Palo Alto Authorized Global Training Partner Logo

Cortex XSOAR Training

Automation and Orchestration (EDU-380)


The “Cortex XSOAR Automation and Orchestration” (EDU-380) course covers the following content:

Course Overview

  • Welcome and introductions
  • Intended audience and course focus
  • Course objectives, modules, and exam
  • Certification information and Beacon tasks
  • Lab topology

Core Functionality and Feature Sets

Extended security orchestration, automation, and response

  • Product pillars
  • High-level flow logic
  • Use case development

Cortex XSOAR Initial Discovery Lab

  • Log in to the lab environment
  • Create two new user accounts
  • Explore the War Room
  • Explore the Marketplace and install content packs
  • Explore the web interface of Cortex XSOAR

XSOAR Integrations

Event sources, investigation resources, and response targets

  • Integration concepts
  • Types of integrations
  • Installation and configuration
  • Integration controls

Integrations Lab

  • Configure the basic integrations
  • Configure the urlscan.io integration
  • Configure the VirusTotal integration
  • Configure custom integrations
  • Test the integrations
  • Review the indicators
  • Prepare for the next lab

Playbooks

Point-and-click scripting ... and beyond

  • Engineer resources
  • Playbook functions
  • Indicator extraction

Incidents Investigation Lab

  • Select an incident
  • Case Info tab
  • Investigation tab
  • War Room tab
  • Work Plan tab
  • Mark as Evidence
  • Collaboration
  • Evidence Board tab

Classification & Mapping

Apply an Incident Type and write event data to XSOAR fields.

  • Process flow
  • Integration configuration and generation
  • Classification
  • Mapping

Classification and Mapping Lab

  • Create an Incident Classifier
  • Create a new Incident Mapper
  • Map data to the Detected IPs field
  • Map data to the Detected User field
  • Map data to the File MD5 field
  • Test the Mapping Rule

Layout Builder

Display data that analysts want to see in a format that’s easy to use.

  • Layouts and system logic
  • Access to the Layout Builder
  • Using the Layout Builder
  • Best practices

Incidents Layout Configuration Lab

  • Create a new incident type
  • Create a new field
  • Define the Incident Layout
  • Update the new Incident Layout
  • Test the layout

Solution Architecture

Multiserver configurations for cloud hosting, dev-prod, and high availability

  • Basic topologies
  • Scalability
  • Dev-prod
  • Log files

Docker

How XSOAR uses it and how you can customize its use

  • Docker basics
  • System use of Docker
  • Hardening and use of custom images

Pre-Process Rules Lab

  • Create the pre-processing rule
  • Verify the results

Automation Development & Debugging

Automation scripts perform narrowly defined, focused tasks

  • Automation concepts
  • Writing automations

Build a Playbook Lab

  • Create a new incident
  • Create a custom playbook
  • Test the playbook in the Work Plan
  • Continue the playbook creation

The Marketplace and Content Management

Content packs, what is inside them, and what may be outside ...

  • Platform content and the Marketplace
  • Custom content

Indicators and Threat Intelligence Management

Take command of observable indicators and threat intel feeds

  • Indicator management
  • Auto extraction
  • Threat Intelligence Management

Add SaaS Applications to a Firewall Allow List Lab

  • Configure the Office 365 feed
  • Configure the Instance Execute External setting
  • Configure the Palo Alto Networks firewall integration
  • Populate and test the PANW EDL Service integration
  • Configure the firewall to get the EDL (Optional)

Block and/or Alert on Observable Known Threats Lab

  • Configure threat-feed integrations
  • Create a job for indicator analysis
  • Business-partner and internal lists
  • Test the functionality of the list
  • Configure the PANW EDL Service to get configured Threat Feeds
  • Verify that the EDL operates as expected
  • Configure the firewall to get the EDL (Optional)

Jobs and Job Scheduling

A job is a scheduled one-time or recurring incident

  • Job concepts
  • Create and edit jobs
  • Monitor and manage jobs

Lists Lab

  • Set up the webserver
  • Create a list
  • Create a playbook
  • Test your playbook

Jobs Lab

  • Create a new job

Users and Role-Based Access Controls (RBAC)

Use RBAC settings to limit access to system functions

  • Local User Accounts
  • Network User Accounts
  • RBAC Settings
  • Troubleshooting

Users and RBAC Lab

  • Create roles
  • Assign roles
  • Create a playbook to assign roles
  • Assign a default playbook to incident types
  • Review your classification and pre-processing rules
  • Test your role assignment

Custom Widgets and Shifts Lab

  • Create some new users
  • Create shift roles
  • Create an automation script for a widget
  • Create a new dashboard and add a widget

Integration Development

Bring your own integration! (BYOI)

  • BYOI concepts
  • Best practices

Experience & Passion

The difference is made by our instructors, who bring many years of field experience with them into the classroom.

“All of my guys enjoyed and valued this course to the maximum. You will simply love it.”

Kamil Golombek, NIS Cyber Defence Security Perimeter EMEA, PWC