Palo Alto Cortex XDR
This combined document covers enabling both the Dropzone AI Data Source and the Alert Source for Palo Alto Cortex XDR.
The Dropzone AI Platform integrates with Palo Alto Cortex XDR to monitor endpoints, gather data from cloud, network and identity sources, and analyze alerts.
Create an API Key
Palo Alto Cortex XDR requires an API key for this integration. You will need access to a Cortex XDR user account with either an Admin role or permissions sufficient to create API keys and assign them a role. If you don't have the necessary permissions, contact your Cortex XDR administrator for assistance.
To obtain an API key, do the following:
As an Admin, log in to your Palo Alto Cortex XDR instance.
In the bottom left corner, navigate to Settings > Configurations.
In the search bar, enter "API Keys," then click "API Keys."
In the upper right, click "+ New Key."
Under "Role," assign the API key the Privileged Investigator role. The key inherits every permission of that role, so treat it as a privileged credential: create a dedicated key for Dropzone AI rather than reusing one issued to another tool.
Under "Comment," give the API key a memorable name, such as "Dropzone AI."
Select your desired Security Level: Advanced or Standard. A Standard key is sent as-is in the request header; an Advanced key requires the client to sign every request with a per-request nonce and timestamp.
If you wish to assign the key an expiration date, check the box labeled "Enable Expiration Date" and enter the date. If you set one, plan to rotate the key before it expires, since an expired key stops ingestion.
In the bottom left corner, click "Generate."
Copy the API key shown, for use later in the Dropzone UI where it is called "API Key." The key is displayed only once; if you lose it, generate a new key.
In the API Keys table, locate the ID number for the newly generated API key. Copy it for use later in the Dropzone UI where it is called "API Key ID."
In the top right corner, click "Copy API URL."
Save the URL for use later in the Dropzone UI where it is called "API FQDN."
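Before entering the three values into Dropzone, it is worth confirming that the API FQDN, API Key ID and API Key work together and that the key's role can actually read incidents. The script below is an added example, not code from Dropzone AI or Palo Alto Networks. It follows the Cortex XDR public API conventions (the x-xdr-auth-id header, SHA-256 signing over key + nonce + timestamp for Advanced keys, the incidents/get_incidents endpoint); the tenant URL, key ID and key at the top are constructed placeholders to replace with your own.

```python
"""Pre-flight check for a Cortex XDR API key before entering it in Dropzone AI.

Builds the headers the Cortex XDR public API expects for a Standard key and
for an Advanced key, then calls get_incidents with a one-result query.
A 401 means the key, key ID or security level is wrong; a 403 means the
key's role cannot read incidents.
"""
import hashlib
import json
import secrets
import time
import urllib.error
import urllib.request

# Constructed placeholders for a stand-alone run; substitute your own values.
EXAMPLE_FQDN = "api-mycompany.xdr.us.paloaltonetworks.com"  # assumed tenant URL
EXAMPLE_KEY_ID = "7"
EXAMPLE_KEY = "REPLACE_WITH_THE_KEY_SHOWN_AT_GENERATION"


def advanced_signature(api_key, nonce, timestamp_ms):
    """Advanced keys never send the raw key: Authorization is
    SHA-256(api_key + nonce + timestamp), computed per request."""
    return hashlib.sha256((api_key + nonce + timestamp_ms).encode("utf-8")).hexdigest()


def build_headers(api_key_id, api_key, security_level="standard", nonce=None, timestamp_ms=None):
    """Return the authentication headers for the chosen key security level."""
    headers = {"x-xdr-auth-id": str(api_key_id), "Content-Type": "application/json"}
    level = security_level.lower()
    if level == "standard":
        headers["Authorization"] = api_key
    elif level == "advanced":
        nonce = nonce or secrets.token_hex(32)  # 64 random hex characters per request
        timestamp_ms = timestamp_ms or str(int(time.time() * 1000))
        headers["x-xdr-nonce"] = nonce
        headers["x-xdr-timestamp"] = timestamp_ms
        headers["Authorization"] = advanced_signature(api_key, nonce, timestamp_ms)
    else:
        raise ValueError("security_level must be 'standard' or 'advanced'")
    return headers


def api_base(api_fqdn):
    """Accept either the bare FQDN or the full URL copied from the console."""
    value = api_fqdn.strip().rstrip("/")
    if not value.startswith("https://"):
        value = "https://" + value
    return value


def check_key(api_fqdn, api_key_id, api_key, security_level="standard", timeout=15):
    """Return (ok, message). Only this function touches the network."""
    url = api_base(api_fqdn) + "/public_api/v1/incidents/get_incidents"
    body = json.dumps({"request_data": {"search_from": 0, "search_to": 1}}).encode("utf-8")
    request = urllib.request.Request(
        url, data=body, method="POST",
        headers=build_headers(api_key_id, api_key, security_level))
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            reply = json.load(response).get("reply", {})
    except urllib.error.HTTPError as err:
        hint = {401: "bad key, key ID or security level",
                403: "role lacks permission to read incidents"}.get(err.code, "")
        return False, "HTTP %d %s %s" % (err.code, err.reason, hint)
    except (urllib.error.URLError, OSError) as err:
        return False, "connection failed: %s" % err
    return True, "ok: %s incidents visible to this key" % reply.get("total_count", "?")


if __name__ == "__main__":
    ok, message = check_key(EXAMPLE_FQDN, EXAMPLE_KEY_ID, EXAMPLE_KEY, "standard")
    print(("PASS " if ok else "FAIL ") + message)
```

Run it with the security level you selected at generation time; if a Standard-built request returns 401 against an Advanced key (or vice versa), the level, not the key, is the problem.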
Enable the Dropzone Data Source Integration
To enable the Data Source integration, you will need the following information:
API FQDN
The API URL you copied earlier
API Key ID
The API key ID value you copied earlier
API Key
The API key value you generated earlier
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app.
In the bottom left corner, navigate to Settings > Integrations.
Click "Available."
In the search bar, search for Palo Alto Cortex XDR, then click "Configure."
Under the Data Source heading, enter the API FQDN, API Key ID, and API Key.
Click "Test & Save" to finish.
If you have any errors, engage your Dropzone AI support representative.
Enable the Dropzone Alert Source Integration
To enable the Alert Source integration, you will need the following information:
API FQDN
The API URL you copied earlier
API Key ID
The API key ID value you copied earlier
API Key
The API key value you generated earlier
Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app.
In the bottom left corner, navigate to Settings > Integrations.
Click "Available."
In the search bar, search for Palo Alto Cortex XDR, then click "Configure."
Under the Alert Source heading, enter the API FQDN, API Key ID, and API Key.
Select your desired log ingestion delay (in minutes).
Under "Enabled Incident Types," choose whether to ingest alerts and/or incidents from Cortex XDR.
Under "Enabled Severities," select the severity levels for which you want Dropzone to investigate alerts.
Enter your desired poll interval (how often Dropzone queries Cortex XDR for new alerts) and lookback (how far back in time the initial query reaches).
Click "Test & Save" to finish.
If you have any errors, engage your Dropzone AI support representative.