1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR Prevent Administrator’s Guide
    5. Get Started with Cortex® XDR™ Prevent
    6. Configure Cortex® XDR™
    7. Set up Your Cortex Environment

    Set up Your
    Cortex
     Environment

    You can set up the Cortex XDR environment based on your preferences.
    To create a more personalized user experience,
    Cortex
    XDR
     enables you to define your
    Server
     and
    Security Settings
    .
    From the
    Cortex
    XDR
     management console, navigate to
    Settings
    Configurations
    General
    Server Settings
     to define the following:

    Define Keyboard Shortcuts

    Select the keyboard shortcut for the
    Cortex
    XDR
     capabilities.
    • In the
      Keyboard Shortcuts
       section, change the default settings for:
      • Quick Launcher
      The shortcut value must be a keyboard letter, A through Z.

    Select Timezone

    Select your own specific timezone. Selecting a timezone affects the timestamps displayed in the
    Cortex
    XDR
     management console, auditing logs, and when exporting files.
    • In the
      Timezone
       section, select the timezone in which you want to display your
      Cortex
      XDR
       data.

    Define Timestamp Format

    Select your timestamp format. Selecting a timezone affects the timestamps displayed in the
    Cortex
    XDR
     management console, auditing logs, and when exporting files.
    • In the
      Timestamp Format
       section, select the timestamp format in which you want to display your
      Cortex
      XDR
       data.
      The setting is configured per user and not per tenant.

    Define Distribution List Emails

    Define a list of email addresses
    Cortex
    XDR
     can use as distribution lists. The defined email addresses are used to send product maintenance, updates, and new version notifications. The email addresses are in addition to e-mails registered with your CSP account.
    • In the
      Email Contacts
       section, enter email addresses you want to include in a distribution list. Make sure to select after each email address.

    Define XQL Configuration Settings

    The
    XQL Configuration
     settings control your XQL queries in the system. To make it easier for you to configure Case Sensitivity across
    Cortex
    XDR
     in one central area, you can configure whether Case Sensitivity (config case_sensitive = true | false) is applied throughout the application. This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.
    • In the
      XQL Configuration
       section, you can either leave the toggle set to
      Case Sensitivity (case_sensitive)
       to ensure field values are evaluated as case sensitive (
      config case_sensitive = true
      ) throughout the entire application (default) or disable the toggle, so that field values are evaluated as case insensitive (
      config case_sensitive = false
      ) throughout the application.
      This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.

    Define Incident Mean Time to Resolve (MTTR)

    Define the target incident MTTR you want applied according to the incident severity.
    • In the
      Define the Incident target MTTR per incident severity
       section, enter within how many days and hours you want incidents resolved according to the incident severity
      Critical
      ,
      High
      ,
      Medium
      , and
      Low
      .
      The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.

    Define the Impersonation Role

    Define the type of role permissions granted to Palo Alto Networks Support team when opening support tickets. By default, Palo Alto Networks Support is granted read-only access to your tenant.
    • In the
      Impersonation Settings
       section, define the level and duration of the permissions.
      • Select one of the following
        Role
         permissions:
        • Read-Only
          —Default setting, grants read only access to your tenant.
        • Support related actions
          —Grants permissions to tech support file collection, dump file collection, investigation query, BIOC and IOC rule editing, alert starring, exclusion and exception editing.
        • Full role permissions
          —No limitations are applied, grants full permissions to all actions and content on your tenant.
      • Set the
        Permission Reset Timeframe
        .
        If you selected
        Support related actions
         or
        Full role permissions
         in the
        Role
         field, set a specific timeframe for how long these permissions are valid. Select either
        7 Days
        ,
        30 Days
        , or
        No time limitation
        .
      We recommend that Role permissions are granted only for a specific timeframe, and full administrative permissions is granted only when specifically requested by the support team.

    Set up Session Security Settings

    The session security settings include:
    • Session Expiration
      —Enables you to define the number of hours after which the user login session will expire. You can also define a one-week expiration time for the
      Cortex
      XDR
       dashboard.
    • Allowed Sessions
      —Enables you to define approved domains and approved IP ranges through which access to
      Cortex
      XDR
       should be allowed.
    • User Expiration
      —Enables you to deactivate an inactive user, and also set the user deactivation trigger period.
    • Allowed Domains
      —Enables you to specify one or more domain names that can be used in your distribution lists.
    • From the
      Cortex
      XDR
       management console, select
      Settings
      Configurations
      Security Settings
      .
    • Under
      Session Expiration
      , define the following:
      1. User Login Expiration
        —Select the amount of session hours after which the user login should expire.
      2. Dashboard Expiration
        —Select either
        7 Days
         or
        As user login expiration (1 hour)
         to define the timing of the dashboard expiration.
    • Under
      Allowed Sessions
      , define the following:
      1. Approved Domains
        —Select
        Enabled
         or
        Disabled
        . If enabled, specify the domains from which you want to allow user access to
        Cortex
        XDR
        . You can add or remove domains as necessary.
      2. Approved IP Ranges
        —Select
        Enabled
         or
        Disabled
        . If enabled, specify the IP ranges from which you want to allow user access to
        Cortex
        XDR
        . You can add or remove IP CIDR addresses as necessary.
    • Under
      User Expiration
      , define if you want to
      Deactivate Inactive User
      . By default, user expiration is
      Disabled
      , when
      Enabled
       enter the number of days after which inactive users should be deactivated.
    • Under
      Allowed Domains
      , specify one or more domain names that users in your organization can be used in your distribution list. For example, when generating a report, ensure the reports are not sent to email addresses outside your organization.
    • Save
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo