Research a Known Threat

This topic describes what steps you can take to investigate a lead. A lead can be:
  • An alert from a non-Palo Alto Networks system with information relevant to endpoints or firewalls.
  • Information from online articles or other external threat intelligence that provides well-defined characteristics about the threat.
  • Users or hosts that have been reported as acting abnormally.
  1. Use the threat intelligence you have to build a query using Cortex XDR – Investigation and Response Query Builder.
    For example, if external threat intelligence indicates a confirmed threat that involves specific files or behaviors, search for those characteristics.
  2. View the Results of a Query and refine as needed to filter out noise.
  3. Select an event of interest, and open the Causality View.
    Review the chain of execution and data, navigate through the processes on the tree, and analyze the information.
  4. Open the Timeline View to view the sequence of events over time.
  5. Inspect the information again, and identify any characteristics you can use to create a BIOC rule.
    If you can create a BIOC rule, test and tune it, and then save it.
  6. For alerts from Traps sensors, view the original security event in your Traps management service instance.
    To pivot to an associated Traps management service instance, you must be assigned a role that enables you to manage the Traps management service instance from the Cortex hub.
    1. Right-click the alert and select View in TMS.
    2. Drill down into the security event details surrounding the event and modify policy rules or create exceptions as needed.
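
The steps above, worked through as an added example in Python (this is not Cortex XDR code and does not use its query language): a lead hash is queried against constructed endpoint process telemetry, the matching event's causality chain and host timeline are reconstructed from parent/child process links, and a behavioural rule derived from the chain is tested for hits before it would be saved. The event field names, the host and process names and the hash value are constructed placeholders, not real indicators.

```python
"""
Added example, not Cortex XDR code: a model of the investigation workflow
(query a lead, view causality, view timeline, derive and tune a BIOC rule)
over a constructed set of endpoint process events.

Assumed (hypothetical) event shape: ts, host, pid, ppid, process, cmdline, sha256.
"""
from datetime import datetime

# Constructed sample telemetry: one suspicious chain on ws01 plus benign noise.
EVENTS = [
    {"ts": "2023-01-01T10:00:00", "host": "ws01", "pid": 100, "ppid": 1,
     "process": "explorer.exe", "cmdline": "explorer.exe", "sha256": "explorer_hash"},
    {"ts": "2023-01-01T10:00:05", "host": "ws01", "pid": 200, "ppid": 100,
     "process": "winword.exe", "cmdline": "winword.exe invoice.docm", "sha256": "word_hash"},
    {"ts": "2023-01-01T10:00:09", "host": "ws01", "pid": 300, "ppid": 200,
     "process": "powershell.exe", "cmdline": "powershell.exe -enc AAAA", "sha256": "ps_hash"},
    {"ts": "2023-01-01T10:00:12", "host": "ws01", "pid": 400, "ppid": 300,
     "process": "dropper.exe", "cmdline": "dropper.exe", "sha256": "deadbeef00"},
    {"ts": "2023-01-01T10:01:00", "host": "ws01", "pid": 500, "ppid": 100,
     "process": "powershell.exe", "cmdline": "powershell.exe Get-Date", "sha256": "ps_hash"},
    {"ts": "2023-01-01T10:02:00", "host": "ws02", "pid": 600, "ppid": 1,
     "process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs", "sha256": "svc_hash"},
]

# Step 1: the lead. A constructed placeholder hash standing in for a
# file indicator taken from external threat intelligence (not a real IoC).
LEAD_HASHES = {"deadbeef00"}


def query(events, predicate):
    """Steps 1-2: run a query (a predicate) over telemetry and return the matches."""
    return [e for e in events if predicate(e)]


def causality_chain(events, pid):
    """Step 3: follow ppid links from the event of interest back to the root
    process, returning the chain root-first (what a causality tree shows)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def timeline(events, host):
    """Step 4: order one host's events by timestamp."""
    return sorted((e for e in events if e["host"] == host),
                  key=lambda e: datetime.fromisoformat(e["ts"]))


def bioc_office_spawns_encoded_powershell(events, e):
    """Step 5: a behavioural indicator read off the chain above: an Office
    process spawning PowerShell with an encoded command line."""
    by_pid = {x["pid"]: x for x in events}
    parent = by_pid.get(e["ppid"])
    return (e["process"].lower() == "powershell.exe"
            and "-enc" in e["cmdline"].lower().split()
            and parent is not None
            and parent["process"].lower() in {"winword.exe", "excel.exe", "powerpnt.exe"})


def tune_rule(events, rule):
    """Step 5 (test and tune): count hits across all telemetry so a noisy
    rule is visible before it is saved."""
    hits = [e for e in events if rule(events, e)]
    return {"hits": len(hits), "pids": [e["pid"] for e in hits]}


if __name__ == "__main__":
    lead = query(EVENTS, lambda e: e["sha256"] in LEAD_HASHES)
    for e in lead:
        print("chain:", " -> ".join(x["process"] for x in causality_chain(EVENTS, e["pid"])))
        print("timeline:", [(x["ts"], x["process"]) for x in timeline(EVENTS, e["host"])])
    print("rule tuning:", tune_rule(EVENTS, bioc_office_spawns_encoded_powershell))
```

The benign `powershell.exe Get-Date` launched from explorer.exe is the noise the rule must not match: the parent-process condition is what keeps the hit count at one, which is the kind of tuning step 5 calls for before a rule is saved.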