Palo Alto Networks Configuration
Cortex XDR (with Traps)
Cortext XDR version 1.2
Traps Management Service version 2.1
Traps agent version 184.108.40.20673 (content 46-7775)
Cortex XDR is a cloud-based detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. When customers purchase Cortex XDR it includes Traps within the subscription to provide a single product to address the converging Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) market.
Palo Alto Networks Traps stops threats and coordinates enforcement with network and cloud security to prevent successful cyber-attacks. Traps blocks known and unknown malware, exploits, and ransomware by observing attack techniques and behaviors.
Cortex XDR leverages custom rules and behavioral analytics to identify unknown and highly evasive threats targeting your network. Machine learning and AI models uncover threats from any source, including managed and unmanaged devices. Cortex XDR speeds alert triage and incident response by providing a complete picture of each threat and revealing the root cause automatically. Tight integration with enforcement points lets you respond to threats quickly as well as apply the knowledge gained from investigations to detect similar attacks in the future.
To provide a complete picture of the events and activity surrounding an event, Cortex XDR correlates network, endpoint, and cloud data across your sensors and enforcement points. The act of correlating logs from different sources is referred to as log stitching. For example, if your firewalls detect malicious network activity, the app can correlate that activity with endpoint logs to observe the impact of the activity and identify the cause of the behavior.
Log stitching streamlines detection and reduces response time by eliminating the need for manual analysis across different data sensors.
The addition of other Palo Alto Networks sensors and enforcements points such as the Next-generation Firewall extends Cortex XDR into other detection and response markets within one product, including Network Traffic Analysis (NTA), User Entity Behavior Analytics (UEBA) and of course EDR.
Firewall, NTA, and UEBA were not part of Round 1 of ATT&CK Evaluations.
Causality Analysis Engine
The Causality Analysis Engine™ is the heart of Cortex XDR. The Causality Analysis Engine correlates activity from all detection sensors to establish a sequence of events, or causality chains, that identifies the root cause of every alert or threat. The Causality Analysis Engine also identifies a complete forensic timeline of events that helps you to determine the scope and damage of an attack, and provide immediate response.
- Palo Alto Networks Traps was configured in detect only mode with prevention disabled per request by MITRE