>
    Strata Copilot
    Set up Device Security and XSOAR for Cortex XDR Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Integration Guide
    4. Endpoint Protection
    5. Integrate Device Security with Cortex XDR
    6. Set up Device Security and XSOAR for Cortex XDR Integration
    Download PDF
    Device Security

    Set up Device Security and XSOAR for Cortex XDR Integration

    Table of Contents

    Set up Device Security and XSOAR for Cortex XDR Integration

    Set up Device Security and Cortex XSOAR to integrate with Cortex XDR.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
    • Device Security X subscription
    One of the following Cortex XSOAR setups:
    • A free, cohosted, limited-featured Cortex XSOAR instance
    • A full-featured Cortex XSOAR server
    To set up Device Security to integrate through Cortex XSOAR with Cortex XDR, you need the following:
    • Advanced API key for Cortex XDR
    • API key ID
    • URL of your XDR instance
    Device Security can integrate with Cortex XDR directly through the Cortex XDR API. The API integration does not require Cortex XSOAR. To integrate Device Security with Cortex XDR through the API, see Set up Device Security for Cortex XDR API Integration.
    1. Log in to Device Security and then access Cortex XDR integration settings in Cortex XSOAR.
      1. Because Device Security uses XSOAR to integrate with XDR, you must configure settings for the XDR integration instance in the Cortex XSOAR interface. To access XSOAR, log in to Device Security and select IntegrationsLaunch Cortex XSOAR.
      2. Click Settings in the left navigation menu and search for xdr to locate it among other instances.
    2. Configure the Cortex XDR integration instance.
      1. Add instance to open the settings panel.
      2. Enter the following and leave other settings at their default values:
        Name: Enter a name for the XDR integration instance.
        Server URL (copy URL from XDR): Copy the URL that you saved earlier in a text file and paste it here.
        API Key ID: Enter the API key ID that you previously noted.
        API Key: Copy the API key string and paste it here.
        Single engine: Choose No engine.
      3. When finished, click Test.
        If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.
      4. After the test succeeds, copy the name of the integration instance to use in the job you create next, and then click Save & exit to save your changes and close the settings panel.
    3. Create a job to retrieve device attributes from Cortex XDR every 15 minutes.
      1. Click Jobs near the bottom of the left navigation menu to open the Jobs page.
      2. Click New Job at the top of the Jobs page.
      3. Enter the following, leave the other fields at their default values:
        Time triggered: (select)
        Recurring: Select this because you want to periodically import device attributes from Cortex XDR.
        Every: Enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. (If you don’t select anything, the job runs everyday.) This determines how often XSOAR imports data from Cortex XDR. It’s important to set an interval that provides enough time for the job to complete, considering factors such as the number of devices that are active on the network. You might start by running the job every 15 minutes and then increasing it as necessary until each job completes before the next one starts. You can see the run status of a recurring job on the Jobs page. When in progress, its status is Running. When done, its status changes to Completed.
        Name: Type a name for the job such as XDR device attributes retrieval.
        Playbook: Incremental Export of Cortex XDR - PANW IoT 3rd Party Integration
        Integration Instance Name: Paste the integration instance name that you copied in the previous step. If this field is empty or an entered name does not match an instance, the job won’t run successfully.
        Playbook Poll Interval: Enter a number (the value, though unspecified, is minutes) defining the period of time during which Device Security must see newly discovered devices or network activity from previously discovered devices to import device attributes from XDR. It’s common to use the same interval as the one for running the recurring job. However, if you increase the interval between jobs, you can set a shorter interval for polling than that for the job. If you leave it blank, the default poll interval is 15 minutes.
        The default value is 15 minutes.
        Site Names: Leave the field empty to import device attributes for all sites. To limit imports to devices at one or more sites, enter comma-separated site names.
      4. Create new job.
    4. To enable the XDR integration instance, click Enable.
      XSOAR begins an automated process that retrieves incrementally updated device attributes from Cortex XDR occurring within the last 15 minutes.
    5. Continue creating and enabling more integration instances and jobs as needed for Device Security to import device attributes from other Cortex XDR instances.
      Run the job for each integration instance you create. The first time you run a job that references an integration instance triggers XSOAR to report the instance to Device Security, which then displays the integration instance on the Integrations page.
    6. Return to Device Security and check the status of the Cortex XDR integration instances you created and enabled.
      An integration instance can be in one of four states, which Device Security displays in the Status column on the Integrations page:
      • Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it's enabled and running.
      • Error means that the integration was configured and enabled but isn’t functioning properly, possibly due to a configuration error or network condition.
      • Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
      • Active means that the integration was configured and enabled and is functioning properly.
      When you see that the status of an integration instance has changed from Disabled to Active, its setup is complete.

    © 2026 Palo Alto Networks, Inc. All rights reserved.