Ingest Alerts and Assets from IoT Security - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Ingest alerts and device data from IoT Security.

The Palo Alto Networks IoT Security solution discovers unmanaged devices, detects behavioral anomalies, recommends policy based on risk, and automates enforcement without the need for additional sensors or infrastructure. The Cortex XSIAM - IoT Security integration enables you to ingest alerts and device information from your IoT Security instance.

To receive data, configure the Data Sources settings in Cortex XSIAM for the IoT Security data collector in SettingsData Sources.

As soon as data collection begins, Cortex XSIAM displays the IoT Security alerts in the Cortex XSIAM Alerts table and groups them into Incidents. The IoT Security alerts are updated every 15 minutes. IoT security alerts which were resolved before the integration aren’t added to the Cortex XSIAM table. Cortex XSIAM adds device activities detected by IoT Security into the Cortex XDRCortex XSIAM Assets table. Device activities are updated every five minutes.

Cortex XSIAM automatically creates a new dataset for device activities (panw_iot_security_devices_raw) and a new dataset for alerts (panw_iot_security_alerts_raw), which you can use to initiate XQL Search queries and create Correlation Rules.

Before you configure the IoT Security Collector, generate an access key and a key ID for the integration.

  1. Log in to the PAN IoT Security portal and click your user name.

  2. Select Preferences.

  3. In the User Role & Access section, Create an API Access Key.

  4. Download and save the access key and key ID in a secure location.

For more information about the PAN IoT Secuity API, see Get Started with the IoT Security API.

Configure the IoT Security alerts and assets collection in Cortex XSIAM.

  1. Select SettingsConfigurationsData CollectionData Sources.

  2. In the IoT Security Collector configuration, click Add Instance to begin a new configuration.

  3. Specify the following parameters.

    • Customer ID—Tenant domain part of the FQDN used for your IoT Security account. For example, in, the customer ID is yourcorp. The customer ID is unique and case sensitive. After you save the integration instance, you can't edit the Customer ID.

    • Access Key and Key ID previously generated for the integration.

    • Integration Scope—Select at least one of the two values, Alerts and Devices depending on which information you want to ingest.

  4. Click Test to validate access, and then click Enable.

    When events start to come in, a green check mark appears underneath the IoT Security Collectorconfiguration with the data and time that the data was last synced.

  5. (Optional) Manage your IOT Security Collector.

    After you enable the IOT Security Collector, you can make additional changes as needed. To modify a configuration, select any of the following options.

    • Edit the IOT Security Collector settings.

    • Disable the IOT Security Collector.

    • Delete the IOT Security Collector.

  6. After Cortex XSIAM begins receiving data from IOT Security, you can use the XQL Search to search for logs in the new datasets, panw_iot_security_devices_raw for device activities, and panw_iot_security_alerts_raw for alerts.