1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR Pro Administrator’s Guide
    5. Get Started with Cortex XDR Pro
    6. Configure Cortex XDR

    Configure
    Cortex
    XDR

    Before you can begin using Cortex XDR, you must set up your data sources and alert sensors.
    Before you can begin using
    Cortex
    XDR
    , you must set up your alert sensors. The more sensors that you integrate with
    Cortex
    XDR
    , the more context you have when a threat is detected.
    You can also set up
    Cortex
     to raise Analytics alerts on network or endpoint data (or both) depending or your
    Cortex
    XDR
     Pro licenses.
    The following workflow highlights the tasks that you must perform (in order) to configure
    Cortex
    XDR
    .
    1. Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.
    2. After you activate
      Cortex
      XDR
       apps and services, wait 24 hours and then configure the
      Cortex
      XDR
       analytics.
      1. Specify the internal networks that you want
        Cortex
        XDR
         to monitor.
      2. (
        Recommended
        ) If you want to use Pathfinder to scan unmanaged endpoints, Activate Pathfinder.
      3. Enable
        Cortex XDR - Analytics
        .
        By default,
        Cortex
        XDR
         - Analytics is disabled. Activating
        Cortex
        XDR
         - Analytics enables the
        Cortex
        XDR
         analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.
        To create a baseline for enabling Analytics,
        Cortex
        XDR
         requires a minimum set of data; EDR or Network logs from at least 30 endpoints over a minimum of 2 weeks or cloud audit logs over a minimum of 5 days. Once this requirement is met,
        Cortex
        XDR
         allows to enable analytics and begin triggering alerts within a few hours.
        1. In
          Cortex
          XDR
          , select
          Settings
          Configurations
          Cortex XDR - Analytics
          .
          The
          Enable
           option will be grayed out if you do not have the required data set.
        2. When available,
          Enable
          Cortex
          XDR
           - Analytics. The analytics engine will immediately begin analyzing your
          Cortex
           data for anomalies.
          Creating a baseline can take up to 3 hours.
      4. Enable Identity Analytics.
        By default, Identity Analytics is disabled. Activating Identity Analytics enables the
        Cortex
        XDR
         analytics engine to aggregate and display throughout your investigation user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.
        To enable the Identity Analytics, you must first Activate the
        Cortex
        XDR
         Analytics and Set Up Cloud Identity Engine (Formally Directory Sync Services (DSS)).
        After configuring your Cloud Identity Engine instance and
        Cortex
        XDR
         Analytics,
        Enable
         Identity Analytics.
    5. (
      Optional
      ) Palo Alto Networks also automatically delivers behavioral indicators of compromise (BIOCs) rules defined by the Palo Alto Networks threat research team to all
      Cortex
      XDR
       tenants, but you can also import any additional indicators as rules, as needed.
      To alert on specific BIOCs, Create a BIOC Rule. To immediately alert on known malicious indicators of compromise (IOCs)—such as known malicious IP addresses—Create an IOC Rule or Create a Correlation Rule.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo