Dear all,
first of all, it was my fault.
In fact, the installation itself was much easier than described in the documentation.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-an-XDR-...
All information is there.
But I was very confused by the structure of this section and by information that was useless for me.
What worked for me:

1. I created an XDR Collector installer under Settings > Configurations > XDR Collectors > Installers:
   - Gave a name
   - Selected the OS (Windows)
   - Selected the version (newest)
2. I downloaded and installed the XDR Collector on the corresponding server. The server was then visible under Settings > Configurations > XDR Collectors > Administration. I checked that the "Filebeat Status" was "Active".
3. Under Settings > Configurations > XDR Collectors > Profiles, I created a new Filebeat profile:
   - Right-clicked the Windows Filebeat Default profile and clicked Save as new
   - Gave a name and description
   - Clicked below in Select template... and selected DHCP
   - Clicked Add and Create
4. I did the same with the Windows Settings Default profile and adjusted it. There I only set Enable under Collector Auto-Upgrade.
5. Under Settings > Configurations > XDR Collectors > Policies, I created a new policy:
   - Selected + Add Policy
   - Gave a name and description
   - Selected the platform (Windows)
   - Selected the new Filebeat and Collector Settings profiles that I created under points 3 and 4
   - Clicked Next
   - Selected the corresponding endpoint
   - Clicked Next
   - Clicked Done
   - Clicked Save
6. After some minutes I went to the Query Builder, selected XQL Search and used this command:
   dataset = microsoft_dhcp_raw
   and saw the long-awaited data.
I hope that maybe this will help someone else as well.
Regards,
Peter