Skip to main content

What Living Security needs

Scopes: Read access to incidents (Alerts And Incidents → View) Required role: Instance Admin or equivalent with API key management access; API key role should be Viewer
Living Security requires an Advanced API key. Standard keys do not support the incidents endpoint.

Prerequisites

  • You must be signed in to your Cortex XDR tenant with an account that has permission to manage API keys.

Part A — In Palo Alto Cortex XDR

Your Cortex XDR administrator completes these steps.
1

Navigate to API Keys

  1. Sign in to your Cortex XDR tenant.
  2. In the left navigation, click Settings, then select Configurations.
  3. Click API Keys.
2

Copy your tenant URL

Before creating the key, copy your tenant FQDN:
  1. In the top-right corner of the API Keys page, click Copy URL.
  2. The copied value will be a full URL (e.g., https://api-acme.xdr.us.paloaltonetworks.com).
  3. Strip the https:// prefix and any trailing slash — enter only the host.
3

Create a new API key

  1. Click + New Key.
  2. For Key Type, select Advanced.
  3. For Role, assign the least-privileged role with incident read access:
Living Security reads incident data only. The Viewer role satisfies requirements and follows least-privilege best practices.
  1. Click Create.
4

Copy and save your API key and key ID

After creation:
  1. Copy the API key value and store it securely.
  2. Note the Key ID — the numeric identifier in the ID column (e.g., 42).
Cortex XDR displays the API key value only once. If you navigate away without copying it, you must delete the key and create a new one. The Key ID remains visible in the table.

Part B — In the Living Security Platform

The program owner completes this step, or the system admin if using delegated setup.
1
You are now connected to Palo Alto Cortex XDR.

Troubleshooting

The API key is invalid or has been deleted. Generate a new key from Settings → Configurations → API Keys.
The API key’s role is missing incident read permission. API key roles cannot be changed after creation — create a new key with a role that includes Alerts And Incidents → View access.
Living Security requires an Advanced API key. Standard keys do not support the incidents endpoint. Delete the Standard key and create a new Advanced key.
Verify:
  • The host matches your Cortex XDR console URL region (US, EU, or APAC)
  • You entered only the host (no https:// prefix, no trailing slash)
  • The tenant name in the host matches your organization
Both the API key and API key ID are required. The key ID is the numeric value in the ID column of the API Keys table.