Palo Alto - Cortex Integration
The CyberCyte portal can integrate with Palo Alto for further analysis and investigations. To integrate, please follow these steps:
Please navigate to "Settings & Reporting" -> "Integration Settings" -> "Credential Settings". Click on the "+ Credential" button to create a new credential and select "Palo Alto Cortex API Credential" as the "Credential Type". The Client ID, Client Secret and Base URL must be provided by the user; they are unique to each tenant and can be obtained from the Palo Alto platform.
Please navigate to "Settings & Reporting" -> "Integration Settings" -> "Integration Management". Click on the "+Integration" button to create a new integration, select "Palo Alto Cortex XDR" as the Type and fill in the remaining fields as shown below. The "Credential" field is explained in the previous step. Please enable the integration and edit the sync interval; by default we recommend 15 minutes.
Please navigate to "Rules & Policies" -> "Policy Management" and click on the "+ Policy" button. Please select the module named "Asset" and the type named "Palo Alto Cortex XDR Health Analysis Policy". After the selection, the required fields will appear. Please fill in the blanks with the required values; a demonstration is provided below:
If the XDR agent is not running on a user's device, CyberCyte can detect that and install the agent or attempt to repair it. Users can define a custom installation command for these actions.
Users can also enable EDR, DLP and the host firewall on the Palo Alto HyperVisor. The HyperVisor integration is explained on the next page.
The results can be observed under "Threat Hunting" -> "Analysis & Investigation" -> "Threat Analytics" -> "Palo Alto Cortex XDR Alerts / Incidents".
Additionally, navigate to "Threat Hunting" -> "Assets" -> "Palo Alto Cortex XDR Analysis" to analyze the Palo Alto Cortex XDR events on the CyberCyte portal.