Set up Endpoint Protection - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Learn more about deploying the Cortex XDR agent on the endpoint to enable its protection.

The Cortex XDR agent monitors endpoint activity and collects endpoint data that Cortex XSIAM uses to raise alerts. Before you can begin collecting endpoint data, you must deploy the XDR agent and configure the endpoint policy.

Review Where can I install the Cortex XDR agent for supported versions and operating systems.

To use endpoint management functions in Cortex XSIAM you must be assigned an administrative role in the hub.

  1. Verify the status of your Cortex XSIAM tenant.

    1. From the hub, click the gear icon next to your name.

    2. In the area, review the STATUS for the tenant you just activated.

      When the Cortex XSIAM tenant is available, the status changes to a green check mark.

  2. Plan Your Deployment.

  3. Set up Access Services.

  4. (Optional) Set up Broker VM communication.

  5. Install the Cortex XSIAM agent on your endpoints.

    Install the agent software directly on an endpoint or use a software deployment tool of your choice (such as JAMF or GPO) to distribute and install the software on multiple endpoints.

    1. Create an Agent Installation Package.

    2. Install the Cortex XSIAM agent.

      For instructions by operating system, see the Cortex XDR Agent Administrator's Guide, or the Traps Agent Administrator's Guide if you use an earlier version.

  6. Define Endpoint Groups to which you can apply endpoint security policy.

  7. Customize your Endpoint Security Profiles and assign them to your endpoints.

    Cortex XSIAM provides out-of-the-box exploit and malware protection. However, at minimum, you must enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XSIAM apps. Data collection for Windows endpoints is available with Traps 6.0 and later releases on endpoints running Windows 7 SP1 and later releases. Data collection on macOS and Linux endpoints is available with Traps 6.1 and later releases.

  8. (Optional) Configure Device Control profiles to restrict file execution on USB-connected devices.

  9. Verify that the Cortex XSIAM agent can connect to your Cortex XSIAM instance.

    If successful, Cortex XSIAM displays a Connected status. In your Cortex XSIAM console, navigate to Endpoints > All Endpoints to view the status of all your agents.

  10. Configure the internal networks that you want Cortex XSIAM to monitor.

    1. From the Cortex XSIAM management console, navigate to Assets > Network Configuration > IP Address Ranges.

    2. Define your IP Address Ranges.

      This page provides a table of the IP address ranges Cortex XSIAM Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.

    3. Define your Domain Names.

  11. If you have a Cortex XDR Pro per GB license, proceed to Set up Network Analysis. Otherwise, proceed to Set up your Data Sources and Alert Sensors.