Review the steps to deploy and onboard Cortex XDR.
We recommend reviewing the following steps to successfully deploy and onboard Cortex XDR:
| Step | Action | Details |
|---|---|---|
| Step 1: Activate Cortex XDR | Activate and log in to Cortex Gateway | |
| Step 2: Pre-installation steps for Cortex XDR agents | Assign user roles | Assign roles directly to users, or create user groups and assign roles to those groups. |
| | Configure user access | Configure how users access Cortex XDR. You can authenticate users by doing one or both of the following: |
| | Verify endpoint operating systems | Validate that endpoint operating systems are compatible with Cortex XDR. |
| | Define endpoint groups | (Optional; can be performed after deployment.) Define endpoint groups to apply policy rules to, and to manage, specific sets of endpoints. If you set up Cloud Identity Engine, you can also use your Active Directory user, group, and computer information in endpoint groups. |
| | Customize endpoint security profiles | Customize your Endpoint Security Profiles and assign them to your endpoints. Cortex XDR provides default security profiles that you can use out of the box to begin protecting your endpoints immediately; the defaults include profiles for exploits, malware, restrictions, agent settings, and exceptions. Review your policy rules and the security profiles assigned to them, and make any necessary adjustments. |
| | Enable enhanced data collection from endpoints | Notice: enhanced data collection requires a Cortex XDR Pro per Endpoint license. Cortex XDR provides out-of-the-box exploit and malware protection, but at minimum you must enable Data Collection in an Agent Settings profile to use endpoint data in Cortex XDR. Note: data collection on Windows endpoints is available with Traps 6.0 and later releases on endpoints running Windows 7 SP1 and later; data collection on macOS and Linux endpoints is available with Traps 6.1 and later releases. |
| Step 3: Install Cortex XDR agents | Plan agent deployment | Plan your agent deployment. |
| | Create installation packages | To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR offers an agent installation and content update distribution package. |
| | Review the Cortex XDR compatibility matrix | Until a Cortex XDR agent release reaches its end-of-life (EoL) status, Palo Alto Networks provides the following support: |
| | Review Cortex XDR agent compatibility with third-party security products | Check the list of agent versions that Cortex XDR is compatible with. Contact the Cortex XDR team about agent versions that aren't listed. |
| | Deploy agent installation packages | Deploy agent installation packages with a third-party tool such as SCCM, or manually on each endpoint. |
| Step 4: Configure and deploy Cortex XDR | Enable Cortex XDR Analytics | Set up monitoring for internal networks. Activate Cortex XDR - Analytics so that the analytics engine can analyze your endpoint data, develop a baseline, and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected. (Optional but highly recommended) Enable Identity Analytics to aggregate and display user profile details, activities, and alerts related to a user-based Analytics alert or Analytics BIOC rule during an investigation. Important: Cloud Identity Engine must be set up first. |
| | (Optional but highly recommended) Install Broker VM | Broker VM proxies all Cortex XDR/Traps agent communication to provide a more predictable flow of traffic to and from the cloud for heartbeats, agent updates, content updates, and more. It also serves as a Syslog collection point for all third-party log ingestion. |
| | (Optional but highly recommended) Activate Pathfinder | Pathfinder examines network hosts, servers, and workstations for malicious or risky software. |
| | (Optional but highly recommended) Install Cloud Identity Engine | Cloud Identity Engine is a complimentary service that lets you use Active Directory user, group, and computer details in Cortex XDR to provide context when you investigate alerts. You can also use Active Directory information in policy configuration and in endpoint management of Traps agents. |
| Step 5: Define data sources | Configure data ingestion | Notice: ingestion of logs and data requires a Cortex XDR Pro per GB license. To give you a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest data from a variety of Palo Alto Networks and third-party sources. |
| Step 6: Perform health checks | Prevention policies | Set the action mode of your policies and profiles to Block for each module. |
| | Monitor operational status | Verify that Cortex XDR agents are protecting endpoints according to the predefined security policies and profiles. |
| | Test sample malware | Use a PE, Mac OS X, or APK malware test file to test end-to-end WildFire sample processing. |
| | Validate detectors for alerts and incidents | Check alerts and their associated alert sources. Validate that the configuration at the policy level and at the agent deployment level meets the requirements for generating alerts and incidents in Cortex XDR. For example, check the following: |
| | Validate log ingestion from external integrations | Verify which datasets are being created. The Dataset Management page lets you manage your datasets and understand your overall data storage duration across retention periods and datasets, based on your Hot and Cold Storage licenses and any retention add-ons that extend your storage. |
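The operating-system check in Step 2 and the data-collection prerequisites listed in the same step (Pro per Endpoint license, agent 6.0 or later on Windows 7 SP1 or later, agent 6.1 or later on macOS and Linux) combine into a gate that can be run over an endpoint inventory before rollout. The following is an added example, not code from Palo Alto Networks or the Cortex XDR documentation. It assumes an inventory that records OS family, OS version and agent version per host (constructed sample data here, with field names of the script's own choosing), and it relies on one general Windows fact the page does not state: Windows 7 SP1 reports NT version 6.1 build 7601, while the RTM release reports build 7600.

```python
"""Pre-installation gate for Cortex XDR enhanced data collection.

Added example; not code from the Cortex XDR documentation or product. It applies
the requirements stated in Step 2: enhanced data collection needs a Cortex XDR
Pro per Endpoint license, agent (Traps) 6.0 or later on Windows 7 SP1 or later,
and agent 6.1 or later on macOS and Linux. Windows 7 SP1 reports NT version
6.1 build 7601 (RTM is build 7600), so the Windows check compares against that
build. The inventory is constructed sample data; the field names are this
script's own, not an export format of the product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum agent version per OS family for data collection (as stated on the page).
MIN_AGENT: Dict[str, Tuple[int, ...]] = {"windows": (6, 0), "macos": (6, 1), "linux": (6, 1)}
# Windows 7 SP1 expressed as NT major.minor.build.
MIN_WINDOWS_NT = (6, 1, 7601)


@dataclass
class Endpoint:
    name: str
    os_family: str       # "windows", "macos" or "linux"
    os_version: str      # Windows: NT "major.minor.build"; other OSes: free text
    agent_version: str   # installed or planned agent version, e.g. "7.2.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.7601' into (6, 1, 7601); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def check_endpoint(ep: Endpoint) -> List[str]:
    """Return the reasons data collection cannot be enabled on ep; an empty list means OK."""
    family = ep.os_family.lower()
    if family not in MIN_AGENT:
        return [f"unknown OS family '{ep.os_family}': verify compatibility manually"]
    problems: List[str] = []
    if family == "windows" and parse_version(ep.os_version) < MIN_WINDOWS_NT:
        problems.append(f"Windows NT {ep.os_version} is older than Windows 7 SP1 (6.1.7601)")
    if parse_version(ep.agent_version) < MIN_AGENT[family]:
        need = ".".join(str(n) for n in MIN_AGENT[family])
        problems.append(f"agent {ep.agent_version or '<none>'} is older than the {need} required on {family}")
    return problems


def audit(inventory: List[Endpoint], pro_per_endpoint_license: bool):
    """Split the inventory into (ready, blocked) lists of (endpoint, reasons) pairs."""
    if not pro_per_endpoint_license:
        reason = ["enhanced data collection requires a Cortex XDR Pro per Endpoint license"]
        return [], [(ep, reason) for ep in inventory]
    ready, blocked = [], []
    for ep in inventory:
        problems = check_endpoint(ep)
        (blocked if problems else ready).append((ep, problems))
    return ready, blocked


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Endpoint("WS-01", "windows", "10.0.19045", "7.9.0"),   # Windows 10, current agent
    Endpoint("WS-02", "windows", "6.1.7600", "7.0.0"),     # Windows 7 RTM: below SP1
    Endpoint("WS-03", "windows", "6.1.7601", "5.0.9"),     # Windows 7 SP1, agent too old
    Endpoint("MAC-01", "macos", "13.6", "6.0.0"),          # macOS needs agent 6.1 or later
    Endpoint("LNX-01", "linux", "Ubuntu 22.04", "7.5.0"),  # page states no OS-version gate for Linux
    Endpoint("SRV-01", "solaris", "11.4", "7.0.0"),        # not an OS family the page lists
]

if __name__ == "__main__":
    ready, blocked = audit(SAMPLE_INVENTORY, pro_per_endpoint_license=True)
    print(f"ready for data collection: {[ep.name for ep, _ in ready]}")
    for ep, reasons in blocked:
        print(f"BLOCKED {ep.name}: " + "; ".join(reasons))
```

Hosts the gate blocks still need to be reconciled against the compatibility matrix from Step 3 before Data Collection is enabled in their Agent Settings profile; the gate only tells you where that setting would not yield endpoint data under the requirements the page states.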
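The Broker VM in Step 4 is the Syslog collection point for third-party log ingestion, and Step 6 asks you to validate that ingestion. The following added example (not Palo Alto Networks code) shows what a well-formed RFC 5424 message looks like on the wire and checks it end to end on the loopback interface, with a local UDP socket standing in for the Broker VM's collector, so the sending side can be verified before real devices are pointed at it. The host names, the sample event and the enterprise number 32473 (the value reserved for examples) are constructed for this demo; the transport and port your Broker VM actually listens on come from its syslog collector configuration, and 514/UDP in send_to_collector is only the conventional syslog default.

```python
"""Loopback check of a syslog message bound for a Broker VM syslog collector.

Added example; not Palo Alto Networks code. The sender formats an RFC 5424 line
the way a third-party source should emit it; the receiver is a local UDP socket
standing in for the collector, so the format can be verified offline before
real devices are pointed at the Broker VM. The sample event, host names and the
enterprise number 32473 (reserved for examples) are constructed; the transport
and port the Broker VM actually listens on are whatever you configured on its
syslog collector (514/UDP is only the conventional default assumed below).
"""
import re
import socket
from datetime import datetime, timezone

LOCAL0 = 16   # syslog facility local0
INFO = 6      # syslog severity informational

# RFC 5424 6.3.3: '"', '\' and ']' must be backslash-escaped inside a PARAM-VALUE.
SD_ESCAPE = str.maketrans({'"': '\\"', "\\": "\\\\", "]": "\\]"})


def build_syslog(hostname, app, msg_id, sd_id, params, message,
                 facility=LOCAL0, severity=INFO, ts=None):
    """Assemble one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    stamp = (ts or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    sd = " ".join([sd_id] + [f'{k}="{str(v).translate(SD_ESCAPE)}"' for k, v in params.items()])
    return f"<{pri}>1 {stamp} {hostname} {app} - {msg_id} [{sd}] {message}"


HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$"
)
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_syslog(line):
    """Parse an RFC 5424 line into its header fields and structured-data params."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a well-formed RFC 5424 message: " + line[:60])
    pri = int(m.group("pri"))
    # Undo the backslash escaping applied to param values by the sender.
    params = {k: re.sub(r"\\(.)", r"\1", v) for k, v in PARAM_RE.findall(m.group("sd"))}
    return {
        "facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
        "host": m.group("host"), "app": m.group("app"), "msgid": m.group("msgid"),
        "params": params, "message": m.group("msg") or "",
    }


def loopback_check(line, host="127.0.0.1", timeout=2.0):
    """Stand-in collector: bind a UDP socket, send the line to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((host, 0))             # ephemeral port, no privileges needed
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        tx.sendto(line.encode("utf-8"), (host, port))
        data, _ = rx.recvfrom(65535)
    return parse_syslog(data.decode("utf-8"))


def send_to_collector(line, host, port=514):
    """Production direction: send the line to the Broker VM syslog collector over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(line.encode("utf-8"), (host, port))


# Constructed sample event: a firewall deny whose rule name contains quotes, to exercise escaping.
SAMPLE_TS = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINE = build_syslog(
    "fw-edge-1", "demo-fw", "TRAFFIC", "traffic@32473",
    {"src": "10.0.0.5", "dst": "198.51.100.7", "action": "deny", "rule": 'block "outbound"'},
    "denied outbound session", ts=SAMPLE_TS,
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(loopback_check(SAMPLE_LINE))
```

Once the loopback check passes, point send_to_collector at the Broker VM address and the port configured on its syslog collector, then confirm in the Dataset Management page that the expected dataset appears, as Step 6 describes.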