Set up Device Security and XSOAR for Cortex XDR Integration
Set up Device Security and Cortex XSOAR to integrate with Cortex XDR.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A free, cohosted, limited-featured Cortex XSOAR instance
  • A full-featured Cortex XSOAR server
Device Security can integrate with Cortex XDR directly through the Cortex XDR API. The API integration does not require Cortex XSOAR. To integrate Device Security with Cortex XDR through the API, see Set up Device Security for Cortex XDR API Integration.
To set up Device Security to integrate through Cortex XSOAR with Cortex XDR, you need the following:
  • Advanced API key for Cortex XDR
  • API key ID
  • URL of your XDR instance
If you plan to enable XQL options to import CVEs, KB articles, or application inventory, you also need a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license and available XQL query quota.
Frequently running the XQL playbooks can consume your XQL query quota quickly. We recommend running the XQL playbook manually first to estimate the quota consumption.
  1. Log in to Device Security and then access Cortex XDR integration settings in Cortex XSOAR.
    1. Because Device Security uses XSOAR to integrate with XDR, you must configure settings for the XDR integration instance in the Cortex XSOAR interface. To access XSOAR, log in to Device Security and select Integrations > Launch Cortex XSOAR.
    2. Click Settings in the left navigation menu and search for xdr to locate it among other instances.
  2. Configure the Cortex XDR integration instance.
    1. Click Add instance to open the settings panel.
    2. Enter the following and leave other settings at their default values:
      Name: Enter a name for the XDR integration instance.
      Server URL (copy URL from XDR): Copy the URL that you saved earlier in a text file and paste it here.
      API Key ID: Enter the API key ID that you previously noted.
      API Key: Copy the API key string and paste it here.
      Last Seen: Enter the number of days back from which to retrieve endpoint data. The default is 7 days.
      Optional Learn Multi Interfaces: Select to import network interface data for endpoints with multiple network interfaces. This is unselected by default.
      Optional XQL - Learn CVEs: Select to import CVE vulnerability data via XQL. This is unselected by default.
      Optional XQL - Learn KBs: Select to import installed Windows KB patch data via XQL. This is unselected by default.
      Optional XQL - Learn Applications: Select to import installed application data via XQL. This is unselected by default.
    3. When finished, click Test.
      If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.
    4. After the test succeeds, copy the name of the integration instance to use in the job you create next, and then click Save & exit to save your changes and close the settings panel.
  3. Create a job for Cortex XSOAR to receive information from Cortex XDR.
    Each playbook requires its own job. If you want to run multiple playbooks, you must create a separate job for each.
    1. Click Jobs near the bottom of the left navigation menu to open the Jobs page.
    2. Click New Job at the top of the Jobs page.
    3. Enter the following and leave the other fields at their default values:
      Time triggered: Select this option.
      Recurring: Select this because you want to periodically import device attributes from Cortex XDR.
      Every: Enter a number, set the interval unit (Minutes, Hours, Days, or Weeks), and select the days on which to run the job. (If you don’t select any days, the job runs every day.) This determines how often XSOAR imports data from Cortex XDR. It’s important to set an interval that provides enough time for the job to complete, considering factors such as the number of devices that are active on the network. You can see the run status of a recurring job on the Jobs page. While in progress, its status is Running. When done, its status changes to Completed.
      Name: Type a name for the job.
      Playbook: Select the playbook for the type of job you’re configuring. If you want to run both playbooks, create separate jobs, one for each:
      1. Import Cortex XDR Endpoints to PANW IoT — Import endpoint attributes from Cortex XDR.
      2. Import Cortex XDR XQL Data to Device Security — Import host inventory, application inventory, KB article, and CVE data via XQL queries. Requires XQL options to be enabled in the integration instance settings.
      Integration Instance Name: Paste the integration instance name that you copied in the previous step. If this field is empty or an entered name does not match an instance, the job won’t run successfully.
      Site Names: Leave the field empty to import device attributes for all sites. To limit imports to devices at one or more sites, enter comma-separated site names.
    4. Click Create new job.
  4. Enable the XDR integration instance.
  5. Return to Device Security and check the status of the Cortex XDR integration instances you created and enabled.
    An integration instance can be in one of four states, which Device Security displays in the Status column on the Integrations page:
    • Disabled means that either the integration was configured but intentionally disabled, or it was never configured and a job that references it is enabled and running.
    • Error means that the integration was configured and enabled but isn’t functioning properly, possibly due to a configuration error or network condition.
    • Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
    • Active means that the integration was configured and enabled and is functioning properly.
    When you see that the status of an integration instance has changed from Disabled to Active, its setup is complete.
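Before clicking through the XSOAR forms, it helps to sanity-check a planned set of instances and jobs against the rules stated above (the job's Integration Instance Name must match an existing instance, the XQL playbook needs at least one XQL option enabled on that instance, the interval must be a positive number of Minutes, Hours, Days, or Weeks, and Site Names is a comma-separated list). The following Python is an added example written for this page, not XSOAR code or its configuration schema; the dataclasses and the `validate_plan` and `parse_site_names` functions are constructed models of the form fields.

```python
from dataclasses import dataclass
from typing import List

# Playbook names as they appear on the Jobs page.
PLAYBOOK_ENDPOINTS = "Import Cortex XDR Endpoints to PANW IoT"
PLAYBOOK_XQL = "Import Cortex XDR XQL Data to Device Security"
INTERVAL_UNITS = ("Minutes", "Hours", "Days", "Weeks")

@dataclass
class XdrInstance:
    """Planned XDR integration instance settings (constructed model, not XSOAR's own schema)."""
    name: str
    server_url: str
    api_key_id: str
    last_seen_days: int = 7
    learn_cves: bool = False   # XQL - Learn CVEs
    learn_kbs: bool = False    # XQL - Learn KBs
    learn_apps: bool = False   # XQL - Learn Applications

@dataclass
class XsoarJob:
    """Planned recurring job settings (constructed model)."""
    name: str
    playbook: str
    integration_instance_name: str
    every: int
    unit: str
    site_names: str = ""  # comma-separated; empty means all sites

def parse_site_names(value: str) -> List[str]:
    """Split the Site Names field on commas, trimming whitespace and dropping blanks."""
    return [s.strip() for s in value.split(",") if s.strip()]

def validate_plan(instances: List[XdrInstance], jobs: List[XsoarJob]) -> List[str]:
    """Return the problems found; an empty list means the plan follows the rules above."""
    by_name = {i.name: i for i in instances}
    problems = []
    for job in jobs:
        inst = by_name.get(job.integration_instance_name)
        if inst is None:  # the job won't run if the name does not match an instance
            problems.append(f"{job.name}: no instance named '{job.integration_instance_name}'")
            continue
        if job.playbook not in (PLAYBOOK_ENDPOINTS, PLAYBOOK_XQL):
            problems.append(f"{job.name}: unknown playbook '{job.playbook}'")
        elif job.playbook == PLAYBOOK_XQL and not (inst.learn_cves or inst.learn_kbs or inst.learn_apps):
            problems.append(f"{job.name}: XQL playbook needs an XQL option enabled on '{inst.name}'")
        if job.unit not in INTERVAL_UNITS or job.every < 1:
            problems.append(f"{job.name}: invalid interval '{job.every} {job.unit}'")
    return problems
```

Run it over your planned instances and jobs before creating them; each returned string names the job and the rule it breaks.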