Research a Known Threat
Starting points for researching a known threat include:
- An alert from a non-Palo Alto Networks system with information relevant to endpoints or firewalls.
- Information from online articles or other external threat intelligence that provides well-defined characteristics of the threat.
- Users or hosts that have been reported as acting abnormally.
Use the following workflow to research the threat:
- Use the threat intelligence you have to build a query with the Cortex XDR – Investigation and Response Query Builder. For example, if external threat intelligence indicates a confirmed threat that involves specific files or behaviors (such as a file hash or a parent-child process relationship), search for those characteristics.
- View the results of the query and refine it as needed to filter out noise. See Modify a Query.
- Select an event of interest and open the Causality View. Review the chain of execution and data, navigate through the processes on the tree, and analyze the information.
- Open the Timeline View to see the sequence of events over time.
- Inspect the information again and identify any characteristics you can use to create a BIOC rule. If you can create a BIOC rule, test and tune it, and then save it.
- For alerts from Traps sensors, view the original security event in your Traps management service instance. To pivot to an associated Traps management service instance, you must be assigned a role that enables you to manage that instance from the Cortex hub.
  - Right-click the alert and select View in TMS.
  - Drill down into the security event details surrounding the event, and modify policy rules or create exceptions as needed.
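The workflow above runs in the Cortex XDR console. The script below is an added illustration, not Cortex XDR code and not its API, that models the same steps over a handful of constructed endpoint process events: filter on an indicator from threat intelligence (a known hash), walk the causality chain through parent PIDs, order it on a timeline, and then express what was observed as a BIOC-style rule that matches on behavior (parent image, child image, command-line pattern) rather than on the hash. The event fields, the placeholder hashes, and the rule regexes are assumptions made for the example; the point it shows is that the hash query finds one host while the behavioral rule also catches a second host running a differently hashed payload, and ignores a benign PowerShell launch.

```python
"""Added illustration of the research-then-BIOC workflow (not Cortex XDR's code or API)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    ts: int          # constructed timestamp, seconds
    host: str
    pid: int
    ppid: int
    image: str       # process image name
    cmdline: str
    sha256: str      # placeholder hash, not a real indicator


# Constructed sample telemetry (hypothetical hosts, PIDs and hashes).
KNOWN_BAD_SHA256 = "a" * 64   # the hash the external threat intelligence gave us
EVENTS = [
    ProcessEvent(100, "host-a", 100, 1, "explorer.exe", "explorer.exe", "e" * 64),
    ProcessEvent(110, "host-a", 200, 100, "winword.exe", 'winword.exe /n "invoice.docm"', "w" * 64),
    ProcessEvent(112, "host-a", 300, 200, "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", KNOWN_BAD_SHA256),
    ProcessEvent(120, "host-a", 400, 100, "powershell.exe", "powershell.exe Get-Process", "p" * 64),
    ProcessEvent(200, "host-b", 110, 1, "explorer.exe", "explorer.exe", "e" * 64),
    ProcessEvent(210, "host-b", 210, 110, "excel.exe", 'excel.exe "q3.xlsm"', "x" * 64),
    ProcessEvent(213, "host-b", 310, 210, "cmd.exe",
                 "cmd.exe /c powershell -w hidden -enc SQBFAFgA", "c" * 64),   # same behavior, new hash
]


def query(events, *, sha256=None, image=None, cmdline_regex=None):
    """Step 1: filter events on the characteristics the threat intelligence provides."""
    hits = []
    for e in events:
        if sha256 and e.sha256 != sha256:
            continue
        if image and e.image.lower() != image.lower():
            continue
        if cmdline_regex and not re.search(cmdline_regex, e.cmdline, re.I):
            continue
        hits.append(e)
    return hits


def causality_chain(events, event):
    """Step 3: walk parent PIDs on the same host back to the root of the tree; root first."""
    by_key = {(e.host, e.pid): e for e in events}
    chain, seen, cur = [event], {(event.host, event.pid)}, event
    while (cur.host, cur.ppid) in by_key and (cur.host, cur.ppid) not in seen:
        cur = by_key[(cur.host, cur.ppid)]
        seen.add((cur.host, cur.pid))
        chain.append(cur)
    return list(reversed(chain))


def timeline(events):
    """Step 4: order events chronologically."""
    return sorted(events, key=lambda e: (e.ts, e.host, e.pid))


@dataclass(frozen=True)
class BiocRule:
    """Step 5: a behavioral rule on parent image, child image and command line; no hashes."""
    name: str
    parent_image: str   # regex
    child_image: str    # regex
    cmdline: str        # regex

    def matches(self, events):
        by_key = {(e.host, e.pid): e for e in events}
        hits = []
        for e in events:
            parent = by_key.get((e.host, e.ppid))
            if parent is None:
                continue
            if (re.search(self.parent_image, parent.image, re.I)
                    and re.search(self.child_image, e.image, re.I)
                    and re.search(self.cmdline, e.cmdline, re.I)):
                hits.append(e)
        return hits


# Hypothetical rule derived from the causality chain seen on host-a.
OFFICE_SPAWNS_ENCODED_SHELL = BiocRule(
    name="Office application spawns shell with encoded PowerShell command",
    parent_image=r"^(winword|excel|powerpnt)\.exe$",
    child_image=r"^(powershell|cmd)\.exe$",
    cmdline=r"(^|\s)-(e|enc|encodedcommand)\b",
)


if __name__ == "__main__":
    hash_hits = query(EVENTS, sha256=KNOWN_BAD_SHA256)
    for e in timeline(causality_chain(EVENTS, hash_hits[0])):
        print(e.ts, e.host, e.pid, e.image, e.cmdline)
    for e in OFFICE_SPAWNS_ENCODED_SHELL.matches(EVENTS):
        print("BIOC hit:", e.host, e.pid, e.cmdline)
```

Tuning the rule is the same exercise as refining the query: widen or narrow the three regexes until the known-bad chain still matches and the benign `powershell.exe Get-Process` launched from Explorer does not.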