This guide is for XDR Pro only. Expel doesn't support XDR Prevent.

Integrating your technology with Expel Workbench requires advanced user privileges that some products don't offer. Palo Alto Networks (PAN) Cortex XDR Prevent has limitations on read/write privileges that prevent full communication with Expel Workbench. So, PAN Cortex XDR Pro is required for Expel Workbench.

Step 1: Enable console access

  1. Log onto Cortex XDR Pro.

  2. In a new tab, open the Palo Alto Customer Support Portal.

  3. Navigate to Members > Create New User.

  4. Create a new user for the Expel SOC.

    • Type a Display Name.

    • Type a Password.

    • For First Name, type Expel and for Last Name, type SOC.

    • For Email Address, type soc+<Your_Organization_Name>


      Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.

  5. Expel receives the account activation email and sets a new password.

  6. In the Cortex XDR console navigate to Settings (gear Icon) > Configuration > Access Management > Users.

  7. Confirm that the newly created Expel SOC user is present and edit the user to add the Privileged Security Admin role from the list of predefined roles.

Step 2: Generate API credentials


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In the Cortex XDR Pro console, navigate to Settings > Configurations > Integrations > API Keys.

  2. Click the Copy URL button and save the output, because you need it later.

  3. In the upper right corner, click the New Key button.

  4. In the Generate API Key window, make sure that the Security Level is set as Advanced. Make sure that the role includes all “Investigation” options selected. We recommend Instance Administrator as it selects all of the options that we need to complete investigative action.

  5. Click Generate.

  6. Be sure to copy the generated credentials as you can't access them again.

  7. After it's generated, note your API Key ID.

Step 3: Configure the technology in Workbench

  1. In a new browser tab, log into

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click + Add Security Device.

  4. Search for and select your technology Cortex XDR Pro.

  5. Complete all fields using the credentials and information you collected in Step 1 and Step 2 above.

    • For Name type the host name of the device.

    • For Location type the geographic location of the appliance.

    • For URL type your Cortex XDR Pro URL.

    • For API key type the API generated in Step 2.

    • For API key ID type the Key ID noted in Step 2.

Cortex API routes we use










This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!