Permissions needed - Cortex XDR API Key

Hi Guys,

Looking to build out our Cortex XDR/Rapid7 integration so that I can do incident response from the Rapid7 console (Isolate Machine, run antivirus scan, etc).

I can see in the documentation that an API key is needed to connect to our Cortex XDR instance. I cannot see what permissions this API key will need.

Has anyone completed this integration already and if so could they let me know what permissions they used on the key? Or alternatively if there’s any documentation on the permissions needed that I’ve missed that would also be awesome.

I haven’t created the connection within the Palo Alto platform, so I am not sure what they are called.

If you go to this site you can look at what actions the plugin supports: Rapid7 Extensions

The permissions you give the API key should cover only the actions you intend to use.

For Endpoint Management you will need:

Get Endpoint

For Response Action you will need:

Allow List Files
Block List Files
Get Quarantine Status
Isolate Endpoints
Unisolate Endpoints

To use the Cortex plugin as a trigger, it will need permissions for incidents and alerts.

Get All Alerts
Get All Incidents

To use the XQL Query:

Start An XQL Query
Get XQL Query Results

I haven’t tested this; I just took a peek at the API docs https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API and referenced the endpoints we have actions for.

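To make the permission list above concrete, here is an added example (not code from the thread, from Rapid7, or from Palo Alto Networks) that maps each plugin action to the Cortex XDR REST API path it calls and builds the request the way an "Advanced" security-level API key requires. With an Advanced key the raw secret is never sent: the Authorization header carries SHA-256(api_key + nonce + timestamp), and the nonce and timestamp ride alongside it so the server can recompute and reject stale replays. The tenant hostname, key ID and key value are placeholders, and the API paths are as I read the public API reference; verify them against the current docs for your tenant before relying on them.

```python
"""Minimal least-privilege Cortex XDR REST API helper for the plugin actions.

Added example, not Rapid7 or Palo Alto Networks code. Host, key ID and key
value are placeholders (assumptions); paths follow the Cortex XDR REST API
reference and should be checked against the current documentation.
"""
import hashlib
import json
import secrets
import time
import urllib.request

# Placeholders (assumptions): your tenant's API hostname and an API key created
# with the "Advanced" security level and a role scoped to the actions below.
XDR_API_HOST = "api-example.xdr.us.paloaltonetworks.com"
XDR_API_KEY_ID = "1"
XDR_API_KEY = "replace-me"

# Plugin action -> REST path. A key only needs the paths its workflows call,
# so an "isolate only" key can skip the alert, incident and XQL entries.
ACTION_PATHS = {
    "get_endpoint": "/public_api/v1/endpoints/get_endpoint/",
    "isolate": "/public_api/v1/endpoints/isolate/",
    "unisolate": "/public_api/v1/endpoints/unisolate/",
    "allowlist_files": "/public_api/v1/hash_exceptions/allowlist/",
    "blocklist_files": "/public_api/v1/hash_exceptions/blocklist/",
    "quarantine_status": "/public_api/v1/quarantine/status/",
    "get_incidents": "/public_api/v1/incidents/get_incidents/",
    "get_alerts": "/public_api/v1/alerts/get_alerts_multi_events/",
    "start_xql_query": "/public_api/v1/xql/start_xql_query/",
    "get_xql_results": "/public_api/v1/xql/get_query_results/",
}


def advanced_auth_headers(key_id, api_key, nonce=None, timestamp_ms=None):
    """Headers for an Advanced-level key: the raw key never goes on the wire.

    Authorization = sha256(api_key + nonce + timestamp_ms) as lowercase hex.
    The nonce and millisecond timestamp are sent alongside so the server can
    recompute the digest and reject requests whose timestamp is stale.
    """
    nonce = nonce or secrets.token_hex(32)  # 64 random hex characters
    timestamp_ms = int(time.time() * 1000) if timestamp_ms is None else int(timestamp_ms)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def build_request(action, request_data, host=XDR_API_HOST,
                  key_id=XDR_API_KEY_ID, api_key=XDR_API_KEY):
    """Assemble URL, headers and JSON body for one plugin action.

    Every public API call wraps its parameters in a "request_data" object.
    """
    if action not in ACTION_PATHS:
        raise ValueError(f"unknown action {action!r}")
    body = json.dumps({"request_data": request_data}).encode()
    return {
        "url": f"https://{host}{ACTION_PATHS[action]}",
        "headers": advanced_auth_headers(key_id, api_key),
        "body": body,
    }


def endpoint_filter(endpoint_ids):
    """request_data for get_endpoint: select hosts by endpoint ID."""
    return {"filters": [{"field": "endpoint_id_list", "operator": "in",
                         "value": list(endpoint_ids)}]}


def isolate_payload(endpoint_ids):
    """request_data for isolate/unisolate: one or more endpoint IDs."""
    return {"endpoint_id_list": list(endpoint_ids)}


def send(req, timeout=30):
    """POST the prepared request; all Cortex XDR public API calls are POST."""
    http_req = urllib.request.Request(req["url"], data=req["body"],
                                      headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Dry run (no network): show what an isolate call would send.
    req = build_request("isolate", isolate_payload(["<endpoint-id>"]))
    print(req["url"])
    print({k: v for k, v in req["headers"].items() if k != "Authorization"})
    print(req["body"].decode())
```

The action-to-path table doubles as the change-request checklist: create one key per workflow with a role limited to the rows it uses, rather than a single key that can both read alerts and isolate hosts.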

Awesome, thanks Darrick. This is enough of a launching pad that I can create a change request to get the API key created and modify the permissions needed down the line as needed - appreciate the response.