Data Manager - Palo Alto XDR Adapter

Assets Data Manager is currently a Premium and Enterprise only feature, and is available only to users who have enrolled in our Early Access Program (EAP).

Introduction

Palo Alto XDR is a tool produced by Palo Alto Networks that is used for extended detection and response.

Palo Alto XDR Adapter uses an API connection to bring data into Assets Data Manager.

How do I connect this tool to Assets Data Manager?

Follow this procedure to connect this tool to Assets Data Manager using the custom-built Adapter:

  1. Gather all of the information listed in the Data Manager Fields section, such as the Name, Object class, Data Source Name, and Data Source Type.

  2. Gather all of the information in the Palo Alto XDR Fields section - this may require consultation with the subject matter expert (SME) for Palo Alto XDR.

  3. Within Data Manager:

    1. Create a new job by selecting the Adapter that matches your tool.

    2. Configure all of the required fields with the appropriate information.

  4. Within Palo Alto XDR:

    1. Follow all of the steps listed in the Authentication and Authorisation section, below, to properly configure Authentication and Authorisation.

    2. Review the information in the API Call section, below, and ensure the endpoints are available.

    3. Review the information in the Fields Retrieved section, below.

Each time this job is run, the data you have selected will be brought into Data Manager using the configured Adapter and become raw data.

Data Manager Fields

You will need to specify the following information from Assets Data Manager:

  1. Name - the name of the connection, visible as the job name in Adapters.

  2. Object Class - the name of the Object Class you want the data to be loaded into.

  3. Data Source Name - the type of data being created, which is usually the tool name, e.g. AD, Qualys, etc. Note: This can be the same as Name.

  4. Data Source Type - what type of data is the tool providing? For example, Assets, CMDB, user location and more.

Palo Alto XDR Fields

You will need to specify the following information from Palo Alto XDR:

  1. FQDN - the FQDN is a unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN.

  2. API Key - the API Key is a unique identifier used for authenticating API calls.

  3. API Key ID - the API Key ID is a unique token used to authenticate the API Key.

Authentication and Authorisation

  1. Get your Palo Alto XDR API Key.

    • In Palo Alto XDR, navigate to Settings -> Configurations -> Integrations -> API Keys.

    • Select + New Key.

    • Choose the type of API Key you want to generate based on your desired security level: Advanced or Standard.

    • If you want to define a time limit on the API key authentication, mark Enable Expiration Date and select the expiration date and time.

    • Select the desired level of access for this key. Generate the API Key.

    • Copy the API key, and then select Done.

  2. Get your Palo Alto XDR API Key ID.

    • In the API Keys table, locate the ID field.

    • Note your corresponding ID number.

  3. Get your FQDN.

    • Right-click your API key and select View Examples.

    • Copy the CURL Example URL.
      The example contains your unique FQDN: https://api-{fqdn}/public_api/v1/{name of api}/{name of call}/
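
How the FQDN, API Key and API Key ID gathered above combine into a request, as an added example that is not Atlassian's or Palo Alto's own code. The header names and the Advanced-key hash follow Palo Alto's public Cortex XDR API documentation and are assumptions here, as are the function names; the API and call names are left as parameters and nothing is sent over the network.

```python
import hashlib
import re
import secrets
import string
import time

# Header names and the Advanced-key hash follow Palo Alto's public Cortex XDR
# API documentation (an assumption here; this page does not list them).
_HOST_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)


def build_url(fqdn, api_name, call_name):
    """Fill in the URL template shown in the View Examples dialog."""
    # Accept only a bare host name: no scheme, port, path or userinfo, so the
    # key is only ever sent over HTTPS to the host derived from the FQDN.
    if len(fqdn) > 253 or not _HOST_RE.fullmatch(fqdn):
        raise ValueError(f"not a bare host name: {fqdn!r}")
    for segment in (api_name, call_name):
        if not re.fullmatch(r"[a-z0-9_]+", segment):
            raise ValueError(f"unexpected path segment: {segment!r}")
    return f"https://api-{fqdn}/public_api/v1/{api_name}/{call_name}/"


def build_headers(api_key, api_key_id, key_type, nonce=None, timestamp_ms=None):
    """Return the authentication headers for a Standard or Advanced key."""
    headers = {"x-xdr-auth-id": str(api_key_id)}
    if key_type == "standard":
        # Standard: the key itself travels in the header on every call.
        headers["Authorization"] = api_key
    elif key_type == "advanced":
        # Advanced: only SHA-256(key + nonce + timestamp) is sent, so a
        # captured header does not contain the key itself.
        if nonce is None:
            alphabet = string.ascii_letters + string.digits
            nonce = "".join(secrets.choice(alphabet) for _ in range(64))
        if timestamp_ms is None:
            timestamp_ms = int(time.time() * 1000)
        material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
        headers["x-xdr-nonce"] = nonce
        headers["x-xdr-timestamp"] = str(timestamp_ms)
        headers["Authorization"] = hashlib.sha256(material).hexdigest()
    else:
        raise ValueError("key_type must be 'standard' or 'advanced'")
    return headers
```

The nonce and timestamp_ms arguments exist only so the result can be reproduced in a check; leave them unset for real requests so each call gets fresh values.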

API Call

The API call for Palo Alto XDR is: Device.Read.All.

Fields Retrieved

The following fields are retrieved:

  • EndpointId
  • Domain
  • IsIsolated
  • EndpointName
  • Alias
  • IsolatedDate
  • EndpointType
  • FirstSeen
  • GroupNames
  • EndpointStatus
  • LastSeen
  • OperationalStatus
  • OsType
  • ContentVersion
  • ScanStatus
  • OsVersion
  • InstallationPackage
  • ContentReleaseTimestamp
  • Ips
  • InstallDate
  • LastContentUpdateTime
  • Users
  • EndpointVersion


