##### Cortex XDR

# Transcend the Boundaries of Endpoint Security

Today, you're a cybersecurity analyst hard at work and getting things done. Your vacation starts tomorrow, so you have your fingers crossed for an uneventful day. And things are trending that way... until

Let's use Cortex XDR to find out what happened, and then generate a report on your company's security posture.

# Review Your Security Incidents

First, you look at the Incident Management dashboard, which provides a centralized view of all ongoing security incidents, along with their status, severity and other details. You see an incident that requires attention, so you click to open it.

Speak to an expert

Metrics derived from Palo Alto Networks SOC.
# Dig Deeper into Incident Details

From the Incident Overview page, you gather additional facts:

* The incident score for severity
* Compromised assets
* Data sources for raised alerts
* Automated responses already performed

To generate this incident, Cortex XDR created enriched records of activity by stitching events from multiple sources, establishing the connections between hosts, identities, network traffic and more to broaden incident context. Hundreds of machine learning models then looked for anomalous activity within the stitched data, generating new detection alerts. Cortex XDR grouped the related alerts into a single incident, painting a comprehensive picture of the attack and reducing the number of alerts that you need to review manually by 98%.

# Identify Compromised Assets

Within the incident, you notice that a Windows PC and an internet-facing server hosted in the cloud may have been compromised.

# Check the MITRE ATT&CK® Framework

You also see the attack mapped to the **MITRE ATT&CK®** Framework, which provides a standardized taxonomy for categorizing and describing adversary tactics and techniques. By automatically mapping an attack to this framework, Cortex XDR gives you a view of all related activity in terms every analyst recognizes.
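As an added illustration of the stitching-and-grouping step described above (this is example code written for this page, not Cortex XDR's own detection or incident logic; the alert schema, host and user names, IP addresses and the two-hour window are all assumptions, and the sample alerts are constructed), the following Python correlates a handful of alerts into incidents by shared host, identity or remote address within a time window, then computes the resulting reduction in items an analyst has to review:

```python
"""Correlate alerts into incidents by shared entities within a time window.

Added example for this page: a generic union-find grouping, NOT Cortex XDR's
own stitching or detection logic. The alert schema, hosts, users, addresses
and the two-hour window below are assumptions; SAMPLE_ALERTS is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Times are ISO 8601, same day.
SAMPLE_ALERTS = [
    {"id": 1, "time": "2024-04-12T09:00:05", "severity": "high",
     "host": "WIN-PC-01", "user": "j.doe", "remote": None,
     "name": "Suspicious PowerShell download"},
    {"id": 2, "time": "2024-04-12T09:00:40", "severity": "medium",
     "host": "WIN-PC-01", "user": "j.doe", "remote": "198.51.100.7",
     "name": "Outbound connection to rare destination"},
    {"id": 3, "time": "2024-04-12T09:01:10", "severity": "critical",
     "host": "WIN-PC-01", "user": "j.doe", "remote": None,
     "name": "Ransomware behaviour: mass file rename"},
    {"id": 4, "time": "2024-04-12T09:02:00", "severity": "high",
     "host": "FILE-SRV-02", "user": "j.doe", "remote": None,
     "name": "Lateral movement: remote service creation"},
    # Cloud server: failed brute force from the same address the PC later
    # connected out to, which is the only thing tying it to the endpoint.
    {"id": 5, "time": "2024-04-12T08:30:00", "severity": "medium",
     "host": "web-prod-1", "user": "admin", "remote": "198.51.100.7",
     "name": "Brute-force login attempts (all failed)"},
    # Same PC hours later: shares entities but falls outside the window.
    {"id": 6, "time": "2024-04-12T15:00:00", "severity": "low",
     "host": "WIN-PC-01", "user": "j.doe", "remote": None,
     "name": "Unsigned binary execution"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def entities(alert):
    """Typed entity keys an alert can be linked on (host, identity, remote IP)."""
    keys = {("host", alert["host"]), ("user", alert["user"])}
    if alert.get("remote"):
        keys.add(("remote", alert["remote"]))
    return keys


def related(a, b, window):
    """Two alerts are related if they share an entity and occur within `window`."""
    ta = datetime.fromisoformat(a["time"])
    tb = datetime.fromisoformat(b["time"])
    if abs(ta - tb) > window:
        return False
    return bool(entities(a) & entities(b))


def group_alerts(alerts, window=timedelta(hours=2)):
    """Union-find over pairwise relations; each connected component is an incident."""
    by_id = {a["id"]: a for a in alerts}
    parent = {i: i for i in by_id}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    ids = sorted(by_id)
    for i, x in enumerate(ids):
        for y in ids[i + 1:]:
            if related(by_id[x], by_id[y], window):
                rx, ry = find(x), find(y)
                if rx != ry:
                    parent[ry] = rx

    groups = {}
    for x in ids:
        groups.setdefault(find(x), []).append(by_id[x])

    incidents = []
    for members in groups.values():
        members.sort(key=lambda m: m["time"])
        incidents.append({
            "alert_ids": [m["id"] for m in members],
            # Incident severity is the highest severity among its alerts.
            "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.get),
            "hosts": sorted({m["host"] for m in members}),
            "users": sorted({m["user"] for m in members}),
            "first_seen": members[0]["time"],
            "last_seen": members[-1]["time"],
        })
    incidents.sort(key=lambda inc: inc["first_seen"])
    return incidents


def alert_reduction(alerts, incidents):
    """Share of items an analyst no longer reviews one by one."""
    return 1 - len(incidents) / len(alerts)


if __name__ == "__main__":
    found = group_alerts(SAMPLE_ALERTS)
    for inc in found:
        print(inc["severity"], inc["alert_ids"], inc["hosts"])
    print(f"alert reduction: {alert_reduction(SAMPLE_ALERTS, found):.0%}")
```

Run as a script, the six sample alerts collapse into two incidents: one critical incident spanning the cloud server, the Windows PC and the file server, and one low-severity singleton for the PC activity that fell outside the window. The cloud server's failed brute force is pulled into the main incident only because it shares a remote address with the PC's outbound connection; that is the kind of cross-source link the page calls stitching. The caveat to keep in mind is that grouping is transitive, so a widely shared entity (a service account, a proxy address) can merge unrelated activity into one incident; production systems weight or exclude such entities rather than linking on any match.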
# Investigate with Alerts & Insights

Your critical alerts confirm the Windows PC has been compromised. Down the list, you see that the cloud-hosted server has a medium-severity alert. In the alert, you discover that a brute-force attack was attempted, and failed. Now it is time to isolate the compromised Windows PC to stop the attack from progressing any further.

# Stop the Attack in Its Tracks

Isolating an endpoint helps contain the spread of malware and other threats. By disconnecting the compromised endpoint from the network, you prevent the threat from propagating to other devices or systems, limiting the scope and impact of the incident. Isolation leaves the agent's own management channel up, so you can still run response actions on the host.

# Search for and Destroy Malware

Now it's time to search for and destroy the ransomware file. Using the live terminal, you can execute commands and scripts remotely on endpoints, enabling rapid remediation without physical access to the affected devices.

# Pulling Back the Curtain

So why wasn't this attack blocked by the endpoint agent? For the purposes of this demonstration, we set the Endpoint Policy to report only, allowing the attack to progress while notifying us of its progress. This is also a reminder to follow best practices when configuring policies: a report-only policy observes but never prevents. Now, let's set the policy to block, and keep moving!

# Identify Security Gaps and Ensure Alignment with Regulatory Standards

With a good handle on this ransomware incident, you remember that a cloud asset was involved in a brute-force attempt earlier on. With this in mind, you initiate some proactive security measures to enhance your cloud security.
The Cloud Compliance capabilities of Cortex XDR perform Center for Internet Security (CIS) Benchmark compliance checks on cloud resources. This helps to identify potential security gaps, mitigate risks, and avoid regulatory fines or penalties. You notice that compliance is only at 74%, which you decide is important to include in your final report.

# Assess Vulnerabilities in a Single Dashboard

Since you discovered a compromised PC during your investigation, you use Vulnerability Assessment to check for vulnerabilities that may have been left unpatched and exploited. You see that the compromised PC you flagged has several vulnerabilities that contributed to the ransomware attack, giving you the information you need to start patching.

# Concise, Easy Reporting

It's time to generate reports for your manager in a concise format. You can select from a number of pre-built templates or create custom reports. You generate reports about your investigation, including Incident Management, Cloud Compliance, and Vulnerability Assessment.

| Report ID | Time Generated | Name | Description |
|---|---|---|---|
| 488 | Apr 12th 2024 13:15:22 | Incident Management Report | Provides a breakdown of the top incidents and hosts in the organization and an overview of the top incidents. |
| 489 | Apr 12th 2024 13:15:05 | Cloud Compliance Report | Provides an overview of the CIS Benchmark compliance status. |
| 490 | Apr 12th 2024 13:14:45 | Vulnerability Assessment Report | Provides an overview of the Vulnerability Assessment status of all endpoints and applications. |
| 491 | Apr 12th 2024 13:14:10 | Cloud Inventory Report | Provides a breakdown of all cloud assets by account, type, and location, alongside the number of assets over time (refreshes every 2 hours). |
| 492 | Apr 12th 2024 00:46:39 | Risk Management Report | Provides an overview of identity-related risks, trends, and statistics. |
| 493 | Apr 12th 2024 00:46:07 | Risk Management Report | Provides a breakdown of all cloud assets by account, type, and location, alongside the number of assets over time (refreshes every 2 hours). |

## Surf's Up!

Congratulations. You successfully investigated and resolved the ransomware attack. The investigation revealed:

* A brute-force attack attempt on a cloud asset
* A PC with unpatched vulnerabilities
* A security policy set to report only, allowing the attack to progress

Fortunately, you quickly isolated the compromised endpoint and eliminated the ransomware file without physical access to the PC. Reports detailing the entire incident have been generated. And now you're beachbound in t-minus 1 hour.

## There's No Time Like More Time

Cortex XDR frees security analysts to focus on what they do best.
Security Operations can leverage Cortex XDR to:

* Prevent threats like ransomware on endpoints and cloud workloads
* Accelerate MTTD (mean time to detect) to machine speed
* Rapidly respond to the root cause of attacks

Get more security done with Cortex XDR.

* 98% reduction in alerts
* 8x faster investigations
* 100% prevention and detection with no configuration changes in the MITRE Engenuity ATT&CK Evaluations 2023

### Request Your Personal Cortex XDR Demo

Schedule a personal 30-minute demo to explore how to cut alert volume, build end-to-end automation and enable smarter security operations with the Cortex portfolio.