
How to integrate a Palo Alto Networks account

Overview

To authenticate with Palo Alto Networks (Cortex XDR/XSOAR), you will need the following information:

  • API Base URL (your Cortex instance URL)
  • API Key ID
  • API Key (secret)

Palo Alto Networks uses API key-based authentication for REST API access.

Step 1: Login to Cortex XDR Console

  1. Sign in to your Cortex XDR console at https://<your-instance>.xdr.paloaltonetworks.com
  2. Ensure you have an account with the Administrator or API Administrator role

Step 2: Navigate to API Keys Management

  1. In the Cortex XDR console, go to Settings → Configurations
  2. Select Integrations → API Keys
  3. Click + New Key to create a new API key

Step 3: Create an API Key

  1. Click + New Key

  2. Fill in the following details:

    • API Key Name: Enter a descriptive name (e.g., "Unizo Integration")
    • Description: Add details about the integration purpose
    • Role: Select the appropriate security level
  3. Select the Security Level (Role):

    Available Roles:

    • Viewer: Read-only access to incidents, alerts, and endpoints
    • Responder: Can update incident status and run basic response actions
    • Investigator: Full investigation capabilities including advanced queries
    • Admin: Full administrative access

    Recommended for EDR/XDR Integration:

    • Minimum: Responder role
    • Full integration: Investigator role
  4. Set Expiration (optional):

    • Choose expiration period or set as non-expiring
    • For production, consider setting expiration and rotating regularly
  5. Click Generate

Step 4: Copy API Credentials

After generation, Palo Alto will display:

  1. API Key ID: A unique identifier for your key
  2. API Key: The secret key value

Important:

  • Copy both values immediately - the API Key is shown only once
  • Store them securely in a secrets manager
  • If lost, you must generate a new key pair

Step 5: Collect Required Values

You now have all the credentials needed for integration:

  1. API Base URL: Your Cortex XDR instance URL

    • Format: https://<instance>.xdr.paloaltonetworks.com
    • Regional examples:
      • US: https://api-<instance>.xdr.us.paloaltonetworks.com
      • EU: https://api-<instance>.xdr.eu.paloaltonetworks.com
      • UK: https://api-<instance>.xdr.uk.paloaltonetworks.com
      • JP: https://api-<instance>.xdr.jp.paloaltonetworks.com
  2. API Key ID: The ID from Step 4

  3. API Key: The secret key from Step 4
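
A pre-flight check for the three values collected above, given as an added example that is not part of the original page or of Palo Alto's or Unizo's code. The function names are hypothetical; the header names and the Standard/Advanced key distinction (which goes beyond what this page covers) follow Palo Alto's public Cortex XDR REST API documentation.

```python
import hashlib
import secrets
import time
from urllib.parse import urlsplit

ALLOWED_SUFFIX = ".paloaltonetworks.com"  # domain used by every URL format on this page


def normalize_base_url(raw: str) -> str:
    """Return https://<host> for a Cortex XDR base URL, or raise ValueError.

    Rejecting anything else keeps the API key from being sent to a look-alike host.
    """
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("base URL must use https")
    if parts.username or parts.password or parts.port:
        raise ValueError("base URL must not carry credentials or a port")
    if not host.endswith(ALLOWED_SUFFIX) or ".xdr." not in host:
        raise ValueError(f"unexpected host: {host!r}")
    return f"https://{host}"  # any pasted path or trailing slash is dropped


def auth_headers(key_id: str, api_key: str, advanced: bool = False) -> dict:
    """Build request headers. Standard keys send the key itself; Advanced keys
    send SHA-256(key + nonce + timestamp) instead of the key."""
    key_id, api_key = key_id.strip(), api_key.strip()
    if not key_id or not api_key:
        raise ValueError("API Key ID and API Key are both required")
    headers = {"x-xdr-auth-id": key_id, "Content-Type": "application/json"}
    if not advanced:
        headers["Authorization"] = api_key
        return headers
    nonce = secrets.token_hex(32)             # 64 random hex characters
    timestamp = str(int(time.time() * 1000))  # milliseconds since epoch
    digest = hashlib.sha256((api_key + nonce + timestamp).encode()).hexdigest()
    headers.update({"x-xdr-nonce": nonce, "x-xdr-timestamp": timestamp,
                    "Authorization": digest})
    return headers


if __name__ == "__main__":
    # Constructed sample values; in production read them from a secrets manager.
    print(normalize_base_url("https://api-acme.xdr.us.paloaltonetworks.com/"))
    print(sorted(auth_headers("12", "constructed-sample-key", advanced=True)))
```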