Palo Alto Authorized Global Training Partner Logo

Cortex XDR Training

Prevention, Analysis and Response (EDU-260)

Palo Alto Networks Authorized Global Training Partner Logo

Award-winning live online course

Experienced Instructors

Virtual Labs Access

Video Recordings

Get a taste for the course by watching the video in this blog post where one of our instructors was teaching a sample module on Cortex XDR Incident Management at Palo Alto Networks Ignite conference.


The “Cortex XDR: Prevention, Analysis, and Response” (EDU-260) course covers the following content:

Getting Started with Endpoint Protection

Cortex XDR management console

  • Main Elements
  • Filtering
  • Layout

Agent installations

  • Overview
  • Create Installer and install
  • Agent Console
  • cytool

Endpoints and endpoint groups

  • Endpoint Administration
  • Endpoint Group Administration

Policy rules and profiles

  • Policy Management Overview
  • Profile types
  • Agent settings


  • Create a Cortex XDR agent installation package for Windows
  • Install Cortex XDR agent to a Windows endpoint
  • Create static and dynamic endpoint groups
  • Clone the default Agents Settings Profile and modify the settings
  • Clone the default policy rule and modify the settings

Working with the Cortex Apps

Working with the Cortex apps

  • Overview
  • Customer Support Portal
  • HUB

Activation of Cortex XDR


  • Access the Cortex hub and explore the homepage
  • Verify your Cortex XDR instance and your Cortex XDR application roles
  • Access the Cortex XDR management console

Cortex XDR Family Overview

Cyberattack vectors


Cortex XDR features


Cortex XDR offerings



  • Lab Overview
  • Generate a PowerShell script, a payload, to demonstrate a reverse shell attack

Malware Protection

Restrictions and Malware Profiles overview

  • Restrictions Profiles
  • Malware profiles overview flow
  • Malware profiles flow

Malware protection modules and their configurations

  • Portable Executable and DLL Examination
  • Office Files with Macros Examination – profile
  • Behavioral Threat Protection
  • Ransomware Protection
  • Child Process Protection
  • Endpoint Scanning
  • Password Theft Protection


  • Create Restrictions Profiles and change the settings
  • Create Malware Profiles and change the settings
  • Work with Ransomware Protection
  • Work with Behavioral Threat Protection

Exploit Protection

Application exploit prevention


Exploitation techniques and defence mechanisms


Exploit protection modules and Exploit Profiles

  • Overview
  • Exploit Profiles
  • Exploit protection in action


  • Initiate exploit attacks from Metasploit
  • Describe the structure of a command-and-control server from the perspective of the attacker
  • Create Exploit Profiles and change various settings

Exceptions and Response Actions


  • Global vs profile exceptions
  • Process Exceptions
  • Support Exceptions
  • Behavioural & Digital Signer

Actions overview


Response actions

  • Actions from Action Center
  • Actions from Endpoint Administration
  • Actions from Alerts Analysis

Script Execution



  • Create process exceptions and hash exceptions
  • Import security exceptions
  • Terminate suspicious processes
  • Isolate endpoints, and then cancel isolations
  • Quarantine and then restore files
  • Work with Action Center to perform actions and track action progress
  • Using the browser’s developer console, verify the role of the sign-in user
  • Upload your custom Python script and then remotely execute it on the endpoint
  • Work with the Live Terminal

Behavioral Threat Analysis

Detection and Response use case

  • Incident Analysis vs Data Research
  • Incident Analysis
  • Data Research

Behavioral threat analysis


Causality Analysis Engine


Analytics Engine



  • Configure upload of the EED
  • Analyze alerts with and without EED and compare the results
  • Manage (stop, start, and query) the EED from the endpoint
  • Trace the Agent log for the EED uploads

Cortex XDR Rules

Working with BIOC rules


Working with IOC rules and rules exceptions



  • Explore the BIOC and IOC pages
  • Describe BIOC and IOC tables after examining the columns (field)
  • Create and manage BIOC rules
  • Create and manage IOC rules
  • Create rules exceptions

Incident Management


  • Overview
  • Alert Actions
  • Stitched vs non-stitched


  • Incident List and actions
  • Incident View
  • Incident Administration

External alerts


Alert exclusion and starring policies



  • Manage incidents including change status and assign investigators
  • Prioritize and close incidents
  • View the incident details including alert breakdown, key assets and key artefacts
  • Use the Cortex XDR API to send an external alert to Cortex XDR
  • Create and manage alert starring policies
  • Create and manage alert exclusion policies

Alert Analysis Views

Motivation for advanced alert analysis

Analyzing alerts in the Causality View

Analyzing alerts in the Timeline View


  • Investigate alerts in the Causality view
  • Investigate alerts in the Timeline view

Search and Investigate

Building queries on raw data sets

Managing scheduled and non-scheduled queries


  • Build search queries of any type
  • Work on the results table
  • Manage queries in the Query Center
  • Work with scheduled queries

Basic Troubleshooting

Troubleshooting methodologies and resources


Troubleshooting tools for the Cortex XDR agent

  • cytool
  • Agent Identification
  • trapsd.log

Working with Technical Support

  • retrieve and analyse support file


  • Set the log level of the Cortex XDR agent
  • Add a trusted signer and verify the signer in the registry
  • Retrieve a Support File
Palo Alto Training Excellence Award
Palo Alto Networks Online Training

Experience & Passion

The difference is made by our instructors who have many years of field experience which they bring with them into the classroom

Palo Alto Authorized Global Training Partner Logo

“All of my guys enjoyed and valued this course to the maximum.
You will simply love it”

Kamil Golombek at PWC

Kamil Golombek

NIS Cyber Defence Security Perimeter EMEA