Before you can use Cortex XDR for advanced detection and response, you must activate the Cortex XDR app and set up related apps and services.
As part of your planning, ensure that you or the person activating your tenant has the appropriate role permissions.
Set up Cortex XDR.
Set up Palo Alto Networks Data Ingestion.
You can configure Cortex XDR to stream data from other Palo Alto Networks products directly to your tenant or via Cortex Data Lake. To stream data directly, you must first deploy your network devices and then set up your Palo Alto Networks integrations.
Cortex Data Lake licenses created as a part of existing Cortex XDR Licenses will remain intact until the end of your remaining contract.
(Optional) Configure a mail sender integration.
Cortex XDR provides a built-in mail sender integration. An email integration enables the server to send emails and can be used for system notifications and playbooks. However, if you want to use a different email sender, you can configure one during your initial setup.
(Optional) Set Up Cloud Identity Engine (formerly Directory Sync Services (DSS)).
Activate and Set Up a Cloud Identity Engine Instance.
Add the Cloud Identity Engine Instance to Cortex XDR.
Plan your Cortex XDR agent deployment.
Create Cortex XDR agent installation packages.
Define endpoint groups.
Deploy the Cortex XDR agent to your endpoints.
Configure your endpoint security policy.
Perform any remaining setup of your network sensors.
Configure the internal networks that you want Cortex XDR to monitor.
Verify that Cortex XDR is receiving alerts.
If you set up a Directory Sync Service instance, enable Cortex XDR to use it.
Set up your Data Sources and Alert Sensors.
(Optional) Integrate additional threat intelligence.
After 24 hours, enable Cortex XDR Analytics Analysis.
Configure Network Coverage.
(Recommended) Activate Pathfinder to interrogate endpoints that do not have the Cortex XDR agent installed.
Define alert exclusions.
Prioritize incidents based on attributes by creating an incident starring policy.
Import or configure rules for known BIOCs and IOCs, and create any applicable Correlation Rules.
(Optional) Manage External Dynamic Lists.
(Optional) Set up Outbound Integration.
Integrate with Slack.
Integrate with a Syslog Server.
Integrate with Cortex XDR.
(Optional) Set up Managed Security.