Set Up Cortex XDR – Analytics

Cortex XDR – Analytics analyzes data from a variety of network, endpoint, and cloud detection sources. For the most complete set of correlated data, collect network and cloud data from your Panorama-managed Palo Alto Networks firewalls, use GlobalProtect and GlobalProtect cloud service to monitor VPN traffic from your mobile endpoints, and use either Traps or Pathfinder to collect endpoint data. In situations where Traps cannot collect data from every endpoint, you can use both Traps and Pathfinder.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR – Analytics.
  1. Review that you have all the Cortex XDR – Analytics requirements described in Everything You Need to Configure Cortex XDR – Analytics.
  2. If you have not already done so, assign the Cortex XDR – Analytics User Role to the user(s) who will be setting up the app and Pathfinder.
  3. Configure Firewalls and Panorama to Support Cortex XDR – Analytics.
    This includes enabling the firewalls to forward the logs that Cortex XDR – Analytics requires to the Palo Alto Networks Cortex Data Lake.
  4. Log into your Cortex XDR – Analytics app either using the direct link or from the Cortex hub.
  5. Use Management > Reports to configure email reports.
    Examples of details that reports might include (based on your preferences) are the latest suspicious and confirmed alerts and unverified alerts triggered in the last seven days. You can also configure Cortex XDR – Analytics to send notifications for System Alerts.
  6. Specify the internal networks that you want Cortex XDR – Analytics to monitor.
    1. View existing network segments.
      Select the gear icon in the upper right corner and select Status > Network Coverage. This page provides a table of the IP address ranges that Cortex XDR – Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
    2. To add custom network segments, select the gear icon in the upper right corner and select Configuration.
    3. Select Network Segments, add a new segment, and enter the first and last IP address of the range to monitor.
    4. Specify the Assigned Pathfinder VM to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular segment, then leave the field blank.
    5. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
    6. Leave the Reserved for VPN field in the final column blank. See the following step for adding your GlobalProtect VPN IP address pool to the Cortex XDR – Analytics app as a network segment to monitor.
    7. Save the network segment.
      If the Configuration saved notification does not appear, save again.
  7. If you use GlobalProtect or GlobalProtect cloud service, add the GlobalProtect VPN IP address pool to monitor mobile endpoint VPN traffic.
    1. To enable the Cortex XDR – Analytics app to analyze your VPN traffic, add a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.
    2. Leave the Pathfinder VM assignment blank for GlobalProtect VPN IP address pool network segments.
      The app creates virtual endpoint profiles from the username-associated VPN traffic, and Pathfinder cannot scan those virtual profiles.
    3. Identify this network segment as Reserved for VPN.
      Mobile endpoints connect through VPN tunnels and GlobalProtect dynamically assigns their IP addresses from the VPN pool. The Cortex XDR – Analytics app creates virtual entity profiles for network segments that are reserved for VPN.
    4. Save the network segment.
      If the Configuration saved notification does not appear, save again.
  8. After you have activated Cortex XDR – Analytics, wait about an hour, and then verify that Cortex XDR – Analytics is working by getting reports on the various networks that Cortex XDR – Analytics is monitoring.
    1. Select the gear icon in the upper right corner, select Status > Network Coverage, and then select IP Ranges Report.
    2. Enter the date and time range for which you want a report, and click Generate.
    3. Verify that the IP ranges match the network segments the firewall sees; the DNS % should be over 50. The DHCP % column should reflect the correct percentage for IP ranges that contain endpoints with dynamic IP addresses.
    4. In a deployment with GlobalProtect, verify that the app generates alerts from GlobalProtect VPN traffic data.
      You can identify alerts for mobile endpoints in two ways:
      • From the Triage page, you can identify alerts on mobile endpoints by the Mobile VPN label in the alert name. You can also filter alerts by the Mobile User VPN device type.
      • From the entity detail page you can identify a mobile user or endpoint from the device type and from the alert name.
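The following Python script is an added example, not part of the Palo Alto Networks documentation: it sanity-checks a planned set of network segments against the rules in steps 6 through 8 (well-formed, non-overlapping ranges, no Pathfinder VM on a VPN-reserved pool, and DNS % over 50 in the IP Ranges Report). The Segment fields and the report row format are assumptions; the app's own export format is not given on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:  # one Network Segments row (assumed field names)
    first: str
    last: str
    pathfinder_vm: Optional[str] = None  # blank means Pathfinder does not scan it
    reserved_for_vpn: bool = False

def segment_problems(segments):
    """Return a list of problems found in the planned network segments."""
    problems, parsed = [], []
    for s in segments:
        first, last = ipaddress.ip_address(s.first), ipaddress.ip_address(s.last)
        if first.version != last.version:
            problems.append(f"{s.first}-{s.last}: first and last address differ in IP version")
            continue
        if first > last:
            problems.append(f"{s.first}-{s.last}: first address is after last address")
            continue
        # Step 7: a VPN pool yields virtual profiles that Pathfinder cannot scan
        if s.reserved_for_vpn and s.pathfinder_vm:
            problems.append(f"{s.first}-{s.last}: VPN pool must not have a Pathfinder VM")
        parsed.append((first, last, s))
    # Flag overlapping ranges, which make the IP Ranges Report ambiguous
    parsed.sort(key=lambda t: (t[0].version, t[0]))
    for (a0, a1, a), (b0, b1, b) in zip(parsed, parsed[1:]):
        if a0.version == b0.version and b0 <= a1:
            problems.append(f"{a.first}-{a.last} overlaps {b.first}-{b.last}")
    return problems

def report_problems(rows, min_dns_pct=50):
    """Step 8: each IP Ranges Report row (constructed dict format) needs DNS % over 50."""
    return [f"{r['range']}: DNS {r['dns_pct']}% is not over {min_dns_pct}%"
            for r in rows if r["dns_pct"] <= min_dns_pct]

# Constructed sample input: two LAN segments, one VPN pool, one misconfigured pool
SAMPLE_SEGMENTS = [
    Segment("10.1.0.0", "10.1.255.255", pathfinder_vm="pf-vm-01"),
    Segment("10.2.0.0", "10.2.0.255"),
    Segment("172.16.50.0", "172.16.50.255", reserved_for_vpn=True),
    Segment("172.16.50.128", "172.16.51.255", pathfinder_vm="pf-vm-01", reserved_for_vpn=True),
]
SAMPLE_REPORT = [  # constructed rows mimicking the IP Ranges Report columns
    {"range": "10.1.0.0-10.1.255.255", "dns_pct": 83, "dhcp_pct": 90},
    {"range": "10.2.0.0-10.2.0.255", "dns_pct": 41, "dhcp_pct": 0},
]
```

Run `segment_problems(SAMPLE_SEGMENTS)` and `report_problems(SAMPLE_REPORT)` before saving the configuration; an empty list from both means the planned segments satisfy the checks above.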
  9. If you want to use Pathfinder to supplement Traps or choose not to use Traps, continue to Set Up Pathfinder.
  10. If you selected a Directory Sync Service instance during the Cortex XDR activation process, you need to configure Cortex XDR – Analytics to use it.