EDU-260 Cortex XDR: Prevention and Deployment
- Duration: 3 days
- Price: $2200 USD
This course is three days of instructor-led training that will help you to:
- Differentiate the architecture and components of Cortex XDR
- Describe the threat prevention concepts for endpoint protection
- Work with the Cortex XDR management console
- Differentiate exploit and malware attacks and describe how Cortex XDR blocks them
- Perform appropriate response actions
- Describe the Cortex XDR causality analysis and analytics concepts
- Triage and investigate alerts, and manage incidents
- Manage Cortex XDR rules and investigate threats through the Query Center
- Audience: Cybersecurity analysts and security operations specialists
- Prerequisites: Participants must be familiar with enterprise security concepts.
- Getting Started With Endpoint Protection
  - Cortex XDR management console
    - Main Elements
    - Filtering
    - Layout
  - Agent installations
    - Overview
    - Create Installer and install
    - Agent Console
    - cytool
  - Endpoints and endpoint groups
    - Endpoint Administration
    - Endpoint Group Administration
  - Policy rules and profiles
    - Policy Management Overview
    - Profile types
    - Agent settings
  - Lab
    - Create a Cortex XDR agent installation package for Windows
    - Install Cortex XDR agent to a Windows endpoint
    - Create static and dynamic endpoint groups
    - Clone the default Agents Settings Profile and modify the settings
    - Clone the default policy rule and modify the settings
- Working with the Cortex Apps
  - Working with the Cortex apps
    - Overview
    - Customer Support Portal
    - HUB
    - Activation of Cortex XDR
  - Lab
    - Access the Cortex hub and explore the homepage
    - Verify your Cortex XDR instance and your Cortex XDR application roles
    - Access the Cortex XDR management console
- Cortex XDR Family Overview
  - Cyberattack vectors
  - Cortex XDR features
  - Cortex XDR offerings
  - Lab
    - Lab Overview
    - Generate a PowerShell script, a payload, to demonstrate a reverse shell attack
- Malware Protection
  - Restrictions and Malware Profiles overview
    - Restrictions Profiles
    - Malware profiles overview flow
    - Malware profiles flow
  - Malware protection modules and their configurations
    - Portable Executable and DLL Examination
    - Office Files with Macros Examination profile
    - Behavioral Threat Protection
    - Ransomware Protection
    - Child Process Protection
    - Endpoint Scanning
    - Password Theft Protection
  - Lab
    - Create Restrictions Profiles and change the settings
    - Create Malware Profiles and change the settings
    - Work with Ransomware Protection
    - Work with Behavioral Threat Protection
- Exploit Protection
  - Application exploit prevention
    - Exploitation techniques and defence mechanisms
  - Exploit protection modules and Exploit Profiles
    - Overview
    - Exploit Profiles
    - Exploit protection in action
  - Lab
    - Initiate exploit attacks from Metasploit
    - Describe the structure of a command-and-control server from the perspective of the attacker
    - Create Exploit Profiles and change various settings
- Exceptions and Response Actions
  - Exceptions
    - Global vs profile exceptions
    - Process Exceptions
    - Support Exceptions
    - Behavioural & Digital Signer
  - Actions overview
    - Response actions
    - Actions from Action Center
    - Actions from Endpoint Administration
    - Actions from Alerts Analysis
    - Script Execution
  - Lab
    - Create process exceptions and hash exceptions
    - Import security exceptions
    - Terminate suspicious processes
    - Isolate endpoints, and then cancel isolations
    - Quarantine and then restore files
    - Work with Action Center to perform actions and track action progress
    - Using the browser's developer console, verify the role of the signed-in user
    - Upload your custom Python script and then remotely execute it on the endpoint
    - Work with the Live Terminal
- Behavioral Threat Analysis
  - Detection and Response use case
    - Incident Analysis vs Data Research
    - Incident Analysis
    - Data Research
  - Behavioral threat analysis
    - Causality Analysis Engine
    - Analytics Engine
  - Lab
    - Configure upload of the EED
    - Analyze alerts with and without EED and compare the results
    - Manage (stop, start, and query) the EED from the endpoint
    - Trace the Agent log for the EED uploads
- Cortex XDR Rules
  - Working with BIOC rules
  - Working with IOC rules and rules exceptions
  - Lab
    - Explore the BIOC and IOC pages
    - Describe BIOC and IOC tables after examining the columns (fields)
    - Create and manage BIOC rules
    - Create and manage IOC rules
    - Create rules exceptions
- Incident Management
  - Alerts
    - Overview
    - Alert Actions
    - Stitched vs non-stitched
  - Incidents
    - Incident List and actions
    - Incident View
    - Incident Administration
    - External alerts
    - Alert exclusion and starring policies
  - Lab
    - Manage incidents, including changing status and assigning investigators
    - Prioritize and close incidents
    - View the incident details, including alert breakdown, key assets and key artefacts
    - Use the Cortex XDR API to send an external alert to Cortex XDR
    - Create and manage alert starring policies
    - Create and manage alert exclusion policies
- Alert Analysis Views
  - Motivation for advanced alert analysis
  - Analyzing alerts in the Causality View
  - Analyzing alerts in the Timeline View
  - Lab
    - Investigate alerts in the Causality view
    - Investigate alerts in the Timeline view
- Search and Investigate
  - Building queries on raw data sets
  - Managing scheduled and non-scheduled queries
  - Lab
    - Build search queries of any type
    - Work on the results table
    - Manage queries in the Query Center
    - Work with scheduled queries
- Basic Troubleshooting
  - Troubleshooting methodologies and resources
  - Troubleshooting tools for the Cortex XDR agent
    - cytool
    - Agent Identification
    - Logs
  - Working with Technical Support
    - Retrieve and analyse a support file
  - Lab
    - Set the log level of the Cortex XDR agent
    - Add a trusted signer and verify the signer in the registry
    - Retrieve a Support File
- Level: Intermediate
- Format: Lecture and hands-on labs
- Platform support: Palo Alto Networks Cortex XDR Pro per endpoint and Pro per TB