Cortex XDR Setup Guide: September 2019
September 2019
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2019-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
September 25, 2019
Cortex XDR Configuration Overview
With Cortex XDR you can integrate and raise alerts on all your network, endpoint, and cloud data. For the
most complete set of correlated data, you can collect network and cloud logs from your Palo Alto Networks
firewalls, mobile VPN traffic logs from GlobalProtect or Prisma Access, and use either Traps or Pathfinder
to collect endpoint data. However, you can also use Cortex XDR apps with any of these data sensors
individually.
The following workflow highlights the tasks that you must perform (in order) to configure the Cortex XDR
app. Each individual task focuses on setting up critical components (for example, the Cortex Data Lake, the
Cortex XDR apps, and Traps).
STEP 1 | Confirm that you have Everything You Need to Configure Cortex XDR.
STEP 2 | Assign roles to the users who will activate Cortex XDR apps.
STEP 3 | Use the Palo Alto Networks hub to Activate Cortex XDR.
During activation you can also activate a new Cortex Data Lake instance and set up a Directory Sync
Service instance.
User Roles
To activate Cortex XDR apps, you must be assigned either the Account Administrator or App Administrator role for each of the following apps and services in the Palo Alto Networks hub:
• Cortex XDR
• Cortex XDR – Analytics
• Traps
• Cortex Data Lake—If you are associating an existing Cortex Data
Lake instance with Cortex XDR, you only need a role of Instance
Administrator or higher to manage logging storage. However, if
you are activating a new instance, you must be assigned an App
Administrator role or higher to activate the new instance and manage
logging storage quota.
If you do not have the appropriate roles for all apps and services when
you activate Cortex XDR, activation will fail.
For more information on managing administrative access, see Manage
Roles.
Auth Code
After you purchase a Cortex XDR license through your sales representative, Palo Alto Networks sends you an email that includes an authorization (auth) code. Use this auth code to activate the following apps in the hub:
• Cortex XDR app including the Cortex XDR analytics engine
(represented in the hub as Cortex XDR - Analytics)
• Traps management service app
These apps are included with your purchase of Cortex XDR.
If you do not have an existing Cortex Data Lake instance, you will also
receive a separate auth code that you can use to activate Cortex Data
Lake during the Cortex XDR activation process.
Network Requirements
If the network that the Cortex XDR analytics engine is monitoring has more than one subnet, make sure that the subnets do not contain duplicate IP addresses.
Firewall and Panorama Requirements
Firewalls and Panorama are optional as detection sensors for the Cortex XDR analytics engine. If you intend to Configure Firewalls and Panorama to Support Cortex XDR:
• Palo Alto Networks firewalls and Panorama must be set up with the
Palo Alto Networks Cortex Data Lake.
Specifically for Analytics alerts, firewalls must be configured to send
Traffic logs to the Cortex Data Lake.
Pathfinder Requirements
Pathfinder is optional but highly recommended even if you already use Traps to protect and collect data from your endpoints.
Requirements to Set Up Pathfinder:
• Hardware to support Pathfinder virtual machine (2 core, 8 GB RAM,
128 GB disk).
• VMware ESXi or Hyper-V.
• An internal DNS server.
• Pathfinder requires Local Administrator permissions for all endpoints.
For more information, see this Microsoft procedure.
• Pathfinder requires the following ports to be open for
communication with the devices it scans:
• RPC Endpoint Mapper (port 135)
• NetBIOS over TCP/IP Name Services (port 137)
• NetBIOS over TCP/IP Session Services (port 139)
• SMB over TCP/IP (port 445)
• Pathfinder requires port 443 to be open to communicate with the
Cortex XDR app.
• Pathfinder requires port 444 to be open. It uses the FQDNs on port
444 to perform query and validity checks as part of the process to
pair with the Cortex XDR app.
• All devices that Pathfinder scans must provide the following services:
• WMI Service
• Eventlog Service
• PowerShell
Directory Sync Service
Directory Sync Service is optional, but strongly recommended. It allows the Cortex XDR analytics engine to add additional user details to
Analytics alerts and, if used with Traps, allows you to leverage your user
directory when you configure policies in Traps management service.
To use the Directory Sync Service, you must activate the service and
install an agent locally on your network. You can Set Up Directory
Sync Service at any time, so it isn’t strictly necessary for you to
have Directory Sync installed before you continue with Cortex XDR
configuration.
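The port requirements in the Pathfinder row above are easy to miss when a segment firewall sits between the Pathfinder VM and the hosts it scans. The following is an added example (not from the setup guide or Palo Alto Networks) that probes those ports per host before you pair and scan; the scan targets and the Cortex XDR FQDN are placeholders you supply, and the connect function is injectable so the logic can be exercised without a live network.

```python
# Added example (not Palo Alto Networks code): readiness check for the
# Pathfinder port requirements listed in the setup guide.
import socket
from typing import Callable, Dict, List, Tuple

# Ports Pathfinder needs toward the devices it scans (from the guide).
SCAN_TARGET_PORTS = {135: "RPC Endpoint Mapper", 139: "NetBIOS Session Service", 445: "SMB"}
# Port 137 (NetBIOS Name Service) is also required but is UDP in practice, so a
# TCP connect cannot confirm it; it is reported separately rather than probed.
UDP_ONLY_PORTS = {137: "NetBIOS Name Service (UDP; verify via firewall policy)"}
# Ports Pathfinder needs outbound to the Cortex XDR app for pairing and operation.
XDR_OUTBOUND_PORTS = {443: "Cortex XDR app", 444: "pairing query and validity checks"}

ConnectFn = Callable[[str, int], bool]
Row = Tuple[int, str, bool]  # (port, purpose, reachable)

def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(host: str, ports: Dict[int, str], connect: ConnectFn) -> List[Row]:
    """Probe every port in `ports` on `host` and keep one result row per port."""
    return [(port, purpose, connect(host, port)) for port, purpose in ports.items()]

def pathfinder_readiness(targets: List[str], xdr_fqdn: str,
                         connect: ConnectFn = tcp_connect) -> Dict[str, List[Row]]:
    """Per-host report: scan targets need 135/139/445, the XDR FQDN needs 443/444."""
    report = {host: check_ports(host, SCAN_TARGET_PORTS, connect) for host in targets}
    report[xdr_fqdn] = check_ports(xdr_fqdn, XDR_OUTBOUND_PORTS, connect)
    return report

def blocked_ports(report: Dict[str, List[Row]]) -> Dict[str, List[int]]:
    """Only hosts with at least one unreachable port, mapped to those ports."""
    blocked = {host: [p for p, _, ok in rows if not ok] for host, rows in report.items()}
    return {host: ports for host, ports in blocked.items() if ports}

if __name__ == "__main__":
    # Constructed placeholders: substitute your own scan targets and tenant FQDN.
    rep = pathfinder_readiness(["10.0.0.5", "10.0.0.6"], "xdr.example.invalid")
    for host, rows in rep.items():
        for port, purpose, ok in rows:
            print(f"{host:>22} {port:>4} {purpose:<36} {'open' if ok else 'BLOCKED'}")
    print("not probed (UDP):", UDP_ONLY_PORTS)
```

Run it from the Pathfinder VM's subnet, since that is where the scans originate; a port that is open from an admin workstation but blocked from the VM still fails the requirement.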
STEP 2 | If you manage multiple company accounts, verify your company account name before
proceeding with activation.
The hub will activate Cortex XDR and the included apps and services for the selected account.
STEP 4 | Enter the Auth Code that Palo Alto Networks provided with your Cortex XDR license and
Continue.
STEP 5 | Provide details about the Cortex XDR app you’re activating.
STEP 8 | When your app is available, log in to your Cortex XDR app to confirm that you can successfully
access the Cortex XDR app interface.
You cannot exceed 100% log storage allocation. If your total allocated quota is already
at 100% for other non-Cortex XDR apps or services, reduce the quota for those apps or
services to free up storage.
1. If you purchased quota for firewall logs, allocate quota to the Firewall log type.
To use the same Cortex Data Lake instance for both firewall logs and Traps logs, you must first
associate Panorama with the Cortex Data Lake instance before you can allocate quota for firewall
logs.
2. Review your storage allocation for the Traps log type.
While the distribution of Traps logs depends on your storage needs, a good starting point is to
allocate Traps logs as recommended for Traps management service. It is also recommended to review
the status of your Cortex Data Lake instance after about two weeks of data collection and make
adjustments as needed.
3. Review your storage allocation for the Cortex XDR and Cortex XDR – Analytics log types.
Because Cortex XDR and analytics alerts do not require a lot of storage, you typically need to allocate
less than 1% of your total allocated storage for each.
STEP 2 | Click the gear > Manage Apps in the upper-right corner.
STEP 3 | Locate the Directory Sync Service instance that you want to use with Cortex XDR apps. Make
a note of the instance's name, which appears in the left-most column.
If you have more than one instance, make sure you choose the instance that is in the same region as the
Cortex Data Lake instance you are using with your apps.
STEP 4 | Pair the Directory Sync Service instance with your Cortex XDR – Analytics instance.
1. Scroll down until you find your Cortex XDR – Analytics instance in the Cortex XDR section.
2. Click on its name in the left-most column.
3. In the resulting pop-up configuration screen, select the desired Directory Sync Service instance, and
then click OK.
STEP 1 | Review that you have all the Cortex XDR requirements described in Everything You Need to
Configure Cortex XDR.
STEP 2 | If you have not already done so, assign the Cortex XDR roles to the users who will set up and
manage the app.
If the user will also manage Cortex XDR analytics features, ensure the user also is assigned the
appropriate role for Cortex XDR – Analytics.
2. When available, Enable Cortex XDR - Analytics. The analytics engine will immediately begin
analyzing your Cortex data for anomalies.
STEP 4 | (Optional) Palo Alto Networks also automatically delivers behavioral indicators of compromise
(BIOCs) rules defined by the Palo Alto Networks threat research team to all Cortex XDR
tenants, but you can also import any additional rules, as needed.
To alert on specific BIOCs, import BIOC rules. To immediately begin alerting on known malicious
indicators of compromise (IOCs), such as known malicious IP addresses, import IOC rules.
• Verify that the firewall logs are being forwarded to the Cortex Data Lake.
1. From Panorama, select Monitor > Logs and select a log type to view.
2. To verify that the logs you are seeing are from the Cortex Data Lake, run the following CLI command
on the firewall:
-----------------------------------------------------------------------------------------------------------------------------
Type Last Log Created Last Log Fwded Last Seq Num Fwded Last Seq Num Acked Total Logs Fwded
-----------------------------------------------------------------------------------------------------------------------------
> CMS 0
Not Sending to CMS 0
> CMS 1
Not Sending to CMS 1
Look for the line ‘Log collection log forwarding agent is active and connected to
<IP_address>’. You can also see that CMS 0 and CMS 1 (the Log Collectors) are not receiving
logs.
• Use the ACC on Panorama and firewalls to monitor network activity. Check for applications
like SMBv2, ms-rdp, DNS, and Kerberos to verify that the firewalls have visibility into internal
network traffic.
You can also use Monitor > Manage Custom Reports and generate Run Now reports on summary logs.
You cannot generate scheduled reports or generate reports on detailed logs stored on the Cortex Data
Lake.
Set Up Pathfinder
Pathfinder™ is a highly recommended, but optional, component that Cortex XDR™ uses to examine
network hosts, servers, and workstations for malicious or risky software. When paired with Pathfinder,
Cortex XDR supports all the Analytics alerts described in the Cortex XDR Analytics Alert Reference.
To enable Pathfinder to investigate your network endpoints, you must install one or more Pathfinder virtual
machines (VMs) on your network. The Pathfinder VMs use Remote Procedure Calls (RPCs) to examine
endpoints, so that you don’t need to locally install kernel drivers or other software agents on each host. The
steps to set up Pathfinder include deploying the Pathfinder VM and pairing Pathfinder with the app.
STEP 1 | Start by confirming that you have Everything You Need to Configure Cortex XDR, and only set
up Pathfinder after you Activate Cortex XDR.
STEP 2 | Download the latest Pathfinder software from the Palo Alto Networks Software Updates page
and deploy the Pathfinder VMware or Hyper-V virtual machine (VM).
If you deploy a Hyper-V VM, follow the wizard, and specify generation 1. For both virtual machines,
make sure the VM has at least 8 GB of startup memory. Do not use dynamic memory, and select the
same subnet connection as Pathfinder.
STEP 6 | Return to the top-level Pathfinder VM console screen, and select the pair menu. Record the
Pathfinder VM ID (you will use this in the next step).
You can confirm that Pathfinder is connected to Cortex XDR by using connectivity
from the Pathfinder VM console.
STEP 10 | Configure the credentials for Pathfinder to use to authenticate to the devices it examines.
To configure these credentials locally on the Pathfinder VM, navigate to the Pathfinder Console menu,
and select Credentials. Otherwise, you can configure them in the Cortex XDR app:
1. In the Cortex XDR app, click > Analytics Management > Configuration.
STEP 11 | Enable the Pathfinder VM to scan your network devices or limit the Pathfinder VM to scan
certain network ranges or specific devices.
It’s recommended to assign the Pathfinder VM to scan all network ranges; however, you can assign
different Pathfinder VMs to scan different network ranges or in certain environments, like a lab
environment, you can choose to limit Pathfinder scans to certain devices.
1. In the Cortex XDR app, click > Analytics Management > Configuration.
2. Select Network Segments and, if you haven’t done so already, configure the IP ranges (network
assets) that Cortex XDR monitors.
3. On the Network Segments page, use the final column (Assigned Pathfinder VM) for each table row
to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular
segment, then do not identify a Pathfinder VM for that segment's table row.
4. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder
page and then select Per Asset Configuration. Use these settings to override the default Pathfinder
configuration on a per-asset basis.
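Before entering the IP ranges in the Network Segments step above, it is worth checking the list offline for the two mistakes the guide warns about: overlapping subnets (which violate the "no duplicate IP addresses" network requirement) and segments left without an Assigned Pathfinder VM, which will silently go unscanned. The following is an added example, not from the setup guide or Palo Alto Networks; the segment names and ranges are constructed placeholders.

```python
# Added example (not Palo Alto Networks code): sanity checks on the network
# segments entered under Analytics Management > Configuration > Network Segments.
import ipaddress
from typing import Dict, List, Optional, Tuple

def overlapping_segments(segments: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of segment names whose CIDR ranges overlap.

    An overlap means one IP address can belong to two monitored subnets, which
    breaks the guide's requirement that subnets contain no duplicate addresses.
    A malformed CIDR raises ValueError so it is not silently skipped.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in segments.items()}
    names = list(nets)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # overlaps() is False across IPv4/IPv6, so mixed families never clash
            if nets[a].overlaps(nets[b]):
                hits.append((a, b))
    return hits

def unassigned_segments(assignment: Dict[str, Optional[str]]) -> List[str]:
    """Segments with no value in the 'Assigned Pathfinder VM' column.

    The guide treats an empty assignment as 'do not scan this segment', so list
    these to confirm the omission is deliberate rather than accidental.
    """
    return [name for name, vm in assignment.items() if not vm]

if __name__ == "__main__":
    # Constructed sample configuration; names and ranges are placeholders.
    segments = {"corp-lan": "10.10.0.0/16", "lab": "10.10.5.0/24", "dmz": "192.168.50.0/24"}
    assignment = {"corp-lan": "pathfinder-01", "lab": "pathfinder-01", "dmz": None}
    print("overlapping:", overlapping_segments(segments))   # [('corp-lan', 'lab')]
    print("not scanned:", unassigned_segments(assignment))  # ['dmz']
```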
• Specify an internal NTP server to sync the Pathfinder clock, or an external NTP server that is
different from the pre-configured NTP servers.
1. Open the Pathfinder VM console and select NTP Server.
3. For an NTP server that is external to your network, ensure that the perimeter firewall is configured to
allow the traffic between Pathfinder and the NTP server.
When Traps management service tenant is available, the status changes to the green check mark.
STEP 3 | Access your Traps management service tenant for the first time.
There are two ways to access your Traps management service tenant: return to the hub
(https://apps.paloaltonetworks.com/) and select your tenant from the Traps management service tile, or go
directly to the web address for your tenant (https://<subdomain>.traps.paloaltonetworks.com).
STEP 6 | If you haven’t done so already, allocate logging storage in Cortex Data Lake for Traps and
Endpoint Data collection.
Manage Logging Storage for Cortex XDR.