Set Up Cortex XDR

Before you can begin using Cortex XDR and the Cortex XDR analytics engine, you must set up your network, cloud, and/or endpoint sensors. The more sensors that you integrate with Cortex XDR, the more context you have when a threat is detected. For the most complete set of correlated data, you can set up Cortex XDR to raise alerts on network and cloud data from your Panorama-managed Palo Alto Networks firewalls, VPN traffic from your mobile endpoints protected by GlobalProtect and Prisma Access, and endpoint data collected by either Traps or Pathfinder.
The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.
  1. Review that you have all the Cortex XDR requirements described in Everything You Need to Configure Cortex XDR.
  2. If you have not already done so, assign the Cortex XDR roles to the users who will set up and manage the app.
    If the user will also manage Cortex XDR analytics features, ensure that the user is also assigned the appropriate role for Cortex XDR – Analytics.
  3. Configure the Cortex XDR analytics engine.
    1. This includes enabling firewalls to forward Cortex XDR-required logs to the Palo Alto Networks Cortex Data Lake.
    2. Specify the internal networks that you want Cortex XDR to monitor.
      1. Log in to your Cortex XDR app either using the direct link or from the Cortex XDR tile on the hub.
      2. To view existing network segments, select the gear ( gear.png ) in the upper right corner and select Analytics Management > Status > Network Coverage. This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.
      3. To add custom network segments, select Configuration and then Network Segments.
      4. Add ( add-icon.png ) a new segment and enter the first and last IP address of the range to monitor.
      5. Specify the Assigned Pathfinder VM to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular segment, leave the field blank.
      6. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
      7. Leave Reserved for VPN blank. See the following step for adding your GlobalProtect VPN IP address pool to the Cortex XDR app as a network segment to monitor.
      8. Save ( save-icon.png ) the network segment. If the Configuration saved notification does not appear, save again.
    3. If you use GlobalProtect or Prisma Access, add the GlobalProtect VPN IP address pool for mobile endpoint VPN traffic that you want to monitor.
      1. To enable the Cortex XDR app to analyze your VPN traffic, add ( add-icon.png ) a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.
      2. Leave the Pathfinder VM assignment blank for GlobalProtect VPN IP address pool network segments. The app builds virtual endpoint profiles from the username associated with the VPN traffic, and Pathfinder cannot scan those virtual profiles.
      3. Identify this network segment as Reserved for VPN. GlobalProtect dynamically assigns IP addresses from the IP pool to the mobile endpoints that connect to your network. The Cortex XDR analytics engine creates virtual entity profiles for network segments that are reserved for VPN.
      4. Save ( save-icon.png ) the network segment. If the Configuration saved notification does not appear, save again.
    4. After you have configured the analytics engine, wait about an hour, and then verify that Cortex XDR is receiving alerts on the various networks that the analytics engine is monitoring.
      1. To view the coverage of the existing network segments, select the gear ( gear.png ) > Analytics Management > Status and then select Network Coverage.
      2. Select the report duration, or enter a custom date and time range, and click Generate.
      3. Verify that the IP ranges match the network segments the firewall sees; the DNS % should be over 50. The DHCP % column should reflect the correct percentage for IP ranges that contain endpoints with dynamic IP addresses.
      4. In a deployment with GlobalProtect or Prisma Access, verify that the app generates alerts on VPN traffic.
    5. If you want to use Pathfinder to supplement Traps or choose not to use Traps, Set Up Pathfinder.
    6. If you selected a Directory Sync Service instance during the Cortex XDR activation process, configure Cortex XDR to use it.
    7. Activate Cortex XDR - Analytics.
      By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables the Cortex XDR analytics engine to analyze data from your sensors to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected. To create a baseline, Cortex XDR requires a minimum set of data. To satisfy the requirement you must have either EDR logs from a minimum of 30 endpoints or 675MB of network traffic logs from your Palo Alto Networks firewalls in the last 24 hours.
      1. In Cortex XDR, select the gear ( gear.png ) in the upper right corner and then select Settings > Cortex XDR - Analytics. The Enable option is grayed out if you do not have the required data set.
        cortex-analytics-enable.png
      2. When available, Enable Cortex XDR - Analytics. The analytics engine immediately begins analyzing your Cortex data for anomalies.
  4. (Optional) Palo Alto Networks automatically delivers behavioral indicator of compromise (BIOC) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import additional rules as needed.
    To alert on specific BIOCs, import BIOC rules. To immediately begin alerting on known malicious indicators of compromise (IOCs), such as known malicious IP addresses, import IOC rules.
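The network segment rules spread across the procedure above (first IP must precede last IP, segments should not overlap, the GlobalProtect pool segment must be Reserved for VPN with no Pathfinder VM assigned, and the Network Coverage report should show DNS % above 50 for every range) are easy to get wrong when entered by hand. The following script is an added example, not Cortex XDR code and not a Cortex XDR API (segments are entered through the UI): it checks a planned segment list and a set of rows copied from the Network Coverage report before and after you click through the UI. The Segment fields mirror the UI fields named above; the assumption that the report renders a range as "first-last", the has_dynamic_hosts flag, and every address and percentage are constructed for the example.

```python
"""Pre-flight checks for a Cortex XDR network segment plan (added example,
not product code). Field names mirror the UI fields; all data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Segment:
    name: str                            # label used only in this script's output
    first_ip: str                        # first IP address of the range
    last_ip: str                         # last IP address of the range
    pathfinder_vm: Optional[str] = None  # "Assigned Pathfinder VM"; None = left blank
    reserved_for_vpn: bool = False       # "Reserved for VPN"


def _parse_range(first_ip: str, last_ip: str):
    """Parse a first/last pair; raise ValueError for a range the UI cannot take."""
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    if first.version != last.version:
        raise ValueError("first and last IP are of different IP versions")
    if first > last:
        raise ValueError("first IP is after last IP")
    return first, last


def check_segments(segments: Sequence[Segment], vpn_pool: Tuple[str, str]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent.
    vpn_pool is the (first, last) of the GlobalProtect VPN IP address pool."""
    problems: List[str] = []
    vpn_first, vpn_last = _parse_range(*vpn_pool)
    seen = []  # (name, first, last) of segments already accepted
    vpn_segment_found = False
    for seg in segments:
        try:
            first, last = _parse_range(seg.first_ip, seg.last_ip)
        except ValueError as exc:
            problems.append(f"{seg.name}: {exc}")
            continue
        if seg.reserved_for_vpn:
            vpn_segment_found = True
            # Pathfinder cannot scan the virtual profiles built from VPN traffic.
            if seg.pathfinder_vm:
                problems.append(f"{seg.name}: Reserved for VPN but a Pathfinder VM is assigned; leave it blank")
            if (first, last) != (vpn_first, vpn_last):
                problems.append(f"{seg.name}: Reserved for VPN but does not match the GlobalProtect pool "
                                f"{vpn_pool[0]}-{vpn_pool[1]}")
        elif (first, last) == (vpn_first, vpn_last):
            problems.append(f"{seg.name}: covers the GlobalProtect pool but is not Reserved for VPN")
        # Overlapping segments make the per-segment Pathfinder/VPN settings ambiguous.
        for other, ofirst, olast in seen:
            if first.version == ofirst.version and first <= olast and ofirst <= last:
                problems.append(f"{seg.name}: overlaps {other}")
        seen.append((seg.name, first, last))
    if not vpn_segment_found:
        problems.append("no segment is Reserved for VPN; VPN endpoints get no virtual entity profiles")
    return problems


def check_coverage(segments: Sequence[Segment],
                   rows: Sequence[Tuple[str, float, float, bool]],
                   min_dns_pct: float = 50.0) -> List[str]:
    """Compare Network Coverage report rows (ip_range, dns_pct, dhcp_pct,
    has_dynamic_hosts) with the plan. ip_range is assumed rendered as
    "first-last"; has_dynamic_hosts is the operator's own knowledge."""
    problems: List[str] = []
    reported = {row[0] for row in rows}
    for seg in segments:
        if f"{seg.first_ip}-{seg.last_ip}" not in reported:
            problems.append(f"{seg.name}: configured but absent from the coverage report")
    for ip_range, dns_pct, dhcp_pct, has_dynamic_hosts in rows:
        if dns_pct <= min_dns_pct:
            problems.append(f"{ip_range}: DNS % is {dns_pct}, expected above {min_dns_pct}")
        if has_dynamic_hosts and dhcp_pct == 0:
            problems.append(f"{ip_range}: DHCP % is 0 although the range has dynamic hosts")
    return problems


# Constructed sample plan and report rows; not from any real deployment.
GP_POOL = ("10.99.0.1", "10.99.0.254")
PLAN = [
    Segment("corp-lan", "10.10.0.0", "10.10.255.255", pathfinder_vm="pf-vm-01"),
    Segment("servers", "10.20.0.0", "10.20.0.255", pathfinder_vm="pf-vm-01"),
    Segment("servers-dup", "10.20.0.128", "10.20.1.0", pathfinder_vm="pf-vm-01"),  # overlaps servers
    Segment("gp-vpn", *GP_POOL, pathfinder_vm="pf-vm-01", reserved_for_vpn=True),  # VM must be blank
    Segment("reversed", "10.30.0.255", "10.30.0.0"),                                # first > last
]
COVERAGE_ROWS = [
    ("10.10.0.0-10.10.255.255", 82.0, 61.0, True),
    ("10.20.0.0-10.20.0.255", 31.0, 0.0, False),   # DNS % too low
    ("10.99.0.1-10.99.0.254", 64.0, 0.0, False),   # GlobalProtect assigns the pool, not DHCP
]

if __name__ == "__main__":
    for line in check_segments(PLAN, GP_POOL) + check_coverage(PLAN, COVERAGE_ROWS):
        print(line)
```

Run it on the sample plan and it reports the overlap, the Pathfinder VM on the VPN segment, the reversed range, the two segments missing from the report, and the low DNS % row; fix the plan until the output is empty before entering the segments in the UI.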

Related Documentation