Setup Overview - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Learn more about setting up Cortex XSIAM by activating the app and related apps and services.

Before you can use Cortex XSIAM for advanced detection and response, you must activate the Cortex XSIAM app and set up related apps and services.

Perform the setup activities in the steps below.

  1. Plan Your Deployment.

    As part of your planning, ensure that you or the person activating your tenant has the appropriate role permissions.

  2. Set up Cortex XSIAM.

    1. Activate.

    2. Assign User Roles and Permissions.

    3. Allocate Log Storage and License Retention.

  3. Set up Palo Alto Networks Data Ingestion.

    You can configure Cortex XSIAM to stream data from other Palo Alto Networks products directly to your tenant. To stream data directly, you must first deploy your network devices and then set up your Palo Alto Networks integrations.

  4. (Optional) Configure a mail sender integration.

    Cortex XSIAM provides a built-in mail sender integration. An email integration enables the server to send emails and can be used for system notifications and playbooks. However, if you want to use a different email sender, you can configure one during your initial setup.

  5. (Optional) Set Up Cloud Identity Engine.

    1. Activate and Set Up a Cloud Identity Engine Instance.

    2. Add the Cloud Identity Engine Instance to Cortex XSIAM.

  6. Set up Endpoint Protection.

    1. Plan your agent deployment.

    2. Create agent installation packages.

    3. Define endpoint groups.

    4. Deploy the agent to your endpoints.

    5. Configure your endpoint security policy.

  7. Set up your Data Sources and Alert Sensors as follows:

    1. (Optional) Integrate additional threat intelligence.

    2. After 24 hours, enable Cortex XSIAM Analytics.

      1. Configure Network Coverage.

      2. (Recommended) Activate Pathfinder to interrogate endpoints that do not have the Cortex XSIAM agent installed.

    3. Define alert exclusions.

    4. Prioritize incidents based on their attributes by creating an incident starring policy.

    5. Import or configure rules for known BIOCs and IOCs, and create any applicable Correlation Rules.

    6. (Optional) Manage External Dynamic Lists.

  8. (Optional) Set up Outbound Integration.

    • Integrate with Slack.

    • Integrate with a Syslog Server.

    • Integrate with Cortex XSIAM.

  9. (Optional) Set up Managed Security.

  10. (Optional) Set up a Cortex XSIAM development tenant.

  11. Use the Interface.