Integrate with Third-party Systems

IoT Security uses Cortex XSOAR to integrate with third-party systems.
In addition to coordinating with Palo Alto Networks next-generation firewalls, IoT Security integrates with third-party systems, augmenting their inventory, network management, network security, and vulnerability detection by making them IoT aware and by gathering device and network data from other sources to enrich its own inventory and capabilities. IoT Security does this by leveraging Cortex XSOAR technology to integrate with third-party systems. It uses either a cohosted, partially featured Cortex XSOAR instance (available at no extra charge when you purchase an IoT Security Third-party Integrations Add-on license) or a full-featured, on-premises Cortex XSOAR server. There’s also a third option for integrating Cortex XSOAR with IoT Security through its API. In short, there are three options:
  • IoT Security with a cohosted, limited-featured Cortex XSOAR instance
    – This requires the purchase of an IoT Security Third-party Integrations Add-on license, which comes with an automatically generated, cloud-hosted XSOAR module at no extra charge.
  • IoT Security with a full-featured Cortex XSOAR server on premises
    – No add-on license required.
    The IoT Security FedRAMP Moderate solution must use an on-premises Cortex XSOAR server.
  • Cortex XSOAR with access to the IoT Security API

IoT Security with a Cohosted Cortex XSOAR Instance

If you want to integrate IoT Security with third-party systems but do not have a Cortex XSOAR server, you can buy an IoT Security Third-party Add-on license. After you activate it, IoT Security automatically generates a cohosted XSOAR instance with the functionality necessary to support IoT Security integrations. When IoT Security communicates with third-party systems, it does so through the XSOAR instance, which connects with other systems and runs various jobs such as importing device data into IoT Security or sending work orders for security alerts and vulnerabilities to other systems for investigation and remediation.
More information about cohosted Cortex XSOAR instances is available in Third-party Integrations Using Cohosted XSOAR.

IoT Security with an On-premises Cortex XSOAR Server

If you already have a full-featured Cortex XSOAR server deployed on premises, you can use that to integrate IoT Security with third-party systems without needing to buy an add-on license and use a limited cloud-hosted XSOAR module. For the Cortex XSOAR server to support IoT Security third-party integrations, you must install an IoT Security content pack and configure an integration instance on the XSOAR server. The content pack provides XSOAR with all the third-party integration instance settings, playbooks, and jobs that IoT Security requires, and the Palo Alto Networks IoT 3rd Party integration instance allows XSOAR to establish a permanent web socket connection with the IoT Security application.
The XSOAR server continues to provide the same functionality it did before it was set up to work with IoT Security. However, the IoT Security integrations the XSOAR server supports are limited to those in the content pack you install. The content pack has the same set of integrations that a cohosted XSOAR instance has with one exception: you can modify the playbooks for IoT Security integrations on an XSOAR server but not on a cloud-hosted instance. To be precise, you can’t modify the playbooks directly, but you can duplicate them, modify the duplicate playbooks, and then use those on the server, which is something you can’t do in a cloud-hosted instance.
When integrating IoT Security with third-party systems in a deployment that must comply with FedRAMP Moderate, you must use a full on-premises XSOAR server running a vendor-approved FIPS version that complies with the FIPS 140-2 standard. This option supports all the same IoT Security integrations as the cohosted version but is FIPS compliant and does not require the purchase of a third-party integrations add-on license.
The IoT Security portal (and this guide) refer to this as an on-premises Cortex XSOAR server, which is a useful way to distinguish it from a cohosted Cortex XSOAR instance. Nevertheless, the XSOAR server only needs to be deployed on premises to comply with FedRAMP regulations. If your deployment doesn’t need to be FedRAMP compliant, you can deploy the XSOAR server on premises or in the cloud. In either case, the XSOAR server connects to IoT Security in the same way.
The setup of an on-premises XSOAR server to work with IoT Security is described in Third-party Integrations Using On-premises XSOAR.

Cortex XSOAR Using the IoT Security API

If you have a Cortex XSOAR instance and your goal is to integrate it with IoT Security—for example, to run an automation or playbook that downloads its inventory of IoT devices—see Palo Alto Networks IoT. There you can learn the commands to create a direct IoT Security-to-Cortex XSOAR integration. Note that this is different from the type of integrations in which IoT Security leverages XSOAR to work with third-party systems as described in this guide.

Recommended For You