Palo Alto Networks Cortex Cloud

Palo Alto Networks Cortex Cloud is a cloud security platform that provides application security, cloud posture management, runtime protection, and threat detection across code, cloud, and SOC environments.

Use Cases the Adapter Solves

  • Identify vulnerable cloud assets: Discover virtual machines and containers with known CVEs and assess their severity to prioritize remediation efforts.
  • Monitor compliance posture: Track compliance findings across your cloud infrastructure to ensure adherence to security standards and regulatory requirements.
  • Gain visibility into cloud security exposures: Detect and analyze security issues affecting your cloud assets to reduce attack surface and improve overall security posture.

Asset Types Fetched

  • Devices, Containers, Compliance Findings

Endpoint to Asset Type Mapping:

Data SourceAPI EndpointAxonius Asset Type
Virtual MachinesPOST /public_api/v1/assetsDevices
ContainersPOST /public_api/v1/assetsContainers
Vulnerability IssuesPOST /public_api/v1/issue/searchCloud Security Exposures
Compliance IssuesPOST /public_api/v1/issue/searchCompliance Findings

Data Retrieved through the Adapter

Devices

  • Asset Name, Asset Strong ID, Asset ID
  • Cloud Provider, Cloud Region, Asset Type

Containers

  • Container Name, Asset Strong ID, Asset ID
  • Cloud Provider, Cloud Region, Asset Class

Cloud Security Exposures

  • CVE ID, CVE Description, CVE Severity
  • CVSS Score, Status, Solution Fix

Compliance Findings

  • Finding Name, Compliance Severity, Compliance Status
  • Detection Rule ID, Description, Remediation

Before You Begin

Required Ports

  • TCP port 443 (HTTPS)

Authentication Methods

API Key Authentication

The adapter authenticates using an API Key and API Key ID, supporting two authentication methods:

  • Standard Authentication - Uses the API Key directly in the Authorization header, no timestamp / nonce / signing required.
  • Advanced Authentication Method - Generates a signature using the API Key with timestamp and nonce for enhanced security. The mandatory headers are:
    • x-xdr-auth-id - numeric API Key ID
    • x-xdr-timestamp - current UTC time in milliseconds
    • x-xdr-nonce - random 64-character alphanumeric string, unique per request
    • Authorization - hex-encoded SHA256(API_KEY + NONCE + TIMESTAMP).

APIs

Axonius uses the Cortex Cloud Platform APIs. The following endpoints are called:

  • POST /public_api/v1/assets - Retrieves asset inventory data for virtual machines and containers
  • POST /public_api/v1/issue/search - Retrieves vulnerability and compliance issues

Required Permissions

The API user must have the appropriate permissions to access the Cortex Cloud APIs. The exact permission names should be confirmed with your Palo Alto Networks administrator, as specific role-based permissions are required for:

  • Asset Inventory Access - Read access to virtual machine and container assets
  • Issue Management Access - Read access to vulnerability and compliance findings

Note: The exact permission names should be confirmed with your Palo Alto Networks administrator or Palo Alto Networks support, as the API documentation is not publicly available.

Supported From Version

Supported from Axonius version 9.0

Setting Up Palo Alto Networks Cortex Cloud to Work with Axonius

To set up the Palo Alto Networks Cortex Cloud adapter, you need to first generate an API Key and API Key ID from the Cortex Cloud console:

  1. Log in to the Palo Alto Networks Cortex Cloud console.
  2. Navigate to Settings > Configurations > Integrations > API Keys.
  3. Click New Key to generate a new API key.
  4. Copy the API Key ID and API Key for use in Axonius.
  5. Note your tenant-specific API domain (e.g., https://api-tenant.xdr.us.paloaltonetworks.com)

Connecting the Adapter in Axonius

  1. Navigate to the Adapters page, search for Palo Alto Networks Cortex Cloud, and click on the adapter tile.
  2. Click Add Connection.

To connect the adapter in Axonius, provide the following parameters:

Required Parameters

  1. Host Name or IP Address - Base domain for the API, should contain a prefix of http:// or https://. Do not add any specific endpoints after the domain. Example: https://api-tenant.xdr.us.paloaltonetworks.com
  2. API Key - The API Key generated from the Cortex Cloud console.
  3. API Key ID - The API Key ID associated with the API Key.
  4. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

Optional Parameters

  1. Use Advanced Authentication Method - Enable this option to use the advanced authentication method that generates a signature with timestamp and nonce for enhanced security.
  2. HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.
  3. HTTPS Proxy User Name - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
  4. HTTPS Proxy Password - The password to use when connecting to the server using the HTTPS Proxy.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.