Module 1 – Getting Started with Endpoint Protection
• Cortex XDR management console
  • Main Elements
  • Filtering
  • Layout
• Agent installations
  • Overview
  • Create Installer and install
  • Agent Console
  • cytool
• Endpoints and endpoint groups
  • Endpoint Administration
  • Endpoint Group Administration
• Policy rules and profiles
  • Policy Management Overview
  • Profile types
  • Agent settings
• Lab
  • Create a Cortex XDR agent installation package for Windows
  • Install the Cortex XDR agent on a Windows endpoint
  • Create static and dynamic endpoint groups
  • Clone the default Agent Settings Profile and modify the settings
  • Clone the default policy rule and modify the settings

Module 2 – Working with Cortex Apps
• Working with the Cortex apps
  • Overview
  • Customer Support Portal
  • HUB
  • Activation of Cortex XDR
• Lab
  • Access the Cortex hub and explore the homepage
  • Verify your Cortex XDR instance and your Cortex XDR application roles
  • Access the Cortex XDR management console

Module 3 – Cortex XDR Family Overview
• Cyberattack vectors
• Cortex XDR features
• Cortex XDR offerings
• Lab
  • Lab Overview
  • Generate a PowerShell script (a payload) to demonstrate a reverse shell attack

Module 4 – Malware Protection
• Restrictions and Malware Profiles overview
  • Restrictions Profiles
  • Malware profiles overview flow
  • Malware profiles flow
• Malware protection modules and their configurations
  • Portable Executable and DLL Examination
  • Office Files with Macros Examination – profile
  • Behavioral Threat Protection
  • Ransomware Protection
  • Child Process Protection
  • Endpoint Scanning
  • Password Theft Protection
• Lab
  • Create Restrictions Profiles and change the settings
  • Create Malware Profiles and change the settings
  • Work with Ransomware Protection
  • Work with Behavioral Threat Protection

Module 5 – Exploit Protection
• Application exploit prevention
• Exploitation techniques and defence mechanisms
• Exploit protection modules and Exploit Profiles
  • Overview
  • Exploit Profiles
  • Exploit protection in action
• Lab
  • Initiate exploit attacks from Metasploit
  • Describe the structure of a command-and-control server from the perspective of the attacker
  • Create Exploit Profiles and change various settings

Module 6 – Exceptions and Response Actions
• Exceptions
  • Global vs profile exceptions
  • Process Exceptions
  • Support Exceptions
  • Behavioural & Digital Signer
• Actions overview
  • Response actions
  • Actions from Action Center
  • Actions from Endpoint Administration
  • Actions from Alerts Analysis
  • Script Execution
• Lab
  • Create process exceptions and hash exceptions
  • Import security exceptions
  • Terminate suspicious processes
  • Isolate endpoints, and then cancel isolations
  • Quarantine and then restore files
  • Work with Action Center to perform actions and track action progress
  • Using the browser’s developer console, verify the role of the signed-in user
  • Upload your custom Python script and then remotely execute it on the endpoint
  • Work with the Live Terminal

Module 7 – Behavioral Threat Analysis
• Detection and Response use case
• Incident Analysis vs Data Research
  • Incident Analysis
  • Data Research
• Behavioral threat analysis
  • Causality Analysis Engine
  • Analytics Engine
• Lab
  • Configure upload of the EED
  • Analyze alerts with and without EED and compare the results
  • Manage (stop, start, and query) the EED from the endpoint
  • Trace the Agent log for the EED uploads

Module 8 – Cortex XDR Rules
• Working with BIOC rules
• Working with IOC rules and rules exceptions
• Lab
  • Explore the BIOC and IOC pages
  • Describe the BIOC and IOC tables after examining the columns (fields)
  • Create and manage BIOC rules
  • Create and manage IOC rules
  • Create rules exceptions

Module 9 – Incident Management
• Alerts
  • Overview
  • Alert Actions
  • Stitched vs non-stitched
• Incidents
  • Incident List and actions
  • Incident View
  • Incident Administration
• External alerts
• Alert exclusion and starring policies
• Lab
  • Manage incidents, including changing status and assigning investigators
  • Prioritize and close incidents
  • View the incident details, including alert breakdown, key assets and key artefacts
  • Use the Cortex XDR API to send an external alert to Cortex XDR
  • Create and manage alert starring policies
  • Create and manage alert exclusion policies

Module 10 – Alert Analysis Views
• Motivation for advanced alert analysis
• Analyzing alerts in the Causality View
• Analyzing alerts in the Timeline View
• Lab
  • Investigate alerts in the Causality view
  • Investigate alerts in the Timeline view

Module 11 – Search and Investigate
• Building queries on raw data sets
• Managing scheduled and non-scheduled queries
• Lab
  • Build search queries of any type
  • Work on the results table
  • Manage queries in the Query Center
  • Work with scheduled queries

Module 12 – Basic Troubleshooting
• Troubleshooting methodologies and resources
• Troubleshooting tools for the Cortex XDR agent
  • cytool
  • Agent Identification
  • trapsd.log
• Working with Technical Support
  • Retrieve and analyse a support file
• Lab
  • Set the log level of the Cortex XDR agent
  • Add a trusted signer and verify the signer in the registry
  • Retrieve a Support File