> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Palo Alto Cortex XDR

> Connect Palo Alto Cortex XDR to import incident data.

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="Palo Alto Cortex XDR" recommendDelegated={true} />

## What Living Security needs

| Credential      | Description                                                        |
| --------------- | ------------------------------------------------------------------ |
| **API key**     | An Advanced API key generated from Cortex XDR Settings             |
| **API key ID**  | The numeric identifier shown next to the key in the API Keys table |
| **Tenant FQDN** | The fully-qualified hostname for your Cortex XDR tenant            |

**Scopes:** Read access to incidents (`Alerts And Incidents → View`)

**Required role:** **Instance Admin** or equivalent with API key management access; API key role should be **Viewer**

<Note>
  Living Security requires an **Advanced** API key. Standard keys do not support the incidents endpoint.
</Note>

### Prerequisites

* You must be signed in to your Cortex XDR tenant with an account that has permission to manage API keys.

***

## Part A — In Palo Alto Cortex XDR

*Your Cortex XDR administrator completes these steps.*

<Steps>
  <Step title="Navigate to API Keys">
    1. Sign in to your Cortex XDR tenant.
    2. In the left navigation, click **Settings**, then select **Configurations**.
    3. Click **API Keys**.
  </Step>

  <Step title="Copy your tenant URL">
    Before creating the key, copy your tenant FQDN:

    1. In the top-right corner of the **API Keys** page, click **Copy URL**.
    2. The copied value will be a full URL (e.g., `https://api-acme.xdr.us.paloaltonetworks.com`).
    3. Strip the `https://` prefix and any trailing slash — enter only the host.

    | Region | Host pattern                                 |
    | ------ | -------------------------------------------- |
    | US     | `api-{tenant}.xdr.us.paloaltonetworks.com`   |
    | EU     | `api-{tenant}.xdr.eu.paloaltonetworks.com`   |
    | APAC   | `api-{tenant}.xdr.apac.paloaltonetworks.com` |
  </Step>

  <Step title="Create a new API key">
    1. Click **+ New Key**.
    2. For **Key Type**, select **Advanced**.
    3. For **Role**, assign the least-privileged role with incident read access:

    | Role               | Incident access        | Notes                                    |
    | ------------------ | ---------------------- | ---------------------------------------- |
    | **Viewer**         | Read                   | Minimum required — read-only             |
    | **Investigator**   | Read                   | Suitable for SOC analysts                |
    | **Responder**      | Read + limited actions | Broader than needed                      |
    | **Instance Admin** | Full                   | Use only if restricted roles unavailable |

    <Note>
      Living Security reads incident data only. The **Viewer** role satisfies requirements and follows least-privilege best practices.
    </Note>

    4. Click **Create**.
  </Step>

  <Step title="Copy and save your API key and key ID">
    After creation:

    1. **Copy the API key value** and store it securely.
    2. Note the **Key ID** — the numeric identifier in the **ID** column (e.g., `42`).

    <Warning>
      Cortex XDR displays the API key value **only once**. If you navigate away without copying it, you must delete the key and create a new one. The Key ID remains visible in the table.
    </Warning>
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="Palo Alto Cortex XDR">
    | Field           | Value                                                                       |
    | --------------- | --------------------------------------------------------------------------- |
    | **API key**     | The key value from Part A, Step 4                                           |
    | **Tenant FQDN** | The host from Part A, Step 2 (e.g., `api-acme.xdr.us.paloaltonetworks.com`) |
    | **API key ID**  | The numeric key ID from Part A, Step 4                                      |

    <Note>
      Both the API key and API key ID are sent on every request — the key as the `Authorization` header and the key ID as the `x-xdr-auth-id` header. Both fields are required.
    </Note>

    <img src="https://mintcdn.com/livingsecurity/oVkrOMkYmNevekTI/integrations/images/palo-alto-cortex-xdr/connect-dialog.png?fit=max&auto=format&n=oVkrOMkYmNevekTI&q=85&s=5cbe32b4db8df6b3fe6884578bf365ea" alt="Living Security connect dialog for Palo Alto Cortex XDR" style={{maxWidth: "450px"}} width="576" height="486" data-path="integrations/images/palo-alto-cortex-xdr/connect-dialog.png" />
  </ConnectInPlatform>
</Steps>

You are now connected to Palo Alto Cortex XDR.

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    The API key is invalid or has been deleted. Generate a new key from **Settings → Configurations → API Keys**.
  </Accordion>

  <Accordion title="403 Forbidden">
    The API key's role is missing incident read permission. API key roles cannot be changed after creation — create a new key with a role that includes **Alerts And Incidents → View** access.
  </Accordion>

  <Accordion title="Using a Standard key instead of Advanced">
    Living Security requires an **Advanced** API key. Standard keys do not support the incidents endpoint. Delete the Standard key and create a new Advanced key.
  </Accordion>

  <Accordion title="Wrong tenant FQDN">
    Verify:

    * The host matches your Cortex XDR console URL region (US, EU, or APAC)
    * You entered only the host (no `https://` prefix, no trailing slash)
    * The tenant name in the host matches your organization
  </Accordion>

  <Accordion title="Missing API key ID">
    Both the API key and API key ID are required. The key ID is the numeric value in the **ID** column of the API Keys table.
  </Accordion>
</AccordionGroup>
