About this document
This document provides step-by-step instructions for configuring the PAN Cortex XDR integration in SAFE.
Introduction
This integration allows you to pull EDR findings from Cortex XDR, contributing to Likelihood calculations. SAFE Admins can configure this integration from the "PAN Cortex XDR" card available on the Integrations page.
Prerequisites
To configure this integration, you must have one of the following Cortex XDR licenses:
Cortex XDR Prevent
Cortex XDR Pro per Endpoint
Cortex XDR Pro per GB
Note: Assets must already be onboarded and actively assessed within Cortex XDR.
User Permissions
You’ll need access to a Cortex XDR user account with either:
Admin role, or
Sufficient permissions to generate read-only API keys
If you don’t have the necessary permissions, please get in touch with your Cortex XDR administrator for assistance.
Generate connection details
To integrate SAFE with PAN Cortex XDR, three details are needed:
Cortex XDR API URL
API Key ID
API Key value
Follow the steps below to generate these details.
Before You Begin:
API credentials must be generated for a Cortex XDR user. You can either:
Use an existing generic Cortex XDR portal user (or create a new one) dedicated to SAFE, or
Use your own user account to generate the required credentials.
A dedicated user is preferable, since the key's lifecycle is then independent of any individual's account.
Once you are logged in to the Cortex XDR portal, proceed as follows.
Log in to the Cortex XDR portal.
From the bottom left user profile menu, go to Settings > Configurations.
Scroll down to the API Keys configuration and click it.
Click the + New Key button.
Choose Security level as Advanced and Role as Viewer from the drop-down. Viewer is a read-only role, which is all SAFE needs to pull endpoints and alerts; do not grant an administrative role to this key. An Advanced key is not sent as a plain bearer token: each request carries a nonce and timestamp, and the key is hashed together with them, so a captured request cannot be replayed indefinitely.
Click the Generate button.
Copy the API key displayed on the screen. The key value is shown only once; store it in a secrets manager rather than in a ticket or chat, and generate a new key if it is lost.
On the next screen, copy the ID of the key you just created, and copy the API URL from the button at the top right.
Configure PAN Cortex XDR in SAFE
Follow the steps below to configure PAN Cortex XDR in SAFE:
Go to the Integrations page and click the "PAN Cortex XDR" card.
Click the Configure button.
Enter the connection details generated above:
Cortex XDR API URL
API Key ID
API Key value
(Optional) Use the Tags field to filter and pull only a specific subset of assets from Cortex XDR.
Enter tags as a comma-separated list.
Example: myCloudAssetsTag1, myIoTAssetsTag2, Tag3
(Optional) Uncheck the Update Existing Assets Metadata checkbox if you do not want SAFE to overwrite existing asset metadata (such as asset names) with data from Cortex XDR.
(Optional) Check the Auto Onboard New Assets checkbox if you want SAFE to automatically onboard new assets from Cortex XDR that aren't already present in SAFE.
Uncheck this option to limit the integration to pulling findings only for existing assets in SAFE.
Click the Test Connection button to validate the integration settings.
Once the connection is successfully validated, click the Save button.
After saving the configuration, click the Sync Now button to initiate an immediate sync (outside of the scheduled auto-sync cycle).
Support for endpoint tags from Cortex XDR
Go to Settings > Custom Fields in your SAFE instance.
Create a new custom field with the exact name:
cortexXdr-tags
After the next sync, SAFE will automatically populate this field with endpoint tag values from Cortex XDR.
The custom field name must exactly match cortexXdr-tags for the tags to be ingested correctly.
View Result
To view the assets and the assessment result:
The PAN Cortex XDR integration page displays the Finding View and Asset View.
The Finding view will contain all the findings pulled from PAN Cortex XDR.
Asset view will list all the assets pulled/updated from PAN Cortex XDR.
Alternatively, you can navigate to Technology and filter the asset list to finding source equals PAN Cortex XDR and Onboarding source equals security.safe.cortex.xdr.
FAQs
What exact data is pulled from Cortex XDR into SAFE?
SAFE pulls in “endpoints” and their “Alerts” from PAN Cortex XDR into SAFE.
Is there any filter applied to data pulled from Cortex XDR?
Yes. Two filters are applied to Alerts pulled from Cortex XDR:
The Resolution status of the alert must be "New" or "Under Investigation".
The alert source must be "XDR BIOC" or "XDR IOC".
I marked an Alert as resolved in Cortex XDR, but still see that alert in SAFE. Why?
SAFE's PAN Cortex XDR integration runs two types of sync:
Full Sync: A full refresh of the data imported from Cortex XDR. New findings are added, and findings whose alerts have since been resolved are removed from SAFE. This sync runs once every 7 days.
Incremental Sync: Pulls only the changes from Cortex XDR since the last incremental or full sync. Incremental syncs run on the Auto Sync schedule provided, if the scheduled interval is less than 7 days.
Therefore, an alert resolved in Cortex XDR is removed from SAFE only after the next full sync.
How do I know which type of sync is running or was last run?
The type of sync is always shown in the integration stats card.