Set up Network Analysis - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about setting up your network sensors and defining network coverage for your internal networks.

With a Cortex XSIAM license, you must set up your network sensors and define network coverage for your internal networks.

  1. Set up your network sensors.

    1. If you use unmanaged Palo Alto Networks firewalls and did not configure log-forwarding on your firewalls before activating Cortex XSIAM, start sending logs to Cortex XSIAM.

    2. (Optional) Set up External Data Ingestion.

      If you have external (non-Palo Alto Networks) network sensors, you can set up a Syslog collector to receive alerts or logs from them. If you send external alerts, Cortex XSIAM can include any of them in relevant incidents for a more complete picture of the activity involved. If you send logs and alerts from external sources such as Check Point firewalls, Cortex XSIAM can apply analytics analysis and raise analytics alerts on the external logs and include the external alerts in incidents for additional context.

    3. (Optional) If you use a third-party authentication service, you can Ingest Authentication Logs and Data into authentication stories. After you set up log collection, you can search for authentication data using the Query Builder.

    4. (Optional) If you want to use Pathfinder to examine unmanaged network hosts, servers, and workstations for malicious or risky software, Activate Pathfinder.

  2. Configure the internal networks that you want Cortex XSIAM to monitor.

    1. From the Cortex XSIAM management console, navigate to AssetsNetwork Configuration.

    2. Define your IP Address Ranges.

      This page provides a table of the IP address ranges Cortex XSIAM Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.

    3. Define your Domain Names.

  3. If you use GlobalProtect or Prisma Access, add the GlobalProtect VPN IP address pool for the VPN traffic that you want to monitor.

    1. To enable the Cortex XSIAM app to analyze your VPN traffic, add (+) a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.

    2. Identify this network segment as Reserved for VPN. GlobalProtect dynamically assigns IP addresses from the IP pool to the mobile endpoints that connect to your network. The Cortex XSIAM analytics engine creates virtual entity profiles for network segments that are reserved for VPN.

    3. Save (save-icon.png) the network segment. If the Configuration saved notification does not appear, save again.

  4. If you selected a Cloud Identity Engine (Directory Sync instance) during the Cortex XSIAM activation process, Set Up Cloud Identity Engine.