

Palo Alto Networks Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

Cortex XDR

  • Palo Alto Networks Cortex XDR Server 2.9 (content 156)
  • Cortex XDR Agent version 7.3.1
  • Palo Alto Firewall PA-VM 10.0.2

Product Description

Cortex XDR - Extended Detection and Response

Cortex XDR is the industry’s first extended detection and response platform that natively integrates network, endpoint, cloud, and third-party data to stop sophisticated attacks. Cortex XDR has been designed from the ground up to help organizations secure their digital assets and users while simplifying operations. Using behavioral analytics, it identifies unknown and highly evasive threats targeting your network. Machine learning and AI models uncover threats from multiple sources, including managed and unmanaged devices.

Cortex XDR helps you accelerate investigations by providing a complete picture of each alert. It stitches different types of data together and reveals the root cause and timeline of alerts, allowing analysts of all experience levels to perform triage. Tight integration with enforcement points lets you respond to threats anywhere in your organization or restore hosts to a clean state easily.

Cortex XDR Protects You at Every Stage of Security Operations

Attackers continually innovate. To outpace them, security teams must implement a repeatable process to proactively block attacks with best-in-class prevention and to discover and stop active threats. Cortex XDR gives you the tools to accomplish four iterative steps:

  • Prevent
  • Automatically detect
  • Rapidly investigate
  • Respond and adapt

This framework provides everything you need to secure your organization today and in the future.

Achieve Closed-Loop Prevention, Detection, and Response

Ironclad security starts with great prevention. To this end, Cortex XDR delivers best-in-class prevention to stop exploits, malware, ransomware, and fileless attacks. Designed for minimal endpoint impact, the lightweight Cortex XDR agent blocks attacks while simultaneously collecting event data for Cortex XDR.

The Cortex XDR agent offers a complete prevention stack, starting with the broadest set of exploit protection modules available to block the exploits that lead to malware infections. Every file is examined by an adaptive AI-driven local analysis engine that’s always learning to counter new attack techniques. A Behavioral Threat Protection engine examines the behavior of multiple, related processes to uncover attacks as they occur.

Combining multiple methods of prevention, our next-generation antivirus (NGAV) stands apart in its ability to protect endpoints. It integrates with the Palo Alto Networks WildFire® malware prevention service to analyze suspicious files in the cloud and coordinate protection across all Palo Alto Networks security products. You can quickly deploy the unified, cloud-delivered agent to your endpoints to instantly start blocking advanced attacks and collecting data for detection and response.

Palo Alto Networks provides a complete portfolio of network, endpoint, and cloud security offerings that prevent attacks by combining the latest breakthroughs in security, automation, and analytics. Cortex XDR integrates with these world-leading technologies, including our Next-Generation Firewalls, Prisma® Access, and an array of third-party tools, enabling you to prevent advanced attacks while also collecting data for detection and response.

Product Configuration

Product Configuration Detection Evaluation

  • Palo Alto Networks Cortex XDR Agent was configured in detect-only mode with prevention disabled per request by MITRE (Linux and Windows).
  • Palo Alto Networks Next-Generation Firewall was configured in report-only mode with prevention disabled per request by MITRE.

Product Configuration Protection Evaluation

  • Palo Alto Networks Cortex XDR Agent was configured with the default policy settings, with the following modifications:
    • In the Windows Malware profile we enabled “quarantine malicious files” for “Portable Executable and DLL Examination” and “Behavioral Threat Protection.”
    • In the Linux Malware profile we enabled “treat grayware as malware” for “ELF Files Examination” and we enabled “quarantine malicious files” in the “Local File Threat Examination.”
  • The Palo Alto Networks Next-Generation Firewall was configured with default policy settings.