Palo Alto Cortex XDR Integration
Overview
Cortex XDR by Palo Alto Networks provides extended detection and response across endpoints, network, and cloud. KYRA MDR ingests Cortex XDR incidents and alerts via the API for centralized security operations.
Prerequisites
- A KYRA MDR Collector installed and running
- Cortex XDR tenant with administrative access
- API key with Security Admin or higher role
- Advanced security level API key
Configuration
Configure Cortex XDR API access:
- In the Cortex XDR console, navigate to Settings > Configurations > API Keys
- Click New Key and configure:
| Setting | Value |
|---|---|
| Security Level | Advanced |
| Role | Viewer (minimum) |
- Copy the API Key, API Key ID, and FQDN
- Configure the KYRA MDR collector:
```yaml
sources:
  - type: cortex-xdr
    api_url: https://<tenant>.xdr.<region>.paloaltonetworks.com
    api_key_id: <key-id>
    api_key: <api-key>
    poll_interval: 60s
```
- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Incidents | Correlated threat incidents | Incident investigation |
| Alerts | Individual detection alerts | Threat detection and triage |
| Endpoint Data | Device and agent information | Asset inventory |
| Audit Logs | Administrative action logs | Compliance and auditing |
| XQL Results | Custom query results | Advanced threat hunting |
| Behavioral Threats | BIOC-based detections | Behavioral threat detection |
Troubleshooting
API authentication failed: Verify the API key security level is set to Advanced. Standard keys have limited endpoint access.
No incidents returned: Check the date range filter. The Cortex XDR API returns incidents from the last 30 days by default.
Rate limiting: Cortex XDR API enforces call limits. Set the poll interval to at least 60 seconds.
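The three troubleshooting items above (Advanced-key authentication, the default date window, and the poll interval) are easiest to understand by looking at what a collector actually sends. The following is an added example, not KYRA MDR's collector code nor Palo Alto's SDK: it builds the authentication headers for an Advanced API key (the server is given a nonce and a timestamp plus SHA-256 of key + nonce + timestamp, so the key itself never travels on the wire), builds a `get_incidents` request body with an explicit `creation_time` window, and enforces the 60-second minimum poll interval. The header names, the hash construction and the `/public_api/v1/incidents/get_incidents` request shape follow Palo Alto's public API documentation; the key ID, key and tenant values are constructed placeholders, and `MIN_POLL_INTERVAL_S` is an assumption taken from the text above.

```python
import hashlib
import json
import secrets
import time
import urllib.request
from typing import Any, Dict, Optional

MIN_POLL_INTERVAL_S = 60  # assumption: the minimum recommended on this page
INCIDENTS_PATH = "/public_api/v1/incidents/get_incidents"


def build_auth_headers(api_key_id: str, api_key: str,
                       nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for a Cortex XDR Advanced-security-level API key.

    A Standard key is sent verbatim in ``Authorization``; an Advanced key is
    never sent. The client proves possession of it with
    SHA-256(api_key + nonce + timestamp) and the server checks the timestamp
    is recent, which is why a collector with a skewed clock fails to
    authenticate even when the key is correct. nonce/timestamp parameters
    exist so the result is reproducible in tests.
    """
    nonce = nonce if nonce is not None else secrets.token_hex(32)  # 64 hex chars
    timestamp_ms = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def build_incident_request(since_ms: int, until_ms: int,
                           search_from: int = 0, page_size: int = 100) -> Dict[str, Any]:
    """Body for POST get_incidents with an explicit creation_time window.

    Without a creation_time filter the API only returns its default window
    (30 days, per the troubleshooting note), so a backfill that expects older
    incidents comes back empty. search_from/search_to page through results.
    """
    return {
        "request_data": {
            "filters": [
                {"field": "creation_time", "operator": "gte", "value": since_ms},
                {"field": "creation_time", "operator": "lte", "value": until_ms},
            ],
            "search_from": search_from,
            "search_to": search_from + page_size,
            "sort": {"field": "creation_time", "keyword": "asc"},
        }
    }


def validate_poll_interval(poll_interval_s: int) -> int:
    """Reject intervals that would trip the API's rate limits."""
    if poll_interval_s < MIN_POLL_INTERVAL_S:
        raise ValueError(
            f"poll_interval {poll_interval_s}s is below the {MIN_POLL_INTERVAL_S}s minimum")
    return poll_interval_s


def incidents_url(api_url: str) -> str:
    """Join the tenant base URL from the collector config with the API path."""
    return api_url.rstrip("/") + INCIDENTS_PATH


def fetch_incidents(api_url: str, api_key_id: str, api_key: str,
                    since_ms: int, until_ms: int) -> Dict[str, Any]:
    """One poll: authenticated POST returning the decoded JSON reply (needs network)."""
    body = json.dumps(build_incident_request(since_ms, until_ms)).encode("utf-8")
    req = urllib.request.Request(incidents_url(api_url), data=body, method="POST",
                                 headers=build_auth_headers(api_key_id, api_key))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; replace with the tenant's own.
    interval = validate_poll_interval(60)
    now_ms = int(time.time() * 1000)
    print(json.dumps(build_incident_request(now_ms - interval * 1000, now_ms), indent=2))
    print(build_auth_headers("<key-id>", "<api-key>"))
```

The `fetch_incidents` call is the only part that touches the network; everything else can be unit-tested offline, which is a useful way to confirm that the hash input order and the timestamp unit (milliseconds) are right before blaming the key's security level.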
Contact kyra@seekerslab.com for support.