This 3-day, intermediate-level course focuses on the initial setup, configuration, and management of the Cortex XDR platform.
Core Course Content:
Cortex XDR Architecture: Overview of the components and how data is collected and processed in the cloud management console.
Management Console: Navigating the console, understanding reporting functions, and deploying agents.
Agent Deployment: Creating installation packages, defining endpoint groups, and deploying agents on Windows, macOS, and Linux endpoints.
Profiles and Policy Rules: Creating security policies and managing profiles for various security needs.
Threat Prevention: Configuring and managing Exploit and Malware Prevention profiles, including behavioral threat analysis capabilities.
Alert Management & Tuning: Investigating alerts, prioritizing them, and tuning security profiles using exceptions and exclusions to reduce noise.
Response Actions: Performing and tracking basic response actions via the Action Center.
Broker VM: Overview and deployment of the on-premises Broker VM component to facilitate local agent settings and integrations.
Troubleshooting & Deployment: Basic agent and deployment troubleshooting, including working with the Customer Support Portal.
Cortex XDR: Investigation and Response (EDU-262)
This 2-day, advanced-level course targets security analysts and incident responders who use the collected data to find and respond to threats.
Core Course Content:
Incident Management: Investigating and managing security incidents on the Incidents page, including scoring, assignment, and closure.
Causality and Analytics: Understanding causality chains, log stitching, and the underlying analytics engine concepts.
Analysis Views: Analyzing alerts and artifacts using specialized views like the Causality Analysis, Timeline, IP, and Hash Views.
Advanced Response Actions: Utilizing advanced response capabilities, such as remote script execution and the EDL service.
Search and Query: Building on-demand and scheduled search queries in the Query Center.
XDR Rules: Creating and managing custom behavioral indicator of compromise (BIOC) and traditional indicator of compromise (IOC) rules.
XQL Introduction: Writing XQL (Cortex XDR Query Language) queries to search datasets in the Cortex Data Lake and visualize results.
External Data Collection: Working with third-party data ingestion capabilities, including using the Cortex XDR API to receive external alerts.
Target Audience and Prerequisites
Target Audience: EDU-260 is for engineers and administrators, while EDU-262 is for SOC analysts, threat hunters, and incident responders.
Prerequisites: Familiarity with general networking and security concepts is required for EDU-260. EDU-262 requires completion of EDU-260 or equivalent hands-on experience.
Completion of these courses is recommended for professionals seeking the Palo Alto Networks Certified Cortex XDR Pro Administrator certification.