Cortex XDR Pro Setup Overview

To set up Cortex XDR, you must activate the app and related apps and services.

Before you can use Cortex XDR for advanced detection and response, you must activate the Cortex XDR app and set up related apps and services. You must perform the setup activities as shown in the following image. Some steps are required only if you have the corresponding license type.
  1. As part of your planning, ensure that you or the person who is activating Cortex apps has the appropriate roles.
  2. (Cortex XDR Pro per TB license only) Deploy your Network Devices.
  3. You can configure Cortex XDR to take logs from other Palo Alto Networks products already logging to an existing Cortex Data Lake. Otherwise, you will activate a new Data Lake as part of the Cortex XDR tenant activation when setting up Cortex XDR in the Cortex Gateway.
  4. (Optional) Set up Cloud Identity Engine (formerly Directory Sync Services (DSS)).
    1. Activate and set up a Cloud Identity Engine instance.
    2. Add the Cloud Identity Engine instance to Cortex XDR.
  5. (Cortex XDR Pro per Endpoint only) Set up Endpoint Protection.
    1. Plan your Cortex XDR agent deployment.
    2. Create Cortex XDR agent installation packages.
    3. Define endpoint groups.
    4. Deploy the Cortex XDR agent to your endpoints.
    5. Configure your endpoint security policy.
  6. (Cortex XDR Pro per TB license only) Configure your Network Devices.
  7. (Cortex XDR Pro per TB license only) Set up Network Analysis.
    1. Perform any remaining setup of your network sensors.
    2. Configure the internal networks that you want Cortex XDR to monitor.
    3. Verify that Cortex XDR is receiving alerts.
    4. If you set up a Directory Sync Service instance, enable Cortex XDR to use it.
    1. (Optional) Integrate additional threat intelligence.
    2. After 24 hours, enable Cortex XDR Analytics Analysis.
      1. Configure Network Coverage.
      2. (Recommended) Activate Pathfinder to interrogate endpoints that do not have the Cortex XDR agent installed.
    3. Define alert exclusions.
    4. Prioritize incidents based on attributes by creating an incident starring policy.
    5. Import or configure rules for known BIOCs and IOCs, and create any applicable Correlation Rules.
    6. (Optional) Manage External Dynamic Lists (requires a Cortex XDR Pro per TB license).
    • Integrate with Slack.
    • Integrate with a Syslog Server.
    • Integrate with Cortex XSOAR.
  8. (Optional) Set up Managed Security.
