# Cortex XDR: Fortify the SOC Against SolarStorm, Variants and Imitators

By [Kasey Cross](https://www.paloaltonetworks.com/blog/author/kasey-cross/?ts=markdown "Posts by Kasey Cross"), Dec 31, 2020, 5 minutes
![Image for SolarWinds campaign, discussing detection of and defense against SolarStorm](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/SW-Landing-Page-image.jpg)

On Dec. 13, the world learned of the now-infamous SolarWinds supply chain attack. The "SolarStorm" threat group infected countless SolarWinds Orion servers with a Trojanized DLL file and eluded detection for months.

While organizations chase down their SolarWinds servers and investigate the impact of the attack, it's important to prepare more broadly for what inevitably comes next. An attack of this level of sophistication, conducted by suspected nation-state operators, highlights a set of tactics, techniques and procedures (TTPs). It's only a matter of time before copycats reverse-engineer and reuse elements of the attack. In addition, the original threat actors behind the attack will undoubtedly update their methods, changing not only indicators of compromise (IOCs) like domain names, but also adversary tactics and tools to evade security controls. Protecting against these unavoidable threats requires a robust and layered defense.

Across our product portfolio, Palo Alto Networks deployed updates to [help customers](https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/) protect against the SolarStorm attack. In this post, we will specifically highlight the updates to our Cortex XDR product that help SOC teams on the front lines defend against not just the SolarStorm attack but also SolarStorm variants and imitators. The key principle in defeating advanced adversaries is to continuously improve real-time prevention capabilities and to give teams the right tools to detect and hunt down threats fast.
By combining multiple layers of defense, from prevention to detection, investigation and response, Cortex XDR helps SOC teams fend off the risk of intrusion at every step. Here's what we've added to help protect security teams.

## **Block Threats in Real Time With Fortified Endpoint Protection**

Real-time prevention is the first line of defense in any proactive security strategy. When Palo Alto Networks experienced an [attempt to download Cobalt Strike](https://www.paloaltonetworks.com/blog/2020/12/solarwinds-statement-solarstorm/) on one of our IT SolarWinds servers, Cortex XDR successfully prevented the SolarStorm attack by blocking the attempt with our Behavioral Threat Protection capability.

After further analyzing the behaviors associated with the recent attacks, our XDR research team has developed additional protections in the Cortex XDR agent to help keep our customers safe from the SolarStorm group and its imitators. Specifically, we have:

* Introduced new Behavioral Threat Protection rules that identify the unique behaviors of the [SUNBURST backdoor](https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/) file and other malicious DLL files used in the attack.
* Updated the machine learning models in our local analysis engine by adding the malicious files to our training database, allowing the models to extract attributes shared with the Trojanized DLL files.
* Added new child process protection rules to prevent legitimate applications from running malicious code identified in the SolarStorm attack.

In addition, the [WildFire](https://www.paloaltonetworks.com/products/secure-the-network/wildfire) malware analysis engine has been updated to block the SUNBURST backdoor files and Cobalt Strike BEACON files associated with SolarStorm. The Cortex XDR agent integrates with WildFire for cloud-based analysis of files.
## **Detect and Hunt Down Intrusions in Near Real Time**

In addition to the prevention controls outlined above, Cortex XDR now includes a comprehensive set of queries in the XQL query library to help hunt down intrusions that bypass prevention controls. Because the SolarStorm threat group targeted the Azure Active Directory (AD) service and attempted to read emails, the queries also identify Azure AD and email-based threats. These queries empower threat hunters to find:

* All endpoints with SolarWinds software installed.
* SolarWinds-infected processes that drop an executable, connect to a non-SolarWinds domain, create or modify a service, or conduct other malicious activity.
* Changes to Azure AD authentication settings, such as disabling single sign-on, adding unverified domains or modifying domain certificates.
* Azure tenants that were granted access to an Azure AD application.
* New or updated Azure AD service accounts.
* New mail read permissions added to a user account.

![Cortex XDR now includes a comprehensive set of SolarStorm-specific queries in the XQL query library to help hunt down, investigate and provide defense against SolarStorm in case of potential intrusions that bypass prevention controls.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/a-screenshot-of-a-computer-description-automatica.png)

Figure 1. A sample query uncovers evidence of the SolarWinds attack.

In addition to the queries that expedite threat hunting, a number of detectors were incorporated into Cortex XDR to automatically detect behaviors associated with SolarStorm TTPs that may be deployed by a broader group of adversaries. These automated alerts include:

* Domain federation settings that have been modified.
* Unverified domains added to Azure AD.
* IOCs associated with the SolarStorm attack.

The first two detection rules uncover attempts to compromise authentication controls by analyzing Azure AD audit logs.
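The second hunting query above (SolarWinds processes that drop an executable, contact a non-SolarWinds domain, or create or modify a service) can be expressed as plain detection logic over endpoint telemetry. This is an added example, not Cortex XDR's own XQL query: the events, host names, service name and process path are constructed samples, and the known-good domain allowlist is an assumption you would replace with the domains your own Orion deployment legitimately contacts.

```python
"""Hunt for SolarWinds processes doing things an Orion host should not do.

Added example, not Cortex XDR's own XQL query. The events are constructed, the
process path is a sample, and KNOWN_GOOD_DOMAINS is an assumed allowlist.
"""
from collections import defaultdict

KNOWN_GOOD_DOMAINS = {"solarwinds.com"}          # assumed vendor allowlist
EXEC_SUFFIXES = (".exe", ".dll", ".ps1")          # what "drops an executable" means here
SERVICE_VERBS = {"create": "created", "modify": "modified"}


def is_solarwinds_process(image_path):
    """Treat any binary under a SolarWinds install path as a SolarWinds process."""
    return "solarwinds" in image_path.lower()


def domain_is_known_good(domain):
    """Exact match or subdomain of an allowlisted domain (no suffix tricks)."""
    d = domain.lower().rstrip(".")
    return any(d == g or d.endswith("." + g) for g in KNOWN_GOOD_DOMAINS)


def classify(event):
    """Return a finding for one suspicious SolarWinds-process event, else None."""
    if not is_solarwinds_process(event.get("actor_image", "")):
        return None                                # other processes are out of scope here
    kind = event["type"]
    if kind == "file_write" and event["path"].lower().endswith(EXEC_SUFFIXES):
        return f"dropped executable {event['path']}"
    if kind == "network" and not domain_is_known_good(event["domain"]):
        return f"connected to non-SolarWinds domain {event['domain']}"
    if kind == "service" and event["action"] in SERVICE_VERBS:
        return f"{SERVICE_VERBS[event['action']]} service {event['name']}"
    return None


def hunt(events):
    """Group findings by host so each suspicious Orion server surfaces once."""
    by_host = defaultdict(list)
    for e in events:
        finding = classify(e)
        if finding:
            by_host[e["host"]].append(finding)
    return dict(by_host)


# Constructed sample telemetry: orion-01 misbehaves, orion-02 only talks to the vendor.
ORION = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"
SAMPLE_EVENTS = [
    {"host": "orion-01", "actor_image": ORION, "type": "network", "domain": "api.solarwinds.com"},
    {"host": "orion-01", "actor_image": ORION, "type": "network", "domain": "cdn-update.example"},
    {"host": "orion-01", "actor_image": ORION, "type": "file_write", "path": r"C:\Windows\Temp\upd.exe"},
    {"host": "orion-01", "actor_image": ORION, "type": "service", "action": "create", "name": "OrionHelper"},
    {"host": "orion-01", "actor_image": r"C:\Windows\System32\svchost.exe", "type": "file_write",
     "path": r"C:\Windows\Temp\patch.exe"},                      # not a SolarWinds process: ignored
    {"host": "orion-02", "actor_image": ORION, "type": "network", "domain": "api.solarwinds.com"},
]


def hunt_sample():
    """Run the hunt over the constructed sample and return findings per host."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, findings in hunt_sample().items():
        print(host, "->", "; ".join(findings))
```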
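The two Azure AD detection rules just described (modified domain federation settings, unverified domains added) and the related hunting query (single sign-on disabled, domain certificates modified) all reduce to watching a handful of operations in the Azure AD audit log. The following is an added example, not Cortex XDR's own detector: the records use a simplified, flattened schema, and the activity names and property names are assumptions modelled on Azure AD audit-log activity names that you would map onto your own tenant's export.

```python
"""Flag Azure AD audit-log events that change a tenant's authentication controls.

Added example, not Cortex XDR's own detector. Records are constructed and
flattened; activity and property names are assumptions to map onto real exports.
"""

# Assumed activity names for operations that alter how users authenticate.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
UNVERIFIED_DOMAIN_OPS = {"Add unverified domain"}
CERT_PROPERTIES = {"SigningCertificate", "NextSigningCertificate"}


def classify(event):
    """Return the findings one audit record raises (empty list if none)."""
    op = event.get("activityDisplayName", "")
    props = {}
    for target in event.get("targetResources", []):
        for p in target.get("modifiedProperties", []):
            props[p["displayName"]] = p.get("newValue")
    findings = []
    if op in UNVERIFIED_DOMAIN_OPS:
        findings.append("unverified domain added")
    if op in FEDERATION_OPS:
        findings.append("domain federation settings modified")
        # Moving a domain from Federated to Managed switches off federated SSO for it.
        if props.get("Authentication") == "Managed":
            findings.append("single sign-on disabled for domain")
        if CERT_PROPERTIES.intersection(props):
            findings.append("domain signing certificate modified")
    return findings


def scan(records):
    """Return (domain, actor, findings) for every record that raises findings."""
    hits = []
    for e in records:
        f = classify(e)
        if f:
            domain = e["targetResources"][0]["displayName"]
            hits.append((domain, e["initiatedBy"], f))
    return hits


# Constructed sample export: three risky changes and one benign user update.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Add unverified domain", "initiatedBy": "admin@corp.example",
     "targetResources": [{"displayName": "sso-login.example", "modifiedProperties": []}]},
    {"activityDisplayName": "Set federation settings on domain", "initiatedBy": "admin@corp.example",
     "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
         {"displayName": "SigningCertificate", "newValue": "<constructed-cert>"}]}]},
    {"activityDisplayName": "Set domain authentication", "initiatedBy": "svc-sync@corp.example",
     "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
         {"displayName": "Authentication", "newValue": "Managed"}]}]},
    {"activityDisplayName": "Update user", "initiatedBy": "helpdesk@corp.example",
     "targetResources": [{"displayName": "jdoe@corp.example", "modifiedProperties": [
         {"displayName": "JobTitle", "newValue": "Analyst"}]}]},
]


def scan_sample():
    """Run the detector over the constructed sample and return its hits."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for domain, actor, findings in scan_sample():
        print(f"{domain:20} {actor:24} {', '.join(findings)}")
```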
Since Active Directory is a top target for cunning adversaries the world over, these rules protect against any threat group deploying such techniques. Combined with Cortex XDR's extensive behavioral analytics capabilities, these rules rapidly detect anomalies in the post-intrusion stages of an attack, including credential abuse, lateral movement and exfiltration.

![Strong defense against SolarStorm includes using detection rules that identify attacks targeting Azure AD, as shown here in the Cortex XDR interface.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/12/word-image-18.png)

Figure 2. Detection rules identify attacks targeting Azure AD.

These alerts and out-of-the-box queries make it easy for security teams to detect and hunt for indications of a breach.

## **Palo Alto Networks: Your Port in the (Solar)Storm**

In responding to SolarStorm, we need to protect against not only the original attack, but also the variants and copycats that try to use similar techniques and tactics. As new details of SolarStorm variants emerge, the Cortex XDR research team will continue to release updates to identify and stop associated threat vectors. We've also established a [rapid response program](https://www.paloaltonetworks.com/solarstorm-rapid-response) that helps you discover, investigate and recover from a breach if you've been compromised. Visit our SolarStorm resource center to learn more about our two rapid response offerings.