Palo Alto Networks Cortex XDR Integration

Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.

Palo Alto Networks Cortex XDR is an Extended Detection and Response (XDR) solution that includes an Endpoint Detection and Response (EDR) offering. Leveraging Palo Alto Networks EDR alerts enables you to query security detections of observables including IP addresses, process names, file names, file paths, MD5 hashes, SHA-256 hashes, registry keys, hostnames, and Cortex agent IDs. Enabling this integration also provides a target in Cisco XDR automation for automated workflows.

Note: Integration with Cortex XDR requires a Cortex XDR Pro per endpoint license.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Third-Party tab and navigate to the Palo Alto Networks Cortex Cloud integration.

  3. Click the plus sign (+) in the lower-right corner of the card. The Palo Alto Networks Cortex Cloud integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Palo Alto Networks Cortex XDR integration in Cisco XDR.

You can perform the following tasks after you integrate Palo Alto Networks Cortex XDR with Cisco XDR:

  • Investigations - Start a new investigation into any combination of IP addresses, process names, file names, file paths, MD5 hashes, SHA-256 hashes, registry keys, hostnames, and Cortex agent IDs, and the results will include any records of them found in your Palo Alto Networks Cortex XDR. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Palo Alto Networks Cortex XDR has recent information. For details, see Investigate.

  • Pivot Menu - Use the Pivot menu to access actions in Palo Alto Networks Cortex XDR. Available actions include adding files to blocklists, quarantining or unquarantining endpoints, performing malware scans on endpoints. You can also install Palo Alto Networks Cortex XDR workflows from the Automation Exchange to add more actions to the Pivot menu.

  • Assets - View assets as reported by Palo Alto Networks Cortex XDR. For more information, including how to filter the view to only the reports from Palo Alto Networks Cortex XDR, see Devices.

  • Automation:

    • Atomic Actions - The atomic actions for Palo Alto Networks Cortex XDR can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Palo Alto Networks Cortex XDR can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The Palo Alto Networks Cortex XDR target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses Palo Alto Networks Cortex XDR and is included in the Cisco Managed Incident Playbook can be used to contain incident: assets (devices), contain incident: file hashes, and validate eradicated hosts and unquarantine assets. See Containment and Recovery on the Response page.