Palo Alto Cortex XDR

What is Palo Alto Cortex XDR? #

Palo Alto Cortex XDR is an extended detection and response (XDR) platform that integrates data from multiple sources, including networks, cloud environments, applications, and endpoints. This allows for more effective threat hunting, faster incident response times, and an improved overall security posture.

Why Should You Use the Palo Alto Cortex XDR Connector? #

The Palo Alto Cortex XDR connector provides visibility into the assets and alerts in your environment. You can use this visibility to:

  • ensure assets are managed per your security policies

  • derive relationships between assets, users, applications, and data

How Does This Connector Work? #

Lucidum executes read-only requests to the Palo Alto Cortex XDR REST API and ingests only meta-data about Palo Alto Cortex XDR devices. Lucidum does not retrieve any data stored on your assets.

Configuring the Connector in Lucidum #

| Field | Description | Example |
|---|---|---|
| URL | The URL of the Palo Alto Cortex XDR API (the part after 'https://api-'). For details, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs | lucidum.xdr.us.paloaltonetworks.com |
| API Key | API key for a Palo Alto Cortex XDR account. The API key must be of type Advanced and have the permissions/role specified in the sections below. For details, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs | |
| Time Frame | The look-back time frame, in days. The default is to look back 10 days. | 10 |
| API Key ID | The ID of the API key for a Palo Alto Cortex XDR account. The key must be of type Advanced and have the permissions/role specified in the sections below. For details, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs | |
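As an added illustration (not Lucidum's or Palo Alto's own code), the Python below shows how the four connector fields combine into one read-only request: the API host is rebuilt from the 'after https://api-' fragment, the Advanced key is turned into the nonce/timestamp/SHA-256 header set described in the linked Get Started guide, and the time frame becomes a look-back filter in epoch milliseconds. The endpoint path and the last_seen filter field are assumptions, and all credential values are placeholders.

```python
import hashlib
import secrets
import time
from datetime import datetime, timedelta, timezone

# Connector settings as entered in the Lucidum form (constructed sample values).
URL_SUFFIX = "lucidum.xdr.us.paloaltonetworks.com"  # the part after "https://api-"
API_KEY_ID = "12"                                    # placeholder key ID
API_KEY = "EXAMPLE_ADVANCED_API_KEY"                 # placeholder Advanced key
TIME_FRAME_DAYS = 10


def api_base_url(url_suffix: str) -> str:
    """Rebuild the full API host from the 'after https://api-' fragment,
    tolerating a value pasted with the scheme or prefix already present."""
    suffix = url_suffix.strip()
    for prefix in ("https://", "api-"):
        if suffix.startswith(prefix):
            suffix = suffix[len(prefix):]
    return "https://api-" + suffix.rstrip("/")


def advanced_key_headers(api_key: str, api_key_id: str, nonce: str, timestamp_ms: int) -> dict:
    """Advanced-key headers (Get Started with APIs guide): the key itself is never
    sent; Authorization carries SHA-256(api_key + nonce + timestamp) per request."""
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": api_key_id,
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def lookback_start_ms(days: int, now=None) -> int:
    """Start of the look-back window as epoch milliseconds (the API's time unit)."""
    now = now or datetime.now(timezone.utc)
    return int((now - timedelta(days=days)).timestamp() * 1000)


def build_request(now=None) -> dict:
    """One read-only asset query; endpoint path and 'last_seen' filter are assumptions."""
    nonce = secrets.token_hex(32)  # fresh 64-character nonce per request
    ts = int(time.time() * 1000)
    return {
        "method": "POST",
        "url": api_base_url(URL_SUFFIX) + "/public_api/v1/endpoints/get_endpoint/",
        "headers": advanced_key_headers(API_KEY, API_KEY_ID, nonce, ts),
        "json": {"request_data": {"filters": [
            {"field": "last_seen", "operator": "gte", "value": lookback_start_ms(TIME_FRAME_DAYS, now)}]}},
    }
```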

Source Documentation #

Creating Credentials #

To generate an API Key:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs

Required Permissions #

The Viewer role and the Privileged Responder role include the required permissions. You can also create a custom role.

| Component | Permissions |
|---|---|
| Assets > Asset Inventory | View |
| Assets > Compliance | View |
| Assets > Network Config | View |
| Endpoint > Device Control | View |
| Endpoint > Endpoint Admin | View |
| Incident Response > Host Insights | View |
| Incident Response > Investigations | View |
| Incident Response > Personal Query Library | View |
| Incident Response > Query Center | View |

API Documentation #

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Preface