Cortex XDR onboarding checklist

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-09
Category
Administrator Guide
Abstract

Review the steps to deploy and onboard Cortex XDR.

Figure: Cortex XDR onboarding flow (XDR_Onboard_Flow.png)

We recommend reviewing the following steps to successfully deploy and onboard Cortex XDR:

Each row below gives the step, the action to take, and the details for that action; "See topic" marks a link to the full topic in the Administrator Guide.

Step 1: Activate Cortex XDR

Activate and log in to Cortex Gateway

  1. Follow the instructions in the activation email and sign in to Cortex Gateway.

  2. Confirm license type.

See topic

Enable access to Cortex XDR resources

Allow outbound access from your network (firewall and proxy allow lists) to the Cortex XDR communication servers, storage buckets, and resources for your tenant region.

See topic
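Allow-listing the Cortex XDR hosts is easy to get subtly wrong: the name may resolve while TCP is silently dropped, or TCP may connect while a TLS-intercepting proxy breaks the handshake the agent relies on. The following Python script is an added example, not part of the original page and not Palo Alto Networks' own tooling. It classifies the reachability of each required host from an endpoint network; the names in REQUIRED_HOSTS are hypothetical placeholders, since the real list depends on your tenant region and is given in the linked topic. The connect function is injectable so the classification logic can be exercised offline.

```python
"""Outbound reachability check for Cortex XDR resources (added example).

The required FQDNs depend on the tenant region and are listed in the
"Enable access" topic; the names below are hypothetical placeholders.
"""
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Hypothetical placeholders; replace with the hosts listed for your tenant.
REQUIRED_HOSTS: List[Tuple[str, int]] = [
    ("example-tenant.xdr.example.com", 443),
    ("distributions.xdr.example.com", 443),
]


def classify_error(exc: BaseException) -> str:
    """Map a connection failure to the thing a network admin has to fix."""
    if isinstance(exc, socket.gaierror):
        return "dns"        # name does not resolve: DNS or split-horizon issue
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # TCP RST: port closed or firewall rejecting
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"    # silent drop: typically a firewall or proxy block
    if isinstance(exc, ssl.SSLError):
        return "tls"        # TCP connects but TLS fails: interception or wrong host
    return "error"


def check_host(host: str, port: int, timeout: float = 5.0,
               connect: Callable[..., socket.socket] = socket.create_connection) -> str:
    """Return "ok" or a failure class for host:port; `connect` is injectable."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError as exc:                  # every socket error derives from OSError
        return classify_error(exc)
    try:
        # Full TLS handshake with certificate validation against the system store,
        # which is what the agent will do; a bare TCP connect is not enough.
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
            return "ok"
    except OSError as exc:
        sock.close()
        return classify_error(exc)


def run_checks(hosts: List[Tuple[str, int]] = REQUIRED_HOSTS,
               connect: Callable[..., socket.socket] = socket.create_connection) -> Dict[str, str]:
    """Check every required host and return {"host:port": status}."""
    return {f"{host}:{port}": check_host(host, port, connect=connect) for host, port in hosts}


def blocked(results: Dict[str, str]) -> List[str]:
    """Hosts that are not fully reachable, in a stable order for reporting."""
    return sorted(key for key, status in results.items() if status != "ok")


if __name__ == "__main__":
    results = run_checks()
    for key, status in results.items():
        print(f"{key}: {status}")
    raise SystemExit(1 if blocked(results) else 0)
```

Run it from a machine on the same network segment as the endpoints (not from the administrator's workstation, which often has wider egress); a "timeout" for a host that resolves usually means the firewall rule is missing, while "tls" points at SSL inspection that must exclude the Cortex XDR hosts.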

Step 2: Pre-installation steps for Cortex XDR agents

Assign user roles

Start assigning roles directly to users or create user groups and assign roles to those groups.

See topic

Configure user authentication

Configure how users access Cortex XDR. You can authenticate users in one or both of the following ways:

  • User authentication through the Customer Support Portal

  • SAML single sign-on in the Cortex XDR tenant

See topic

Verify endpoint operating systems

Validate endpoint operating systems to ensure they are compatible with Cortex XDR.

See topic

Define endpoint groups

(Optional, can be performed post-deployment) Define an endpoint group to apply policy rules and manage specific endpoints. If you set up Cloud Identity Engine, you can also leverage your Active Directory user, group, and computer information in endpoint groups.

See topic

Customize endpoint security profiles

Customize your Endpoint Security Profiles and assign them to your endpoints.

Cortex XDR provides default security profiles that you can use out-of-the-box to immediately begin protecting your endpoints from threats. Defaults include profiles for exploits, malware, restrictions, agent settings, and exceptions.

Review your policy rules and the security profiles assigned to these rules and make any necessary adjustments.

See topic

Enable enhanced data collection from endpoints

Notice

Enhanced data collection requires a Cortex XDR Pro per Endpoint license.

Cortex XDR provides out-of-the-box exploit and malware protection. However, at minimum, you must enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XDR.

Note

Data collection for Windows endpoints is available with Traps 6.0 and later releases, on endpoints running Windows 7 SP1 and later. Data collection on macOS and Linux endpoints is available with Traps 6.1 and later releases.

  1. Enable data collection in an Agent Settings profile to leverage endpoint data in Cortex XDR and use features such as Analytics or Host Insights.

  2. Attach the Agent Settings profile to a policy rule in order to apply it to selected endpoints.

  3. Set global agent configurations that apply to all the endpoints in your network.

See topic

See topic

See topic

Step 3: Install Cortex XDR agents

Plan agent deployment

Plan your agent deployment.

See topic

Create installation packages

To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR offers an agent installation and content update distribution package.

See topic

Review the Cortex XDR compatibility matrix

Until a Cortex XDR agent release reaches its end-of-life (EoL) status, Palo Alto Networks provides the following operating system support:

  • Microsoft operating systems are supported for three years beyond the end of Microsoft support.

  • Other operating systems are supported until their vendor declares them end-of-life.

  • Cortex XDR agents for macOS and 32-bit Windows are not FedRAMP compliant.

See topic

Review Cortex XDR agent compatibility with third-party security products

Check the list of third-party security products, and the agent versions, that the Cortex XDR agent is compatible with. Contact the Cortex XDR team for guidance on products or agent versions that aren't listed.

See topic

Deploy agent installation packages

Deploy the agent installation packages with a third-party software distribution tool such as Microsoft SCCM, or install them manually on each endpoint.

See topic

Step 4: Configure and deploy Cortex XDR

Enable Cortex XDR Analytics

Set up network monitoring by defining your internal network ranges, so that Analytics can tell internal traffic from external traffic.

See topic

Activate Cortex XDR Analytics so that the analytics engine can baseline your endpoint data and raise Analytics and Analytics BIOC alerts when it detects anomalies and malicious behavior.

See topic

(Optional but highly recommended) Enable Identity Analytics to aggregate and display user profile details, activities, and alerts for the user involved in an Analytics alert or Analytics BIOC rule during an investigation.

Danger

Cloud Identity Engine must be set up.

(Optional but highly recommended) Install Broker VM

The Broker VM proxies Cortex XDR agent communication (heartbeats, agent updates, content updates, and more) so that traffic to and from the cloud flows predictably through a single point that you can allow-list, instead of every endpoint needing direct internet egress. It also serves as the Syslog collection point for third-party log ingestion.

See topic

(Optional but highly recommended) Activate Pathfinder

Pathfinder runs as an applet on the Broker VM and scans network hosts, servers, and workstations that have no agent installed for malicious or risky software.

See topic

(Optional but highly recommended) Install Cloud Identity Engine

Cloud Identity Engine is a complimentary service that lets you use Active Directory user, group, and computer details in Cortex XDR for context when you investigate alerts. You can also use Active Directory information in policy configuration and endpoint management of Cortex XDR (formerly Traps) agents.

See topic

Step 5: Define data sources

Configure data ingestion

Notice

Ingestion of logs and data requires a Cortex XDR Pro per GB license.

To provide you with a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest data from a variety of Palo Alto Networks and third-party sources.

  • Configure Palo Alto Networks integrations for streaming data and ingesting logs.

  • Configure external data ingestion to ingest data from third-party sources.

See topic

See topic

Step 6: Perform health checks

Prevention policies

For each protection module in your security profiles, set the action mode to Block rather than Report, so that prevention is enforced and not only logged. Do this only after confirming in Report mode that the module does not flag your business applications.

See topic

Monitor operational status

Verify that Cortex XDR agents are protecting endpoints according to predefined security policies and profiles.

See topic

Test sample malware

Use a WildFire test file (PE, macOS, or APK) to verify end-to-end sample processing, from the agent's submission of the file to the WildFire verdict and the resulting alert.

See topic

Validate detectors for alerts and incidents

Check alerts and their associated alert sources.

Validate that the configuration at the policy level and at the agent deployment level meets the requirements for generating alerts and incidents in Cortex XDR.

For example, check the following:

  • The Cortex XDR agent generates WildFire malware alerts (alert source XDR Agent).

  • NGFW alerts are listed with the alert source PAN NGFW.

Validate log ingestion from external integrations

Verify which datasets are being created.

The Dataset Management page lets you manage your datasets and shows how long the data in each dataset is retained, based on your Hot and Cold Storage licenses and any retention add-ons that extend your storage.

See topic
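The two checks above, that each expected alert source is actually producing alerts and that each ingested dataset is actually receiving events, can be scripted rather than eyeballed in the console. The following Python script is an added example, not part of the original page and not Palo Alto Networks' own code. It uses the Cortex XDR public API as I know it from the API reference (get_alerts_multi for alerts, start_xql_query and get_query_results for XQL) with an Advanced API key, whose request signature is sha256(key + nonce + timestamp). The tenant FQDN, key ID and key are placeholders; the alert and query replies in demo_post are constructed sample data so the script runs offline, and the XQL `config timeframe` syntax and dataset names are assumptions to verify against your tenant.

```python
"""Step 6 health checks through the Cortex XDR public API (added example)."""
import hashlib
import json
import secrets
import time
import urllib.request
from collections import Counter
from typing import Any, Callable, Dict, Iterable, List, Optional

# Hypothetical placeholders: use your tenant's API FQDN and an Advanced API key.
API_FQDN = "api-example-tenant.xdr.example.com"
API_KEY_ID = 1
API_KEY = "replace-with-your-api-key"   # never hard-code a real key; load it from a secret store

Reply = Dict[str, Any]
Poster = Callable[[str, Reply, Dict[str, str]], Reply]


def auth_headers(api_key: str, api_key_id: int,
                 nonce: Optional[str] = None, ts_ms: Optional[int] = None) -> Dict[str, str]:
    """Advanced API key headers: the key itself is never sent, only
    sha256(key + nonce + timestamp), so a captured request cannot be replayed."""
    nonce = nonce or secrets.token_hex(32)
    ts_ms = int(time.time() * 1000) if ts_ms is None else ts_ms
    digest = hashlib.sha256(f"{api_key}{nonce}{ts_ms}".encode("utf-8")).hexdigest()
    return {"x-xdr-timestamp": str(ts_ms), "x-xdr-nonce": nonce,
            "x-xdr-auth-id": str(api_key_id), "Authorization": digest,
            "Content-Type": "application/json"}


def http_post(path: str, body: Reply, headers: Dict[str, str]) -> Reply:
    """Real transport: POST JSON to the tenant and decode the JSON reply."""
    req = urllib.request.Request(f"https://{API_FQDN}{path}", method="POST",
                                 data=json.dumps(body).encode("utf-8"), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def alerts_by_source(post: Poster = http_post, limit: int = 100) -> Counter:
    """Count the most recent alerts by alert source (e.g. "XDR Agent", "PAN NGFW")."""
    body = {"request_data": {"search_from": 0, "search_to": limit,
                             "sort": {"field": "creation_time", "keyword": "desc"}}}
    reply = post("/public_api/v1/alerts/get_alerts_multi/", body,
                 auth_headers(API_KEY, API_KEY_ID))["reply"]
    return Counter(alert.get("source", "unknown") for alert in reply.get("alerts", []))


def missing_sources(counts: Counter,
                    expected: Iterable[str] = ("XDR Agent", "PAN NGFW")) -> List[str]:
    """Expected sources with zero alerts: the detector or its integration is not wired up."""
    return [src for src in expected if counts[src] == 0]


def xql_result_count(query: str, post: Poster = http_post, tries: int = 15) -> int:
    """Start an XQL query, poll until it finishes, and return number_of_results."""
    headers = auth_headers(API_KEY, API_KEY_ID)
    query_id = post("/public_api/v1/xql/start_xql_query/",
                    {"request_data": {"query": query}}, headers)["reply"]
    for _ in range(tries):
        res = post("/public_api/v1/xql/get_query_results/",
                   {"request_data": {"query_id": query_id, "pending_flag": True,
                                     "limit": 1, "format": "json"}}, headers)["reply"]
        if res.get("status") == "SUCCESS":
            return int(res.get("number_of_results", 0))
        time.sleep(2)   # PENDING: the query is still running
    raise TimeoutError(f"XQL query {query_id} did not complete")


def stale_datasets(datasets: Iterable[str], hours: int = 1, post: Poster = http_post) -> List[str]:
    """Datasets with no events in the last `hours`: ingestion is broken or the source is idle."""
    return [ds for ds in datasets
            if xql_result_count(f"config timeframe = {hours}h | dataset = {ds} | limit 1", post) == 0]


# ---- Constructed offline stand-in for the tenant (sample data, not real API output) ----
_DEMO_ALERTS = [{"alert_id": "1", "source": "XDR Agent", "name": "WildFire Malware"},
                {"alert_id": "2", "source": "XDR Agent", "name": "WildFire Malware"},
                {"alert_id": "3", "source": "XDR Analytics", "name": "Unusual process"}]
_DEMO_QUERIES: Dict[str, str] = {}


def demo_post(path: str, body: Reply, headers: Dict[str, str]) -> Reply:
    if headers["x-xdr-auth-id"] != str(API_KEY_ID) or len(headers["Authorization"]) != 64:
        raise ValueError("malformed Advanced API key headers")
    if path.endswith("/alerts/get_alerts_multi/"):
        return {"reply": {"total_count": len(_DEMO_ALERTS), "alerts": _DEMO_ALERTS}}
    if path.endswith("/xql/start_xql_query/"):
        qid = f"demo-{len(_DEMO_QUERIES)}"
        _DEMO_QUERIES[qid] = body["request_data"]["query"]
        return {"reply": qid}
    query = _DEMO_QUERIES[body["request_data"]["query_id"]]
    hits = 1 if "dataset = xdr_data" in query else 0   # only xdr_data is "fresh" in the demo
    return {"reply": {"status": "SUCCESS", "number_of_results": hits, "results": {"data": []}}}


if __name__ == "__main__":
    counts = alerts_by_source(post=demo_post)
    print("alerts by source:", dict(counts))
    print("missing sources:", missing_sources(counts))
    print("stale datasets:", stale_datasets(["xdr_data", "panw_ngfw_traffic_raw"], post=demo_post))
```

Swap `demo_post` for the default `http_post` to run against a real tenant, and extend `missing_sources` with every source you expect from Step 5 (for example the syslog sources behind the Broker VM); a source that never appears after the onboarding tests points at the policy or the integration, not at the analytics engine.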