Cortex XDR Connector
The Cortex XDR Connector integrates endpoint asset data from Cortex XDR into Qualys Enterprise TruRisk Management (ETM). The connector pulls endpoint (host) information so that endpoint telemetry and asset inventory from Cortex XDR can be analyzed alongside other enterprise findings in ETM.
The Cortex XDR Connector is available on demand. To activate it for your subscription, please contact your Technical Account Manager (TAM) or Qualys Support.
Connector Details
High-level details for the Cortex XDR connector.
Vendor | Palo Alto Networks (Cortex XDR) |
Product Name | Cortex XDR |
Category | Risk Source |
Findings Supported | Assets (Endpoints). Vulnerabilities / findings: N/A (not specified in source) |
Assets Supported | Endpoints / Hosts |
Version | N/A |
Integration Type | API Integration (REST) |
Direction | N/A |
Delta Support | N/A |
Connection Settings
Before creating the connector, gather the required Cortex XDR credentials and confirm account role settings.
User Roles and Permissions
Requirements (from source):
- API Key role must be Viewer.
- API Key Security Level should be Standard.
- You must supply the Cortex XDR FQDN (for example, https://api-<fqdn>).
Authentication Details
Provide these values on the connector configuration screen.
Name | Key | Type | Example |
---|---|---|---|
Base URL | api_base_url | String | e.g. https://api-<fqdn> |
API Token | api_token | Encrypted String | API token generated from Cortex XDR |
API Key ID | api_key_id | String | API Key ID generated alongside the API key |
Reference: Cortex XDR REST API documentation.
Connector Configuration
Steps to create the Cortex XDR connector in ETM.
- Log in to Qualys ETM.
- Navigate to Connectors App > Integration tab.
- Locate Cortex XDR Connector and click Manage.
- Under Basic Details, provide a valid Connector Name and Description.
- Select the type of findings: Assets / Host Asset.
- Enter authentication details: Base URL, API Token, and API Key ID.
Mapping Details
Data Model
The Cortex XDR connector provides an out-of-the-box data model for mapping Cortex endpoint attributes to the Qualys ETM schema. The source document references the data model but does not list explicit field mappings; view the data model in the ETM UI for exact fields.
Transform Maps
Default transform maps are provided. You can create or clone maps to customize field transformations from Cortex XDR to ETM.
- Click Create New to add a transform map.
- Provide Transform Map Name, choose Source Data Model, and choose Target Data Model.
- Save the transform map; you may also clone the default and edit mappings as required.
Data Model Mapping - Assets
Source Field | Target Field |
---|---|
Endpoint ID | externalAssetId |
Endpoint Name | assetName |
Operating System | operatingSystemName |
OS Version | operatingSystemVersion |
Domain | domain |
Endpoint Type | System Type |
First Seen | firstFoundDate |
All IP Array | ipAddress |
IP | ipv4Address |
IPv6 | ipv6Address |
Mac Address | macAddress |
Profiles
Create profiles to control what the connector imports and when it runs.
- Click + to create a new profile.
- Provide Name and Description.
- Select the required Transform Map.
- Set the profile Status (Active / Inactive).
- Configure a Schedule: either a Single Occurrence or Recurring schedule (provide start/end dates/times).
View Assets in ETM
After a successful run, Cortex XDR assets appear in ETM's Inventory:
Assets: Enterprise TruRisk Management > Inventory > Assets > Host. Use the tag filter: tags.name:"Cortex XDR".
API Reference
APIs referenced in the source document for data fetch. Use the Base URL entered in the connector when calling these endpoints.
API Function | Endpoint | Notes |
---|---|---|
Fetch Endpoints (Assets) | https://api-qualys-cortex-partner.xdr.us.paloaltonetworks.com/public_api/v1/endpoints/get_endpoint | Max batch size: 100 (as listed in source) |
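A pre-flight sketch for the connector settings and API call above, added here as an example and not Qualys or Palo Alto Networks code: it builds (without sending) a paged get_endpoint request for a Standard-level key and renames a record according to the Assets mapping. The header names, the request_data paging keys and the Cortex JSON key names are assumptions drawn from the Cortex XDR REST API rather than from this page; the host, credentials and sample record are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

BATCH = 100  # max batch size this page lists for get_endpoint
PATH = "/public_api/v1/endpoints/get_endpoint"

# Subset of the page's Assets mapping. Left-hand Cortex JSON keys are assumptions.
FIELD_MAP = {
    "endpoint_id": "externalAssetId",
    "endpoint_name": "assetName",
    "operating_system": "operatingSystemName",
    "os_version": "operatingSystemVersion",
    "domain": "domain",
    "first_seen": "firstFoundDate",
    "ip": "ipv4Address",
    "ipv6": "ipv6Address",
    "mac_address": "macAddress",
}

def build_request(base_url, api_key_id, api_token, search_from=0):
    """Build, but do not send, one page request for a Standard-level API key."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Base URL must be https:// so the token is never sent in clear")
    headers = {  # assumed Standard-key headers: key ID plus the raw token
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_token,
        "Content-Type": "application/json",
    }
    body = {"request_data": {"search_from": search_from,
                             "search_to": search_from + BATCH}}
    return f"https://{parts.netloc}{PATH}", headers, body

def page_offsets(total_count):
    """search_from offsets needed to read total_count endpoints in BATCH-sized pages."""
    return list(range(0, total_count, BATCH))

def to_etm(endpoint):
    """Rename one endpoint record to ETM target fields, dropping unmapped keys."""
    return {dst: endpoint[src] for src, dst in FIELD_MAP.items() if src in endpoint}

# Constructed sample record, not real Cortex XDR output.
SAMPLE = {"endpoint_id": "constructed-0001", "endpoint_name": "lab-host-01",
          "operating_system": "Windows 10", "domain": "example.test",
          "endpoint_status": "CONNECTED"}

if __name__ == "__main__":
    url, headers, body = build_request("https://api-example.invalid", "1", "PLACEHOLDER_TOKEN")
    print(url, json.dumps(body))
    print(page_offsets(250), to_etm(SAMPLE))
```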
Additional Resources
Identification Rules
Identification Rules are the Qualys CSAM precedence rules used to match imported findings to ETM assets. The Cortex connector uses these rules as configured in ETM. You may proceed without changes, but ensure at least one rule is enabled.
Connector Status
After creation, connector lifecycle states in ETM include: Registered, Scheduled, Processing, and Processed. Processing time depends on data volume, and a full asset import may take some time.