Folders and files Name Name Last commit message
Last commit date
parent directory
View all files
Custom Integration: Cortex XDR
API Key ID and API Key required for authentication.Cortex XDR API Base URL (depends on your region).
Obtain your Cortex XDR API credentials :
Log in to Cortex XDR .
Navigate to Settings > Configurations > Integrations > API Keys .
Select + New Key .
Choose Standard as the type of API Key.
Note the API Key and API Key ID .
Find your Cortex XDR API Base URL :
Example: https://api-{fqdn}.xdr.us.paloaltonetworks.com/public_api/v1/.
(OPTIONAL) - Modify the script if needed:
Adjust API queries to filter endpoint data.
Customize attributes stored in runZero.
Create a Credential for the Custom Integration :
Go to runZero Credentials .
Select Custom Integration Script Secrets.
Enter your Cortex XDR API Key as access_secret.
Enter your Cortex XDR API Key ID as access_key.
Create the Custom Integration :
Go to runZero Custom Integrations .
Add a Name and Icon for the integration (e.g., "cortex-xdr").
Toggle Enable custom integration script to input the finalized script.
Click Validate and then Save.
Schedule the Integration Task :
Go to runZero Ingest .
Select the Credential and Custom Integration created earlier.
Set a schedule for recurring updates.
Select the Explorer where the script will run.
Click Save to start the task.
The task will appear on the tasks page.
Assets in runZero will be updated with endpoint data from Cortex XDR .
The script captures details like agent status, policies, OS version, compliance, and IPs .
Search for these assets in runZero using custom_integration:cortex-xdr.
The script retrieves all endpoints using pagination.
All attributes from Cortex XDR are stored in customAttributes.
The task can be scheduled to sync endpoint data regularly.
You can’t perform that action at this time.