Set up Your Environment - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Learn more about setting up the Cortex XSIAM environment based on your preferences.

To create a more personalized user experience, Cortex XSIAM enables you to define your Server and Security Settings.


Keyboard shortcuts, timezone, and timestamp format are not set universally and only apply to the user who sets them.

From the Cortex XSIAM management console, navigate to Settings → Configurations → General → Server Settings to define the following:

Server Setting


Keyboard Shortcuts

Enables you to change the default shortcut settings. The shortcut value must be a keyboard letter, A through Z, and cannot be the same for both shortcuts.


Timezone

Select a specific timezone. The timezone affects the timestamps displayed in Cortex XSIAM, auditing logs, and when exporting files.

Timestamp Format

The format in which to display Cortex XSIAM data. The format affects the timestamps displayed in Cortex XSIAM, auditing logs, and when exporting files.

This setting is configured per user and not per tenant.

Email Contacts

A list of email addresses that Cortex XSIAM can use as distribution lists. The defined email addresses are used to send product maintenance, updates, and new version notifications. These addresses are in addition to email addresses registered with your Customer Support Portal account.

Password Protection (for downloaded files)

Enable password protection to prevent executing malicious files that were downloaded from an endpoint during incident investigation.

Administrator permissions required.

Google Maps Key

Enter the Google Maps API key to display the physical location of an entity on a Google map.

Scoped Server Access

Enforces access restrictions on users with an assigned scope. A user can inherit scope permissions from a group, or have a scope assigned directly on top of the role assigned from the group.

If enabled, you must select the SBAC Mode, which is defined per tenant:

  • Permissive: Enables users with at least one scope tag to access the relevant entity with that same tag.

  • Restrictive: Users must have all the scoped tags that are tagged within the relevant entity of the system.
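The difference between the two modes matters most when switching a tenant from Permissive to Restrictive. The following added example (not Palo Alto Networks code) models both rules as described above and lists which user and entity pairs would lose access on the switch. The tag names, users, and entities are constructed, and the handling of untagged entities is an assumption.

```python
# Model of the two SBAC modes as described above (constructed data, not product code).

def can_access(user_tags, entity_tags, mode):
    """Return True if a scoped user may access an entity under the given SBAC mode."""
    user_tags, entity_tags = set(user_tags), set(entity_tags)
    if mode == "permissive":
        # At least one of the user's scope tags is also on the entity.
        return bool(user_tags & entity_tags)
    if mode == "restrictive":
        # The user must hold every tag that is on the entity.
        # Assumption: an entity with no tags is not matched by any scope.
        return bool(entity_tags) and entity_tags <= user_tags
    raise ValueError(f"unknown SBAC mode: {mode!r}")


def access_lost_on_switch(users, entities):
    """Pairs (user, entity) allowed in Permissive mode but denied in Restrictive mode."""
    lost = []
    for user, utags in sorted(users.items()):
        for entity, etags in sorted(entities.items()):
            if can_access(utags, etags, "permissive") and not can_access(
                utags, etags, "restrictive"
            ):
                lost.append((user, entity))
    return lost


# Constructed sample data: scope tags per user and tags per entity.
USERS = {
    "analyst_emea": {"region:emea"},
    "analyst_pci": {"region:emea", "env:pci"},
}
ENTITIES = {
    "endpoint-01": {"region:emea"},
    "endpoint-02": {"region:emea", "env:pci"},
    "endpoint-03": {"region:apac"},
}

if __name__ == "__main__":
    for user, entity in access_lost_on_switch(USERS, ENTITIES):
        print(f"{user} loses access to {entity} in Restrictive mode")
```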

Data Ingestion Monitoring (Beta)

Data ingestion health monitors the availability and overall health of data collection and provides notifications and alerts.

When data ingestion monitoring is enabled, Cortex XSIAM creates the following types of alerts:

  • Ingestion alerts: Based on the data ingestion metrics and indicate disruptions in data collection

  • Collection alerts: Based on error statuses in collection integrations and indicate that a collector is not connected

If you disable data ingestion monitoring, Cortex XSIAM continues to collect metrics, but alerts are not created.

Related information
  • Configure notification forwarding to forward your data ingestion and collection alerts to an email distribution list, syslog receiver, or Slack channel. For more information, see Configure Notification Forwarding.

  • Use data ingestion health metrics in Cortex Query Language queries, and to create correlation rules with your own data ingestion logic. For more information, see Monitoring Data Ingestion Health.

XQL Configuration

Enables setting case sensitivity across Cortex XSIAM.

By default, this setting is set to false and field values are evaluated as case insensitive. This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.

Define the incidents target MTTR per incident severity

Determines within how many days and hours you want incidents resolved, according to the incident severity: Critical, High, Medium, and Low.

The defined MTTR is used to display the Resolved Incident MTTR dashboard widgets.

Impersonation Role

The type of role permissions granted to the Palo Alto Networks Support team when opening support tickets. We recommend that role permissions are granted only for a specific time frame, and full administrative permissions are granted only when specifically requested by the Support team.

Role permissions include:

  • Read-only: Default setting; grants read-only access to your tenant.

  • Support-related actions: Grants permissions to tech support file collection, dump file collection, investigation query, correlation rule, BIOC and IOC rule editing, alert starring, exclusion, and exception editing

  • Full role permissions: No limitations are applied; grants full permissions to all actions and content on your tenant

Permission Reset Timeframe: Determines how long role permissions are valid.

Prisma Cloud Compute Tenant Pairing


Requires a Cortex XSIAM or Cortex XDR Pro license

To enable the capabilities of the Cloud Security Agent, the Prisma Cloud Compute tenant must be paired with an existing Cortex XSIAM tenant. Pairing is one-to-one, with the two tenants being in the same region.

For more information, see Pairing Prisma Cloud Compute with Cortex XSIAM.

Custom Content

  • Export all custom content: Exports custom content, such as playbooks and scripts as a content bundle, which you can import to another Cortex XSIAM tenant.

  • Upload custom content: Imports custom content created from another Cortex XSIAM tenant.


Create timer fields that display in the alerts table and alert layouts. For more information, see Configure timer fields.

Set up Session Security Settings

Learn more about setting up session security settings.

The session security settings include:

  • Session Expiration—Enables you to define the number of hours after which the user login session will expire, and automatic logout for user inactivity. You can also define expiration time for the Cortex XSIAM dashboard.

  • Allowed Sessions—Enables you to define approved domains and approved IP address ranges through which access to Cortex XSIAM should be allowed.

    To ensure tenant stability, some of Palo Alto Networks' monitoring tools require external IP address access. When Approved IP ranges are Enabled, access to Palo Alto managed monitoring tools is allowed by default.

  • User Expiration—Enables you to deactivate an inactive user, and also set the user deactivation trigger period.

  • Approved Domains—Enables you to specify one or more domain names that can be used in your distribution lists.

  • Approved IP Ranges—If enabled, specify the IP address ranges from which you want to allow user access (login) to Cortex XSIAM. You can also choose to limit API access from specific IP addresses.

  1. From the Cortex XSIAM management console, select Settings → Configurations → Security Settings.

  2. Under Session Expiration, define the following:

    1. User Login Expiration—Select the number of session hours (1 - 24 hours) after which the user login should expire.

    2. Enable Auto Logout—If desired, enable automatic logout, and then select the required period of user inactivity (10 - 30 minutes).

    3. Dashboard Expiration—Select either 7 Days or As user login expiration (hours) to define the timing of the dashboard expiration.

  3. Under Allowed Sessions, define the following:

    1. Approved Domains—Select Enabled or Disabled. If enabled, specify the domains from which you want to allow the user access to Cortex XSIAM. You can add or remove domains as necessary.

    2. Approved IP Ranges—Select Enabled or Disabled. If enabled, specify the IP ranges from which you want to allow the user access to Cortex XSIAM. You can add or remove IP CIDR addresses as necessary.

  4. Under User Expiration, define if you want to Deactivate Inactive User. By default, user expiration is Disabled. When Enabled, enter the number of days after which inactive users should be deactivated.

  5. Under Approved Domains, specify one or more domain names that users in your organization can use. For example, when generating a report, ensure the reports are not sent to email addresses outside your organization.

  6. Under Approved IP Ranges, specify one or more IP address ranges that can be used to access Palo Alto Networks managed monitoring tools. You can also select whether to limit API access to specific IP addresses.

  7. Save.
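Enabling Approved IP Ranges with a wrong or incomplete list can lock administrators out of the console, so it is worth checking the planned values before saving. The following added example (not part of the product or its API) checks a planned change against the limits given in the procedure above and confirms that each administrator source address falls inside an approved range. The dictionary keys, the /16 breadth threshold, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Limits stated in the procedure above.
LOGIN_HOURS = range(1, 25)       # User Login Expiration: 1 - 24 hours
AUTO_LOGOUT_MIN = range(10, 31)  # Enable Auto Logout: 10 - 30 minutes
MIN_PREFIX_V4 = 16               # Assumption: local policy flags IPv4 ranges broader than /16

def review_session_plan(plan, admin_ips):
    """Return findings for a planned Security Settings change (empty list = clean)."""
    findings = []
    if plan["login_hours"] not in LOGIN_HOURS:
        findings.append("login_hours outside 1-24")
    logout = plan.get("auto_logout_minutes")  # None means auto logout stays disabled
    if logout is not None and logout not in AUTO_LOGOUT_MIN:
        findings.append("auto_logout_minutes outside 10-30")

    networks = []
    for cidr in plan.get("approved_ip_ranges", []):
        try:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.7/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"invalid CIDR: {cidr}")
            continue
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            findings.append(f"overly broad range: {cidr}")
        networks.append(net)

    # Lockout check: each administrator source address must fall in an approved range.
    if plan.get("approved_ip_ranges"):
        for ip in admin_ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in networks):
                findings.append(f"admin address not covered: {ip}")
    return findings

# Constructed sample plan; addresses are documentation ranges (RFC 5737) plus 10.0.0.0/8.
PLAN = {
    "login_hours": 8,
    "auto_logout_minutes": 45,
    "approved_ip_ranges": ["198.51.100.0/24", "203.0.113.7/24", "10.0.0.0/8"],
}
ADMIN_IPS = ["198.51.100.20", "192.0.2.10"]

if __name__ == "__main__":
    for finding in review_session_plan(PLAN, ADMIN_IPS):
        print(finding)
```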