-
Please note: In the English-language online format (dates are marked with an English flag in this case), the course lasts four days from 8:30-12:00 (Irish Time).
-
In this course, you will learn how to use the Cortex XDR management console to investigate attacks. It explains causality chains, the detectors in the Analytics Engine, the difference between alerts and logs, log stitching, and the concepts behind causality and analytics.
You will learn how to analyze alerts using the causality and timeline views and how to use advanced response actions such as remediation suggestions, the EDL (External Dynamic List) service and remote script execution. Several modules focus on how to use the collected data: you will create simple search queries in one module and XDR rules in another. The course demonstrates the use of special investigation views that visualize artifact-related data, such as the IP and hash views, and provides an introduction to the Cortex Query Language (XQL). The course concludes with Cortex XDR's capabilities for collecting external data, including using the Cortex XDR API to ingest alerts from external sources.
-
Course Contents
-
- Cortex XDR Incidents
- Causality and Analytics Concepts
- Causality Analysis of Alerts
- Advanced Response Actions
- Building Search Queries
- Building XDR Rules
- Investigation Views
- Introduction to XQL
- External Data Collection
-
Target Group
-
Cybersecurity analysts and engineers, as well as security operations specialists.
-
Knowledge Prerequisites
-
Participants must have attended the course EDU-260 (Cortex XDR: Prevention and Deployment).
-
Complementary and Follow-on Courses
-
For customers using Cortex XDR Prevent, the recommended course is Cortex XDR: Prevention and Deployment (EDU-260), while customers using Cortex XDR Pro should take both Cortex XDR: Prevention and Deployment (EDU-260) and Cortex XDR: Investigation and Response (EDU-262).
-
Classroom training
- Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and direct exchange among all course participants? Then book one of our classroom training dates!
-
Hybrid training
- Hybrid training means that online participants can join a classroom course remotely. The dynamics of a real seminar are maintained, and the online participants benefit from them. Online participants of a hybrid course use a collaboration platform such as WebEx Training Center or Saba Meeting. For this, a PC with a browser and Internet access is required, as well as a headset and ideally a webcam. In the seminar room, we use specially developed and customized audio and video technology to ensure that communication between everyone involved works conveniently and without faults.
-
Online training
- Would you like to attend this course online? We offer online dates for this course topic. To attend these seminars, you need a PC with Internet access (minimum data rate 1 Mbps), a headset when working via VoIP, and optionally a camera. For further information and technical recommendations, please refer to.
-
Tailor-made courses
-
Do you need a special course for your team? In addition to our standard offer, we will also support you in creating customized courses that precisely meet your individual requirements. We will be glad to advise you and prepare an individual offer.
