Cortex XSIAM onboarding checklist - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Review the steps to deploy and onboard Cortex XSIAM.


We recommend reviewing the following steps to successfully deploy and onboard Cortex XSIAM:




See more

Step 1: Activate Cortex XSIAM

Activate and log in to the Cortex Gateway

  1. Follow the instructions in the activation email and sign in to the Cortex Gateway.

  2. Confirm license type.

See topic

  1. Enable access to Cortex XSIAM communication servers, storage buckets, and resources.

See topic

Step 2: Pre-installation steps for Cortex XDR agents

Assign user roles

Start assigning roles directly to users or create user groups and assign roles to those groups.

See topic

Configure how users access Cortex XSIAM. You can authenticate users by doing one or both of the following:

  • User authentication through the Customer Support Portal

  • SAML single sign-on in the Cortex XSIAM tenant

See topic

Verify endpoint operating systems

Validate endpoint operating systems to ensure they are compatible with Cortex XSIAM.

See topic

Define endpoint groups

(Optional, can be performed post-deployment) Define an endpoint group to apply policy rules and manage specific endpoints. If you set up Cloud Identity Engine, you can also leverage your Active Directory user, group, and computer details in endpoint groups.

See topic

Customize endpoint security profiles

Customize your Endpoint Security Profiles and assign them to your endpoints.

Cortex XSIAM provides default security profiles that you can use out-of-the-box to immediately begin protecting your endpoints from threats. Defaults include profiles for exploits, malware, restrictions, agent settings, and exceptions.

Review your policy rules and the security profiles assigned to these rules and make any necessary adjustments.

See topic

Enable enhanced data collection from endpoints

Cortex XSIAM provides out-of-the-box exploit and malware protection. However, at minimum, you must enable Data Collection in an Agent Settings profile to leverage endpoint data in Cortex XSIAM.


Data collection for Windows endpoints is available with Traps 6.0 and later releases and on endpoints running Windows 7 SP1 and later releases. Data collection on macOS and Linux endpoints are available with Traps 6.1 and later releases.

  1. Enable data collection in an Agent Settings profile to leverage endpoint data in Cortex XSIAM and use features such as Analytics or Host Insights.

  2. Attach the Agent Settings profile to a policy rule in order to apply it to selected endpoints.

  3. Set global agent configurations that apply to all the endpoints in your network.

See topic

See topic

See topic

Step 3: Install Cortex XDR agents

Plan agent deployment

Plan your agent deployment.

See topic

Create installation packages

To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XSIAM offers an agent installation and content update distribution package.

See topic

Review the Cortex XDR compatibility matrix

Until a Cortex XDR agent release reaches its end-of-life (EoL) status, Palo Alto Networks provides the following support:

  • Microsoft operating systems are supported for three years beyond the end of Microsoft support

  • Other operating system vendors are supported until they reach end-of-life.

  • Cortex XDR agents for macOS and 32-bit Windows are not FedRamp compliant.

See topic

Review Cortex XDR agent compatibility with third-party security products

Check the list of agent versions that Cortex XSIAM is compatible with. Contact Cortex XSIAM teams for insights on agent versions that aren't listed.

See topic

Deploy agent installation packages

Deploy agent installation packages using a third-party tool such as an SCCM, or manually on the endpoint.

See topic

Step 4: Configure and deploy Cortex XSIAM

Enable Cortex XSIAM analytics

Set up monitoring for internal networks.

See topic

Activate Cortex XSIAM Analytics to enable the analytics engine to analyze your endpoint data to develop a baseline and raise analytics and analytics BIOC alerts when anomalies and malicious behaviors are detected.

See topic

(Optional but highly recommended) Enable Identity Analytics to aggregate and display user profile details, activities, and alerts related to a user-based analytics type alert and Analytics BIOC rule during an investigation.


Cloud Identity Engine must be set up.

(Optional but highly recommended) Set up and configure Broker VM

Broker VM is used to proxy all Cortex XDR/Traps agent communication to provide a more predictable flow of traffic to and from the cloud for heartbeats, agent updates, content updates, and more. It is also used to serve as a Syslog collection point for all third-party log ingestion.

See topic

(Optional but highly recommended) Activate Pathfinder

Pathfinder is used to examine network hosts, servers, and workstations for malicious or risky software.

See topic

(Optional but highly recommended) Install Cloud Identity Engine

Cloud Identity Engine is a complimentary service that enables you to leverage Active Directory user, group, and computer details in Cortex XSIAM to provide context when you investigate alerts. You can also use Active Directory information in policy configuration and endpoint management of Traps agents.

See topic

Automation and feed integrations

Add and configure integrations such as messaging, authentication, and feeds to use in Cortex XSIAM.

See topic

Install engines

Install an engine on a remote machine to allow communication between the remote machine and Cortex XSIAM.

See topic

Cortex Marketplace

Install content packs in Marketplace for your use case.

See topic

Step 5: Define data sources

Configure data ingestion

To provide you with a more complete and detailed picture of the activity involved in an incident, Cortex XSIAM can ingest data from a variety of Palo Alto Networks and third-party sources.

  • Configure Palo Alto Networks integrations for streaming data and ingesting logs.

  • Configure external data ingestion to ingest data from third-party sources.

See topic

See topic

Step 6: Perform health checks

Prevention policies

Update policies and profiles and ensure that all action modes are set to Block.

See topic

Monitor operational status

Verify that Cortex XDR agents are protecting endpoints according to predefined security policies and profiles.

See topic

Test sample malware

Use a malware PE, MacOSX, or APK test file, to test end-to-end WildFire sample processing.

See topic

Validate detectors for alerts and incidents

Check alerts and their associated alert sources.

Validate that all the configurations on the policy level and on the agent deployment level meet the requirements to generate alerts and incidents on Cortex XSIAM.

For example, check the following:

  • Cortex XDR agent generates WildFire malware alerts.

  • NFGW alerts are listed by PAN NGFW.

Validate log ingestion from external integrations

Verify what datasets are being created.

The Dataset Management page enables you to manage your datasets and understand your overall data storage duration for different retention periods and datasets based on your Hot and Cold Storage licenses, and retention add-ons to extend your storage. 

See topic