Research a Known Threat - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-10-01
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Cortex XDR enables you to investigate any threat, also referred to as a lead, which has been detected.

This topic describes what steps you can take to investigate a lead. A lead can be:

  • An alert from a non-Palo Alto Networks system with information relevant to endpoints or firewalls.

  • Information from online articles or other external threat intelligence provides well-defined characteristics of the threat.

  • Users or hosts that have been reported as acting abnormally.

  1. Use the threat intelligence you have to build a query using the Query Builder.

    For example, if external threat intelligence indicates a confirmed threat that involves specific files or behaviors, search for those characteristics.

  2. View the Results of a Query and refine as needed to filter out noise.Manage Your Queries

  3. Select an event of interest, and open the Causality View.

    Review the chain of execution and data, navigate through the processes on the tree, and analyze the information.

  4. Open the Timeline View to view the sequence of events over time.

  5. Inspect the information again, and identify any characteristics you can use to Create a BIOC Rule or Create a Correlation Rule.

    If you can create a BIOC or Correlation Rule, test and tune it as needed.