Review the steps to deploy and onboard Cortex XDR.
We recommend reviewing the following steps to successfully deploy and onboard Cortex XDR:
| Step | Action | Details | See more |
|---|---|---|---|
| Step 1: Activate Cortex XDR | Activate and log in to Cortex Gateway | | |
| Step 2: Pre-installation steps for Cortex XDR agents | Assign user roles | Start assigning roles directly to users, or create user groups and assign roles to those groups. | |
| | Configure how users access Cortex XDR | You can authenticate users by doing one or both of the following: | |
| | Verify endpoint operating systems | Validate endpoint operating systems to ensure they are compatible with Cortex XDR. | |
| | Define endpoint groups | (Optional, can be performed post-deployment) Define an endpoint group to apply policy rules and manage specific endpoints. If you set up Cloud Identity Engine, you can also leverage your Active Directory user, group, and computer details in endpoint groups. | |
| | Customize endpoint security profiles | Customize your Endpoint Security Profiles and assign them to your endpoints. Cortex XDR provides default security profiles that you can use out of the box to immediately begin protecting your endpoints from threats. Defaults include profiles for exploits, malware, restrictions, agent settings, and exceptions. Review your policy rules and the security profiles assigned to these rules, and make any necessary adjustments. | |
| | Enable enhanced data collection from endpoints | Cortex XDR provides out-of-the-box exploit and malware protection. However, at minimum, you must enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XDR. Note: Data collection for Windows endpoints is available with Traps 6.0 and later releases and on endpoints running Windows 7 SP1 and later releases. Data collection on macOS and Linux endpoints is available with Traps 6.1 and later releases. | |
| Step 3: Install Cortex XDR agents | Plan agent deployment | Plan your agent deployment. | |
| | Keep Cortex XDR agents and content updated | Recommended strategy and best practices for managing agent and content updates, to help reduce the risk of downtime in a production environment while helping ensure timely delivery of security content and capabilities. | |
| | Create installation packages | To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR offers an agent installation and content update distribution package. | |
| | Review the Cortex XDR compatibility matrix | Until a Cortex XDR agent release reaches its end-of-life (EoL) status, Palo Alto Networks provides the following support: | |
| | Review Cortex XDR agent compatibility with third-party security products | Check the list of agent versions that Cortex XDR is compatible with. Contact the Cortex XDR teams for insights on agent versions that aren't listed. | |
| | Deploy agent installation packages | Deploy agent installation packages using a third-party tool such as SCCM, or manually on the endpoint. | |
| Step 4: Configure and deploy Cortex XDR | Enable Cortex XDR analytics | Set up monitoring for internal networks. Activate Cortex XDR Analytics to enable the analytics engine to analyze your endpoint data, develop a baseline, and generate analytics and analytics BIOC issues when anomalies and malicious behaviors are detected. (Optional but highly recommended) Enable Identity Analytics to aggregate and display user profile details, activities, and issues related to a user-based analytics type issue and Analytics BIOC rule during an investigation. Prerequisite: Cloud Identity Engine must be set up. | |
| | (Optional but highly recommended) Set up and configure Broker VM | Broker VM is used to proxy all Cortex XDR/Traps agent communication to provide a more predictable flow of traffic to and from the cloud for heartbeats, agent updates, content updates, and more. It also serves as a Syslog collection point for all third-party log ingestion. | |
| | (Optional but highly recommended) Install Cloud Identity Engine | Cloud Identity Engine is a complimentary service that enables you to leverage Active Directory user, group, and computer details in Cortex XDR to provide context when you investigate alerts. You can also use Active Directory information in policy configuration and endpoint management of Traps agents. | |
| | Install engines | Install an engine on a remote machine to allow communication between the remote machine and Cortex XDR. | |
| Step 5: Define data sources and integrations | Configure data ingestion | To provide you with a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest data from a variety of Palo Alto Networks, cloud, and third-party sources. | |