Palo Alto Cortex XDR Proving Ground Lab

46 Launches
Solution Overview

WWT's ATC Palo Alto Cortex XDR Proving Ground Lab exists to provide a consolidated solution built around relevant use cases. This lab seeks to demonstrate the Palo Alto Cortex XDR platform's cloud-based management console application with the ability to investigate and identify the root cause of an alert, perform immediate response actions and prevent breaches using defined Indicators of Compromise (IOCs) and Behavioral Indicators of Compromise (BIOCs).

This lab consists of several servers running common enterprise applications that include Palo Alto Cortex XDR, Splunk and Active Directory (w/DNS). Common log application servers are configured with integrations to emulate normal network activity. Several workstations both Windows 7 and Windows 10 exist across two distinct network locations (Headquarters and Operations). Some of these machines are randomly conducting various attacks which will generate alerts within the Cortex XDR app to explore.

You will access the environment using a Windows-based jumphost from which you can browse web consoles, open RDP/SSH sessions, etc.

Goals & Objectives

The purpose of this lab is to help you develop proficiency in navigating the Cortex XDR platform, management console and examining endpoint agent deployment, alert detection and monitoring capabilities of the XDR solution. This lab makes use of the advanced Cortex XDR's platform monitoring features to view the process of compromising endpoints through several attack techniques.

The lab environment allows you to:

  • Login to the Palo Alto Cortex XDR cloud-based management console application.
  • Navigate the Cortex XDR web interface, view alerts, and examine the workflow.
  • Access the Proving Ground environment.
  • Perform attack techniques to compromise an endpoint.
  • View Cortex XDR advanced monitoring and event logging of compromised endpoints for improved visibility.

Hardware & Software


  • Palo Alto Cortex XDR
  • Splunk Log Collector
  • Palo Alto VM – Series Firewall
  • Active Directory (w/DNS)


  • 1x Windows Jumphost (Windows Server 2016)
  • 1x Splunk Server (CentOS 7)
  • 1x Sentry Server (CentOS 7)
  • 1x Syslog Server (CentOS 6)


  • 4x Windows 10 Client (Windows 10 Enterprise)
  • 3x Windows 7 Client (Windows 7 Enterprise)
  • 3x Red Hat Clients (Red Hat Enterprise Linux 7)
  • 1x Attack Client (Kali Linux)


  • Palo Alto Cortex XDR