EDU-262 Cortex™ XDR: Investigation and Response


  • Duration: 2 days
  • Price: $1500 USD

This instructor-led course teaches you how to use the Incidents pages of the Cortex XDR management console to investigate attacks. It explains causality chains, detectors in the Analytics Engine, alerts versus logs, log stitching, and the concepts of causality and analytics.
You will learn how to analyze alerts using the Causality and Timeline Views and how to use advanced response actions, such as remediation suggestions, the EDL service, and remote script execution.
Multiple modules focus on how to leverage the collected data. You will create simple search queries in one module and XDR rules in another. The course demonstrates how to use specialized investigation views to visualize artifact-related data, such as IP and Hash Views. Additionally, it provides an introduction to XDR Query Language (XQL). The course concludes with Cortex XDR external-data collection capabilities, including the use of Cortex XDR API to receive external alerts.

  • Cybersecurity analysts and engineers
  • Security operations specialists

Participants must have completed EDU-260 (Cortex XDR: Prevention and Deployment).

1 – Cortex XDR Incidents
2 – Causality and Analytics Concepts
3 – Causality Analysis of Alerts
4 – Advanced Response Actions
5 – Building Search Queries
6 – Building XDR Rules
7 – Cortex XDR Assets
8 – Introduction to XQL
9 – External Data Collection

  • Level: Advanced
  • Duration: 2 days
  • Format: Lecture and hands-on labs
  • Platform support: Cortex XDR Pro per Endpoint

The technical curriculum developed and authorized by Palo Alto Networks and delivered by Palo Alto Networks Authorized Training Partners helps provide the knowledge and expertise that prepare you to protect our digital way of life. Our trusted certifications validate your knowledge of the Palo Alto Networks product portfolio and your ability to help prevent successful cyberattacks, safely enable applications, and automate effective responses to security events.
