Step 1: Generate API credentials
This procedure creates the API credentials that allow Expel to access the Palo Alto Networks SaaS Security API.
- In Palo Alto SaaS Security API, select Settings > External Service.
- Click Add Client App.
- Type Expel for the API Client Name.
- Authorize the Expel API client for these Scopes:
  - Log access
  - Incident management
  - Quarantine management
- Save your changes.
- SaaS Security API shows a Client Secret. Write down the Client Secret and save it.
Note: You must have the Client Secret for the next step.
Step 2: Configure the technology in Workbench
Now that you have the correct access configured and noted the credentials, you can integrate Palo Alto Networks SaaS Security with Expel.
Register device in Expel Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select Palo Alto SaaS.
- For SIEM, select Expel Cloud.
- Enter the Server Name and Location.
- For API ID, enter Expel.
- For API secret, enter the secret generated in Step 1.
- Click Save.
After a few minutes, refresh the Security Devices page. The device status should report as Healthy; if there is an issue, the page shows details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.