What is Palo Alto Networks Device Security with a Cohosted, limited-featured Cortex XSOAR instance?

Created On 12/16/24 19:10 PM - Last Modified 06/10/25 22:58 PM


Question


What is Palo Alto Networks Device Security with a Cohosted, limited-featured Cortex XSOAR instance?



Environment


Palo Alto Networks Device Security with a Cohosted, limited-featured Cortex XSOAR 6 instance



Answer


The following gives background on Palo Alto Networks Device Security and the different methods of IoT integration with Cortex XSOAR, followed by details on the Cohosted, limited-featured Cortex XSOAR instance.

Palo Alto Networks Device Security - Integrate with Third-party Systems

In addition to coordinating with Palo Alto Networks next-generation firewalls, Device Security integrates with third-party systems, augmenting their inventory, network management, network security, and vulnerability detection by making them IoT aware and by gathering device and network data from other sources to enrich its own inventory and capabilities.

There are three options for Device Security to leverage Cortex XSOAR technology to integrate with third-party systems; they are listed below. More information about these options is available in the Device Security Integration Guide and Third-party Integrations Using Cohosted XSOAR.

Device Security with a Cohosted, limited-featured Cortex XSOAR instance

If you want to integrate Device Security with third-party systems but do not have a Cortex XSOAR server, you can buy a Device Security Third-party Add-on license, which comes with an automatically generated, cloud-hosted Cortex XSOAR module. Additional information for this option can be found at Third-party Integrations Using Cohosted XSOAR.

Device Security with a full-featured Cortex XSOAR server

If you already have a full-featured Cortex XSOAR server deployed on premises or in the cloud, you can use that to integrate Device Security with third-party systems without needing to buy an add-on license and use a limited cloud-hosted Cortex XSOAR module. The setup of a full-featured XSOAR server to work with Device Security is described in Third-party Integrations Using a Full-featured XSOAR Server.

Cortex XSOAR with access to the Device Security API

If you have a Cortex XSOAR instance and your goal is to integrate it with Device Security, check the Palo Alto Networks IoT integration guide, which explains how to configure the integration on the XSOAR instance and run the integration commands.

How to find out the Serial Number of Cohosted Cortex XSOAR instance

When using a Cohosted, limited-featured Cortex XSOAR instance, you can find out the serial number of the XSOAR instance using the Knowledgebase article: How to find out the Serial Number of a IoT Co-Hosted Cortex XSOAR instance
 

Additional details on Device Security with Cohosted, limited-featured Cortex XSOAR

 

Post Deployment


Single Sign on

Once the XSOAR instance is up, the IoT side (a CronJob) sets up SSO. This allows customers to log into XSOAR only via the launch button on the IoT UI. This involves setting up the "SAML 2.0" integration on the XSOAR instance.
Note: End users can only access the XSOAR instance through the IoT UI. If the SAML integration is disabled, the launch button will not work. IoT also provides an option to download XSOAR logs directly via the IoT UI.
 

Pre-Populating Jobs and Integration instances


Another set of actions done post deployment is creating integration instances and jobs with specific parameters for customers on XSOAR. These actions are shared between the XSOAR ops team and the IoT backend team. In addition to adding integration instances, the XSOAR ops team also creates the IoT Role for customers, which defines user privileges and UI access limitations.
 

Limited XSOAR functionality

When users log into the XSOAR via the IoT portal through SSO they are assigned a special IoT role. Some noteworthy limitations enforced by this role:
      • Users can only access Settings and Jobs pages
      • Users are not allowed to download XSOAR logs - IoT UI has a dedicated button to download logs
      • Users do not have access to the Marketplace
      • Users cannot run any XSOAR commands via CLI
      • Users cannot set configuration flags


Content pack and Upgrades

 

Content pack management

IoT manages its own content packs, and these packs are not available on the XSOAR Marketplace. Once developers have a content pack ready, they upload it to "staging", which is an AWS S3 location (s3://contentpack-staging/). A golden image is created based on the IoT-provided content packs and used to deploy the XSOAR instances. All new customers get the latest content in this way. For existing customers, the IoT team has Jenkins jobs (one for each IoT region) that programmatically upload the IoT content packs via API to all existing customer XSOAR instances.

For existing customers of XSOAR, IoT requires them to download the content packs via the IoT UI and upload them manually. The customer needs to set the "content.pack.verify" flag to "false" and upload the packs manually. Reference: https://docs.paloaltonetworks.com/iot/iot-security-integration/get-started-with-iot-security-integrations/third-party-integrations-using-a-full-featured-xsoar-server

 
XSOAR Server upgrades
Currently, XSOAR 6.X upgrades are done on an ad hoc basis. IoT displays a UI notification message to inform users of downtime during the specified outage window.
 

Licensing

IoT supports third-party integrations via a 3P add-on license or if the customer is already an existing XSOAR customer. The 3P add-on license comes in the following flavors:
      • Advance - Customers can have unlimited integrations
      • Basic - Customers can only enable 3 integrations at a time

For existing XSOAR customers, IoT does not require a license for integration. All license enforcement is done inside the playbooks.


