Integrate Palo Alto Cortex XDR with Red Canary
    • 16 Aug 2024

    Article summary

    Integrating Palo Alto Networks Cortex XDR with Red Canary gives Red Canary's threat hunting and incident response teams the Cortex data they need to work your environment: Event Forwarding streams endpoint telemetry from the Cortex Data Lake, a service account API key lets Red Canary pull IOC and BIOC alert data and monitor endpoint health, and Cortex Gateway roles let Red Canary's security operations team (and, if purchased, its Active Remediation team) act in your tenant.

    The result is a single view of threats across your environment, faster investigation, and a streamlined response path.

    To integrate Palo Alto Cortex XDR with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    • Cortex Tenant licensed with

      • Pro Per Endpoint (PAN-XDR-ADV-EP)

      • Event Forwarding EP (PAN-XDR-EP-FRWRD)

    • Cortex Version 3.3 or later

    Step 1: Cortex Support Portal–Provide Red Canary your Account Registration Link

    Provide Red Canary with your Account Registration Link so we can request that a new user be added to your account. Once the link is provided, we will use it to request user creation. You will then need to approve Red Canary's request (Step 6).

    1. Log in to your Cortex Customer Support Portal.

    2. Click Account Management and then click Account Details.

    3. Copy and then save the Account Registration Link.

    4. Email this link to your Red Canary contact who is supporting your integration experience.

      Note: Red Canary will use this link to request one to two users. If you have purchased Active Remediation, two user requests will be submitted.

    Step 2: Cortex–Create a new Cortex profile

    Create a Cortex configuration profile to begin collecting endpoint data in the Cortex Data Lake.

    1. Log in to the Cortex tenant that you want to connect to Red Canary.

    2. From your address bar, copy the URL, and then save it as your Cortex Tenant URL. You’ll use this in a later step.

    3. From your Cortex Homepage, click Endpoints, and then click Policy Management.

    4. From the Prevention dropdown, click Profiles.

    5. Scroll down, and then find the default Agent Settings profile.

    6. Right-click the default Agent Settings profile.

    7. Click Save As New.

    8. Enter a name for your Cortex Profile.

    9. Scroll down to the XDR Pro Endpoints section, and then uncheck Use Default.

    10. From the XDR Pro Endpoints Capabilities, select Enabled.

    11. Click Create.

    12. Apply this profile to your endpoints. For more information on the endpoint data collected by Cortex XDR, see the Cortex XDR documentation.

    Global Agent Settings

    You can configure a global Agent Settings profile that applies to all endpoints regardless of operating system; this is the "default Agent Settings profile" referred to above. If the only default Agent Settings profile available is limited to one operating system, we recommend creating a Global Agent Settings profile that can be applied to all endpoints (see the Cortex XDR documentation for the procedure).

    Once it is created, make sure that, in addition to any other settings you want, steps 9 and 10 of Step 2 (XDR Pro Endpoints: uncheck Use Default and select Enabled) are applied to it.

    You can also create OS-specific profiles and apply them to your endpoints, but those profiles are not required for this integration. See the Cortex XDR documentation for the supported profile types by operating system.

    Step 3: Cortex–Create API Key for your Service Account

    Create a service account API key to allow Red Canary to pull Indicator of Compromise (IOC) and Behavioral Indicator of Compromise (BIOC) alert data, monitor endpoint health, and respond to threats with Cortex XSOAR capabilities. The key is created with the Instance Administrator role, so treat the key and its key ID as tenant-wide secrets: keep them only until you enter them into Red Canary in Step 5, and do not send them by email or chat.

    1. From your Cortex Homepage, click Settings, and then click Configurations.

    2. From the Integrations dropdown, click API Keys.


    3. Click Copy URL, and then save your Cortex API url. You’ll use this in a later step.


    4. Click +New Key.


    5. From the Security Level section, select Advanced.

    6. From the Role dropdown, select Instance Administrator.

    7. Click Save.

    8. Click Copy, and then save the API Key for your Service Account. You’ll use this in a later step.

    9. From the list of API keys, find the key you just created and copy its ID number. Save this as your Cortex API Key ID. You’ll use this in a later step.
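    Step 5 of this procedure selects the Advanced security level. An Advanced key is not sent as-is in an Authorization header: per Palo Alto's Cortex XDR API documentation, each request carries the key ID, a random nonce, a millisecond timestamp, and the SHA-256 digest of api_key + nonce + timestamp, so the key itself never crosses the wire. The script below is an added example, not part of the original article and not Red Canary's or Palo Alto's integration code. It builds those headers, shows the verification the API side performs, and calls the tenant's healthcheck endpoint so you can confirm that the API URL, key, and key ID saved in this step work together before entering them in Step 5. The environment variable names and the 15-second timeout are assumptions of the example.

```python
# Added example, not Red Canary or Palo Alto code: authenticate to the
# Cortex XDR public API with an "Advanced" security-level key.
import hashlib
import hmac
import json
import os
import secrets
import string
import time
import urllib.request
from typing import Optional

_NONCE_ALPHABET = string.ascii_letters + string.digits


def build_advanced_headers(api_key: str, api_key_id: str,
                           nonce: Optional[str] = None,
                           timestamp_ms: Optional[int] = None) -> dict:
    """Request headers for an Advanced security-level key.

    The raw key is never transmitted: Authorization carries
    SHA-256(api_key + nonce + timestamp), so a captured request exposes a
    one-off digest rather than the key. nonce and timestamp_ms are
    parameters only so the result can be reproduced in a test.
    """
    if nonce is None:
        nonce = "".join(secrets.choice(_NONCE_ALPHABET) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),  # the key ID saved in step 9
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def verify_advanced_headers(api_key: str, headers: dict) -> bool:
    """What the API side does: recompute the digest from the presented
    nonce and timestamp and compare it in constant time."""
    expected = hashlib.sha256(
        f"{api_key}{headers['x-xdr-nonce']}{headers['x-xdr-timestamp']}".encode()
    ).hexdigest()
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


def healthcheck(api_url: str, api_key: str, api_key_id: str) -> dict:
    """GET /public_api/v1/healthcheck on the API URL copied in step 3.

    A working key gets HTTP 200 and a small JSON status body; HTTP 401
    means the API rejected the key, key ID, or security level."""
    req = urllib.request.Request(
        api_url.rstrip("/") + "/public_api/v1/healthcheck",
        headers=build_advanced_headers(api_key, api_key_id),
        method="GET",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Environment variable names are an assumption of this example.
    print(healthcheck(os.environ["CORTEX_API_URL"],
                      os.environ["CORTEX_API_KEY"],
                      os.environ["CORTEX_API_KEY_ID"]))
```

    Run it with the three values exported in your shell; if the API returns 401, recheck that the key was created with the Advanced security level (a Standard key uses a different header scheme) and that the key ID is the numeric ID from the API Keys list, not the key itself.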

    Step 4: Cortex–Download your Service Account JSON Web Token

    Download a consolidated package of credentials and tokens which Red Canary uses to authenticate and ingest telemetry data from the Cortex Data Lake hosted in Google Cloud Platform (GCP).

    1. From your Cortex Homepage, click Settings, and then click Configurations.


    2. From the Data Management dropdown, click Event Forwarding.

    3. From the Activation section, click Enable Endpoints Event Forwarding.

    4. From the Destination section, click Copy, and then save your Cortex GCP Path. You’ll use this in a later step.

    5. From the Destination section, click Generate and download. You’ll use this file in a later step. 

    Step 5: Red Canary–Input your Cortex information

    Enter your Cortex information into Red Canary to start sending Cortex telemetry to Red Canary.

    1. From your Red Canary homepage, click Integrations. If you do not see the required integration, click See all integrations.

    2. In the search bar, type and then select Palo Alto Networks Cortex XDR.

    3. Click Configure.

    4. Enter a Description.

    5. Enter your Cortex Tenant URL from Step 2.2.

    6. Enter your Cortex API URL from Step 3.3.

    7. Enter your Cortex API Key - Service Account from Step 3.8.

    8. Enter your Cortex API Key ID from Step 3.9.

    9. Enter your Cortex GCP Path from Step 4.4.

    10. Click Choose File, and then upload your Cortex Service Account JSON Web Token from Step 4.5.

    11. Click Test.

    12. If the test succeeds, a success message is displayed. If it fails, follow the help text in the error message and correct the affected entry before testing again.

    13. Click Save.

    Step 6: Cortex Support Portal–Approve the new user notification(s)

    Red Canary needs you to approve the new user notification(s).

    Note: You will receive two separate user approval notifications if you are an Active Remediation user. These users will default to the “Standard User” support portal role, which Red Canary requires.

    1. The Red Canary contact who is supporting your integration experience will notify you that the user request(s) have been submitted for your approval.

    2. Log in to your Cortex Customer Support Portal.

    3. Click the icon.

    4. Click Approve for the notification titled “New user RC Viewer has requested access to your account.”

    5. If you have purchased Active Remediation, click Approve for the notification titled “New user RC Active Remediation has requested access to your account.”

    Step 7: Cortex Gateway–Create a Red Canary Security Operations role

    A custom role must be created in Cortex to enable Red Canary’s customer security operations team to support your security needs.

    1. Navigate to your Cortex Gateway from the Customer Support Portal.

    2. Click Resources.

    3. Click XDR Gateway.

    4. Click Permission Management, and then click Roles.

    5. Click New Role.

    6. In the ROLE NAME field, enter Red Canary Security Operations.

    7. Select the permissions shown in the following images:

    8. Click Save.

    Step 8: Cortex Gateway–Update the Red Canary integration user permissions

    The Red Canary integration user you approved in Step 6 will automatically populate within your Cortex Gateway; however, it is not given a role by default. You'll need to assign the user the custom Red Canary Security Operations role you created in Step 7.

    1. Navigate to your Cortex Gateway from the Customer Support Portal.

    2. Click Resources.

    3. Click XDR Gateway.

    4. Click Permission Management.

    5. Click Permissions.

    6. Search for the new Red Canary user, and then click the edit icon.

    7. From the Role section, select the Red Canary Security Operations role that was created in Step 7.

    8. Click Save.

    9. Click Yes on the validation window.

    Step 9: Cortex Gateway–Update the Red Canary Active Remediation user permissions

    Note: This step is only applicable for users who have purchased Active Remediation.

    The Red Canary Active Remediation user you approved in Step 6 will automatically populate within your Cortex Gateway; however, it is not given a role by default. You'll need to update the user’s role to Privileged Responder.

    1. Navigate to your Cortex Gateway from the Customer Support Portal.

    2. Click Resources.

    3. Click XDR Gateway.

    4. Click Permission Management.

    5. Click Permissions.

    6. Search for the new Red Canary Active Remediation user, and then click the edit icon.

    7. From the Role section, select Privileged Responder.

    8. Click Save.

    9. Click Yes.
