API keys are used to manage and secure API interactions. An API key is essentially a unique string of alphanumeric characters that acts as a credential, allowing a specific user or application to access and interact with a particular API. When you request data or perform an action through an API call, you must include this API key in the header. Cortex XSIAM then verifies the key's authenticity and, if valid, grants the requested access.
Select Settings → Configurations → Integrations → API Keys → New Key.
In the Role tab, perform for the following:
Under Security Level, select the type of API Key you want to generate: Advanced or Standard. The Advanced API key hashes the key using a nonce, a random string, and a timestamp to prevent replay attacks. cURL does not support this but it is suitable with scripts.
Under Role, select the desired level of access for this key. You can select from predefined roles or custom roles. Roles are available according to what was defined in either the Cortex Gateway or Cortex XSIAM Access Management. You can view the configuration of the role selected by expanding the sections under Components. For more information, see Assign user roles and groups.
(Optional) Under Comment, provide a comment that describes the purpose of the API key.
(Optional) If you want to define a time limit on the API key authentication, select Enable Expiration Date, and select the expiration date and time. You can track the expiration date of each API key in the API Keys page. In addition, Cortex XSIAM displays a API Key Expiration notification in the Notification Center one week and one day prior to the defined expiration date.
(Optional) To configure and manage granular scoping for Scope-Based Access Control (SBAC), click the Scope tab, and under Scope Definition, expand the scoping areas that you want to grant the user role access to for this API by clicking the chevron icon (>) beside the scoping area title. The following table explains the options available to configure:
Important
Before configuring, ensure that you review Understand scoping in the Manage user scope section.
Scoping Area
Granular Scoping Configurations
Assets
Set the Scope by selecting one of the following:
No assets: No asset is accessible.
All assets: Defines access to all assets.
Select asset groups: Defines access to the specific assets associated with the Asset Groups selected, and to view all their related cases, issues, and findings for these specific assets and Asset Groups. Under Select asset groups, define the specific asset groups that you want to grant access. Only Asset Groups relevant for scoping are listed, which are asset groups that are using only the asset attributes listed in Manage user scope (under Understand scoping → Scoping Areas → Assets).
The scoping of assets also affects the scoping of cases, issues, and findings.
Note
Visibility of Security domain Issues that refer to assets with agents is controlled by the Endpoints scoping configuration.
Cases and Issues
Set the Scope by selecting one of the following:
No cases and issues: Defines access to no cases and issues.
All cases and issues: Defines access to all cases and issues. Users can view cases or issues referencing assets within their scope. Use the Assets section to define which assets are in scope.
Select domains: Defines access to the domains selected to view their related cases and issues. Under Select domains, define the specific domains that you want to grant access.
Users can only view cases or issues referencing assets and endpoints within their scope. Use the Assets section to define which assets are in scope.
When selecting All cases and issues or Select domains, you can separately configure access to issues and cases that lack an asset reference or where the referenced asset is not in All Assets and All Endpoints inventories. To provide access, select the Allow access to cases and issues that are not referencing known assets or endpoints checkbox. Once selected, you can specifically control which users have access to issues and cases that lack Affected Assets (as seen in the issue’s panel) and Assets (as seen in the case's panel), or where the listed assets are not part of the Asset or Endpoint inventories. When the assets listed are not part of the inventories, the asset string is typically non-clickable. In some cases, such as for identity-related issues, assets may open a dedicated User Risk View, which differs from the standard inventories panels. In the Issues and Cases tables, such items can be identified by empty values in the following columns: Asset IDs, Target Agent Identifier, and Source Agent Identifier.
Endpoints
Set the Scope by selecting one of the following:
No endpoints: Defines access to no endpoints with no ability to view their related agent management and enterprise policies.
All endpoints: Defines access to all endpoints with the ability to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.
Select specific (at least one required): Defines specific access to all endpoint groups by selecting Endpoint Groups or all endpoint tags by selecting Endpoint Tags to view their related agent management and enterprise policies. This configuration can impact the visibility of related Security domain Cases and Issues, but will not affect asset visibility.
Datasets Rows
Configure a
filterto define the specific subset of rows a user is allowed to access in each raw dataset. A raw dataset is every dataset where Palo Alto Networks data is ingested out-of-the-box or third-party data is ingested using a configured dedicated collector, also called a data source. This filter configuration does not impact the visibility of cases and issues.Follow these steps to configure a
filter:For datasets where no
filteris defined, determine how to set the When no filter is defined option as either:No rows are accessible (default): Without a configured
filter, no rows are accessible. Users can query the datasets in Cortex Query Language (XQL) as they have access, but the results will be empty.All rows are accessible: Without a configured
filter, all rows are accessible. Users can query the datasets in Cortex Query Language (XQL) as they have access, and view all results.
Note
When defining a filter for row-level scoping on raw datasets, queries based on the Cortex Data Model (XDM) are not supported. XDM queries return specific rows only when All rows are accessible is selected and no filter is defined in the Datasets Rows scoping area. Otherwise, no rows are returned.
Define any filters for the applicable datasets listed in the table:
Scroll down the list of datasets to the dataset you want to apply a
filteron, and click the Edit Scope icon.In the Define what rows are accessible window, continue to write the query for the
filterin the query box (where the syntax is a limited subset of XQL) to limit the data rows for the selected dataset according to the access permissions you want the user to have. The beginning of the query is already defined before the query box, and there is no need to include this in your query.Important
For optimal performance, we recommend using a single field in the
filterdefinition and simple comparison operators.Fields
You can define the rest of the
filterin the query box, where only the following system fields are supported:_broker_device_id,_broker_device_ip,_broker_device_name,_collector_id,_collector_ip,_collector_name,_collector_type,_device_id,_final_reporting_device_ip,_final_reporting_device_name,_log_type,_product,_scope,_reporting_device_ip,_reporting_device_name, and_vendor.For more information on these fields, see the table that describes all the fields in the
metrics_sourcedataset andmetrics_viewpreset in Overview of data ingestion metrics. For more information on the_scopefield (relevant when_scopeis defined in the Parsing Rule), see [Scenario 3: Supported fields don't provide the necessary segmentation] in Scenarios related to Datasets Rows scoping.Manage user scopeComparison operators
The following comparison operators are supported:
Exact matches (
=,!=)Comparing numerical values (
>,<,>=,<=)Checking membership in lists (
in)Querying arrays (
array_contains)Partial matches (
contains,starts_with): Using this operator has additional performance overhead, and we recommend avoiding its use.
Example 1.If you only want a user to be able to access rows in the
pan_dds_rawdataset, when the_collector_nameisbu2_collector, you'd have to define thefilterin the query box as:_collector_name = “bu2_collector”
(Optional) Set the Time frame for the query. The default is Last 1 day.
(Optional) You can preview the query results displayed based on your defined query by clicking Preview. You can edit your query until you're satisfied with the output. By default, the query results are limited to 1000 records.
When you are finished, click Done.
The Scope field for the dataset that you added the filter on is updated with the query.
Example 2.In the above example, the Scope field displays
_collector_name = “bu2_collector”.
Important
By default, Enable Scope Based Access Control is disabled in Settings → Configurations → General → Server Settings, and granular scoping is not enforced. Before enabling SBAC, we recommend that an administrator or a user with Access Management permissions first ensures that the users, user groups, and API Keys defined in Cortex XSIAM are granted the required access by assigning the relevant scopes. For more information, see Manage user scope.
Click Generate to generate the API key.
Copy the generated API key and click Done.
Important
You will not be able to view the API key again after you complete this step. Ensure that you copy the API key before closing the notification.
Below are some of the main pivot (right-click) options for actions available on each API key listed in the API Keys table. Only tasks that need further explanation are explained below.
Action | Description |
|---|---|
View Examples | Copies the Python 3 example, so you can edit it to set up your own API calls. |
Copy text to clipboard / Copy entire row | Copies the value of an API setting, such as the ID, to the clipboard by right-clicking the setting and selecting Copy text to clipboard. You can copy all the settings of an API key by right-clicking and selecting Copy entire row. |
Filter API keys | Filters the API keys by selecting one of the filter options, such as Show rows 30 days prior to.... You can then adjust the filter options to filter the API keys according to all the available fields. |