Configure Cortex® XDR™

Before you can begin using Cortex® XDR™, you must set up your data sources and alert sensors.
Before you can begin using Cortex XDR, you must set up your alert sensors. The more sensors that you integrate with Cortex XDR, the more context you have when a threat is detected. You can also set up Cortex XDR to raise Analytics alerts on network or endpoint data (or both) depending or your Cortex XDR Pro licenses.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.
  1. Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.
  2. After you activate Cortex XDR apps and services, wait 24 hours and then configure the Cortex XDR analytics.
    1. Specify the internal networks that you want Cortex XDR to monitor.
    2. (
      Recommended
      ) If you want to use Pathfinder to scan unmanaged endpoints, Activate Pathfinder.
    3. Enable
      Cortex XDR - Analytics
      .
      By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables the Cortex XDR analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.
      To create a baseline for enabling Analytics, Cortex XDR requires a minimum set of data; EDR logs from at least 30 endpoints over a minimum of 2 weeks or cloud audit logs over a minimum of 5 days. Once this requirement is met, Cortex XDR allows to enable analytics and begin triggering alerts within a few hours.
      1. In Cortex XDR, select
        Settings ( )
        Configurations
        Cortex XDR - Analytics
        .
        The
        Enable
        option will be grayed out if you do not have the required data set.
      2. When available,
        Enable
        Cortex XDR - Analytics. The analytics engine will immediately begin analyzing your Cortex data for anomalies.
        Creating a baseline can take up to 3 hours.
    4. Enable Identity Analytics.
      By default, Identity Analytics is disabled. Activating Identity Analytics enables the Cortex XDR analytics engine to aggregate and display throughout your investigation user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.
      To enable the Identity Analytics, you must first Activate the Cortex XDR Analytics and Set Up Cloud Identity Engine (Formally Directory Sync Services (DSS)).
      After configuring your Cloud Identity Engine instance and Cortex XDR Analytics,
      Enable
      Identity Analytics.
  3. (
    Optional
    ) Palo Alto Networks also automatically delivers behavioral indicators of compromise (BIOCs) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.
    To alert on specific BIOCs, Create a BIOC Rule. To immediately being alerting on known malicious indicators of compromise (IOCs)—such as known malicious IP addresses—Create an IOC Rule or Create a Correlation Rule.

Recommended For You