Maximize Security with Cortex XDR Cloud Identity Agent


Table of Contents

  1. Introduction
  2. Installing and Configuring the Cloud Identity Directory Sync Agent
  3. Using the Cloud Identity Engine with Cortex XDR
  4. Preparing for Configuration
    • Installing the Cloud Identity Engine Directory Sync Agent
    • Creating a Service Account in Active Directory
  5. Setting Up the Cloud Identity Engine
    • Accessing the Cloud Identity Engine Application
    • Adding a New Directory
    • Setting Up the On-Premise Directory
    • Downloading the Agent Certificate
    • Installing the Agent Certificate
    • Configuring LDAP Connection
    • Testing Connectivity to Active Directory
    • Saving and Committing Changes
    • Starting the Engine
  6. Monitoring the Sync Process
    • Viewing Agent Logs
    • Checking Sync Status
  7. Connecting the Cloud Identity Engine to Cortex XDR
    • Accessing Cortex XDR Settings
    • Configuring Cloud Identity Engine Integration
    • Checking Connection Status
  8. Creating Dynamic Policy Groups
    • Creating a Group for Domain Controllers
    • Assigning Policies to the Group
    • Enabling Identity Analytics
  9. Common Issues and Troubleshooting
    • Incorrect Installation of Keys
    • Unable to Retrieve Netbios Value from AD
  10. Conclusion
  11. Additional Resources
  12. FAQ

Installing and Configuring the Cloud Identity Directory Sync Agent

In this article, we will guide you through the process of installing and configuring the Cloud Identity Directory Sync Agent, as well as utilizing the Cloud Identity Engine with Cortex XDR. The Cloud Identity Engine allows you to sync user and object information from various sources, providing additional data to Palo Alto Networks products like Cortex XDR.

Preparing for Configuration

Before you begin the configuration process, there are a few steps you need to take. Firstly, you should have a designated location to install and run the Cloud Identity Engine Directory Sync Agent. It is recommended to install it on a server, but not directly on your domain controller. The server must be able to reach the Cloud Identity Engine Sync URL and your domain controller(s).

You will also need to create a service account in your Active Directory environment for the agent to use for running queries. Make note of the distinguished name for the account.
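The preparation steps above can be checked from the server that will host the agent before anything is installed. The following PowerShell script is an added example, not part of the original article or of Palo Alto Networks' documentation. The host names and account name are placeholders, TCP 443 for the sync URL is an assumption, and the Active Directory lookup requires the ActiveDirectory (RSAT) module.

```powershell
# Added example: pre-flight checks for the Directory Sync Agent host.
# Every default value below is a placeholder; substitute your own.
param(
    [string]$SyncHost = 'agent-directory-sync.region.paloaltonetworks.com', # replace "region"
    [string[]]$DomainControllers = @('dc01.example.internal'),              # hypothetical DC
    [string]$ServiceAccount = 'svc-cie-sync',                               # hypothetical account
    [ValidateSet('LDAP', 'LDAPS')][string]$Protocol = 'LDAPS'
)

$results = @()

# Outbound reachability of the sync URL (TCP 443 is assumed here).
$t = Test-NetConnection -ComputerName $SyncHost -Port 443 -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Target = $SyncHost; Port = 443; Reachable = $t.TcpTestSucceeded }

# LDAP listens on TCP 389, LDAPS on TCP 636.
$port = if ($Protocol -eq 'LDAPS') { 636 } else { 389 }
foreach ($dc in $DomainControllers) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Target = $dc; Port = $port; Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# Look up the distinguished name to paste into the agent's LDAP configuration,
# and list group memberships so the account's privileges can be reviewed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $ServiceAccount -Properties MemberOf
    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName
        Enabled           = $u.Enabled
        MemberOf          = @($u.MemberOf) -join '; '
    } | Format-List
    if (-not $u.Enabled) { Write-Warning "Service account $ServiceAccount is disabled." }
} else {
    Write-Warning 'ActiveDirectory module not found; look up the distinguished name on a host that has RSAT.'
}

# Summarize any target that could not be reached.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "Cannot reach $($_.Target) on TCP $($_.Port)."
}
```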

Setting Up the Cloud Identity Engine

To get started with the configuration process, visit apps.paloaltonetworks.com and click on the Cloud Identity Engine application. If you don't see the app in the blue ribbon bar, look under the "Explore Apps from Palo Alto Networks" header.

Once you are in the Cloud Identity Engine app, click on "Add New Directory," and then click on "Setup" under the "On-Premise Directory" section. Download the agent and obtain a certificate by providing a certificate name and password. Download the certificate.

To view additional documentation for the installation process, click on "Get Started" under the "Install" section.

Installing the Cloud Identity Engine Directory Sync Agent

After downloading the certificate file and the installer, copy them to the server where you want to install the agent. Begin the installation process by installing the certificate. Double-click on the certificate file, and when the certificate wizard loads, select "Local Machine" and click "Next." Ensure that the file path is correct and click "Next." Enter the password you selected for the certificate and leave the other options as they are. Select "Place certificates in the following store," choose "Personal" as the certificate store, and click "Next." Confirm your options and click "Finish."

Once the certificate installation is successful, run the installer. After the installer is complete, click on "Cloud Identity Agent" to launch the application. Enter your Cloud Identity Engine URL from the documentation, in the form of agent-directory-sync.region.paloaltonetworks.com.

Configuring LDAP Connection

Next, click on "LDAP Configuration." Copy and paste the distinguished name for your service account and provide the service account password. Select the protocol you wish to connect to the domain controller with, commonly LDAP or LDAPS. Add your domain controllers under the "Servers" section, one at a time. Use the "Test Connectivity to AD" feature to ensure your configuration is correct.

Once you have made all the necessary changes and are ready to proceed, click "Save." When the save button turns gray, click "Commit."

Monitoring the Sync Process

To monitor the sync process of the Cloud Identity Engine, click on the "Monitoring" tab to view the agent logs. Once the synchronization process begins, you will see your domain under the "On-Premise" header, with the sync status displayed as "In Progress." The initial synchronization may take up to six hours to complete. Once synchronization is successful, the sync status will change to "Success" with a green check mark, and you will be able to view all the objects that were synced.

Connecting the Cloud Identity Engine to Cortex XDR

To connect the Cloud Identity Engine to Cortex XDR, log in to your Cortex XDR tenant and go to "Settings" and then "Configurations." Select "Cloud Identity Engine" under "Integrations" and choose your Cloud Identity Engine instance from the drop-down menu. Click "Add Directory Sync Service." Once the connection is properly established and data is being received, you will see a green check mark beside the name of the Cloud Identity Engine service.

Please note that after successfully configuring your Cloud Identity Engine in Cortex XDR, it may take an additional 24 hours for data to be populated within Cortex XDR.

Creating Dynamic Policy Groups

Once your Cloud Identity Engine is syncing, you can proceed to create groups for dynamic policy assignment. Let's say we want to create a policy group for domain controllers. In the Cloud Identity Engine application, go to "Settings" and then "Configurations." Select "Cortex XDR Analytics" and enable the slider beside "Identity Analytics" to activate it.

Common Issues and Troubleshooting

Here are a few common issues that may occur when configuring the Cloud Identity Agent:

  1. Incorrect Installation of Keys: If you see a log entry saying "Error: No client certificate found, resetting the sync agent" in the monitoring section, please ensure that the certificate was installed correctly. Reinstall the certificate, selecting "Local Machine" for the store location and "Personal" for the certificate store.

  2. Unable to Retrieve Netbios Value from AD: When adding active directory servers to the LDAP configuration, you may encounter a message saying "Unable to retrieve Netbios value from AD." Make sure the domain entered in the domain box for the server matches the domain for your Active Directory environment. Typos are a common cause of this issue.
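For the first issue, the store that actually holds the agent certificate can be checked directly instead of repeating the import wizard. The following PowerShell script is an added example, not part of the original article. It assumes the downloaded certificate is a password-protected PKCS#12 (.pfx) file; the -Reimport switch is a name chosen for this example, and re-importing needs an elevated session.

```powershell
# Added example: report which certificate store holds the agent certificate.
param(
    [Parameter(Mandatory)][string]$PfxPath,  # certificate file downloaded from the app
    [switch]$Reimport                        # hypothetical switch: import into Local Machine\Personal
)

# Read the thumbprint from the file itself so the match does not rely on naming.
$pw    = Read-Host -AsSecureString -Prompt 'Certificate password'
$pfx   = Get-PfxData -FilePath $PfxPath -Password $pw
$thumb = $pfx.EndEntityCertificates[0].Thumbprint

# "Personal" in the wizard is the store named "My".
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
$found = foreach ($s in $stores) {
    Get-ChildItem -Path $s | Where-Object Thumbprint -eq $thumb | ForEach-Object {
        [pscustomobject]@{
            Store         = $s
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}
$found | Format-Table -AutoSize

$machine = $found | Where-Object Store -eq 'Cert:\LocalMachine\My' | Select-Object -First 1
if (-not $machine) {
    Write-Warning 'Not in Local Machine\Personal: expect "No client certificate found" in the agent log.'
    if ($found) { Write-Warning 'It was imported under Current User instead.' }
    if ($Reimport) {
        Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw
    }
} elseif (-not $machine.HasPrivateKey) {
    Write-Warning 'Certificate is present but has no private key; re-import it from the original file.'
} elseif ($machine.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($machine.NotAfter)."
} else {
    Write-Output 'Certificate is in Local Machine\Personal with a private key.'
}
```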

Conclusion

In conclusion, the Cloud Identity Engine is a powerful tool that allows you to sync user and object information from various sources, enhancing the functionality of Palo Alto Networks products like Cortex XDR. By following the steps outlined in this article, you can successfully install and configure the Cloud Identity Directory Sync Agent, connect it to Cortex XDR, and utilize its features for dynamic policy assignment and identity analytics.

Additional Resources

For more information and detailed documentation on the Cloud Identity Engine and its integration with Cortex XDR, please refer to the following resources:

  • [Link to Documentation 1]
  • [Link to Documentation 2]
  • [Link to Documentation 3]

FAQ

Q: Can I install the Cloud Identity Agent directly on my domain controller?
A: It is not recommended to install the agent directly on your domain controller. It is advisable to install it on a separate server that can reach both the Cloud Identity Engine Sync URL and your domain controller(s).

Q: How long does the initial synchronization process take?
A: The initial synchronization process may take up to six hours to complete. Please be patient during this period.

Q: How can I monitor the sync process of the Cloud Identity Engine?
A: You can view the agent logs and check the sync status under the "Monitoring" tab in the Cloud Identity Engine application.

Q: What is the purpose of Identity Analytics?
A: Identity Analytics is a feature that can be enabled in Cortex XDR to analyze identity data from the Cloud Identity Engine and provide valuable insights for security purposes.

Q: What should I do if I encounter issues during the installation or configuration process?
A: If you encounter any issues or need further assistance, please refer to the additional resources provided in this article or visit our live community, where you can find helpful how-to videos and interact with other users.

Q: How long does it take for data to be populated within Cortex XDR after configuring the Cloud Identity Engine?
A: After successfully configuring the Cloud Identity Engine in Cortex XDR, it may take up to 24 hours for data to be populated within Cortex XDR. Please allow sufficient time for the process to complete.
