Set up Your Cortex Environment

You can set up the Cortex XDR environment based on your preferences.
To create a more personalized user experience, Cortex XDR enables you to define your Server and Security Settings.
From the Cortex XDR management console, navigate to Settings → Configurations → General → Server Settings to define the following:

Define Keyboard Shortcuts

Select the keyboard shortcut for the Cortex XDR capabilities.
  • In the Keyboard Shortcuts section, change the default settings for:
    • Quick Launcher
    The shortcut value must be a keyboard letter, A through Z.

Select Timezone

Select your own specific timezone. Selecting a timezone affects the timestamps displayed in the Cortex XDR management console, auditing logs, and when exporting files.
  • In the Timezone section, select the timezone in which you want to display your Cortex XDR data.

Define Timestamp Format

Select your timestamp format. Selecting a timezone affects the timestamps displayed in the Cortex XDR management console, auditing logs, and when exporting files.
  • In the Timestamp Format section, select the timestamp format in which you want to display your Cortex XDR data.
    The setting is configured per user and not per tenant.

Define Distribution List Emails

Define a list of email addresses Cortex XDR can use as distribution lists. The defined email addresses are used to send product maintenance, updates, and new version notifications. The email addresses are in addition to e-mails registered with your CSP account.
  • In the Email Contacts section, enter email addresses you want to include in a distribution list. Make sure to select after each email address.

Define XQL Configuration Settings

The XQL Configuration settings control your XQL queries in the system. To make it easier for you to configure Case Sensitivity across Cortex XDR in one central area, you can configure whether Case Sensitivity (config case_sensitive = true | false) is applied throughout the application. This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.
  • In the XQL Configuration section, you can either leave the toggle set to Case Sensitivity (case_sensitive) to ensure field values are evaluated as case sensitive (config case_sensitive = true) throughout the entire application (default) or disable the toggle, so that field values are evaluated as case insensitive (config case_sensitive = false) throughout the application.
    This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.

Define Incident Mean Time to Resolve (MTTR)

Define the target incident MTTR you want applied according to the incident severity.
  • In the Define the Incident target MTTR per incident severity section, enter within how many days and hours you want incidents resolved according to the incident severity Critical, High, Medium, and Low.
    The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.

Define the Impersonation Role

Define the type of role permissions granted to Palo Alto Networks Support team when opening support tickets. By default, Palo Alto Networks Support is granted read-only access to your tenant.
  • In the Impersonation Settings section, define the level and duration of the permissions.
    • Select one of the following Role permissions:
      • Read-Only—Default setting, grants read only access to your tenant.
      • Support related actions—Grants permissions to tech support file collection, dump file collection, investigation query, BIOC and IOC rule editing, alert starring, exclusion and exception editing.
      • Full role permissions—No limitations are applied, grants full permissions to all actions and content on your tenant.
    • Set the Permission Reset Timeframe.
      If you selected Support related actions or Full role permissions in the Role field, set a specific timeframe for how long these permissions are valid. Select either 7 Days, 30 Days, or No time limitation.
    We recommend that Role permissions are granted only for a specific timeframe, and that full administrative permissions are granted only when specifically requested by the support team.

Set up Session Security Settings

The session security settings include:
  • Session Expiration—Enables you to define the number of hours after which the user login session will expire. You can also define a one-week expiration time for the Cortex XDR dashboard.
  • Allowed Sessions—Enables you to define approved domains and approved IP ranges through which access to Cortex XDR should be allowed.
  • User Expiration—Enables you to deactivate an inactive user, and also set the user deactivation trigger period.
  • Allowed Domains—Enables you to specify one or more domain names that can be used in your distribution lists.
  • From the Cortex XDR management console, select Settings → Configurations → Security Settings.
  • Under Session Expiration, define the following:
    1. User Login Expiration—Select the amount of session hours after which the user login should expire.
    2. Dashboard Expiration—Select either 7 Days or As user login expiration (1 hour) to define the timing of the dashboard expiration.
  • Under Allowed Sessions, define the following:
    1. Approved Domains—Select Enabled or Disabled. If enabled, specify the domains from which you want to allow user access to Cortex XDR. You can add or remove domains as necessary.
    2. Approved IP Ranges—Select Enabled or Disabled. If enabled, specify the IP ranges from which you want to allow user access to Cortex XDR. You can add or remove IP CIDR addresses as necessary.
  • Under User Expiration, define if you want to Deactivate Inactive User. By default, user expiration is Disabled. When Enabled, enter the number of days after which inactive users should be deactivated.
  • Under Allowed Domains, specify one or more domain names that users in your organization can use in your distribution list. For example, when generating a report, ensure the reports are not sent to email addresses outside your organization.
  • Save.
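
A pre-flight check for the Approved IP Ranges list described above, as an added example (not Palo Alto Networks code): it flags invalid entries, entries with host bits set, overly broad ranges, and administrator source addresses the list would not cover, so the allowlist can be reviewed before it is enabled. The function name, the breadth thresholds and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: prefixes shorter than these are flagged for manual review.
MIN_PREFIX = {4: 16, 6: 32}

def review_approved_ranges(cidrs, admin_ips):
    """Pre-flight check of a planned Approved IP Ranges list."""
    report = {"invalid": [], "host_bits_set": [], "too_broad": [], "uncovered": []}
    networks = []
    for entry in cidrs:
        text = entry.strip()
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            # Either not an address at all, or an address such as
            # 203.0.113.10/24 where the operator mixed host and network parts.
            try:
                net = ipaddress.ip_network(text, strict=False)
            except ValueError:
                report["invalid"].append(entry)
                continue
            report["host_bits_set"].append(entry)
        if net.prefixlen < MIN_PREFIX[net.version]:
            report["too_broad"].append(str(net))
        networks.append(net)
    # Every address an administrator logs in from must fall inside a range,
    # otherwise enabling the allowlist locks that administrator out.
    for ip_text in admin_ips:
        ip = ipaddress.ip_address(ip_text)
        if not any(ip.version == n.version and ip in n for n in networks):
            report["uncovered"].append(ip_text)
    return report

# Constructed sample input (documentation and private address ranges only).
PLANNED = ["198.51.100.0/24", "203.0.113.10/24", "10.0.0.0/8",
           "2001:db8::/48", "10.1.2.300/32"]
ADMIN_IPS = ["198.51.100.7", "192.0.2.44", "2001:db8:0:1::5"]

if __name__ == "__main__":
    for finding, values in review_approved_ranges(PLANNED, ADMIN_IPS).items():
        print(f"{finding}: {values}")
```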
