Cortex XDR: Prevention, Analysis, and Response (EDU-260)

• The technical curriculum developed and authorized by Palo Alto Networks and delivered by Palo Alto Networks Authorized Training Partners helps provide the knowledge and expertise that prepare you to protect our digital way of life. Our trusted certifications validate your knowledge of the Palo Alto Networks product portfolio and your ability to help prevent successful cyberattacks and safely enable applications.

Module 1 – Getting Started with Endpoint Protection

• Cortex XDR management console
• Main Elements
• Filtering
• Layout
• Agent installations
• Overview
• Create Installer and install
• Agent Console
• cytool
• Endpoints and endpoint groups
• Endpoint Administration
• Endpoint Group Administration
• Policy rules and profiles
• Policy Management Overview
• Profile types
• Agent settings
• Lab
• Create a Cortex XDR agent installation package for Windows
• Install Cortex XDR agent to a Windows endpoint
• Create static and dynamic endpoint groups
• Clone the default Agents Settings Profile and modify the settings
• Clone the default policy rule and modify the settings

Module 2 – Working with Cortex Apps

• Working with the Cortex apps
• Overview
• Customer Support Portal
• HUB
• Activation of Cortex XDR
• Lab
• Access the Cortex hub and explore the homepage
• Verify your Cortex XDR instance and your Cortex XDR application roles
• Access the Cortex XDR management console

Module 3 – Cortex XDR Family Overview

• Cyberattack vectors
• Cortex XDR features
• Cortex XDR offerings
• Lab
• Lab Overview
• Generate a PowerShell script, a payload, to demonstrate a reverse shell attack

Module 4 – Malware Protection

• Restrictions and Malware Profiles overview
• Restrictions Profiles
• Malware profiles overview flow
• Malware profiles flow
• Malware protection modules and their configurations
• Portable Executable and DLL Examination
• Office Files with Macros Examination – profile
• Behavioral Threat Protection
• Ransomware Protection
• Child Process Protection
• Endpoint Scanning
• Password Theft Protection
• Lab
• Create Restrictions Profiles and change the settings
• Create Malware Profiles and change the settings
• Work with Ransomware Protection
• Work with Behavioral Threat Protection

Module 5 – Exploit Protection

• Application exploit prevention
• Exploitation techniques and defence mechanisms
• Exploit protection modules and Exploit Profiles
• Overview
• Exploit Profiles
• Exploit protection in action
• Lab
• Initiate exploit attacks from Metasploit
• Describe the structure of a command-and-control server from the perspective of the attacker
• Create Exploit Profiles and change various settings

Module 6 – Exceptions and Response Actions

• Exceptions
• Global vs profile exceptions
• Process Exceptions
• Support Exceptions
• Behavioural & Digital Signer
• Actions overview
• Response actions
• Actions from Action Center
• Actions from Endpoint Administration
• Actions from Alerts Analysis
• Script Execution
• Lab
• Create process exceptions and hash exceptions
• Import security exceptions
• Terminate suspicious processes
• Isolate endpoints, and then cancel isolations
• Quarantine and then restore files
• Work with Action Center to perform actions and track action progress
• Using the browser’s developer console, verify the role of the
sign-in user
• Upload your custom Python script and then remotely execute it on the endpoint
• Work with the Live Terminal

Module 7 – Behavioral Threat Analysis

• Detection and Response use case
• Incident Analysis vs Data Research
• Incident Analysis
• Data Research
• Behavioral threat analysis
• Causality Analysis Engine
• Analytics Engine
• Lab
• Configure upload of the EED
• Analyze alerts with and without EED and compare the results
• Manage (stop, start, and query) the EED from the endpoint
• Trace the Agent log for the EED uploads

Module 8 – Cortex XDR Rules

• Working with BIOC rules
• Working with IOC rules and rules exceptions
• Lab
• Explore the BIOC and IOC pages
• Describe BIOC and IOC tables after examining the columns (field)
• Create and manage BIOC rules
• Create and manage IOC rules
• Create rules exceptions

Module 9 – Incident Management

• Alerts
• Overview
• Alert Actions
• Stitched vs non-stitched
• Incidents
• Incident List and actions
• Incident View
• Incident Administration
• External alerts
• Alert exclusion and starring policies
• Lab
• Manage incidents including change status and assign investigators
• Prioritize and close incidents
• View the incident details including alert breakdown, key assets and key artefacts
• Use the Cortex XDR API to send an external alert to Cortex XDR
• Create and manage alert starring policies
• Create and manage alert exclusion policies

Module 10 – Alert Analysis Views

• Motivation for advanced alert analysis
• Analyzing alerts in the Causality View
• Analyzing alerts in the Timeline View
• Lab
• Investigate alerts in the Causality view
• Investigate alerts in the Timeline view

Module 11 – Search and Investigate

• Building queries on raw data sets
• Managing scheduled and non-scheduled queries
• Lab
• Build search queries of any type
• Work on the results table
• Manage queries in the Query Center
• Work with scheduled queries

Module 12 – Basic Troubleshooting

• Troubleshooting methodologies and resources
• Troubleshooting tools for the Cortex XDR agent
• cytool
• Agent Identification
• trapsd.log
• Working with Technical Support
• retrieve and analyse support file
• Lab
• Set the log level of the Cortex XDR agent
• Add a trusted signer and verify the signer in the registry
• Retrieve a Support File

• Participants must be familiar with enterprise product deployment, networking, and security concepts.