Cortex XSIAM onboarding checklist

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide
Abstract

Review the steps to deploy and onboard Cortex XSIAM.

Review the plan and prepare considerations, and then use the onboarding checklist to successfully deploy and onboard Cortex XSIAM.


Note

This checklist does not include any specific Cloud Security requirements. If you have a Cortex XSIAM Premium license or another XSIAM license with Cloud Posture Security/Runtime, you should also onboard Cloud Posture Security and Runtime during or after completing this stage. For more information about Cloud Security onboarding, see Cloud service provider (CSP) onboarding.

Deployment checklist

This phase sets up the infrastructure and data pipelines.

1. Activation and initial setup

✓ In the Cortex Gateway, activate Cortex XSIAM and confirm the license status.

✓ Enable access to the required Palo Alto Networks (PANW) resources and, if your organization requires customer-managed keys, set up encryption keys (BYOK).

✓ Assign the initial administrator role and the analyst-type roles (Responder, Investigator) to a limited number of users. Creating user groups and assigning roles to the groups rather than to individual users is recommended. You can expand and adjust these assignments later.

✓ Set up authentication through Customer Support Portal accounts or SAML single sign-on.

See more:

  • Activate Cortex XSIAM

  • Enable access to required PANW resources

  • Set up users, groups, and roles

  • Set up authentication

2. Configure content

Use the Data Sources Onboarding wizard to configure the following:

✓ Priority content:

  • Configure network security data, such as Palo Alto Networks Next-Generation Firewalls, and network devices.

  • Configure identity and user data. Install the Cloud Identity Engine (optional and highly recommended), which provides the necessary Active Directory or Microsoft Entra ID/Okta context (user names, group membership, computer names) to map a raw event (for example, an IP address) to a user or asset.

✓ Highly recommended content:

  • Connect cloud audit logs for the most critical providers, such as AWS CloudTrail, Azure Activity Logs, and Google Cloud Audit Logs, directly to Cortex XSIAM.

  • Configure or enable a key threat intelligence feed, such as the Unit 42 Intelligence feed, to enrich incoming issues. This ensures that as soon as a log or alert reaches the data lake, it carries the latest threat context (known-malicious indicators).

3. Deploy the XDR agent

✓ Install the XDR agent with a phased rollout: create XDR agent installation packages for a small, diverse pilot group of low-risk endpoints, deploy the agent to that group, and then extend to larger groups of endpoints that share similar attributes (hardware, software, and users). At the end of two weeks, you can have Cortex XSIAM deployed on up to 100 endpoints.

✓ After validating agent behavior and performance on the pilot group, review and select the default endpoint security profiles (Exploit, Malware, Restrictions, Agent Settings, Exceptions) so that endpoints are protected from threats immediately. Once the agents are running and reporting data, adjust these profiles and policies as needed.

✓ After deploying the agents to the pilot group, configure endpoint data collection and verify that endpoint data (logs, alerts, events) is flowing from the deployed agents to the XSIAM data lake.

This provides the granular event data (process execution, file activity, registry changes, network connections) that EDR/XDR detection and Behavioral Indicators of Compromise (BIOCs) depend on.

4. Enable Analytics and Identity Analytics

✓ Enable the Cortex XSIAM Analytics engine (if it is not already enabled).

The analytics engine accesses your logs as they are streamed to Cortex XSIAM, including firewall data, and analyzes them as soon as they arrive.

Note

The analytics engine needs a baseline before it can detect anomalies: EDR or network logs from at least 30 endpoints over a minimum of 2 weeks, or cloud audit logs over a minimum of 2 weeks.

✓ Enable Identity Analytics, which focuses on user behavior. This is critical because attackers primarily target credentials. It has two main functions:

  • User/Entity Behavior Analytics (UEBA): Profiles users, hosts, and groups based on identity data and flags anomalies such as a user logging in from a new country within an implausible time of a previous login (Impossible Traveler), accessing an unusual database, or transferring a file volume far outside their norm.

  • Investigation context: When an issue fires, Identity Analytics automatically aggregates the relevant user profile details, recent activities, and group membership and displays them with the user-based Analytics issue and the Analytics BIOC rule that raised it.

    Note

    The Cloud Identity Engine must be set up.
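To make the Impossible Traveler anomaly from the UEBA bullet concrete, the following is an added example, not Cortex XSIAM code and not part of the original page. It runs the check over constructed login events: consecutive logins by one user are compared in time order, and a pair is flagged when the great-circle distance between the two source locations could not have been covered at a plausible speed. The source-IP geolocation is assumed to have been resolved already (in XSIAM the user and asset context comes from the Cloud Identity Engine); the coordinates, users, IP addresses, timestamps, and the 900 km/h and 100 km thresholds are all assumptions chosen for the demonstration.

```python
"""Impossible-traveler check over constructed login events.

Added example, not Cortex XSIAM code. Geolocation of each source IP is assumed
to be already resolved; the users, IPs, coordinates and timestamps below are
constructed sample data, and both thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0           # assumed: ignore geolocation jitter inside one metro area


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    src_ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    first: Login
    second: Login
    distance_km: float
    required_speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: Iterable[Login],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                      min_distance_km: float = MIN_DISTANCE_KM) -> List[Finding]:
    """Flag consecutive logins by the same user that would require travel faster than max_speed_kmh.

    Pairs closer than min_distance_km are skipped so IP geolocation noise does not fire.
    """
    by_user: Dict[str, List[Login]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings: List[Finding] = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.when)
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Identical timestamps from distant places are the clearest case: treat as infinite speed.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append(Finding(user, prev, cur, dist, speed))
    return findings


def _ts(hhmm: str) -> datetime:
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2025, 7, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample data (not real logs). alice is in London and then "in Sydney"
# 85 minutes later; bob goes London -> Paris in 3 hours, which is plausible.
SAMPLE_LOGINS = [
    Login("alice", _ts("09:00"), "203.0.113.10", 51.5074, -0.1278),    # London
    Login("alice", _ts("09:05"), "203.0.113.11", 51.4800, -0.2000),    # still London (jitter, <100 km)
    Login("alice", _ts("10:30"), "198.51.100.7", -33.8688, 151.2093),  # Sydney
    Login("bob",   _ts("09:00"), "203.0.113.20", 51.5074, -0.1278),    # London
    Login("bob",   _ts("12:00"), "192.0.2.45",   48.8566, 2.3522),     # Paris
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f"{f.user}: {f.first.src_ip} -> {f.second.src_ip}, "
              f"{f.distance_km:.0f} km in {f.second.when - f.first.when}, "
              f"needs {f.required_speed_kmh:.0f} km/h")
```

Only alice is flagged: the 09:05 login a few kilometres from the 09:00 one is suppressed by the minimum-distance guard, and the jump from London to Sydney would need well over 10,000 km/h. The per-user baseline that XSIAM builds over the two-week period replaces the fixed thresholds used here.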

✓ Enable the Identity Threat Detection and Response (ITDR) add-on (optional), which extends the analytics baseline to cover the directory infrastructure. This enables the detection of advanced attacks targeting Domain Controllers and other identity components.

In addition, the ITDR module integrates proactive capabilities by using attack surface management to identify and expose identity-related security flaws and vulnerabilities before they can be exploited.

Your Cortex XSIAM is now operational and is collecting data.