Server Settings - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Set up the Cortex Xpanse environment based on your preferences.

To create a more personalized user experience, Cortex Xpanse enables you to define your Server and Security Settings.

From the Cortex Xpanse management console, navigate to SettingsConfigurationsGeneralServer Settings to define the following:

Define Keyboard Shortcuts

Select the keyboard shortcut for the Cortex Xpanse capabilities.

  • In the Keyboard Shortcuts section, change the default keyboard settings for the following features:

    • Artifact and Asset Views

    The shortcut value must be a keyboard letter, A through Z, and cannot be the same for both shortcuts.

Define Timestamp Format

Select your timestamp format. This format affects the timestamps displayed in the Cortex Xpanse management console, auditing logs, and when exporting files.

  • In the Timestamp Format section, select the timestamp format in which you want to display your Cortex Xpanse data.


    The setting is configured per user and not per tenant.

Define Distribution List Emails

Define a list of email addresses Cortex Xpanse can use as distribution lists. The defined email addresses are used to send product maintenance, updates, and new version notifications. The email addresses are in addition to e-mails registered with your CSP account.

  • In the Email Contacts section, enter the email addresses you want to include in a distribution list. Make sure to select network-mapper-enter.png after each email address.

Define XQL Configuration Settings

The XQL Configuration settings control your XQL queries in the system. To make it easier for you to configure Case Sensitivity across Cortex Xpanse in one central area, you can configure case sensitivity (config_case_sensitive = true | false) is applied throughout the application.

  • In the XQL Configuration section, you can either leave the toggle set to Case Sensitivity (case_sensitive) to ensure field values are evaluated as case sensitive (config case_sensitive = true) throughout the entire application (default) or disable the toggle, so that field values are evaluated as case insensitive (config case_sensitive = false) throughout the application.

Define Incident Mean Time to Resolve (MTTR)

Define the target incident MTTR you want to be applied according to the incident severity.

  • In the Define the Incident target MTTR per incident severity section, enter within how many days and hours you want incidents resolved according to the incident severity Critical, High, Medium, and Low.

    The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.

Define the Impersonation Role

Define the type of role permissions granted to the Palo Alto Networks Support team when opening support tickets. By default, Palo Alto Networks Support is granted read-only access to your tenant.

  • In the Impersonation Settings section, define the level and duration of the permissions.

    • Select one of the following Role permissions:

      • Read-Only—Default setting, grants read-only access to your tenant.

      • Support related actions—Grants permission for editing exclusion rules.

      • Full role permissions—No limitations are applied, grants full permissions to all actions and content on your tenant.

    • Set the Permission Reset Timeframe.

      If you selected Support related actions or Full role permissions in the Role field, set a specific timeframe for how long these permissions are valid. Select either 7 Days, 30 Days, or No time limitation.

    We recommend that Role permissions are granted only for a specific timeframe, and full administrative permissions is granted only when specifically requested by the support team.