1. Home
    2. IoT
    3. IoT Security Integration Guide
    4. Get Started with IoT Security Integrations
    5. Third-party Integrations Using On-premises XSOAR

    Third-party Integrations Using On-premises XSOAR

    Set up an on-premises Cortex XSOAR server for IoT Security integration with third-party solutions.
    IoT Security can integrate with third-party systems through a full on-premises Cortex XSOAR server. This option supports the same IoT Security integrations as the cloud-hosted version but doesn’t require the purchase of an IoT Security Third-party Integrations Add-on license. In addition, the full-featured on-premises Cortex XSOAR product allows you to create and modify third-party integration playbooks, unlike the cohosted, purpose-built XSOAR service, which has preconfigured playbooks that can't be modified.
    The following instructions for setting up IoT Security and an on-premises XSOAR server assume that you’ve already installed an XSOAR server on your network and that you are now preparing it to provide third-party integration opportunities for IoT Security.
    For FedRAMP compliance, the XSOAR server must be running a vendor-approved FIPS version that complies with the FIPS 140-2 standard.
    1. Choose an on-premises Cortex XSOAR server for IoT Security to use for third-party integrations.
      1. Log in to the IoT Security portal, select
        Integrations
        .
        If you have not bought and activated an IoT Security Third-Party Integrations Add-on license, two options appear on the Integrations page.
      2. Select
        Integrate through an on-premises Cortex XSOAR server
         and then
        Save
        .
        IoT Security takes a few minutes to prepare to use a Cortex XSOAR server for third-party integrations. When done, the Integrations page changes to show XSOAR installation settings and a list of the steps for setting up third-party integrations through an on-premises XSOAR server.
        After you save your selection, a button appears in the upper right of the page:
        Switch integration methods
        . If you have both an on-premises Cortex XSOAR server and an IoT Security Third-party Integrations Add-on license, you can switch between the XSOAR server and the cohosted XSOAR instance. However, you can only use one method at a time.
    2. Download the IoT Security Content Pack.
      On the Integrations page, download the IoT Security content pack as a .zip file.
    3. Create an API access key and then download the key and key ID.
      If you have the text file for a currently active API access key, you can use that instead of creating a new API access key.
      1. On the Integrations page in IoT Security, click
        Create
         under API Access Key.
      2. In the Create Access Key dialog box, click
        Create
         again.
      3. In the Access Key Created dialog box,
        Download
         the access key and key ID as a text file.
    4. Copy the IoT Security tenant URL.
    5. Configure the Cortex XSOAR server.
      Log in to the Cortex XSOAR server, upload the content pack, and use your IoT Security tenant URL, API access key, and key ID to configure the "Palo Alto Networks IoT 3rd Party" integration instance.
      1. Log in to the XSOAR server using credentials for a user account with administrator privileges, which let you upload the IoT Security content pack.
      2. Because the IoT Security content pack is not provided by Cortex XSOAR, set content pack verification to
        false
        . Select
        Settings
        About
        Troubleshooting
        , enter
        false
        in the
        content.pack.verify
        field in the Server Configuration section, and then
        Save
        .
      3. On the XSOAR server, navigate to the
        Marketplace
        , click the three vertical dots icon in the upper right, and then
        Upload Content Packs
        .
      4. Select the previously downloaded IoT Security content pack for XSOAR to upload and install.
      5. Select
        Settings
        , search for
        palo alto networks iot 3rd party
        , and then click
        Add instance
         to open the settings panel.
      6. Enter the following and leave other settings at their default values:
        Name
        : Use the default name (
        Palo Alto Networks IoT 3rd Party_instance_1
        ) or enter a new one.
        IoT Security Tenant URL
        : Copy this from the Integrations page in IoT Security and paste it here.
        Access Key
        : Copy this from the API access key file you downloaded and paste it here.
        Key ID
        : Copy this from the API access key file you downloaded and paste it here.
        Long running instance
        : (select; this maintains a session between the XSOAR server and IoT Security, using a regular heartbeat mechanism to monitor connectivity)
        Single engine
        : Choose
        No engine
        .
      7. Test the integration instance settings.
        When finished, click
        Test
        . If the test is successful, a Success message appears and Cortex XSOAR and IoT Security have established a link. If not, check that the settings were entered correctly and then test the configuration again.
      8. Click
        Save & exit
         to save your changes and close the settings panel.
    6. Configure IoT Security third-party integrations.
      After you’ve installed a content pack for IoT 3rd party integrations, you can begin configuring integrations with third-party systems. For IoT Security and Cortex XSOAR to integrate with a third-party system, you must configure XSOAR with an integration instance specifying connection settings and a job running a playbook over the connection.
      The following is a list of the jobs and their configuration elements for the third-party integrations that IoT Security supports. For detailed configuration instructions, see the section for specific integrations in this guide.
      Although the integration instructions later in this guide assume that you’re using a cloud-hosted XSOAR module, the configuration instructions for the integration instances and jobs are similar for both cloud-hosted and on-premises deployments.
      Asset Discovery
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Asset Attribute Polling
      Bulk Import Asset Attributes Using Asset Attribute Polling - PANW IoT 3rd Party Integration
      No
      Required:
      "Integration Instance Name" and "Device Polling IP address/Subnet"
      Imports device attributes using asset attribute polling.
      Asset Management
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - AIMS
      Export AIMS maps and devices to PANW IoT
      Yes
      No arguments required. Only a single instance is supported.
      Exports AIMS facilities, vendors, employees, work order priority list mappings, and device data to IoT Security.
      PANW IoT 3rd Party Integration - AIMS
      Export AIMS assignee and priority lists to PANW IoT
      Yes
      No arguments required. Only a single instance is supported.
      Exports the assignee list and work order priority list from AIMS to IoT Security.
      PANW IoT 3rd Party Integration - Microsoft SCCM
      Import Microsoft SCCM devices to PANW IoT cloud
      Yes
      Required
      : "Integration Instance Name".
      Fetches available endpoint data from a Microsoft SCCM SQL server and sends it to IoT Security.
      PANW IoT 3rd Party Integration - Nuvolo
      Bulk Export Devices to Nuvolo - PANW IoT 3rd Party Integration
      No
      No arguments required. Only a single instance is supported.
      Retrieves all devices from IoT Security and sends it to a third-party integration instance.
      PANW IoT 3rd Party Integration - Nuvolo
      Bulk Import Devices from Nuvolo to PANW IoT Cloud - PANW IoT 3rd Party Integration
      No
      No arguments required. Only a single instance is supported.
      Retrieves all devices from the Nuvolo instance and sends them to IoT Security.
      Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - Nuvolo
      Incremental Export Devices to Nuvolo - PANW IoT 3rd Party Integration
      Yes
      No arguments required. Only a single instance is supported. The fixed poll interval is 15 minutes.
      Retrieves devices from IoT Security and sends them to the third-party integration instance.
      Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - ServiceNow v2
      Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration
      Yes
      No arguments required. Only a single instance is supported. The fixed poll interval is 15 minutes.
      Retrieves devices discovered by IoT Security and sends them to a third-party integration instance.
      PANW IoT 3rd Party Integration - ServiceNow v2
      Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration
      No
      No arguments required. Only a single instance is supported.
      Retrieves all devices from IoT Security and sends them to a third-party integration instance.
      Endpoint Protection
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Cortex XDR - IR
      Incremental Export of Cortex XDR - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "Site Names", and "Playbook Poll Interval".
      Retrieves active devices found by IoT Security, queries Cortex XDR to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval.
      PANW IoT 3rd Party Integration - CrowdStrike Falcon
      Incremental Import of CrowdStrike Falcon - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Optional
      : "Site Names", and "Playbook Poll Interval".
      Retrieves active devices found by IoT Security, queries CrowdStrike Falcon to get associated device attributes and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval.
      PANW IoT 3rd Party Integration - Tanium
      Import Tanium Vulnerabilities to PANW IoT cloud
      Yes
      Required
      : "Integration Instance Name"
      Optional:
      "Import vulnerabilities by CVE severity levels"
      Imports vulnerabilities from Tanium to the IoT Security.
      Network Management
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Aruba Central
      Import Aruba Central devices to PANW IoT cloud
      Yes
      Required
      : "Integration Instance Name"
      Optional
      : “Import Aruba Central wired client details to IoT Security”
      Retrieves client details from Aruba Central. By default, only wireless device details are retrieved. You have the option to retrieve details for both wired and wireless devices
      PANW IoT 3rd Party Integration - cisco-dnac-IoT
      extract-dnac-clients
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "Site Names" and "Playbook Poll Interval".
      Retrieves active devices found by IoT Security, queries Cisco DNA Center to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval.
      PANW IoT 3rd Party Integration - Cisco Meraki Cloud
      Get Cisco Meraki Cloud Organizations and Networks - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name"
      Retrieves Cisco Meraki Cloud organizations and networks.
      PANW IoT 3rd Party Integration - Cisco Meraki Cloud
      Import Cisco Meraki Cloud Network Clients - PANW IoT 3rd Party Integration
      Yes
      Required:
       "Integration Instance Name"
      Optional:
       "Cisco Meraki Networks"
      Optional:
       "Cisco Meraki Organizations"
      Optional:
       "Poll Interval" (Range: 1-31 days, default: 31)
      Imports all the Cisco Meraki Cloud clients to IoT Security.
      PANW IoT 3rd Party Integration - Cisco Prime
      Cisco Prime Clients
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "Site Names" and "Playbook Poll Interval".
      Retrieves active devices found on IoT Security, queries Cisco Prime to get associated device attributes, and reports the data to IoT Security. Filters for active devices: Site names and playbook poll interval.
      PANW IoT 3rd Party Integration - SNMP
      Incremental SNMP data import to PANW IoT Cloud - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Performs an SNMP crawl, retrieves all available endpoint data, and reports it to IoT Security.
      PANW IoT 3rd Party Integration - Network Discovery
      Network Discovery - Export Devices using SNMP
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : Network Discovery Skip Neighbor Discovery Patterns
      Performs an SNMP crawl, retrieves all available L2, L3, and endpoint data and reports it to IoT Security.
      IP Address Management
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - BlueCat IPAM
      Bulk Import of subnet network info from BlueCat IPAM to PANW IoT Cloud
      Yes
      Required
      : "Integration Instance Name".
      Fetches available IPAM data from a BlueCat Address Manager and sends it to IoT Security.
      PANW IoT 3rd Party Integration - Infoblox IPAM
      Bulk Import of subnet network info from Infoblox IPAM to PANW IoT Cloud
      Yes
      Required
      : "Integration Instance Name".
      Fetches available IPAM data from an Infoblox Grid Master and sends it to IoT Security.
      Wireless Network Controllers
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Aruba WLAN Controller
      Import Aruba WLC devices to PANW IoT cloud
      Yes
      Required
      : "Integration Instance Name".
      Fetches available endpoint data from an Aruba WLAN controller and sends it to IoT Security.
      PANW IoT 3rd Party Integration - Cisco WLAN Controller
      Import Cisco WLC devices to PANW IoT cloud
      Yes
      Required
      : "Integration Instance Name".
      Fetches available endpoint data from a Cisco WLAN controller and sends it to IoT Security.
      Security Information and Event Management
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Syslog Sender
      Bulk Export to SIEM - PANW IoT 3rd Party Integration
      No
      No arguments required. Sends syslogs to all configured instances.
      Retrieves all devices from IoT Security and sends them to a third-party integration instance.
      PANW IoT 3rd Party Integration - Syslog Sender
      Incremental Export to SIEM - PANW IoT 3rd Party Integration
      Yes
      No arguments required. Sends syslogs to all configured instances. Fixed poll interval is 15 minutes.
      Retrieves devices from IoT Security and sends them to a third-party integration instance.
      Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on an on-premises XSOAR server.
      Network Access Control
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Aruba ClearPass
      Incremental Export to Aruba ClearPass- PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves devices from IoT Security and sends it to a third-party integration instance. Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Aruba ClearPass
      Bulk Export to Aruba ClearPass - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves all devices from IoT Security and sends them to the third-party integration instance. Filters for IoT Security devices: Custom attributes, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Cisco ISE
      Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves devices from IoT Security and sends them to a third-party integration instance.Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Cisco ISE
      Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves all devices from IoT Security and sends them to a third-party integration instance.Filters for IoT Security devices: Custom attributes, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Cisco ISE pxGrid
      Bulk Export to Cisco ISE pxGrid - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves all devices from IoT Security and sends them to a third-party integration instance.Filters for IoT Security devices: Custom attributes, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Cisco ISE pxGrid
      Increment Export to Cisco ISE pxGrid - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves devices from IoT Security and sends them to a third-party integration instance. Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Forescout
      Incremental Export to Forescout - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Playbook Poll Interval", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves devices from IoT Security and sends them to a third-party integration instance.Filters for IoT Security devices: Custom attributes, poll interval, site names, and tag enforcement.
      PANW IoT 3rd Party Integration - Forescout
      Bulk Export to Forescout - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Optional
      : "PANW IoT Device Custom Attributes", "Site Names", and "PANW IoT In Scope Tag Enforcement".
      Retrieves all devices from IoT Security and sends it to the third party integration instance.Filters for PANW IoT devices: site name(s), custom attributes, tag enforcement.
      Vulnerability Scanning
      Integration Name
      Playbook
      Recurring Job
      Job Parameters
      Description
      Details
      PANW IoT 3rd Party Integration - Qualys
      Incremental Qualys Get Scans and Report Handling V2- PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Generates and retrieves all reports from scans generated in the last hour.
      PANW IoT 3rd Party Integration - Qualys
      Bulk Qualys Get Scans and Report Handling V2- PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Generates and retrieves all reports from scans generated in the last 30 days.
      PANW IoT 3rd Party Integration - Qualys
      Get Qualys Scanners and Profiles - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Run this job periodically to retrieve names of all scan engines, sites, and vulnerability scan templates that Qualys uses. Set the interval to run the job based on the frequency of change on the Qualys side of the integration.
      Although this job is prebuilt on a cohosted XSOAR instance and runs every 15 minutes by default, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - Qualys
      Qualys Report Handling - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Generates reports for all scans initiated from IoT Security since the last time this job was run. A typical recurring interval is every 20 or 30 minutes.
      Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - Rapid7 Nexpose
      Incremental Rapid7 Get Scans and Report Handling V2- PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Generates and retrieves all reports from scans generated in the last hour.
      PANW IoT 3rd Party Integration - Rapid7 Nexpose
      Bulk Rapid7 Get Scans and Report Handling V2- PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Generates and retrieves all reports from scans generated in the last 30 days.
      PANW IoT 3rd Party Integration - Rapid7 Nexpose
      Get Nexpose Engines, Sites and Templates - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Run this job periodically to retrieve names of all scan engines, sites, and vulnerability scan templates that Rapid7 uses. Set the interval to run the job based on the frequency of change on the Rapid7 side of the integration.
      Although this job is prebuilt on a cohosted XSOAR instance and runs every 15 minutes by default, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - Rapid7 Nexpose
      Rapid7 Nexpose Report Handling - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Generates reports for all scans initiated from IoT Security since the last time this job was run. A typical recurring interval is every 20 or 30 minutes.
      Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - Tenable.io
      Incremental Tenable Get Scans and Report Handling V2- PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Generates and retrieves all reports from scans generated in the last hour.
      PANW IoT 3rd Party Integration - Tenable.io
      Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration
      No
      Required
      : "Integration Instance Name".
      Generates and retrieves all reports from scans generated in the last 30 days.
      PANW IoT 3rd Party Integration - Tenable.io
      PANW IoT Get Tenable Scanners and Profiles - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Run this job periodically to retrieve names of all scan engines, sites, and vulnerability scan templates that Tenable uses. Set the interval to run the job based on the frequency of change on the Tenable side of the integration.
      Although this job is prebuilt on a cohosted XSOAR instance and runs every 15 minutes by default, it must be manually created on an on-premises XSOAR server.
      PANW IoT 3rd Party Integration - Tenable.io
      Tenable Report Handling - PANW IoT 3rd Party Integration
      Yes
      Required
      : "Integration Instance Name".
      Generates reports for all scans initiated from IoT Security since the last time this job was run. A typical recurring interval is every 20 or 30 minutes.
      Although this job is prebuilt on a cohosted XSOAR instance, it must be manually created on an on-premises XSOAR server.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo