Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Security Operations
Cortex XDR
Cortex® XDR Pro Administrator’s Guide
Investigation and Response
Cortex XDR Rules
Working with BIOCs
Manage Global BIOC Rules

Last Updated:

Jun 28, 2022

Table of Contents

Search the Table of Contents

copyright

Cortex XDR Overview

Cortex XDR Architecture

Cortex XDR Concepts

Cortex XDR Licenses

Features by Cortex XDR License Type

Cortex XDR Endpoint Agent License Allocation

Cortex XDR License Expiration

Cortex XDR License Monitoring

Migrate Your Cortex XDR License

Get Started with Cortex XDR Pro

Setup Overview

Plan Your Cortex XDR Deployment

Deploy your Network Devices

Activate Cortex XDR

Manage User Roles

Permission Management

Access Management

Manage Users

Manage Roles

Manage User Groups

Predefined User Roles for Cortex XDR

XDR Account Admin

Instance Administrator

Deployment Admin

Investigator

Investigation Admin

Responder

Privileged Investigator

Privileged Responder

IT Admin

Privileged IT Admin

Privileged Security Admin

Viewer

Scoped Endpoint Admin

Security Admin

Manage User Scope

Set Up Cloud Identity Engine

Manage Your Log Storage within Cortex XDR

Set up Endpoint Protection

Plan Your Agent Deployment

Enable Access to Cortex XDR

Resources Required to Enable Access to Cortex XDR

Proxy Communication

Configure Your Network Devices

Set up Network Analysis

Configure Cortex XDR

Integrate External Threat Intelligence Services

Set up Your Cortex Environment

Set up Outbound Integration

Use the Interface

Manage Tables

Endpoint Security

Endpoint Security Concepts

Cortex XDR versus Traditional Endpoint Protection

File Analysis and Protection Flow

Endpoint Protection Capabilities

Endpoint Protection Modules

Manage Cortex XDR Agents

Create an Agent Installation Package

Set an Application Proxy for Cortex XDR Agents

Move Cortex XDR Agents Between Managing XDR Servers

Upgrade Cortex XDR Agents

Set aCortex XDR Agent Critical Environment Version

Delete Cortex XDR Agents

Uninstall the Cortex XDR Agent

Set an Alias for an Endpoint

Manage Endpoint Tags

Manage Agent Tokens

Define Endpoint Groups

About Content Updates

Endpoint Security Profiles

Add a New Exploit Security Profile

Processes Protected by Exploit Security Policy

Add a New Malware Security Profile

WildFire® Analysis Concepts

Add a New Restrictions Security Profile

Manage Endpoint Security Profiles

Customizable Agent Settings

Add a New Agent Settings Profile

Configure Global Agent Settings

Endpoint Data Collected by Cortex XDREndpoint Data Collection

Apply Security Profiles to Endpoints

Exceptions Security Profiles

Add a New Exceptions Security Profile

Add a Global Endpoint Policy Exception

Hardened Endpoint Security

Device Control

Host Firewall

Host Firewall for Windows

Host Firewall for macOS

Disk Encryption

Host Inventory

Vulnerability Assessment

Investigation and Response

Cortex XDR Rules

Working with BIOCs

BIOC Rule Details

Create a BIOC Rule

Manage Global BIOC Rules

Working with IOCs

IOC Rule Details

Create an IOC Rule

Working with Correlation Rules

Correlation Rule Details

Create a Correlation Rule

Manage Existing Indicators

Search Queries

Cortex XDR Query Builder

XQL Search

Create an XQL Query

Translate to XQL

Manage Your Personal Query Library

Visualize Query Results

Create a File Query

Create a Process Query

Create a Network Query

Create an Image Load Query

Create a Registry Query

Create an Event Log Query

Create a Network Connections Query

Create an Authentication Query

Query Across All Entities

Query Center

Manage Your Queries

Quick Launcher

Scheduled Queries

Manage Scheduled Queries

Research a Known Threat

Investigate Incidents

Incidents

External Integrations

Manage Incident Starring

Create an Incident Scoring Rule

Triage Incidents

Manage Incidents

Investigate Artifacts and Assets

Investigate an IP Address

Investigate an Asset

Investigate a File and Process Hash

Investigate a User

Investigate Alerts

Alerts

Triage Alerts

Manage Alerts

Alert Exclusions

Add an Alert Exclusion Policy

Causality View

Network Causality View

Cloud Causality View

Timeline View

Analytics Alert View

Investigate Endpoints

Action Center

Manage Endpoint Actions

View Details About an Endpoint

Retrieve Files from an Endpoint

Retrieve Support Logs from an Endpoint

Scan an Endpoint for Malware

Investigate Files

Manage File Execution

Manage Quarantined Files

Review WildFire® Analysis Details

Import File Hash Exceptions

Forensic Data Analysis

Forensics Add-on Options

Response Actions

Initiate a Live Terminal Session

Isolate an Endpoint

Pause Endpoint Protection

Remediate Changes from Malicious Activity

Run Scripts on an Endpoint

Search and Destroy Malicious Files

Manage External Dynamic Lists

Broker VM

Broker VM Overview

Set up Broker VM

Configure the Broker VM

Create a Broker VM Amazon Machine Image (AMI)

Create a Broker VM Azure Image

Set up the Broker VM on Google Cloud Platform (GCP)

Create a Broker VM Image for Alibaba Cloud

Create a Broker VM Image for a Nutanix Hypervisor

Create a Broker VM Image for Ubuntu

Activate the Local Agent Settings

Activate the Syslog Collector

Activate the Apache Kafka Collector

Activate the CSV Collector

Activate the Database Collector

Activate the Files and Folders Collector

Activate the FTP Collector

Activate the NetFlow Collector

Activate the Network Mapper

Activate Pathfinder™

Activate the Windows Event Collector

Activate the Windows Event Collector on Windows Core

Renew WEC Certificates

Manage Your Broker VMs

View Broker VM Details

Edit Your Broker VM Configuration

Collect Broker VM Logs

Reboot a Broker VM

Shut Down a Broker VM

Upgrade a Broker VM

Open a Remote Terminal

Remove a Broker VM

Broker VM Notifications

Cortex XDR Collectors

Collector Machine Requirements and Supported Operating Systems

Resources Required to Enable Access to Cortex XDR Collectors

Configure the Cortex XDR Collector Upgrade Scheduler

Manage XDR Collectors

Create a XDR Collector Installation Package

Install the XDR Collector Installation Package for Windows

Install the XDR Collector on Windows Using the MSI

Install the XDR Collector on Windows Using Msiexec

Install the XDR Collector Installation Package for Linux

XDR Collectors Installation Resource for Windows and Linux

Set an Application Proxy for XDR Collectors

Upgrade XDR Collectors

Uninstall the XDR Collector

Set an Alias for a Collector Machine

Define Collector Machine Groups

About XDR Collector Content Updates

Add a XDR Collector Profile

Ingest Logs from Windows DHCP using Elasticsearch Filebeat

Apply Profiles to Collection Machine Policies

XDR Collector Datasets

External Data Ingestion

External Data Ingestion Vendor Support

Visibility of Logs and Alerts from External Sources in Cortex XDR

Ingest Network Connection Logs

Ingest Network Flow Logs from Amazon S3

Create an Assumed Role for Cortex XDR

Configure Data Collection from Amazon S3 Manually

Ingest Logs from Check Point Firewalls

Ingest Logs from Cisco ASA Firewalls

Ingest Logs from Corelight Zeek

Ingest Logs from Fortinet Fortigate Firewalls

Ingest Logs and Data from a GCP Pub/Sub

Ingest Logs from Microsoft Azure Event Hub

Ingest Network Flow Logs from Microsoft Azure Network Watcher

Ingest Logs and Data from Okta

Ingest Logs from Windows DHCP using Elasticsearch Filebeat

Ingest Logs from Zscaler Cloud Firewall

Ingest Authentication Logs and Data

Ingest Audit Logs from AWS Cloud Trail

Ingest Logs from Microsoft Azure Event Hub

Ingest Logs and Data from a GCP Pub/Sub

Ingest Logs and Data from Google Workspace

Ingest Logs from Microsoft Office 365

Ingest Logs and Data from Okta

Ingest Authentication Logs from PingFederate

Ingest Authentication Logs and Data from PingOne

Ingest Operation and System Logs from Cloud Providers

Ingest Alerts from Prisma Cloud

Ingest Alerts from Prisma Cloud Compute

Ingest Generic Logs from Amazon S3

Ingest Generic Logs from AWS CloudTrail and Amazon CloudWatch

Ingest Logs and Data from a GCP Pub/Sub

Ingest Logs from Google Kubernetes Engine

Ingest Logs from Microsoft Azure Event Hub

Ingest Logs and Data from Okta

Ingest Cloud Assets

Ingest Cloud Assets from AWS

Ingest Cloud Assets from Google Cloud Platform

Ingest Cloud Assets from Microsoft Azure

Additional Log Ingestion Methods for Cortex XDR

Ingest Logs from a Syslog Receiver

Ingest Apache Kafka Events as Datasets

Ingest CSV Files as Datasets

Ingest Database Data as Datasets

Ingest Logs in a Network Share as Datasets

Ingest FTP Files as Datasets

Ingest NetFlow Flow Records as Datasets

Set up an HTTP Log Collector to Receive Logs

Ingest Logs from BeyondTrust Privilege Management Cloud

Ingest Logs from Elasticsearch Filebeat

Ingest Logs from Forcepoint DLP

Ingest Alerts and Assets from PAN IoT Security

Ingest Logs from Proofpoint Targeted Attack Protection

Ingest Data from ServiceNow CMDB

Ingest Report Data from Workday

Ingest External Alerts

Data Management

Dataset Management

Manage Datasets

Create Parsing Rules

Parsing Rules Editor Views

Parsing Rules File Structure and Syntax

INGEST

COLLECT

CONST

RULE

Error Reporting in Parsing Rules

Parsing Rules Raw Dataset

Manage Event Forwarding

Endpoints Event Forwarding - Exported Event Types

Manage Compute Units Usage

Analytics

Analytics Concepts

Asset Management

Network Configuration

Configure Your Network Parameters

Vulnerability Assessment

Manage User Scores

Asset Inventory

All Assets

Specific Assets

Cloud Inventory Assets

All Cloud Assets

Specific Cloud Assets

Manage Your Cloud Inventory Assets

Monitoring

Cortex XDR Dashboard

Dashboard Widgets

Manage Your Widget Library

Predefined Dashboards

Build a Custom Dashboard

Manage Dashboards

Run or Schedule Reports

Monitor Cortex XDRXSIAM Incidents

Monitor Cortex Gateway Management Activity

Monitor Administrative Activity

Monitor Agent Activity

Monitor Agent Operational Status

Log Forwarding

Log Forwarding Data Types

Integrate Slack for Outbound Notifications

Integrate a Syslog Receiver

Configure Notification Forwarding

Cortex XDRXSIAM Log Notification Formats

Management Audit Log Messages

Alert Notification Format

Agent Audit Log Notification Format

Management Audit Log Notification Format

Cortex XDR Log Format for IOC and BIOC Alerts

Cortex XDR Analytics Log Format

Cortex XDR Log Formats

Managed Security

About Managed Security

Cortex XDR Managed Security Access Requirements

Switch to a Different Tenant

Pair a Parent Tenant with Child Tenant

Manage a Child Tenant

Track your Tenant Management

Investigate Child Tenant Data

Create and Allocate Configurations

Create a Security Managed Action

About Managed Threat Hunting

Set up Managed Threat Hunting

Investigate Managed Threat Hunting Reports

copyright
Cortex XDR Overview
Get Started with Cortex XDR Pro
Endpoint Security
Investigation and Response
Broker VM
Cortex XDR Collectors
External Data Ingestion
Data Management
Analytics
- Analytics Concepts
Asset Management
Monitoring
Log Forwarding
Managed Security

Document:Cortex® XDR Pro Administrator’s Guide

Manage Global BIOC Rules

Last Updated:

Jun 28, 2022

Table of Contents

Search the Table of Contents

copyright

Cortex XDR Overview

Cortex XDR Architecture

Cortex XDR Concepts

Cortex XDR Licenses

Features by Cortex XDR License Type

Cortex XDR Endpoint Agent License Allocation

Cortex XDR License Expiration

Cortex XDR License Monitoring

Migrate Your Cortex XDR License

Get Started with Cortex XDR Pro

Setup Overview

Plan Your Cortex XDR Deployment

Deploy your Network Devices

Activate Cortex XDR

Manage User Roles

Permission Management

Access Management

Manage Users

Manage Roles

Manage User Groups

Predefined User Roles for Cortex XDR

XDR Account Admin

Instance Administrator

Deployment Admin

Investigator

Investigation Admin

Responder

Privileged Investigator

Privileged Responder

IT Admin

Privileged IT Admin

Privileged Security Admin

Viewer

Scoped Endpoint Admin

Security Admin

Manage User Scope

Set Up Cloud Identity Engine

Manage Your Log Storage within Cortex XDR

Set up Endpoint Protection

Plan Your Agent Deployment

Enable Access to Cortex XDR

Resources Required to Enable Access to Cortex XDR

Proxy Communication

Configure Your Network Devices

Set up Network Analysis

Configure Cortex XDR

Integrate External Threat Intelligence Services

Set up Your Cortex Environment

Set up Outbound Integration

Use the Interface

Manage Tables

Endpoint Security

Endpoint Security Concepts

Cortex XDR versus Traditional Endpoint Protection

File Analysis and Protection Flow

Endpoint Protection Capabilities

Endpoint Protection Modules

Manage Cortex XDR Agents

Create an Agent Installation Package

Set an Application Proxy for Cortex XDR Agents

Move Cortex XDR Agents Between Managing XDR Servers

Upgrade Cortex XDR Agents

Set aCortex XDR Agent Critical Environment Version

Delete Cortex XDR Agents

Uninstall the Cortex XDR Agent

Set an Alias for an Endpoint

Manage Endpoint Tags

Manage Agent Tokens

Define Endpoint Groups

About Content Updates

Endpoint Security Profiles

Add a New Exploit Security Profile

Processes Protected by Exploit Security Policy

Add a New Malware Security Profile

WildFire® Analysis Concepts

Add a New Restrictions Security Profile

Manage Endpoint Security Profiles

Customizable Agent Settings

Add a New Agent Settings Profile

Configure Global Agent Settings

Endpoint Data Collected by Cortex XDREndpoint Data Collection

Apply Security Profiles to Endpoints

Exceptions Security Profiles

Add a New Exceptions Security Profile

Add a Global Endpoint Policy Exception

Hardened Endpoint Security

Device Control

Host Firewall

Host Firewall for Windows

Host Firewall for macOS

Disk Encryption

Host Inventory

Vulnerability Assessment

Investigation and Response

Cortex XDR Rules

Working with BIOCs

BIOC Rule Details

Create a BIOC Rule

Manage Global BIOC Rules

Working with IOCs

IOC Rule Details

Create an IOC Rule

Working with Correlation Rules

Correlation Rule Details

Create a Correlation Rule

Manage Existing Indicators

Search Queries

Cortex XDR Query Builder

XQL Search

Create an XQL Query

Translate to XQL

Manage Your Personal Query Library

Visualize Query Results

Create a File Query

Create a Process Query

Create a Network Query

Create an Image Load Query

Create a Registry Query

Create an Event Log Query

Create a Network Connections Query

Create an Authentication Query

Query Across All Entities

Query Center

Manage Your Queries

Quick Launcher

Scheduled Queries

Manage Scheduled Queries

Research a Known Threat

Investigate Incidents

Incidents

External Integrations

Manage Incident Starring

Create an Incident Scoring Rule

Triage Incidents

Manage Incidents

Investigate Artifacts and Assets

Investigate an IP Address

Investigate an Asset

Investigate a File and Process Hash

Investigate a User

Investigate Alerts

Alerts

Triage Alerts

Manage Alerts

Alert Exclusions

Add an Alert Exclusion Policy

Causality View

Network Causality View

Cloud Causality View

Timeline View

Analytics Alert View

Investigate Endpoints

Action Center

Manage Endpoint Actions

View Details About an Endpoint

Retrieve Files from an Endpoint

Retrieve Support Logs from an Endpoint

Scan an Endpoint for Malware

Investigate Files

Manage File Execution

Manage Quarantined Files

Review WildFire® Analysis Details

Import File Hash Exceptions

Forensic Data Analysis

Forensics Add-on Options

Response Actions

Initiate a Live Terminal Session

Isolate an Endpoint

Pause Endpoint Protection

Remediate Changes from Malicious Activity

Run Scripts on an Endpoint

Search and Destroy Malicious Files

Manage External Dynamic Lists

Broker VM