Use the Cortex® XDR™ Interface

The Cortex XDR management console interface includes a range of tools and options that enable you to comprehensively monitor and manage your network security.
Cortex XDR provides an easy-to-use interface that you can access from the hub. By default, Cortex XDR displays the Incident Management Dashboard when you log in. If desired, you can change the default dashboard or Build a Custom Dashboard that displays when you log in.
Each SAML login session is valid for 8 hours.
Depending on your license and assigned role, you can explore the following areas in the app.
From this menu, you can manage your dashboards and run reports.
From this menu, you can investigate a lead or hunt for threats. You can access the Query Builder to search logs from your Palo Alto Networks sensors, the Query Center to view the status of all queries, and Scheduled Queries to view the status and modify the frequency of reoccurring queries.
You can also view all incidents, prioritize incidents, and set alert exceptions.
From this menu, you can respond to identified threats and take action. With a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license, you can view the Action Center where you can initiate investigation and response actions such as isolating an endpoint or initiating a live terminal session to investigate processes and files locally.
From this menu, you can also add malicious domains and IP addresses to an external dynamic list enforceable on your Palo Alto Networks firewall.
With a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license, you can manage your endpoints and endpoint security policy from this menu.
From this menu, you can configure additional add-on security services such as Device Control. Device Control requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
With a Cortex XDR Pro per TB license, you can define indicators of known threats to enable Cortex XDR to raise alerts when detected. As you investigate and research threats and uncover specific indicators and behaviors associated with a threat, you can create rules to detect and alert you when the behavior occurs.
With a Cortex XDR Pro license, you can access additional Cortex XDR modules available for your tenant:
  • Host Insights
  • Forensics
From this menu, you can define your network parameters and view a list of all the assets in your network.
With a Managed Threat Hunting license and a Cortex XDR Pro for Endpoint license with a minimum of 500 endpoints, you can view your Managed Threat Hunting Reports and communicate directly with the Managed Threat Hunting team.
Quick Launcher
Open an in-context shortcut that you can use to search for information, perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app.
Settings and management
From the gear icon, you can view a log of actions initiated by Cortex XDR analysts, configure Cortex XDR settings to integrate with other apps and services, and manage settings for the analytics engine.
View Cortex XDR notifications such as when a query completes.
From the User, see who is logged into Cortex XDR. Right-click and select:
  • About to view additional version and tenant ID information.
  • What’s New to view selected new features available for your license type.
  • Hide / Show Guide Center to toggle display of the Guide Center icon.
  • Log Out to terminate connection with your Cortex XDR Management Console.
Access a list of apps allocated to your hub account.
The following topics describe additional management actions you can perform on page results: