Learn more about deployment considerations and onboarding steps.
This stage includes how to plan and prepare the Cortex XSIAM environment.
Note: This topic does not include any specific Cloud Security requirements. If you have a Cortex XSIAM Premium license or another XSIAM license with the Cloud Posture Security/Runtime add-ons, you should also plan and prepare Cloud Posture Security and Runtime during or after completing this stage. For more information about Cloud Security onboarding, see Cloud service provider onboarding.
Before you get started with Cortex XSIAM, consider the following:
| Action | Details |
|---|---|
| Determine the required log storage | ✓ Determine the amount of log storage you need for your Cortex XSIAM deployment. Discuss with your partner or sales representative whether to purchase additional storage within the Cortex XSIAM tenant. |
| Determine the deployment region | ✓ Determine the region in which you want to host Cortex XSIAM and any associated services, such as the Directory Sync Service. If you plan to stream data from a Strata Logging Service instance, it must be in the same region as Cortex XSIAM. |
| Review your license and add-ons | ✓ Review your Cortex XSIAM license and consider the add-ons for your use case, such as Advanced Email Security and Exposure Management, for complete security protection. |
| Plan the XDR Agent deployment | ✓ The XDR Agent is installed on endpoints for protection and extended detection and response (XDR). The data it collects is sent to the Cortex XSIAM tenant. Note: The XDR Agent is included with the Cortex XSIAM Premium and Enterprise licenses and with any other XSIAM license that has the Enterprise Runtime Security (XDR) add-on. For Cortex XSIAM Premium or XSIAM licenses with the Cloud Runtime Security add-on, the agent is also used to stop attacks running on workloads, including VMs, containers, Kubernetes, and serverless functions. Consider the following: ✓ Determine the bandwidth required to support the number of agents you plan to deploy. ✓ Verify the endpoint operating systems and identify third-party security products to ensure they are compatible with Cortex XSIAM. ✓ Create a proof of concept (POC) that simulates your corporate production environment. After the initial POC completes successfully, we recommend a phased rollout, which lets you test the agent and its policies on a small scale before deploying them widely. |
| Consider the data sources to use | ✓ Consider the data sources you want to ingest initially, such as Palo Alto Networks firewall and cloud logs, as they provide the most immediate security context and data for Cortex XSIAM's analytics. In Cortex XSIAM, content is organized into content packs, which are downloaded either from the Data Sources catalog or from Marketplace. Start planning what content you require. ✓ Review the steps you need to take in your day-to-day SOC operations and the third-party tools and applications they require. |
| Consider roles and permissions | ✓ Review and plan roles using Role-Based Access Control (RBAC) for your security operations team. Consider user groups, and start with the default roles. |