Device Security
Activate a Third-party Integrations Cortex XSOAR
Activate a Cortex XSOAR instance for Device Security third-party integrations so that
Device Security can integrate with third-party solutions.
Where Can I Use This? | What Do I Need? |
---|---|
|
One of the following subscriptions:
One of the following Cortex XSOAR setups:
|
Integrating with a third-party solution requires either the use of a full-featured
Cortex XSOAR or
the activation of a free Device Security cloud-based, cohosted, limited
Cortex XSOAR instance. Regardless of which Cortex XSOAR you have,
Device Security provides access to
all supported integrations.
Device Security with a Cohosted Cortex XSOAR Instance
If you want to integrate Device Security with third-party systems but don't
have a full-featured Cortex XSOAR server, you can activate a limited,
cohosted Cortex XSOAR through Device Security.
After you activate it, IoT Security automatically generates a cohosted
Cortex XSOAR instance with the functionality necessary to support
Device Security integrations. When Device Security communicates with
third-party systems, it does so through the Cortex XSOAR instance, which
connects with other systems and runs various jobs such as importing device data into
Device Security or sending work orders for security alerts and vulnerabilities to
other systems for investigation and remediation.
More information about cohosted Cortex XSOAR instances is available at
Third-party Integrations Using Cohosted XSOAR.
- Log in to Device Security in Strata Cloud Manager.
  The free, cohosted Cortex XSOAR is exclusive to Device Security in Strata Cloud Manager. If you still access the Legacy IoT Security portal, take advantage of this opportunity to familiarize yourself with Device Security in Strata Cloud Manager.
- Navigate to Integrations > Integration Management.
- Click Initialize XSOAR.
  The first time you initialize the cohosted Cortex XSOAR, Device Security automatically creates the instance and associates it with your Device Security tenant.
- Access your Cortex XSOAR from Integrations > Integration Management, clicking Manage Integrations, and then clicking Launch Cortex XSOAR.
Device Security with a Full-featured Cortex XSOAR Server
If you already have a full-featured Cortex XSOAR server deployed on premises or in the cloud, you can use that to integrate Device Security with third-party systems. For the Cortex XSOAR server to support Device Security third-party integrations, you must install a Device Security content pack and configure an integration instance on the XSOAR server. The content pack provides XSOAR with all the third-party integration instance settings, playbooks, and jobs that Device Security requires, and the Palo Alto Networks IoT 3rd Party integration instance allows XSOAR to establish a permanent web socket connection with the Device Security application.

The Cortex XSOAR server continues to provide the same functionality it did before it was set up to work with Device Security. However, the Device Security integrations the XSOAR server supports are limited to those in the content pack you install. The content pack has the same set of integrations that a cohosted XSOAR instance has with one exception: you can modify the playbooks for Device Security integrations on an XSOAR server but not on a cohosted instance. To be precise, you can’t modify the playbooks directly, but you can duplicate them, modify the duplicate playbooks, and then use those on the server, which is something you can’t do in a cloud-hosted instance.

When integrating Device Security with third-party systems in a deployment that must comply with FedRAMP Moderate, you must use a full on-premises Cortex XSOAR server running a vendor-approved FIPS version that complies with the FIPS 140-2 standard. This option supports all the same Device Security integrations as the cohosted version but is FIPS compliant.

The Device Security web interface (and the documentation) refer to this as a full-featured Cortex XSOAR server, which is a useful way to distinguish it from a cohosted Cortex XSOAR instance. Nevertheless, the XSOAR server only needs to be deployed on premises to comply with FedRAMP regulations. If your deployment doesn’t need to be FedRAMP compliant, you can deploy the XSOAR server on premises or in the cloud. In either case, the XSOAR server connects to Device Security in the same way.

The setup of a full-featured XSOAR server to work with Device Security is described in Third-Party Integrations Using a Full-Featured XSOAR Server.

Cortex XSOAR Using the Device Security API
If you have a Cortex XSOAR instance and your goal is to integrate it with Device Security—for example, to run an automation or playbook that downloads its inventory of IoT devices—see Palo Alto Networks IoT. There you can learn the commands to create a direct Device Security-to-Cortex XSOAR integration. Note that this is different from the type of integrations in which Device Security leverages XSOAR to work with third-party systems as described in this guide.