Cortex XDR
Prerequisites
To enable log retrieval, account API permissions must be configured in Cortex, and the following information must be collected:
- API Key: Secret authorization key used to authenticate API calls (credential).
- API Key ID: Unique token used to authenticate the API Key (credential).
- API URL: The full URL used for API communication (connector).
Creating an API Key with the Privileged Responder Role in Cortex
- To collect the necessary information in Cortex, follow the steps in this Cortex procedure: Get Started with Cortex XDR APIs.
Warning: When selecting the level of access for the API Key, grant the Privileged Responder Role to the API Key.
Creating the Credentials and Service Connector in ActiveEye
Creating the Cortex Credentials
Cortex credentials must be set up before creating the service connector.
- In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
The Service Connectors page appears.
- In the upper-right corner of the page, click Manage connectors credentials.
The Connector Credentials page appears.
- In the upper-left corner of the page, click Add Credential.
The Add Connector Credentials page appears.
- In the Connector Type list, select Cortex.
The AENS Alerts Credentials section appears.
- In the Display Name box, enter a unique name.
- In the API Key ID box, enter the API Key ID that you collected in Cortex.
- In the API Key box, enter the API Key that you collected in Cortex.
- Click Add.
The Cortex credentials are created.
Creating the Service Connector
With Cortex credentials set up, the Cortex service connector can be created.
- In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
The Service Connectors page appears.
- In the upper-left corner of the page, click Add Connector.
A list of service connectors appears.
- Scroll down to the ENDPOINT SECURITY section, and then, in the Cortex subsection, click the Add Connection button.
The Add Connector Account page appears.
- In the Display Name box, enter a unique name.
- In the API URL box, enter the required portion of the API URL that you collected in Cortex. For example, if the full API URL is `https://api-example.xdr.us.paloaltonetworks.com`, you only need to enter `example.xdr.us`.
- In the Credential Set list, select the name of the Cortex credentials created in the previous procedure.
- Optionally, modify the priority level in the Priority box. Raising or lowering the priority will increase or decrease the visibility of alerts related to this service connector.
- If you do not want data ingestion to begin immediately once cloud accounts have been configured, clear the Enable Account check box. Otherwise, leave the check box selected.
- Click Add.
The Cortex service connector is created.
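One way to derive and sanity-check the value for the API URL box before entering it, shown as an added example that is not part of the original documentation or either product. The `https://api-<portion>.paloaltonetworks.com` pattern is an assumption generalized from the single example URL in the procedure above, and `connector_api_url` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Assumption (generalized from the one example URL on this page): the full
# API URL has the form https://api-<portion>.paloaltonetworks.com
HOST_PREFIX = "api-"
HOST_SUFFIX = ".paloaltonetworks.com"
PORTION_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def connector_api_url(full_url: str) -> str:
    """Return the portion of the full API URL to enter in the API URL box.

    Raises ValueError if the input does not look like a bare Cortex API host,
    so a mistyped or lookalike URL is caught before it is saved.
    """
    candidate = full_url.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # tolerate a pasted bare host name
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        raise ValueError("API URL must use https")
    if parts.username or parts.password or parts.port is not None:
        raise ValueError("API URL must not carry credentials or a port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("API URL must be the bare host, without path or query")
    host = (parts.hostname or "").lower()
    # endswith() on the full suffix rejects hosts that merely contain the
    # vendor domain, e.g. api-x.paloaltonetworks.com.other.example
    if not (host.startswith(HOST_PREFIX) and host.endswith(HOST_SUFFIX)):
        raise ValueError(f"unexpected host name: {host!r}")
    portion = host[len(HOST_PREFIX):-len(HOST_SUFFIX)]
    if not PORTION_RE.fullmatch(portion):
        raise ValueError(f"cannot derive connector value from {host!r}")
    return portion


if __name__ == "__main__":
    # Example URL taken from the procedure above.
    print(connector_api_url("https://api-example.xdr.us.paloaltonetworks.com"))
```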