Important

This guide is for XDR Pro only. Expel doesn't support XDR Prevent.

Integrating your technology with Expel Workbench requires advanced user privileges that some products don't offer. Palo Alto Networks (PAN) Cortex XDR Prevent limits read/write privileges in a way that prevents full communication with Expel Workbench, so PAN Cortex XDR Pro is required for Expel Workbench.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Step 1: Enable console access

  1. Log onto Cortex XDR Pro.

  2. In a new tab, open the Palo Alto Customer Support Portal.

  3. Navigate to Members > Create New User.

  4. Create a new user for the Expel SOC.

    1. Type a Display Name.

    2. Type a Password.

    3. For First Name, type Expel and for Last Name, type SOC.

    4. For Email Address, type soc+<Your_Organization_Name>@expel.io.

      Tip

      Yes, the "+" sign is part of the email address (as in soc+megacorp@expel.io) and it's important.

  5. Expel receives the account activation email and sets a new password.

  6. In the Cortex XDR console navigate to Settings (gear Icon) > Configuration > Access Management > Users.

  7. Confirm that the newly created Expel SOC user is present and edit the user to add the Privileged Security Admin role from the list of predefined roles (see Palo Alto's administrative roles documentation: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/manage-cortex-xdr-roles/administrative-roles.html).

Step 2: Generate API credentials

  1. In the Cortex XDR Pro console, navigate to Settings > Configurations > Integrations > API Keys.

  2. Click the Copy URL button and save the output, because you need it later.

  3. In the upper right corner, click the New Key button.

  4. In the Generate API Key window, make sure that the Security Level is set to Advanced and that the role includes all “Investigation” options. We recommend Instance Administrator because it selects all of the options we need to complete investigative actions.

  5. Click the Generate button.

  6. Be sure to copy the generated credentials, because you can't access them again.

  7. After it's generated, note your API Key ID.

Step 3: Configure the technology in Workbench

  1. In a new browser tab, log into https://workbench.expel.io.

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click + Add Security Device.

  4. Search for and select your technology, Cortex XDR Pro.

  5. Complete all fields using the credentials and information you collected in Step 1 and Step 2 above.

  6. For Name type the host name of the device.

  7. For Location type the geographic location of the appliance.

  8. For URL type your Cortex XDR Pro URL.

  9. For API key type the API generated in Step 2.

  10. For API key ID type the Key ID noted in Step 2.

  11. For Username and Password, type the username and password created in Step 1.

Cortex API Routes we use

Route                                                 Permission

/public_api/v1/incidents/get_incidents                VIEW PRIVILEGES: Investigation
/public_api/v1/incidents/get_incident_extra_data      VIEW PRIVILEGES: Investigation
/public_api/v1/endpoints/get_endpoint                 VIEW PRIVILEGES: Investigation
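The following script is an added example, not code from Expel or Palo Alto Networks. It lets you confirm, before adding the device in Workbench, that the Advanced-security-level key generated in Step 2 can actually reach the three routes listed above, so a key whose role is missing the Investigation view privilege is caught early. It assumes the Advanced-key signing scheme Cortex XDR documents for its public API (Authorization = SHA-256 of api_key + nonce + millisecond timestamp, with the key ID in x-xdr-auth-id, the nonce in x-xdr-nonce and the timestamp in x-xdr-timestamp); the base URL is the value saved with the Copy URL button in Step 2. The request bodies are minimal constructed examples, and the HTTP status mapping in classify() is an assumption for triage, not an official error table.

```python
"""Added example (not Expel's or Palo Alto's code): check that a Cortex XDR
Advanced API key can reach the routes Expel Workbench uses.

Assumption: Advanced keys sign each request as
    Authorization = SHA-256(api_key + nonce + timestamp_ms)
and send x-xdr-auth-id (key ID), x-xdr-nonce and x-xdr-timestamp headers.
"""
import hashlib
import json
import secrets
import time
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

GET_INCIDENTS = "/public_api/v1/incidents/get_incidents"
GET_INCIDENT_EXTRA = "/public_api/v1/incidents/get_incident_extra_data"
GET_ENDPOINT = "/public_api/v1/endpoints/get_endpoint"


def build_auth_headers(api_key: str, key_id: str,
                       nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Build the Advanced-key headers. nonce/timestamp are parameters only so
    the function is deterministic for testing; leave them None in real use."""
    nonce = nonce if nonce is not None else secrets.token_hex(32)
    timestamp_ms = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def call_route(base_url: str, path: str, body: dict, api_key: str, key_id: str,
               timeout: int = 20) -> Tuple[int, dict]:
    """POST one public API route; return (HTTP status, parsed JSON or {})."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers=build_auth_headers(api_key, key_id),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def classify(status: int) -> str:
    """Map a status to a triage hint (assumed mapping, not an official table)."""
    if status == 200:
        return "ok"
    if status == 401:
        return "rejected: check API key, key ID and security level (Advanced)"
    if status == 403:
        return "forbidden: key role likely lacks VIEW PRIVILEGES: Investigation"
    return f"unexpected HTTP {status}"


def check_routes(base_url: str, api_key: str, key_id: str) -> Dict[str, str]:
    """Exercise the three routes Workbench uses and return route -> verdict."""
    results: Dict[str, str] = {}
    # Ask for a single incident; its id lets us test the extra-data route.
    status, data = call_route(base_url, GET_INCIDENTS,
                              {"request_data": {"search_from": 0, "search_to": 1}},
                              api_key, key_id)
    results[GET_INCIDENTS] = classify(status)

    incidents = data.get("reply", {}).get("incidents", []) if isinstance(data, dict) else []
    if incidents:
        body = {"request_data": {"incident_id": incidents[0]["incident_id"], "alerts_limit": 1}}
        status, _ = call_route(base_url, GET_INCIDENT_EXTRA, body, api_key, key_id)
        results[GET_INCIDENT_EXTRA] = classify(status)
    else:
        results[GET_INCIDENT_EXTRA] = "skipped: no incident returned to look up"

    status, _ = call_route(base_url, GET_ENDPOINT,
                           {"request_data": {"search_from": 0, "search_to": 1}},
                           api_key, key_id)
    results[GET_ENDPOINT] = classify(status)
    return results


if __name__ == "__main__":
    import os
    # Supply the values from Step 2 through the environment; never hard-code the key.
    verdicts = check_routes(os.environ["XDR_BASE_URL"],
                            os.environ["XDR_API_KEY"],
                            os.environ["XDR_API_KEY_ID"])
    for route, verdict in verdicts.items():
        print(f"{route}: {verdict}")
```

Run it with XDR_BASE_URL, XDR_API_KEY and XDR_API_KEY_ID set from the values collected in Step 2; a 403 on any route means the key's role needs the Investigation view privilege before the device will work in Workbench, while a 401 points at the key, key ID or security level.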