Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Security Operations
Cortex XDR
Cortex® XDR Prevent Administrator’s Guide

Last Updated:

Thu Aug 04 00:12:42 PDT 2022

Table of Contents

Search the Table of Contents

Cortex® XDR™ Overview

Cortex® XDR™ Prevent Architecture

about-cortex-xdr-protection

Cortex XDR Licenses

Features by Cortex XDR License Type

Cortex Endpoint Agent License Allocation

Cortex XDR License Expiration

Cortex XDR License Monitoring

Get Started with Cortex® XDR™ Prevent

Set up Cortex XDR Prevent Overview

Plan Your Deployment

Migrate from Traps Endpoint Security Manager to Cortex XDR

Differences between Endpoint Security Manager and Cortex XDR

Manage User Roles

Permission Management

Access Management

Manage Users

Manage Roles

Manage User Groups

Manage Single Sign-On

Predefined User Roles for Cortex XDR

XDR Account Admin

Instance Administrator

Deployment Admin

Investigator

Investigation Admin

Responder

Privileged Investigator

Privileged Responder

IT Admin

Privileged IT Admin

Privileged Security Admin

Viewer

Scoped Endpoint Admin

Security Admin

Manage User Scope

Activate

Set Up Cloud Identity Engine

Manage Your Log Storage within Cortex XDR

Set up Endpoint Protection

Plan Your Agent Deployment

Enable Access to Cortex XDR

Resources Required to Enable Access to Cortex XDR

Proxy Communication

Integrate External Threat Intelligence Services

Configure Cortex® XDR™

Set up Your Cortex Environment

Set up Outbound Integration

Use the Cortex XDR Interface

Manage Tables

Endpoint Security

Communication Between Cortex® XDR™ and Agents

Manage Cortex XDR Agents

Create an Agent Installation Package

Set an Application Proxy for Cortex XDR Agents

Move Cortex XDR Agents Between Managing XDR Servers

Upgrade Cortex XDR Agents

Set a Cortex XDR Agent Critical Environment Version

Delete Cortex XDR Agents

Uninstall the Cortex XDR Agent

Set an Alias for an Endpoint

Manage Endpoint Tags

Manage Agent Tokens

Retrieve Support File Password

Define Endpoint Groups

File Analysis and Protection Flow

About Content Updates

Endpoint Protection Capabilities

Endpoint Protection Modules

Endpoint Security Profiles

Add a New Exploit Security Profile

Processes Protected by Exploit Security Policy

Add a New Malware Security Profile

WildFire® Analysis Concepts

Add a New Restrictions Security Profile

Manage Endpoint Security Profiles

Customizable Agent Settings

Add a New Agent Settings Profile

Endpoint Data Collected by Cortex XDREndpoint Data Collection

Configure Global Agent Settings

Apply Security Profiles to Endpoints

Exceptions Security Profiles

Add a New Exceptions Security Profile

Add a Global Endpoint Policy Exception

Hardened Endpoint Security

Device Control

Host Firewall

Host Firewall for Windows

Host Firewall for macOS

Disk Encryption

Investigation and Response

Investigate Incidents

Incidents

Manage Incident Starring

Triage Incidents

Manage Incidents

Investigate Alerts

Alerts

Triage Alerts

Manage Alerts

Alert Exclusions

Add an Alert Exclusion Policy

Causality View

Investigate Endpoints

Action Center

Manage Endpoint Actions

View Details About an Endpoint

Retrieve Files from an Endpoint

Retrieve Support Logs from an Endpoint

Scan an Endpoint for Malware

Investigate Files

Manage File Execution

Manage Quarantined Files

Review WildFire® Analysis Details

Import File Hash Exceptions

Response Actions

Isolate an Endpoint

Pause Endpoint Protection

Initiate a Live Terminal Session

Broker VM

Broker VM Overview

Set up Broker VM

Configure the Broker VM

Create a Broker VM Amazon Machine Image (AMI)

Create a Broker VM Azure Image

Set up the Broker VM on Google Cloud Platform (GCP)

Create a Broker VM Image for Alibaba Cloud

Create a Broker VM Image for a Nutanix Hypervisor

Create a Broker VM Image for Ubuntu

Activate the Local Agent Settings

Manage Your Broker VMs

View Broker VM Details

Edit Your Broker VM Configuration

Collect Broker VM Logs

Reboot a Broker VM

Shut Down a Broker VM

Upgrade a Broker VM

Open a Remote Terminal

Remove a Broker VM

Broker VM Notifications

Monitoring

Cortex XDR Dashboard

Dashboard Widgets

Predefined Dashboards

Build a Custom Dashboard

Manage Dashboards

Run or Schedule Reports

Monitor Cortex XDR Incidents

Monitor Cortex Gateway Management Activity

Monitor Administrative Activity

Monitor Agent Activity

Monitor Agent Operational Status

Log Forwarding

Log Forwarding Data Types

Integrate Slack for Outbound Notifications

Integrate a Syslog Receiver

Syslog Server Test Message Errors

Configure Notification Forwarding

Cortex XDR Log Notification Formats

Management Audit Log Messages

Alert Notification Format

Agent Audit Log Notification Format

Management Audit Log Notification Format

Cortex XDR Log Formats

Managed Security

About Managed Security

Cortex XDR Managed Security Access Requirements

Switch to a Different Tenant

Pair a Parent Tenant with Child Tenant

Manage a Child Tenant

Track your Tenant Management

Investigate Child Tenant Data

Create and Allocate Configurations

Create a Security Managed Action

Cortex® XDR™ Overview
Get Started with Cortex® XDR™ Prevent
Endpoint Security
Investigation and Response
Broker VM
Monitoring
Log Forwarding
Managed Security

Cortex® XDR Prevent Administrator’s Guide

PDF Cover Image

Last Updated:

Thu Aug 04 00:12:42 PDT 2022

Table of Contents

Search the Table of Contents

Cortex® XDR™ Overview

Cortex® XDR™ Prevent Architecture

about-cortex-xdr-protection

Cortex XDR Licenses

Features by Cortex XDR License Type

Cortex Endpoint Agent License Allocation

Cortex XDR License Expiration

Cortex XDR License Monitoring

Get Started with Cortex® XDR™ Prevent

Set up Cortex XDR Prevent Overview

Plan Your Deployment

Migrate from Traps Endpoint Security Manager to Cortex XDR

Differences between Endpoint Security Manager and Cortex XDR

Manage User Roles

Permission Management

Access Management

Manage Users

Manage Roles

Manage User Groups

Manage Single Sign-On

Predefined User Roles for Cortex XDR

XDR Account Admin

Instance Administrator

Deployment Admin

Investigator

Investigation Admin

Responder

Privileged Investigator

Privileged Responder

IT Admin

Privileged IT Admin

Privileged Security Admin

Viewer

Scoped Endpoint Admin

Security Admin

Manage User Scope

Activate

Set Up Cloud Identity Engine

Manage Your Log Storage within Cortex XDR

Set up Endpoint Protection

Plan Your Agent Deployment

Enable Access to Cortex XDR

Resources Required to Enable Access to Cortex XDR

Proxy Communication

Integrate External Threat Intelligence Services

Configure Cortex® XDR™

Set up Your Cortex Environment

Set up Outbound Integration

Use the Cortex XDR Interface

Manage Tables

Endpoint Security

Communication Between Cortex® XDR™ and Agents

Manage Cortex XDR Agents

Create an Agent Installation Package

Set an Application Proxy for Cortex XDR Agents

Move Cortex XDR Agents Between Managing XDR Servers

Upgrade Cortex XDR Agents

Set a Cortex XDR Agent Critical Environment Version

Delete Cortex XDR Agents

Uninstall the Cortex XDR Agent

Set an Alias for an Endpoint

Manage Endpoint Tags

Manage Agent Tokens

Retrieve Support File Password

Define Endpoint Groups

File Analysis and Protection Flow

About Content Updates

Endpoint Protection Capabilities

Endpoint Protection Modules

Endpoint Security Profiles

Add a New Exploit Security Profile

Processes Protected by Exploit Security Policy

Add a New Malware Security Profile

WildFire® Analysis Concepts

Add a New Restrictions Security Profile

Manage Endpoint Security Profiles

Customizable Agent Settings

Add a New Agent Settings Profile

Endpoint Data Collected by Cortex XDREndpoint Data Collection

Configure Global Agent Settings

Apply Security Profiles to Endpoints

Exceptions Security Profiles

Add a New Exceptions Security Profile

Add a Global Endpoint Policy Exception

Hardened Endpoint Security

Device Control

Host Firewall

Host Firewall for Windows

Host Firewall for macOS

Disk Encryption

Investigation and Response

Investigate Incidents

Incidents

Manage Incident Starring

Triage Incidents

Manage Incidents

Investigate Alerts

Alerts

Triage Alerts

Manage Alerts

Alert Exclusions

Add an Alert Exclusion Policy

Causality View

Investigate Endpoints

Action Center

Manage Endpoint Actions

View Details About an Endpoint

Retrieve Files from an Endpoint

Retrieve Support Logs from an Endpoint

Scan an Endpoint for Malware

Investigate Files

Manage File Execution

Manage Quarantined Files

Review WildFire® Analysis Details

Import File Hash Exceptions

Response Actions

Isolate an Endpoint

Pause Endpoint Protection

Initiate a Live Terminal Session

Broker VM

Broker VM Overview

Set up Broker VM

Configure the Broker VM

Create a Broker VM Amazon Machine Image (AMI)

Create a Broker VM Azure Image

Set up the Broker VM on Google Cloud Platform (GCP)

Create a Broker VM Image for Alibaba Cloud

Create a Broker VM Image for a Nutanix Hypervisor

Create a Broker VM Image for Ubuntu

Activate the Local Agent Settings

Manage Your Broker VMs

View Broker VM Details

Edit Your Broker VM Configuration

Collect Broker VM Logs

Reboot a Broker VM

Shut Down a Broker VM

Upgrade a Broker VM

Open a Remote Terminal

Remove a Broker VM

Broker VM Notifications

Monitoring

Cortex XDR Dashboard

Dashboard Widgets

Predefined Dashboards

Build a Custom Dashboard

Manage Dashboards

Run or Schedule Reports

Monitor Cortex XDR Incidents

Monitor Cortex Gateway Management Activity

Monitor Administrative Activity

Monitor Agent Activity

Monitor Agent Operational Status

Log Forwarding

Log Forwarding Data Types

Integrate Slack for Outbound Notifications

Integrate a Syslog Receiver

Syslog Server Test Message Errors

Configure Notification Forwarding

Cortex XDR Log Notification Formats

Management Audit Log Messages

Alert Notification Format

Agent Audit Log Notification Format

Management Audit Log Notification Format

Cortex XDR Log Formats

Managed Security

About Managed Security

Cortex XDR Managed Security Access Requirements

Switch to a Different Tenant

Pair a Parent Tenant with Child Tenant

Manage a Child Tenant

Track your Tenant Management

Investigate Child Tenant Data

Create and Allocate Configurations

Create a Security Managed Action

Cortex® XDR™ Overview
Get Started with Cortex® XDR™ Prevent
Endpoint Security
Investigation and Response
Broker VM
Monitoring
Log Forwarding
Managed Security

© 2022 Palo Alto Networks, Inc. All rights reserved.