This onboarding guide takes you through how to set up Palo Alto Networks (PAN) Cortex XSIAM with Expel Workbench.

Prerequisites

  • You must have admin privileges in PAN to create a user account.
  • You must have admin access in Workbench to set up this integration.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Add an Account for Console Access
  2. Create Cortex XSIAM API Credentials for Expel
  3. Add Palo Alto Networks Cortex XSIAM as a Security Device in Workbench

Step 1: Add an Account for Console Access

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, alerts cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Palo Alto Customer Support Portal.
  2. Navigate to Members > Create New User.
  3. Create a new user for Expel by completing the fields as follows:
    • First name - enter "Expel".
    • Last name - enter "SOC".
    • Email - enter "soc+<Your_Organization_Name>@expel.io".
      • For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
    • Phone - enter "1 844 397 5762".
    • The other fields can be left as is.
  4. In the Security Notification Subscriptions section, deselect all the checkboxes.
  5. Select Create.
  6. Work with your Customer Success Manager (CSM) to coordinate account creation with the SOC, as Expel will receive the account activation email and set a new password. You cannot perform the next step until the account is activated.
  7. In the Cortex XSIAM console, navigate to Settings > Configurations.
  8. In the Configurations pane, scroll to the Access Management section and select Users.
  9. Confirm that the newly created Expel SOC user is present. Right-click the user and select Edit User Permissions.
  10. Under Role, select Instance Administrator.
  11. Select Save.

Step 2: Create Cortex XSIAM API Credentials for Expel

Next, create the API credentials that Workbench will use to integrate with Cortex XSIAM.

  1. In Cortex XSIAM, navigate to Settings > Configurations.
  2. In the Configurations pane, scroll to the Integrations section and choose API Keys.
  3. In the top right of the screen, select + New Key.
  4. The Generate API Key screen appears. In the General section, configure the settings as follows:
    • Security Level - select Standard.
    • Role - select Instance Administrator. Make sure that the role includes all “Investigation” options. We recommend Instance Administrator as it covers all of the options that we need to complete investigative action.
    • Comment - enter "Expel" to help indicate what this API key is for.
    • Enable Expiration Date - leave unchecked.
    • Leave the Components section as is.
  5. Select Generate.
  6. Copy and save the API key in a safe place, as you will need it to complete the next section. The API key only displays once and you cannot access it later, so ensure you copy it before closing the notification.
  7. Select Done.
  8. In the top right corner, select Copy API URL. Save it in a safe place for use in the next section.
  9. In the API Keys table, locate the ID field and copy and save the value as your API Key ID. You will also need this value in the next section.
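Before moving on to Workbench, it is worth confirming that the three values you just saved actually work together. The following Python script is an added example (not Expel's or Palo Alto Networks' code): it calls the first route listed in the Reference table with the API URL, API key and API Key ID from this step. It assumes the Cortex public API's Standard-key header convention (key ID in x-xdr-auth-id, key in Authorization) and reads the values from environment variables named here as XSIAM_API_URL, XSIAM_API_KEY_ID and XSIAM_API_KEY so the key is never written into a file.

```python
"""Verify Cortex XSIAM API credentials before entering them in Workbench.

Assumptions (not from the guide): a Standard-level key is sent as the
x-xdr-auth-id (key ID) and Authorization (key) headers, and the three Step 2
values are read from XSIAM_API_URL, XSIAM_API_KEY_ID and XSIAM_API_KEY.
"""
import json
import os
import urllib.request

# First route in the reference table; read-only (VIEW PRIVILEGES: Investigation).
GET_INCIDENTS_ROUTE = "/public_api/v1/incidents/get_incidents"


def build_get_incidents_request(api_url, api_key_id, api_key, limit=5):
    """Return (url, headers, body) for a minimal get_incidents call."""
    if not api_url.startswith("https://"):
        raise ValueError("the API URL copied in Step 2 must start with https://")
    url = api_url.rstrip("/") + GET_INCIDENTS_ROUTE
    headers = {
        "x-xdr-auth-id": str(api_key_id),   # the ID column from the API Keys table
        "Authorization": api_key,           # the key shown once at generation time
        "Content-Type": "application/json",
    }
    # Request only the first few incidents: enough to prove the key and role work.
    body = {"request_data": {"search_from": 0, "search_to": limit}}
    return url, headers, json.dumps(body).encode()


def summarize_incidents(reply):
    """Reduce a get_incidents reply to (incident_id, severity, status) tuples."""
    incidents = reply.get("reply", {}).get("incidents") or []
    return [(i.get("incident_id"), i.get("severity"), i.get("status")) for i in incidents]


def check_credentials(api_url, api_key_id, api_key, opener=urllib.request.urlopen):
    """POST once to the route; an HTTPError (401/403) means key, ID or role is wrong."""
    url, headers, body = build_get_incidents_request(api_url, api_key_id, api_key)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req, timeout=30) as resp:
        return summarize_incidents(json.load(resp))


if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("XSIAM_API_URL", "XSIAM_API_KEY_ID", "XSIAM_API_KEY")}
    if not all(env.values()):
        raise SystemExit("set XSIAM_API_URL, XSIAM_API_KEY_ID and XSIAM_API_KEY first")
    for row in check_credentials(env["XSIAM_API_URL"], env["XSIAM_API_KEY_ID"], env["XSIAM_API_KEY"]):
        print(row)
```

An empty list is a successful result on a tenant with no incidents yet; an HTTP 401 or 403 points at the key, the key ID, or a role that is missing the Investigation view privilege.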

Step 3: Add Cortex XSIAM as a Security Device in Workbench

Now that you have the necessary credentials, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Palo Alto” and then select the Palo Alto Networks Cortex XSIAM integration.
  5. The Add Security Device screen displays. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as "CompanyName PAN Cortex XSIAM"; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example "cloud." This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • URL - enter the API URL you acquired in Step 2.
    • API key - enter the API key you generated in Step 2.
    • API key ID - enter the API Key ID noted in Step 2.
  6. Select Save.
  7. On the console access screen, select Set up later from the dropdown, as Expel will complete console access configuration.
  8. Select Save.
  9. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Reference

Cortex API Routes Expel Uses

  Route                                              Permission
  /public_api/v1/incidents/get_incidents             VIEW PRIVILEGES: Investigation
  /public_api/v1/incidents/get_incident_extra_data   VIEW PRIVILEGES: Investigation
  /public_api/v1/endpoints/get_endpoint              VIEW PRIVILEGES: Investigation
  /public_api/v1/audits/management_logs              VIEW PRIVILEGES: Investigation