Setting up Cortex XSOAR, including activation, managing users and roles, engines, etc.
This topic provides an overview of the deployment process, including best practices.
Activating a Cortex XSOAR tenant is a one-time task you’ll need to perform before using Cortex XSOAR. You only need to repeat the activation if you want to add additional Cortex XSOAR tenants.
Cortex XSOAR comes out-of-the-box with the following roles:
For out-of-the-box roles, you can view the permissions and create duplicates. You can create role-based access for users. Roles define permissions for users, such as creating, editing, and viewing incidents, viewing default dashboards, and creating playbooks and scripts.
The most common updates to the out-of-the-box analyst role when deploying a new system include:
Removing the permission to delete incidents.
Removing the permissions to install and contribute Marketplace content.
Configuring default dashboards, queries, and shifts.
SSO is the recommended method to authenticate and authorize users, as it allows for multi-factor-authentication. We strongly recommended implementing MFA and the appropriate conditional access policies at the identity provider. You can integrate with any IdP that is supported by SAML 2.0.
You can also create users in the CSP. Although these users have access to the Cortex Gateway, only Account Admins can update roles and permissions including access to the Cortex XSOAR tenant.
After adding users, you can assign these users to pre-existing roles by importing a CSV file in the tenant.
Any user who has a CSP account can access the Cortex Gateway.
Create a more personalized user experience, by setting keyboard shortcuts, timezone, timestamp format, etc.
Define how long a user can be logged in, for which domains/IP ranges they can log into Cortex XSOAR, deactivate inactive users, allow domains, etc.
(Optional) Configure a mail sender integration
Cortex XSOAR provides a built-in mail sender integration. An email integration enables the tenant to send emails and can be used for system notifications and playbooks. However, if you want to use a different email sender, you can configure one during your initial setup.
Enables you to simplify and compartmentalize administrative tasks, and enables you to save credentials without exposing usernames, passwords, or certificates.
Engines are installed in a remote network and allow communication between the remote network and the Cortex XSOAR tenant. You can run scripts and integration commands on an engine.
Set up development and production environments by syncing content using a private content repository.
(Multi-Tenant) Create a Child Tenant
After you have activated the Main Tenant, if you have a Multi-tenant license, you can create child tenants in the Cortex Gateway. For more information, see Introduction to Cortex XSOAR Multi-Tenant.
You can integrate Cortex Data Lake with Cortex XSOAR, which provides cloud-based, centralized log storage and aggregation for your on-prem, virtual (private cloud and public cloud) firewalls, Prisma Access, and cloud-delivered services such as Cortex XDR. You can activate this using the PANW Hub. For more information about the hub, see Getting Started with the PANW Hub.
To use Cortex Data Lake in Cortex XSOAR, install the Cortex Data Lake Content Pack to run queries for critical threat logs, social applications, threat logs, etc. You can also Install the PAN-OS to Cortex Data Lake Monitoring content pack to monitor the PAN-OS FW log in a recurring job.
For more information about Cortex Data Lake, see Getting Started with Cortex Data Lake.