Set Up the Tenant - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Setting up Cortex XSOAR, including activation, managing users and roles, engines, etc.

This topic provides an overview of the deployment process, including best practices.

  1. Activate the Tenant

    Activating a Cortex XSOAR tenant is a one-time task you’ll need to perform before using Cortex XSOAR. You only need to repeat the activation if you want to add additional Cortex XSOAR tenants.

  2. Configure roles

    Cortex XSOAR comes out-of-the-box with the following roles:

    • Admin

    • Analyst

    • Read-Only

    For out-of-the-box roles, you can view the permissions and create duplicates. You can create role-based access for users. Roles define permissions for users, such as creating, editing, and viewing incidents, viewing default dashboards, and creating playbooks and scripts.

    The most common updates to the out-of-the-box analyst role when deploying a new system include:

    • Removing the permission to delete incidents.

    • Removing the permissions to install and contribute Marketplace content.

    • Configuring default dashboards, queries, and shifts.

  3. Set up user access

    You can set up user access using SSO or by creating users through the Customer Support Portal (CSP).

    SSO is the recommended method to authenticate and authorize users, as it allows for multi-factor-authentication. We strongly recommended implementing MFA and the appropriate conditional access policies at the identity provider. You can integrate with any IdP that is supported by SAML 2.0.

    You can also create users in the CSP. Although these users have access to the Cortex Gateway, only Account Admins can update roles and permissions including access to the Cortex XSOAR tenant.

    After adding users, you can assign these users to pre-existing roles by importing a CSV file in the tenant.


    Any user who has a CSP account can access the Cortex Gateway.

  4. Define server settings

    Create a more personalized user experience, by setting keyboard shortcuts, timezone, timestamp format, etc.

  5. Configure session security settings

    Define how long a user can be logged in, for which domains/IP ranges they can log into Cortex XSOAR, deactivate inactive users, allow domains, etc.

  6. (Optional) Configure a mail sender integration

    Cortex XSOAR provides a built-in mail sender integration. An email integration enables the tenant to send emails and can be used for system notifications and playbooks. However, if you want to use a different email sender, you can configure one during your initial setup.

  7. Install Slack Content Pack

  8. Set up credentials in Cortex XSOAR

    Enables you to simplify and compartmentalize administrative tasks, and enables you to save credentials without exposing usernames, passwords, or certificates.

  9. Set up an engine

    Engines are installed in a remote network and allow communication between the remote network and the Cortex XSOAR tenant. You can run scripts and integration commands on an engine.

  10. Set up a Remote Repository

    Set up development and production environments by syncing content using a private content repository.

  11. (Multi-Tenant) Create a Child TenantCreate a Child Tenant

    After you have activated the Main Tenant, if you have a Multi-tenant license, you can create child tenants in the Cortex Gateway. For more information, see Introduction to Cortex XSOAR Multi-Tenant.Introduction to Cortex XSOAR Multi-Tenant


You can integrate Cortex Data Lake with Cortex XSOAR, which provides cloud-based, centralized log storage and aggregation for your on-prem, virtual (private cloud and public cloud) firewalls, Prisma Access, and cloud-delivered services such as Cortex XDR. You can activate this using the PANW Hub. For more information about the hub, see Getting Started with the PANW Hub.

To use Cortex Data Lake in Cortex XSOAR, install the Cortex Data Lake Content Pack to run queries for critical threat logs, social applications, threat logs, etc. You can also Install the PAN-OS to Cortex Data Lake Monitoring content pack to monitor the PAN-OS FW log in a recurring job.

For more information about Cortex Data Lake, see Getting Started with Cortex Data Lake.