# The Hunter Diaries Part 2 - An Inside Job

By [Oded Awaskar](https://www.paloaltonetworks.com/blog/author/oded-awaskar/?ts=markdown "Posts by Oded Awaskar"), Jun 25, 2021, 11 minutes

[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown) [Hunting](https://www.paloaltonetworks.com/blog/tag/hunting/?ts=markdown) [Insider](https://www.paloaltonetworks.com/blog/tag/insider/?ts=markdown) [Insider Threat](https://www.paloaltonetworks.com/blog/tag/insider-threat/?ts=markdown)
[MTH](https://www.paloaltonetworks.com/blog/tag/mth/?ts=markdown) [Threat Hunting](https://www.paloaltonetworks.com/blog/tag/threat-hunting/?ts=markdown)

### **Overview**

In this post we want to emphasize the importance of not only looking for MITRE ATT\&CK TTPs in an attempt to flesh out adversaries, but also considering the role corporate employees play as the human element in the breach equation. Yes, the employees to whom we have granted permissions, and whom we trust with virtually every piece of information within our organization. Those employees can easily be used against the organization, knowingly or inadvertently. Below, we outline popular insider use cases with their matching Cortex XDR XQL queries, which you can implement in your day-to-day hunting routine.

### **Use case #1 - Overly-confident admin users**

Here's a fairly popular scenario: an admin legitimately needs to access a certain file or service, but their non-admin user has no access to it. What would the admin do?

1. Go through the bureaucratic path and request permissions for their non-admin user.
2. Remotely log in to a server located in a different VLAN with their admin user and access the same file or service from there.
3. Launch an elevated explorer.exe/cmd.exe with their admin user on their personal laptop and perform the task there.

We can already envision most of the admins reading this post trying to hide a sly smile while reading option 3. The real problem with option 3 is that you are now logged in with your admin account on a machine that is far more exposed to threats than, say, your Domain Controller. Your admin account's Kerberos tickets now reside in that workstation's memory (LSASS), where a threat actor with local code execution can extract and reuse them (pass-the-ticket and similar techniques) for privilege escalation or lateral movement. This is why the Cortex Managed Threat Hunting team has created the following query to assist you in locating workstations that are logged in with both admin and non-admin accounts in your organization.
```
config case_sensitive = false  // Setting the query to be case-insensitive
| dataset = xdr_data           // Using the xdr dataset
| filter event_type = PROCESS and event_sub_type = PROCESS_START
    and actor_effective_username not contains "system"
    and actor_effective_username not contains "network service"
    and actor_effective_username not contains "local service"
    and actor_effective_username not contains "DWM"
    and actor_effective_username not contains "_tmp"
| fields agent_hostname as Hostname, actor_effective_username as Username
| join (dataset = xdr_data
        | filter event_type = PROCESS
            and causality_actor_process_image_name = "explorer.exe"
            and actor_effective_username contains "adm") as AdminHosts Hostname = AdminHosts.agent_hostname
| dedup Hostname, Username
| sort asc Hostname, asc Username
```

A few notes regarding the query:

1. It is case insensitive.
2. Uses the "join" function to match hosts where an admin user has an interactive (explorer.exe) session against every other user who started processes on the same host.
3. Drops built-in accounts (SYSTEM, NETWORK SERVICE, LOCAL SERVICE, DWM and temporary profiles).
4. De-duplicates the results based on Hostname + Username.

Tips for query enhancement:

1. Filter out all hosts where admin users are allowed to log in, such as jump hosts and servers: `agent_hostname != "*\*"`
2. Make sure to target your admin account naming convention appropriately; `contains "adm"` on its own also matches ordinary usernames that happen to contain that substring: `actor_effective_username contains "\"`

This query will assist you in targeting those admin users who are possibly abusing their admin accounts on their corporate machines rather than using them only to perform administrative tasks. Our recommendations in this case are as follows:

1. Implement a corporate policy under which administrative accounts may only log in from dedicated, secured VLANs.
2. Educate admin users on WHY this is a real problem for the organization if such a machine is breached.
3. Schedule the query to run every week to map new results.

### **Use case #2 - Uploading somewhere?**

Cloud storage is becoming more affordable, and most organizations now prefer corporate cloud storage over traditional on-prem storage. With that said, have you ever thought about a user who logs into their own personal cloud account and syncs corporate files to it? Part of the Cortex Managed Threat Hunting team's tasks is to watch for anomalies in uploads going to the cloud, since such uploads essentially leave the organization with no control over the data.
*(Unlike the query above, this one needs a few adjustments to match your organization, for example the list of cloud clients and your authorized tenant.)*

```
config case_sensitive = false
| dataset = xdr_data  // Using the xdr dataset
| filter event_type = NETWORK
    and (actor_process_image_name contains "googledrive" or actor_process_image_name contains "onedrive"
         or actor_process_image_name contains "dropbox" or actor_process_image_name contains "baidu")
    and (action_external_hostname != "")
// Selecting the relevant fields
| fields action_upload, action_remote_ip as remote_ip, action_external_hostname as remote_hostname,
         actor_process_image_name as process_name, actor_causality_id, actor_process_image_sha256 as sha_256,
         agent_hostname as Hostname, actor_effective_username as Username
| join (dataset = xdr_data
        | filter event_type = NETWORK
            and (actor_process_image_name contains "googledrive" or actor_process_image_name contains "onedrive"
                 or actor_process_image_name contains "dropbox" or actor_process_image_name contains "baidu")
            and (action_external_hostname != "")
        | fields action_upload, action_remote_ip as remote_ip, action_external_hostname as remote_hostname,
                 actor_process_image_name as process_name, actor_causality_id, actor_process_image_sha256 as sha_256,
                 agent_hostname as Hostname, actor_effective_username as Username
        | join (dataset = xdr_data
                | filter event_type = NETWORK
                    and (actor_process_image_name contains "googledrive" or actor_process_image_name contains "onedrive"
                         or actor_process_image_name contains "dropbox" or actor_process_image_name contains "baidu")
                    and (action_external_hostname != "")
                | fields action_upload, action_remote_ip as remote_ip, action_external_hostname as remote_hostname,
                         actor_process_image_name as process_name, actor_causality_id, actor_process_image_sha256 as sha_256,
                         agent_hostname as Hostname, actor_effective_username as Username
                // Total upload per process + remote host + endpoint + user, keeping only totals above 100 MiB
                | comp sum(action_upload) as total_upload by process_name, remote_hostname, Hostname, Username
                | filter total_upload > 104857600) as Uploading_Agents Hostname = Uploading_Agents.Hostname
        // Number of distinct uploading users per process + remote host + endpoint
        | comp count(Username) as counter by process_name, remote_hostname, Hostname
        | sort asc counter) as Upload_agent Hostname = Upload_agent.Hostname
// Total upload per process + remote host + endpoint + user
| comp sum(action_upload) as total_upload by process_name, remote_hostname, Hostname, Username
| sort desc total_upload  // Sorting by total upload
```

A few notes regarding the query:

1. It is case insensitive.
2. Looks for the executables of popular cloud sync clients: Google Drive, Microsoft OneDrive, Dropbox and Baidu Drive. Uploads made through a browser are not covered.
3. Outputs a list of all Hostname\\User pairs that uploaded more than 100 MiB (104857600 bytes) to one of these services, sorted by total upload.

Tips for query enhancement:

1. Filter out authorized cloud clients (your corporate tenant) to reduce the number of false positives.
2. When targeting Microsoft OneDrive, add the following filter to target uploads towards non-corporate (personal) accounts: `action_external_hostname contains "users.storage.live.com"`

Our recommendations in this case are as follows:

1. Block the executables of non-authorized cloud clients to prevent future uploads.
2. Educate users on the risks of uploading corporate data to personal cloud storage.
3. Schedule the query to run every week to map new results.

### **Use case #3 - passwords.xlsx**

Let's face it: when it comes to password management, collectively we have a problem. Not only do we have too many passwords to remember, but those passwords are getting more complex and more restrictive. It's pretty clear to all of us in the industry that these policies are needed; it is not so clear to our users, who only see the cumbersome requirements. Hence, in an attempt to keep track of all of them, a user will go ahead and create an innocent file called "passwords.txt" or "passwords.docx" to store all of their passwords in a single place for future reference. The more sophisticated users will even password-protect the file.

The fundamental problem here actually lies with us, the security professionals who failed to educate the user on ***WHY*** it is so dangerous to store those credentials in plain text. But properly educating users on security awareness is a topic for another post, so I'll just say it once: "Saying ***'Don't'*** to a user is great; saying ***'Don't'*** to a user and explaining **why** is far better!"

So the user has created this file, yet why is it so risky? Because from a threat actor's point of view, such a file is low-hanging fruit on initial access to a machine. A plaintext password can save an attacker a whole lot of time when attempting to elevate their session or move laterally within the organization. This is the reason the Cortex Managed Threat Hunting team has created the following query, which will assist you in hunting for files containing cleartext passwords within your organization.
```
config case_sensitive = false  // Setting the query to be case-insensitive
| dataset = xdr_data           // Using the xdr dataset
| filter action_file_name contains "password"
    and (action_file_name contains ".doc" or action_file_name contains ".xls"
         or action_file_name contains ".txt" or action_file_name contains ".csv")
    and action_file_path not contains "chrome" and action_file_path not contains "firefox"
    and action_file_name not contains "~$" and action_file_name not contains ".lnk"
    and action_file_name not contains ":Zone.Identifier"
    and actor_effective_username not contains "system"
    and actor_process_image_name not contains "chrome.exe" and actor_process_image_name not contains "cmd.exe"
    and actor_process_image_name not contains "java.exe" and actor_process_image_name not contains "searchprotocolhost.exe"
    and action_file_path contains "users"
| fields action_file_name as FileName, action_file_path as File_Path, actor_effective_username as User,
         agent_hostname as Hostname, actor_process_image_name as Acting_Process
| dedup FileName, Hostname
| sort asc User, asc Hostname
```

A few notes regarding the query:

1. It is case insensitive.
2. Focuses on the following file extensions: .doc\*, .xls\*, .txt and .csv (substring matches, so .docx and .xlsx are included).
3. Focuses on the local profile folders (paths containing "users").
4. Excludes many false positives caused by process and file naming conventions: Office lock files starting with ~$, shortcuts, Zone.Identifier alternate data streams, browser profile folders, and indexing or scripting processes.
5. De-duplicates the results based on FileName + Hostname.

Note that the query matches on file names only; a password list saved under an innocuous name is invisible to it, which is why the recommendations below focus on eliminating the practice rather than on detection alone.

Tips for query enhancement:

1. Add more file extensions regularly used in your environment: `action_file_name contains ".\"`
2. Add the word "password" in your users' native languages, e.g. `action_file_name contains "Passwort" or action_file_name contains "Passwörter"`
3. Add home folders located on Network Attached Storage devices: `action_file_path contains "desktop" or action_file_path contains "\"`

Screenshot of expected results:

![screenshot of expected results](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/06/word-image-86.png)

While this is far from being a sophisticated hunting technique, you would be surprised by the sheer number of users (including privileged ones!) and files we were able to locate by utilizing this method. Our recommendations in this case are as follows:

1. Implement a corporate-wide password vault solution.
2. Eliminate any use of files containing clear-text passwords.
3. Educate users on the risks associated with using such files.
4. Schedule the query to run every week to map new results.

### **Summary**

In conclusion, the threat hunter's job is far from routine and repetitive. A good threat hunter will always strive to look for anomalies and events that aren't necessarily caught by security products because, in isolation, they are not malicious. There's nothing wrong with logging into a machine with a Domain Admin account, unless it's a regular workstation; furthermore, we recommend using dedicated software to manage privileged accounts of any type. There's nothing wrong with uploading a file to the cloud, unless it's a personal account and the file is company information. There's also nothing wrong with storing passwords in a plain text file (OK, we couldn't find an "unless" here). It's **totally wrong** to store passwords in a plain text file, no matter what the situation is. All of these things are probably being done, unintentionally, by users in your organization. We hope the provided XQL queries will assist you in locating and remediating them. Happy hunting!
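To make the logic of the three hunts above concrete and testable outside Cortex XDR, here is an added Python example that is not part of the original post and not Cortex XDR code. It re-implements use case #1 (hosts with both admin and non-admin sessions, including the tip to allow-list hosts where admins may log in), use case #2 (upload totals per process, remote host, endpoint and user above 100 MiB, with the authorized-tenant and personal-OneDrive tips) and use case #3 (password-named documents under user profiles, with the native-language tip) over constructed sample records. The records, the `DOMAIN\adm-<user>` naming convention, the `sharepoint.com` corporate tenant and the `JUMP-01` allow-listed host are all assumptions made for the example; the field names mirror the `xdr_data` fields the queries reference but the data is made up.

```python
"""The three hunts from this post, re-implemented over constructed sample telemetry.
All records below are made up for this example and only mimic the xdr_data field names the XQL
queries use; the DOMAIN\\adm-<user> convention, sharepoint.com tenant and JUMP-01 host are assumptions."""
import re
from collections import defaultdict

# ---- Use case #1: hosts where an admin and a non-admin account are both logged in ----
PROCESS_EVENTS = [  # constructed PROCESS_START events
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "causality_actor_process_image_name": "explorer.exe"},
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\adm-jdoe", "causality_actor_process_image_name": "explorer.exe"},
    {"agent_hostname": "WS-0042", "actor_effective_username": "NT AUTHORITY\\SYSTEM", "causality_actor_process_image_name": "services.exe"},
    {"agent_hostname": "JUMP-01", "actor_effective_username": "corp\\adm-jdoe", "causality_actor_process_image_name": "explorer.exe"},
    {"agent_hostname": "WS-0077", "actor_effective_username": "corp\\asmith", "causality_actor_process_image_name": "explorer.exe"},
]
BUILTIN_ACCOUNTS = ("system", "network service", "local service", "dwm", "_tmp")
ADMIN_RE = re.compile(r"\\adm-", re.IGNORECASE)  # assumed convention, tighter than the query's contains "adm"

def dual_login_hosts(events, allowed_admin_hosts=frozenset()):
    """{host: sorted users} for hosts with an admin explorer.exe session plus a non-admin user,
    mirroring the query's join + dedup, with the tip to skip hosts where admins may log in."""
    users_by_host, admin_hosts = defaultdict(set), set()
    for ev in events:
        host, user = ev["agent_hostname"], ev["actor_effective_username"]
        if any(b in user.lower() for b in BUILTIN_ACCOUNTS):
            continue  # the query drops built-in accounts the same way
        users_by_host[host].add(user)
        if ev["causality_actor_process_image_name"].lower() == "explorer.exe" and ADMIN_RE.search(user):
            admin_hosts.add(host)
    return {h: sorted(users_by_host[h]) for h in sorted(admin_hosts - set(allowed_admin_hosts))
            if any(not ADMIN_RE.search(u) for u in users_by_host[h])}

# ---- Use case #2: more than 100 MiB uploaded by a cloud sync client ----
NETWORK_EVENTS = [  # constructed NETWORK events; action_upload is bytes sent
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "actor_process_image_name": "OneDrive.exe", "action_external_hostname": "users.storage.live.com", "action_upload": 80 * 2**20},
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "actor_process_image_name": "OneDrive.exe", "action_external_hostname": "users.storage.live.com", "action_upload": 50 * 2**20},
    {"agent_hostname": "WS-0077", "actor_effective_username": "corp\\asmith", "actor_process_image_name": "OneDrive.exe", "action_external_hostname": "contoso-my.sharepoint.com", "action_upload": 300 * 2**20},
    {"agent_hostname": "WS-0077", "actor_effective_username": "corp\\asmith", "actor_process_image_name": "Dropbox.exe", "action_external_hostname": "client.dropbox.com", "action_upload": 5 * 2**20},
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "actor_process_image_name": "chrome.exe", "action_external_hostname": "drive.google.com", "action_upload": 500 * 2**20},
]
CLOUD_CLIENTS = ("googledrive", "onedrive", "dropbox", "baidu")
UPLOAD_THRESHOLD = 104857600  # 100 MiB, the query's cut-off

def large_cloud_uploads(events, threshold=UPLOAD_THRESHOLD, authorized_suffixes=("sharepoint.com",)):
    """Sum action_upload per (process, remote host, endpoint, user) like the query's comp sum(),
    drop the authorized corporate tenant (tip 1) and flag personal OneDrive traffic (tip 2).
    Returns [((process, remote, host, user), total_bytes, is_personal_onedrive)] sorted by total."""
    totals = defaultdict(int)
    for ev in events:
        proc, remote = ev["actor_process_image_name"].lower(), ev["action_external_hostname"].lower()
        if not remote or not any(c in proc for c in CLOUD_CLIENTS) or remote.endswith(authorized_suffixes):
            continue  # browser uploads (chrome.exe) are out of scope for this hunt, as in the query
        totals[(proc, remote, ev["agent_hostname"], ev["actor_effective_username"])] += ev["action_upload"]
    rows = [(key, total, "users.storage.live.com" in key[1]) for key, total in totals.items() if total > threshold]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# ---- Use case #3: password-named documents in user profile folders ----
FILE_EVENTS = [  # constructed FILE events
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "actor_process_image_name": "EXCEL.EXE", "action_file_name": "passwords.xlsx", "action_file_path": "C:\\Users\\jdoe\\Desktop\\passwords.xlsx"},
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "actor_process_image_name": "EXCEL.EXE", "action_file_name": "~$passwords.xlsx", "action_file_path": "C:\\Users\\jdoe\\Desktop\\~$passwords.xlsx"},
    {"agent_hostname": "WS-0101", "actor_effective_username": "corp\\mmueller", "actor_process_image_name": "notepad.exe", "action_file_name": "Passwörter.txt", "action_file_path": "C:\\Users\\mmueller\\Documents\\Passwörter.txt"},
    {"agent_hostname": "WS-0101", "actor_effective_username": "corp\\mmueller", "actor_process_image_name": "notepad.exe", "action_file_name": "Passwörter.txt:Zone.Identifier", "action_file_path": "C:\\Users\\mmueller\\Documents\\Passwörter.txt:Zone.Identifier"},
    {"agent_hostname": "WS-0042", "actor_effective_username": "corp\\jdoe", "actor_process_image_name": "chrome.exe", "action_file_name": "password.csv", "action_file_path": "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\password.csv"},
    {"agent_hostname": "SRV-01", "actor_effective_username": "NT AUTHORITY\\SYSTEM", "actor_process_image_name": "java.exe", "action_file_name": "passwords.txt", "action_file_path": "C:\\Program Files\\App\\passwords.txt"},
]
PASSWORD_WORDS = ("password", "passwort", "passwörter")   # tip 2: native-language terms added
EXTENSIONS = (".doc", ".xls", ".txt", ".csv")             # substring match, so .docx and .xlsx count too
EXCLUDED_NAME_PARTS = ("~$", ".lnk", ":zone.identifier")  # Office lock files, shortcuts, ADS
EXCLUDED_PATH_PARTS = ("chrome", "firefox")               # browser profile folders
EXCLUDED_PROCS = ("chrome.exe", "cmd.exe", "java.exe", "searchprotocolhost.exe")

def password_files(events):
    """Apply the query's name/path/process filters, dedup on file name + hostname and sort by
    user then host; returns (user, host, path, process) tuples."""
    seen, hits = set(), []
    for ev in events:
        name, path = ev["action_file_name"].lower(), ev["action_file_path"].lower()
        proc, user = ev["actor_process_image_name"].lower(), ev["actor_effective_username"].lower()
        if not (any(w in name for w in PASSWORD_WORDS) and any(e in name for e in EXTENSIONS)):
            continue
        if any(x in name for x in EXCLUDED_NAME_PARTS) or any(x in path for x in EXCLUDED_PATH_PARTS):
            continue
        if "system" in user or proc in EXCLUDED_PROCS or "users" not in path or (name, ev["agent_hostname"]) in seen:
            continue
        seen.add((name, ev["agent_hostname"]))
        hits.append((ev["actor_effective_username"], ev["agent_hostname"], ev["action_file_path"], ev["actor_process_image_name"]))
    return sorted(hits, key=lambda h: (h[0].lower(), h[1]))

if __name__ == "__main__":
    print(dual_login_hosts(PROCESS_EVENTS, allowed_admin_hosts={"JUMP-01"}))
    for key, total, personal in large_cloud_uploads(NETWORK_EVENTS):
        print(key, f"{total // 2**20} MiB", "personal OneDrive" if personal else "")
    for hit in password_files(FILE_EVENTS):
        print(hit)
```

Run with `python3 hunts.py` (any file name works). On the constructed data the first hunt returns only `WS-0042` (both `corp\jdoe` and `corp\adm-jdoe` had explorer.exe sessions there), while `JUMP-01` drops out because only an admin was seen on it; the second hunt reports the two OneDrive events to `users.storage.live.com` summed to 130 MiB and flagged as personal, and ignores the SharePoint tenant, the 5 MiB Dropbox sync and the browser upload; the third hunt keeps `passwords.xlsx` and `Passwörter.txt` and discards the `~$` lock file, the Zone.Identifier stream, the Chrome profile export and the SYSTEM-owned file outside a user profile. Two deliberate deviations from the queries are worth noting: the admin match is a regex on the assumed `\adm-` prefix rather than `contains "adm"`, and the authorized-tenant filter matches on hostname suffix, which is how you would encode tip 1 of use case #2 in XQL as well.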
### For more information on Managed Threat Hunting:

Download our [**Cortex XDR Managed Threat Hunting Solution Brief**](https://www.paloaltonetworks.com/resources/techbriefs/cortex-xdr-managed-threat-hunting)

[**Download our Cortex XDR Whitepaper**](https://www.paloaltonetworks.com/resources/whitepapers/cortex-xdr)