Palo Alto Networks Cortex XDR
Cyberwatch can list and monitor all assets protected by a Cortex EDR agent through Cortex XDR.
Prerequisites in Cortex XDR
Cortex XDR role for Cyberwatch
To manage permissions via its API, Cortex XDR uses roles that can be created in the Cortex XDR console from the menu Settings > Configurations > Access Management > Roles.
It is recommended to create a separate role dedicated to Cyberwatch with minimal permissions.
To monitor Cortex XDR agents, Cyberwatch requires the following permissions:
| Category | Permission | Level | Other |
|---|---|---|---|
| Endpoints | Endpoint Administrations | View | |
| Incident Response | Agent Scripts Library | View/Edit | Check Run High-Risk Script and Script Configurations |
Cortex XDR API Key
To communicate with Cortex XDR, Cyberwatch uses an API key that can be created in the Cortex XDR console from the menu Settings > Configurations > Integrations > API Keys. Cyberwatch supports both “Standard” and “Advanced” keys.
Monitoring Cortex XDR Agents from Cyberwatch
Configure your API access
Configure your credentials from Stored credentials in the side menu by clicking Add. In the form, select type Cortex XDR, then fill in:
- The API URL of Cortex XDR (e.g. https://api-example.xdr.fa.paloaltonetworks.com).
- The API key generated above, its ID, and its security level (standard or advanced).
Do not forget the api- part in the URL!
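To sanity-check the three values before saving them, the following added example (not Cyberwatch or Palo Alto code) validates the API URL and builds the request headers that a standard or an advanced key produces. The header names and the SHA-256 scheme follow Palo Alto's public Cortex XDR API documentation rather than this page; the function names and sample values are hypothetical.

```python
import hashlib
import secrets
import string
import time
from urllib.parse import urlparse


def check_api_url(url):
    """Return a list of problems with a Cortex XDR API URL (empty if it looks right)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("URL must use https")
    # The console hostname lacks the 'api-' prefix; the API hostname has it.
    if not (parsed.hostname or "").startswith("api-"):
        problems.append("hostname must start with 'api-'")
    return problems


def build_headers(key_id, api_key, level, nonce=None, timestamp_ms=None):
    """Build authentication headers for a 'standard' or 'advanced' API key."""
    if level == "standard":
        # Standard keys are sent as-is on every request.
        return {"x-xdr-auth-id": str(key_id), "Authorization": api_key}
    if level != "advanced":
        raise ValueError("level must be 'standard' or 'advanced'")
    # Advanced keys send SHA-256(key + nonce + timestamp) instead of the key.
    alphabet = string.ascii_letters + string.digits
    if nonce is None:
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {
        "x-xdr-auth-id": str(key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": hashlib.sha256(material).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_api_url("https://example.xdr.fa.paloaltonetworks.com"))
    print(build_headers(7, "CONSTRUCTED-KEY", "advanced"))
```

If the security level entered in the form does not match the key type created in the console, these headers will not match what the API expects.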
Create the discovery
- From Discoveries, click Add. Click Cortex XDR in the Local infrastructure category
- Enter the name of the scan
- Select optional groups that will be assigned to the scan
- Choose the source of the scan
- Using the Credentials selector, pick the Cortex XDR account registered in previous steps
- Select Cortex XDR Agent in Automatic registration if you want to automatically enroll discovered agents
- Choose a recurrence. The default value 0 days means the scan will be launched only once
- Click Confirm
Once created, the discovery starts immediately as a background task. You may check the state of the task at any time from Discoveries.
Newly monitored Cortex XDR agents are found in the agents menu.