Third-party Integrations Using a Full-featured XSOAR Server

Set up a full-featured Cortex XSOAR server for IoT Security integration with third-party solutions.

IoT Security can integrate with third-party systems through a full on-premises or cloud-hosted Cortex XSOAR server running Cortex XSOAR version 6.8–6.12 and 8.0 (Cortex XSOAR NG). This option supports the same IoT Security integrations as the cohosted version but doesn’t require the purchase of an IoT Security Third-party Integrations Add-on license. In addition, the full-featured Cortex XSOAR product allows you to create and modify third-party integration playbooks, unlike the cohosted, purpose-built XSOAR service, which has preconfigured playbooks that can't be modified.

The following instructions for setting up IoT Security and a full-featured XSOAR server assume that you’ve already installed an XSOAR server on your network or in the cloud and that you are now preparing it to provide third-party integration opportunities for IoT Security.

IoT Security supports third-party integrations through XSOAR servers running Cortex XSOAR version 6.8–6.12 and version 8.0 (Cortex XSOAR NG).

For FedRAMP compliance, the on-premises XSOAR server must be running a vendor-approved FIPS version that complies with the FIPS 140-2 standard.

  1. Choose a Cortex XSOAR server for IoT Security to use for third-party integrations.
    1. Log in to the IoT Security portal and select Integrations.
      If you have not bought and activated an IoT Security Third-Party Integrations Add-on license, two options appear on the Integrations page.
    2. Select Integrate through a full-featured Cortex XSOAR server and then Save.
      IoT Security takes a few minutes to prepare to use a Cortex XSOAR server for third-party integrations. When done, the Integrations page changes to show XSOAR installation settings and a list of the steps for setting up third-party integrations through a full-featured XSOAR server.
      After you save your selection, a button appears in the upper right of the page: Switch integration methods. If you have both a full-featured Cortex XSOAR server and an IoT Security Third-party Integrations Add-on license, you can switch between the XSOAR server and the cohosted XSOAR instance. However, you can only use one method at a time.
  2. Download the IoT Security Content Pack.
    On the Integrations page, download the IoT Security content pack as a .zip file.
    Do not download and attempt to use the IoT Security content pack from the Cortex XSOAR marketplace. It isn't current and doesn't support all the third-party integrations that the content pack available from the IoT Security portal does. Only download and use the content pack from the IoT Security portal.
  3. Create an API access key and then download the key and key ID.
    If you have the text file for a currently active API access key, you can use that instead of creating a new API access key.
    1. On the Integrations page in IoT Security, click Create under API Access Key.
    2. In the Create Access Key dialog box, click Create again.
    3. In the Access Key Created dialog box, Download the access key and key ID as a text file.
  4. Copy the IoT Security tenant URL.
  5. Configure the Cortex XSOAR server.
    Log in to the Cortex XSOAR server, upload the content pack, and use your IoT Security tenant URL, API access key, and key ID to configure the "Palo Alto Networks IoT 3rd Party" integration instance.
    1. Log in to the XSOAR server using credentials for a user account with administrator privileges, which let you upload the IoT Security content pack.
    2. Cortex XSOAR version 6.8–6.12: Because the IoT Security content pack is not provided by Cortex XSOAR, set content pack verification to false. Select Settings > About > Troubleshooting, enter false in the content.pack.verify field in the Server Configuration section, and then Save.
      or
      Cortex XSOAR version 8.0: Because IoT Security provides the content pack instead of Cortex XSOAR, it cannot be verified. Therefore, to upload it without a verification check, select Settings & Info > Server Settings and then either drag-and-drop the content pack file onto Upload custom content in the Custom Content section or browse to the content pack file and upload it.
    3. Cortex XSOAR version 6.8–6.12: On the XSOAR server, navigate to the Marketplace, click the three vertical dots icon in the upper right, and then Upload Content Packs.
    4. Cortex XSOAR version 6.8–6.12: Select the previously downloaded IoT Security content pack for XSOAR to upload and install.
    5. Select Settings, search for palo alto networks iot 3rd party, and then click Add instance to open the settings panel.
    6. Enter the following and leave other settings at their default values:
      Name: Use the default name (Palo Alto Networks IoT 3rd Party_instance_1) or enter a new one.
      IoT Security Tenant URL: Copy this from the Integrations page in IoT Security and paste it here.
      Access Key: Copy this from the API access key file you downloaded and paste it here.
      Key ID: Copy this from the API access key file you downloaded and paste it here.
      Long running instance: (select; this maintains a session between the XSOAR server and IoT Security, using a regular heartbeat mechanism to monitor connectivity)
      Single engine: Choose No engine.
    7. Test the integration instance settings.
      When finished, click Test. If the test is successful, a Success message appears and Cortex XSOAR and IoT Security have established a link. If not, check that the settings were entered correctly and then test the configuration again.
    8. Click Save & exit to save your changes and close the settings panel.
  6. Configure IoT Security third-party integrations.
    After you’ve installed a content pack for IoT 3rd party integrations, you can begin configuring integrations with third-party systems. For IoT Security and Cortex XSOAR to integrate with a third-party system, you must configure XSOAR with an integration instance specifying connection settings and a job running a playbook over the connection.
    The following is a list of the jobs and their configuration elements for the third-party integrations that IoT Security supports. For detailed configuration instructions, see the section for specific integrations in this guide.
    Although the integration instructions later in this guide assume that you’re using a cohosted XSOAR module, the configuration instructions for the integration instances and jobs are similar for both cohosted deployments and full-featured Cortex XSOAR server deployments.

    Asset Discovery
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Rockwell Asset Centre | Import Rockwell AssetCentre assets to PANW IoT cloud | Yes | Required: "Integration Instance Name"; Optional: "Poll Interval" (If not set, playbook imports all devices.) | Imports devices from Rockwell Automation AssetCentre to IoT Security. |
    | PANW IoT 3rd Party Integration - Asset Attribute Polling | Bulk Import Asset Attributes Using Asset Attribute Polling - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" and "Device Polling IP address/Subnet" | Imports device attributes using asset attribute polling. |

    Asset Management
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - AIMS | Export AIMS maps and devices to PANW IoT | Yes | No arguments required. Only a single instance is supported. | Exports AIMS facilities, vendors, employees, work order priority list mappings, and device data to IoT Security. |
    | PANW IoT 3rd Party Integration - AIMS | Export AIMS assignee and priority lists to PANW IoT | Yes | No arguments required. Only a single instance is supported. | Exports the assignee list and work order priority list from AIMS to IoT Security. |
    | PANW IoT 3rd Party Integration - Microsoft SCCM | Import Microsoft SCCM devices to PANW IoT cloud | Yes | Required: "Integration Instance Name" | Fetches available endpoint data from a Microsoft SCCM SQL server and sends it to IoT Security. |
    | PANW IoT 3rd Party Integration - Nuvolo | Bulk Export Devices to Nuvolo - PANW IoT 3rd Party Integration | No | No arguments required. Only a single instance is supported. | Retrieves all devices from IoT Security and sends them to a third-party integration instance. |
    | PANW IoT 3rd Party Integration - Nuvolo | Bulk Import Devices from Nuvolo to PANW IoT Cloud - PANW IoT 3rd Party Integration | No | No arguments required. Only a single instance is supported. | Retrieves all devices from the Nuvolo instance and sends them to IoT Security. Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on a full-featured XSOAR server. |
    | PANW IoT 3rd Party Integration - Nuvolo | Incremental Export Devices to Nuvolo - PANW IoT 3rd Party Integration | Yes | No arguments required. Only a single instance is supported. The fixed poll interval is 15 minutes. | Retrieves devices from IoT Security and sends them to the third-party integration instance. Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on a full-featured XSOAR server. |
    | PANW IoT 3rd Party Integration - ServiceNow v2 | Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration | Yes | No arguments required. Only a single instance is supported. The fixed poll interval is 15 minutes. | Retrieves devices discovered by IoT Security and sends them to a third-party integration instance. |
    | PANW IoT 3rd Party Integration - ServiceNow v2 | Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration | No | No arguments required. Only a single instance is supported. | Retrieves all devices from IoT Security and sends them to a third-party integration instance. |

    Endpoint Protection
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Cortex XDR - IR | Incremental Export of Cortex XDR - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name"; Optional: "Site Names" and "Playbook Poll Interval" | Retrieves active devices found by IoT Security, queries Cortex XDR to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval. |
    | PANW IoT 3rd Party Integration - CrowdStrike Falcon | Incremental Import of CrowdStrike Falcon - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name"; Optional: "Site Names" and "Playbook Poll Interval" | Retrieves active devices found by IoT Security, queries CrowdStrike Falcon to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval. |
    | PANW IoT 3rd Party Integration - Tanium | Import Tanium Vulnerabilities to PANW IoT cloud | Yes | Required: "Integration Instance Name"; Optional: "Import vulnerabilities by CVE severity levels" | Imports vulnerabilities from Tanium to IoT Security. |

    Network Management
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Aruba Central | Import Aruba Central devices to PANW IoT cloud | Yes | Required: "Integration Instance Name"; Optional: "Import Aruba Central wired client details to IoT Security" | Retrieves client details from Aruba Central. By default, only wireless device details are retrieved. You have the option to retrieve details for both wired and wireless devices. |
    | PANW IoT 3rd Party Integration - cisco-dnac-IoT | extract-dnac-clients | Yes | Required: "Integration Instance Name"; Optional: "Site Names" and "Playbook Poll Interval" | Retrieves active devices found by IoT Security, queries Cisco DNA Center to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval. |
    | PANW IoT 3rd Party Integration - Cisco Meraki Cloud | Get Cisco Meraki Cloud Organizations and Networks - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" | Retrieves Cisco Meraki Cloud organizations and networks. |
    | PANW IoT 3rd Party Integration - Cisco Meraki Cloud | Import Cisco Meraki Cloud Network Clients - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name"; Optional: "Cisco Meraki Networks"; Optional: "Cisco Meraki Organizations"; Optional: "Poll Interval" (Range: 1-31 days, default: 31) | Imports all the Cisco Meraki Cloud clients to IoT Security. |
    | PANW IoT 3rd Party Integration - Cisco Prime | Cisco Prime Clients | Yes | Required: "Integration Instance Name"; Optional: "Site Names" and "Playbook Poll Interval" | Retrieves active devices found on IoT Security, queries Cisco Prime to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval. |
    | PANW IoT 3rd Party Integration - SNMP | Incremental SNMP data import to PANW IoT Cloud - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Performs an SNMP crawl, retrieves all available endpoint data, and reports it to IoT Security. |
    | PANW IoT 3rd Party Integration - Network Discovery | Network Discovery - Export Devices using SNMP | Yes | Required: "Integration Instance Name"; Optional: Network Discovery Skip Neighbor Discovery Patterns | Performs an SNMP crawl, retrieves all available L2, L3, and endpoint data and reports it to IoT Security. |

    IP Address Management
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - BlueCat IPAM | Bulk Import of subnet network info from BlueCat IPAM to PANW IoT Cloud | Yes | Required: "Integration Instance Name" | Fetches available IPAM data from a BlueCat Address Manager and sends it to IoT Security. |
    | PANW IoT 3rd Party Integration - Infoblox IPAM | Bulk Import of subnet network info from Infoblox IPAM to PANW IoT Cloud | Yes | Required: "Integration Instance Name" | Fetches available IPAM data from an Infoblox Grid Master and sends it to IoT Security. |

    Wireless Network Controllers
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Aruba WLAN Controller | Import Aruba WLC devices to PANW IoT cloud | Yes | Required: "Integration Instance Name" | Fetches available endpoint data from an Aruba WLAN controller and sends it to IoT Security. |
    | PANW IoT 3rd Party Integration - Cisco WLAN Controller | Import Cisco WLC devices to PANW IoT cloud | Yes | Required: "Integration Instance Name" | Fetches available endpoint data from a Cisco WLAN controller and sends it to IoT Security. |

    Security Information and Event Management
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Syslog Sender | Bulk Export to SIEM - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" | Retrieves all devices, alerts, and vulnerabilities from IoT Security and sends them to a third-party integration instance. |
    | PANW IoT 3rd Party Integration - Syslog Sender | Incremental Export to SIEM - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name". Default poll interval is 15 minutes. | Retrieves devices, alerts, and vulnerabilities from IoT Security and sends them to a third-party integration instance. Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on a full-featured XSOAR server. |

    Network Access Control
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Aruba ClearPass | Incremental Export to Aruba ClearPass- PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Aruba ClearPass | Bulk Export to Aruba ClearPass - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves all devices from IoT Security and sends them to the third-party integration instance. Filters for IoT Security devices: Custom attributes, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Cisco ISE | Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Cisco ISE | Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves all devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Cisco ISE pxGrid | Bulk Export to Cisco ISE pxGrid - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves all devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Cisco ISE pxGrid | Increment Export to Cisco ISE pxGrid - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Forescout | Incremental Export to Forescout - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement. |
    | PANW IoT 3rd Party Integration - Forescout | Bulk Export to Forescout - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name"; Optional: "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement" | Retrieves all devices from IoT Security and sends them to the third-party integration instance. Filters for PANW IoT devices: site name(s), custom attributes, tag enforcement. |

    Vulnerability Scanning
    | Integration Name | Playbook | Recurring Job | Job Parameters | Description / Details |
    |---|---|---|---|---|
    | PANW IoT 3rd Party Integration - Qualys | Incremental Qualys Get Scans and Report Handling V2- PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Generates and retrieves all reports from scans generated in the last hour. |
    | PANW IoT 3rd Party Integration - Qualys | Bulk Qualys Get Scans and Report Handling V2- PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" | Generates and retrieves all reports from scans generated in the last 30 days. |
    | PANW IoT 3rd Party Integration - Qualys | Get Qualys Scanners and Profiles - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Run this job periodically to retrieve names of all scan engines, sites, and vulnerability scan templates that Qualys uses. Set the interval to run the job based on the frequency of change on the Qualys side of the integration. Although this job is prebuilt on a cohosted XSOAR instance and runs every 15 minutes by default, it must be manually created on a full-featured XSOAR server. |
    | PANW IoT 3rd Party Integration - Qualys | Qualys Report Handling - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Generates reports for all scans initiated from IoT Security since the last time this job was run. A typical recurring interval is every 20 or 30 minutes. Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on a full-featured XSOAR server. |
    | PANW IoT 3rd Party Integration - Rapid7 Nexpose | Incremental Rapid7 Get Scans and Generate Reports V2- PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Automatically generates reports of all vulnerability scans that Rapid7 performed in the last hour. |
    | PANW IoT 3rd Party Integration - Rapid7 Nexpose | Incremental Rapid7 Get Scans and Report Handling V2- PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Retrieves all Rapid7 vulnerability scan reports generated in the last hour. |
    | PANW IoT 3rd Party Integration - Rapid7 Nexpose | Bulk Rapid7 Get Scans and Generate Reports V2- PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" | Run this job on demand to generate Rapid7 vulnerability scan reports in bulk for the last 30 days. |
    | PANW IoT 3rd Party Integration - Rapid7 Nexpose | Bulk Rapid7 Get Scans and Report Handling V2- PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" | Run this job after finishing the bulk report generation job to import the reports from Rapid7 to IoT Security. |
    | PANW IoT 3rd Party Integration - Rapid7 Nexpose | Get Nexpose Engines, Sites and Templates - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Run this job periodically to retrieve names of all scan engines, sites, and vulnerability scan templates that Rapid7 uses. Set the interval to run the job based on the frequency of change on the Rapid7 side of the integration. Although this job is prebuilt on a cohosted XSOAR instance and runs every 15 minutes by default, it must be manually created on a full-featured XSOAR server. |
    | PANW IoT 3rd Party Integration - Tenable.io | Incremental Tenable Get Scans and Report Handling V2- PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Generates and retrieves all reports from scans generated in the last hour. |
    | PANW IoT 3rd Party Integration - Tenable.io | Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration | No | Required: "Integration Instance Name" | Generates and retrieves all reports from scans generated in the last 30 days. |
    | PANW IoT 3rd Party Integration - Tenable.io | PANW IoT Get Tenable Scanners and Profiles - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Run this job periodically to retrieve names of all scan engines, sites, and vulnerability scan templates that Tenable uses. Set the interval to run the job based on the frequency of change on the Tenable side of the integration. Although this job is prebuilt on a cohosted XSOAR instance and runs every 15 minutes by default, it must be manually created on a full-featured XSOAR server. |
    | PANW IoT 3rd Party Integration - Tenable.io | Tenable Report Handling - PANW IoT 3rd Party Integration | Yes | Required: "Integration Instance Name" | Generates reports for all scans initiated from IoT Security since the last time this job was run. A typical recurring interval is every 20 or 30 minutes. Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on a full-featured XSOAR server. |
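
Step 5 uploads the content pack with XSOAR's pack verification turned off (version 6.8–6.12) or without a verification check (version 8.0), so any checks on the archive are ones you run yourself before upload. The following Python script is an added example, not code from Palo Alto Networks or from the content pack: it records the SHA-256 of the downloaded .zip and inspects it in memory for traversal paths, inflated members, and CRC errors. The root-level metadata.json with "name" and "currentVersion" keys, the thresholds, and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import json
import zipfile
from pathlib import PurePosixPath

MAX_RATIO = 100                       # assumed threshold: uncompressed/compressed per entry
MAX_TOTAL_BYTES = 200 * 1024 * 1024   # assumed ceiling for the unpacked pack
MAX_METADATA_BYTES = 1024 * 1024      # never read more than this from metadata.json


def is_unsafe_path(name: str) -> bool:
    """True for absolute, drive-letter or parent-traversal member names."""
    norm = name.replace("\\", "/")
    path = PurePosixPath(norm)
    return path.is_absolute() or ".." in path.parts or norm[1:2] == ":"


def inspect_pack(data: bytes) -> dict:
    """Inspect a content pack archive in memory, without extracting it to disk."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # keep with the change record
        "entries": 0,
        "total_uncompressed": 0,
        "unsafe_paths": [],
        "suspicious_ratio": [],
        "crc_error": None,
        "metadata": None,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"] += 1
            report["total_uncompressed"] += info.file_size
            if is_unsafe_path(info.filename):
                report["unsafe_paths"].append(info.filename)
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                report["suspicious_ratio"].append(info.filename)
        size_ok = report["total_uncompressed"] <= MAX_TOTAL_BYTES
        if size_ok and not report["suspicious_ratio"]:
            # Sizes look sane, so decompressing is acceptable: check every CRC.
            report["crc_error"] = zf.testzip()
            # Assumption: pack metadata lives in metadata.json at the archive root.
            if ("metadata.json" in zf.namelist()
                    and zf.getinfo("metadata.json").file_size <= MAX_METADATA_BYTES):
                meta = json.loads(zf.read("metadata.json"))
                if isinstance(meta, dict):
                    report["metadata"] = {k: meta.get(k) for k in ("name", "currentVersion")}
    report["ok"] = (size_ok and not report["unsafe_paths"]
                    and not report["suspicious_ratio"] and report["crc_error"] is None)
    return report


def build_sample(tampered: bool = False) -> bytes:
    """Constructed sample archive (not the real IoT Security content pack)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps(
            {"name": "Constructed Sample Pack", "currentVersion": "1.0.0"}))
        zf.writestr("Integrations/Sample/Sample.yml", "name: sample\n")
        if tampered:
            zf.writestr("../../outside.txt", "x")            # traversal member name
            zf.writestr("Playbooks/padding.bin", b"\0" * 2_000_000,
                        compress_type=zipfile.ZIP_DEFLATED)  # extreme compression ratio
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("tampered", build_sample(True))):
        print(label, json.dumps(inspect_pack(blob), indent=2))
```

To check a real download, pass the file's bytes (for example from `pathlib.Path(...).read_bytes()`) to `inspect_pack` and keep the reported SHA-256 so that a later re-download can be compared against it.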
