Device Security
Third-Party Integrations Using a Full-Featured XSOAR Server
Table of Contents
Third-Party Integrations Using a Full-Featured XSOAR Server
Set up a full-featured Cortex XSOAR server for Device Security integration
with third-party solutions.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of the following subscriptions:
One of the following Cortex XSOAR setups:
|
Device Security can integrate with third-party systems through a full on-premises or
cloud-hosted
Cortex XSOAR server running
Cortex XSOAR version 6.8–6.12 and 8.0 (Cortex XSOAR NG). This option
supports the same Device Security integrations as the cohosted version but
requires you to install the content pack to support Device Security integrations.
In addition, the full-featured Cortex XSOAR product enables
you to create and modify third-party integration playbooks, unlike the cohosted,
purpose-built XSOAR service, which has preconfigured playbooks that can't be
modified.
The following instructions for setting up Device Security and a full-featured XSOAR server
assume that you’ve already
installed an XSOAR server on your network
or in the cloud and that you're now preparing it to provide third-party integration
opportunities for Device Security. Device Security supports third-party
integrations through XSOAR servers running Cortex XSOAR version 6.8–6.12 and
version 8.0 (Cortex XSOAR NG).
For FedRAMP compliance, the on-premises XSOAR server must be running a vendor-approved
FIPS version that complies with the
FIPS 140-2 standard.
Strata Cloud Manager
Set up a full-featured Cortex XSOAR server for Device Security integration
with third-party solutions, from Device Security in Strata Cloud Manager.
- Choose a Cortex XSOAR server for Device Security to use for third-party integrations.
- Log in to Device Security in Strata Cloud Manager, select .If you have not bought and activated an Device Security Third-Party Integrations Add-on license, two options appear on the Integrations page.
![]()
- Select Integrate through a full-featured Cortex XSOAR server and then Save.Device Security takes a few minutes to prepare to use a Cortex XSOAR server for third-party integrations. When done, the Integrations page changes to show XSOAR installation settings and a list of the steps for setting up third-party integrations through a full-featured XSOAR server.
![]()
After you save your selection, a button appears in the upper right of the page: Switch integration methods. If you have both a full-featured Cortex XSOAR server and an Device Security Third-party Integrations Add-on license, you can switch between the XSOAR server and the cohosted XSOAR instance. However, you can only use one method at a time.
Download the Device Security Content Pack.On the Integrations page, download the Device Security content pack as a .zip file.Don't download and attempt to use the Device Security content pack from the Cortex XSOAR marketplace. It isn't current and does not support all the third-party integrations that the content pack available from the Device Security portal does. Only download and use the content pack from the Device Security portal.Create an API access key and then download the key and key ID.If you have the text file for a currently active API access key, you can use that instead of creating a new API access key.- On the Integrations page in Device Security in Strata Cloud Manager, click Create under API Access Key.
- In the Create Access Key dialog, click Create again.
- In the Access Key Created dialog, Download the access key and key ID as a text file.
Copy the Device Security tenant URL.Configure the Cortex XSOAR server.Log in to the Cortex XSOAR server, upload the content pack, and use your Device Security tenant URL, API access key, and key ID to configure the "Palo Alto Networks IoT 3rd Party" integration instance.- Log in to the XSOAR server using credentials for a user account with administrator privileges, which let you upload the Device Security content pack.
![]()
- Because the Device Security content pack isn't provided by Cortex XSOAR, set content pack verification to false.Cortex XSOAR version 6.8-6.12 Select , enter false in the content.pack.verify field in the Server Configuration section, and then Save.
![]()
Cortex XSOAR version 8.x Cortex XSOAR version 8.x hides the content pack verify option, so you need to enable it before you can set the value. Select . On a macOS device, press the Option key on your keyboard to see all of the hidden fields. On a Windows or Linux device, press the Alt key on your keyboard to see all of the hidden fields. Select the content.pack.verify option, and set the field to false. Save your changes.![]()
![]()
- On the Cortex XSOAR server, navigate to the Marketplace, and then Upload Content Packs.
![]()
- Select the Device Security content pack for XSOAR to upload and install.
- Select Settings, search for palo alto networks iot 3rd party, and then click Add instance to open the settings panel.
- Enter the following and leave other settings at their default values:Name: Use the default name (Palo Alto Networks IoT 3rd Party_instance_1) or enter a new one.Device Security Tenant URL: Copy this from the Integrations page in Device Security and paste it here.Access Key: Copy this from the API access key file you downloaded and paste it here.Key ID: Copy this from the API access key file you downloaded and paste it here.Long running instance: (select; this maintains a session between the XSOAR server and Device Security, using a regular heartbeat mechanism to monitor connectivity)Single engine: Choose No engine.
![]()
- Test the integration instance settings.When finished, click Test. If the test is successful, a Success message appears and Cortex XSOAR and Device Security have established a link. If not, check that the settings were entered correctly, and then test the configuration again.
![]()
- Click Save & exit to save your changes and close the settings panel.
Cortex XSOAR version 8.0 and later If the Device Security content pack incident fields don't appear in the job creation page, create a customized incident layout in Cortex XSOAR.When running Cortex XSOAR version 8.0 and later, the Device Security third-party content pack custom fields might not appear in the job creation page. Create an incident layout, assign it to a custom incident type for third-party integrations, and add the customized incident type to all Device Security third-party integration jobs that you create.- Navigate to . This brings up the table of incident layouts.
![]()
- Select to create a new layout.
- Enter a descriptive name for the layout for Device Security third-party integrations.
- From the Library in the left-side panel, add fields into the Custom Fields box in the right-side panel by dragging and dropping. Drag and drop the following fields.
- Asset Attribute Polling IP/Subnet
- Automatically Synchronize Scanners with IoT Security
- Bulk Export Interval (Days)
- Cisco Meraki Networks
- Cisco Meraki Organizations
- Custom IPAM Data List Name
- ExtremeCloud IQ SE End-System Custom Attributes
- Import Aruba Central wired client details to IoT Security
- Import IPAM site definitions to IoT Security
- Import vulnerabilities by CVE severity levels
- Integration Instance Name
- ip
- IPAM subnet Data Overwrite
- jobid
- Network Discovery Skip Neighbor Discovery Patterns
- PANW IoT Device Custom Attributes
- PANW IoT In Scope Tag Enforcement
- PANW-ServiceNow-Category-Map
- Playbook Poll Interval
- Polling Duration in days
- Primary Active Instance Name
- Primary Instance Name(s)
- Primary Standby Instance Name
- profileid
- Rockwell AssetCentre Asset Property UUIDs
- Rockwell AssetCentre Asset Type UUIDs
- Run Once
- scannerid
- Secondary Active Instance Name
- Secondary Instance Name(s)
- Secondary Standby Instance Name
- ServiceNow Discovered IoT Device Table Name
- ServiceNow-IoT Device Category
- ServiceNow-IoT Device Model
- ServiceNow-IoT Device OS
- ServiceNow-IoT Device Profile
- ServiceNow-IoT Device Site
- ServiceNow-IoT Device SSID
- ServiceNow-IoT Device Supported OS
- ServiceNow-IoT Device Tag
- ServiceNow-IoT Device Vendor
- ServiceNow-IoT Device VLAN
- ServiceNow-IoT Wired/Wireless Device
- Site Names
- siteid
- Splunk Index
- Splunk Source Type
- Use IPAM non-site data if the same block or subnet is in IoT Security
- Use IPAM site data if the same root block is in IoT Security
- Select Save Version. This takes you back to the Layouts table.
- Navigate to Types and then select + New Incident Type. This brings up the New Incident Type dialog.
- Enter a Name, and then under Layout select the layout you created. Save the new incident type to close the dialog.
![]()
- Make note of the name of your incident type. You will need to assign the incident type to all Device Security third-party integration jobs that you create.
Configure Device Security third-party integrations.After you’ve installed a content pack for IoT 3rd party integrations, you can begin configuring integrations with third-party systems. For Device Security and Cortex XSOAR to integrate with a third-party system, you must configure XSOAR with an integration instance specifying the connection settings and a job running a playbook over the connection.Although the integration instructions later in this guide assume that you’re using a cohosted XSOAR module, the configuration instructions for the integration instances and jobs are similar for both cohosted deployments and full-featured Cortex XSOAR server deployments.Legacy IoT Security
Set up a full-featured Cortex XSOAR server for Device Security integration with third-party solutions, from the Device Security portal.- Choose a Cortex XSOAR server for Device Security to use for third-party integrations.
- Log in to the Device Security portal, select Integrations.If you have not bought and activated an Device Security Third-Party Integrations Add-on license, two options appear on the Integrations page.
![]()
- Select Integrate through a full-featured Cortex XSOAR server and then Save.Device Security takes a few minutes to prepare to use a Cortex XSOAR server for third-party integrations. When done, the Integrations page changes to show XSOAR installation settings and a list of the steps for setting up third-party integrations through a full-featured XSOAR server.
![]()
After you save your selection, a button appears in the upper right of the page: Switch integration methods. If you have both a full-featured Cortex XSOAR server and an Device Security Third-party Integrations Add-on license, you can switch between the XSOAR server and the cohosted XSOAR instance. However, you can only use one method at a time.
Download the Device Security Content Pack.On the Integrations page, download the Device Security content pack as a .zip file.Don't download and attempt to use the Device Security content pack from the Cortex XSOAR marketplace. It isn't current and does not support all the third-party integrations that the content pack available from the Device Security portal does. Only download and use the content pack from the Device Security portal.Create an API access key and then download the key and key ID.If you have the text file for a currently active API access key, you can use that instead of creating a new API access key.- On the Integrations page in Device Security, click Create under API Access Key.
- In the Create Access Key dialog, click Create again.
- In the Access Key Created dialog, Download the access key and key ID as a text file.
Copy the Device Security tenant URL.Configure the Cortex XSOAR server.Log in to the Cortex XSOAR server, upload the content pack, and use your Device Security tenant URL, API access key, and key ID to configure the "Palo Alto Networks IoT 3rd Party" integration instance.- Log in to the XSOAR server using credentials for a user account with administrator privileges, which let you upload the Device Security content pack.
![]()
- Because the Device Security content pack isn't provided by Cortex XSOAR, set content pack verification to false.Cortex XSOAR version 6.8-6.12 Select , enter false in the content.pack.verify field in the Server Configuration section, and then Save.
![]()
Cortex XSOAR version 8.x Cortex XSOAR version 8.x hides the content pack verify option, so you need to enable it before you can set the value. Select . On a macOS device, press the Option key on your keyboard to see all the hidden fields. On a Windows or Linux device, press the Alt key on your keyboard to see all the hidden fields. Select the content.pack.verify option, and set the field to false. Save your changes.![]()
![]()
- On the Cortex XSOAR server, navigate to the Marketplace, and then Upload Content Packs.
![]()
- Select the Device Security content pack for XSOAR to upload and install.
- Select Settings, search for palo alto networks iot 3rd party, and then click Add instance to open the settings panel.
- Enter the following and leave other settings at their default values:Name: Use the default name (Palo Alto Networks IoT 3rd Party_instance_1) or enter a new one.Device Security Tenant URL: Copy this from the Integrations page in Device Security and paste it here.Access Key: Copy this from the API access key file you downloaded and paste it here.Key ID: Copy this from the API access key file you downloaded and paste it here.Long running instance: (select; this maintains a session between the XSOAR server and Device Security, using a regular heartbeat mechanism to monitor connectivity)Single engine: Choose No engine.
![]()
- Test the integration instance settings.When finished, click Test. If the test is successful, a Success message appears and Cortex XSOAR and Device Security have established a link. If not, check that the settings were entered correctly, and then test the configuration again.
![]()
- Click Save & exit to save your changes and close the settings panel.
Cortex XSOAR version 8.0 and later If the Device Security content pack incident fields don't appear in the job creation page, create a customized incident layout in Cortex XSOAR.When running Cortex XSOAR version 8.0 and later, the Device Security third-party content pack custom fields might not appear in the job creation page. Create an incident layout, assign it to a custom incident type for third-party integrations, and add the customized incident type to all Device Security third-party integration jobs that you create.- Navigate to . This brings up the table of incident layouts.
![]()
- Select to create a new layout.
- Enter a descriptive name for the layout for Device Security third-party integrations.
- From the Library in the left-side panel, add fields into the Custom Fields box in the right-side panel by dragging and dropping. Drag and drop the following fields.
- Asset Attribute Polling IP/Subnet
- Automatically Synchronize Scanners with IoT Security
- Bulk Export Interval (Days)
- Cisco Meraki Networks
- Cisco Meraki Organizations
- Custom IPAM Data List Name
- ExtremeCloud IQ SE End-System Custom Attributes
- Import Aruba Central wired client details to IoT Security
- Import IPAM site definitions to IoT Security
- Import vulnerabilities by CVE severity levels
- Integration Instance Name
- ip
- IPAM subnet Data Overwrite
- jobid
- Network Discovery Skip Neighbor Discovery Patterns
- PANW IoT Device Custom Attributes
- PANW IoT In Scope Tag Enforcement
- PANW-ServiceNow-Category-Map
- Playbook Poll Interval
- Polling Duration in days
- Primary Active Instance Name
- Primary Instance Name(s)
- Primary Standby Instance Name
- profileid
- Rockwell AssetCentre Asset Property UUIDs
- Rockwell AssetCentre Asset Type UUIDs
- Run Once
- scannerid
- Secondary Active Instance Name
- Secondary Instance Name(s)
- Secondary Standby Instance Name
- ServiceNow Discovered IoT Device Table Name
- ServiceNow-IoT Device Category
- ServiceNow-IoT Device Model
- ServiceNow-IoT Device OS
- ServiceNow-IoT Device Profile
- ServiceNow-IoT Device Site
- ServiceNow-IoT Device SSID
- ServiceNow-IoT Device Supported OS
- ServiceNow-IoT Device Tag
- ServiceNow-IoT Device Vendor
- ServiceNow-IoT Device VLAN
- ServiceNow-IoT Wired/Wireless Device
- Site Names
- siteid
- Splunk Index
- Splunk Source Type
- Use IPAM non-site data if the same block or subnet is in IoT Security
- Use IPAM site data if the same root block is in IoT Security
- Select Save Version. This takes you back to the Layouts table.
- Navigate to Types and then select + New Incident Type. This brings up the New Incident Type dialog.
- Enter a Name, and then under Layout select the layout you created. Save the new incident type to close the dialog.
![]()
- Make note of the name of your incident type. You will need to assign the incident type to all Device Security third-party integration jobs that you create.
Configure Device Security third-party integrations.After you’ve installed a content pack for IoT 3rd party integrations, you can begin configuring integrations with third-party systems. For Device Security and Cortex XSOAR to integrate with a third-party system, you must configure XSOAR with an integration instance specifying the connection settings and a job running a playbook over the connection.Although the integration instructions later in this guide assume that you’re using a cohosted XSOAR module, the configuration instructions for the integration instances and jobs are similar for both cohosted deployments and full-featured Cortex XSOAR server deployments.
