Palo Alto Cortex XDR

Strengthen your endpoint security with JupiterOne's Palo Alto Cortex XDR integration. Our guide offers detailed instructions on setting up the integration and utilizing its comprehensive data model to gain visibility into your device and endpoint security data. Learn how the integration can help you detect potential security threats and streamline your security operations.

Installation

You will need to create an API key on the Palo Alto Cortex XDR platform and obtain the "API Key ID" and "URL". See their documentation for more information.

To install the Palo Alto Cortex XDR integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Palo Alto Cortex XDR. Click New Instance to begin configuring the integration.

Creating a Palo Alto Cortex XDR instance requires the following:

  • The Account Name used to identify the Palo Alto Cortex XDR account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your Cortex XDR URL, API Key, and API Key Id.

To obtain these values from Cortex XDR:

1) Navigate to your Cortex XDR Gateway and sign in.
2) Choose the tenant you want to ingest.
3) On the bottom left of the screen, open Settings > Configurations.
4) Navigate to API Keys.
5) Create a new API Key. Select security level Standard and the appropriate role:

  • To ingest Users, User Groups and Roles, you must use the Instance Administrator role.
  • Otherwise, the Viewer role is enough.

6) Once the API Key is created, copy the code. On the table, the API Key Id should be visible and at the top right the XDR URL is available.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.