Device Configuration: Cortex XDR API

Modified on Wed, 8 Apr at 5:02 PM

Overview

Step-by-step instructions for integrating Cortex XDR with ADR using API-based connectivity. Once configured, Cortex XDR logs and alerts will be ingested into aiSIEM for real-time monitoring, threat detection, and correlation analysis.


Prerequisites

To configure the integration, the customer must provide the following details from Cortex XDR:

  • API Key

  • API Key ID

  • FQDN (Fully Qualified Domain Name)

Ensure that you have administrator access to both:

  • The Cortex XDR Console

  • The ADR UI


Generate Cortex XDR API Credentials

1. Generate API Key

  1. Log in to the Cortex XDR Console.

  2. Navigate to:
    Settings → Configurations → Integrations → API Keys

  3. Click + New Key.

  4. Choose the type of API Key you want to generate based on your desired security level: Advanced or Standard. 

  5. (Optional) Add a description or comment for the key.

  6. Assign appropriate access permissions:

    • Select from predefined Roles

    • Or choose Custom for granular permissions.

  7. Click Generate.

  8. Copy the API Key immediately — it is shown only once.

  9. Click Done to finish.

⚠️ Important: API Keys cannot be retrieved again after creation. Store them securely.

2. Retrieve the API Key ID

  1. In the API Keys section, locate your newly created key.

  2. Copy the value in the ID column.

  3. This is the value sent in the x-xdr-auth-id header (x-xdr-auth-id:{key_id}) when authenticating.

3. Retrieve the FQDN

  1. In the API Keys section, right-click your key and select View Examples.

  2. In the cURL example, locate the URL:

https://api-{fqdn}/public_api/v1/{api_category}/{api_call}/

  3. Extract the {fqdn} portion. Example:

api-xxxxxxxxxxxx.xdr.traps.paloaltonetworks.com


Configuration on ADR

  1. Log in to the ADR UI.

  2. Navigate to:
    Administration → Add-on Store

  3. Use the filter/search and select Cortex XDR.

  4. Enter the following details:

    • Access ID/Username → Enter the API Key ID.

    • Password/Secret Key → Enter the API Key.

    • CCE Host → Enter the CCE server IP address.

    • Config (JSON format) → Provide the FQDN and the key type (Advanced or Standard) in the format:

{ "fqdn": "api-xxxxxxxxxxxx.xdr.traps.paloaltonetworks.com", "key_type": "YOUR_KEY_TYPE" }

  5. Click Save to complete the configuration.


Proxy Configuration

If the CCE reaches the internet through a proxy, follow the steps below; skip this section in a non-proxy environment.

The Config (JSON format) field should then look like the following (the fqdn and key_type from the previous section are kept, and the proxy entries are added alongside them):

{
"fqdn": "api-xxxxxxxxxxxx.xdr.traps.paloaltonetworks.com",
"key_type": "Advanced",
"proxy": {
"http": "http://10.117.48.12:8080",
"https": "http://10.117.48.12:8080"
}
}
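As an added example (not the article's or Palo Alto's own code), the Python below shows what the ADR add-on has to assemble from the values collected in this article: the endpoint URL from the FQDN, the authentication headers for a Standard key (the key itself goes in Authorization) or an Advanced key (Authorization is the SHA-256 of key + nonce + timestamp, as in Palo Alto's public API documentation), and the proxies from the Config JSON. The endpoint incidents/get_incidents is a real Cortex XDR call used here as a sample; the key ID, key and timestamp values are constructed placeholders.

```python
import hashlib
import json
import secrets
import string
import time

# Constructed sample of the ADR "Config (JSON format)" field (placeholder fqdn from the article).
SAMPLE_CONFIG = json.dumps({
    "fqdn": "api-xxxxxxxxxxxx.xdr.traps.paloaltonetworks.com",
    "key_type": "Advanced",
    "proxy": {"http": "http://10.117.48.12:8080", "https": "http://10.117.48.12:8080"},
})

def api_url(fqdn, api_category, api_call):
    """Build https://api-{fqdn}/public_api/v1/{api_category}/{api_call}/ from the config fqdn."""
    host = fqdn if fqdn.startswith("api-") else "api-" + fqdn  # the article's example already has api-
    return f"https://{host}/public_api/v1/{api_category}/{api_call}/"

def auth_headers(key_type, api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Headers for the chosen key type. A Standard key travels in Authorization as-is;
    an Advanced key never leaves the client: Authorization = sha256(key + nonce + timestamp),
    so a captured request is only good for that nonce/timestamp pair."""
    headers = {"x-xdr-auth-id": str(api_key_id), "Content-Type": "application/json"}
    kind = key_type.lower()
    if kind == "standard":
        headers["Authorization"] = api_key
        return headers
    if kind != "advanced":
        raise ValueError(f"unknown key_type: {key_type}")
    if nonce is None:  # 64 random alphanumerics, as in Palo Alto's reference client
        nonce = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(64))
    if timestamp_ms is None:  # current UTC time in milliseconds
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    headers.update({"x-xdr-nonce": nonce, "x-xdr-timestamp": str(timestamp_ms), "Authorization": digest})
    return headers

def request_parameters(config_json, api_key_id, api_key, api_category, api_call):
    """Turn the ADR config field plus credentials into (url, headers, proxies) for a requests call."""
    cfg = json.loads(config_json)
    url = api_url(cfg["fqdn"], api_category, api_call)
    headers = auth_headers(cfg.get("key_type", "Standard"), api_key_id, api_key)
    return url, headers, cfg.get("proxy", {})  # proxies dict matches requests' `proxies=` argument

if __name__ == "__main__":
    # ADR_KEY_ID / ADR_API_KEY are constructed placeholders, not real credentials.
    print(request_parameters(SAMPLE_CONFIG, "ADR_KEY_ID", "ADR_API_KEY", "incidents", "get_incidents"))
```

Checking that the Advanced headers never contain the raw key is a quick way to confirm the add-on is using the hashed scheme rather than sending the secret in clear.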




Verification (MSSP Only)

On ADR UI

  1. Navigate to: System → Log/Flow Collection Status.

  2. Verify that Cortex XDR is listed and logs are being received.

On ADR CCE

  1. SSH into the CCE Server.

  2. Run:

otmdoc -s cce-addon-devices

  3. Inside the add-on container, check scheduled jobs:

crontab -l

  4. Identify the Python script associated with Cortex XDR and run it manually to confirm execution.

