Ultimate Test Drive
Security Operating Platform Workshop Guide

Last update 20190320

UTD-SOP 1.1 © 2019 Palo Alto Networks, Inc. | Confidential and Proprietary 1
Table of Contents
How to Use This Guide 4

Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log In to Your Ultimate Test Drive Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 - Enable Internet Access on the Next-Generation Firewall 7
Task 4 – Install Traps Agent on Protected Client 8

Activity 1 – Conduct a Ransomware Attack 9
Task 1 - Brief Overview of Ransomware Attack Sequence 9
Task 2 - Check Attacker VM Status 10
Task 3 - Compromise Victim System via Exploit 11
Task 4 - Attacker to Upload and Execute the Ransomware on Victim 12
Task 5 - Execute Ransomware on the Victim Client 14
Task 6 - Test Ransomware on the Protected Client 16

Activity 2 – Protection with the Next-Generation Firewall 17
Task 1 - Review the Port-Based Policy for the Victim 17
Task 2 - Review the Policy for the Protected Client 19
Task 3 - Re-Run the Ransomware on the Protected Client Without URL Filtering 20
Task 4 - Re-Run the Ransomware Attack on the Protected Client 23
Task 5 - Remove the Next-Generation Firewall Protection from the Protected Client 24

Activity 3 - Advanced Endpoint Protection – Traps 26
Task 1 - Review the Traps Client Console 26
Task 2 - Explore the Traps Management Service 27

Activity 4 - Prevent Unknown Threat with WildFire Threat Intelligence Cloud 32
Task 1 - Enable WildFire on the Next-Generation Firewall 32
Task 2 - Review WildFire on Traps 33
Task 3 - Download and Execute a Zero-Day Malware Sample File 33
Task 4 - Review WildFire Submission and Verdict on Traps 34
Task 6 - Review WildFire Submission and Verdict on the Firewall 36

Activity 5 - Protecting SaaS Applications with Aperture 38
Task 1 - Sanctioned SaaS Applications 38
Task 2 - SaaS Application Security with Aperture 39
Task 3 - Aperture Dashboard 40
Task 4 - WildFire Analysis by Aperture and SaaS Risk Assessment Report 43

Activity 6 - Threat Intelligence with AutoFocus 45
Task 1 - AutoFocus Overview – Demo Video 45
Task 2 - AutoFocus Integration with the Firewall 46

Activity 7 – Introduction to Cortex Data Lake/Logging Service 49
Task 1 – Log into Network Security Management: Panorama 49
Task 2 – Check the Panorama cloud services plugin and the Cloud Services status 50
Task 3 – Forwarding Logs to Cortex Data Lake/Logging Service with Template and Device Object 50

Activity 8 – Cortex XDR 53
Task 1 – Introduction to Cortex Hub 53
Task 2 – Cortex XDR Analytics Review 54
Task 3 – Cortex XDR Investigation and Response Review 55

Activity 9 - Feedback on Ultimate Test Drive 56
Task 1 – Take the online survey 56
How to Use This Guide
The activities outlined in this Ultimate Test Drive Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any
potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the
following activities (Chrome is pre-installed on the student desktop of the workshop PC).

Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.

Activity 0 – Initiate the UTD Workshop
In this activity, you will:

• Log in to the Ultimate Test Drive Workshop from your laptop.

• Learn the layout of the environment and its various components.

• Enable the firewall to facilitate connectivity.

Task 1 – Log In to Your Ultimate Test Drive Class Environment


Step 1: Verify that your laptop is equipped with a modern browser that supports HTML5. We
recommend using the latest version of Firefox®, Chrome, or Internet Explorer®/Edge®.

Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.

Enter your email address and the class passphrase.

Step 3: Complete the registration form and click Login at the bottom.

Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.

Once the environment has been created, the system will display a welcome page. Click Start Using This
Environment to begin.

This will display a list of all virtual systems that constitute the UTD environment.

Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops.

Task 2 - Understand the UTD Environment Setup


This UTD environment consists of the following components:

A. Security Admin: This is the main workstation for you, the security administrator, which you will
use to modify the settings for different components of the platform, including the next-generation
firewall, Traps management service, Panorama and others.

B. Victim: This is a Windows® 7 virtual machine on which you will carry out the exercises in our
workshop. This virtual machine is protected neither by a firewall nor by an endpoint solution. You will
use this system as the victim of the ransomware attacks in our workshop.

C. Protected Client: This Windows 7 virtual system is similar to the Victim, but protected by the
Palo Alto Networks Security Operating Platform, including the next-generation firewall and Traps.

D. Attacker: This virtual machine is a Kali Linux system that hosts Metasploit®, a penetration testing
tool. You will use this platform to take on the role of the attacker in our workshop exercises.

E. VM-Series Security Platform: This system is a Palo Alto Networks virtual next-generation
firewall.

Review the diagram below to better understand the UTD environment setup.

Task 3 - Enable Internet Access on the Next-Generation Firewall
Step 1: Click the Security Admin tab to access that desktop in your browser. Click the Security Admin
icon to launch the browser. The NGFW login page should already be loaded; if not, click the NGFW
bookmark.

Log in to the firewall with the following name and password:


Name: student
Password: utd135

Step 2: Go to the Network tab. In the Interface node, click on ethernet1/1.

Step 3: Click the Advanced tab. Click the Link State drop-down menu to the right of the dialog box,
select up, then click OK to close the window. Click the Commit button in the top right-hand corner to
confirm the changes. Click Commit again in the Commit window to activate the configuration changes.

Step 4: Once the process has completed, you will see that the Link State of ethernet1/1 has turned
green now that the interface is up.

Task 4 – Install Traps Agent on Protected Client


Step 1: Click the Protected Client tab to access that desktop in your browser.

Step 2: Double-click the “Install Traps” icon on the desktop to launch the Traps Agent installer.

Step 3: The Traps agent will automatically install. Once completed, double-click the icon in the system
tray to bring up the Traps agent console.

End of Activity 0

Activity 1 – Conduct a Ransomware Attack
In this activity, you will:

• Become the attacker and launch a ransomware attack on the Victim system.

• Experience how the Victim system is compromised through a spear phishing attack.

• Launch a ransomware attack on the Protected Client.

Task 1 - Brief Overview of Ransomware Attack Sequence


A typical ransomware attack involves two main stages:

• Compromise a victim system via exploit.

• Deliver and execute ransomware.

We will conduct a ransomware attack in this activity from both the attacker and victim perspectives. The
attacker hosts a website that delivers an exploit to the victim’s system. When the victim clicks a link in a
phishing email, he or she is redirected to the attacker’s website, where a Flash® Player exploit
compromises the victim’s system.

Once the victim’s system is compromised, the attacker uploads ransomware to the victim’s machine and
executes it.

This process is depicted in the figure below.

In the next few tasks in this activity, you will play the roles of both the attacker and the victim and see the
ransomware in action.

Task 2 - Check Attacker VM Status
Step 1: Click the Attacker tab to access that desktop in your browser.

Once you launch the Attacker VM, you will see a terminal window open on the desktop. (Login root /
toor).

Step 2: In the terminal window, type the following command and press the Enter/Return key:

root@kali:~# ./demo-attack

This will start the exploit program and configure the Attacker VM to listen for incoming connections and
serve the Hacking Team Flash Player use-after-free exploit (CVE-2015-5119, a zero-day when it leaked in
2015) to the Victim VM. This process may take a while, so please be patient.

When configuration is completed, the terminal should display the following prompt:

msf exploit(adobe_flash_hacking_team_uaf) >

The Attacker system is now ready and online, waiting for a connection from the Victim system.

Step 3: Enter “sessions” into the prompt to list the active sessions:

msf exploit(adobe_flash_hacking_team_uaf) > sessions

There should be no active sessions on the Attacker VM.

Task 3 - Compromise Victim System via Exploit
In this task, you take on the role of the victim. As the victim, you have received a spear phishing email,
which includes a hidden link to the attacker’s listener service. You will click the link, and the VM will be
compromised by the exploit delivered by the attacker’s listener service.

Step 1: Go to the Victim desktop. Click the Victim tab to open the Victim VM.

Microsoft Outlook® will be open and running on the desktop. An email with the subject line “Someone has
your password” is displayed in the preview pane. This looks like a legitimate email from Google, informing
you that someone is trying to access your device. The email suggests you review the device to ensure
your password is safe.

Step 2: Click the Review Your Devices Now link in the email. This will open Internet Explorer and, after
a short delay, display a webpage that resembles the Google account login page.

If you see the Google page, the Attacker system has successfully compromised the Victim system. In the
next task, you will resume the role of the attacker and continue the next stage of the attack.

Note: You should not need the credentials for the user associated with the Victim VM. However, if
the system does present you with a login screen, click the icon associated with the user “Jen” and
use the password “Password1”.

Task 4 - Attacker to Upload and Execute the Ransomware on Victim


In this task, you will return to the role of the Attacker and continue the next stage of the attack by
uploading and executing ransomware on the Victim system.

Step 1: Go back to the Attacker VM. You should see the Metasploit listener service received a request,
sent a SWF file in reply, and opened a “Meterpreter” session to the Victim VM.

Note: If you have been disconnected from the Attacker desktop, click the Reconnect link above the
desktop display area to re-establish your connection.

Step 2: To verify the session between the Attacker and Victim is open, use the “sessions” command to list
the active sessions (hit Enter/Return to get the command prompt):

msf exploit(adobe_flash_hacking_team_uaf) > sessions

An open session indicates that the Attacker has an active, direct connection to the Victim VM, which can
be used to further compromise the system.

Note the Id of the active session connected to the Victim VM. This is the “Session Id” you will need to
enter in the next step. It should be session “1”.

Note: this number may be different if you refreshed the browser on the Victim VM at any point.

Step 3: Initiate an interactive session with the Victim by entering “sessions -i <id>” at the Metasploit
prompt. Remember to substitute your “Session Id” for the number “1” in this command if you have a
different ID number.

msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1

This will initiate the interactive session, display the message “Starting interaction with 1…” and change
the prompt to a Meterpreter prompt.

At this point, you are connected to the Victim VM and can run any of the available Meterpreter commands
to further control the system. For a list of available commands, type “?” and press Enter/Return at the
Meterpreter prompt (we will not explore the available Meterpreter commands in this exercise). The
Attacker VM has taken control of the Victim VM at this point.

Step 4: The Attacker VM will now upload the ransomware executable file (happy.exe) to the Victim VM.
Enter the following command at the prompt:

meterpreter > cd /Temp

meterpreter > dir (the directory should be empty)

meterpreter > upload happy.exe

You should see messages confirming that “happy.exe” has been successfully uploaded to the Victim VM.
Enter “dir” again to check that the file is now present.

The Attacker VM is now ready to launch a ransomware attack on the Victim VM.

Note: The Petya ransomware is used in this exercise. Unlike file-encrypting ransomware, Petya overwrites
the master boot record, which is why the Victim reboots into a fake disk check in the next task instead of
showing encrypted files.

Task 5 - Execute Ransomware on the Victim Client


For this task, you must be prepared to quickly switch over to the browser tab for the Victim VM as soon as
you (as the attacker) have executed the ransomware. This ransomware acts very quickly to infect a
system, and if you remain in the Attacker environment, you will miss some of its actions.

Step 1: In the Attacker terminal window, enter the following command at the Meterpreter prompt (be
prepared to switch to the Victim VM as soon as possible):

meterpreter > execute -f happy.exe -H

Step 2: Quickly switch to the Victim tab. Once the ransomware executes on the Victim VM, it will
simulate a “blue screen of death” that typically accompanies a Windows system crash and reboot the
Victim VM.

The ransomware will simulate the process of checking the disk on the Victim VM (the CHKDSK process).
However, the counter that indicates the progress will never stop counting.

Step 3: Click on the Send Ctrl-Alt-Delete button on the left side of Victim VM window.

The Victim VM will display a flashing, red and grey “skull and cross bones” image and prompt the user to
“PRESS ANY KEY!”

Step 4: Click inside the “skull and cross bones” image and press the space bar. This should change the
image to a ransomware warning page, with a list of demands and instructions to submit payment in order
to unlock the system.

Congratulations! You are at once an attacker and a victim.

You will no longer be able to use this Victim VM. Return to the Attacker desktop.

Step 5: On the Attacker desktop, end the Meterpreter session using the exit command:

meterpreter > exit

Step 6: This will return you to the Metasploit prompt. Execute the sessions command again to check for
other open sessions. You should see none: the Meterpreter session was closed when you exited, and the
Victim has rebooted into the ransomware lock screen.

Note: Leave the Attacker browser tab open. We will return to it in the next activity.

Task 6 - Test Ransomware on the Protected Client
In this task, we repeat the same attack on the Protected Client VM and see what happens.

Step 1: Click the Protected Client tab. Click the Outlook icon. You will see the same email in the
Outlook window. Also note the Traps window behind it, which we will use in Activity 3.

Step 2: Click the Review Your Devices Now link in the phishing email, as you did on the Victim VM.

You should see a “Web Page Blocked” message. The Protected Client is protected against
compromise by the Stage 1 attack.

You can also see on the Attacker VM that no session was set up, so the exploit was never delivered.

In the next activity, we will take a closer look at how the next-generation firewall protects the Protected
Client from the Stage 1 attack.

End of Activity 1

Activity 2 – Protection with the Next-Generation
Firewall
In this activity, you will:

• Access the firewall and see how it helps to prevent a ransomware attack.

• Learn about the various layers of protection provided by the Palo Alto Networks next-
generation firewall.

• Witness Traps preventing a ransomware attack.

Task 1 - Review the Port-Based Policy for the Victim


In this task, you will access the firewall using the Security Admin VM to review how the next-generation
firewall prevented the first stage of attack on the Protected Client VM in the last activity. The firewall
policies configured in this lab are designed to highlight the traffic between the Victim, Attacker and
Protected Client VMs. Policies for an actual network are likely to be different.

Step 1: Open Security Admin tab.

The next few steps will give a quick walkthrough of the next-generation firewall GUI. If this is your first
time using a Palo Alto Networks next-generation firewall, you may want to read carefully.

The Dashboard tab widgets show you important information about the firewall, such as the software
version, the operational status of each interface, resource utilization, and more. All of the available
widgets are displayed by default, but each administrator can remove and add individual widgets, as
needed.

Step 2: Click on the ACC tab. This takes you to the Application Command Center, where you can get a
look at the applications and threats the firewall sees.

The Policies tab is where all firewall policies are configured. There are several policy types, from Security
policies, which decide which traffic is allowed or denied, to NAT and Decryption policies, which control
other functions of the next-generation firewall. Feel free to examine the different policy nodes on the left.

Step 3: Click on the Security node. The first policy, Victim to Attacker, is configured with a port-based
firewall policy. Click on Victim to Attacker to open the Security Policy Rule configuration window. Make
sure the Source is set to Victim and the destination is set to Attacker.

Step 4: Victim to Attacker is described as a port-based policy because its Application is set to any and its
Service allows ports 80, 443 and 8080: any application that happens to use one of those ports, including
the exploit kit traffic, is allowed. Review the Application and Service/URL Category tabs to confirm the
policy configuration.

Ports 80 and 443 are the standard ports for HTTP and SSL traffic, while port 8080 is often opened for
internal web servers that host internal webpages.

Step 5: Go to the Actions tab and note that Profile Setting is set to None, meaning no next-generation
protection is applied on this policy. This explains why the firewall did not provide any protection to the
Victim VM. Close the policy window.

Task 2 - Review the Policy for the Protected Client


Let’s look at the policy for the Protected Client VM and see how it is different.

Step 1: Click on the Protected Client to Attacker policy to open the Security Policy Rule configuration
window. Note that source and destination are set to Protected Client and Attacker.

Step 2: Go to the Application tab. Note that only selected applications (web-browsing, SSL and Flash)
are allowed.

Step 3: Go to the Service/URL Category tab. Note that application-default is selected, so those
applications are only allowed on their standard ports. You do not need to know which ports the selected
applications use: the Palo Alto Networks next-generation firewall keeps track of the default port for each
application.

Step 4: Go to the Actions tab. Note that protection profiles are configured for Antivirus, Vulnerability
Protection, Anti-Spyware, URL Filtering, Data Filtering and WildFire Analysis. These enable many
protections offered by the firewall.

Step 5: Change the URL Filtering protection to None. Let’s see if disabling URL Filtering will let the
Attacker VM exploit the Protected Client. Click OK to close the policy window.

Step 6: Click the Commit button in the top right-hand corner to confirm the changes. Click Commit again
in the Commit window to activate the configuration changes.

Task 3 - Re-Run the Ransomware on the Protected Client Without URL Filtering
Let’s revisit the phishing email on the Protected Client to see if removing URL Filtering protection will
allow the attacker to exploit the system.

Step 1: Go back to the Protected Client and close the Web Page Blocked window. Then click on the
Review Your Devices Now link in the phishing email again.

This time, the Google page will be allowed to open, which shows that the Protected Client VM is not
protected by URL Filtering. Let’s go to the Attacker VM and see if the exploit succeeds.

Step 2: Go to the Attacker browser tab. Note there is no listener session open. Hit enter to get back to
the prompt. Enter “sessions” to see if there are any open sessions. There should be none.

This indicates the Attacker VM was not successful in exploiting the Protected Client VM.

Step 3: Go to back to the Security Admin VM. Go to the firewall and review the traffic logs under
Monitor > Logs > Traffic. At the bottom, click Resolve hostname to enable it.

Step 4: Let’s review the traffic logs. Under the Source column, click on Protected Client. This will
populate the search window with the Protected Client VM’s source address. Then, under the Destination
column, click on Attacker to add the Attacker VM’s destination address to the filter.

Step 5: Click on the Apply Filter icon (an arrow pointing to the right) to apply the filter string.

Note that the traffic from the Protected Client VM on port 8080 is blocked by the firewall.

Does this mean all traffic on port 8080 is blocked? Let’s go to the firewall policy and find out.

Step 6: Go to the Policies tab > Security node and look at the Internal-Web-Servers-on-8080 policy.
This policy only allows web browsing applications on port 8080 for all internal web servers supported in
the policy. Since the Attacker VM is not in the Internal-Web-Servers-on-8080 group, traffic from the
Protected Client VM is blocked.

Step 7: Let’s allow the Attacker on this policy and see if we can compromise the Protected Client VM.
Click on the Internal-Web-Servers-on-8080 policy. In the Destination tab, add Attacker to the
Destination Address.

This policy is meant to allow only web browsing on the internal web servers, but if we also want to enable
Flash to run on the internal web servers, we will need to add Flash to this policy to allow it.

Step 8: Go to the Application tab and add Flash to this policy.

Step 9: Click the Commit button in the upper right-hand corner to confirm the changes, then click Commit
again in the Commit window to activate them.
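A small policy evaluator, added here as an illustration (it is not Palo Alto Networks code or the lab's actual configuration), models the three Security rules reviewed in Tasks 1 to 3 with first-match semantics: the port-based Victim to Attacker rule, the App-ID rule for the Protected Client with application-default, and Internal-Web-Servers-on-8080 before and after the Task 3 change. The IP addresses, the address group membership, the default-port table and the assumption that the 8080 rule carries the same security profiles are constructed for the example. Running it shows why the exploit served on port 8080 reaches the Victim but is denied for the Protected Client until the Attacker is added to the 8080 rule.

```python
"""Toy first-match security policy evaluator (added example, not PAN-OS code).

Models the three Activity 2 rules just closely enough to show the difference
between a port-based rule (application "any" on a set of ports) and an App-ID
rule with application-default.  Addresses, group members, default ports and the
profiles on the 8080 rule are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Assumed standard ports for the App-IDs used in the lab (check Applipedia for
# the real values).  application-default means "this app only on these ports".
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "flash": {80}}

# Constructed lab addresses and address group.
VICTIM, PROTECTED, ATTACKER = "10.0.0.10", "10.0.0.11", "192.168.1.50"
ADDRESS_GROUPS = {"Internal-Web-Servers": {"10.0.0.20", "10.0.0.21"}}

NGFW_PROFILES = frozenset({"antivirus", "vulnerability", "anti-spyware",
                           "url-filtering", "data-filtering", "wildfire"})


@dataclass
class Rule:
    name: str
    sources: set            # addresses, or {"any"}
    destinations: set       # addresses or address-group names, or {"any"}
    applications: set       # App-IDs, or {"any"}
    service: object         # "application-default" or a set of TCP ports
    profiles: frozenset = frozenset()
    action: str = "allow"


@dataclass
class Flow:
    src: str
    dst: str
    app: str    # App-ID the firewall identified for the session
    dport: int


def _dst_matches(rule, dst):
    for d in rule.destinations:
        if d == "any" or d == dst or dst in ADDRESS_GROUPS.get(d, ()):
            return True
    return False


def _service_matches(rule, flow):
    if rule.service == "application-default":
        return flow.dport in APP_DEFAULT_PORTS.get(flow.app, set())
    return flow.dport in rule.service


def evaluate(rules, flow):
    """Return (rule_name, action, profiles) for the first matching rule, or the
    implicit interzone deny if nothing matches."""
    for r in rules:
        if ("any" in r.sources or flow.src in r.sources) \
           and _dst_matches(r, flow.dst) \
           and ("any" in r.applications or flow.app in r.applications) \
           and _service_matches(r, flow):
            return r.name, r.action, r.profiles
    return "interzone-default", "deny", frozenset()


def lab_rules(attacker_on_8080_rule=False):
    """The three Activity 2 rules; the flag applies the Task 3 Step 7/8 change
    (Attacker added to the 8080 rule's destinations, flash added to its apps)."""
    dests = {"Internal-Web-Servers"} | ({ATTACKER} if attacker_on_8080_rule else set())
    apps = {"web-browsing"} | ({"flash"} if attacker_on_8080_rule else set())
    return [
        # Port-based: any application on 80/443/8080, no security profiles.
        Rule("Victim to Attacker", {VICTIM}, {ATTACKER}, {"any"}, {80, 443, 8080}),
        # App-ID based: named apps only, on their default ports, with profiles.
        Rule("Protected Client to Attacker", {PROTECTED}, {ATTACKER},
             {"web-browsing", "ssl", "flash"}, "application-default", NGFW_PROFILES),
        # Profiles on this rule are an assumption for the example.
        Rule("Internal-Web-Servers-on-8080", {"any"}, dests, apps, {8080}, NGFW_PROFILES),
    ]


if __name__ == "__main__":
    for label, rules in (("before Task 3", lab_rules()), ("after Task 3", lab_rules(True))):
        for f in (Flow(VICTIM, ATTACKER, "flash", 8080),
                  Flow(PROTECTED, ATTACKER, "web-browsing", 80),
                  Flow(PROTECTED, ATTACKER, "flash", 8080)):
            print(f"{label}: {f.src} -> {f.dst} {f.app}/{f.dport}: {evaluate(rules, f)[:2]}")
```

The Protected Client's page load on port 80 matches its App-ID rule (which is why the fake Google page appears once URL Filtering is off), while the exploit on port 8080 fails application-default and falls through to the implicit deny; only after the 8080 rule is widened does it match, and then the security profiles on that rule are what stop it.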

Task 4 - Re-Run the Ransomware Attack on the Protected Client


Now that we have removed a few more layers of protection from the firewall, let’s test the ransomware
attack again.

Step 1: Go back to the Protected Client and close the Google login window. Next, click the Review Your
Devices Now link in the phishing email. You should see the Google login page open again.

Step 2: Go to the Attacker VM and look at the Metasploit terminal. Metasploit will be trying to send the
Flash exploit, but it will not have completed the process.

Step 3: Hit Enter/Return in the Metasploit prompt, then enter the “sessions” command to look for open
sessions. You should not see any, meaning Metasploit still failed to deliver the Flash exploit.

Step 4: Go to the Security Admin VM and back to the firewall GUI. Click on the Monitor tab, then the
Traffic node. The filter you entered in the last task should still be there. You will now also see logs for
the flash application from the Protected Client VM: flash is allowed by the policy, but the session was
ended because a threat was detected by the security profiles on that rule.

Step 5: Go to the Threat logs to review more about the threat that was detected. You can see that, once
again, the next-generation firewall protected the Protected Client VM from the attack.

Task 5 - Remove the Next-Generation Firewall Protection from the Protected Client
Palo Alto Networks next-generation firewalls provide many layers of protection to prevent attacks. Here
are some of the layers applied to the Protected Client VM:

• URL Filtering to block access to exploit kit URLs.

• Vulnerability protection against exploits.

• Antivirus detection to prevent malware transfer.

• App-ID to explicitly deny unknown TCP port traffic.

We will not go through every layer, but we will disable all next-generation firewall protection by putting the
Protected Client VM to the same port-based policy as the Victim VM.

Step 1: From Security Admin, go to Policies > Security > Victim to Attacker policy > Source tab and
add the Protected Client to this port-based policy.

Step 2: Commit the changes. You may see some warnings messages. It is usually a bad idea to ignore
them, but for the purposes of this lab, that is what we are going to do.

Step 3: Go to the Protected Client and close the Google page. Next, go to the phishing email and click
on the Review Your Devices Now link again. The webpage will open, but after a moment, you will see a
Traps notification.

Even though you have removed all next-generation firewall protections from the Protected Client VM, it is
still protected by Traps advanced endpoint protection. We will see how Traps works to prevent the
ransomware attack on the Protected Client in the next activity.

Before we look at Traps, feel free to go back to the Attacker VM and check for an open attack session to
the Protected Client VM. Use the “sessions” command at the Metasploit prompt, and you should see no
open sessions.

End of Activity 2

Activity 3 - Advanced Endpoint Protection – Traps
In this activity, you will:

• See how Traps advanced endpoint protection prevented the exploit on the Protected Client.

• Explore how Traps agents are managed centrally from the Traps management service.

Task 1 - Review the Traps Client Console


In this task, you will access and review the Traps client on the Protected Client VM.

Step 1: Traps successfully detected and prevented the Flash exploit session from the Attacker VM in the
last activity. Click OK to close the Traps Prevention Alert window.

Step 2: If the Traps client console is not open, click the Traps icon on the Windows taskbar at the
bottom of the desktop. This should display the Traps client console, which will read “Advanced Endpoint
Protection is Enabled.”

Note the date and time of the last check-in, indicated in the bottom left of the Traps client console.

Step 3: Click the Check In Now link to connect to the Traps management service and retrieve any
updated security policies. These updates are normally done on a set heartbeat schedule.

The link will change momentarily to Connecting. Once the Traps client has completed the check-in
process, it will return to Check In Now.

Step 4: Click on Advanced… next to the Status tab to open the other tabs.

Step 5: Go to the Events tab, where you can see the details about the protection event triggered by the
exploit hosted by the Attacker VM.

Traps is a lightweight client that is centrally managed by the Traps management service. We will review
this in the next task.

Task 2 - Explore the Traps Management Service


In this task, we will log in to the Traps management service and review the different types of protections
offered by Traps.

Step 1: Go to the Security Admin VM, open a new tab and click on the Traps management service
bookmark.

Step 2: Click “LOGIN” on the Single Sign On page to be logged in with the supplied credentials. Note:
you will be using a read-only account.

On the Dashboard, you can get a quick glance of all connected Traps clients. The Dashboard provides a
high-level view about the status of the Traps agents managed by your Traps management service.

Step 3: Click on the Security Events node to review the events when the Traps agent identifies an
attempt to run a malicious file or process. Traps agents report security events when the file or process
matches your applied policy rules (either default policy rules or custom rules you define). When the event
occurs, Traps applies the action specified in the applied security profile, either block the malicious activity,
or allow and report the malicious activity.

The Traps management service ranks all events in order of severity, so you can quickly and easily see
the most important events when you log in to the Traps management service. You can then drill down into
the security events to determine if a security event is a real threat and, if so, you can remediate it. In
some cases, you may determine that a security event does not pose a real threat and can create an
exception for it.

Note: In your lab environment, all the VMs are cloned, including the Protected Client. Because the Traps
agent is cloned as well, all events will show the same Endpoint name.
Step 4: Click a Security Event to get additional details, WildFire verdicts, any defined Exceptions,
Comments and History.

You can learn a great deal from the record displayed in the table, such as the user, OS, process and
module associated with each security event prevented by Traps.

Step 5: Traps provides multiple prevention methods, each of which includes multiple purpose-built
prevention techniques tuned for maximum performance and accuracy.

These malware prevention capabilities include:

• WildFire Inspection and Analysis
• Static Analysis
• Execution Restrictions
• Trusted Publisher Identification
• Admin Override Policies
• Malware Quarantine

Please ask your instructor for more in-depth discussion of the malware prevention capabilities of Traps.

Step 6: Click the Profiles node to view the security profiles available to Windows, macOS, Linux and
Android.

The Traps management service provides default security profiles that you can use out of the box to begin
protecting your endpoints from threats immediately. While security rules enable you to block or allow files
to run on your endpoints, security profiles help you customize and reuse settings across different groups
of endpoints.
• Exploit – Exploit profiles block attempts to exploit system flaws in browsers, and in the operating
system. For example, Exploit profiles help protect against exploit kits, illegal code execution, and
other attempts to exploit process and system vulnerabilities. Exploit profiles are supported for
Windows, Mac, and Linux platforms.
• Malware – Malware profiles protect against the execution of malware including trojans, viruses,
worms, and grayware. Malware profiles serve two main purposes: to define how to treat behavior
common with malware such as ransomware or script-based attacks, and to define how to treat known
malware and unknown files. Malware profiles are supported for all platforms.
• Restriction – Restriction profiles limit where executables can run on the endpoint. For example, you
can restrict files from running from specific local folders or from removable media. Restriction profiles
are supported for Windows platforms.
• Agent Settings – Agent Settings profiles enable you to customize settings that apply to the Traps
app such as the disk space quota for log retention. For Mac and Windows platforms, you can also
customize user interface options for the Traps console such as accessibility and notifications.

Click on a Profile name to further explore the details for a given profile.

Step 7: Click the Policy Rules node to view the assigned Profiles based on operating system type.

The Traps management service provides out-of-the-box protection for all registered endpoints with a
default security policy for each type of platform. To fine-tune your security policy, you customize settings
in a security profile and attach that profile to a policy rule. Each policy rule that you create must apply to
one or more endpoints, endpoint groups, or Active Directory (AD) objects.

End of Activity 3

Activity 4 - Prevent Unknown Threat with WildFire Threat Intelligence Cloud
The WildFire™ cloud-based threat analysis service is the industry’s most advanced analysis and
prevention engine for highly evasive zero-day malware and exploits. A unique, multi-method
approach combines dynamic and static analysis, machine learning techniques, and
groundbreaking bare metal analysis to detect and prevent even the most evasive threats.

In this activity, you will:

• Learn about WildFire and how it works with the next-generation firewall and Traps.

Task 1 - Enable WildFire on the Next-Generation Firewall


Step 1: On the Security Admin VM, log in to the NGFW GUI.

Step 2: Go to Policies > Security and select the policy named Protected Client to Internet. In the
Actions tab, under Profile Setting, change WildFire Analysis from None to default. This will enable
WildFire Analysis on this policy. Click OK to close the window.

Click Commit to confirm the changes.

Task 2 - Review WildFire on Traps
Step 1: In the Security Admin VM, click on the Traps management service tab.

Step 2: Select the Profiles node and then click the win malware default profile.

Review the Examine Portable Executables and DLLs section. WildFire is enabled by Action Mode.
Also note that Block files with unknown verdict is enabled. This will prevent any file that does not have
an already known WildFire verdict from executing.

Task 3 - Download and Execute a Zero-Day Malware Sample File


Step 1: On the Protected Client, open Internet Explorer.

Step 2: Go to http://wildfire.paloaltonetworks.com/publicapi/test/pe or click the WildFire test file
bookmark in the bookmarks bar.

Step 3: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your
Downloads folder to confirm the download.

Step 4: Double-click wildfire-test-pe-file.exe to execute it.

Step 5: Even though this is a sample file and does not contain any exploit methods, Traps prevents it
from executing because WildFire does not recognize the file. This behavior is controlled by the Block
files with unknown verdict setting in the previous task.
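How the Restriction profile described in Activity 3 and the WildFire verdict checks in the two tasks above combine into a single run/block decision, as an added Python example. This is not code from this workshop guide or from the Traps product: the policy field names, the restricted path prefixes, the verdict strings and the file contents are all constructed for illustration, and sample submission to WildFire is not modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed "file contents" standing in for real executables.
KNOWN_GOOD = b"MZ constructed benign sample"
KNOWN_BAD = b"MZ constructed malicious sample"
NEVER_SEEN = b"MZ constructed never-submitted sample"


def sha256_of(content: bytes) -> str:
    """WildFire verdicts are keyed by file hash; SHA-256 is used here."""
    return hashlib.sha256(content).hexdigest()


# Constructed verdict cache: what the agent already knows from the Traps
# management service / WildFire.  Verdict words follow the workshop text.
VERDICTS: Dict[str, str] = {
    sha256_of(KNOWN_GOOD): "benign",
    sha256_of(KNOWN_BAD): "malicious",
}


@dataclass
class EndpointPolicy:
    """Assumed field names; they mirror the profile settings named in the guide."""
    wildfire_enabled: bool = True
    block_unknown_verdict: bool = True        # "Block files with unknown verdict"
    # Restriction profile: case-insensitive launch-path prefixes that may not run
    # (constructed: a removable drive letter and a shared download folder).
    restricted_prefixes: Tuple[str, ...] = ("d:\\", "c:\\users\\public\\downloads\\")


def evaluate(path: str, content: bytes, policy: EndpointPolicy,
             verdicts: Dict[str, str] = VERDICTS) -> Tuple[str, str]:
    """Return (action, reason) for an attempt to run `content` from `path`.

    Order of checks: restriction rules first (cheap, no hash lookup), then the
    cached WildFire verdict, then the unknown-verdict setting for anything the
    cloud has not classified yet.
    """
    lowered = path.lower()
    for prefix in policy.restricted_prefixes:
        if lowered.startswith(prefix):
            return "block", f"restriction: launches from {prefix!r} are not allowed"

    if not policy.wildfire_enabled:
        return "allow", "WildFire inspection disabled; no verdict check"

    verdict = verdicts.get(sha256_of(content), "unknown")
    if verdict == "malicious":
        return "block", "WildFire verdict: malicious"
    if verdict == "benign":
        return "allow", "WildFire verdict: benign"

    # Unknown: the sample would be submitted for analysis; whether it may run in
    # the meantime is decided by the profile setting.
    if policy.block_unknown_verdict:
        return "block", "WildFire verdict: unknown; unknown files are blocked"
    return "allow", "WildFire verdict: unknown; allowed and reported"


if __name__ == "__main__":
    downloads = "C:\\Users\\student\\Downloads\\"
    for name, content in (("wildfire-test-pe-file.exe", NEVER_SEEN),
                          ("good.exe", KNOWN_GOOD), ("bad.exe", KNOWN_BAD)):
        print(name, evaluate(downloads + name, content, EndpointPolicy()))
```

With the default policy the never-seen test file is blocked purely because no verdict exists for it, which is exactly the behaviour observed in Step 5; flipping `block_unknown_verdict` to `False` lets it run while still reporting the event, and a known-malicious hash is blocked regardless of that setting.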

Task 4 - Review WildFire Submission and Verdict on Traps


Step 1: In the Security Admin VM, click on the Traps management service tab. Select the Security
Events node and then click the WildFire Malware event.

This will bring up details for the event.

Scroll down to see all the collected information.

You can see that the WildFire module blocked the execution of the process and that the file has a current
verdict of unknown.

Step 2: Click the WildFire tab.

As seen from the Details tab, WildFire has not seen this file before, so the current verdict is unknown. The
executable has been uploaded and is in the process of being examined.

Note: It may take around 5 – 10 minutes for a verdict to be returned. You may proceed to the next task
and return to this step later.

Once a verdict has been returned, the WildFire column will show this file is malicious.

Task 6 - Review WildFire Submission and Verdict on the Firewall
Step 1: In the firewall GUI, click the Monitor tab, then click the WildFire Submissions node. Not only did
the Traps management service submit the executable when it was executed by the Traps client, but it
was also seen and submitted by the next-generation firewall through the download process. Note that this
can also take 5-10 minutes before the entry shows up.

Step 2: Expand the latest entry in the logs by clicking the magnifying glass.

Step 3: Note the Verdict of the WildFire analysis. It will be shown as “malicious.”

Step 4: Review the WildFire Analysis Report on the firewall by clicking on the WildFire Analysis Report
tab. Here, you will see detailed information about this malicious file.

WildFire will store this verdict and the full results of the analysis in the Threat Intelligence Cloud, making it
available to all Palo Alto Networks next-generation firewalls that subscribe to the WildFire service,
anywhere in the world.

End of Activity 4

Activity 5 - Protecting SaaS Applications with Aperture
In this activity, you will:

• See how Aperture protects your Sanctioned SaaS applications.

• Witness how Aperture and the Next-Generation Firewall work hand-in-hand.

Sanctioned applications are those allowed by your corporate IT team. The Aperture service connects to
the sanctioned SaaS application using the SaaS application’s API. This API integration allows the Aperture
service to discover and scan all assets retroactively when you first connect the SaaS application.

In this task, you will review how to configure sanctioned applications in the next-generation firewall and how
the Aperture™ SaaS security service can protect the sanctioned application and prevent malicious files from
spreading in your SaaS environment.

Task 1 - Sanctioned SaaS Applications


Step 1: On the Security Admin VM, in the NGFW tab, go to the Monitor tab. Under PDF Reports, select SaaS
Application Usage.

Step 4: Open the SaaS Application Report and click Run Now.

Step 5: Review the report.

Task 2 - SaaS Application Security with Aperture


Step 1: In the Security Admin VM, open a new tab and use the Aperture (SaaS) bookmark to open the
Aperture login page in the browser.

Step 2: Log in to Aperture using the account:

[email protected]

Step 3: Use the saved name and password to log in to the Aperture console. The account you will use in
this lab is a read-only account, but we can use it to demonstrate many powerful features in the next task.

Step 4: Your instructor will tell you more about Aperture. You can also watch this introduction video on
Aperture to learn more about the service:

https://www.youtube.com/watch?v=sGksNF3mONE

Task 3 - Aperture Dashboard


Step 1: Once logged in to the Aperture console, you will be on the Dashboard tab. As this is a demo
account, there is only one application connected. Click on 1 cloud app near the top of the Dashboard to
see more details about the application protected by Aperture.

Aperture supports a large and growing number of SaaS applications. An Aperture administrator can easily
add applications to be protected by the service.

Step 2: As the Aperture service starts scanning the sanctioned SaaS applications, the Dashboard
presents a summary of the scan in six widgets: Assets, Content Types, Incidents, Users, Policy Violations
and Collaborators. Scroll down the Dashboard to see all the widgets.

Assets widget — The Assets widget displays the top violations by exposure (public, external,
company, and internal) and the file types associated with the exposure.

Content Types widget — The Content Types widget displays the six predefined data pattern
groups and the total amount of content in the cloud. Click > to drill down into the details by
content category.

Incidents widget — The Incidents widget displays the number of active incidents detected
against data pattern and policy rule violations for each content type.

Step 3: Select the WildFire rule in the Incidents widget. You will jump to the Incidents tab, filtered to the
incidents triggered by the WildFire rule.

Task 4 - WildFire Analysis by Aperture and SaaS Risk Assessment Report
Step 1: Click an item in the Incidents window.

Step 2: Click on any risk to view a detailed report. You will find more information about the detected risk,
which applications it was found in and its level of exposure.

Note: Since this is a demo account shared by all lab users, you will see many
WildFire sample files uploaded here. Aperture scanning is not instantaneous, so you
may not immediately be able to see the sample you have uploaded.

Step 3: Go to the Reports tab and open the pre-generated sample SaaS Risk Assessment Report.
From here, you can also generate a SaaS Risk Assessment Report. Note that you are logged in as a
read-only user so the generate report option is not available.

Ask your instructor for more information about how Aperture works with next-generation firewalls to
protect your SaaS applications.

End of Activity 5

Activity 6 - Threat Intelligence with AutoFocus
Security teams, inundated by alerts and threat data, have too little time to follow up on every
event, let alone investigate advanced, targeted attacks. The issue isn’t a lack of information, but
rather the inability to surface high-impact threats and drive automated prevention from existing
intelligence. AutoFocus enables you to distinguish the most important threats from everyday
commodity attacks. Instead of seeing only that a malicious event has occurred, you immediately
know the context of an attack, such as the malware family, campaign or malicious actor targeting
your organization. AutoFocus will alert your security team about high-priority events, enabling
you to take swift action to mitigate their impact.

In this activity, you will:

• Learn more about how AutoFocus can help your security team gain visibility into known
and unknown threats.

• Learn how to integrate the Next-Generation Firewall with AutoFocus.

Task 1 - AutoFocus Overview – Demo Video


Watch this short video on how AutoFocus™ contextual threat intelligence service helps security teams
identify and prevent targeted attacks. We will explain the key concepts of AutoFocus and the benefits the
service provides.

https://www.youtube.com/watch?v=ysKBua3Bs4w

Task 2 - AutoFocus Integration with the Firewall
Step 1: AutoFocus is integrated with the PAN-OS® security operating system. If you have an AutoFocus
subscription on your Palo Alto Networks account, all PAN-OS devices in your account can benefit. Go to
the Device tab. Near the bottom of the sidebar, click Licenses. Notice the availability of AutoFocus
Device License.

Step 2: At the top of the sidebar, go to Setup > Management tab. Identify the AutoFocus window and
check that it is Enabled.

Step 3: Once AutoFocus is enabled on the next-generation firewall, you can query AutoFocus directly
from the firewall. Go to the Monitor tab. In the sidebar, click Logs > WildFire Submissions.

Step 4: Mouse over a file in the File Name column and click the black arrow that appears, then click on
AutoFocus to run the query.

The AutoFocus Intelligence Summary will open. It may take a short time to complete the query.

You will find useful information in this summary, such as the number of sessions Palo Alto Networks has
seen submitted with this file and the number of matching hashes.

AutoFocus is offered as a hosted security service that can be extended to Palo Alto Networks next-
generation firewalls and integrated with other third-party threat intelligence services. It is the primary
analysis tool used by Unit 42, the Palo Alto Networks threat intelligence team, to identify new threats,
correlate global data, identify connections between malicious samples, and build adversary or campaign
profiles.

Please ask your instructor if you would like to learn more about AutoFocus.

End of Activity 6

Activity 7 – Introduction to Cortex Data Lake/Logging Service
Palo Alto Networks Cortex Data Lake, previously known as Logging Service, is a cloud-based
offering for context-rich enhanced network logs generated by our security offerings, including
those of our Next-Generation Firewalls, GlobalProtect cloud service and Traps. The Cortex Data
Lake/Logging Service is the cornerstone of the Palo Alto Networks Cortex platform (previously
known as Application Framework), which provides a scalable ecosystem of security applications
that can apply advanced analytics in concert with Palo Alto Networks enforcement points to
prevent the most advanced attacks. In this activity, we will take a look at how to enable Cortex Data
Lake/Logging Service on the Palo Alto Networks firewall and begin your journey to the Cortex
platform/Application Framework.

To enable the Next-Generation Firewalls to send logs to the Cortex Data Lake/Logging Service,
they need to be managed by a Panorama device that is licensed with Premium Support and with
Cortex Data Lake/Logging Service. This lab will show you the configuration screens and their
settings related to the NGFW and Panorama.

Task 1 – Log into Network Security Management: Panorama


Step 1: From the Security Admin VM, open a new browser tab and open the Panorama bookmark.
Accept the self-signed certificate warning. Log in to Panorama with the username student and the
password utd246.

Step 2: In your Panorama, across the upper right, navigate to the Panorama tab, then on the bottom left
the Licenses node. Check that the Premium Support license and the Logging Service license exist.

Step 3: In your Panorama, navigate to the Panorama tab > Managed Devices node > Summary sub-
node and check that the Firewall is a managed device. You will see your NGFW device here.

Note that this step and the following step verify that managed firewalls inherit the Logging Service license
from Panorama.

Step 4: In your Panorama, navigate to the Panorama tab > Device Deployment node > and Licenses
sub-node to check that the Firewall is licensed for the Logging Service.

Task 2 – Check the Panorama cloud services plugin and the Cloud Services status
Step 1: In your Panorama, navigate to the Panorama tab > Plugins node and check that the
cloud_services plugin is uploaded and installed. Note: since you have a read-only account, this screen
will not load.

Note that these plugins are normally downloaded from the Customer Support Portal.

Step 2: In your Panorama, navigate to the Panorama tab > Cloud Services node > Status sub-node
and check Status color and the amount of Storage Used by Logging Service, and the estimated Log
Retention. For this lab environment, the number you see may fluctuate.

Note that the screenshot above is only possible because the Panorama has a cloud services plugin
installed and authenticated with Palo Alto Networks using a One Time Password generated through the
Support Portal. These steps were performed prior to this lab.

Task 3 – Forwarding Logs to Cortex Data Lake/Logging Service with Template and Device Object


Note that the steps below can be performed either by using the Panorama or by using the Firewall
configuration screens. The steps will show the screens on Panorama. Make sure the Device
Group is always set to “Logging Service”.

Step 1: Click on Templates > Device and select the Setup node.

Step 2: Navigate to the Management tab, scroll down to Logging Service and view the configuration.
Both Enable Logging Service and Enable Enhanced Application Logging are enabled, and the
Region is americas.

Note that enhanced application logs are new as of PAN-OS 8.1 and enable the Firewall to send DHCP
logs, DNS logs, and additional HTTP headers directly to Logging Service, without saving them to disk.
Cortex XDR and other applications in the Cortex platform/App Framework use these logs for analytics.

Step 3: Navigate to the Objects tab > Log Forwarding node and view the Log Forwarding Profile
named Logging_Service_Profile.

Step 4: Navigate to the Objects tab > Security Profiles > URL Filtering node and view the
URL_Alert_All object. Make sure Device Group is set to Logging_Service.

Step 5: Navigate to the Policies tab > Security node > Post Rules subnode and check that
Example_policy rule has the correct Action for Log Setting. The Log Forwarding option should be set
to Logging_Service_Profile and the Profile Setting for URL Filtering should be set to URL_Alert_All.

This is all you need. Any rule set to use the Logging Service profile will send logs to the Cortex Data
Lake/Logging Service.

End of Activity 7

Activity 8 – Cortex XDR
Security teams are constantly challenged to prevent data breaches. The issues originate from too
many alerts, too few security analysts, narrowly-focused tools, lack of integration, and time. The
more they react, the further behind they get. Palo Alto Networks has developed a breakthrough
approach to SOC visibility, investigation and speedy resolution called XDR. XDR stands for
detection and response, where the “X” represents any data source, be it network,
endpoint, or cloud. XDR brings visibility to the security team across all aspects of the
infrastructure, breaking down silos and presenting a holistic picture of the organization’s activity
in order to improve security operations and posture. From a business perspective, XDR enables
organizations to prevent successful cyberattacks as well as simplify and strengthen security
processes. This, in turn, enables them to better serve users and accelerate digital transformation
initiatives—because when users, data and applications are protected, companies can focus on
strategic priorities. With XDR, you can uncover stealthy threats with behavior analytics,
investigate events, and hunt down threats with powerful search tools.

Task 1 – Introduction to Cortex Hub


Step 1: From your laptop, use a browser and navigate to the Palo Alto Networks Cortex Hub (previously
known as App Portal). The URL is https://apps.paloaltonetworks.com. If you already have an account,
you can log in using the credentials for your Palo Alto Networks Customer Support Portal.

Cortex Hub consists of the Cloud Services Portal, APIs, and Infrastructure services. The Cortex Hub
includes Palo Alto Networks delivered apps, as well as many partner-delivered apps. Cortex brings true
openness and extensibility to the platform—allowing customers to leverage the most innovative security
technologies as a seamless extension of the Palo Alto Networks platform.

Task 2 – Cortex XDR Analytics Review
Behavioral analytics are essential for stopping attacks. Machine learning enables you to detect low and
slow behaviors accurately and automatically, which is not possible with static rules that look for known
patterns and are not accurate for behavioral detection. XDR obtains data from multiple sources (network,
endpoint and cloud) and stitches them together to create a picture of what is happening.

XDR behavioral analytics enable security teams to detect and stop advanced attacks. XDR analyzes
endpoint, network and cloud data with machine learning. XDR accurately identifies behavior anomalies
that indicate an attack. XDR focuses on network-based attack behaviors and, using XDR Pathfinder
endpoint analysis, can determine which endpoint processes are responsible for attacks. This integrated
endpoint analysis helps security analysts identify which apps or tools, such as PowerShell or WMI, were
used for attacks.

XDR analyzes data stored in the Cortex Data Lake Service (data from Palo Alto Networks endpoints, the
cloud, and the next-generation firewalls), including information on users, devices and applications. XDR
examines multiple logs, including Enhanced Application Logs, which provide data specifically designed
for analytics, allowing XDR to track attributes that are nearly impossible to ascertain from traditional threat
logs or high-level network flow data.

The analysis that XDR performs is based on a combination of unsupervised and supervised machine-
learning techniques. XDR uses unsupervised machine learning to model user and device behavior,
perform peer-group analysis, and cluster devices into relevant groups of behavior. Based on these
profiles, XDR detects anomalies compared to past behavior and peer behavior. XDR also monitors
multiple characteristics of network traffic to classify each device by type, such as a desktop computer,
mobile device or mail server. XDR also learns which users are IT administrators or normal users. With
supervised machine learning, XDR recognizes deviations from expected behavior based on the type of
user or device, reducing false positives.
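A minimal illustration of the peer-group idea in the task above: a device's daily behavior is scored against its own history and against other devices of the same type, and only a value that is unusual on both counts is flagged. This is an added Python example using only the standard library; it is not Cortex XDR's algorithm, the telemetry (distinct internal hosts contacted per day) and the device-type labels are constructed, and the labels are assumed to be given rather than learned as the guide describes.

```python
import statistics
from typing import Dict, List

# Constructed telemetry: per device, the number of distinct internal hosts it
# contacted on each of the last seven days.
HISTORY: Dict[str, List[int]] = {
    "ws-01": [4, 5, 4, 6, 5, 4, 5],
    "ws-02": [3, 4, 4, 5, 4, 3, 4],
    "ws-03": [5, 5, 6, 4, 5, 6, 5],
    "ws-04": [4, 4, 5, 5, 4, 4, 5],
    "srv-mail": [120, 118, 125, 130, 121, 119, 124],
}

# Device-type labels (assumed given here; the guide says XDR learns them).
DEVICE_TYPE: Dict[str, str] = {
    "ws-01": "workstation", "ws-02": "workstation",
    "ws-03": "workstation", "ws-04": "workstation",
    "srv-mail": "server",
}


def zscore(value: float, samples: List[int]) -> float:
    """Standard score of `value` against `samples` (population std dev)."""
    mean = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def peer_samples(device: str, history: Dict[str, List[int]] = HISTORY,
                 types: Dict[str, str] = DEVICE_TYPE) -> List[int]:
    """All observations from other devices of the same type."""
    return [v for other, values in history.items()
            if other != device and types[other] == types[device]
            for v in values]


def score_today(device: str, today: int, history: Dict[str, List[int]] = HISTORY,
                types: Dict[str, str] = DEVICE_TYPE) -> Dict[str, float]:
    """Compare today's value with the device's own past and with its peer group."""
    self_z = zscore(today, history[device])
    peers = peer_samples(device, history, types)
    # A device with no peers (the lone mail server) is judged on its own history.
    peer_z = zscore(today, peers) if peers else self_z
    return {"self": self_z, "peer": peer_z}


def is_anomalous(device: str, today: int, threshold: float = 3.0) -> bool:
    """Flag only when today's value is unusual for this device AND for its peers."""
    scores = score_today(device, today)
    return scores["self"] > threshold and scores["peer"] > threshold


if __name__ == "__main__":
    for device, today in (("ws-01", 60), ("ws-01", 6), ("srv-mail", 130)):
        print(device, today, score_today(device, today), is_anomalous(device, today))
```

The point of requiring both scores is the one the task makes about device type: a mail server talking to 130 hosts is normal for a mail server, while a workstation that suddenly reaches 60 internal hosts is abnormal both for itself and for every other workstation, so it is worth an analyst's attention.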

Task 3 – Cortex XDR Investigation and Response Review
Achieving 100% prevention is extremely difficult for any organization. Security Operations Centers today
purchase many niche security products, and then face the burden of tracking and managing the many
alerts coming in from different platforms and tools. It can take days to weeks for one SOC
engineer to investigate a single suspicious activity or alert, which may lead to nothing in the end.

XDR Investigation and Response provides deep root-cause analysis to show the chain of events all tied
together in one place. Traps sends security event data and EDR logs, and the firewall sends firewall and
threat logs to the Cortex Data Lake, where XDR can use the data. By stitching the data together, you
have one coherent story on what happened, including the entire chain of events that occurred. From this
we can obtain a causality (taken from the term cause and effect), which is basically the chain of execution
related to the alert, including all involved processes. Causality continuously and automatically analyzes
data to identify the chains of events associated with any process, host, user, connection, or file to reveal
the attack-chain behind every threat. It visualizes the causality of events, automating the dot-connection
process that an investigator would otherwise have to do manually. The result will be a full root-cause
analysis of why an alert was raised (both detection and prevention alerts), what the potential damage
might be, and many notable items that require attention. After you understand the cause, you can then
respond and adapt to the alert.
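What "causality" means in practice, as an added Python example: starting from the process an alert fired on, follow parent links back to the root of the execution chain and gather the network connections made by any process in that chain. This is not Cortex XDR's code or log schema; the process-start events, network events and the alert are constructed (destination addresses come from the RFC 5737 documentation ranges), and the field names are assumptions.

```python
from typing import Dict, List

# Constructed process-start telemetry from one endpoint.  ppid 4 stands for a
# system process whose own start was not recorded, so the walk stops there.
PROCESS_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe",   "user": "student"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "user": "student"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "user": "student"},
    {"pid": 400, "ppid": 300, "image": "unknown.exe",    "user": "student"},
    {"pid": 500, "ppid": 100, "image": "chrome.exe",     "user": "student"},  # unrelated
]

# Constructed network telemetry; destinations are documentation addresses.
NETWORK_EVENTS: List[Dict] = [
    {"pid": 300, "dst": "203.0.113.10:443"},
    {"pid": 500, "dst": "198.51.100.7:443"},
]

# Constructed alert, in the spirit of the Traps "WildFire Malware" event earlier.
ALERT = {"pid": 400, "name": "WildFire Malware", "action": "prevented"}


def index_by_pid(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def causality_chain(alert_pid: int, events: List[Dict]) -> List[Dict]:
    """Walk parent links from the alerting process to the root; root first.

    Stops at a parent that was never observed and guards against cycles, which
    pid reuse in real telemetry can otherwise produce.
    """
    by_pid = index_by_pid(events)
    chain: List[Dict] = []
    seen = set()
    pid = alert_pid
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def related_connections(chain: List[Dict], net_events: List[Dict]) -> List[str]:
    """Network destinations contacted by any process in the chain."""
    pids = {p["pid"] for p in chain}
    return [e["dst"] for e in net_events if e["pid"] in pids]


def summarize(alert: Dict, events: List[Dict] = PROCESS_EVENTS,
              net_events: List[Dict] = NETWORK_EVENTS) -> Dict:
    """Root-cause summary: who started what, and what the chain talked to."""
    chain = causality_chain(alert["pid"], events)
    return {
        "alert": alert["name"],
        "root": chain[0]["image"] if chain else None,
        "user": chain[0]["user"] if chain else None,
        "chain": [p["image"] for p in chain],
        "connections": related_connections(chain, net_events),
    }


if __name__ == "__main__":
    print(summarize(ALERT))
```

The summary shows the analyst the whole story at once: the blocked file was started by PowerShell launched from a Word document under the user's desktop session, and the only external connection tied to that chain belongs to the PowerShell process; the unrelated browser process sharing the same root is not pulled in, because membership is decided by the parent links, not by the user or the root alone.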

See more at https://www.paloaltonetworks.com/products/xdr

End of Activity 8

Activity 9 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and
the labs that we have prepared for you. Please take a few minutes to complete the online survey
form to tell us what you think about this event.

Task 1 – Take the online survey


Step 1: In your lab environment, click on the “Survey” tab.

Step 2: Please complete the survey, and let us know what you think about this event.

End of Activity 9

Lab Setup

Firewall VM-Series

Interface      Int Type   IP Address      Connects to Zone
Management     -          10.30.21.1      -
Ethernet 1/1   L3         172.16.2.1      "Untrust"
Ethernet 1/2   L3         10.80.2.1       "Intranet"
Ethernet 1/3   L3         192.168.21.1    "Trust"
Ethernet 1/4   Tap        -               "Tap"
