Palo Alto Networks Cortex XDR

Palo Alto Networks Cortex XDR is a detection and response app that natively integrates network, endpoint, and cloud data to detect threats and stop sophisticated attacks.

Asset Types Fetched

  • Devices, Vulnerabilities, Users, Software, Roles, Groups, SaaS Applications, Alerts/Incidents

Before You Begin

Ports

  • TCP port 80/443

Authentication Method

  • API Key ID / API Key

APIs

Axonius uses the Cortex XDR APIs.

For details on generating an Advanced Security Level API, see Get Started with Cortex XDR APIs.

Permissions

The value supplied in API Key must be associated with credentials that have permissions for the following in order to fetch assets:

Assets:
  • Network config - View
  • Compliance - View
  • Asset Inventory - View

Endpoint:
  • Endpoint Admin - View (View/Edit for EC)
  • Device Control - View (View/Edit for EC)

Note

To fetch assets from XDR version 4.x and above, or the XSIAM product, you must have the Endpoint Admin - Agent Administrations permission.

Incident Response:
  • Investigations: Query Center - View
  • Personal Query Library - View
  • Host Insights - View

Connecting the Adapter in Axonius

To connect the adapter in Axonius, provide the following parameters:

Required Parameters

  1. Cortex XDR Domain - The hostname of the Palo Alto Networks Cortex XDR API server. Example: api-CUSTOMER.xdr.us.paloaltonetworks.com
  2. API Key ID and API Key - Specify the API key and the API key ID of an Advanced Security Level API key, as generated in the Cortex XDR app. A Standard security level API key will not work; this integration requires an Advanced Security Level API key. For more details on generating an Advanced Security Level API key, see Get Started with Cortex XDR APIs.
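As an added example (not Axonius or Palo Alto Networks code), the following shows why the key level matters when you troubleshoot a connection: with a Standard key the raw secret travels in the Authorization header, while with an Advanced Security Level key only a SHA-256 over key, nonce and timestamp is sent, following the header scheme documented for the Cortex XDR public API. The key ID, key and domain values are constructed placeholders, and the endpoint path is an assumption.

```python
import hashlib
import secrets
import string
import time

# Constructed placeholders; the real values come from the Cortex XDR app.
API_KEY_ID = "12"
API_KEY = "CONSTRUCTED_ADVANCED_KEY_REPLACE_ME"


def advanced_digest(api_key, nonce, timestamp_ms):
    """SHA-256 over key + nonce + timestamp, as the Advanced key scheme expects."""
    return hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()


def build_auth_headers(api_key_id, api_key, advanced=True, nonce=None, timestamp_ms=None):
    """Return the HTTP headers for a Cortex XDR API request.

    Standard key: the raw key is the Authorization header value.
    Advanced key: the key itself never leaves the client; Authorization carries
    the digest, and the nonce and timestamp are sent so the server can recompute
    it and reject replays of a captured request.
    """
    if not advanced:
        return {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key}
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": advanced_digest(api_key, nonce, timestamp_ms),
    }


def api_url(domain, path="/public_api/v1/endpoints/get_endpoint/"):
    """Build the request URL from the 'Cortex XDR Domain' value (hostname only).

    The path is an assumed example endpoint, not something the page specifies."""
    if domain.startswith("https://"):
        domain = domain[len("https://"):]
    return f"https://{domain.rstrip('/')}{path}"


def key_is_exposed(headers, api_key):
    """True when the raw key would be sent over the wire (the Standard-key case)."""
    return any(api_key in value for value in headers.values())
```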

Optional Parameters

  1. URL Base Path - Specify the fully qualified domain name (FQDN). For more details, see Get Started with Cortex XDR APIs.
  2. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
  3. HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

Note

Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

  1. Fetch policies - Select whether to fetch policies.
  2. Do not fetch devices with disconnected status - Select to not fetch devices that have the 'Disconnected' status.
  3. Fetch software information - Select whether to fetch information about installed software.
  4. Fetch daemon information - Select this option to fetch daemon information for each device.
  5. Fetch DNS information - Toggle on this option to enrich devices with DNS query information. When you toggle on this option, two additional options are available:
    • XQL timeframe for DNS records (optional) - Specify the XQL timeframe for the DNS records query.
    • XQL filter for DNS records - Specify the XQL filter that selects which DNS records are included.
  6. Fetch vulnerability information - Select this option to fetch vulnerability information for devices.
  7. Fetch device users information - Select this option to fetch a list of users per device.
  8. Fetch device serial number - Select this option to fetch the device serial number.
  9. Fetch manual protection pause - Select this option to fetch the manual protection pause field.
  10. Use Cortex XDR in Agent Versions Name - Select this option to use Cortex XDR in the Agent Versions Name.
  11. Fetch Incidents and Alerts - Select this option to fetch incidents and alerts.
  12. Fetch XDRC Devices - Select this option to fetch XDRC devices using the following XQL query:
    config timeframe=1d
    | dataset = collectoragents
    | filter (Status = """Connected""")
    | fields *
  13. Fetch listening ports - Select this option to fetch listening ports.

Note

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.

Related Enforcement Actions