Note
This guide is for XDR Pro only. Expel doesn't support XDR Prevent.
Integrating your technology with Expel Workbench requires advanced user privileges that some products don't offer. Palo Alto Networks (PAN) Cortex XDR Prevent has limitations on read/write privileges that prevent full communication with Expel Workbench. So, PAN Cortex XDR Pro is required for Expel Workbench.
In this article
Step 1: Enable console access
-
Log onto Cortex XDR Pro.
-
In a new tab, open the Palo Alto Customer Support Portal.
-
Navigate to Members > Create New User.
-
Create a new user for the Expel SOC.
-
Type a Display Name.
-
Type a Password.
-
For First Name, type Expel and for Last Name, type SOC.
-
For Email Address, type soc+<Your_Organization_Name>@expel.io.
Note
Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.
-
-
Expel receives the account activation email and sets a new password.
-
In the Cortex XDR console navigate to Settings (gear Icon) > Configuration > Access Management > Users.
-
Confirm that the newly created Expel SOC user is present and edit the user to add the Privileged Security Admin role from the list of predefined roles. https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/manage-cortex-xdr-roles/administrative-roles.html
Step 2: Generate API credentials
-
In the Cortex XDR Pro console, navigate to Settings > Configurations > Integrations > API Keys.
-
Click the Copy URL button and save the output, because you need it later.
-
In the upper right corner, click the New Key button.
-
In the Generate API Key window, make sure that the Security Level is set as Advanced. Make sure that the role includes all “Investigation” options selected. We recommend Instance Administrator as it selects all of the options that we need to complete investigative action.
-
Click Generate.
-
Copy and save the following credentials for use in the next section:
- URL
- API Key
-
In the API Keys table, locate the ID field and copy and save the value as your API Key ID. You will also need this value in the next section.
Step 3: Configure the technology in Workbench
-
In a new browser tab, log into https://workbench.expel.io.
-
On the console page, navigate to Settings and click Security Devices.
-
At the top of the page, click + Add Security Device.
-
Search for and select your technology Cortex XDR Pro.
-
Complete all fields using the credentials and information you collected in Step 1 and Step 2 above.
Cortex API routes we use
Route |
Permission |
---|---|
/public_api/v1/incidents/get_incidents |
VIEW PRIVILEGES:Investigation |
/public_api/v1/incidents/get_incident_extra_data |
VIEW PRIVILEGES:Investigation |
/public_api/v1/endpoints/get_endpoint |
VIEW PRIVILEGES:Investigation |