Cortex XDR Videos
Announcements
Featured Article
Getting started with Threat Hunting? Watch this webinar and review the resources available in the video. 
Alert Tuning Fundamentals

Watch this Customer Success webinar, where we introduce the Alert Tuning concept and share ample knowledge and best practices. We invite you to register for the second part of this series, where we will demonstrate real-world use cases to help you better understand the Alert Tuning process. You can review the second part here: Alert Tuning Part 2

Alert Tuning Options: Alert Tuning Cheat sheet

Additional read (make sure to review the applicable XDR license guide):
- Alert Exclusion
- IOC/BIOC Suppression Rules
- Disable Prevention Rules: Pro | Prevent
- Legacy Agent Exceptions: Pro | Prevent
- Support Exception Rules: Pro | Prevent
- Starred Incident: Prevent | Pro
- Smartscore (available for XDR Pro licenses)

Have a question? Post it on our Discussions forum: Cortex XDR
Don't miss out on the second part of the series and put knowledge into action! 
Click to watch the third and final episode of the Parsing & Correlation Rules webinar series. Don't miss out on all the resources shared below the video! 
Don't miss out on Part 1 of the Parsing & Correlation Rules series: Getting Started with Parsing Rules! Click to review the webinar and the additional resources linked in this article. Parsing & Correlation Rules features require an XDR Pro product license.
Watch the second part of the webinar series, Parsing & Correlation Rules - the Core of Detection, where we covered the Correlation Rule workflows, Correlation Rule creation, post-creation Correlation Rule options, and real-world examples!
Click to review this webinar and check out the queries and other useful resources we share. 
Forensics Module - Part 1

Part 1 of the webinar series Discover the World of Forensics covers the Forensics module overview, the reasons why and how to harness this module, a review of the ideal order of Forensics evidence collection, and introduces Forensic artifacts and terms.

Additional resources:

Commands:
PSReadLine: get the history file location with:
  Get-PSReadlineOption
  %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
DNS Cache: get the list with:
  Get-DnsClientCache
  ipconfig /displaydns

XDR Admin Guide, Forensics Module: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Forensics-Add-on-Options

Have a question? Post it on our Discussions forum: Cortex XDR
Check out the Exceptions Configuration webinar, and make sure to review the additional resources at the bottom of this article! Register for our next webinar series here
This webinar covers the latest release of Cortex XDR, which delivers new features and enhancements. Watch the video to learn more! 
In this webinar, we dive deep into the powerful Broker VM feature and discover how to utilize this Cortex XDR Pro feature to retrieve Syslog logs from any log source that can forward Syslog.
This webinar covers Cortex XDR Collectors deployment and administration and a demonstration of use cases to show how security visibility can be extended by ingesting, parsing, and consuming on-premise third-party logs.

* Available for Product License: Cortex XDR Pro Per TB. You can read more about the license types here.

Additional read:

XDR Collectors
- XDR Collector Machine Requirements and Supported Operating Systems
- Resources Required to Enable Access to XDR Collectors
- Configure the XDR Collector Upgrade Scheduler
- Add an XDR Collector Profile for Windows
- Manage XDR Collectors

Filebeat and Winlogbeat
- Configure Filebeat Inputs
- Configure Filebeat Modules
- Configure Winlogbeat Modules

- https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/external-data-ingestion
- https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-parsing-rules
- https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-correlation-rules
- https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-advanced-xql-workshop/ta-p/540388

XQL training:
- XQL Syntax - https://beacon.paloaltonetworks.com/student/collection/666205/path/1469524
- XQL Building Blocks - https://beacon.paloaltonetworks.com/student/collection/666205/path/1472045
- XQL Functions - https://beacon.paloaltonetworks.com/student/collection/666205/path/1559611

How-to Video Series: Ingest and Parse Custom Log Sources with XDR Collector
- Cortex XDR How-To Video: XDR Collector Log Ingestion
- Cortex XDR How-To Video: Broker VM Syslog Collection
- Cortex XDR How-To Video: Custom Parsing Rules
- Cortex XDR How-To Video: Advanced Parsing Rules - Modifying Logs
- Cortex XDR How-To Video: Advanced Parsing Rules - Multiple Rules

Regex testing: https://regex101.com/

Have a question? Post it on our Discussions forum: Cortex XDR
Active Scanning

Watch this webinar to learn about Cortex XDR active scanning, malware scanning concepts, file exemption flow, and more!

Helpful resources covered during the webinar:

FAQ:
- Configure scan on a specific file/folder (scroll to the solution to review the reply)
- Periodic scanning frequency, custom scans, and quick scans
- Malware scan and malicious files

Track scan status:
- Periodic Endpoint Scanning Report
- Active Scanning on Endpoints

How to utilize the XDR API: Cortex XDR Customer Success Webinar: Intro to API
XDR Pro administration webinars: Endpoint Administration - Part 1 | Endpoint Administration Part 2
XDR/XSOAR: XDR Content Pack on XSOAR Marketplace Webinar
XQL Enhancements: Cortex XDR How-To Video: Personal XQL Library

Have a question? Post it on our Discussions forum: Cortex XDR
Software Installations Blocking

This webinar covers the use cases for using Cortex XDR to block software installations in your environment, including event types, BIOC rule creation, and how to perform investigation & response using Host Insights. Watch the webinar below.

Additional read:
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Investigate-an-Asset

Have a question? Post it on our Discussions forum: Cortex XDR
Intro To API

This webinar covers the concept of REST APIs and the Cortex XDR API, foundational topics such as HTTP requests, URI components, and tools such as Postman, and demonstrates how you can successfully make calls to various Cortex XDR API endpoints. This webinar is designed for beginner professionals.

Useful resources:
- https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview
- Postman: https://www.postman.com/
- Cortex XDR 3.4 Postman Collection (available to download at the bottom of this article)

Ready to learn more? Watch our next webinar: How to Perform Response Actions via Action Center and Cortex XDR API

Have a question? Post it on our Discussions forum: Cortex XDR
Cortex XDR Action Center

This webinar provides an overview of the Action Center and demonstrates examples of how to perform response actions and leverage the Cortex XDR API. Watch the full webinar, and download the scripts shared through the demo below.

Useful resources:
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Action-Center
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Response-Actions
- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Response-Action-APIs

Get familiarized with the Cortex API with our previous webinar: Intro to Cortex XDR API
Endpoint Administration Part 2

Missed Endpoint Administration Part 1? Click HERE to watch.

This webinar covers the Cortex XDR agent-related administration tasks, including agent architecture, the Linux agent, and demos.

Useful commands:
===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool
===========================
- Run CMD as administrator
- Change directory to the Cortex XDR binary folder: run the command cd "C:\Program Files\Palo Alto Networks\Traps"
- Enter the Supervisor Password (= Uninstall Password) for privileged commands

Drivers & Services:
  cytool runtime query
Persistent DBs:
  cytool persist list
Registry:
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cyvera
  Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera
File System:
  C:\Program Files\Palo Alto Networks\Traps
  C:\ProgramData\Cyvera\
Protection status:
  cytool protect query
  cytool protect disable
TSF:
  C:\Users\<Username>\AppData\Roaming\PaloAltoNetworks\Traps\support
Agent Debug logs:
  To set the log level: cytool log level_set 7 all
  To collect logs: cytool log collect
  To return the log level to default: cytool log level_set 6 all

Procdump:
If we are seeing the virtual memory exhaustion for cyveraserver.exe occur daily at a certain time:
  procdump -ma 4572   (where 4572 is the PID of the active cyveraserver.exe process)

===============
Linux:
===============
For user space mode (minimum supported kernel version is v5):
  uname -an
  cat /proc/version
  dmesg | grep Linux
  lsb_release -a
  su
  cd /opt/traps/bin
  ./cytool /?
Processes Protected by Cortex XDR:
  ./cytool enum info
Websocket:
  ./cytool websocket query
Checkin:
  ./cytool checkin
Last Time Checkin:
  ./cytool last_checkin
Cortex XDR Processes:
  ./cytool runtime query
Agent files and directories (for logs, edr, download, etc.):
  cat /opt/traps/config/common.xml
Cortex XDR or Traps configuration:
  cat /opt/traps/config/trapsd.xml
Connectivity:
  ./cytool connectivity_test
Agent version:
  cat /opt/traps/version.txt
Agent ID:
  cat /etc/traps/agent.id
Distribution ID:
  cat /opt/traps/config/trapsd.xml | grep -i distribution_id
  cat /opt/traps/config/db_backup/distribution_id.txt
Reconnect:
  ./cytool reconnect
  ./cytool reconnect force XXX   (replace XXX with the distribution ID)
Proxy IP address configured:
  cat /opt/traps/config/trapsd.xml | grep -i proxy_list
To restart Cortex XDR processes (this does not survive reboot):
  ./cytool runtime query
  ./cytool runtime stop all
  ./cytool runtime start all
  ./cytool runtime restart all
  ./cytool runtime query
To change Cortex XDR processes behaviour at OS startup:
  ./cytool startup query
  ./cytool startup disable all
  ./cytool startup enable all
  ./cytool startup query
To check the protection status of the agent:
  ./cytool security query
To query, disable and enable event_collection:
  ./cytool event_collection query
  ./cytool event_collection disable
  ./cytool event_collection enable
  ./cytool event_collection query
To check the Linux operation mode (empty output: kernel module not installed or user space mode; otherwise, kernel operation mode):
  lsmod | grep traps
Resource utilization:
  top -s
  ps -ef | grep pmd
  ps aux | grep pmd
How long pmd has been running:
  systemctl status traps_pmd
Verify the agent was installed on the endpoint:
  dpkg -l | grep cortex-agent
  rpm -qa | grep cortex-agent
Logs:
  /var/log/traps/pmd.log
  ./cytool log collect
  sudo strace -ff -o cytool_tsf /opt/traps/bin/cytool log collect
===============
Adaptive Policy:
  cytool adaptive_collection /?
  cytool adaptive_collection query
Disable Adaptive Policy:
  cytool adaptive_policy interval 0
===============

If you have any questions about the topic presented, please post them on our discussion page: Cortex XDR
Watch this Cortex XDR webinar to learn about incident resources, followed by demos. We discussed prioritizing incidents, handling them depending on the incidents' and alerts' sources, and guiding SOC analysts through immediate threat response or threat hunting. Stay tuned for our June webinar invites!
This Cortex Customer Success webinar, Dashboards and Reporting, will give you essential insight into data points and empower you to respond quickly. It includes a demo showing how to use your dashboards to their full potential.
Join us for our Cortex Customer Success webinar, Asset Management. This webinar will demo and review unmanaged asset discovery, host inventory, and vulnerability assessment.
Prioritize incidents efficiently with XDR Incident Scoring Rules!
Watch this webinar to learn about XQL API usage, requirements, previous limitations it addresses, common issues, and use cases.
Learn how to Protect Kubernetes Clusters with XDR and get a brief overview of our EA Program, XDR 3.1, and our new certification!
Learn about the benefits of Managed Threat Hunting with Cortex XDR from Palo Alto Networks experts.