Everything You Need to Configure Cortex XDR

Review the prerequisites for setting up Cortex XDR apps.
The following prerequisites cover everything you need to know before activating Cortex XDR apps and setting up related services. Review these requirements carefully before you Activate Cortex XDR Apps.
Cortex XDR Requirements
Description
User Roles
To activate Cortex XDR apps, you must be assigned either the Account Administrator or the App Administrator role for each of the following apps and services in Cortex hub:
  • Cortex Data Lake
  • Cortex XDR – Analytics
  • Cortex XDR – Investigation and Response
  • Traps
If you do not have the appropriate roles for all four apps and services when you activate Cortex XDR, activation will fail.
Auth Code
After you purchase a Cortex XDR license through your sales representative, Palo Alto Networks sends you an email that includes an authorization (auth) code. Use this auth code to activate the following apps in the Palo Alto Networks Cortex Hub:
  • Cortex XDR – Analytics app
  • Cortex XDR – Investigation and Response app
  • Traps management service app
These apps are all included with your purchase of Cortex XDR.
If you do not already have a Cortex Data Lake instance, you will also receive a separate auth code to activate it.
Cortex XDR – Analytics
Existing Magnifier Auth Code
If you are an existing Cortex XDR – Analytics customer, Palo Alto Networks automatically converts your auth code to associate with the new Cortex XDR license:
  • Activated Magnifier instance: If you already have an active Magnifier instance, Palo Alto Networks automatically migrates your data to the new Cortex Platform by April 2019. The new license provides the same size allocation as your original license. After your license is migrated, you can use your original auth code to activate the Cortex XDR – Investigation and Response and Traps apps, which are also included with the new license.
  • Unactivated Magnifier instance: If you have not activated your Magnifier instance, Palo Alto Networks automatically associates your auth code with the new Cortex XDR license. When you go to activate the app using the auth code, you can activate all Cortex XDR apps.
Cortex XDR – Analytics User Role
Account Administrator or App Administrator role for the Cortex XDR – Analytics app in the Cortex hub. See Manage Roles.
Network Requirements
If the network that Cortex XDR – Analytics is monitoring has more than one subnet, make sure that the subnets do not contain duplicate IP addresses.
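One way to check the duplicate-address requirement above before activation, as an added example that is not part of the Palo Alto Networks documentation or product. The subnet list and the (site, IP, MAC) inventory format are constructed for illustration; substitute an export from your own IPAM or DHCP servers.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample data: monitored subnets and a (site, ip, mac) inventory.
SUBNETS = ["10.10.0.0/16", "10.10.20.0/24", "192.168.5.0/24", "172.16.0.0/22"]
INVENTORY = [
    ("hq", "10.10.20.15", "00:50:56:AA:01:01"),
    ("branch", "10.10.20.15", "00:50:56:bb:02:02"),  # same IP, different host
    ("hq", "192.168.5.9", "00:50:56:AA:01:03"),
    ("hq", "192.168.5.9", "00:50:56:aa:01:03"),      # same host, MAC case differs
]

def overlapping_subnets(cidrs):
    """Return pairs of subnets whose address ranges intersect.

    strict=True rejects entries with host bits set (for example
    10.10.20.1/24), which are usually typos in the subnet list.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2)
            if a.version == b.version and a.overlaps(b)]

def duplicate_addresses(inventory):
    """Map each IP claimed by more than one (site, MAC) pair to its claimants."""
    claims = defaultdict(set)
    for site, ip, mac in inventory:
        # Normalise both fields so formatting differences are not reported.
        claims[ipaddress.ip_address(ip)].add((site, mac.lower()))
    ordered = sorted(claims.items(), key=lambda kv: (kv[0].version, int(kv[0])))
    return {str(ip): sorted(owners) for ip, owners in ordered if len(owners) > 1}

if __name__ == "__main__":
    for a, b in overlapping_subnets(SUBNETS):
        print(f"overlap: {a} and {b}")
    for ip, owners in duplicate_addresses(INVENTORY).items():
        print(f"duplicate: {ip} claimed by {owners}")
```

An overlap between two subnet definitions means the same address can legitimately exist in both, so resolve overlaps first and then clear any remaining duplicates reported from the inventory.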
Firewall and Panorama Requirements
Pathfinder Requirements
Pathfinder is optional but highly recommended even if you already use Traps advanced threat protection to protect your endpoints.
Requirements to Set Up Pathfinder:
  • Hardware to support the Pathfinder virtual machine (2 cores, 8 GB RAM, 128 GB disk).
  • VMware ESXi or Hyper-V.
  • An internal DNS server.
  • Pathfinder requires Local Administrator permissions for all endpoints. For more information, see this Microsoft procedure.
  • Pathfinder requires the following ports to be open for communication with the devices it scans:
    • RPC Endpoint Mapper (port 135)
    • NetBIOS over TCP/IP Name Services (port 137)
    • NetBIOS over TCP/IP Session Services (port 139)
    • SMB over TCP/IP (port 445)
  • Pathfinder requires port 443 to be open to communicate with the Cortex XDR – Analytics app.
  • Pathfinder requires port 444 to be open. It uses the FQDNs on port 444 to perform query and validity checks as part of the process to pair with the Cortex XDR – Analytics app.
  • All devices that Pathfinder scans must provide the following services:
    • WMI Service
    • Eventlog Service
    • PowerShell
Directory Sync Service
Directory Sync Service is optional, but strongly recommended. It allows Cortex XDR – Analytics to add more details to Cortex XDR – Analytics alerts and triage screens.
To use Directory Sync, you must activate the service and install an agent locally on your network that is configured to read from your Active Directory installation.
You can Set Up Directory Sync Service at any time, so it isn't strictly necessary for you to have Directory Sync installed before you continue with Cortex XDR – Analytics configuration.
Cortex XDR – Investigation and Response
User Role
Account Administrator or App Administrator role for the Cortex XDR – Investigation and Response app in the Cortex hub. See Manage Roles.
Traps
User Role
Account Administrator or App Administrator role for the Traps app in the Cortex hub. See Manage Roles.
Directory Sync Service
Directory Sync Service is optional, but strongly recommended. It enables you to leverage your user directory when you configure policies in Traps management service.
To use Directory Sync, you must activate the service and install an agent locally on your network that is configured to read from your Active Directory installation.
You can Set Up Directory Sync Service at any time, so it isn't strictly necessary for you to have Directory Sync installed before you continue with Traps configuration.
