Learn how to activate Cortex XSIAM after it has been deployed for your network.
Cortex XSIAM tenants are activated, and their user permissions managed, through a standalone application known as the Gateway.
The Gateway allows you to:
Activate new tenants.
View and manage existing tenants and tenants available for activation that are allocated to your Customer Support Portal (CSP) account.
View and manage granular role-based access control (RBAC) settings.
Note
The sizing calculator is managed on the hub.
Activating a Cortex XSIAM tenant is a one-time task you’ll need to perform when you first start using Cortex XSIAM. After you’ve activated your Cortex XSIAM tenant—and completed all the steps described in the Setup Overview section—you’ll only need to repeat the activation if you want to add additional Cortex XSIAM tenants.
The following are prerequisites to activate Cortex XSIAM:
Locate the email that contains your activation information.
Ensure you have CSP Super User role permissions to your existing administrator accounts. This role cannot be removed or changed through the Gateway.
To activate your Cortex XSIAM tenant:
Navigate to the activation link you received in the email and sign in to begin activation in the Cortex Gateway.
Note
As the first user with CSP Super User permissions to access the Gateway, you are automatically granted Account Admin permissions to the Gateway. With these permissions, you are able to activate Cortex XSIAM tenants, create new roles, and assign permissions to users allocated to your tenant.
The Gateway displays tenants Available for Activation and Available Tenants.
In the Available for Activation section, you can view all the tenants allocated to your CSP account that are ready for activation. You can review the tenant details, such as license type, number of endpoints, Strata Logging Service, and purchase date.
The Available Tenants section lists tenants that have already been activated. If you have more than one CSP account, the tenants are displayed according to the CSP account name.
In the Available for Activation section, locate the tenant you want to activate according to the serial number and select Activate to launch the Tenant Activation wizard.
In Tenant Activation → Select Support Account, ensure the tenant you want to activate is allocated to the correct CSP account. You can expand Cortex XSIAM to view the tenants associated with the CSP account.
Note
If you manage multiple company CSP accounts, make sure you select the specific account to which you want to allocate the Cortex XSIAM tenant before proceeding with activation. Once activated, the tenant will be associated with the account, and cannot be moved.
Strata Logging Service licenses created as a part of existing Cortex XSIAM Licenses will remain intact until the end of your remaining contract.
In Tenant Activation → Define Tenant Settings, define the following tenant details.
Tenant Name—Give your Cortex XSIAM app instance an easily-recognizable name. Choose a name that has 59 or fewer characters and is unique across your company account.
Region—Select a region in which you want to set up your Cortex XSIAM instance. Setting up a new or existing Strata Logging Service instance can only be in the scope of the same region.
Tenant Subdomain—Give your Cortex XSIAM instance an easy-to-recognize name that is used to access the tenant directly using the full URL (https://<subdomain>.xdr.<region>.paloaltonetworks.com).
Note
This is a public FQDN, so be careful with sensitive information such as the company name.
Review and agree to the terms and conditions of the Privacy policy, Term of Use, and EULA.
Activate your tenant.
Activation can take up to an hour. Cortex XSIAM sends a notification to your email when the tenant has completed the activation process.
Select Back to main gateway and in the Available Tenants section, search for your tenant name. Hover over a tenant to display the Tenant Status and License Details. When the tenant displays an Active status, select the tenant name to confirm you can successfully access the Cortex XSIAM management console.
(Optional) You can choose to change your tenant subdomain or tenant name following activation.
Hover over the tenant you want to update and select the ellipsis. Choose either Change Tenant Subdomain or Change Tenant Name to open the corresponding dialog.
Continue to assign user roles and permissions.
All data stored by Cortex XSIAM is encrypted at rest using a dedicated key management system. Cortex XSIAM provides strict key access controls and auditing, and encrypts user data at rest according to AES-256 encryption standards. We recommend all our customers use this default system.
When creating new tenants, you can import your own encryption keys and use them to encrypt your Cortex XSIAM data at rest using the same key management systems used by Cortex XSIAM by default.
To bring your own keys (BYOK), you must generate a key and encrypt it twice using two separate wrapping keys provided to you by Cortex XSIAM to create two wrapped keys. A wrapping key is used to encrypt another key to store it or transmit it securely over an insecure channel.
Note
You can only bring your own keys when creating new tenants.
To activate your Cortex XSIAM tenant using your own keys:
Create a Technical Case with the following specifications:
Select your product under AI-Driven Security Operations Platform as Cortex XSIAM.
Confirm the Issue Category as Server (Cloud).
Select Provide Additional Information.
Under Custom Technology Analysis, for Problem Concentration, select Activation.
You will receive a notification about when you can continue with the tenant activation.
After you receive the notification, navigate to the activation link you received in the email and sign in to begin activation in the Cortex Gateway.
Note
As the first user with CSP Super User permissions to access the Gateway, you are automatically granted Account Admin permissions to the Gateway. With these permissions, you are able to activate Cortex XSIAM tenants, create new roles, and assign permissions to users allocated to your tenant.
The Gateway displays tenants Available for Activation and Available Tenants.
In the Available for Activation section, you can view all the tenants allocated to your CSP account that are ready for activation. You can review the tenant details, such as license type, number of endpoints, Strata Logging Service, and purchase date.
The Available Tenants section lists tenants that have already been activated. If you have more than one CSP account, the tenants are displayed according to the CSP account name.
In the Available for Activation section, locate the tenant you want to activate according to the serial number and select Activate to launch the Tenant Activation wizard.
In Tenant Activation → Select Support Account, ensure the tenant you want to activate is allocated to the correct CSP account. You can expand Cortex XSIAM to view the tenants associated with the CSP account.
Note
If you manage multiple company CSP accounts, make sure you select the specific account to which you want to allocate the Cortex XSIAM tenant before proceeding with activation. Once activated, the tenant will be associated with the account, and cannot be moved.
Strata Logging Service licenses created as a part of existing Cortex XSIAM Licenses will remain intact until the end of your remaining contract.
In Tenant Activation → Define Tenant Settings, define the following tenant details.
Tenant Name—Give your Cortex XSIAM app instance an easily-recognizable name. Choose a name that has 59 or fewer characters and is unique across your company account.
Region—Select a region in which you want to set up your Cortex XSIAM instance. Setting up a new or existing Strata Logging Service instance can only be in the scope of the same region.
Tenant Subdomain—Give your Cortex XSIAM instance an easy-to-recognize name that is used to access the tenant directly using the full URL (https://<subdomain>.xdr.<region>.paloaltonetworks.com).
Note
This is a public FQDN, so be careful with sensitive information such as the company name.
Make sure Enable Palo Alto Networks managed data encryption keys is selected.
Review and agree to the terms and conditions of the Privacy policy, Term of Use, and EULA.
Activate your tenant.
Activation can take up to an hour. Cortex XSIAM sends a notification to your email when the tenant has completed the activation process.
(Optional) You can choose to change your tenant subdomain or tenant name following activation.
Hover over the tenant you want to update and select the ellipsis. Choose either Change Tenant Subdomain or Change Tenant Name to open the corresponding dialog.
After the activation, add the updated tenant details to the support ticket. To get your tenant details, click your user name in the navigation menu on the bottom left, and under About, select Copy to clipboard.
You will receive two wrapping keys which are valid for up to three days. After three days, you need to request new wrapping keys.
Generate a 32-byte encryption key in an OpenSSL editor with the following command. You can do this manually or using your key management tool.
openssl rand -out <FILENAME> 32
This is the key that will be used for all encryption and decryption operations of your data. The key must be 32 bytes, in binary format, and not encoded.
Using the first wrapping key you received, wrap the key you generated in step 10. For wrapping the keys, use the following commands in an OpenSSL editor with the CKM_RSA_AES_KEY_WRAP scheme. For more information about key wrapping, see the Google Cloud Key Management documentation.
openssl pkeyutl \
  -encrypt \
  -pubin \
  -inkey <WRAPPING_KEY_FULL_PATH> \
  -in <YOUR_32_BYTE_KEY_FULL_PATH> \
  -out <TARGET_WRAPPED_KEY_FULL_PATH> \
  -pkeyopt rsa_padding_mode:oaep \
  -pkeyopt rsa_oaep_md:sha256 \
  -pkeyopt rsa_mgf1_md:sha256
Using the second wrapping key you received, wrap the key you generated in step 10, as above. You now have two wrapped keys.
Send the two wrapped keys to Cortex Support within 24 hours from when you received the wrapping keys.
The Cortex XSIAM team creates your tenant using your shared keys to encrypt all your tenant data and notifies you when the tenant is ready.
Continue to assign user roles and permissions.
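An added example, not part of the original page or of Palo Alto Networks' tooling: a shell rehearsal of the key generation and wrapping steps above that checks the key is exactly 32 bytes, wraps it with the page's OAEP options, and confirms each wrapped key unwraps to the original. The function names, the PEM format of the wrapping keys, and the locally generated RSA-2048 stand-in key pairs are assumptions.

```shell
#!/bin/sh
# Added example: rehearse the BYOK wrap steps with constructed stand-in keys.
set -eu
umask 077   # key material readable by the owner only

# Generate the 32-byte raw data key (binary, not encoded).
gen_data_key() {   # $1 = output file
    openssl rand -out "$1" 32
}

# Modulus size in bytes of an RSA public key (PEM format is an assumption).
rsa_bytes() {      # $1 = public key file
    bits=$(openssl pkey -pubin -in "$1" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    echo $((bits / 8))
}

# Wrap with the page's RSA-OAEP/SHA-256 options; reject bad input and output.
wrap_key() {       # $1 = wrapping public key, $2 = raw key, $3 = output file
    [ "$(wc -c < "$2")" -eq 32 ] || { echo "key is not 32 bytes" >&2; return 1; }
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256
    [ "$(wc -c < "$3")" -eq "$(rsa_bytes "$1")" ] ||
        { echo "unexpected wrapped key size" >&2; return 1; }
}

# Dry run: two constructed RSA key pairs stand in for the wrapping keys.
# Prints "ok" when both wrapped keys unwrap to the original data key.
rehearse() {
    d=$(mktemp -d)
    gen_data_key "$d/data.key"
    for n in 1 2; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/priv$n.pem" 2>/dev/null
        openssl pkey -in "$d/priv$n.pem" -pubout -out "$d/pub$n.pem"
        wrap_key "$d/pub$n.pem" "$d/data.key" "$d/wrapped$n.bin"
        openssl pkeyutl -decrypt -inkey "$d/priv$n.pem" -in "$d/wrapped$n.bin" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
            -pkeyopt rsa_mgf1_md:sha256 | cmp -s - "$d/data.key" ||
            { rm -rf "$d"; echo "mismatch"; return 1; }
    done
    rm -rf "$d"
    echo "ok"
}
```

For the real submission, call wrap_key once per wrapping key you received. The round-trip check is only possible in the rehearsal, because you do not hold the private halves of the real wrapping keys.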