Integrate Device Security with Cortex XDR

Integrate Device Security through Cortex XSOAR with Cortex XDR.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A free, cohosted, limited-featured Cortex XSOAR instance
  • A full-featured Cortex XSOAR server
Cortex XDR is a detection and response app that integrates endpoint, network, and cloud data to detect threats, uncover their cause, and accelerate investigations. XDR collects endpoint data from agents installed on IT devices such as laptops and desktops, network data from next-generation firewalls, cloud data from Prisma Access and GlobalProtect™, and additional data from integrated third-party firewalls.
By integrating Device Security with Cortex XDR, Device Security can import attributes for devices in its inventory. You can integrate Device Security with Cortex XDR in two ways:
This integration describes how to import information from Cortex XDR into Device Security. For information about importing alerts and device information from Device Security into Cortex XDR, see Ingest Alerts and Assets from Device Security.
When you integrate Device Security with Cortex XDR, Device Security can import endpoint attributes including EDR isolation status, EDR operational status, EDR group name, OS type, OS version, MAC address, IP address, domain, and username.
When you use the XSOAR-based integration, Device Security can also import host inventory data through XQL host inventory queries. You can enable the following additional data types in the integration instance settings in Cortex XSOAR:
  • Application inventory: Installed applications on managed endpoints
  • KB articles: Installed Windows knowledge base patches on managed endpoints; when Device Security detects that an installed KB resolves a known vulnerability, it marks that vulnerability as resolved
  • CVEs: CVEs identified on managed endpoints
Application inventory, KB article, and CVE data require Cortex XDR XQL. To use XQL options, you need a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license, an API key with Instance Administrator role permissions, and available XQL query quota.
For a full list of attributes that Device Security can learn through the integration, see Cortex XDR Attribute Reference.
If there is a conflict between Device Security and XDR about the OS type and version of a device, Device Security defers to the information from XDR. Because XDR has an agent running on each device, it is considered the more authoritative source.
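The two reconciliation rules described above (XDR attributes are imported onto the matching inventory entry with XDR winning any conflict over OS type and version, and an installed KB that resolves a known vulnerability marks it resolved) can be made concrete in code. The following is an added illustrative example, not Palo Alto Networks code or the integration's own implementation. The record layouts, field names, the KB-to-CVE lookup table, the sample device, and the handling of conflicts in non-OS attributes (kept on the Device Security side and logged) are constructed assumptions; the page does not specify them.

```python
"""Reconcile a Device Security inventory entry with a Cortex XDR endpoint record.

Added illustrative example, not Palo Alto Networks code. Field names, record
layouts and the KB-to-CVE mapping are constructed assumptions. The rules come
from the integration description: XDR attributes are imported onto the
matching inventory entry, XDR is authoritative for OS type and version on
conflict, and an installed KB that resolves a known vulnerability marks it
resolved.
"""
from dataclasses import dataclass, field
from typing import Optional

# Endpoint attributes the integration imports from XDR (names are assumed).
XDR_IMPORTED_ATTRIBUTES = (
    "edr_isolation_status", "edr_operational_status", "edr_group_name",
    "os_type", "os_version", "mac_address", "ip_address", "domain", "username",
)
# Attributes for which XDR wins a conflict (agent on the device is authoritative).
XDR_AUTHORITATIVE = {"os_type", "os_version"}


@dataclass
class Vulnerability:
    cve_id: str
    resolved: bool = False
    resolved_by: Optional[str] = None  # KB article that resolved it


@dataclass
class Device:
    mac_address: str
    attributes: dict = field(default_factory=dict)
    vulnerabilities: list = field(default_factory=list)
    conflicts: list = field(default_factory=list)  # (attribute, inventory value, XDR value)


def import_xdr_attributes(device: Device, xdr_endpoint: dict) -> Device:
    """Merge one XDR endpoint record into a Device Security inventory entry.

    Missing inventory fields are filled from XDR. Where both sides disagree,
    OS type and version are overwritten with the XDR value; for other
    attributes the inventory value is kept and the conflict is recorded
    (assumed policy, not stated on the page).
    """
    for name in XDR_IMPORTED_ATTRIBUTES:
        xdr_value = xdr_endpoint.get(name)
        if xdr_value is None:
            continue
        current = device.attributes.get(name)
        if current is None:
            device.attributes[name] = xdr_value
        elif current != xdr_value:
            device.conflicts.append((name, current, xdr_value))
            if name in XDR_AUTHORITATIVE:
                device.attributes[name] = xdr_value
    return device


def apply_kb_resolution(device: Device, installed_kbs: list, kb_resolves: dict) -> list:
    """Mark vulnerabilities resolved when an installed KB is known to fix them.

    kb_resolves maps a KB article id to the CVE ids it addresses; it is a
    constructed lookup standing in for Device Security's vulnerability data.
    Returns the CVE ids newly marked resolved.
    """
    fixed_cves = {cve: kb for kb in installed_kbs for cve in kb_resolves.get(kb, ())}
    newly_resolved = []
    for vuln in device.vulnerabilities:
        if not vuln.resolved and vuln.cve_id in fixed_cves:
            vuln.resolved = True
            vuln.resolved_by = fixed_cves[vuln.cve_id]
            newly_resolved.append(vuln.cve_id)
    return newly_resolved


def demo() -> Device:
    """Run both rules over constructed sample records and return the device."""
    device = Device(
        mac_address="00:11:22:33:44:55",
        attributes={"os_type": "Windows", "os_version": "10.0.19043",
                    "ip_address": "10.0.0.25"},
        vulnerabilities=[Vulnerability("CVE-EXAMPLE-0001"),
                         Vulnerability("CVE-EXAMPLE-0002")],
    )
    xdr_endpoint = {  # constructed XDR endpoint record
        "edr_isolation_status": "not_isolated",
        "edr_operational_status": "protected",
        "edr_group_name": "finance-laptops",
        "os_type": "Windows",
        "os_version": "10.0.19045",  # disagrees with inventory: XDR wins
        "ip_address": "10.0.0.30",   # disagrees: inventory kept, conflict logged
        "domain": "corp.example",
        "username": "jdoe",
    }
    import_xdr_attributes(device, xdr_endpoint)
    # Constructed mapping: KB-EXAMPLE-1 resolves CVE-EXAMPLE-0001 only.
    apply_kb_resolution(device, ["KB-EXAMPLE-1"], {"KB-EXAMPLE-1": ["CVE-EXAMPLE-0001"]})
    return device


if __name__ == "__main__":
    result = demo()
    print(result.attributes)
    print(result.conflicts)
    print([(v.cve_id, v.resolved, v.resolved_by) for v in result.vulnerabilities])
```

Running the module shows the OS version taken from XDR, the IP address retained from the inventory with the disagreement recorded in `conflicts`, and only the CVE covered by the installed KB flipped to resolved; the conflict list is the audit trail an operator would review when the two sources drift.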