    Cortex® XDR Prevent Administrator's Guide
    Palo Alto Networks
    Last Updated: Thu Aug 04 00:12:42 PDT 2022

    Table of Contents
    • Cortex® XDR™ Overview
      • Cortex® XDR™ Prevent Architecture
      • about-cortex-xdr-protection
      • Cortex XDR Licenses
        • Features by Cortex XDR License Type
        • Cortex Endpoint Agent License Allocation
        • Cortex XDR License Expiration
        • Cortex XDR License Monitoring
    • Get Started with Cortex® XDR™ Prevent
      • Set up Cortex XDR Prevent Overview
      • Plan Your Deployment
        • Migrate from Traps Endpoint Security Manager to Cortex XDR
        • Differences between Endpoint Security Manager and Cortex XDR
      • Manage User Roles
        • Permission Management
        • Access Management
          • Manage Users
          • Manage Roles
          • Manage User Groups
          • Manage Single Sign-On
        • Predefined User Roles for Cortex XDR
          • XDR Account Admin
          • Instance Administrator
          • Deployment Admin
          • Investigator
          • Investigation Admin
          • Responder
          • Privileged Investigator
          • Privileged Responder
          • IT Admin
          • Privileged IT Admin
          • Privileged Security Admin
          • Viewer
          • Scoped Endpoint Admin
          • Security Admin
        • Manage User Scope
      • Activate
      • Set Up Cloud Identity Engine
      • Manage Your Log Storage within Cortex XDR
      • Set up Endpoint Protection
        • Plan Your Agent Deployment
        • Enable Access to Cortex XDR
          • Resources Required to Enable Access to Cortex XDR
        • Proxy Communication
        • Integrate External Threat Intelligence Services
      • Configure Cortex® XDR™
        • Set up Your Cortex Environment
      • Set up Outbound Integration
      • Use the Cortex XDR Interface
        • Manage Tables
    • Endpoint Security
      • Communication Between Cortex® XDR™ and Agents
      • Manage Cortex XDR Agents
        • Create an Agent Installation Package
        • Set an Application Proxy for Cortex XDR Agents
        • Move Cortex XDR Agents Between Managing XDR Servers
        • Upgrade Cortex XDR Agents
        • Set a Cortex XDR Agent Critical Environment Version
        • Delete Cortex XDR Agents
        • Uninstall the Cortex XDR Agent
        • Set an Alias for an Endpoint
        • Manage Endpoint Tags
        • Manage Agent Tokens
          • Retrieve Support File Password
      • Define Endpoint Groups
      • File Analysis and Protection Flow
      • About Content Updates
      • Endpoint Protection Capabilities
      • Endpoint Protection Modules
      • Endpoint Security Profiles
        • Add a New Exploit Security Profile
          • Processes Protected by Exploit Security Policy
        • Add a New Malware Security Profile
          • WildFire® Analysis Concepts
        • Add a New Restrictions Security Profile
        • Manage Endpoint Security Profiles
      • Customizable Agent Settings
        • Add a New Agent Settings Profile
        • Endpoint Data Collected by Cortex XDR
        • Configure Global Agent Settings
      • Apply Security Profiles to Endpoints
      • Exceptions Security Profiles
        • Add a New Exceptions Security Profile
        • Add a Global Endpoint Policy Exception
      • Hardened Endpoint Security
        • Device Control
        • Host Firewall
          • Host Firewall for Windows
          • Host Firewall for macOS
        • Disk Encryption
    • Investigation and Response
      • Investigate Incidents
        • Incidents
        • Manage Incident Starring
        • Triage Incidents
        • Manage Incidents
      • Investigate Alerts
        • Alerts
        • Triage Alerts
        • Manage Alerts
        • Alert Exclusions
          • Add an Alert Exclusion Policy
        • Causality View
      • Investigate Endpoints
        • Action Center
          • Manage Endpoint Actions
        • View Details About an Endpoint
        • Retrieve Files from an Endpoint
        • Retrieve Support Logs from an Endpoint
        • Scan an Endpoint for Malware
      • Investigate Files
        • Manage File Execution
        • Manage Quarantined Files
        • Review WildFire® Analysis Details
        • Import File Hash Exceptions
      • Response Actions
        • Isolate an Endpoint
        • Pause Endpoint Protection
        • Initiate a Live Terminal Session
    • Broker VM
      • Broker VM Overview
      • Set up Broker VM
        • Configure the Broker VM
          • Create a Broker VM Amazon Machine Image (AMI)
          • Create a Broker VM Azure Image
          • Set up the Broker VM on Google Cloud Platform (GCP)
          • Create a Broker VM Image for Alibaba Cloud
          • Create a Broker VM Image for a Nutanix Hypervisor
          • Create a Broker VM Image for Ubuntu
        • Activate the Local Agent Settings
      • Manage Your Broker VMs
        • View Broker VM Details
        • Edit Your Broker VM Configuration
        • Collect Broker VM Logs
        • Reboot a Broker VM
        • Shut Down a Broker VM
        • Upgrade a Broker VM
        • Open a Remote Terminal
        • Remove a Broker VM
      • Broker VM Notifications
    • Monitoring
      • Cortex XDR Dashboard
        • Dashboard Widgets
        • Predefined Dashboards
        • Build a Custom Dashboard
        • Manage Dashboards
        • Run or Schedule Reports
      • Monitor Cortex XDR Incidents
      • Monitor Cortex Gateway Management Activity
      • Monitor Administrative Activity
      • Monitor Agent Activity
      • Monitor Agent Operational Status
    • Log Forwarding
      • Log Forwarding Data Types
      • Integrate Slack for Outbound Notifications
      • Integrate a Syslog Receiver
        • Syslog Server Test Message Errors
      • Configure Notification Forwarding
      • Cortex XDR Log Notification Formats
        • Management Audit Log Messages
        • Alert Notification Format
        • Agent Audit Log Notification Format
        • Management Audit Log Notification Format
        • Cortex XDR Log Formats
    • Managed Security
      • About Managed Security
      • Cortex XDR Managed Security Access Requirements
      • Switch to a Different Tenant
      • Pair a Parent Tenant with Child Tenant
      • Manage a Child Tenant
        • Track your Tenant Management
        • Investigate Child Tenant Data
        • Create and Allocate Configurations
        • Create a Security Managed Action

    © 2022 Palo Alto Networks, Inc. All rights reserved.