab\262\Rules\IOC_samples.txt.
d. Click Severity and select Medium.
e. At the bottom, click Upload.
6. To find your IOC rules, create a filter on the SOURCE column. As the filter value, enter
your email address associated with your CSP username.
7. Review the IOC Rules table and note that a separate IOC rule is created for each
indicator in the sample file.
Note that there is no NAME column in the table. IOC rules don't have a name
attribute; an IOC rule is uniquely identified by its Indicator attribute.
8. Right-click one of your rules and review the available IOC rule actions.

Task 2: Trigger Your Rule


In this task, you will test one of the IOC rules created in the previous task. Specifically, you
will test the rule whose indicator attribute is risky-####.js. To test your rule, you will create a
JavaScript file named risky-####.js on your endpoint. When the Cortex XDR agent uploads the
enhanced endpoint data (EED) to Cortex XDR, the rule matching engine recognizes the name
of the JS file you created and then generates an IOC-type alert.
1. Open Notepad++ and create a new file from File > New.
To open Notepad++, click the endpoint's Start button, and then type Notepad++ into the
search bar.
2. Type a dummy string, such as Hi!, and press Ctrl + S to save the file.
3. Enter risky-####.js into File name, and then click Save.
4. Remember that EED logs are uploaded every five minutes, so you may need to wait.
5. Return to the IOC Rules page in the management console.
6. Find the rule with the indicator risky-####.js.
7. Refresh the IOC Rules page until you see a new hit in the # OF ALERTS column:

Recall that you may have to wait up to five minutes.


8. Open a new browser tab and go to the Alerts page in the management console.
Hint: Remember that you can use the relative path /alerts to go to this page.
9. To easily find the alert created by your IOC rule, use either HOST or RULE ID columns
in the Alerts table.
10. Review the attributes shown in the columns for this alert:
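As an added illustration of what the import in Task 1 and the match in Task 2 do behind the console, the following Python snippet (written for this guide, not Cortex XDR code) classifies each line of a constructed mixed-type indicator file into an IOC type, creates one rule per indicator, and then matches those rules against a few constructed EED-style events, including the creation of a file named risky-0420.js. The event field names (host, file_name, file_md5, remote_ip, remote_domain), the type-detection heuristics and the ID 0420 are assumptions for the example, not the product's schema.

```python
import ipaddress
import re

# Constructed sample of a mixed-type indicator file, one indicator per line.
# This is not the lab's IOC_samples.txt; its contents are made up for this example.
IOC_SAMPLES = """\
risky-0420.js
192.168.2.1
evil-updates.example
d41d8cd98f00b204e9800998ecf8427e
"""

HASH_RE = re.compile(r"^[0-9a-fA-F]+$")
FILE_EXTENSIONS = (".js", ".exe", ".dll", ".ps1", ".vbs", ".bat")


def classify_indicator(value: str) -> str:
    """Map a raw indicator string to an IOC type: IP, HASH, DOMAIN_NAME or FILENAME.

    Simplified heuristic for the example; the console's Mixed format does its own typing."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    if HASH_RE.match(value) and len(value) in (32, 40, 64):  # MD5 / SHA-1 / SHA-256 lengths
        return "HASH"
    if "." in value and " " not in value and not value.lower().endswith(FILE_EXTENSIONS):
        return "DOMAIN_NAME"
    return "FILENAME"


def load_ioc_rules(text: str, severity: str = "Medium") -> list[dict]:
    """Create one IOC rule per non-empty line, like the Upload File tab with Data Format = Mixed."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append({"indicator": line, "type": classify_indicator(line), "severity": severity})
    return rules


# Constructed EED-style events, as an agent might upload them (field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "0420-winpoint1", "event_type": "FILE_CREATE", "file_name": "risky-0420.js",
     "file_md5": "0cc175b9c0f1b6a831c399e269772661"},
    {"host": "0420-winpoint1", "event_type": "NETWORK", "remote_ip": "10.0.0.9"},
    {"host": "0420-winpoint1", "event_type": "NETWORK", "remote_ip": "192.168.2.1"},
    {"host": "0420-winpoint1", "event_type": "FILE_CREATE", "file_name": "notes.txt",
     "file_md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Which event field each IOC type is compared against (an assumption for this toy engine).
FIELD_FOR_TYPE = {
    "IP": "remote_ip",
    "HASH": "file_md5",
    "FILENAME": "file_name",
    "DOMAIN_NAME": "remote_domain",
}


def match_ioc_rules(rules: list[dict], events: list[dict]) -> list[dict]:
    """Return one alert per (rule, event) pair whose relevant field equals the indicator."""
    alerts = []
    for rule in rules:
        field = FIELD_FOR_TYPE[rule["type"]]
        for ev in events:
            if ev.get(field, "").lower() == rule["indicator"].lower():
                alerts.append({"rule": rule["indicator"], "type": rule["type"],
                               "severity": rule["severity"], "host": ev["host"]})
    return alerts


if __name__ == "__main__":
    rules = load_ioc_rules(IOC_SAMPLES)
    for alert in match_ioc_rules(rules, SAMPLE_EVENTS):
        print(alert)
```

Because the match is a plain string comparison, the alert for risky-0420.js appears only after the file-creation event reaches the engine, which is why the lab tells you to wait for the next EED upload before refreshing the # OF ALERTS column.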
Activity 6.2 Managing BIOC Rules
In this activity, you first access the BIOC page in the Cortex XDR management console and
review the BIOC Rules table. Then, you will create your own BIOC rule, trigger your rule to
create an alert, and examine this BIOC-type alert from the Alerts page of the Cortex XDR
management console.

Tasks
Task 1: Explore the BIOC Rules Table
Task 2: Create a BIOC Rule
Task 3: Trigger Your Rule

Task 1: Explore the BIOC Rules Table


In this task, you access the BIOC Rules page in the Cortex XDR management console and then
review the BIOC Rules table on the page.
1. Go to BIOC in the Cortex XDR management console.
2. Hover the cursor over Content up to date and perform the following steps:
a. Check the Version.
b. Check the Content Release Date.
c. Check the Last Version Check.
d. Click Content up to date to manually check for a new version.
3. Go to ⋮ > Layout, enable the Source attribute, and then review the SOURCE column in
the table.
4. Select one of the Palo Alto Networks BIOC rules related to PowerShell.
Hint: Select any rule with "Source=Palo Alto Networks" and "Name Contains
PowerShell".

5. Answer the following questions:


a. Is this rule, by default, enabled or disabled?
b. Which MITRE ATT&CK tactics does this rule attempt to trigger on?
c. Which resource type can trigger this rule?
6. Click +Add BIOC on the page.
7. Briefly review the options on the page to create a BIOC rule. Does this page look familiar
to you?
8. Open a new browser tab and go to Query Builder in the management console.
9. Switch between the two tabs a few times and notice that the two pages are almost
identical. Also, compare page URLs and page titles.
Indeed, the URLs of the two pages are very close to each other:
● Rule Builder (+Add BIOC) : /investigation/query-builder/bioc
● Query Builder : /investigation/query-builder
10. What difference between the two lists did you find? Why do you think there is a
difference between these two lists?

Task 2: Create a BIOC Rule


In this task, you create your own BIOC rule based on a process that runs on your endpoint.
1. Return to the browser tab with the Rule Builder (or, to start over, go to BIOC in the Cortex
XDR management console and click +Add BIOC).
2. Click Process and review the options to create a rule condition.
3. Notice the default BIOC rule name at the top.
4. Click the default name and enter ####-BIOC-01.
5. In the PROCESS section, perform the following steps:
a. Verify that Execution is already checked.
b. Enter powershell.exe in NAME and make sure that the equal sign (=) is selected.
6. Click +HOST at the bottom, and then enter ####-winpoint1 in HOST_NAME and
Windows in HOST OS.
Note: The host name must exactly match your endpoint's name or the rule will not
trigger.
7. Ensure your rule settings look like the following screenshot:

8. Click Test in the lower-right corner, and then review Results.
The Test action applies the rule to your historical data.
9. If needed, edit your rule by clicking the icon on this page.
10. Click Save and specify the following rule attributes in the Create BIOC Rule dialog:
a. Ensure that Name is ####-BIOC-01.
b. Click Type, review the attack types, and select Tampering.
c. Click Severity, review the levels, and select High.
d. Click Comment and enter ####.
11. Click OK to save your rule.

Task 3: Trigger Your Rule


In this task, you first run powershell.exe on your endpoint. This run triggers your rule in
Cortex XDR, and an alert is generated accordingly. You can then review this BIOC-type alert
in the Alerts table.
1. Open a Command Prompt window (Admin) by clicking the CMD icon on the toolbar.
2. Run powershell.exe, and then enter exit.
3. Open a new browser tab and go to the Alerts page in the management console.
4. Find the alert with "ALERT NAME=####-BIOC-01". Refresh the Alerts table (or the
Alerts page on the browser tab) until you see the alert, similar to the following:

Note that the EED is uploaded every 5 minutes, so it can take up to 5 minutes after
running PowerShell for the alert to show.
5. After you locate the alert, verify that:
a. The alert Name is equal to the BIOC rule name.
b. The alert Severity is High as specified in the rule definition.
c. The alert Category is Tampering as specified in the rule definition.
d. Question: Why was this alert only Detected and not blocked?
Note that with BIOC rules, detection occurs only in the cloud components of Cortex
XDR, not in the agent. Therefore, the action for this alert can only be Detected. In the
next activity, you will see a method for exporting BIOC rules to endpoints.
6. Return to the BIOC Rules page on the other tab and find your rule ####-BIOC-01 by
NAME.
7. On the right, find the column # OF ALERTS and view the number of hits for your rule.
8. Right-click your rule and review the right-click rule actions.
9. Select Disable and click Yes.
Activity 6.3 Custom Prevention Rules
When creating a BIOC rule in the previous activity, you may have noticed that a BIOC rule
based only on the process name could also be written as an IOC rule. After all, a process name
is a static property that can be used as a filename indicator in an IOC. In this activity, you will
create another BIOC rule with two dynamic properties that put the behavior into the BIOC
rule: you will add the username and the command line arguments to your rule.
Next, you will create a custom prevention rule that makes the BIOC rule behave like a
behavioral threat prevention rule; the Cortex XDR agent can then leverage this custom
prevention rule to block attacks on the endpoint.

Tasks
Task 1: Explore the BIOC Rules Table
Task 2: Test Your BIOC Rule
Task 3: Create a Restrictions Profile
Task 4: Create a Custom Prevention Rule
Task 5: Test Your Custom Prevention Rule
Task 6: Delete Your Custom Prevention Rule

Task 1: Explore the BIOC Rules Table


In this task, you will create another process-based BIOC rule with a command line argument
and a username. Note that any two BIOC rules in the Cortex XDR management console must
be different in terms of rule Behavior. In the previous BIOC rule, "host_name=####-winpoint1"
provided uniqueness. In this BIOC rule, the command line argument (CMD in the form) will
ensure uniqueness.
1. Go to BIOC in the Cortex XDR management console and click +Add BIOC.
2. Click Process.
3. Click the default name and enter ####-BIOC-02.
4. In the PROCESS section, perform the following steps:
a. Click NAME and enter notepad.exe. Make sure that the equal sign (=) is selected.
b. Click CMD, click the equal sign (=), select "=~", and then enter ####.
This means "CMD contains ####", where #### is your ID.
c. Click USER_NAME, click the equal sign (=), select "=~", and then enter
Administrator.
5. Verify your settings against the following screenshot:

6. Click Save and specify the following rule attributes in the Create BIOC Rule dialog:
a. Ensure that Name is ####-BIOC-02.
b. Click Type, review the attack types, and select Execution.
c. Click Severity, review the levels, and select Medium.
d. Click Comment and enter ####-02.
7. Click OK to save your rule.

Task 2: Test Your BIOC Rule


In this task, you will run notepad.exe with varying behaviors, such as running it under a
different username and changing its command line arguments. Then you will check the Alerts
table to verify that the rule matching engine triggered an alert only when you ran notepad.exe
with the dynamic properties specified in the rule definition.
1. Open a Command Prompt window (Admin) by clicking the CMD icon on the toolbar.
2. Type the command whoami to get the current user.
whoami
pan\student
3. Read the following notes before performing the next steps:
a. In the commands, replace #### with your ID.
For example, if your ID is 0420, run the command "notepad 0420.txt".
b. When Notepad is open, you can exit without saving.
Your BIOC rule controls the running of processes, not the files created by processes.
4. Run Notepad as follows. Exit Notepad without saving.
notepad.exe ####.txt
This command runs under pan\student; see the whoami output above. Therefore, it
does not match your BIOC rule.
You may receive a pop-up asking whether to create a new file. For now, click No and close
the Notepad window.
5. Now, type the following command to run notepad.exe as Administrator.
runas /user:Administrator "notepad ####.txt"
6. Enter Pal0Alt0 as password for the local Administrator account.
Notepad runs under the user Administrator, so it will match the rule. You can also specify
the AD domain for a user, as follows:
runas /user:PAN\Administrator "notepad ####.txt"
Note that the EED is uploaded every 5 minutes. You can run a malware test file such as
C:\Lab\Malware\MalwareTestDog.exe to start the upload immediately. When the agent
blocks the attack, it uploads both alert data and logs.
7. Return to the Alerts page and refresh the page in the browser tab.
8. Check the Alerts table and find your new alert whose USER NAME contains
Administrator.
Hint: Lock columns such as USER NAME and INITIATOR CMD from the Layout menu in the
Alerts table:

Task 3: Create a Restrictions Profile


In this task, you create a new Restrictions profile by cloning the default profile. Then you enable
Custom Prevention Rules in the profile so that you can associate your latest BIOC rule with this
Restrictions profile. The Restrictions profile transfers the BIOC rule to the endpoint, where the
XDR agent uses it to prevent the behavior defined in the BIOC rule.
1. Go to Policy Management in the management console.
2. Select Prevention > Profiles in the pane POLICY MANAGEMENT.
3. Expand Windows under PLATFORM and locate the profile with TYPE: Restrictions
and NAME: Default.
4. Right-click the profile, and then select Save As New to clone it.
5. Click Profile Name in General Information, and then enter ####-RestPF02.
6. Click Custom Prevention Rules in the left in-page navigation, or scroll down to it.
7. Unselect Use Default (Disabled) and select Enabled in Action Mode:
8. Click Create in the lower-right corner to create and save your new profile.
9. To link your profile with the applied policy rule, perform the following steps:
a. Go to Policy Management and select Prevention > Policy Rules.
b. Expand Windows under PLATFORM and locate the rule NAME: ####-WinRL01.
c. Right-click the rule and select Edit.
d. Click Restrictions down arrow and select the newly created profile ####-RestPF02.
e. Click Next in the lower-right corner.
f. Click Next in Target, click Done in Summary, and then click Save.

Task 4: Create a Custom Prevention Rule


In this task, you create a Custom Prevention Rule by associating your BIOC rule with the
applied Restrictions profile.
1. Go to BIOC in the Cortex XDR management console and find your rule ####-BIOC-02.
Note: You may need to filter the name column for ####.
2. Right-click the rule and select Add to restrictions profile.
3. Click Windows profiles and select your Restrictions profile ####-RestPF02:

4. Click Add.

Task 5: Test Your Custom Prevention Rule


In this task, you test your custom prevention rule.
1. In the XDR agent console, click Check In Now to force a heartbeat.
2. Open a Command Prompt window (Admin) by clicking the CMD icon on the toolbar.
3. Type the following command to run notepad.exe as the current user and note that the
XDR agent does not block this command.
notepad ####B.txt
4. Close notepad.
5. Type the following command with the password Pal0Alt0 to run notepad.exe as
PAN\Student. Note also that the XDR agent does not block this command:
runas /user:pan\student "notepad ####B.txt"
This step is only a preparation for the next step, to keep the difference between the two
commands to a minimum. Otherwise, this step and the previous one run the same command
under the same authority.
6. Now, type the following command with the password Pal0Alt0 to run notepad.exe as
PAN\Administrator:
runas /user:administrator "notepad ####B.txt"
7. Notice that the agent blocked this command and showed the Cortex XDR Prevention
Alert window with Prevention description: Behavioral threat detected.
8. Open a new browser tab and go to /alerts to open the management console's Alerts page.
9. In the Alerts table, locate your alert associated with this prevention.
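The following Python example, added here and not part of the lab or of Cortex XDR, models how the BIOC rules from Activity 6.2 and from Tasks 1, 2 and 5 of this activity are evaluated: each condition uses = (equals) or =~ (contains) as in the Rule Builder, a rule fires only when every condition matches, two rules must differ in behavior, and a rule becomes preventive only after it is added to a Restrictions profile with Custom Prevention Rules enabled. The process events, the ID 0420, the field names and the class names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed process-execution events shaped like the BIOC form fields
# (host_name, name, cmd, user_name). Values are made up for this example.
SAMPLE_PROCESS_EVENTS = [
    {"host_name": "0420-winpoint1", "name": "notepad.exe",
     "cmd": "notepad.exe 0420.txt", "user_name": "pan\\student"},
    {"host_name": "0420-winpoint1", "name": "notepad.exe",
     "cmd": "notepad 0420.txt", "user_name": "PAN\\Administrator"},
    {"host_name": "0420-winpoint1", "name": "notepad.exe",
     "cmd": "notepad readme.txt", "user_name": "PAN\\Administrator"},
    {"host_name": "0420-winpoint1", "name": "powershell.exe",
     "cmd": "powershell.exe", "user_name": "pan\\student"},
    {"host_name": "9999-winpoint1", "name": "powershell.exe",
     "cmd": "powershell.exe", "user_name": "pan\\student"},
]


@dataclass
class Condition:
    field: str
    op: str      # "=" exact match, "=~" contains, as offered by the Rule Builder
    value: str

    def matches(self, event: dict) -> bool:
        actual = event.get(self.field, "")
        if self.op == "=":
            return actual.lower() == self.value.lower()
        if self.op == "=~":
            return self.value.lower() in actual.lower()
        raise ValueError(f"unsupported operator {self.op}")


@dataclass
class BiocRule:
    name: str
    severity: str
    category: str
    conditions: list
    enabled: bool = True

    def matches(self, event: dict) -> bool:
        # Every condition must hold (the form ANDs the fields of one PROCESS section).
        return self.enabled and all(c.matches(event) for c in self.conditions)


@dataclass
class RestrictionsProfile:
    """Hypothetical model of a Restrictions profile's Custom Prevention Rules section."""
    name: str
    custom_prevention_enabled: bool = False
    prevention_rules: set = field(default_factory=set)  # BIOC rule names added to the profile

    def prevents(self, rule_name: str) -> bool:
        return self.custom_prevention_enabled and rule_name in self.prevention_rules


# The two rules built in the lab, with the constructed ID 0420.
RULES = [
    BiocRule("0420-BIOC-01", "High", "Tampering",
             [Condition("name", "=", "powershell.exe"),
              Condition("host_name", "=", "0420-winpoint1")]),
    BiocRule("0420-BIOC-02", "Medium", "Execution",
             [Condition("name", "=", "notepad.exe"),
              Condition("cmd", "=~", "0420"),
              Condition("user_name", "=~", "Administrator")]),
]


def behavior_signature(rule: BiocRule) -> tuple:
    """Normalized set of conditions; two rules with the same signature share a Behavior."""
    return tuple(sorted((c.field, c.op, c.value.lower()) for c in rule.conditions))


def check_unique_behaviors(rules: list) -> list:
    """Return (existing_rule, duplicate_rule) name pairs whose behaviors are identical."""
    seen, duplicates = {}, []
    for r in rules:
        sig = behavior_signature(r)
        if sig in seen:
            duplicates.append((seen[sig], r.name))
        else:
            seen[sig] = r.name
    return duplicates


def evaluate(rules: list, events: list, profile: RestrictionsProfile = None) -> list:
    """Return one alert per matching (event, rule); action is Prevented only via the profile."""
    alerts = []
    for ev in events:
        for r in rules:
            if r.matches(ev):
                prevented = profile is not None and profile.prevents(r.name)
                alerts.append({"name": r.name, "severity": r.severity, "category": r.category,
                               "user_name": ev["user_name"],
                               "action": "Prevented" if prevented else "Detected"})
    return alerts


if __name__ == "__main__":
    profile = RestrictionsProfile("0420-RestPF02", True, {"0420-BIOC-02"})
    for alert in evaluate(RULES, SAMPLE_PROCESS_EVENTS, profile):
        print(alert)
```

Run without a profile, both matches are reported as Detected, which is the cloud-only behavior you saw in Activity 6.2; with the profile that carries ####-BIOC-02, only that rule's match becomes Prevented, while the notepad run as pan\student and the run without #### in the command line match nothing at all.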

Task 6: Delete Your Custom Prevention Rule


In this task, you will delete your custom prevention rule from the applied Restrictions profile.
Remember that a custom prevention rule is just a relationship between a BIOC rule and a
Restrictions profile.
1. Go to Policy Management in the management console.
2. Select Prevention > Profiles in the pane POLICY MANAGEMENT.
3. Expand Windows under PLATFORM and locate the profile with TYPE: Restrictions
and NAME: ####-RestPF02.
4. Right-click the profile, and then select Edit.
5. Click Custom Prevention Rules in the left in-page navigation, or scroll down to it.
6. Note the table Prevention BIOC Rules in this section.
7. Right-click your BIOC rule and select Delete.
8. Click Save in the lower-right corner to save your profile.
Lab 7 Working with Network Assets
Background
The Cortex XDR management console provides some special investigation views that can
graphically display relevant information about object types such as hash values, IP addresses,
and hostnames. The Investigation Views include the Hash View and IP View. In this lab, first
you will investigate a file hash in the Hash View. Then, you will open an IP address in the IP
View.

Lab Objective
At the end of this lab session, you should be able to:
● Investigate files using their hash values in the Hash View
● Investigate IP addresses in the IP View

Activities
Activity 7.1 (*) Activate and Register a Broker VM
Activity 7.2 Scan IP Ranges with Network Mapper
Activity 7.3 Investigate Assets Using IP View

* This lab duplicates operations performed in Activity 11.1 in EDU 260.
Activity 7.1 (*) Activate and Register a Broker VM
A Broker VM image has already been downloaded and deployed to your network. The IP
address of your Broker VM is 192.168.1.50, but it has not been activated yet.
In this activity, you will activate your Broker VM. Activation includes authenticating the
communication between your Broker VM and the Cortex XDR instance; therefore, you will also
generate an authentication token.

Tasks
Task 1: Generate an Authentication Token
Task 2: Register Your Broker VM
Task 3: Verify Activation of Your Broker VM

Task 1: Generate an Authentication Token


In this task, you generate an authentication token from the management console. You will use
the token in the registration task.
1. Open the Cortex XDR management console and go to Settings > Configurations >
Broker VM.
2. To see the options, click the Add Broker button on the upper right and review the
options listed under the Download header.
Note: A Broker VM image has already been downloaded and deployed to your network.
The IP address of your Broker VM is 192.168.1.50.
3. Click Generate Token.

4. Read the warning: “Notice! This token will not be accessible once you close this
window.”
5. To copy the token, click the icon next to the token.
6. Make sure that the icon changed to indicate that the token was copied.
7. Open a text file and paste the token.
8. Click Done to close the dialog box.
Task 2: Register Your Broker VM
In this task, you open the console of your Broker VM using the default password. After you
change the password, you complete its network configuration. You will skip the optional settings
and register your Broker VM using the authentication token generated earlier.
1. Open a browser tab and go to your Broker VM console at
https://192.168.1.50:4443
Note: The https:// at the beginning of the above URL is essential for connecting to the
Broker VM. The port changed to 4443 in Broker VM v19; previous versions used the
standard port 443.
2. Enter the default password !nitialPassw0rd.
3. Enter br0ker-vm as the new password twice and click Apply.
4. In the Broker VM console, scroll up and down to see the configuration sections.
5. Go to the section Network Interfaces.
6. Verify that the network parameters IP, Netmask, and Default Gateway were
automatically provided.
7. Enter 8.8.8.8 in DNS and then click the Enter icon.
8. Ensure that your network parameters are as follows:

9. Click Save.
10. Go to the section Proxy Server and read the introduction: “Define a proxy server address
to route broker communication.”
11. Check the settings in Proxy Server, but do not make any changes. Your Broker VM can
connect directly to the internet.
Note: Do not confuse this section with the proxy service provided to Cortex XDR agents
by a Broker VM. The settings here are for a proxy server needed by a Broker VM if the
VM must connect to the internet through a proxy.
12. Skip all the other sections, including NTP and SSH Access, and scroll down to the
bottom of the page.
13. Find the Register button at the bottom and click Register.
14. Copy and paste the authentication token that you created earlier to the TOKEN field.
15. Click Register and wait until you see the confirmation message Registration Complete.
Note: Registration of your Broker VM can take up to 30 seconds.
16. Click Done to close the registration dialog box.

Task 3: Verify Activation of Your Broker VM


In this task, you verify the activation of your Broker VM. Note that there will be many Broker
VMs registered to the same Cortex XDR instance. To uniquely identify each registered Broker
VM, Cortex XDR assigns a unique device ID to each VM. In this task, you will get the device ID
of your VM.
1. In the Broker VM console, scroll up to the section Network Interfaces.
2. Find the green text above the section, which follows the template shown below; the
blurred text is the unique ID of your Broker VM, assigned by the Cortex XDR instance.

3. Go to the Broker VM table in the management console at Settings > Configurations >
Broker VM.
4. Find your Broker VM in the table by looking for your Broker VM ID in the Device Name
column.

5. Check the APPS column and notice that no applets have been activated yet.
Activity 7.2 Scan IP Ranges with Network Mapper
In this activity, you will first create an IP address range with a specific name in the management
console. Next, you will configure and activate Network Mapper on your Broker VM instance. As
part of the configuration, you will select the IP range by name, so the mapper will scan the IP
addresses in the range.

Tasks
Task 1: Create New IP Address Ranges
Task 2: Activate Network Mapper

Task 1: Create New IP Address Ranges


In this task, you will create new IP address ranges.
Note! The IP address range must be unique, so if you use an existing first and last IP address
pair, you will get the error "A Range with these First and Last IPs already exists". If uniqueness
cannot be ensured because of historical IP range objects in the table, you can delete them or skip
this task. If you skip this task, you can select any of the available IP Address Range objects in
the next task, the Network Mapper activation.
1. Go to NETWORK CONFIGURATION > IP Address Ranges in the management
console.
2. Click Add New Range > Create New.
3. Enter the name and IP address range as follows:
Name : ####-Range-1
Ip Address, Range Or Cidr : 192.168.1.0-192.168.1.1<X>
Here X is the last two digits of your ID ####. For example, if your ID is 5025, the second
IP in the range will be 192.168.1.125.
The last IP address of your IP range must meet two requirements. First, the range must not
already exist (the beginning of the range, 192.168.1.0, is the same for the whole class).
Second, the last octet must be greater than 50 so that the critical IP addresses stay in range:
your Broker VM's IP address ends in .50 and your endpoint's IP ends in .20.
4. Check the table for your IP address range:
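The following Python helper, added for this guide rather than taken from Cortex XDR, applies the checks from step 3 to a value typed into the Ip Address, Range Or Cidr field: it parses a single address, a first-last range or a CIDR, builds the lab range 192.168.1.0-192.168.1.1<X> from a student ID, rejects a first/last pair that already exists in a constructed table of ranges, and verifies that the Broker VM (.50) and the endpoint (.20) stay inside the range. The existing-range table is made up for the example.

```python
import ipaddress

# Constructed table of ranges that already exist in the console (made up for this example).
EXISTING_RANGES = [("192.168.1.0", "192.168.1.110"), ("10.0.0.0", "10.0.0.255")]

# Addresses that must stay inside the range, taken from the lab text.
REQUIRED_HOSTS = {"broker_vm": "192.168.1.50", "endpoint": "192.168.1.20"}


def parse_range(text: str):
    """Accept 'a.b.c.d', 'a.b.c.d-e.f.g.h' or CIDR notation, like the console's
    'Ip Address, Range Or Cidr' field, and return (first, last) addresses."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError("last IP is before first IP")
        return first, last
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net[0], net[-1]
    ip = ipaddress.ip_address(text)
    return ip, ip


def range_for_student(student_id: str) -> str:
    """Build the lab range from the last two digits X of the student ID ####."""
    x = student_id[-2:]
    return f"192.168.1.0-192.168.1.1{x}"


def validate_range(text: str, existing=EXISTING_RANGES, required=REQUIRED_HOSTS) -> list:
    """Return a list of problems; an empty list means the range can be created."""
    problems = []
    first, last = parse_range(text)
    # Uniqueness: the console rejects a range whose first and last IPs already exist.
    for ef, el in existing:
        if (ipaddress.ip_address(ef), ipaddress.ip_address(el)) == (first, last):
            problems.append("A Range with these First and Last IPs already exists")
    # Coverage: the Broker VM and the endpoint must fall inside the scanned range.
    for label, host in required.items():
        h = ipaddress.ip_address(host)
        if not first <= h <= last:
            problems.append(f"{label} {host} is outside the range")
    return problems


if __name__ == "__main__":
    candidate = range_for_student("5025")
    print(candidate, validate_range(candidate) or "ok")
```

With the constructed table, 192.168.1.0-192.168.1.110 is rejected as a duplicate while 192.168.1.0-192.168.1.125 passes both checks; a range that stops before .50 is reported as leaving the Broker VM out.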

Task 2: Activate Network Mapper


In this task, you will activate the network mapper on your Broker VM.
1. Go to Configurations > Data Broker > Broker VMs in the management console.
2. Right-click your Broker VM and select Add App > Network Mapper:

3. Review the configuration options in the Activate Network Mapper dialog.


a. View the Scan Method options but don't change.
b. View the Scanning Scheduler options but don't change; you will scan manually.
4. Click the Scanned Ranges drop-down list and type your #### ID to narrow the list.
5. Select the range that you created in the previous task, and then click the icon next to the list.
Note that you can enter multiple IP ranges in this list. On each addition, you must click
the icon to add the range to the list.
6. Click Activate.
7. Check the APPS column for your Broker VM instance. Note the status of activation, as
follows:

8. Wait until you see "Network Mapper" without “activating”.


9. Left-click Network Mapper and look at the bottom of its menu for Scan Now.

10. Hover the mouse over your Network Mapper and review the pop-up dialog. Do you see
any detected hosts?
11. Go to ASSET INVENTORY > All Assets in the management console.
12. Check the SOURCES column. You should see Broker Scanner, as follows:

Note: Your table may differ from this table depending on your lab environment IP
configuration. Also, because all student endpoints have the same IP network
configuration, it is impossible to determine which Network Mapper in the classroom is
reporting unmanaged assets. Remember that a Network Mapper primarily reports
unmanaged assets; therefore, you may not see XDR Agent in the Source column for your
endpoint even though its IP address is in the range you defined.
Activity 7.3 Investigate Assets Using IP View
In this activity, you will open the Assets table, find your endpoint, and then search for its IP
address using the IP View. The IP View will provide a graphical representation of the search
results around the IP address along with an investigation summary.
Note! Do not expect the numeric information in the search results to be accurate, because the
same IP address, 192.168.1.20, is used for all student endpoints named ####-winpoint1.

Tasks
Task 1: Open IP View
Task 2: Change Clustering Options

Task 1: Open IP View


In this task, you will investigate the network connections of your Windows endpoint using the IP
View.
1. Go to ASSET INVENTORY > All Assets in the management console.
2. Find your ####-winpoint1 endpoint in the Assets table using NAME.
3. Check that the right-click menu options vary depending on which cell (field) you right-
click, as follows:
a. Right-click the NAME cell of your endpoint and note the available actions.
b. Now, right-click the IP ADDRESSES cell and note these actions.

4. Click Open IP View to open the IP address in the IP View.
5. Note the default clustering options in CLUSTER DATA BY:

6. Note also the graphic drawn according to the clustering options:

7. Note the following:


a. The direction of the arrows coming out of 192.168.1.20 shows the connection type
Outgoing.
b. The primary clustering Destination Countries groups outgoing connections per
country.
c. Click a country to review the breakdown of the Outgoing connections per App-ID, such
as IP and UDP:

Task 2: Change Clustering Options


In this task, you will change the clustering options in CLUSTER DATA BY. Different clustering
options will be reflected in the graphic after you click Apply.
1. To reset the clustering options, delete the parameters from the URL in the browser
address bar.
Hint: Parameters are name-value pairs after "?" in URLs. So, delete everything from "?"
onward, check that the relative path is paloaltonetworks.com/overview-360/ip/192.168.1.20,
and then press Enter.
2. In CLUSTER DATA BY:
a. Click connection type, select Incoming, click Apply, and review the graph.
b. Note that the direction of the arrow pointing to the traffic flow changed inwards.
3. In CLUSTER DATA BY:
a. Click primary and select Source IP.
b. Click secondary and select Source Port, click Apply, and review the graph:

192.168.1.10 is the gateway, but depending on the actual lab implementation in your case,
you may see a different IP for the gateway.
4. In CLUSTER DATA BY:
a. Change the options as follows, click Apply, and review the graph:

b. Note that there are now five nodes in the graph:
Lab 8 Getting Started with XQL Queries
Background
Learning a programming language can present some challenges for security analysts and
administrators. Learning a data access language like XQL can be even more challenging, as it
involves learning two different things: the language syntax and the data schema. The purpose
of this lab is to get you started on your journey of learning XQL.

Lab Objective
At the end of this lab session, you should be able to:
● Become familiar with the XQL development environment in the management console
● Become familiar with XQL language syntax
● Write simple XQL queries
● Become familiar with the schema of the default dataset
● Visualize results tables

Activities
Activity 8.1 Get Started with XQL Development Environment
Activity 8.2 Create XQL Queries with Multiple Stages
Activity 8.3 Visualize Query Results
Activity 8.1 Get Started with XQL Development
Environment
In this activity, you will explore the XQL development environment in the Cortex XDR
management console. You will enter your first query in the XQL editor, then review the features
of the XQL editor such as content assist, error checking, and color coding. Next, you will run the
query and check the results.

Tasks
Task 1: Get Started with XQL Editor
Task 2: Run Your Query

Task 1: Get Started with XQL Editor


In this task, you will start using the XQL editor and explore its error-checking capabilities.
1. Go to Query Builder in the Cortex XDR management console.
2. Click XQL Search.
Alternatively, you can go to the relative path /xql.
3. Examine the page and notice that the page is divided into two panes:

4. Notice the following items in the upper pane:


a. The text field where you type your XQL query. This is the XQL editor.
b. Timeframe buttons above the editor. You can specify the timeframe of a query using
these buttons.
A query's time frame limits the logs the engine checks for the query. For example,
when you select 24H, your query only considers logs created in the last 24 hours.
c. Save As, Run in background and Run buttons at the bottom of the editor.
5. Notice the tabs in the lower pane, such as Query Results and XQL Helper.
6. Click the editor, and then type hello.
7. Notice that hello is marked with a red, wavy underline, indicating that hello is not
recognized.
8. To comment out the line with hello, add two forward slashes (//) at the beginning of the
line. Check that the error indicator disappeared.
To comment out multiple lines, start the block with /* and end it with */. Any text
between /* and */ is ignored by the XQL query compiler.
9. Select and delete the line with hello. A suggestion list should appear. If it does not, press
Ctrl + Space:

This feature is also known as Content Assist, or sometimes autocomplete.


10. Select from the list or type dataset and notice that there is still an underline:

11. To get an error description, hover the mouse over the error icon:
An "operator" is missing. The dataset stage expects a dataset name.
12. Type a dummy dataset name, myset1, after an equal sign (=) with spaces on either side.
13. Notice that this time, myset1 is underlined to indicate that it is not a valid dataset:

The dataset name is invalid because the dataset doesn't exist. A valid dataset must be
provided before the underline and error indicator disappear.
14. Delete myset1, and then press Ctrl + Space to see if a suggestion list is provided:

15. Select or type xdr_data, the name of the default dataset:

16. Note the color coding; for example, XQL keywords are displayed in green.
There should no longer be an “X” indicating an error, nor should there be a red
underline.
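To make the editor checks from this task concrete, the following Python example (added here, not Cortex XDR code) reproduces them on a query string: it strips // and /* */ comments, splits the query into pipe-delimited stages, and reports the three situations you just saw, an unrecognized word, a dataset stage without an = operator or name, and a dataset that does not exist. The dataset catalog and the list of stage names are constructed for the example and cover only a small part of XQL.

```python
import re

# Constructed catalog of dataset names the editor's content assist would offer.
# Only xdr_data, the default dataset named in the lab, is taken from the guide.
KNOWN_DATASETS = {"xdr_data", "endpoints", "panw_ngfw_traffic_raw"}

# Partial list of XQL stage keywords, enough for this example.
STAGE_RE = re.compile(r"^(filter|fields|sort|limit|comp|config|alter|dedup|join|union)\b")


def strip_comments(query: str) -> str:
    """Remove /* ... */ block comments and // line comments; the compiler ignores both."""
    without_block = re.sub(r"/\*.*?\*/", " ", query, flags=re.DOTALL)
    lines = [re.sub(r"//.*$", "", line) for line in without_block.splitlines()]
    return "\n".join(lines)


def split_stages(query: str) -> list[str]:
    """Split a query into stages on the pipe delimiter; line breaks carry no meaning."""
    flat = " ".join(strip_comments(query).split())
    return [s.strip() for s in flat.split("|") if s.strip()]


def check_query(query: str, known=KNOWN_DATASETS) -> list[str]:
    """Return editor-style error messages; an empty list means the query passed the checks."""
    stages = split_stages(query)
    if not stages:
        return ["query is empty"]
    # The first stage must be 'dataset = <name>'; capture keyword, operator and name.
    m = re.match(r"^(\w+)\s*(=?)\s*(\S*)", stages[0])
    if not m:
        return [f"'{stages[0]}' is not recognized"]
    keyword, op, name = m.groups()
    if keyword != "dataset":
        return [f"'{keyword}' is not recognized"]
    if op != "=":
        return ["dataset stage expects an '=' operator followed by a dataset name"]
    if not name:
        return ["dataset stage expects a dataset name"]
    if name not in known:
        return [f"'{name}' is not a valid dataset"]
    errors = []
    for stage in stages[1:]:
        if not STAGE_RE.match(stage):
            errors.append(f"unknown stage '{stage.split()[0]}'")
    return errors


if __name__ == "__main__":
    for q in ["hello", "// hello", "dataset", "dataset = myset1",
              "dataset = xdr_data\n| filter agent_hostname = \"0420-winpoint1\""]:
        print(repr(q), "->", check_query(q) or "valid")
```

The order of the checks mirrors what the editor shows: the keyword is validated first, then the operator, and only then the dataset name against the catalog, which is why replacing hello with dataset removed one error but immediately produced the next.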

Task 2: Run Your Query
In this task, you will run your query and then examine the Query Results tab, which shows the
search results.
1. Make sure that you have the following query in the editor:
dataset = xdr_data
2. Click the timeframe button 7D in the upper-right corner.
Selecting this button sets the search period for the last week.
3. Click Run to run your query.
4. Notice that the Query Results tab opens automatically, showing the results table.
5. Also notice that now your query has a name that is displayed above the editor and in the
Query Results.
6. In the Query Results tab, notice the FIELDS pane on the left. Note that it is
scrollable and collapsible. If you wanted to, you could also use these fields to narrow down
your query results.

Activity 8.2 Create XQL Queries with Multiple Stages
In the previous activity, you examined the XQL development environment in the management
console to edit and run XQL queries. In this activity, you create an XQL query with several
stages to search for file events on your endpoint.

Tasks
Task 1: Create a Query With Config and Filter Stages
Task 2: Focus on Specific Fields Using Fields Stage
Task 3: Shape the Results Table
Task 4: Save Your Query

Task 1: Create a Query With Config and Filter Stages


In this task, you create an XQL query with config and filter stages. With the query, you will
search for events performed on your endpoint by processes whose names contain “Notepad”.
Replace #### with your own ID in the following queries.
1. Make sure that you have the following valid query in the editor:
dataset = xdr_data
2. Click the end of line and press Enter to create a new line.
The query engine ignores line breaks. We add them to the query for easier reading.
3. Enter a filter stage to get logs originated from your endpoint:
| filter agent_hostname = "####-winpoint1"
Remember to separate the stages with the delimiting character pipe at the beginning of
the line.
If you have issues with your keyboard, such as the pipe (|) character not appearing when you
type it, log out by clicking Start, right-clicking the user icon, and clicking Sign out. The
keyboard layout should be fixed once you log back in.
Enter a new filter stage to get logs relevant to processes whose names contain "Notepad":
| filter actor_process_image_name contains "Notepad"
Note that the first letter of "Notepad" is uppercase.
4. Make sure your full query looks like this:
dataset = xdr_data
| filter agent_hostname = "####-winpoint1"
| filter actor_process_image_name contains "Notepad"

Note: Spaces and capitalization matter here. Pay special attention to even these small
details when using a query language.
5. Click the Run button to run your query.
6. Check the results table, which is likely to be empty.
There can be several reasons for an empty results table, such as an unsuitable search
timeframe or a mismatch of process names.
7. Notice that the string comparison here is case-sensitive:
actor_process_image_name contains "Notepad"
8. To make string comparisons case-insensitive, add the config stage at the beginning of
your query, as follows:
config case_sensitive = false
| dataset = xdr_data
9. Click Run again to run your query and verify that the results table is not empty.
10. Before you start the next task, make sure that your query code is as follows:

Don’t forget to add the | before dataset!

Task 2: Focus on Specific Fields Using Fields Stage


You may want to see only some fields in the results table. In this task, you specify the fields you
want to see in the results table using the fields stage.
1. Add a fields stage to your query to show only the actor process:
| fields actor_process_image_name
2. Note that the run button is currently greyed out. We’ll need to add more to the field in
order to make the query complete.
3. Add as ACTOR to the fields name and run your query:
| fields actor_process_image_name as ACTOR
4. Note how the column name in the results table is changed to ACTOR.
5. Add more fields to your query, as follows:
a. action_file_name as FILE
b. action_file_size as SIZE
c. event_type as TYPE
d. event_sub_type as SUBTYPE

6. Make sure that your fields stage looks like this:

7. Run your query and review the results table.

Task 3: Shape the Results Table


You want to remove duplicate entries in the results table for a particular field and sort the table
by a field. You also want to limit the number of records in the table. In this task, you add stages
to your query to shape your result set.
1. Review the SUBTYPE column in the results table to see the event subtypes.
The event in this example is of file type, so the subtype indicates file operations such as
file opening, writing, and closing.
2. To remove duplicate SUBTYPE records, append the dedup stage on SUBTYPE, as
follows:
| dedup SUBTYPE by asc _time
3. Run the query and note that SUBTYPE now contains unique values.
4. To sort the results table on SUBTYPE, append the sort stage, as follows:
| sort asc SUBTYPE
5. Finally, add the limit stage to limit the result set to only five records:
| limit 5
6. Run the query and note the number of records in the results table.

Task 4: Save Your Query


In this task, you save your query in the Query Library.
1. Before saving your query, make sure that your query in the editor looks like this (with
your endpoint’s name on line 3):

If not, you can copy and paste the content from C:\Lab\262\xql\query1.txt. You’ll need
to edit the content of that file to include your endpoint’s name on line 3.
2. Click the Save As button and review the options.
3. Select Query to Library, which opens a dialog box.
4. As the query name, enter q1_#### in the Query Name field. Remember to replace ####
with your ID.
5. Click Save.
6. To verify, click the Query Library tab.
7. Find your newly saved query and click it:

8. Note the action link Use In Query in the lower-right corner:


a. Delete your query in the editor area.
b. Click Use In Query.

Activity 8.3 Visualize Query Results
The Cortex XDR management console displays query results in a results table. You can view the
results table in other forms, such as histograms, and charts in various types such as graph or pie
charts. In this activity, you will test these results table visualization options.

Tasks
Task 1: View Results Table as a Histogram
Task 2: View Results Table as a Graph

Task 1: View Results Table as a Histogram


In this task, you create a histogram based on a selected field in the results table. The histogram is
a type of frequency table, so the field type chosen to create a histogram must be countable. For
example, fields containing arrays or JSON are not countable, whereas string and number types
are countable.
1. If the query that you created and saved in the library is not open in the XQL query editor:
a. Click the Query Library tab.
b. Find your query named q1_#### and click it.
c. Click the link Use In Query on the lower right.
2. In the editor, comment out the stages dedup, sort, and limit using /* */, as follows:
/* | dedup SUBTYPE by asc _time
| sort asc SUBTYPE
| limit 5 */
3. To test, run the query and view the results table.
4. Review the SUBTYPE column and note that because you commented out the dedup
stage, you now see duplicated records in this column.
Suppose that you need counts per unique event subtype, such as the number of file opens.
Cortex XDR can provide histogram views for this.
5. Note the FIELDS pane to the left of the results table.
6. Click SUBTYPE in the FIELDS pane:

7. Review the table, shown as a histogram.
8. Click X in the header to close it.

Task 2: View Results Table as a Graph


In this task, you test the graphical display of results tables. Before you specify the chart
parameters, you will add some XQL stages to your query to prepare the data in the results table.
1. Go to the XQL query editor and add the following line at the end of your query:
| dedup FILE by asc SIZE | limit 10 | sort desc SIZE
2. Run your new query.
3. Click the graph view option in the middle:

4. Review the Chart Editor.

5. Select Column in Main > Graph Type.

6. Select FILE in Data > X-axis.


7. Select SIZE in Data > Y-axis.
8. Compare your graph with the following:

Lab 9 Working with External Data
Background
Cortex XDR stores external data in datasets. In this lab, you will learn two management console
methods for creating datasets. In one method, your XQL query saves the results to a target
dataset. In the other, you use a management console action to import an external log file as a
dataset. You will also learn about the attributes of the datasets in the Datasets table and take
actions on them.
In addition to datasets, in this lab you will work with the Cortex XDR API to insert external
alerts to Cortex XDR.

Lab Objective
At the end of this lab session, you should be able to:
● Create datasets using XQL
● Create datasets by importing files
● Manage datasets, including changing the default dataset
● Create Cortex XDR API keys
● Use the Cortex XDR API to insert alerts externally to Cortex XDR

Activities
Activity 9.1 Create and Manage Datasets
Activity 9.2 Insert External Alerts Using XDR API

Activity 9.1 Create and Manage Datasets
In this activity, you will work on the Dataset Management page in the management console. You
will create datasets, change the default dataset, import a dataset, and delete your datasets.

Tasks
Task 1: Create a Dataset Using XQL
Task 2: Manage Your Datasets
Task 3: Create a Dataset by Importing
Task 4: Clean Up: Delete Your Datasets

Task 1: Create a Dataset Using XQL


In this task, you run an XQL query that will automatically save the results to a dataset.
1. Open a new browser tab, go to Query Builder in the Cortex XDR management console,
and click XQL Search.
Alternatively, you can go to the relative path /xql in the new browser tab.
2. To bring the query you created earlier to the XQL editor:
a. Click the Query Library tab.
b. Enter q1_#### in the search field and then click it to select:

c. Click the link Use In Query in the lower-right corner of the right pane.
3. Run the query to test and check the results table.
4. Click the Schema tab to open.
5. Verify that there are 940 fields in the dataset.
Note: Next to the word Schema, the console will say “Found # results.” This number
represents the number of schema currently in the Cortex XDR console and may be
different in later Cortex XDR versions.

6. Add a target stage to your query; remember to replace #### with your ID:
| target type = dataset ds1_####
The target stage will automatically save the result table to the specified dataset when
the query is executed.
7. Click Run to run your query.
There will be no visible difference between the two runs, without and with the target stage.
However, the target stage saved the results table to a new dataset.
For the following step, you may need to wait about 1 minute for the dataset to be
created.
8. To check if the new dataset was created:
a. Delete all of the query code in the editor area.
b. Type the following query in the editor:
dataset = ds1_####
c. Click Run to run the query.
9. Click the Schema tab to open.
a. How many fields does ds1_#### have?
b. Which fields are automatically included in the dataset?

Task 2: Manage Your Datasets


In this task, you will review the Datasets table in the management console.
1. Go to Configurations in the Cortex XDR management console.
2. Click Data Management > Dataset Management in the CONFIGURATIONS pane.
3. Review the Datasets table and answer the following questions:
a. About how many datasets are in the table? Many or few?
b. Do you know some datasets? Do you recognize any of them?
c. Which dataset shows Yes in the Default Query Target column?
To display the Default Query Target column, click the three vertical dots, go to Layout, and
enable the column.
d. How many different types do you see in Type? What do you believe these types
represent?
e. What could Total Events represent?
4. Find your dataset ds1_#### and right-click it to open the shortcut menu.
5. Review the available actions for this dataset.
6. Click View Schema and note that the action opens the XQL page in the management
console.

Task 3: Create a Dataset by Importing
In this task, you will create a dataset (a lookup table) by importing a CSV file in the management
console. You will modify the log file before importing.
1. Open the text file C:\Lab\262\dataset\ds2_#### in Notepad++.
Note: You may need to open Notepad++ in Administrator mode in order to save.
2. Note that the file contains logs in CSV (comma-separated value) format.
3. Make a new line at the bottom and add a new log, such as:
"5","2023-05-17 09:02:10","EDU-262 ####"
You can change the date-time and message values as you wish. Make sure that the rest of the
line, such as the quotation marks and commas, matches the previous lines.
4. Save and close the file.
5. Go to Configurations in the Cortex XDR management console.
6. Click Data Management > Dataset Management in the CONFIGURATIONS pane.
7. Click the +Lookup button.
8. Click browse and select C:\Lab\262\dataset\ds2_####.
9. Click Add and then read the notification message in the top right corner of the screen.
10. Click the notification icon near the Tenant Navigator and check the status. Proceed once
you receive the “Lookup Upload” success notification.
11. Refresh the Datasets table and find your newly created dataset.
12. Open the right-click menu and review the available actions.
13. Select the View Schema action.
Remember that this action automatically opens the XQL page in the management
console.
14. Note that the XQL editor shows this query:
dataset = ds2_####
Warning: You may temporarily see the error:
"dataset name is invalid - does not exist"
After waiting for a while, refresh the page and check the XQL editor for the error. It
should clear after a minute or two.
15. Click the Run button and review the result table.
16. Compare the result table with your initial text file. Pay special attention to the line you
added and how it differs from the previous four lines.

Task 4: Clean Up: Delete Your Datasets
In this task, you will delete your two datasets.
1. Go to Configurations in the Cortex XDR management console.
2. Click Data Management > Dataset Management in the CONFIGURATIONS pane.
3. Click the filter icon in the Dataset Name column header.
4. Enter your ID #### into the field.
5. Make sure that only your datasets are visible and that the others are filtered out.
In the following steps, note that you cannot select multiple datasets with the Delete
action; you can only delete datasets one at a time.
6. Right-click ds1_####, click Delete, and then click Yes to approve.
7. Right-click ds2_####, click Delete, and then click Yes to approve.

Activity 9.2 Insert External Alerts Using XDR API
In this activity, you use the Cortex XDR API to insert alerts to Cortex XDR externally. In the
first step, you will create an API key for authentication. Next, you will work on a text file to
enter the communication parameters. Then, to insert your alert externally, you will run a Python
script that remotely calls the Cortex XDR API named /insert_parsed_alerts.

Tasks
Task 1: Create Your API Key
Task 2: Enter Communication Parameters
Task 3: Review the External Alert
Task 4: Run the Script to Insert the Alert
Task 5: Debug the External Alert

Task 1: Create Your API Key


In this task, you create an API key that your Python script will use to authenticate its access to
Cortex XDR. Note that Cortex XDR displays API keys only once. So, you will use a blank text
file to copy and paste your API key before closing the corresponding dialog box.
1. Open Notepad++ and create a new file to temporarily save your API key.
The name of the file is not important.
2. Go to Configurations in the Cortex XDR management console.
3. Click Configurations > Integrations > API Keys.
4. Review the columns of the API Keys table.
5. Click +New Key and review the Generate API Key dialog.
6. On the left in Security Level:
a. Select Standard as the key type.
b. Check Enable Expiration Date, click the automatically populated date and time, and
select two weeks after the current date (today).
7. Enter your ID #### into the comment text box.
8. Select Instance Administrator in the Role list.
When connected to the management console, your API code will execute as Instance
Administrator.
9. Review the privileges of your role selection in Components.

10. Compare your settings with the following:

11. Click Save, and then review the Generated Key dialog. Read the message: “Notice! This
key will not be accessible once you close this window.”
12. To copy your newly generated key, perform either of the following:
a. Highlight the entire key using your mouse, and then press Ctrl + C.
b. Click the icon .
13. Go to the newly created file in Notepad++, paste the key (Ctrl + V), and save the file.
14. Return to the management console and click Close to close the dialog box.
15. In the API Keys table, find your key by looking for your name in the Created By column or
for #### in the Comment column.
16. Verify the role as Instance Administrator and note the key ID. You’ll need this Key ID
later, so either remember it or write it down.

Task 2: Enter Communication Parameters


In this task, you will enter the communication parameters between the external app (in this case
your Python script) and Cortex XDR into a settings file. The parameters include subdomain,
region, API key, and API key ID. You will also enter your student ID in the file.
1. Open File Explorer and go to C:\Lab\262\API.
2. Right-click the file mySettings.txt and edit it with Notepad++.
3. Review the structure of the file:
a. Lines starting with a hash (#) are comments that give more information; you can safely
ignore them.
b. Each non-comment line contains a setting in name-value pairs.
c. Angle brackets (< >) are placeholders that you replace with your own settings.
4. The parameters are:
a. Subdomain and region can be copied from the URL of the management console at
<subdomain>.xdr.<region>.paloaltonetworks.com.
b. You already copied the authorization key to a Notepad++ file in the previous task.
c. You can get your key ID from the API Keys page in the management console.
5. Review the following sample for the completed settings file:

Note: Your studentId, keyId and key will vary from the example above.
6. Save the file mySettings.txt.

Task 3: Review the External Alert


In this task, you will review a JSON file that contains the details of an alert. Typically, the JSON
file contains data for multiple alerts. The curly braces ({ }) in the file are placeholders that will
be replaced with your #### ID when you run the Python script. You will not make any changes
to the file.
1. Open File Explorer and go to C:\Lab\262\API.
2. Right-click the file myAlert.json and open it with Notepad++.
3. Briefly review the alert details:
{ "request_data": {
    "alerts": [
      {
        "product": "EDU-26X",
        "vendor": "EDU.Labs",
        "local_ip": "192.168.1.15",
        "local_port": 35398,
        "remote_ip": "192.168.2.25",
        "remote_port": 25,
        "event_timestamp": 123,
        "severity": "Medium",
        "alert_name": "{}-EDU-26X",
        "alert_description": "{}-External alert example"
      } ]
} }
4. Note a key-value pair on the second line: "alerts" : [… ].
Square brackets denote an array of some objects. There is only one alert in this file.
5. Check the "product" and "vendor" keys.
Cortex XDR will combine them to create the Alert Source field.
6. Notice the value of "remote_ip".
Cortex XDR will display this value as an artifact in the incident.
7. Check the value of "event_timestamp".
The value shown here is just a placeholder. The Python script will replace this value with
the current date-time in the Unix timestamp format. Unix timestamp is the number of
seconds that have elapsed since Jan 1, 1970 (UTC).
8. Notice the curly braces ({}) in the values of the "alert_name" and "alert_description":
"alert_name": "{}-EDU-26X",
"alert_description": "{}-External alert example"
The Python script, which you review in the next task, will substitute your #### ID before
sending the alert data in JSON.
9. Check the sample external alerts in the Alerts table as follows. Then, associate the alert
fields in the table with the JSON file shown above in this task:

Task 4: Run the Script to Insert the Alert


In this task, you run a Python script to insert the alert shown in the previous task to Cortex XDR.
The script opens the JSON file and changes some alert attributes in memory before sending it.
After running the script on the command line, you will examine your alert in the Alerts table.
1. Go to the folder C:\Lab\262\API in File Explorer.
2. Open the Python script insertAlerts.py in Notepad++ and briefly review the source.
Note: Do not just double-click the file as this will run it rather than edit it.
3. Open a Command Prompt window (Admin) by clicking the CMD icon on the toolbar.
Change the directory to C:\Lab\262\API.
4. Run the script by typing its name. This inserts the alert into Cortex XDR, as follows:
c:\Lab\262\API\insertAlerts.py
<Response [200]>
"Response" here means the HTTP response message. The return value in brackets ([ ]) is
the response status. Status codes include 2XX (Success) and 4XX (Client Error) (200: OK,
401: Unauthorized, 403: Forbidden, 404: Not Found). If you get 401, verify your API ID
and API key. If you get Traceback messages, verify the API URL. The 500 code indicates a
server error. For example, this code may indicate a required field is missing. Carefully
review all instructions in this lab section if you receive a 500 error.
5. Go to the Alerts page at /alerts in the management console (or refresh the page if it is
already open).
6. Check the Alert Name or Description column to find your externally inserted alert.
You may need to wait 1-2 minutes.
7. Review your alert in the Alerts table.

8. To open the incident that contains this alert, right-click the alert and select Pivots to
views > View related incident in the shortcut menu.
You may need to wait for this action to be available; check the Incident ID column.
9. Now click the Key Assets & Artifacts tab if it is not opened by default:

10. Notice that the IP address shown as an artifact is the IP address in the JSON file:
"remote_ip": "192.168.2.25"
You can also see this IP address as an artifact under "Additional artifacts found" in the
Timeline tab.
11. Rerun the script from the command line as follows, and then open and refresh the Alerts
table in the management console:
python insertAlerts.py
Do you see a new external alert in the Alerts table?
12. Note the plus (+) sign in Alert Name and verify that the number increases each time you
run the script. You may need to refresh your Alerts Table in order to see the additional
alerts.
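The settings file, placeholder substitution and API call that Tasks 2 through 4 describe, as an added Python example that is not the lab's insertAlerts.py: it parses a constructed mySettings.txt, fills the {} placeholders with the student ID, stamps event_timestamp with the current Unix time, assembles the request URL and authentication headers, and maps HTTP status codes to the troubleshooting guidance above. The setting names (subdomain, region, key, keyId, studentId), the sample values, and the api-<fqdn> host form with the x-xdr-auth-id and Authorization headers are assumptions, not taken from the lab files.

```python
import json
import time

# Constructed stand-in for C:\Lab\262\API\mySettings.txt (setting names assumed).
SAMPLE_SETTINGS = """\
# Copy subdomain and region from <subdomain>.xdr.<region>.paloaltonetworks.com
subdomain = example-tenant
region = us
# Standard API key and its key ID (Configurations > Integrations > API Keys)
key = REPLACE_WITH_API_KEY
keyId = 12
studentId = 1234
"""

# Constructed stand-in for myAlert.json, with the same fields the lab guide shows.
SAMPLE_ALERT_JSON = json.dumps({"request_data": {"alerts": [{
    "product": "EDU-26X", "vendor": "EDU.Labs",
    "local_ip": "192.168.1.15", "local_port": 35398,
    "remote_ip": "192.168.2.25", "remote_port": 25,
    "event_timestamp": 123, "severity": "Medium",
    "alert_name": "{}-EDU-26X",
    "alert_description": "{}-External alert example"}]}})

# Troubleshooting hints for the status codes the lab guide discusses.
STATUS_HINTS = {
    200: "OK: alert accepted; check the Alerts table after 1-2 minutes.",
    401: "Unauthorized: verify the API key ID and API key in mySettings.txt.",
    403: "Forbidden: the request was authenticated but is not permitted.",
    404: "Not Found: verify the API URL (subdomain, region, endpoint path).",
    500: "Server error: a required alert field is probably missing; "
         "recheck the JSON against the lab instructions.",
}


def parse_settings(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a name=value line: {raw!r}")
        settings[name.strip()] = value.strip()
    return settings


def build_payload(alert_json, student_id, now=None):
    """Return the request body with {} filled in and a fresh Unix timestamp."""
    body = json.loads(alert_json)
    stamp = int(time.time()) if now is None else now  # seconds since 1970-01-01 UTC
    for alert in body["request_data"]["alerts"]:
        alert["event_timestamp"] = stamp
        for field in ("alert_name", "alert_description"):
            alert[field] = alert[field].replace("{}", str(student_id))
    return body


def build_request(settings):
    """Return (url, headers) for the public API; the api-<fqdn> host form is assumed."""
    fqdn = f"{settings['subdomain']}.xdr.{settings['region']}.paloaltonetworks.com"
    url = f"https://api-{fqdn}/public_api/v1/alerts/insert_parsed_alerts"
    headers = {
        "x-xdr-auth-id": settings["keyId"],  # key ID from the API Keys table
        "Authorization": settings["key"],    # a Standard key is sent as-is
        "Content-Type": "application/json",
    }
    return url, headers


def explain_status(code):
    """Map an HTTP status code to the troubleshooting hint from the lab guide."""
    return STATUS_HINTS.get(code, f"Unexpected status {code}: inspect the response body.")


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_SETTINGS)
    url, headers = build_request(cfg)
    payload = build_payload(SAMPLE_ALERT_JSON, cfg["studentId"])
    print(url)  # the lab's script posts this payload with the requests library
    print(json.dumps(payload, indent=2))
```

To actually send it, the lab's script would call requests.post(url, headers=headers, json=payload) and print the response, which is where the <Response [200]> line in the output above comes from.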

Task 5: Debug the External Alert


In this task, you debug your external alert in the management console.
1. Go to the Alerts table in the management console and select your external alert.
2. Hold down the Alt key and then right-click the alert to display the advanced shortcut
menu.
3. Select the Debug alert action at the bottom.

4. Scroll down until you see "original_alert_json" in the JSON content. Review and
compare the content under this key, as follows:



PAN-EDU-262 XDR 3.6 Version A
