Configure XDR

Before you can begin using Cortex XDR, you must set up your alert sensors. The more sensors you integrate with Cortex XDR, the more context you have when a threat is detected. You can also set up Cortex XDR to raise Analytics alerts on network data, endpoint data, or both, depending on your Cortex XDR Pro licenses.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.
  1. Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.
  2. After you activate Cortex XDR apps and services, wait 24 hours and then configure the Cortex XDR analytics.
    1. Specify the internal networks that you want Cortex XDR to monitor.
      1. Log in to your Cortex XDR app either using the direct link or from the Cortex XDR tile on the hub.
      2. To view existing network segments, select the gear icon in the upper right corner and select Analytics Management > Status > Analytics Network Coverage Status. This page provides a table of the IP address ranges that Cortex XDR Analytics monitors; it is pre-populated with the default IPv4 and IPv6 address spaces.
      3. To add custom network segments, select Configuration and then Network Segments Configuration.
      4. Add a new segment and enter the first and last IP address of the range to monitor.
      5. In Assigned Pathfinder VM, specify the Pathfinder VM to assign to the network segment. If you do not want Pathfinder to scan a particular segment, leave the field blank.
      6. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
      7. Leave Reserved for VPN blank.
      8. Save the network segment. If the Configuration saved notification does not appear, save again.
    2. (Recommended) If you want to use Pathfinder to supplement the Cortex XDR agent, Set Up Pathfinder.
    3. Activate Cortex XDR - Analytics.
      By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables the Cortex XDR analytics engine to analyze your endpoint data, develop a baseline, and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected. To create a baseline, Cortex XDR requires a minimum set of data. To satisfy this requirement, you must have either EDR logs from a minimum of 30 endpoints or 675MB of network traffic logs from your Palo Alto Networks firewalls in the last 24 hours.
      1. In Cortex XDR, select the gear icon in the upper right corner and then select Settings > Cortex XDR - Analytics. The Enable option is grayed out if you do not have the required data set.
        (Figure: cortex-analytics-enable.png)
      2. When it becomes available, Enable Cortex XDR - Analytics. The analytics engine immediately begins analyzing your Cortex data for anomalies.
  3. (Optional) Palo Alto Networks automatically delivers behavioral indicators of compromise (BIOC) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.
    To alert on specific BIOCs, Create a BIOC Rule. To immediately begin alerting on known malicious indicators of compromise (IOCs), such as known malicious IP addresses, Create an IOC Rule.
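The network segments you enter in Network Segments Configuration (step 2.1 above) are typed by hand as a first and last address plus an optional Pathfinder VM, and the page offers no check that the ranges are consistent. The following added example (not Palo Alto Networks code; the `Segment` class and the sample addresses are constructed for illustration) validates a planned segment list before it is entered: both ends must parse, share an IP version and be in order, no two segments may overlap (including a small range nested inside a larger one), and it summarises which Pathfinder VM will scan which segments.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

@dataclass(frozen=True)
class Segment:
    """One planned row of Network Segments Configuration (hypothetical helper type)."""
    name: str
    first: str                            # first IP address of the range
    last: str                             # last IP address of the range
    pathfinder_vm: Optional[str] = None   # None = leave Assigned Pathfinder VM blank (not scanned)

def validate_segments(segments: List[Segment]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    parsed = []
    for seg in segments:
        try:
            lo, hi = ipaddress.ip_address(seg.first), ipaddress.ip_address(seg.last)
        except ValueError as exc:
            problems.append(f"{seg.name}: unparsable address ({exc})")
            continue
        if lo.version != hi.version:
            problems.append(f"{seg.name}: first and last address are different IP versions")
        elif lo > hi:
            problems.append(f"{seg.name}: first address {lo} is after last address {hi}")
        else:
            parsed.append((seg, lo, hi))
    # Overlap check per IP version: sort by first address and remember the segment that
    # reaches furthest so far, so a small range nested inside a large one is caught too.
    for version in (4, 6):
        ordered = sorted((p for p in parsed if p[1].version == version), key=lambda p: p[1])
        reach = None
        for seg, lo, hi in ordered:
            if reach is not None and lo <= reach[2]:
                problems.append(f"{seg.name} overlaps {reach[0].name} ({lo} to {min(hi, reach[2])})")
            if reach is None or hi > reach[2]:
                reach = (seg, lo, hi)
    return problems

def pathfinder_plan(segments: List[Segment]) -> Dict[str, List[str]]:
    """Map each Pathfinder VM to the segment names it will scan; blank VMs are skipped."""
    plan: Dict[str, List[str]] = {}
    for seg in segments:
        if seg.pathfinder_vm:
            plan.setdefault(seg.pathfinder_vm, []).append(seg.name)
    return plan

if __name__ == "__main__":
    # Constructed sample plan; the addresses and VM name are not real
    plan = [Segment("corp-lan", "10.1.0.0", "10.1.255.255", "pf-vm-01"),
            Segment("dmz", "10.2.0.0", "10.2.0.255"),
            Segment("lab-dup", "10.1.100.0", "10.1.100.255", "pf-vm-01")]
    print(validate_segments(plan) or "no problems")
    print(pathfinder_plan(plan))
```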
