Set up Your Environment - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2023-10-30
Last date published
2024-03-28
Category
Administrator Guide
Abstract

Learn more about setting up the Cortex XSIAM environment based on your preferences.

To create a more personalized user experience, Cortex XSIAM enables you to define your Server and Security Settings.

From the Cortex XSIAM management console, navigate to Settings → Configurations → General → Server Settings to define the following:

Define Keyboard Shortcuts
Abstract

Learn more about defining keyboard shortcuts.

Select the keyboard shortcut for the Cortex XSIAM capabilities.

  • In the Keyboard Shortcuts section, change the default settings for:

    • Artifact and Asset Views

    • Quick Launcher

    The shortcut value must be a keyboard letter, A through Z, and cannot be the same for both shortcuts.

Select Timezone
Abstract

Learn more about configuring a specific timezone.

Select your own specific timezone. Selecting a timezone affects the timestamps displayed in the Cortex XSIAM management console, auditing logs, and when exporting files.

  • In the Timezone section, select the timezone in which you want to display your Cortex XSIAM data.

Define Timestamp Format
Abstract

Learn more about setting the timestamp format displayed in the management console, audit logs, and when exporting files.

Select your timestamp format. Selecting a timestamp format affects the timestamps displayed in the Cortex XSIAM management console, auditing logs, and when exporting files.

  • In the Timestamp Format section, select the timestamp format in which you want to display your Cortex XSIAM data.

    Note

    The setting is configured per user and not per tenant.

Define Scoped Server Access
Abstract

Learn more about defining scoped server access.

Select Disabled or Enabled. When Enabled, access restrictions are enforced only for users with an assigned scope. A user can inherit scope permissions from a group, or have a scope assigned directly in addition to the role assigned from the group.

If enabled, you must also select the SBAC Mode type, which is defined per tenant.

  • Permissive—A user with at least one scope tag that matches a tag on the relevant entity can access that entity.

  • Restrictive—A user must have all of the scope tags assigned to the relevant entity in order to access it.

Note

From version 3.5, if SBAC was enabled for any users before the upgrade, this setting will be enabled by default.
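The two SBAC modes as an access decision, written here as an added illustration (not Cortex XSIAM code); the users, groups and entity tags are constructed, and the rule that users without an assigned scope are unrestricted follows the text above:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    direct_scope: frozenset = frozenset()   # scope tags assigned directly to the user
    group_scopes: tuple = ()                # scope tag sets inherited from the user's groups

    def effective_scope(self) -> frozenset:
        """Direct scope plus every scope inherited from a group."""
        scope = set(self.direct_scope)
        for group_scope in self.group_scopes:
            scope |= set(group_scope)
        return frozenset(scope)

def can_access(user: User, entity_tags, sbac_mode: str) -> bool:
    """Decide whether `user` may access an entity carrying `entity_tags`.

    sbac_mode is the tenant-wide setting, "permissive" or "restrictive".
    A user with no assigned scope is not subject to any restriction.
    """
    scope = user.effective_scope()
    if not scope:
        return True
    entity = frozenset(entity_tags)
    if sbac_mode == "permissive":
        return bool(scope & entity)        # at least one shared tag
    if sbac_mode == "restrictive":
        return entity <= scope             # every entity tag is in the user's scope
    raise ValueError(f"unknown SBAC mode: {sbac_mode}")

def sbac_example() -> dict:
    """Constructed users and tags: returns (alice, bob) decisions for each mode."""
    alice = User("alice", direct_scope=frozenset({"emea"}), group_scopes=(frozenset({"soc"}),))
    bob = User("bob")                                 # no scope assigned: unrestricted
    incident_tags = {"emea", "soc", "pci"}            # constructed entity tags
    return {mode: (can_access(alice, incident_tags, mode), can_access(bob, incident_tags, mode))
            for mode in ("permissive", "restrictive")}
```

Alice (scope emea + soc) can open the emea/soc/pci incident in Permissive mode but not in Restrictive mode, while Bob, who has no scope, is never restricted.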

Define Distribution List Emails
Abstract

Learn more about defining a list of email addresses as distribution lists for Cortex XSIAM.

Define a list of email addresses Cortex XSIAM can use as distribution lists. The defined email addresses are used to send product maintenance, updates, and new version notifications. The email addresses are in addition to e-mails registered with your CSP account.

  • In the Email Contacts section, enter the email addresses you want to include in a distribution list. Make sure to select the enter icon after each email address you enter.

Define Data Ingestion Monitoring
Abstract

Learn more about the Data Ingestion Monitoring settings under Server Settings.

Define settings for monitoring data ingestion health.

To ensure complete and uninterrupted data ingestion, Cortex XSIAM collects granular data ingestion metrics that provide an insight into the data ingestion pipeline, and uses these metrics to identify disruptions in data collection. In addition, XSIAM monitors the status of collector integrations to ensure that collectors are connected and sending data.

When data ingestion monitoring is enabled, Cortex XSIAM creates the following types of alert:

  • Ingestion alerts, which are based on the data ingestion metrics and indicate disruptions in data collection.

  • Collection alerts, which are based on error statuses in collection integrations and indicate that a collector is not connected.

You can select Display notifications, to receive UI notifications for these alerts. The notifications include links to the Data Ingestion Health page, filtered for the specific alerts. You can also view alerts from Settings → Data Ingestion Health.

To ensure you and your colleagues stay informed about disruptions in data collection, you can also Configure Notification Forwarding to forward your data ingestion and collection alerts to an email distribution list, Syslog server, or Slack channel.

If you disable data ingestion monitoring, Cortex XSIAM continues to collect metrics, but alerts are not created.

You can also use data ingestion health metrics in Cortex Query Language queries and to create correlation rules with your own data ingestion logic. For more information, see Monitoring Data Ingestion Health.

Define XQL Configuration Settings
Abstract

Learn more about defining Cortex Query Language (XQL) configuration settings, which control your XQL queries.

The XQL Configuration settings control your Cortex Query Language (XQL) queries in the system. So that case sensitivity can be configured for all of Cortex XSIAM in one central place, the setting you choose here (config case_sensitive = true | false) is applied throughout the application. By default, this setting is false and field values are evaluated as case insensitive. This setting overrides any other default configuration except for BIOCs, which remain case insensitive regardless of this configuration.

Define Incident Mean Time to Resolve (MTTR)
Abstract

Learn more about defining the target incident Mean Time to Resolve (MTTR) applied according to the incident severity.

Define the target incident MTTR you want to be applied according to the incident severity.

  • In the Define the Incident target MTTR per incident severity section, enter the number of days and hours within which you want incidents resolved, for each incident severity: Critical, High, Medium, and Low.

    The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.

Define the Impersonation Role
Abstract

Learn more about the type of role permissions granted to the Palo Alto Networks Support team when opening support tickets.

Define the type of role permissions granted to the Palo Alto Networks Support team when opening support tickets. By default, Palo Alto Networks Support is granted read-only access to your tenant.

  • In the Impersonation Settings section, define the level and duration of the permissions.

    • Select one of the following Role permissions:

      • Read-Only—Default setting, grants read-only access to your tenant.

      • Support related actions—Grants permissions to tech support file collection, dump file collection, investigation query, Correlation Rule, BIOC and IOC rule editing, alert starring, exclusion, and exception editing.

      • Full role permissions—No limitations are applied, grants full permissions to all actions and content on your tenant.

    • Set the Permission Reset Timeframe.

      If you selected Support related actions or Full role permissions in the Role field, set a specific timeframe for how long these permissions are valid. Select either 7 Days, 30 Days, or No time limitation.

    We recommend that Role permissions are granted only for a specific timeframe, and that full administrative permissions are granted only when specifically requested by the support team.

Set up Session Security Settings
Abstract

Learn more about setting up session security settings.

The session security settings include:

  • Session Expiration—Enables you to define the number of hours after which the user login session will expire, and automatic logout for user inactivity. You can also define expiration time for the Cortex XSIAM dashboard.

  • Allowed Sessions—Enables you to define approved domains and approved IP address ranges through which access to Cortex XSIAM should be allowed.

    To ensure tenant stability, some of Palo Alto Networks' monitoring tools require external IP address access. When Approved IP ranges are Enabled, access for Palo Alto Networks managed monitoring tools is allowed by default.

  • User Expiration—Enables you to deactivate an inactive user, and also set the user deactivation trigger period.

  • Approved Domains—Enables you to specify one or more domain names that can be used in your distribution lists.

  • Approved IP Ranges—If enabled, specify the IP address ranges from which you want to allow user access (login) to Cortex XSIAM. You can also choose to limit API access from specific IP addresses.

  1. From the Cortex XSIAM management console, select Settings → Configurations → Security Settings.

  2. Under Session Expiration, define the following:

    1. User Login Expiration—Select the number of session hours (1 - 24 hours) after which the user login should expire.

    2. Enable Auto Logout—If desired, enable automatic logout, and then select the required period of user inactivity (10 - 30 minutes).

    3. Dashboard Expiration—Select either 7 Days or As user login expiration (hours) to define the timing of the dashboard expiration.

  3. Under Allowed Sessions, define the following:

    1. Approved Domains—Select Enabled or Disabled. If enabled, specify the domains from which you want to allow user access to Cortex XSIAM. You can add or remove domains as necessary.

    2. Approved IP Ranges—Select Enabled or Disabled. If enabled, specify the IP ranges from which you want to allow user access to Cortex XSIAM. You can add or remove IP CIDR addresses as necessary.

  4. Under User Expiration, define whether you want to Deactivate Inactive User. By default, user expiration is Disabled. When Enabled, enter the number of days after which inactive users should be deactivated.

  5. Under Approved Domains, specify one or more domain names that users in your organization can use. For example, this ensures that generated reports are not sent to email addresses outside your organization.

  6. Under Approved IP Ranges, specify one or more IP address ranges that can be used to access Palo Alto Networks managed monitoring tools. You can also select whether to limit API access to specific IP addresses.

  7. Save.
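How the session settings defined above combine at login and during a session, as an added example (not Cortex XSIAM code; the console enforces these server-side): the settings object mirrors the console ranges, and the IP ranges, timestamps and thresholds are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class SessionSecuritySettings:
    login_expiration_hours: int = 8               # User Login Expiration: 1 - 24 hours
    auto_logout_minutes: Optional[int] = 15       # Enable Auto Logout: 10 - 30 minutes, None = off
    approved_ip_ranges: tuple = ()                # Approved IP Ranges: CIDRs, empty = Disabled
    deactivate_inactive_days: Optional[int] = 90  # User Expiration: days, None = Disabled

    def __post_init__(self):
        if not 1 <= self.login_expiration_hours <= 24:
            raise ValueError("User Login Expiration must be 1 - 24 hours")
        if self.auto_logout_minutes is not None and not 10 <= self.auto_logout_minutes <= 30:
            raise ValueError("Auto Logout inactivity must be 10 - 30 minutes")
        self.networks = [ipaddress.ip_network(c, strict=False) for c in self.approved_ip_ranges]

def login_allowed_from(settings: SessionSecuritySettings, source_ip: str) -> bool:
    """Approved IP Ranges check; with the feature Disabled every source address is allowed."""
    if not settings.networks:
        return True
    return any(ipaddress.ip_address(source_ip) in net for net in settings.networks)

def session_state(settings, login_at: datetime, last_activity_at: datetime, now: datetime) -> str:
    """'expired' once the login lifetime is reached, 'auto-logout' on inactivity, else 'active'."""
    if now - login_at >= timedelta(hours=settings.login_expiration_hours):
        return "expired"
    if settings.auto_logout_minutes is not None and now - last_activity_at >= timedelta(minutes=settings.auto_logout_minutes):
        return "auto-logout"
    return "active"

def should_deactivate_user(settings, last_login_at: datetime, now: datetime) -> bool:
    """User Expiration: flag accounts idle for at least the configured number of days."""
    if settings.deactivate_inactive_days is None:
        return False
    return now - last_login_at >= timedelta(days=settings.deactivate_inactive_days)

def session_example() -> dict:
    """Evaluate a constructed login timeline against constructed settings; returns the decisions."""
    s = SessionSecuritySettings(approved_ip_ranges=("203.0.113.0/24",))   # constructed values
    t0 = datetime(2024, 3, 28, 9, 0)                                         # constructed login time
    return {
        "ip_inside": login_allowed_from(s, "203.0.113.7"),
        "ip_outside": login_allowed_from(s, "198.51.100.9"),
        "idle_20m": session_state(s, t0, t0 + timedelta(hours=2), t0 + timedelta(hours=2, minutes=20)),
        "after_9h": session_state(s, t0, t0 + timedelta(hours=8, minutes=50), t0 + timedelta(hours=9)),
        "idle_120d": should_deactivate_user(s, t0 - timedelta(days=120), t0),
    }
```

Note that the login-lifetime check runs before the inactivity check, so a session that is still in use is logged out once it reaches the User Login Expiration.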

Define Password Protection for Download Files
Abstract

Learn more about applying password protection to retrieve files downloaded from an endpoint via an incident investigation.

Enables you to apply password protection to files retrieved from an endpoint during an incident investigation. Password protection prevents users from inadvertently executing malicious files.

Note

Administrator permissions required.

When enabled, a password is required to open the retrieved file. The password is "suspicious".

The password protection is supported for:

  • Download files from a Live Terminal Session

  • Download files from alerts