# Cortex XDR Cheat Sheet

## Overview
Palo Alto Networks Cortex XDR is an extended detection and response (XDR) platform that integrates endpoint, network, cloud, and third-party data to detect, investigate, and respond to sophisticated cyber threats. It combines endpoint protection (EPP) with EDR capabilities, using behavioral analytics and machine learning to identify threats that signature-based tools miss. Cortex XDR correlates alerts from multiple data sources into unified incidents, dramatically reducing alert fatigue and accelerating investigation timelines.
The platform provides a powerful investigation console with root cause analysis, automated threat hunting, host-level forensics, and response actions including isolating endpoints, killing processes, and quarantining files. Its Pathfinder engine uses causal analysis to stitch together the full attack chain from initial access to impact, giving analysts a complete picture of multi-stage attacks. Cortex XDR also includes vulnerability assessment and device control capabilities for proactive security posture management.
## Installation

### Agent Deployment

```bash
# Download the agent from the Cortex XDR console:
# Settings > Agent Installation > Download Agent

# Linux agent installation
chmod +x cortex-xdr-agent-installer.sh
sudo ./cortex-xdr-agent-installer.sh --dist-id DISTRIBUTION_ID \
  --dist-server https://distributions.traps.paloaltonetworks.com

# Windows (MSI), from an elevated command prompt. cmd.exe has no "\" line
# continuation, so keep the properties on one line (or end lines with "^").
msiexec /i cortex-xdr-agent.msi /quiet /norestart DIST_SERVER=https://distributions.traps.paloaltonetworks.com DIST_ID=DISTRIBUTION_ID

# macOS
sudo installer -pkg cortex-xdr-agent.pkg -target /

# Verify agent status (Linux): check in with the tenant
/opt/traps/bin/cytool checkin

# Check agent connectivity and basic info
/opt/traps/bin/cytool info
```
### Agent Configuration via Policy

```bash
# Verify agent is connected
/opt/traps/bin/cytool runtime query

# Check agent version
/opt/traps/bin/cytool version

# Force policy update
/opt/traps/bin/cytool checkin --force

# View current policy
/opt/traps/bin/cytool policy show

# Collect agent diagnostic logs
/opt/traps/bin/cytool log collect --output /tmp/xdr-diagnostics.tar.gz
```
## Core Commands — XDR API

### Authentication

```bash
# Cortex XDR API keys come in two security levels:
# Standard: send API Key + API Key ID as-is
# Advanced: send API Key ID + nonce + timestamp, and the SHA-256 of
#           (API Key + nonce + timestamp) in place of the key, so the key
#           itself never travels in the request
export XDR_API_URL="https://api-YOUR_TENANT.xdr.paloaltonetworks.com"
export XDR_API_KEY="your-api-key"
export XDR_API_KEY_ID="your-api-key-id"

# Standard authentication headers
# x-xdr-auth-id: API_KEY_ID, Authorization: API_KEY

# Advanced authentication: fills the XDR_AUTH_HEADERS array with ready-to-use curl
# arguments. (Echoing quoted -H strings breaks under shell word splitting; an array does not.)
xdr_advanced_auth_headers() {
  local nonce timestamp auth_hash
  nonce=$(openssl rand -hex 32)
  timestamp=$(date +%s%3N)   # milliseconds since the epoch (GNU date)
  auth_hash=$(printf '%s' "${XDR_API_KEY}${nonce}${timestamp}" | openssl dgst -sha256 | awk '{print $NF}')
  XDR_AUTH_HEADERS=(
    -H "x-xdr-auth-id: ${XDR_API_KEY_ID}"
    -H "x-xdr-nonce: ${nonce}"
    -H "x-xdr-timestamp: ${timestamp}"
    -H "Authorization: ${auth_hash}"
  )
}
# Usage: xdr_advanced_auth_headers && curl "${XDR_AUTH_HEADERS[@]}" -X POST "$XDR_API_URL/public_api/v1/..." -d '...'
```
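Added example (not from this page or from Palo Alto Networks): the same advanced-key scheme in Python with the nonce and timestamp injectable, so the digest can be checked deterministically, alongside the check a server has to perform on it. `server_side_check` and its 5-minute freshness window are assumptions made here to illustrate that verification, not the tenant's actual logic.

```python
import hashlib
import hmac
import secrets
import time

def advanced_auth_headers(api_key, api_key_id, nonce=None, timestamp_ms=None):
    """Headers for a Cortex XDR 'Advanced' API key.
    Authorization carries the hex SHA-256 of api_key + nonce + timestamp (a plain digest,
    not an HMAC), so the key itself never travels and a captured header is bound to one
    nonce/timestamp pair. nonce and timestamp_ms are injectable for deterministic tests."""
    nonce = nonce or secrets.token_hex(32)                  # 64 hex chars, as in the shell helper
    timestamp_ms = timestamp_ms or int(time.time() * 1000)  # milliseconds since the epoch
    auth_hash = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": auth_hash,
    }

def standard_auth_headers(api_key, api_key_id):
    """Headers for a 'Standard' key: the key is sent verbatim, so a captured request replays."""
    return {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key}

def server_side_check(headers, api_key, now_ms, max_skew_ms=5 * 60 * 1000):
    """Illustrates what the tenant must verify for an advanced key: recompute the digest from
    the key it holds and reject stale timestamps. The 5-minute window is an assumption for
    this example, not the product's documented value. Digest compare is constant-time."""
    try:
        ts = int(headers["x-xdr-timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now_ms - ts) > max_skew_ms:
        return False
    nonce = headers.get("x-xdr-nonce", "")
    expected = hashlib.sha256(f"{api_key}{nonce}{ts}".encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, headers.get("Authorization", ""))
```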
### Incident Management

```bash
# Get incidents
curl -X POST "$XDR_API_URL/public_api/v1/incidents/get_incidents" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "status", "operator": "eq", "value": "new"},
        {"field": "severity", "operator": "in", "value": ["high", "critical"]}
      ],
      "sort": {"field": "creation_time", "keyword": "desc"},
      "search_from": 0,
      "search_to": 50
    }
  }'

# Get incident details (alerts, artifacts, hosts)
curl -X POST "$XDR_API_URL/public_api/v1/incidents/get_incident_extra_data" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "incident_id": "INC-12345"
    }
  }'

# Update incident status ("comment" is an object with comment_action and value, not a bare string)
curl -X POST "$XDR_API_URL/public_api/v1/incidents/update_incident" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "incident_id": "INC-12345",
      "update_data": {
        "status": "under_investigation",
        "assigned_user_mail": "analyst@company.com",
        "severity": "high",
        "comment": {"comment_action": "add", "value": "Investigating suspicious PowerShell activity"}
      }
    }
  }'
```
### Alert Management

```bash
# Get alerts (creation_time is epoch milliseconds)
curl -X POST "$XDR_API_URL/public_api/v1/alerts/get_alerts_multi_events" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "severity", "operator": "in", "value": ["high", "critical"]},
        {"field": "creation_time", "operator": "gte", "value": 1716000000000}
      ],
      "search_from": 0,
      "search_to": 100
    }
  }'

# Get alerts by ID with full event data (the filter field is alert_id_list, not alert_id)
curl -X POST "$XDR_API_URL/public_api/v1/alerts/get_alerts_multi_events" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "alert_id_list", "operator": "in", "value": ["ALERT-123"]}
      ]
    }
  }'
```
### Endpoint Management

```bash
# Get all connected endpoints
curl -X POST "$XDR_API_URL/public_api/v1/endpoints/get_endpoint" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "endpoint_status", "operator": "in", "value": ["connected"]}
      ],
      "search_from": 0,
      "search_to": 100
    }
  }'

# Isolate an endpoint: blocks all network traffic except the agent's own
# connection to Cortex XDR, so the host stays manageable while contained
curl -X POST "$XDR_API_URL/public_api/v1/endpoints/isolate" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "endpoint_id_list", "operator": "in", "value": ["endpoint-id-123"]}
      ]
    }
  }'

# Unisolate an endpoint
curl -X POST "$XDR_API_URL/public_api/v1/endpoints/unisolate" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "endpoint_id_list", "operator": "in", "value": ["endpoint-id-123"]}
      ]
    }
  }'

# Scan endpoint (on-demand malware scan)
curl -X POST "$XDR_API_URL/public_api/v1/endpoints/scan" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "endpoint_id_list", "operator": "in", "value": ["endpoint-id-123"]}
      ]
    }
  }'
```
## Configuration

### XQL Query Examples

```xql
// XQL (XDR Query Language) for threat hunting.
// event_type values are enums (ENUM.PROCESS, ENUM.NETWORK, ...); string matches are
// case-sensitive, so lowercase() is applied where command-line casing varies.

// Find suspicious PowerShell execution
dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
| filter lowercase(action_process_command_line) contains "-enc" or
         lowercase(action_process_command_line) contains "downloadstring" or
         lowercase(action_process_command_line) contains "bypass"
| fields agent_hostname, action_process_command_line, actor_process_image_name, _time
| sort desc _time
| limit 100

// Detect lateral movement via remote services (SMB, RPC, RDP, WinRM)
dataset = xdr_data
| filter event_type = ENUM.NETWORK and
         action_remote_port in (445, 135, 3389, 5985, 5986)
| fields agent_hostname, action_remote_ip, action_remote_port,
         actor_process_image_name, _time
| comp count() as connection_count by agent_hostname, action_remote_ip
| filter connection_count > 10
| sort desc connection_count

// Find persistence mechanisms (Run keys)
dataset = xdr_data
| filter event_type = ENUM.REGISTRY and
         action_registry_key_name contains "CurrentVersion\\Run"
| fields agent_hostname, action_registry_key_name, action_registry_value_name,
         action_registry_data, actor_process_image_name, _time
| sort desc _time

// Detect data exfiltration (more than 100 MB uploaded in one connection)
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_total_upload > 104857600
| fields agent_hostname, action_remote_ip, action_total_upload,
         actor_process_image_name, _time
| sort desc action_total_upload
| limit 50

// Find unsigned process execution (signature status is an enum, and the hash
// of a started process is action_process_image_sha256)
dataset = xdr_data
| filter event_type = ENUM.PROCESS and
         action_process_signature_status != ENUM.SIGNED
| fields agent_hostname, action_process_image_path,
         action_process_signature_status, action_process_image_sha256, _time
| comp count() as exec_count by action_process_image_path
| sort desc exec_count
```
### Response Actions via API

```bash
# Run a script from the Action Center script library on an endpoint (timeout in seconds)
curl -X POST "$XDR_API_URL/public_api/v1/scripts/run_script" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "script_uid": "script-uid-here",
      "timeout": 600,
      "filters": [
        {"field": "endpoint_id_list", "operator": "in", "value": ["endpoint-123"]}
      ],
      "parameters_values": {}
    }
  }'

# Get script execution results (action_id comes from the run_script reply)
curl -X POST "$XDR_API_URL/public_api/v1/scripts/get_script_execution_results" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "action_id": "action-id-here"
    }
  }'

# Quarantine a file (path and SHA-256 must both match the file on the endpoint)
curl -X POST "$XDR_API_URL/public_api/v1/endpoints/quarantine" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "filters": [
        {"field": "endpoint_id_list", "operator": "in", "value": ["endpoint-123"]}
      ],
      "file_path": "C:\\Users\\user\\malware.exe",
      "file_hash": "sha256hashhere"
    }
  }'
```
## Advanced Usage

### XSOAR Integration

```bash
# There is no XDR API call that starts an XSOAR playbook: XSOAR pulls incidents through
# its Cortex XDR integration and runs playbooks on ingest. What you can do from this side
# is set the incident fields (status, assignee) that a playbook or mirroring rule keys on.
curl -X POST "$XDR_API_URL/public_api/v1/incidents/update_incident" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": {
      "incident_id": "INC-12345",
      "update_data": {
        "status": "under_investigation"
      }
    }
  }'

# Bulk IOC management: insert_jsons takes an array in request_data, so several
# indicators can go in one call. Types include DOMAIN_NAME, IP, HASH, PATH, FILENAME.
curl -X POST "$XDR_API_URL/public_api/v1/indicators/insert_jsons" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_data": [
      {
        "indicator": "malicious-domain.com",
        "type": "DOMAIN_NAME",
        "severity": "HIGH",
        "comment": "Associated with APT campaign",
        "reputation": "BAD",
        "expiration_date": 1735689600000
      }
    ]
  }'
```
### Automated Threat Hunting

```bash
#!/bin/bash
# automated-hunt.sh - run a set of XQL hunts over the last 24 hours and report hits.
# Needs XDR_API_URL, XDR_API_KEY_ID and XDR_API_KEY in the environment (see Authentication).
set -uo pipefail

XDR_API="$XDR_API_URL"
NOW_MS=$(( $(date +%s) * 1000 ))        # XQL timeframes are epoch milliseconds
FROM_MS=$(( NOW_MS - 86400 * 1000 ))

xdr_post() {    # usage: xdr_post <path under /public_api/v1/> <json-body>
  curl -sS -X POST "$XDR_API/public_api/v1/$1" \
    -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
    -H "Authorization: $XDR_API_KEY" \
    -H "Content-Type: application/json" \
    -d "$2"
}

run_xql_query() {
  local query="$1" description="$2"
  local body query_id status result count

  # Build the body with jq so quotes and backslashes in the XQL text are escaped correctly
  body=$(jq -n --arg q "$query" --argjson from "$FROM_MS" --argjson to "$NOW_MS" \
    '{request_data: {query: $q, timeframe: {from: $from, to: $to}}}')
  query_id=$(xdr_post xql/start_xql_query "$body" | jq -r '.reply')

  # Poll on reply.status instead of a fixed sleep: it stays PENDING until the query finishes
  for _ in $(seq 1 60); do
    result=$(xdr_post xql/get_query_results \
      "{\"request_data\": {\"query_id\": \"$query_id\", \"format\": \"json\"}}")
    status=$(echo "$result" | jq -r '.reply.status')
    if [ "$status" != "PENDING" ]; then break; fi
    sleep 5
  done

  if [ "$status" != "SUCCESS" ]; then
    echo "ERROR: $description - query $query_id ended with status $status" >&2
    return 1
  fi
  count=$(echo "$result" | jq '.reply.number_of_results')
  if [ "$count" -gt 0 ]; then
    echo "ALERT: $description - $count results found"
  fi
}

run_xql_query \
  'dataset = xdr_data | filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe" and lowercase(action_process_command_line) contains "-enc"' \
  "Encoded PowerShell Execution"
run_xql_query \
  'dataset = xdr_data | filter event_type = ENUM.NETWORK and action_remote_port = 4444' \
  "Suspicious Reverse Shell Port"
```
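Added example, not part of this page or the product: the start-then-poll flow of the hunting script in Python, with the HTTP transport injectable so `FakeXdr` (a constructed stand-in that answers PENDING twice before SUCCESS) exercises the polling path offline; a fixed sleep races the query, looping on the status does not. Endpoint paths and reply fields follow the two XQL calls used on this page; `post_json`, `run_xql`, `FakeXdr` and `demo` are names chosen here.

```python
import json
import time
import urllib.request

def post_json(url, headers, body):
    """Default transport: POST a JSON body with urllib and return the parsed reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def run_xql(base_url, headers, query, from_ms, to_ms, post=post_json,
            poll_interval=5, max_polls=60, sleep=time.sleep):
    """Start an XQL query and poll until reply.status leaves PENDING; return (count, rows).
    Result sets over 1000 rows come back as a stream_id (get_query_results_stream), not handled."""
    start = post(f"{base_url}/public_api/v1/xql/start_xql_query", headers,
                 {"request_data": {"query": query, "timeframe": {"from": from_ms, "to": to_ms}}})
    query_id = start["reply"]                      # execution id issued by the tenant
    for _ in range(max_polls):
        reply = post(f"{base_url}/public_api/v1/xql/get_query_results", headers,
                     {"request_data": {"query_id": query_id, "format": "json"}})["reply"]
        status = reply.get("status")
        if status == "PENDING":
            sleep(poll_interval)
            continue
        if status == "SUCCESS":
            return reply.get("number_of_results", 0), reply.get("results", {}).get("data", [])
        raise RuntimeError(f"XQL query {query_id} ended with status {status}")
    raise RuntimeError(f"XQL query {query_id} still PENDING after {max_polls} polls")

class FakeXdr:
    """Constructed stand-in for a tenant: answers PENDING twice, then SUCCESS with rows."""
    def __init__(self, rows):
        self.rows, self.polls = rows, 0
    def __call__(self, url, headers, body):
        if url.endswith("/start_xql_query"):
            return {"reply": "exec-0001"}          # constructed execution id
        self.polls += 1
        if self.polls < 3:
            return {"reply": {"status": "PENDING"}}
        return {"reply": {"status": "SUCCESS", "number_of_results": len(self.rows),
                          "results": {"data": self.rows}}}

def demo():
    fake = FakeXdr([{"agent_hostname": "ws-01",    # constructed sample result row
                     "action_process_command_line": "powershell.exe -enc SQBFAFgA"}])
    count, rows = run_xql("https://api-example.xdr.paloaltonetworks.com", {},
                          'dataset = xdr_data | filter event_type = ENUM.PROCESS', 0, 1,
                          post=fake, sleep=lambda _s: None)
    return count, rows[0]["agent_hostname"], fake.polls
```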
## Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| Agent not connecting | Firewall blocking communication | Allow outbound 443 to `*.xdr.paloaltonetworks.com` |
| Policy not applying | Agent cache stale | Force checkin: `/opt/traps/bin/cytool checkin --force` |
| High CPU from agent | Content update scanning | Exclude known-good directories from scanning |
| API 401 Unauthorized | API key expired or invalid | Regenerate API key in Settings > API Keys |
| XQL query timeout | Query too broad | Add time filters and narrow scope |
| Isolation not working | Agent version too old | Update agent to latest version |
| Missing endpoint data | Agent in limited mode | Check agent license and policy assignment |
| False positives | Behavioral rule too broad | Create exception in Security Profiles |

```bash
# Agent diagnostics (Linux)
/opt/traps/bin/cytool info
/opt/traps/bin/cytool runtime query
/opt/traps/bin/cytool log collect --output /tmp/diag.tar.gz

# Check agent connectivity
/opt/traps/bin/cytool connectivity check

# View agent service status
sudo systemctl status traps_pmd

# Test API connectivity (a minimal query; 401 here means the key or key ID is wrong)
curl -s -X POST "$XDR_API_URL/public_api/v1/endpoints/get_endpoint" \
  -H "x-xdr-auth-id: $XDR_API_KEY_ID" \
  -H "Authorization: $XDR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"request_data": {"search_from": 0, "search_to": 1}}'
```