Before you can begin using Cortex XDR, you must set up your alert sensors. The more sensors you integrate with Cortex XDR, the more context you have when a threat is detected. You can also set up Cortex XDR to raise Analytics alerts on network data, endpoint data, or both, depending on your Cortex XDR Pro licenses.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.
- Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.
- After you activate Cortex XDR apps and services, wait 24 hours and then configure the Cortex XDR analytics.
- Specify the internal networks that you want Cortex XDR to monitor.
  - To view existing network segments, select the gear icon in the upper right corner and select Analytics Management > Network Coverage Status. This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
  - Add a new segment and enter the first and last IP address of the range to monitor.
  - Specify the Assigned Pathfinder VM to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular segment, leave the field blank.
  - (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
  - Leave Reserved for VPN blank.
  - Save the network segment. If the Configuration saved notification does not appear, save again.
- (Recommended) If you want to use Pathfinder to supplement the Cortex XDR agent, set up Pathfinder.
- Activate Cortex XDR - Analytics. By default, Cortex XDR - Analytics is disabled. Activating it enables the Cortex XDR analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected. To create a baseline, Cortex XDR requires a minimum set of data: either EDR logs from a minimum of 30 endpoints or 675MB of network traffic logs from your Palo Alto Networks firewalls in the last 24 hours.
  - In Cortex XDR, select the gear icon in the upper right corner and then select Settings > Cortex XDR - Analytics. The Enable option will be grayed out if you do not have the required data set.
  - When available, Enable Cortex XDR - Analytics. The analytics engine immediately begins analyzing your Cortex data for anomalies.
- (Optional) Palo Alto Networks automatically delivers behavioral indicator of compromise (BIOC) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.
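The network-segment and baseline requirements above lend themselves to a pre-flight check before you type ranges into the console. The following Python script is an added example, not Palo Alto Networks code and not any Cortex XDR API: the Segment dataclass and its field names are our own, the Pathfinder VM name and address ranges are constructed, and "675MB" is read as decimal megabytes (an assumption). It validates each first/last pair (rejecting mixed IPv4/IPv6 bounds and reversed ranges, and summarizing the range to CIDR blocks), reports overlapping segments and segments with no Pathfinder VM assigned, checks whether a given address falls inside configured coverage, and applies the stated minimum data set for enabling Cortex XDR - Analytics.

```python
"""Pre-flight checks for the Cortex XDR Analytics setup described above.

Added example (not Palo Alto Networks code): validates the network segments
you intend to enter on the Network Coverage Status page, flags overlapping
ranges and segments with no Pathfinder VM assigned, and applies the stated
baseline requirement (EDR logs from at least 30 endpoints, or at least 675 MB
of firewall traffic logs in the last 24 hours).
"""
from dataclasses import dataclass
from ipaddress import ip_address, summarize_address_range
from typing import List, Optional, Tuple

MIN_EDR_ENDPOINTS = 30
# "675MB" taken as decimal megabytes; this interpretation is an assumption.
MIN_FIREWALL_LOG_BYTES = 675 * 10**6


@dataclass(frozen=True)
class Segment:
    """One row of the Network Coverage Status table (field names are ours)."""
    first: str
    last: str
    pathfinder_vm: Optional[str] = None  # Assigned Pathfinder VM; None = not scanned


def validate_segment(seg: Segment):
    """Return the CIDR blocks covering first..last, or raise ValueError.

    Catches the two errors that are easy to make in the UI form: mixing an
    IPv4 start with an IPv6 end, and entering the bounds in the wrong order.
    """
    first, last = ip_address(seg.first), ip_address(seg.last)
    if first.version != last.version:
        raise ValueError(f"{seg.first} and {seg.last} are different IP versions")
    if int(first) > int(last):
        raise ValueError(f"first address {seg.first} is after last address {seg.last}")
    return list(summarize_address_range(first, last))


def find_overlaps(segments: List[Segment]) -> List[Tuple[Segment, Segment]]:
    """Pairs of segments whose address ranges intersect (same IP version only)."""
    bounds = [(s, ip_address(s.first), ip_address(s.last)) for s in segments]
    overlaps = []
    for i, (a, a_first, a_last) in enumerate(bounds):
        for b, b_first, b_last in bounds[i + 1:]:
            if a_first.version != b_first.version:
                continue
            if int(a_first) <= int(b_last) and int(b_first) <= int(a_last):
                overlaps.append((a, b))
    return overlaps


def unscanned_segments(segments: List[Segment]) -> List[Segment]:
    """Segments left with a blank Assigned Pathfinder VM (Pathfinder skips them)."""
    return [s for s in segments if not s.pathfinder_vm]


def is_monitored(ip: str, segments: List[Segment]) -> bool:
    """True if ip falls inside at least one configured segment."""
    addr = ip_address(ip)
    for seg in segments:
        first, last = ip_address(seg.first), ip_address(seg.last)
        if addr.version == first.version and int(first) <= int(addr) <= int(last):
            return True
    return False


def analytics_ready(edr_endpoints: int, firewall_log_bytes: int) -> bool:
    """Apply the documented minimum data set for enabling Cortex XDR - Analytics."""
    return edr_endpoints >= MIN_EDR_ENDPOINTS or firewall_log_bytes >= MIN_FIREWALL_LOG_BYTES


# Constructed sample segments (not real infrastructure).
SAMPLE_SEGMENTS = [
    Segment("10.10.0.0", "10.10.255.255", pathfinder_vm="pf-vm-01"),
    Segment("10.10.128.0", "10.11.0.255", pathfinder_vm="pf-vm-01"),  # overlaps the first
    Segment("2001:db8::", "2001:db8::ffff"),                          # no Pathfinder VM
]

if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        print(seg.first, "-", seg.last, "->", [str(n) for n in validate_segment(seg)])
    for a, b in find_overlaps(SAMPLE_SEGMENTS):
        print("overlap:", a.first, "-", a.last, "and", b.first, "-", b.last)
    for seg in unscanned_segments(SAMPLE_SEGMENTS):
        print("no Pathfinder VM assigned:", seg.first, "-", seg.last)
    print("10.10.200.1 monitored:", is_monitored("10.10.200.1", SAMPLE_SEGMENTS))
    print("baseline requirement met:",
          analytics_ready(edr_endpoints=12, firewall_log_bytes=700 * 10**6))
```

Run it against the segment list you plan to enter; an overlap report means two rows cover the same addresses, and an unscanned-segment line means Pathfinder will skip that range because the Assigned Pathfinder VM field is blank.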