External Integrations

You can integrate Cortex XDR with other Palo Alto Networks security products and with third-party products.

To aid you with threat investigation, Cortex XDR displays the WildFire-issued verdict for each Key Artifact in an incident. To provide additional verification sources, you can integrate external threat intelligence services with Cortex XDR; their results are then displayed for each Key Artifact in an incident.

Cortex XDR supports the following integrations.
Threat Intelligence

Integration: WildFire®
Description: Cortex XDR automatically includes WildFire threat intelligence in incident and alert investigation. WildFire detects known and unknown threats, such as malware. The WildFire verdict contains detailed insights into the behavior of identified threats. The WildFire verdict displays next to the relevant Key Artifacts in the incident details page. See Review WildFire® Analysis Details for more information.

Integration: AutoFocus™
Description: AutoFocus groups conditions and indicators related to a threat with a tag. Tags can be user-defined or come from threat-research team publications, and are divided into classes such as exploit, malware family, and malicious behavior. See the AutoFocus Administrator's Guide for more information on AutoFocus tags.
To view AutoFocus tags in Cortex XDR incidents, you must obtain the license key for the service and add it to the Cortex XDR Configuration. When you add the service, the relevant tags display in the incident details page under Key Artifacts.

Integration: VirusTotal
Description: VirusTotal provides aggregated results from over 70 antivirus scanners, domain blocklist services, and user contributions. The VirusTotal score is represented as a fraction; for example, a score of 34/52 means that of the 52 services queried, 34 determined the artifact to be malicious.
To view VirusTotal threat intelligence in Cortex XDR incidents, you must obtain the license key for the service and add it to the Cortex XDR Configuration. When you add the service, the relevant VirusTotal (VT) score displays in the incident details page under Key Artifacts.

Incident Management

Integration: Cortex XSOAR
Description: Cortex XSOAR enables automated and coordinated threat response with the ability to adjust and test response playbooks. When used with Cortex XDR, you can manage incidents from the Cortex XSOAR interface and leverage the Cortex XDR Causality Analytics Engine and detection capabilities. Changes made in one app are reflected in the other.

Integration: Third-party ticketing systems
Description: To manage incidents from the application of your choice, you can use the Cortex XDR API Reference to send alerts and alert details to an external receiver. After you generate your API key and set up the API to query Cortex XDR, external apps can receive incident updates, request additional data about incidents, and make changes such as setting the status, changing the severity, or assigning an owner. To get started, see the .
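The ticketing-system hand-off described above, as an added Python example that is not part of this page or of Palo Alto Networks' own code: it builds the signed request headers for an Advanced API key and the payload that sets an incident's status, severity and owner. The endpoint path, header names and field names are assumptions based on the Cortex XDR API Reference; verify them against your tenant's documentation before use.

```python
"""Push a status, severity or owner change to a Cortex XDR incident.
Added example, not from the page or Palo Alto Networks. It assumes the
Advanced API key scheme and the update_incident endpoint and field names;
confirm both against the Cortex XDR API Reference for your tenant.
"""
import hashlib
import json
import secrets
import time
import urllib.request

UPDATE_PATH = "/public_api/v1/incidents/update_incident/"  # assumed; verify


def build_auth_headers(api_key, api_key_id, nonce=None, timestamp_ms=None):
    """Advanced-key headers: Authorization = sha256(key + nonce + timestamp).
    The raw key never travels, and the nonce/timestamp binding lets the
    server reject a captured header replayed outside its time window."""
    nonce = secrets.token_hex(32) if nonce is None else nonce
    timestamp_ms = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def build_update_payload(incident_id, status=None, severity=None, owner_email=None):
    """Send only the fields the ticketing system changed; an empty update is
    an error rather than a silent no-op request."""
    update = {}
    if status is not None:
        update["status"] = status
    if severity is not None:
        update["severity"] = severity
    if owner_email is not None:
        update["assigned_user_mail"] = owner_email
    if not update:
        raise ValueError("nothing to update")
    return {"request_data": {"incident_id": str(incident_id), "update_data": update}}


def update_incident(fqdn, api_key, api_key_id, incident_id, **changes):
    """Network call; fqdn is your tenant's API host (an assumption, not the page's)."""
    body = json.dumps(build_update_payload(incident_id, **changes)).encode()
    req = urllib.request.Request(f"https://{fqdn}{UPDATE_PATH}", data=body,
                                 headers=build_auth_headers(api_key, api_key_id))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Keep the API key out of source control and rotate it if a signed request is ever logged with its nonce and timestamp still within the tenant's acceptance window.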
