Set up Network Analysis

With a Cortex XDR Pro per TB license you must set up your network sensors and define network coverage for your internal networks.
  1. Set up your network sensors.
    1. If you use unmanaged Palo Alto Networks firewalls, and did not configure log forwarding on your firewalls before activating Cortex XDR, Start Sending Logs to Cortex Data Lake.
    2. If you have external (non-Palo Alto Networks) network sensors, you can set up a syslog collector to receive alerts or logs from them. If you send external alerts, Cortex XDR can include them in relevant incidents for a more complete picture of the activity involved. If you send logs and alerts from external sources such as Check Point firewalls, Cortex XDR can apply analytics to the external logs, raise analytics alerts on them, and include the external alerts in incidents for additional context.
    3. (Optional) If you use Okta or Azure AD, you can Ingest Authentication Logs and Data into authentication stories. After you set up log collection, you can search for authentication data using the Query Builder.
    4. (Optional) If you want to use Pathfinder to examine network hosts, servers, and workstations for malicious or risky software, to supplement the Cortex XDR agent, or because you choose not to use Cortex XDR for endpoint protection, Set Up Pathfinder.
  2. Configure the internal networks that you want Cortex XDR to monitor.
    1. Log in to your Cortex XDR app either using the direct link or from the Cortex XDR tile on the hub.
    2. To view existing network segments, select the gear icon in the upper right corner, select Analytics Management > Status, and then select Analytics Network Coverage Status. This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
    3. To add custom network segments, select Configuration and then Analytics Network Coverage Status.
    4. Add (+) a new segment and enter the first and last IP address of the range to monitor.
    5. Specify the Assigned Pathfinder VM to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular segment, leave the field blank.
    6. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
    7. Leave Reserved for VPN blank. See the following step for adding your GlobalProtect VPN IP address pool to the Cortex XDR app as a network segment to monitor.
    8. Save the network segment. If the Configuration saved notification does not appear, save again.
  3. If you use GlobalProtect or Prisma Access, add the GlobalProtect VPN IP address pool for the VPN traffic that you want to monitor.
    1. To enable the Cortex XDR app to analyze your VPN traffic, add (+) a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.
    2. Leave the Pathfinder VM assignment blank for GlobalProtect VPN IP address pool network segments. The app creates virtual endpoint profiles from the username-associated VPN traffic, and Pathfinder cannot scan those virtual profiles.
    3. Identify this network segment as Reserved for VPN. GlobalProtect dynamically assigns IP addresses from the IP pool to the mobile endpoints that connect to your network. The Cortex XDR analytics engine creates virtual entity profiles for network segments that are reserved for VPN.
    4. Save the network segment. If the Configuration saved notification does not appear, save again.
  4. After you have configured the analytics engine, wait about an hour, and then verify that Cortex XDR is receiving alerts on the various networks that the analytics engine is monitoring.
    1. To view existing network segments, select the gear icon, select Analytics Management > Status, and then select Analytics Network Coverage Status.
    2. Select the report duration, or enter a custom date and time range, and click Generate.
    3. Verify that the IP ranges match the network segments the firewall sees; the DNS % should be over 50. The DHCP % column should reflect the correct percentage for IP ranges that contain endpoints with dynamic IP addresses.
    4. In a deployment with GlobalProtect or Prisma Access, verify that the app generates alerts on VPN traffic.
  5. If you want to use Pathfinder to interrogate endpoints for risky or malicious software, Set Up Pathfinder. If you also use Cortex XDR Pro per Endpoint, you can use Pathfinder to supplement endpoint detection using the Cortex XDR agent.
  6. If you selected a Directory Sync Service instance during the Cortex XDR activation process, configure Cortex XDR to use it.
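As an added example that is not part of this documentation or of Palo Alto Networks' own tooling, the following Python script checks a planned list of network segments (first and last IP address, Assigned Pathfinder VM, Reserved for VPN) for the mistakes the steps above guard against, and flags coverage-report rows whose DNS % does not exceed 50. All segment and coverage data are constructed, and the field names are assumptions modelled on the UI labels, not an export format.

```python
# Added example (not Palo Alto Networks code): pre-flight check for planned
# Cortex XDR network-coverage segments and for the coverage status report.
import ipaddress
from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    first_ip: str                 # "first IP address of the range"
    last_ip: str                  # "last IP address of the range"
    pathfinder_vm: str = ""       # Assigned Pathfinder VM; blank = not scanned
    reserved_for_vpn: bool = False


def validate_segments(segments):
    """Return problems to fix before saving the segments in the UI."""
    problems, seen = [], []
    for s in segments:
        first = ipaddress.ip_address(s.first_ip)
        last = ipaddress.ip_address(s.last_ip)
        if first.version != last.version:
            problems.append(f"{s.name}: mixed IPv4/IPv6 endpoints")
            continue
        if first > last:
            problems.append(f"{s.name}: first IP is after last IP")
            continue
        # VPN pools get virtual entity profiles, which Pathfinder cannot scan.
        if s.reserved_for_vpn and s.pathfinder_vm:
            problems.append(f"{s.name}: VPN segment must leave Pathfinder VM blank")
        for name, o_first, o_last in seen:   # overlap with another custom segment
            if first.version == o_first.version and first <= o_last and o_first <= last:
                problems.append(f"{s.name}: overlaps {name}")
        seen.append((s.name, first, last))
    return problems


def low_dns_segments(rows, dns_min=50):
    """Segments whose DNS % in the coverage report is not above 50."""
    return [r["segment"] for r in rows if r["dns_pct"] <= dns_min]


# Constructed sample data, not taken from any real deployment.
PLANNED = [
    Segment("corp-lan", "10.10.0.0", "10.10.255.255", "pf-vm-01"),
    Segment("gp-vpn-pool", "10.200.0.1", "10.200.3.254", "pf-vm-01", True),
    Segment("dc-servers", "10.10.50.0", "10.10.50.255"),
]
COVERAGE = [
    {"segment": "corp-lan", "dns_pct": 83, "dhcp_pct": 91},
    {"segment": "dc-servers", "dns_pct": 41, "dhcp_pct": 0},
]
```

Running `validate_segments(PLANNED)` reports the VPN pool that still has a Pathfinder VM assigned and the server range that overlaps the LAN segment; `low_dns_segments(COVERAGE)` returns the segment whose DNS % is below the documented mark.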