Integrate Device Security with SIEM
Integrate Device Security with a SIEM through Cortex XSOAR to send the SIEM device details, security alerts, and device vulnerabilities.

Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)

What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A Device Security Third-party Integration Add-on license that includes a cohosted, limited-featured Cortex XSOAR instance
    AND
    A Cortex XSOAR Engine (on-premises integration)
  • A full-featured Cortex XSOAR server
Palo Alto Networks Device Security supports security information and event management (SIEM) logging, which lets you send information about discovered devices, security alerts, and device vulnerabilities to your SIEM server for further action. Device Security integrates through Cortex XSOAR with any SIEM that accepts the Common Event Format (CEF).
After the setup is complete, the entire device inventory is exported once from Device Security through XSOAR to the SIEM server. After that, XSOAR requests incremental updates from Device Security at 15-minute intervals by default. On each request, Device Security checks whether any devices, alerts, or vulnerabilities were newly discovered, or whether any attribute field of a previously discovered device changed, since the previous update and, if so, responds with only that delta. The same delta logic applies to security alerts and vulnerabilities. Independently of these periodic automated updates, you can also run commands in the Device Security portal to send security alerts and device vulnerabilities to the SIEM on demand.
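The following is an added example, not Palo Alto Networks or Cortex XSOAR code, showing the two pieces of the flow described above: computing the 15-minute inventory delta (new devices, or previously seen devices whose tracked attribute fields changed) and serializing each delta record as a CEF line with correct header and extension escaping. The device records, the tracked attribute names, the risk-to-severity mapping, and the choice of CEF extension keys (dvcmac, dvc, cs1..cs5) are constructed for illustration and are assumptions; they do not reflect the actual Device Security schema or XSOAR's mapping.

```python
"""Inventory delta -> CEF, an added illustration of the SIEM export flow.

Not Palo Alto Networks / XSOAR code. Field names, severity mapping and the
CEF extension keys used here are assumptions made for this example.
"""
from __future__ import annotations

from typing import Dict, List, NamedTuple

CEF_VERSION = 0
# Assumed header values; real integrations populate these from the product.
VENDOR, PRODUCT, VERSION = "Palo Alto Networks", "Device Security", "1.0"

# Attribute fields compared between polls (assumed names, not the product's).
TRACKED = ("ip", "profile", "vendor", "os", "risk")
# Assumed mapping from a device risk label to CEF severity (0..10).
RISK_SEVERITY = {"Low": 3, "Medium": 5, "High": 7, "Critical": 9}


def _esc_header(value: str) -> str:
    # CEF header fields: escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values: escape backslash, '=' and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    """Build one CEF line: CEF:0|Vendor|Product|Version|ID|Name|Severity|ext."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_esc_header(v) for v in
                      (VENDOR, PRODUCT, VERSION, event_id, name, str(severity)))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:{CEF_VERSION}|{header}|{extension}"


class Delta(NamedTuple):
    device_id: str
    kind: str          # "new" or "changed"
    fields: List[str]  # tracked fields that differ (all of them for "new")
    record: Dict[str, str]


def inventory_delta(previous: Dict[str, dict], current: Dict[str, dict]) -> List[Delta]:
    """Return only devices that are new or whose tracked attributes changed."""
    deltas: List[Delta] = []
    for device_id, rec in current.items():
        old = previous.get(device_id)
        if old is None:
            deltas.append(Delta(device_id, "new", list(TRACKED), rec))
            continue
        diffs = [f for f in TRACKED if rec.get(f) != old.get(f)]
        if diffs:
            deltas.append(Delta(device_id, "changed", diffs, rec))
    return deltas


def delta_to_cef(previous: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Serialize each delta record as a CEF event for the SIEM."""
    events = []
    for d in inventory_delta(previous, current):
        new = d.kind == "new"
        ext = {
            "dvcmac": d.device_id,
            "dvc": d.record.get("ip", ""),
            "cs1Label": "profile", "cs1": d.record.get("profile", ""),
            "cs2Label": "vendor", "cs2": d.record.get("vendor", ""),
            "cs3Label": "os", "cs3": d.record.get("os", ""),
            "cs4Label": "risk", "cs4": d.record.get("risk", ""),
            "cs5Label": "changedFields", "cs5": ",".join(d.fields),
        }
        events.append(to_cef(
            "device-new" if new else "device-changed",
            "New device discovered" if new else "Device attributes changed",
            RISK_SEVERITY.get(d.record.get("risk", ""), 0),
            ext))
    return events


# Constructed sample inventories keyed by MAC address (not real data).
PREVIOUS_INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.0.0.5", "profile": "IP Camera", "vendor": "Axis",
                          "os": "Linux", "risk": "Low"},
    "66:77:88:99:aa:bb": {"ip": "10.0.0.9", "profile": "Infusion Pump", "vendor": "Baxter",
                          "os": "VxWorks", "risk": "Medium"},
}
CURRENT_INVENTORY = {
    # Camera moved to a new IP and its risk rose: a "changed" delta.
    "00:11:22:33:44:55": {"ip": "10.0.0.6", "profile": "IP Camera", "vendor": "Axis",
                          "os": "Linux", "risk": "High"},
    # Pump is unchanged: no event.
    "66:77:88:99:aa:bb": PREVIOUS_INVENTORY["66:77:88:99:aa:bb"],
    # Newly discovered device; the '=' in the OS string exercises escaping.
    "cc:dd:ee:ff:00:11": {"ip": "10.0.0.21", "profile": "Workstation", "vendor": "Dell",
                          "os": "Windows 10 (build=19045)", "risk": "Low"},
}

if __name__ == "__main__":
    for line in delta_to_cef(PREVIOUS_INVENTORY, CURRENT_INVENTORY):
        print(line)
```

Running the block prints two CEF lines (the changed camera and the new workstation) and nothing for the unchanged pump, which is the behaviour a SIEM-side parser should expect from delta polling: absence of an event means no change, not absence of the device. Escaping the `|` in header fields and `=` in extension values matters because device-supplied strings (OS banners, profile names) can otherwise shift field boundaries and corrupt the SIEM's parse.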
Integrating with SIEM requires either a full-featured Cortex XSOAR server or the purchase and activation of a Device Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic plan includes a license for three integration add-ons, one of which can be used for SIEM. The advanced plan includes a license for all supported third-party integrations.