Cortex XDR Videos
Featured Article
Getting started with Threat Hunting? Watch this webinar and review the resources available in the video. 
Alert Tuning Fundamentals
Watch this Customer Success webinar, where we introduce the Alert Tuning concept and share ample knowledge and best practices. We invite you to register for the second part of this series, where we will demonstrate real-world use cases to help you better understand the Alert Tuning process. You can review the second part here: Alert Tuning Part 2

Alert Tuning Options:
  Alert Tuning Cheat Sheet

Additional read (make sure to review the applicable XDR license guide):
  Alert Exclusion
  IOC/BIOC Suppression Rules
  Disable Prevention Rules: Pro | Prevent
  Legacy Agent Exceptions: Pro | Prevent
  Support Exception Rules: Pro | Prevent
  Starred Incident: Prevent | Pro
  SmartScore (available for XDR Pro licenses)

Have a question? Post it on our Discussions forum: Cortex XDR
Don't miss out on the second part of the series and put knowledge into action! 
Click to watch the third and final episode of the Parsing & Correlation Rules webinar series. Don't miss out on all the resources shared below the video! 
Don't miss out on Part 1 of the Parsing & Correlation Rules series: Getting Started with Parsing Rules! Click to review the webinar and the additional resources linked in this article. Parsing & Correlation Rules features require an XDR Pro product license.
Watch the second part of the webinar series, Parsing & Correlation Rules - the Core of Detection, where we covered the Correlation Rule workflows, Correlation Rule creation, post-creation Correlation Rule options, and real-world examples!
Click to review this webinar and check out the queries and other useful resources we share. 
Watch the complete webinar series and learn about the powerful add-on feature: Forensics.
Forensics Module - Part 1
Part 1 of the webinar series Discover the World of Forensics covers the Forensics module overview, the reasons why and how to harness this module, a review of the ideal order of Forensics evidence collection, and introduces Forensic artifacts and terms.

Additional resources:
Commands:
  PSReadLine - get the history file location with:
    Get-PSReadlineOption
    %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  DNS cache - get the list with:
    Get-DnsClientCache
    ipconfig /displaydns
XDR Admin Guide, Forensics Module:
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Forensics-Add-on-Options

Have a question? Post it on our Discussions forum: Cortex XDR
Check out the Exceptions Configuration webinar, and make sure to review the additional resources at the bottom of this article! Register for our next webinar series here
This webinar covers the latest release of Cortex XDR, which delivers new features and enhancements. Watch the video to learn more! 
In this webinar, we dive deep into the powerful Broker VM feature and discover how to utilize this Cortex XDR Pro feature to retrieve Syslog logs from any log source that can forward Syslog.
This webinar covers Cortex XDR Collectors deployment and administration and a demonstration of use cases to show how security visibility can be extended by ingesting, parsing, and consuming on-premise third-party logs.

* Available for Product License: Cortex XDR Pro Per TB. You can read more about the license types here.

Additional read:
XDR Collectors:
  XDR Collector Machine Requirements and Supported Operating Systems
  Resources Required to Enable Access to XDR Collectors
  Configure the XDR Collector Upgrade Scheduler
  Add an XDR Collector Profile for Windows
  Manage XDR Collectors
Filebeat and Winlogbeat:
  Configure Filebeat Inputs
  Configure Filebeat Modules
  Configure Winlogbeat Modules
Documentation:
  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/external-data-ingestion
  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-parsing-rules
  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-correlation-rules
  https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-advanced-xql-workshop/ta-p/540388
XQL training:
  XQL Syntax - https://beacon.paloaltonetworks.com/student/collection/666205/path/1469524
  XQL Building Blocks - https://beacon.paloaltonetworks.com/student/collection/666205/path/1472045
  XQL Functions - https://beacon.paloaltonetworks.com/student/collection/666205/path/1559611
How-to Video Series: Ingest and Parse Custom Log Sources with XDR Collector:
  Cortex XDR How-To Video: XDR Collector Log Ingestion
  Cortex XDR How-To Video: Broker VM Syslog Collection
  Cortex XDR How-To Video: Custom Parsing Rules
  Cortex XDR How-To Video: Advanced Parsing Rules - Modifying Logs
  Cortex XDR How-To Video: Advanced Parsing Rules - Multiple Rules
Regex testing:
  https://regex101.com/

Have a question? Post it on our Discussions forum: Cortex XDR
Advanced XQL
This webinar covers how to utilize XQL to build out use cases, including an extensive XQL building demo. For the best experience, we recommend watching the videos in a full-screen view. Make sure to review the XQL queries under the videos.

Videos: Intro & Extraction Demo | Scenario Introduction | User Group Demo

XQL queries:

Extraction demo - extraction using arrayindex() and regextract():

config case_sensitive = false
| dataset = xdr_data // Using the xdr dataset
| fields action_evtlog_message, event_type, action_evtlog_event_id, agent_hostname, action_evtlog_data_fields
| filter event_type = ENUM.EVENT_LOG
| filter action_evtlog_event_id in (4720)
| alter SID_RegExtract = regextract(action_evtlog_message, "[\n\r][ \t]*Security ID:[ \t]*([^\n\r]*)")
| alter AccountName_RegExtract = regextract(action_evtlog_message, "[\n\r][ \t]*Account Name:[ \t]*([^\n\r]*)")
| alter AccountDomain_RegExtract = regextract(action_evtlog_message, "[\n\r][ \t]*Account Domain:[ \t]*([^\n\r]*)")
| alter Subject_SID = arrayindex(SID_RegExtract, 0)
| alter Target_SID = arrayindex(SID_RegExtract, 1)
| alter Subject_AccountName = arrayindex(AccountName_RegExtract, 0)
| alter Target_AccountName = arrayindex(AccountName_RegExtract, 1)
| alter Subject_DomainName = arrayindex(AccountDomain_RegExtract, 0)
| alter Target_DomainName = arrayindex(AccountDomain_RegExtract, 1)
| alter Subject_SID_directEXT = arrayindex(regextract(action_evtlog_message, "[\n\r][ \t]*Security ID:[ \t]*([^\n\r]*)"), 0)
| alter Subject_AccountName_directExt = arrayindex(regextract(action_evtlog_message, "[\n\r][ \t]*Account Name:[ \t]*([^\n\r]*)"), 0)
| alter Target_AccountName_directExt = arrayindex(regextract(action_evtlog_message, "[\n\r][ \t]*Account Name:[ \t]*([^\n\r]*)"), 1)

===================================

Extraction using json_extract_scalar():

config case_sensitive = false
| dataset = xdr_data // Using the xdr dataset
| fields action_evtlog_message, event_type, action_evtlog_event_id, agent_hostname, action_evtlog_data_fields
| filter event_type = ENUM.EVENT_LOG
| filter action_evtlog_event_id in (4720)
| alter Subject_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserName")
| alter Target_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")

===================================

User group data JSON extraction demo (event 4720 = user account created, event 4732 = member added to a security-enabled local group):

config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4720
| fields action_evtlog_message, action_evtlog_data_fields, action_evtlog_event_id, agent_hostname, agent_ip_addresses, action_evtlog_description
| alter Creator_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserName")
| alter Creator_Account_SID = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserSid")
| alter Created_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")
| alter Created_Account_SID = json_extract(action_evtlog_data_fields, "$.TargetSid")
| alter Creator_Domain_name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectDomainName")
| alter Creator_User_Type = if((Creator_Domain_name = agent_hostname), "Local_User", "Domain_User")
| join (
    preset = xdr_event_log
    | filter action_evtlog_event_id = 4732
    | alter Group_Member_SID = json_extract(action_evtlog_data_fields, "$.MemberSid")
    | alter User_Group_Name = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName")
    | alter Action_Account_Name = json_extract_scalar(action_evtlog_data_fields, "$.SubjectUserName")
    | alter User_Group_SID = json_extract_scalar(action_evtlog_data_fields, "$.TargetSid")
  ) as DemoXQL demoxql.Group_Member_SID = Created_Account_SID
| fields Creator_Account_Name, Created_Account_Name, Action_Account_Name, agent_hostname, Creator_Domain_name, Creator_User_Type, User_Group_Name, User_Group_SID, action_evtlog_event_id, action_evtlog_message, action_evtlog_data_fields
| filter (User_Group_Name = """Administrators""")
| sort desc _time
| join (
    preset = host_inventory_users
    | fields endpoint_name, disabled as Is_Created_Account_Disabled, password_expired as Is_Created_Account_password_expired, name, full_name as Created_Account_full_name
  ) as AddedHostInventory addedhostinventory.endpoint_name = agent_hostname
| filter name = Created_Account_Name
| fields Creator_Account_Name, Action_Account_Name, Created_Account_Name, Is_Created_Account_Disabled, Is_Created_Account_password_expired, agent_hostname, Creator_Domain_name, Creator_User_Type, User_Group_Name, User_Group_SID, action_evtlog_event_id, action_evtlog_message, action_evtlog_data_fields

Recommended guides:
  Cortex XDR XQL Language Reference
  Cortex XDR XQL Schema Reference

Have a question? Post it on our Discussions forum: Cortex XDR
Active Scanning
Watch this webinar to learn about Cortex XDR active scanning, malware scanning concepts, file exemption flow, and more!

Helpful resources covered during the webinar:
FAQ:
  Configure scan on a specific file/folder (scroll to the solution to review the reply)
  Periodic scanning frequency, custom scans, and quick scans
  Malware scan and malicious files
Track scan status:
  Periodic Endpoint Scanning Report
  Active Scanning on Endpoints
How to utilize the XDR API:
  Cortex XDR Customer Success Webinar: Intro to API
XDR Pro administration webinars:
  Endpoint Administration - Part 1 | Endpoint Administration - Part 2
XDR/XSOAR:
  XDR Content Pack on XSOAR Marketplace Webinar
XQL Enhancements:
  Cortex XDR How-To Video: Personal XQL Library

Have a question? Post it on our Discussions forum: Cortex XDR
Software Installations Blocking
This webinar covers the use cases for using Cortex XDR to block software installations in your environment, including event types, BIOC rule creation, and how to perform investigation & response using Host Insights. Watch the webinar below.

Additional read:
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Investigate-an-Asset

Have a question? Post it on our Discussions forum: Cortex XDR
Intro To API
This webinar covers the concept of REST APIs and the Cortex XDR API, foundational topics such as HTTP requests, URI components, and tools such as Postman, and demonstrates how you can successfully make calls to various Cortex XDR API endpoints. This webinar is designed for beginner professionals.

Useful resources:
  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview
  Postman: https://www.postman.com/
  Cortex XDR 3.4 Postman Collection (available to download at the bottom of this article)

Ready to learn more? Watch our next webinar: How to Perform Response Actions via Action Center and Cortex XDR API

Have a question? Post it on our Discussions forum: Cortex XDR
Cortex XDR Action Center
This webinar provides an overview of the Action Center and demonstrates examples of how to perform response actions and leverage the Cortex XDR API. Watch the full webinar, and download the scripts shared during the demo below.

Useful resources:
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Action-Center
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Response-Actions
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Response-Action-APIs

Get familiar with the Cortex XDR API with our previous webinar: Intro to Cortex XDR API
Endpoint Administration Part 2
Missed Endpoint Administration Part 1? Click HERE to watch.
This webinar covers the Cortex XDR agent-related administration tasks, including agent architecture, the Linux agent, and demos.

Useful commands:
===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool
===========================
- Run CMD as administrator
- Change directory to the Cortex XDR binary folder - run the command: cd "C:\Program Files\Palo Alto Networks\Traps"
- Enter the Supervisor Password (= Uninstall Password) for privileged commands

Drivers & services:
  cytool runtime query
Persistent DBs:
  cytool persist list
Registry:
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cyvera
  Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera
File system:
  C:\Program Files\Palo Alto Networks\Traps
  C:\ProgramData\Cyvera\
Tamper protection status:
  cytool protect query
  cytool protect disable
TSF (tech support file) location:
  C:\Users\<Username>\AppData\Roaming\PaloAltoNetworks\Traps\support
Agent debug logs:
  To set the log level: cytool log level_set 7 all
  To collect the logs: cytool log collect
  To return the log level to default: cytool log level_set 6 all

Procdump:
  If we are seeing virtual memory exhaustion for cyveraserver.exe occur daily at a certain time:
  procdump -ma 4572, where 4572 is the PID of the active cyveraserver.exe

===============
Linux:
===============
For user space mode (minimum supported kernel version is v5):
  uname -an
  cat /proc/version
  dmesg | grep Linux
  lsb_release -a
  su
  cd /opt/traps/bin
  ./cytool /?
Processes protected by Cortex XDR:
  ./cytool enum info
Websocket:
  ./cytool websocket query
Checkin:
  ./cytool checkin
Last checkin time:
  ./cytool last_checkin
Cortex XDR processes:
  ./cytool runtime query
Agent files and directories (for logs, EDR, download, etc.):
  cat /opt/traps/config/common.xml
Cortex XDR or Traps configuration:
  cat /opt/traps/config/trapsd.xml
Connectivity:
  ./cytool connectivity_test
Agent version:
  cat /opt/traps/version.txt
Agent ID:
  cat /etc/traps/agent.id
Distribution ID:
  cat /opt/traps/config/trapsd.xml | grep -i distribution_id
  cat /opt/traps/config/db_backup/distribution_id.txt
Reconnect:
  ./cytool reconnect
  ./cytool reconnect force XXX (replace XXX with the distribution ID)
Configured proxy IP address:
  cat /opt/traps/config/trapsd.xml | grep -i proxy_list
To restart the Cortex XDR processes (this does not survive a reboot):
  ./cytool runtime query
  ./cytool runtime stop all
  ./cytool runtime start all
  ./cytool runtime restart all
  ./cytool runtime query
To change the Cortex XDR processes' behaviour at OS startup:
  ./cytool startup query
  ./cytool startup disable all
  ./cytool startup enable all
  ./cytool startup query
To check the protection status of the agent:
  ./cytool security query
To query, disable and enable event_collection:
  ./cytool event_collection query
  ./cytool event_collection disable
  ./cytool event_collection enable
  ./cytool event_collection query
To check the Linux operation mode (empty output: kernel module not installed or user space mode; otherwise, kernel operation mode):
  lsmod | grep traps
Resource utilization:
  top -s
  ps -ef | grep pmd
  ps aux | grep pmd
How long has pmd been running:
  systemctl status traps_pmd
Verify the agent was installed on the endpoint:
  dpkg -l | grep cortex-agent
  rpm -qa | grep cortex-agent
Logs:
  /var/log/traps/pmd.log
  ./cytool log collect
  sudo strace -ff -o cytool_tsf /opt/traps/bin/cytool log collect
===============
Adaptive Policy:
  cytool adaptive_collection /?
  cytool adaptive_collection query
Disable Adaptive Policy:
  cytool adaptive_policy interval 0
===============

If you have any questions about the topic presented, please post them on our discussion page: Cortex XDR
Endpoint Administration Webinar Part 1
This webinar covers the Cortex XDR agent-related administrative tasks, from installation, architecture, and common issues to our pro tips! Watch the video and use the resources that were shared during the webinar, listed below.

Resources:

Adding a proxy list during the installation:
  msiexec /i c:\install\cortexxdr.msi proxy_list="My.Network.Name:808,10.196.20.244:8080"

For an endpoint-side local uninstall - disable Tamper Protection first:
  cytool protect disable

XQL custom widget for count of endpoints by minor release:

config case_sensitive = false timeframe = 30d
| dataset = endpoints
| filter endpoint_status = ENUM.CONNECTED or endpoint_status = ENUM.DISCONNECTED
| alter agent_version_formatted = regextract(agent_version, "^\D*(\d+(?:\.\d+)?)")
| arrayexpand agent_version_formatted
| comp count(agent_version_formatted) as no_of_agents by agent_version_formatted
| fields agent_version_formatted, no_of_agents
| sort asc agent_version_formatted
| view graph type = column subtype = grouped,horizontal header = "Count of Endpoints by Minor Release" show_callouts = `true` xaxis = agent_version_formatted yaxis = no_of_agents legend = `false` xaxistitle = "Agents by Minor Release"

List of duplicate endpoints:

dataset = endpoints
| fields endpoint_id, endpoint_name, last_seen
| comp count() as count by endpoint_name addrawdata = true as raw_data
| filter count > 1
| sort desc count
| alter endpoint_name = arrayindex(raw_data, 0) -> endpoint_name
| alter endpoint_id = arrayindex(raw_data, 0) -> endpoint_id
| alter last_seen = arrayindex(raw_data, 0) -> last_seen

XQL custom widget for top 20 duplicate endpoints:

dataset = endpoints
| fields endpoint_id, endpoint_name, last_seen
| comp count() as no_of_duplicates by endpoint_name
| filter no_of_duplicates > 1
| fields endpoint_name, no_of_duplicates
| sort desc no_of_duplicates
| view graph type = column subtype = grouped,horizontal header = "Top 20 duplicate endpoints" show_callouts = `true` xaxis = endpoint_name yaxis = no_of_duplicates legend = `false` xaxistitle = "Number of duplicates per endpoint"

Count of endpoints per operational status:

dataset = endpoints
| fields endpoint_name, is_edr_enabled
| comp count_distinct(endpoint_name) as counter by is_edr_enabled
| view graph type = pie show_callouts = `true` xaxis = is_edr_enabled yaxis = counter

Live Terminal command samples (Shift + Enter to execute):
  hostname
  C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

Live Terminal Python script sample (Shift + Enter to execute):
  import os
  print(os.listdir('c:\\users'))

Demo cytool commands (tool used: Process Explorer). The list below is not exhaustive; see the attached Slide 24, and use the cytool help output to see all the available cytool commands.

===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool
===========================
Run CMD as administrator.
Change directory to the Cortex XDR binary folder - run the command: cd "C:\Program Files\Palo Alto Networks\Traps"
Enter the Supervisor Password (Uninstall Password) for privileged commands:
  cytool runtime query
  cytool protect query
  cytool websocket query
  cytool connectivity_test
Another variant without changing the path:
  C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info
An alternative way to pause protection:
  cytool security [enable | disable]
    enable     Enables security profiles.
    disable    Disables security profiles.

ID extraction & reconnection
To extract the distribution ID locally and reconnect the agent (the new distribution_id can also be copied from your Cortex XDR tenant):
  cat /opt/traps/config/trapsd.xml | grep -i distribution_id
cytool reconnect:
  cytool reconnect force DISTRIBUTION_ID
Try without the distribution ID first. Note: the cytool reconnect force command will create duplicates and a new instance; as a result, it's not meant to be used multiple times.

===========================
On macOS
===========================
  sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime query
  sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime stop all
  sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime start all
  sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin

============================
Linux
============================
Processes protected by Cortex XDR:
  ./cytool enum
Websocket:
  ./cytool websocket query
Checkin:
  ./cytool checkin
Last checkin time:
  ./cytool last_checkin
Agent files and directories in use for logs, EDR, download, etc.:
  cat /opt/traps/config/common.xml
Connectivity:
  ./cytool connectivity_test
Agent version:
  cat /opt/traps/version.txt
Agent distribution ID:
  cat /opt/traps/config/trapsd.xml | grep -i distribution_id
  cat /opt/traps/config/db_backup/distribution_id.txt
Configured proxy IP address:
  cat /opt/traps/config/trapsd.xml | grep -i proxy_list

=========================

Agent functionality:
In order to implement the agent functionality, the agent includes the following components:
Drivers
Services (cytool runtime query)
Processes - the processes that start running when the service starts or when needed:
  cyserver.exe
  cortex-xdr-payload.exe
  tlaworker.exe
  cytray.exe
  cyveraconsole.exe
DLLs:
  cyinjct.dll
  cyvrtrap.dll
  cyvera.dll
Registry - holds important keys of policy information, policy configurations, and protected processes:
  Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\policy

Cortex XDR
Watch this Cortex XDR webinar to learn about incident resources, followed by demos. We discussed prioritizing incidents, handling them depending on the incidents'/alerts' sources, and guiding SOC analysts through immediate threat response or threat hunting. Stay tuned for our June webinar invites!
This webinar provides a deep dive into what Global Analytics is and its benefits. Watch the video to learn more about the capabilities of this feature.

Agenda:
1. What are supply chain attacks?
2. What is Global Analytics?
3. Supply Chain Attack Protection with Global Analytics

For additional information, read the blog: How Cortex XDR Global Analytics Protects Against Supply Chain Attacks

Cortex XDR
This Cortex Customer Success webinar, Dashboards and Reporting, will give you essential insight into data points and empower you to respond quickly. It includes a demo showing how to use your dashboards to their full potential.
Join us for our Cortex Customer Success webinar, Asset Management. This webinar will demo and review unmanaged asset discovery, host inventory, and vulnerability assessment.
Prioritize incidents efficiently with XDR Incident Scoring Rules!
Watch this webinar to learn about XQL API usage, requirements, previous limitations it addresses, common issues, and use cases.
Learn how to Protect Kubernetes Clusters with XDR and get a brief overview of our EA Program, XDR 3.1, and our new certification!
Learn about the benefits of Managed Threat Hunting with Cortex XDR from Palo Alto Networks experts.
This Cortex Customer Success webinar episode covers the XDR content pack on XSOAR marketplace and how to effectively use XDR with XSOAR. 