Set up your Data Sources and Alert Sensors - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about setting up your data sources and alert sensors.

Before you can begin using Cortex XDR, you must set up your alert sensors. The more sensors that you integrate with Cortex XDR, the more context you have when a threat is detected.

You can also set up to raise Analytics alerts on network or endpoint data (or both) depending on your Cortex XDR Pro licenses.


Cortex XDR Pro per Endpoint agents without the XTH add-on can enable Analytics and Identity Analytics, however, due to the limits and filters applied to the data collected results will differ from agents with the XTH add-on. See the Cortex XDR Analytics Alert Reference guide for a complete list of supported sensors.

The following workflow highlights the tasks that you must perform (in order) to configure Cortex XDR.

  1. Integrate External Threat Intelligence Services.

    Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.

  2. After you activate Cortex XDR apps and services, wait 24 hours and then configure the Cortex XDR analytics.

    1. Specify the internal networks that you want Cortex XDR to monitor.Configure Your Network Parameters

    2. (Recommended) If you want to use Pathfinder to scan unmanaged endpoints, Activate Pathfinder.

    3. Enable Cortex XDR - Analytics.

      By default, Cortex XDR - Analytics is disabled. Activating Cortex XDR - Analytics enables the Cortex XDR analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.

      To create a baseline for enabling Analytics, Cortex XDR requires a minimum set of data; EDR or Network logs from at least 30 endpoints over a minimum of 2 weeks, or cloud audit logs over a minimum of 5 days. Once this requirement is met, Cortex XDR allows you to enable analytics and begin triggering alerts within a few hours.

      1. In Cortex XDR , select SettingsConfigurationsCortex XDR - Analytics.

        The Enable option will be grayed out if you do not have the required data set.

      2. When available, Enable Cortex XDR - Analytics. The analytics engine will immediately begin analyzing your data for anomalies.


        Creating a baseline can take up to 3 hours.

    4. Enable Identity Analytics.

      By default, Identity Analytics is disabled. Activating Identity Analytics enables the Cortex XDR analytics engine to aggregate and display throughout your investigation user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.

      To enable the Identity Analytics, you must first Activate the Cortex XDR Analytics and Set Up Cloud Identity Engine (Formally Directory Sync Services (DSS)).

      After configuring your Cloud Identity Engine instance and Cortex XDR Analytics, Enable Identity Analytics.

  3. Add an Alert Exclusion Rule.

  4. Manage Incident Starring.

  5. (Optional) Palo Alto Networks also automatically delivers behavioral indicators of compromise (BIOCs) rules defined by the Palo Alto Networks threat research team to all Cortex XDR tenants, but you can also import any additional indicators as rules, as needed.

    To alert on specific BIOCs, Create a BIOC Rule. To immediately alert on known malicious indicators of compromise (IOCs)—such as known malicious IP addresses—Create an IOC Rule or Create a Correlation Rule .