Review the steps to deploy and onboard Cortex XSIAM.
We recommend reviewing the following steps to successfully deploy and onboard Cortex XSIAM:
Step | Action | Details
---|---|---
Step 1: Activate Cortex XSIAM | Activate and log in to Cortex Gateway |
Step 2: Pre-installation steps for Cortex XDR agents | Assign user roles | Start assigning roles directly to users or create user groups and assign roles to those groups.
 | Configure how users access Cortex XSIAM | You can authenticate users by doing one or both of the following:
 | Verify endpoint operating systems | Validate endpoint operating systems to ensure they are compatible with Cortex XSIAM.
 | Define endpoint groups | (Optional, can be performed post-deployment) Define an endpoint group to apply policy rules and manage specific endpoints. If you set up Cloud Identity Engine, you can also leverage your Active Directory user, group, and computer details in endpoint groups.
 | Customize endpoint security profiles | Customize your Endpoint Security Profiles and assign them to your endpoints. Cortex XSIAM provides default security profiles that you can use out-of-the-box to immediately begin protecting your endpoints from threats. Defaults include profiles for exploits, malware, restrictions, agent settings, and exceptions. Review your policy rules and the security profiles assigned to these rules and make any necessary adjustments.
 | Enable enhanced data collection from endpoints | Cortex XSIAM provides out-of-the-box exploit and malware protection. However, at minimum, you must enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XSIAM. Note: Data collection for Windows endpoints is available with Traps 6.0 and later releases and on endpoints running Windows 7 SP1 and later releases. Data collection on macOS and Linux endpoints is available with Traps 6.1 and later releases.
Step 3: Install Cortex XDR agents | Plan agent deployment | Plan your agent deployment.
 | Create installation packages | To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XSIAM offers an agent installation and content update distribution package.
 | Review the Cortex XDR compatibility matrix | Until a Cortex XDR agent release reaches its end-of-life (EoL) status, Palo Alto Networks provides the following support:
 | Review Cortex XDR agent compatibility with third-party security products | Check the list of agent versions that Cortex XSIAM is compatible with. Contact Cortex XSIAM teams for insights on agent versions that aren't listed.
 | Deploy agent installation packages | Deploy agent installation packages using a third-party tool such as SCCM, or manually on the endpoint.
Step 4: Configure and deploy Cortex XSIAM | Enable Cortex XSIAM analytics | Set up monitoring for internal networks. Activate Cortex XSIAM Analytics to enable the analytics engine to analyze your endpoint data, develop a baseline, and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected. (Optional but highly recommended) Enable Identity Analytics to aggregate and display user profile details, activities, and alerts related to a user-based Analytics alert and Analytics BIOC rule during an investigation. Danger: Cloud Identity Engine must be set up.
 | (Optional but highly recommended) Set up and configure Broker VM | Broker VM is used to proxy all Cortex XDR/Traps agent communication to provide a more predictable flow of traffic to and from the cloud for heartbeats, agent updates, content updates, and more. It also serves as a Syslog collection point for all third-party log ingestion.
 | (Optional but highly recommended) Activate Pathfinder | Pathfinder is used to examine network hosts, servers, and workstations for malicious or risky software.
 | (Optional but highly recommended) Install Cloud Identity Engine | Cloud Identity Engine is a complimentary service that enables you to leverage Active Directory user, group, and computer details in Cortex XSIAM to provide context when you investigate alerts. You can also use Active Directory information in policy configuration and endpoint management of Traps agents.
 | Automation and feed integrations | Add and configure integrations such as messaging, authentication, and feeds to use in Cortex XSIAM.
 | Install engines | Install an engine on a remote machine to allow communication between the remote machine and Cortex XSIAM.
 | Cortex Marketplace | Install content packs from Marketplace for your use case.
Step 5: Define data sources | Configure data ingestion | To provide you with a more complete and detailed picture of the activity involved in an incident, Cortex XSIAM can ingest data from a variety of Palo Alto Networks and third-party sources.
Step 6: Perform health checks | Prevention policies | Update policies and profiles and ensure that all action modes are set to Block.
 | Monitor operational status | Verify that Cortex XDR agents are protecting endpoints according to predefined security policies and profiles.
 | Test sample malware | Use a malware PE, MacOSX, or APK test file to test end-to-end WildFire sample processing.
 | Validate detectors for alerts and incidents | Check alerts and their associated alert sources. Validate that all the configurations on the policy level and on the agent deployment level meet the requirements to generate alerts and incidents in Cortex XSIAM. For example, check the following:
 | Validate log ingestion from external integrations | Verify which datasets are being created. The Dataset Management page enables you to manage your datasets and understand your overall data storage duration for different retention periods and datasets, based on your Hot and Cold Storage licenses and any retention add-ons that extend your storage.