Palo Alto Cortex XDR

Collect Palo Alto Cortex XDR alerts, incidents and investigations

The Palo Alto Cortex XDR connector allows you to integrate your threat detection and response data into OverSOC.

Overview

The Palo Alto Cortex XDR connector enables you to collect the following information:

  • Endpoint inventory
  • XDR alerts and incidents
  • Active investigations

Prerequisites

  • Access to Palo Alto Cortex XDR
  • API keys configured in Cortex XDR
  • Appropriate permissions for API access

Information to provide in OverSOC

Field         Description
API Key ID*   Cortex XDR API key ID
API Key*      Cortex XDR API key
API URL*      Cortex XDR API URL (e.g., https://api-{region}.xdr.paloaltonetworks.com)

Configuration

Generate Cortex XDR API keys

  1. Log in to your Palo Alto Cortex XDR console.
  2. Navigate to Settings > Configuration > API Keys.
  3. Click Create New API Key.
  4. Select the Advanced tab for more options.
  5. Assign a descriptive name (e.g., OverSOC Connector).
  6. Configure the required permissions:
    • Incident management: Read
    • Alert management: Read
    • Endpoint administration: Read
  7. Click Save and note the API Key ID and API Key.
  8. Also note the API URL corresponding to your region.

Configure the connector in OverSOC

  1. In OverSOC, go to Data Sources Settings > Sources.
  2. Select Palo Alto Cortex XDR and click Configure.
  3. Fill in the API Key ID, API Key, and API URL.
  4. Click Save Configuration.

Required Permissions

The API keys must have the following minimum permissions:

  • Incident management: Read incidents and alerts
  • Alert management: XDR alert access
  • Endpoint administration: Read endpoint inventory
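Before entering the key generated above into OverSOC, it is worth checking that the API Key ID, API Key and API URL work together and that the key really carries the Incident management: Read permission listed here. The following is an added Python example (not OverSOC's or Palo Alto's code): it builds the headers the Cortex XDR public API expects for a key created with the Advanced security level (SHA-256 over key, nonce and timestamp, following Palo Alto's published scheme, with a Standard-key fallback) and performs a one-incident read; the placeholder ID, key and URL are assumptions to replace with your own values.

```python
import hashlib
import json
import secrets
import string
import time
import urllib.error
import urllib.request

# Listing incidents needs "Incident management: Read", the first minimum permission.
INCIDENTS_PATH = "/public_api/v1/incidents/get_incidents/"

def sign_advanced_key(api_key, nonce, timestamp_ms):
    """Advanced-security-level signature: SHA-256 over api_key + nonce + timestamp."""
    return hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()

def build_auth_headers(api_key_id, api_key, advanced=True, nonce=None, timestamp_ms=None):
    """Auth headers for a console-generated key (ID plus key). An Advanced key never goes
    on the wire: the server recomputes the hash from nonce and timestamp, so a captured
    request stops working once the timestamp window passes. Standard keys go as-is."""
    headers = {"x-xdr-auth-id": str(api_key_id), "Content-Type": "application/json"}
    if not advanced:
        headers["Authorization"] = api_key
        return headers
    alphabet = string.ascii_letters + string.digits
    nonce = nonce or "".join(secrets.choice(alphabet) for _ in range(64))
    timestamp_ms = timestamp_ms or int(time.time()) * 1000
    headers["x-xdr-nonce"] = nonce
    headers["x-xdr-timestamp"] = str(timestamp_ms)
    headers["Authorization"] = sign_advanced_key(api_key, nonce, timestamp_ms)
    return headers

def incidents_url(api_url):
    """Join the regional API URL noted from the console with the incidents path."""
    if not api_url.startswith("https://api-"):
        raise ValueError("API URL must be the https://api-{region}... host from the console")
    return api_url.rstrip("/") + INCIDENTS_PATH

def check_incident_read(api_url, api_key_id, api_key, advanced=True):
    """True if the key can list incidents (HTTP 200); False on 401/403 (wrong key or
    missing read permission); other HTTP errors are raised for inspection."""
    body = json.dumps({"request_data": {"search_from": 0, "search_to": 1}}).encode()
    req = urllib.request.Request(incidents_url(api_url), data=body, method="POST",
                                 headers=build_auth_headers(api_key_id, api_key, advanced))
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise
```

Call `check_incident_read("https://api-<region>.xdr.paloaltonetworks.com", "<key id>", "<key>")` with the values noted from the console; a False result means the ID/key pair is wrong, the key was created at the other security level, or the Incident management: Read permission is missing.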