Ingest Alerts and Assets from PAN IoT Security - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex

Ingest Alerts and Assets from PAN IoT Security - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-03-27

Last date published

2023-03-27

Note

Ingesting alerts and assets from PAN IoT Security requires a Cortex XDR Pro per TB license.

The Palo Alto Networks IoT Security solution discovers unmanaged devices, detects behavioral anomalies, recommends policy based on risk, and automates enforcement without the need for additional sensors or infrastructure. The Cortex XDR - PAN IoT Security integration enables you to ingest alerts and device information from your PAN IoT Security instance.

To receive data, configure the Collection Integrations settings in Cortex XDR for the PAN IoT Security data collector in Settings → Configurations → Data Collection → Collection Integrations.

As soon as data collection begins, Cortex XDR displays the PAN IoT Security alerts in the Cortex XDR Alerts table and groups them into Incidents. The PAN IoT Security alerts are updated every 15 minutes. PAN IoT security alerts which were resolved before the integration aren’t added to the Cortex XDR table. Cortex XDR adds device activities detected by PAN IoT Security into the Cortex XDRCortex XDR Assets table. Device activities are updated every five minutes.

Cortex XDR automatically creates a new dataset for device activities (panw_iot_security_devices_raw) and a new dataset for alerts (panw_iot_security_alerts_raw), which you can use to initiate XQL Search queries and create Correlation Rules.

Before you configure the PAN IoT Security Collector, generate an access key and a key ID for the integration.

Log in to the PAN IoT Security portal and click your user name.
Select Preferences.
In the User Role & Access section, Create an API Access Key.
Download and save the access key and key ID in a secure location.

For more information about the PAN IoT Secuity API, see Get Started with the IoT Security API.

Configure the PAN IoT Security alerts and assets collection in Cortex XDR.

Select Settings → Configurations → Data Collection → Collection Integrations.
In the PAN IoT Security Collector configuration, click Add Instance to begin a new configuration.
Specify the following parameters.
- Customer ID—Tenant domain part of the FQDN used for your PAN IoT Security account. For example, in yourcorp.iot.paloaltonetworks.com, the customer ID is yourcorp. The customer ID is unique and case sensitive. After you save the integration instance, you can't edit the Customer ID.
- Access Key and Key ID previously generated for the integration.
- Integration Scope—Select at least one of the two values, Alerts and Devices depending on which information you want to ingest.
Click Test to validate access, and then click Enable.
When events start to come in, a green check mark appears underneath the PAN IoT Security Collector configuration with the data and time that the data was last synced.
(Optional) Manage your PAN IOT Security Collector.
After you enable the PAN IOT Security Collector, you can make additional changes as needed. To modify a configuration, select any of the following options.
- Edit the PAN IOT Security Collector settings.
- Disable the PAN IOT Security Collector.
- Delete the PAN IOT Security Collector.
After Cortex XDR begins receiving data from PAN IOT Security, you can use the XQL Search to search for logs in the new datasets, panw_iot_security_devices_raw for device activities, and panw_iot_security_alerts_raw for alerts.