Set up your Data Sources and Alert Sensors - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about setting up your data sources and alert sensors.

Before you can begin using Cortex XSIAM, you must set up your alert sensors. The more sensors that you integrate with Cortex XSIAM, the more context you have when a threat is detected.

You can also set up to raise Analytics alerts on network or endpoint data (or both) depending on your Cortex XSIAM Pro licenses.

The following workflow highlights the tasks that you must perform (in order) to configure Cortex XSIAM.

  1. Integrate External Threat Intelligence Services.

    Integrating external threat intelligence services enables you to view feeds from sources such as AutoFocus and VirusTotal in the context of your incident investigation.

  2. After you activate Cortex XSIAM apps and services, wait 24 hours and then configure the Cortex XSIAM analytics.

    1. Specify the internal networks that you want Cortex XSIAM to monitor.

    2. (Recommended) If you want to use Pathfinder to scan unmanaged endpoints, Activate Pathfinder.

    3. Enable Cortex XDR - Analytics.

      By default, Cortex XSIAM - Analytics is disabled. Activating Cortex XSIAM - Analytics enables the Cortex XSIAM analytics engine to analyze your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.

      To create a baseline for enabling Analytics, Cortex XSIAM requires a minimum set of data; EDR or Network logs from at least 30 endpoints over a minimum of 2 weeks, or cloud audit logs over a minimum of 5 days. Once this requirement is met, Cortex XSIAM allows you to enable analytics and begin triggering alerts within a few hours.

      1. In Cortex XSIAM , select SettingsConfigurationsCortex XDR - Analytics.

        The Enable option will be grayed out if you do not have the required data set.

      2. When available, Enable Cortex XSIAM - Analytics. The analytics engine will immediately begin analyzing your data for anomalies.


        Creating a baseline can take up to 3 hours.

    4. Enable Identity Analytics.

      By default, Identity Analytics is disabled. Activating Identity Analytics enables the Cortex XSIAM analytics engine to aggregate and display throughout your investigation user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.

      To enable the Identity Analytics, you must first Activate the Cortex XSIAM Analytics and Set Up Cloud Identity Engine (Formally Directory Sync Services (DSS)).

      After configuring your Cloud Identity Engine instance and Cortex XSIAM Analytics, Enable Identity Analytics.

  3. Add an Alert Exclusion Rule.

  4. Manage Incident Starring.

  5. (Optional) Palo Alto Networks also automatically delivers behavioral indicators of compromise (BIOCs) rules defined by the Palo Alto Networks threat research team to all Cortex XSIAM tenants, but you can also import any additional indicators as rules, as needed.

    To alert on specific BIOCs, Create a BIOC Rule. To immediately alert on known malicious indicators of compromise (IOCs)—such as known malicious IP addresses—Create an IOC Rule or Create a Correlation Rule .