Third-party Integrations Using Cohosted XSOAR

Use a cohosted Cortex XSOAR instance for Device Security integration with third-party solutions.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A free, cohosted, limited-featured Cortex XSOAR instance
  • A full-featured Cortex XSOAR server
When you activate a Device Security cohosted Cortex XSOAR, a cloud-hosted, purpose-built instance of Cortex XSOAR is generated exclusively for your Device Security tenant at no extra charge. It enables Device Security to integrate with both cloud-based third-party systems and—by means of an on-site Cortex XSOAR engine—with third-party systems deployed on premises. (For Cortex XSOAR engine installation instructions, refer to the “Cortex XSOAR Engine Installation” section for the third-party product that you are integrating with Device Security.)

Strata Cloud Manager

Use a cohosted Cortex XSOAR instance for Device Security in Strata Cloud Manager integration with third-party solutions.

Access and Manage Your Cohosted Cortex XSOAR

Once the cohosted Cortex XSOAR is available, you can log in to your Cortex XSOAR instance from Device Security in Strata Cloud Manager. Navigate to Integrations > Integration Management, and under the Integrations section, click Launch Cortex XSOAR.
When you log in to a cohosted Cortex XSOAR instance with Device Security, you have a special Device Security role with the following limitations:
  • You can only access the Settings and Jobs pages.
  • You can only download logs for the cohosted Cortex XSOAR from Device Security.
  • You can't access the Cortex XSOAR Marketplace.
  • You can't run Cortex XSOAR commands from the CLI.
  • You can't set configuration flags.
You can find the serial number for the cohosted Cortex XSOAR in Device Security in Strata Cloud Manager. Navigate to Administration > Tenant Details, and locate the XSOAR Serial Number.

Available Third-party Integrations

After you activate a limited, cloud-hosted Cortex XSOAR instance, Device Security generates a cohosted Cortex XSOAR that exclusively supports third-party integrations for Device Security. The cohosted Cortex XSOAR supports integrations with the following third-party systems:
When integrating Device Security with one of the third-party systems, you’ll use the interface of the dedicated XSOAR instance to configure this side of the integration and the user interface of the remote system to configure the other side. The XSOAR interface has been scaled down to just those features and settings essential for Device Security to integrate with these other systems. To access the Cortex XSOAR interface, log in to Device Security in Strata Cloud Manager, open Integrations > Integration Management, and then click Launch Cortex XSOAR. Due to the automatic authentication mechanism that occurs between Device Security and Cortex XSOAR when you click this link, it’s the only way to access the interface of your Cortex XSOAR instance.
If you don’t see all available third-party integrations in the Cortex XSOAR interface, it's possible that your XSOAR instance needs to update to the latest content pack. Content packs include code changes to the jobs and playbooks of existing integrations as well as additional new third-party integrations. To get the latest XSOAR content pack, log in to your Customer Support Portal account and create a case with your request.
Some integrations such as ServiceNow, Nuvolo, and Qualys occur completely in the cloud, from the Device Security cloud through Cortex XSOAR to the third-party cloud. Others such as Cisco ISE, SIEM, and Aruba ClearPass occur both in the cloud and on premises. The Device Security cloud sends data to Cortex XSOAR, which forwards it to an XSOAR engine installed on a VM on premises. The XSOAR engine then forwards the data across the network to a third-party server that’s also on premises. The following shows which integrations require an on-premises XSOAR engine when Device Security is communicating through a cohosted XSOAR instance:
| Asset Management Integrations | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| AIMS | No (cloud-hosted AIMS instance), Yes (on-premises AIMS system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to an on-premises AIMS system |
| Jamf Pro | No (cloud-hosted Jamf Pro instance), Yes (on-premises Jamf Pro instance) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises Jamf Pro |
| Microsoft SCCM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and TCP 1433 (default) to an on-premises SCCM SQL system |
| Nuvolo | No | |
| ServiceNow | No | |
| SoftPro Medusa | No (cloud-hosted SoftPro Medusa), Yes (on-premises SoftPro Medusa servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises SoftPro Medusa |

| Endpoint Protection | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Cortex XDR | No | |
| CrowdStrike | No | |
| Microsoft Defender XDR | No | |
| Tanium | No (cloud-hosted Tanium), Yes (one or more on-premises Tanium servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Tanium API |

| Network Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba AirWave | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ |
| Aruba Central | No (cloud-hosted Aruba Central), Yes (one or more on-premises Aruba Central servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 to an on-premises Aruba Central server |
| Cisco DNA Center | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco DNA Center API |
| Cisco Meraki Cloud | No | |
| Cisco Prime Infrastructure | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco Prime instance |
| SNMP Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |
| Network Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |

| Identity and Access Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Microsoft Entra ID | No | |

| IP Address Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| BlueCat IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTP or HTTPS on TCP 80 or TCP 443 to your on-premises BlueCat Address Manager |
| Infoblox IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to your on-premises Infoblox Grid Master API |

| Wireless Network Controllers | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 4343 (default) to the API of on-premises Aruba WLAN controllers |
| Cisco WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 (default) to on-premises Cisco WLAN controllers |

| Security Information and Event Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| SIEM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and syslog event messages on UDP 514 (default) to your SIEM server |

| Network Access Control | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba ClearPass | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to the on-premises Aruba ClearPass system |
| Cisco ISE | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 and 9060 to your on-premises Cisco ISE system |
| Cisco ISE pxGrid | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSL on TCP 8910 (default) to your on-premises Cisco pxGrid controller or ISE system |
| Extreme Networks ExtremeCloud IQ | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to the on-premises Extreme Networks ExtremeCloud IQ Site Engine system |
| Forescout | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises Forescout system |

| Vulnerability Scanning | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Qualys | No | |
| Rapid7 | No (cloud-hosted Rapid7 system), Yes (on-premises Rapid7 system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/, HTTPS on TCP 3780 (default) to your on-premises Rapid7 web interface, and HTTPS on TCP 8080 and 443 (default) to your on-premises Rapid7 API |
| Tenable (Tenable.io) | No | |
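
The engine communications listed above translate directly into an egress allowlist for the VM that hosts the on-premises XSOAR engine. The following Python is an added example, not Palo Alto Networks code: it checks a constructed firewall rule list against the default ports from the table for a subset of integrations and reports flows that are missing and rules that are wider than needed. The rule tuple format and the use of integration names as destination labels are assumptions made for the example.

```python
# Added example: audit an on-premises XSOAR engine's egress rules against the
# flows in the table above. Rule list and destination labels are constructed.

CLOUD = "<your-domain>.iot.demisto.live"

# Default (protocol, port) pairs the engine uses toward each on-premises system,
# transcribed from the table for a subset of integrations.
ENGINE_FLOWS = {
    "Microsoft SCCM": {("tcp", 1433)},
    "SNMP Discovery": {("udp", 161)},
    "Aruba WLAN Controllers": {("tcp", 4343)},
    "Cisco WLAN Controllers": {("tcp", 22)},
    "SIEM": {("udp", 514)},
    "Cisco ISE": {("tcp", 443), ("tcp", 9060)},
    "Cisco ISE pxGrid": {("tcp", 8910)},
    "Rapid7": {("tcp", 3780), ("tcp", 8080), ("tcp", 443)},
}


def required_flows(enabled):
    """Return the (destination, protocol, port) tuples the engine needs."""
    flows = {(CLOUD, "tcp", 443)}  # every engine talks HTTPS to the cohosted XSOAR
    for name in enabled:
        flows |= {(name, proto, port) for proto, port in ENGINE_FLOWS[name]}
    return flows


def audit(enabled, rules):
    """rules: list of (destination, protocol, low_port, high_port) allow rules.

    Returns (missing, too_broad): required flows that no rule permits, and rules
    that permit at least one port the enabled integrations do not need.
    """
    need = required_flows(enabled)

    def covers(rule, flow):
        dst, proto, lo, hi = rule
        return (dst, proto) == flow[:2] and lo <= flow[2] <= hi

    missing = sorted(f for f in need if not any(covers(r, f) for r in rules))
    too_broad = [r for r in rules
                 if (r[3] - r[2] + 1) > sum(covers(r, f) for f in need)]
    return missing, too_broad


# Constructed rule set for an engine that serves Cisco ISE and a SIEM.
SAMPLE_RULES = [
    (CLOUD, "tcp", 443, 443),
    ("Cisco ISE", "tcp", 443, 443),          # TCP 9060 left out
    ("SIEM", "udp", 1, 1024),                # covers 514 but far wider than needed
    ("Microsoft SCCM", "tcp", 1433, 1433),   # SCCM is not enabled on this engine
]
```

Calling audit(["Cisco ISE", "SIEM"], SAMPLE_RULES) reports the Cisco ISE flow on TCP 9060 as missing and flags the SIEM range rule and the unused SCCM rule.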
After you set up Device Security to work with a full-featured or cohosted XSOAR instance and configure some integration instances in XSOAR, various settings become available for use in the Device Security portal. For example, options to quarantine a device and release a previously quarantined device only appear after you configure an integration instance that supports such actions.

Legacy IoT Security

Use a cohosted Cortex XSOAR instance for Device Security integration with third-party solutions.
With Device Security, you no longer need a Third-party Add-on License. To activate and use the free, cohosted Cortex XSOAR for third-party integrations, you must access Device Security in Strata Cloud Manager.

Access and Manage Your Cohosted XSOAR

Once the cohosted Cortex XSOAR is available, you can log in to your Cortex XSOAR instance from the Device Security portal. Navigate to Integrations > Third-party Integrations, and under the Integrations section, click Launch Cortex XSOAR.
When you log in to a cohosted Cortex XSOAR instance with Device Security, you have a special Device Security role with the following limitations:
  • You can only access the Settings and Jobs pages.
  • You can only download logs for the cohosted Cortex XSOAR from Device Security.
  • You can't access the Cortex XSOAR Marketplace.
  • You can't run Cortex XSOAR commands from the CLI.
  • You can't set configuration flags.
Because the cohosted Cortex XSOAR instance relies on having the third-party integrations add-on license, you can find the serial number for the cohosted Cortex XSOAR in the Device Security portal. Navigate to Administration > About > Tenant Details, and locate the XSOAR Serial Number.

Available Third-party Integrations

After you activate the add-on during the onboarding process, a limited, cloud-hosted Cortex XSOAR instance is generated exclusively to support third-party integrations included in the add-on. There is no extra charge for this dedicated XSOAR instance, which supports integrations with the following third-party systems:
When integrating Device Security with one of the third-party systems, you’ll use the interface of the dedicated XSOAR instance to configure this side of the integration and the user interface of the remote system to configure the other side. The XSOAR interface has been scaled down to just those features and settings essential for Device Security to integrate with these other systems. To access the Cortex XSOAR interface, log in to the Device Security portal, open Integrations > Third-party Integrations, and then click Launch Cortex XSOAR. Due to the automatic authentication mechanism that occurs between Device Security and Cortex XSOAR when you click this link, it’s the only way to access the interface of your Cortex XSOAR instance.
If you don’t see all available third-party integrations in the Cortex XSOAR interface, it's possible that your XSOAR instance needs to update to the latest content pack. Content packs include code changes to the jobs and playbooks of existing integrations as well as additional new third-party integrations. To get the latest XSOAR content pack, log in to your Customer Support Portal account and create a case with your request.
Some integrations such as ServiceNow, Nuvolo, and Qualys occur completely in the cloud, from the Device Security cloud through Cortex XSOAR to the third-party cloud. Others such as Cisco ISE, SIEM, and Aruba ClearPass occur both in the cloud and on premises. The Device Security cloud sends data to Cortex XSOAR, which forwards it to an XSOAR engine installed on a VM on premises. The XSOAR engine then forwards the data across the network to a third-party server that’s also on premises. The following shows which integrations require an on-premises XSOAR engine when Device Security is communicating through a cohosted XSOAR instance:
| Asset Management Integrations | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| AIMS | No (cloud-hosted AIMS instance), Yes (on-premises AIMS system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to an on-premises AIMS system |
| Jamf Pro | No (cloud-hosted Jamf Pro instance), Yes (on-premises Jamf Pro instance) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises Jamf Pro |
| Microsoft SCCM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and TCP 1433 (default) to an on-premises SCCM SQL system |
| Nuvolo | No | |
| ServiceNow | No | |
| SoftPro Medusa | No (cloud-hosted SoftPro Medusa), Yes (on-premises SoftPro Medusa servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises SoftPro Medusa |

| Endpoint Protection | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Cortex XDR | No | |
| CrowdStrike | No | |
| Microsoft Defender XDR | No | |
| Tanium | No (cloud-hosted Tanium), Yes (one or more on-premises Tanium servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Tanium API |

| Network Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba AirWave | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ |
| Aruba Central | No (cloud-hosted Aruba Central), Yes (one or more on-premises Aruba Central servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 to an on-premises Aruba Central server |
| Cisco DNA Center | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco DNA Center API |
| Cisco Meraki Cloud | No | |
| Cisco Prime Infrastructure | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco Prime instance |
| SNMP Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |
| Network Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |

| Identity and Access Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Microsoft Entra ID | No | |

| IP Address Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| BlueCat IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTP or HTTPS on TCP 80 or TCP 443 to your on-premises BlueCat Address Manager |
| Infoblox IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to your on-premises Infoblox Grid Master API |

| Wireless Network Controllers | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 4343 (default) to the API of on-premises Aruba WLAN controllers |
| Cisco WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 (default) to on-premises Cisco WLAN controllers |

| Security Information and Event Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| SIEM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and syslog event messages on UDP 514 (default) to your SIEM server |

| Network Access Control | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba ClearPass | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to the on-premises Aruba ClearPass system |
| Cisco ISE | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 and 9060 to your on-premises Cisco ISE system |
| Cisco ISE pxGrid | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSL on TCP 8910 (default) to your on-premises Cisco pxGrid controller or ISE system |
| Extreme Networks ExtremeCloud IQ | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to the on-premises Extreme Networks ExtremeCloud IQ Site Engine system |
| Forescout | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises Forescout system |

| Vulnerability Scanning | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Qualys | No | |
| Rapid7 | No (cloud-hosted Rapid7 system), Yes (on-premises Rapid7 system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/, HTTPS on TCP 3780 (default) to your on-premises Rapid7 web interface, and HTTPS on TCP 8080 and 443 (default) to your on-premises Rapid7 API |
| Tenable (Tenable.io) | No | |
After you set up Device Security to work with a full-featured or cohosted XSOAR instance and configure some integration instances in XSOAR, various settings become available for use in the Device Security portal. For example, options to quarantine a device and release a previously quarantined device only appear after you configure an integration instance that supports such actions.