This guide is for XDR Pro only. Expel does not support XDR Prevent.

Integrating your technology with Expel Workbench requires elevated API privileges that some products don't offer. Palo Alto Networks (PAN) Cortex XDR Prevent restricts the read/write privileges its API exposes, which prevents full communication with Expel Workbench.

Step 1: Enable Console Access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.

  1. Log onto Cortex XDR Pro.
  2. In a new tab, open the Palo Alto Customer Support Portal.
  3. Navigate to Members > Create New User.
  4. Create a new user for the Expel SOC.

    • Type a Display Name.
    • Type a Password.
    • For First Name, type Expel and for Last Name, type SOC.
    • For Email Address, type soc+<Your_Organization_Name>@expel.io.

      Note
      Yes, the "+" sign is part of the email address, and it's important: it is plus addressing, which routes the activation email (and later mail) for your organization to the Expel SOC mailbox.
  5. Expel receives the account activation email and sets a new password.
  6. In the Cortex XDR console navigate to Settings (gear Icon) > Configuration > Access Management > Users.
  7. Confirm that the newly created Expel SOC user is present and edit the user to add the Privileged Security Admin role from the list of predefined roles.

Step 2: Generate API Credentials

To integrate the technology with Workbench, Expel needs API credentials for your Cortex XDR Pro tenant.

Note
Expel stores all login information our SOC analysts need for your devices in a password vault, and access to that vault is protected by our internal MFA processes. The IP addresses all Expel traffic comes from are published in a separate article.

  1. In the Cortex XDR Pro console, navigate to Settings > Configurations > Integrations > API Keys.
  2. Click the Copy URL button and save the output, because you need it later.
  3. In the upper right corner, click the New Key button.
  4. In the Generate API Key window, set the Security Level to Advanced. An Advanced key is never sent on the wire: each request carries a nonce, a timestamp, and a SHA-256 hash of the key, nonce and timestamp, so the key itself stays on the client and a captured Authorization value expires with its timestamp. Make sure the role includes all "Investigation" options. We recommend Instance Administrator because it selects everything we need to complete investigative actions; if you prefer a narrower custom role, it must at least grant the Investigation view privileges listed under Cortex API Routes Expel Uses below and, if you enable status syncing, the right to update incident status.
  5. Click Generate.
  6. Copy and save the following credentials for use in the next section:
    • URL
    • API Key
  7. In the API Keys table, locate the ID field and copy and save the value as your API Key ID. You will also need this value in the next section.

Step 3: Add PAN Cortex XDR Pro as a Security Device in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. Log in to Workbench.
  2. On the console page, navigate to Settings and click Security Devices.
  3. At the top of the page, click + Add Security Device.
  4. Search for and select Cortex XDR Pro.

  5. Complete all fields using the credentials and information you collected in Step 1 and Step 2 above.

    • For Name, type the host name of the device.
    • For Location, type the geographic location of the appliance.
    • For URL, type your Cortex XDR Pro URL.
    • For API key, type the API key generated in Step 2.
    • For API key ID, type the Key ID noted in Step 2.
  6. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Reference

Cortex API Routes Expel Uses

Route                                             Permission
/public_api/v1/incidents/get_incidents            VIEW PRIVILEGES: Investigation
/public_api/v1/incidents/get_incident_extra_data  VIEW PRIVILEGES: Investigation
/public_api/v1/endpoints/get_endpoint             VIEW PRIVILEGES: Investigation
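As an added example (not Expel's or Palo Alto Networks' code) of how an Advanced-security-level key from Step 2 is used against the first route above, the following Python builds the per-request headers, verifies them the way the API would, forms an incremental get_incidents query, and parses a constructed reply. The Advanced-key header scheme (x-xdr-auth-id, x-xdr-nonce, x-xdr-timestamp, and Authorization = SHA-256 of key + nonce + timestamp) follows Palo Alto's public API documentation; the tenant URL, the five-minute skew tolerance, and the sample reply are assumptions.

```python
"""Cortex XDR Pro API client pieces for an Advanced-security-level key.

Added example (not Expel's or Palo Alto Networks' code). It assumes the
documented Advanced-key scheme: Authorization carries
SHA-256(api_key + nonce + timestamp_ms) rather than the key itself, alongside
x-xdr-auth-id (the API Key ID), x-xdr-nonce and x-xdr-timestamp. The base URL
used in __main__ is a placeholder; use the value from the console's Copy URL button.
"""
import hashlib
import json
import secrets
import time
from typing import Any, Optional

INCIDENTS_ROUTE = "/public_api/v1/incidents/get_incidents"
MAX_SKEW_MS = 5 * 60 * 1000  # assumed tolerance for x-xdr-timestamp freshness


def build_auth_headers(api_key: str, api_key_id: str,
                       nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> dict[str, str]:
    """Headers for one request. A fresh 64-char nonce per call means a captured
    Authorization value cannot be reused; the raw key never leaves the client."""
    nonce = nonce if nonce is not None else secrets.token_hex(32)
    ts = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{ts}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(ts),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def verify_auth_headers(api_key: str, headers: dict[str, str],
                        now_ms: Optional[int] = None) -> bool:
    """Recompute the digest the way the server does and reject stale timestamps.
    Useful as a self-check before sending, or in a harness standing in for the API."""
    try:
        ts = int(headers["x-xdr-timestamp"])
    except (KeyError, ValueError):
        return False
    now = now_ms if now_ms is not None else int(time.time() * 1000)
    if abs(now - ts) > MAX_SKEW_MS:
        return False
    expected = hashlib.sha256(
        f"{api_key}{headers.get('x-xdr-nonce', '')}{ts}".encode("utf-8")).hexdigest()
    # constant-time compare so a verifier leaks nothing about the expected digest
    return secrets.compare_digest(expected, headers.get("Authorization", ""))


def get_incidents_request(base_url: str, since_ms: int, search_from: int = 0,
                          page: int = 100) -> tuple[str, dict[str, Any]]:
    """URL and JSON body for an incremental pull: incidents modified at or after
    since_ms, oldest first. get_incidents pages via search_from/search_to (max 100)."""
    body = {"request_data": {
        "filters": [{"field": "modification_time", "operator": "gte", "value": since_ms}],
        "search_from": search_from,
        "search_to": search_from + page,
        "sort": {"field": "modification_time", "keyword": "asc"},
    }}
    return base_url.rstrip("/") + INCIDENTS_ROUTE, body


def parse_incidents(reply_json: str) -> tuple[list[dict[str, Any]], int]:
    """Extract id/status/severity/modification_time from a get_incidents reply and
    return the new high-water mark. Because the filter is 'gte', the newest incident
    is returned again on the next poll, so callers should dedupe on incident_id."""
    reply = json.loads(reply_json)["reply"]
    rows = [{"incident_id": i["incident_id"], "status": i["status"],
             "severity": i["severity"], "modification_time": int(i["modification_time"])}
            for i in reply.get("incidents", [])]
    high_water = max((r["modification_time"] for r in rows), default=0)
    return rows, high_water


# Constructed sample reply in the documented shape (not captured from a real tenant).
SAMPLE_REPLY = json.dumps({"reply": {"total_count": 2, "result_count": 2, "incidents": [
    {"incident_id": "1001", "status": "new", "severity": "high",
     "modification_time": 1700000000000},
    {"incident_id": "1002", "status": "under_investigation", "severity": "medium",
     "modification_time": 1700000005000},
]}})

if __name__ == "__main__":
    headers = build_auth_headers("<API Key from Step 2>", "<API Key ID from Step 2>")
    url, body = get_incidents_request(
        "https://api-<tenant>.xdr.<region>.paloaltonetworks.com", 0)  # placeholder URL
    print(url, json.dumps(body), headers["x-xdr-auth-id"], sep="\n")
    print(parse_incidents(SAMPLE_REPLY))
```

The headers and body are what an HTTP client would POST to the route; sending them is left out so the block runs offline. Note that the body is not covered by the hash, so the nonce and timestamp window, not the digest, are what bound a captured request's usefulness.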

Status Syncing

Expel supports alert status syncing between Workbench and Palo Alto Networks Cortex XDR Pro. Specifically, when an ingested alert or incident from Cortex XDR results in the creation of an Expel Alert, the Expel Alert status (e.g. Open, Investigating, Closed) is reflected back in Cortex XDR as Expel's SOC works the Expel Alert. Syncing is keyed off the original Cortex XDR alert ID that was ingested.

Syncing is currently one-way and Workbench serves as the source of truth. This means statuses in Cortex XDR are updated by Workbench, but Workbench is not informed or updated by status changes made in Cortex XDR.

If you would like to enable alert status syncing in your environment, please contact Support.

Object Mappings

Workbench Object   Syncing Key            Cortex XDR Object
Expel Alert        Cortex XDR alert ID    Alert
Expel Alert        Cortex XDR alert ID    Incident
Investigation      N/A                    N/A
Incident           N/A                    N/A

State Mappings

Expel Alert State or Action                   Cortex Console Update

Investigating States
Assigned to Analyst                           UNDER_INVESTIGATION
Moved to Investigating                        UNDER_INVESTIGATION
Added to Investigation                        UNDER_INVESTIGATION
Add or move Expel Alert to Open Incident      UNDER_INVESTIGATION (as long as the Workbench Incident remains open)
Reopen Closed Expel Alert                     UNDER_INVESTIGATION

Closed States
Closed / PUP/PUA                              RESOLVED_OTHER
Closed / Testing                              RESOLVED_OTHER
Closed / Possible Policy Violation            RESOLVED_SECURITY_TESTING
Closed / Activity Blocked                     RESOLVED_OTHER
Closed / Attack Failed                        RESOLVED_OTHER
Closed / IT Misconfiguration                  RESOLVED_OTHER
Closed / Benign                               RESOLVED_OTHER
Closed / Suppressed by Ruxie                  RESOLVED_OTHER
Move Expel Alert to Closed Incident           RESOLVED_TRUE_POSITIVE
Move Alert to Closed Investigation            Matches the close-reason mapping above
Move Alert to Closed Incident                 RESOLVED_TRUE_POSITIVE