Configure Cortex XDR

Before you can begin using Cortex XDR, you must set up your data sources and alert sensors. The more sensors that you integrate with Cortex XDR, the more context you have when a threat is detected.
You can also set up Cortex XDR to raise Analytics alerts on network or endpoint data (or both), depending on your Cortex XDR Pro licenses.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.
  1. Integrate external threat intelligence services. This enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.
  2. After you activate Cortex XDR apps and services, wait 24 hours and then configure the Cortex XDR analytics.
    1. Specify the internal networks that you want Cortex XDR to monitor.
    2. (Recommended) If you want to use Pathfinder to scan unmanaged endpoints, Activate Pathfinder.
    3. Enable Cortex XDR - Analytics.
      By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables the Cortex XDR analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.
      To create a baseline for enabling Analytics, Cortex XDR requires a minimum set of data: EDR or network logs from at least 30 endpoints over a minimum of 2 weeks, or cloud audit logs over a minimum of 5 days. Once this requirement is met, Cortex XDR allows you to enable analytics and begins triggering alerts within a few hours.
      1. In Cortex XDR, select Settings > Configurations > Cortex XDR - Analytics.
        The Enable option is grayed out if you do not have the required data set.
      2. When available, Enable Cortex XDR - Analytics. The analytics engine immediately begins analyzing your Cortex XDR data for anomalies.
        Creating a baseline can take up to 3 hours.
    4. Enable Identity Analytics.
      By default, Identity Analytics is disabled. Activating Identity Analytics enables the Cortex XDR analytics engine to aggregate user profile information, activity, and alerts associated with user-based Analytics alerts and Analytics BIOC rules, and to display them throughout your investigation.
      To enable Identity Analytics, you must first Activate Cortex XDR Analytics and Set Up Cloud Identity Engine (formerly Directory Sync Services (DSS)).
      After configuring your Cloud Identity Engine instance and Cortex XDR Analytics, Enable Identity Analytics.
  3. (Optional) Palo Alto Networks automatically delivers behavioral indicators of compromise (BIOC) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.
    To alert on specific BIOCs, Create a BIOC Rule. To immediately alert on known malicious indicators of compromise (IOCs), such as known malicious IP addresses, Create an IOC Rule or Create a Correlation Rule.
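The Enable option for Cortex XDR - Analytics stays grayed out until the minimum data set described in step 2 has been collected. The following pre-check is an added example, not Palo Alto Networks code or an XDR API: it applies the documented thresholds (EDR or network logs from at least 30 endpoints over at least 2 weeks, or cloud audit logs over at least 5 days) to a set of constructed log records so that you can see which path is still unmet. The record tuple layout, the host naming and the interpretation of "over a minimum of N days" as the calendar span from first to last record are assumptions for illustration only.

```python
from datetime import date, timedelta

# Thresholds taken from the documented minimum data set.
MIN_ENDPOINTS = 30
MIN_ENDPOINT_DAYS = 14      # "a minimum of 2 weeks"
MIN_CLOUD_AUDIT_DAYS = 5    # "a minimum of 5 days"

ENDPOINT_SOURCES = {"edr", "network"}


def _span_days(days):
    """Calendar span covered by a set of dates, inclusive; 0 if empty.

    Assumption: the window is measured end-to-end, not as a count of distinct days.
    """
    if not days:
        return 0
    return (max(days) - min(days)).days + 1


def analytics_baseline_ready(records):
    """Check the documented minimum data set for enabling Cortex XDR - Analytics.

    records: iterable of (source, entity_id, day) tuples where source is
    'edr', 'network' or 'cloud_audit', entity_id identifies the reporting
    endpoint (ignored for cloud audit logs) and day is a datetime.date.
    This tuple layout is an assumption for the example, not an XDR schema.
    Returns a dict with the computed figures, a 'ready' flag, and the list of
    paths that are not yet satisfied (only one path has to be satisfied).
    """
    endpoints, endpoint_days, cloud_days = set(), set(), set()
    for source, entity_id, day in records:
        if source in ENDPOINT_SOURCES:
            endpoints.add(entity_id)
            endpoint_days.add(day)
        elif source == "cloud_audit":
            cloud_days.add(day)
        else:
            raise ValueError(f"unknown source {source!r}")

    endpoint_span = _span_days(endpoint_days)
    cloud_span = _span_days(cloud_days)
    endpoint_ok = len(endpoints) >= MIN_ENDPOINTS and endpoint_span >= MIN_ENDPOINT_DAYS
    cloud_ok = cloud_span >= MIN_CLOUD_AUDIT_DAYS

    unmet = []
    if not endpoint_ok:
        unmet.append(f"endpoint logs: {len(endpoints)} endpoints over {endpoint_span} days "
                     f"(need {MIN_ENDPOINTS} over {MIN_ENDPOINT_DAYS})")
    if not cloud_ok:
        unmet.append(f"cloud audit logs: {cloud_span} days (need {MIN_CLOUD_AUDIT_DAYS})")

    return {
        "ready": endpoint_ok or cloud_ok,
        "endpoints": len(endpoints),
        "endpoint_days": endpoint_span,
        "cloud_audit_days": cloud_span,
        "unmet": unmet,
    }


def sample_records(n_endpoints, n_days, source="edr", start=date(2024, 1, 1)):
    """Constructed sample data (not real tenant data): every endpoint reports once per day."""
    return [(source, f"host-{i:03d}", start + timedelta(days=d))
            for d in range(n_days) for i in range(n_endpoints)]


if __name__ == "__main__":
    # 25 endpoints for 20 days: enough time, too few endpoints, so Enable stays grayed out.
    print(analytics_baseline_ready(sample_records(25, 20)))
    # 30 endpoints for 14 days: satisfies the endpoint-log path.
    print(analytics_baseline_ready(sample_records(30, 14)))
    # Cloud audit logs alone for 5 days also satisfy the requirement.
    print(analytics_baseline_ready(sample_records(1, 5, source="cloud_audit")))
```

Run it against an export of your own endpoint or cloud audit records (mapped into the same tuple shape) to see which threshold is still short before assuming the grayed-out Enable option is a fault.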
