Before you can begin using Cortex® XDR™, you must set
up your data sources and alert sensors.
Before you can begin using Cortex XDR, you
must set up your alert sensors. The more sensors that you integrate
with Cortex XDR, the more context you have when a threat is detected.
You can also set up Cortex XDR to raise Analytics alerts on network
or endpoint data (or both) depending or your Cortex XDR Pro licenses.
following workflow highlights the tasks that you must perform (in
order) to configure Cortex XDR.
By default, Cortex XDR - Analytics is disabled. Activating
Cortex XDR - Analytics enables the Cortex XDR analytics engine to
analyze your endpoint data to develop a baseline and raise Analytics
and Analytics BIOC alerts when anomalies and malicious behaviors
To create a baseline for enabling Analytics,
Cortex XDR requires a minimum set of data; EDR logs from at least
30 endpoints over a minimum of 2 weeks. Once this requirement is
met, Cortex XDR allows to enable analytics and begin triggering
alerts within a few hours.
In Cortex XDR, select
Cortex XDR - Analytics
will be grayed out if you do not have the required data set.
- Analytics. The analytics engine will immediately begin analyzing
your Cortex data for anomalies.
) Palo Alto Networks also automatically
delivers behavioral indicators of compromise (BIOCs) rules defined
by the Palo Alto Networks threat research team to all Cortex XDR
tenants, but you can also import any additional indicators as rules,
To alert on specific BIOCs, Create a BIOC Rule. To immediately
being alerting on known malicious indicators of compromise (IOCs)—such
as known malicious IP addresses—Create an IOC Rule.