Cortex Cloud by Palo Alto Networks

The Cortex Cloud Connector bridges Palo Alto Networks' cloud security platform with Qualys' risk management system, enabling organizations to ingest cloud asset and vulnerability data from Cortex Cloud into Qualys Enterprise TruRisk Management for unified visibility. Security teams gain centralized insight into compute, serverless, and container image assets across cloud environments without manual data correlation.

By automating the continuous ingestion of vulnerability findings through scheduled syncs, the connector reduces the operational burden of managing fragmented security tools and accelerates risk assessment across hybrid cloud infrastructure. This integration empowers teams to make faster remediation decisions by consolidating cloud-native threats into their existing enterprise risk management workflows.

Connector Details

High-level overview of the Cortex Cloud connector capabilities.

Vendor: Palo Alto Networks
Product Name: Cortex Cloud
Connector Category: Asset
Assets Supported: Compute, Serverless, Container Image
Finding Types Supported: Vulnerabilities and misconfigurations
Version: 1.0.0
Integration Type: API Integration (REST)
Direction: Unidirectional (Cortex Cloud to Qualys)
Incremental Sync (Delta): Supported

Connection Settings

Before configuring the connector, generate API credentials in Cortex Cloud with the required roles and scope.

User Roles and Permissions

Cortex Cloud supports two types of API keys:

  • Standard API Key
  • Advanced API Key

Required Permissions

Entity Type | Permissions | Scope
API Key | Viewer | ALL

How to Obtain the Required Permissions

Navigate to Configurations > Integrations > API Keys from the Cortex UI and create a new key.

The Advanced API Key uses a nonce, timestamp, and hashing mechanism to prevent replay attacks.
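
How the nonce, timestamp and hash combine for an Advanced key, as an added example rather than code from Qualys or Palo Alto Networks. The header names and the SHA-256 construction follow the Cortex XDR public API scheme and are assumed to apply to Cortex Cloud; `ReplayGuard` is a hypothetical receiver-side model, and its 5-minute window is an assumed value.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits

def build_headers(api_id, api_key, key_type, now_ms=None, nonce=None):
    """Return request headers for a Standard or Advanced API key."""
    if key_type == "Standard":
        # Static secret: identical on every request, so a captured copy stays valid.
        return {"x-xdr-auth-id": str(api_id), "Authorization": api_key}
    if key_type != "Advanced":
        raise ValueError("apiKeyType must be Standard or Advanced")
    nonce = nonce or "".join(secrets.choice(ALPHABET) for _ in range(64))
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    # The key itself never goes on the wire, only a hash bound to nonce + time.
    digest = hashlib.sha256(f"{api_key}{nonce}{now_ms}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(api_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(now_ms),
        "Authorization": digest,
    }

class ReplayGuard:
    """Hypothetical receiver-side check, not the vendor's implementation."""

    def __init__(self, keys, window_ms=300_000):  # window is an assumed value
        self.keys, self.window_ms, self.seen = keys, window_ms, set()

    def check(self, headers, now_ms):
        key_id = headers.get("x-xdr-auth-id")
        api_key = self.keys.get(key_id)
        if api_key is None:
            return "unknown-key"
        nonce = headers.get("x-xdr-nonce", "")
        ts = headers.get("x-xdr-timestamp", "")
        if not ts.isdigit() or abs(now_ms - int(ts)) > self.window_ms:
            return "stale-timestamp"   # an old capture is rejected on age alone
        expected = hashlib.sha256(f"{api_key}{nonce}{ts}".encode()).hexdigest()
        if not hmac.compare_digest(expected, headers.get("Authorization", "")):
            return "bad-hash"          # editing the timestamp breaks the hash
        if (key_id, nonce) in self.seen:
            return "replayed-nonce"    # same request resent inside the window
        self.seen.add((key_id, nonce))
        return "ok"
```
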

Provide the required 

Required configuration:

  • Role: Viewer > Provide the below roles

  • Scope:
    • Assets: All
    • Cases / Issues: All

Authentication Details

Provide the following values on the connector configuration screen.

Name | Key | Type | Description
Domain Name | domainName | String | Base URL of the Cortex Cloud pod (for example: cc-qualys.xdr.us.paloaltonetworks.com)
API ID | apiId | String | Generated API ID
API Key | apiKey | Encrypted String | Generated API key
API Key Type | apiKeyType | String | Standard or Advanced

Connector Configuration

Basic Details

  1. Log in to Qualys Enterprise TruRisk Management (ETM).
  2. Navigate to Connectors > Integration.
  3. Locate the Cortex Cloud Connector and click Manage.
  4. Provide a Connector Name and Description.
  5. Enter the required authentication details.
  6. Click Next.

Schedules

Profiles control what data is imported and when the connector runs.

  1. Click + to add a new profile.
  2. Provide a Name and Description.
  3. Select the required Asset Types.
  4. Enable Vulnerabilities if findings are required.
  5. Configure a Schedule:
    • Single Occurrence, or
    • Recurring with start and end date/time
  6. Click Next.

Review and Confirm

  1. Review the connector and profile configuration.
  2. Click Create to activate the connector.

How Does a Connection Work?

The Cortex Cloud connector executes based on the configured schedule or on-demand request.

  • Assets and vulnerabilities are fetched from Cortex Cloud APIs.
  • Recurring executions perform an incremental (delta) pull.
  • Data is transformed using default Cortex Cloud transformation maps.
  • Transformed data is imported into Enterprise TruRisk Management (ETM).

The Cortex Cloud Connector executes on schedule (or on-demand) based on the configured profile. On each run, the connector authenticates with the Cortex Cloud REST API, retrieves device and vulnerability records, applies the selected transform map, and imports the data into ETM.

A successfully configured connector transitions through the following states:

  • Registered: The connector is successfully created and registered to fetch data from Cortex Cloud.
  • Scheduled: The connector is scheduled to execute a connection with the vendor.
  • Processing: A connection is executing and the connector is actively fetching asset and findings data.
  • Processed: The connector has successfully fetched the assets and is completing the import of findings.

The Processed state indicates that the connector is successfully configured and the import is underway. This process may take up to 2 hours to complete.

Viewing Assets and Findings in ETM

View Assets

Navigate to Enterprise TruRisk Management > Inventory > Assets and apply the following filter:

asset.inventory:(source:"Cortex Cloud")

View Vulnerability Findings

Navigate to Risk Management > Findings > Vulnerability and apply the following filter:

finding.vendorProductName:"Cortex Cloud"

API Endpoints Used

Function | Endpoint
Assets | /public_api/v1
Vulnerabilities | /public_api/v1/issue/search

Transformation Maps

Here is the Cortex Cloud to Qualys transformation mapping for each of the supported cloud assets.

AWS EC2 Instance

Source Field Target Field
xdm.asset.type.id asset.assetDetail.computeAssetClass.services[].name
xdm.asset.name asset.assetDetail.name
tags[].key asset.assetDetail.externalTags[].key
tags[].value asset.assetDetail.externalTags[].value
externalAssetId asset.assetHeader.externalAssetId
xdm.asset.id asset.assetHeader.vendorAssetId
xdm.asset.cloud.region asset.assetDetail.cloudInfo.region
xdm.asset.realm asset.assetDetail.cloudInfo.accountId
xdm.asset.provider asset.assetDetail.cloudInfo.provider
xdm.cloud.vpc_id asset.assetDetail.computeAssetClass.cloudInstance.vpcId
xdm.cloud.zone asset.assetDetail.cloudInfo.availabilityZone
xdm.host.image asset.assetDetail.computeAssetClass.cloudInstance.imageId
xdm.host.ipv4_addresses asset.assetDetail.computeAssetClass.cloudInstance.privateIpv4Address
xdm.host.ipv4_public_addresses asset.assetDetail.computeAssetClass.cloudInstance.publicIpv4Address
FUNCTION_PICKER asset.assetDetail.operatingSystem.name
FUNCTION_PICKER asset.assetDetail.operatingSystem.osCatalog.name
xdm.host.os_distribution asset.assetDetail.operatingSystem.publisher
xdm.host.os_distribution asset.assetDetail.operatingSystem.osCatalog.publisher
xdm.host.os_family asset.assetDetail.operatingSystem.osCatalog.productFamily
FUNCTION_PICKER asset.assetHeader.status
xdm.asset.name asset.assetDetail.hostname
xdm.host.ipv4_public_addresses asset.assetDetail.network[].ipv4Addresses[]
xdm.asset.name asset.assetDetail.hostIdentity.hostname
xdm.asset.first_observed asset.assetDetail.sourceCreatedAt
xdm.asset.last_observed asset.assetDetail.sourceUpdatedAt
findings[].misconfigPolicyDescription findingGroup.findings[].findingType.misconfiguration.policy.description
findings[].misconfigPolicyTitle findingGroup.findings[].findingType.misconfiguration.policy.title
findings[].misconfigPolicyCategory findingGroup.findings[].findingType.misconfiguration.policy.type
findings[].misconfigRuleName findingGroup.findings[].findingType.misconfiguration.rule.ruleName

Azure Virtual Machine

Source Field Target Field
xdm.asset.type.id asset.assetDetail.computeAssetClass.services[].name
xdm.asset.name asset.assetDetail.name
tags[].key asset.assetDetail.externalTags[].key
tags[].value asset.assetDetail.externalTags[].value
externalAssetId asset.assetHeader.externalAssetId
xdm.asset.id asset.assetHeader.vendorAssetId
xdm.asset.cloud.region asset.assetDetail.cloudInfo.region
xdm.asset.realm asset.assetDetail.cloudInfo.accountId
xdm.asset.provider asset.assetDetail.cloudInfo.provider
FUNCTION_PICKER asset.assetDetail.operatingSystem.name
FUNCTION_PICKER asset.assetDetail.operatingSystem.osCatalog.name
xdm.host.os_distribution asset.assetDetail.operatingSystem.publisher
xdm.asset.name asset.assetDetail.hostname
xdm.asset.name asset.assetDetail.hostIdentity.hostname
xdm.host.os_distribution asset.assetDetail.operatingSystem.osCatalog.publisher
xdm.host.os_family asset.assetDetail.operatingSystem.osCatalog.productFamily
xdm.asset.first_observed asset.assetDetail.sourceCreatedAt
xdm.asset.last_observed asset.assetDetail.sourceUpdatedAt
findings[].externalAssetId findingGroup.findings[].asset.externalAssetId
FUNCTION_PICKER findingGroup.findings[].findingType.vulnerability.cveId
findings[].name findingGroup.findings[].name
findings[].external_id findingGroup.findings[].externalFindingId
findings[].category findingGroup.findings[].category
findings[].description findingGroup.findings[].description
FUNCTION_PICKER findingGroup.findings[].severity
findings[].remediation findingGroup.findings[].remediation.remediationStrategy
findings[].detection.method findingGroup.findings[].detectionMethod
findings[]._insert_time findingGroup.findings[].firstFoundOn
findings[].last_update_timestamp findingGroup.findings[].lastFoundOn
FUNCTION_PICKER findingGroup.findings[].findingStatus
findings[].misconfigPolicyDescription findingGroup.findings[].findingType.misconfiguration.policy.description
findings[].misconfigPolicyTitle findingGroup.findings[].findingType.misconfiguration.policy.title
findings[].misconfigPolicyCategory findingGroup.findings[].findingType.misconfiguration.policy.type
findings[].misconfigRuleName findingGroup.findings[].findingType.misconfiguration.rule.ruleName

GCP Virtual Machines

Source Field Target Field
xdm.asset.type.id asset.assetDetail.computeAssetClass.services[].name
xdm.asset.name asset.assetDetail.name
tags[].key asset.assetDetail.externalTags[].key
tags[].value asset.assetDetail.externalTags[].value
externalAssetId asset.assetHeader.externalAssetId
xdm.asset.id asset.assetHeader.vendorAssetId
xdm.asset.cloud.region asset.assetDetail.cloudInfo.region
xdm.asset.realm asset.assetDetail.cloudInfo.accountId
xdm.asset.name asset.assetDetail.hostname
xdm.host.ipv4_public_addresses asset.assetDetail.network[].ipv4Addresses[]
xdm.asset.name asset.assetDetail.hostIdentity.hostname
xdm.asset.provider asset.assetDetail.cloudInfo.provider
xdm.cloud.zone asset.assetDetail.cloudInfo.availabilityZone
xdm.host.image asset.assetDetail.computeAssetClass.cloudInstance.imageId
xdm.host.ipv4_addresses asset.assetDetail.computeAssetClass.cloudInstance.privateIpv4Address
xdm.host.ipv4_public_addresses asset.assetDetail.computeAssetClass.cloudInstance.publicIpv4Address
FUNCTION_PICKER asset.assetDetail.operatingSystem.name
FUNCTION_PICKER asset.assetDetail.operatingSystem.osCatalog.name
xdm.host.os_distribution asset.assetDetail.operatingSystem.publisher
xdm.host.os_distribution asset.assetDetail.operatingSystem.osCatalog.publisher
xdm.host.os_family asset.assetDetail.operatingSystem.osCatalog.productFamily
FUNCTION_PICKER asset.assetHeader.status
findings[].externalAssetId findingGroup.findings[].asset.externalAssetId
FUNCTION_PICKER findingGroup.findings[].findingType.vulnerability.cveId
findings[].name findingGroup.findings[].name
findings[].external_id findingGroup.findings[].externalFindingId
findings[].category findingGroup.findings[].category
findings[].description findingGroup.findings[].description
FUNCTION_PICKER findingGroup.findings[].severity
findings[].remediation findingGroup.findings[].remediation.remediationStrategy
findings[].detection.method findingGroup.findings[].detectionMethod
findings[]._insert_time findingGroup.findings[].firstFoundOn
findings[].last_update_timestamp findingGroup.findings[].lastFoundOn
FUNCTION_PICKER findingGroup.findings[].findingStatus
findings[].misconfigPolicyDescription findingGroup.findings[].findingType.misconfiguration.policy.description
findings[].misconfigPolicyTitle findingGroup.findings[].findingType.misconfiguration.policy.title
findings[].misconfigPolicyCategory findingGroup.findings[].findingType.misconfiguration.policy.type
findings[].misconfigRuleName findingGroup.findings[].findingType.misconfiguration.rule.ruleName

Container Image

Source Field Target Field
xdm.asset.name asset.assetDetail.name
xdm.asset.realm asset.assetDetail.cloudInfo.accountId
xdm.asset.cloud.region asset.assetDetail.cloudInfo.region
tags[].key asset.assetDetail.externalTags[].key
tags[].value asset.assetDetail.externalTags[].value
xdm.asset.first_observed asset.assetDetail.sourceCreatedAt
xdm.asset.last_observed asset.assetDetail.sourceUpdatedAt
xdm.asset.id asset.assetDetail.containerImageAssetClass.name
imageTag asset.assetDetail.containerImageAssetClass.tag
imageRegistry asset.assetDetail.containerImageAssetClass.registry
imageRepository asset.assetDetail.containerImageAssetClass.repository
xdm.asset.provider asset.assetDetail.cloudInfo.provider
xdm.image.digest asset.assetDetail.containerImageAssetClass.digest
externalAssetId asset.assetHeader.externalAssetId
xdm.asset.id asset.assetHeader.vendorAssetId
xdm.image.architecture asset.assetDetail.containerImageAssetClass.architecture
FUNCTION_PICKER asset.assetDetail.operatingSystem.name
FUNCTION_PICKER asset.assetDetail.operatingSystem.osCatalog.name
xdm.image.os_distribution asset.assetDetail.operatingSystem.publisher
xdm.image.os_release asset.assetDetail.operatingSystem.version
xdm.image.os_distribution asset.assetDetail.operatingSystem.osCatalog.publisher
xdm.image.os_release asset.assetDetail.operatingSystem.osCatalog.version
xdm.image.os_family asset.assetDetail.operatingSystem.osCatalog.productFamily
xdm.image.size asset.assetDetail.containerImageAssetClass.sizeInBytes
xdm.image.layers[].identifier asset.assetDetail.containerImageAssetClass.layers[].digest
xdm.image.layers[].instruction asset.assetDetail.containerImageAssetClass.layers[].command
xdm.image.layers[].size asset.assetDetail.containerImageAssetClass.layers[].sizeInBytes
findings[].externalAssetId findingGroup.findings[].asset.externalAssetId
FUNCTION_PICKER findingGroup.findings[].findingType.vulnerability.cveId
findings[].name findingGroup.findings[].name
findings[].external_id findingGroup.findings[].externalFindingId
findings[].category findingGroup.findings[].category
findings[].description findingGroup.findings[].description
FUNCTION_PICKER findingGroup.findings[].severity
findings[].remediation findingGroup.findings[].remediation.remediationStrategy
findings[].detection.method findingGroup.findings[].detectionMethod
findings[]._insert_time findingGroup.findings[].firstFoundOn
findings[].last_update_timestamp findingGroup.findings[].lastFoundOn
FUNCTION_PICKER findingGroup.findings[].findingStatus
findings[].misconfigPolicyDescription findingGroup.findings[].findingType.misconfiguration.policy.description
findings[].misconfigPolicyTitle findingGroup.findings[].findingType.misconfiguration.policy.title
findings[].misconfigPolicyCategory findingGroup.findings[].findingType.misconfiguration.policy.type
findings[].misconfigRuleName findingGroup.findings[].findingType.misconfiguration.rule.ruleName

Serverless - AWS LAMBDA_FUNCTION

Source Field Target Field
xdm.asset.type.id asset.assetDetail.serverlessAssetClass.serviceName
xdm.asset.name asset.assetDetail.name
tags[].key asset.assetDetail.externalTags[].key
tags[].value asset.assetDetail.externalTags[].value
externalAssetId asset.assetHeader.externalAssetId
xdm.asset.id asset.assetHeader.vendorAssetId
xdm.asset.cloud.region asset.assetDetail.cloudInfo.region
xdm.asset.realm asset.assetDetail.cloudInfo.accountId
xdm.asset.provider asset.assetDetail.cloudInfo.provider
xdm.cloud.function.name asset.assetDetail.serverlessAssetClass.functionName
xdm.cloud.function.runtime asset.assetDetail.serverlessAssetClass.runtime
xdm.asset.first_observed asset.assetDetail.sourceCreatedAt
xdm.asset.last_observed asset.assetDetail.sourceUpdatedAt
findings[].externalAssetId findingGroup.findings[].asset.externalAssetId
SPLIT(findings[].name, " ", "0") findingGroup.findings[].findingType.vulnerability.cveId
findings[].name findingGroup.findings[].name
findings[].external_id findingGroup.findings[].externalFindingId
findings[].category findingGroup.findings[].category
findings[].description findingGroup.findings[].description
LOOKUP(findings[].severity, severity_mapping, "2") findingGroup.findings[].severity
findings[].remediation findingGroup.findings[].remediation.remediationStrategy
findings[].detection.method findingGroup.findings[].detectionMethod
findings[]._insert_time findingGroup.findings[].firstFoundOn
findings[].last_update_timestamp findingGroup.findings[].lastFoundOn
LOOKUP(findings[].status.progress, status_mapping, "ACTIVE") findingGroup.findings[].findingStatus
findings[].misconfigPolicyDescription findingGroup.findings[].findingType.misconfiguration.policy.description
findings[].misconfigPolicyTitle findingGroup.findings[].findingType.misconfiguration.policy.title
findings[].misconfigPolicyCategory findingGroup.findings[].findingType.misconfiguration.policy.type
findings[].misconfigRuleName findingGroup.findings[].findingType.misconfiguration.rule.ruleName

GCP Cloud Run

Source Field Target Field
xdm.asset.type.id asset.assetDetail.serverlessAssetClass.serviceName
xdm.asset.name asset.assetDetail.serverlessAssetClass.functionName
xdm.asset.name asset.assetDetail.name
tags[].key asset.assetDetail.externalTags[].key
tags[].value asset.assetDetail.externalTags[].value
externalAssetId asset.assetHeader.externalAssetId
xdm.asset.id asset.assetHeader.vendorAssetId
xdm.asset.cloud.region asset.assetDetail.cloudInfo.region
xdm.asset.realm asset.assetDetail.cloudInfo.accountId
xdm.asset.provider asset.assetDetail.cloudInfo.provider
xdm.asset.first_observed asset.assetDetail.sourceCreatedAt
xdm.asset.last_observed asset.assetDetail.sourceUpdatedAt
findings[].externalAssetId findingGroup.findings[].asset.externalAssetId
SPLIT(findings[].name, " ", "0") findingGroup.findings[].findingType.vulnerability.cveId
findings[].name findingGroup.findings[].name
findings[].external_id findingGroup.findings[].externalFindingId
findings[].category findingGroup.findings[].category
findings[].description findingGroup.findings[].description
LOOKUP(findings[].severity, severity_mapping, "2") findingGroup.findings[].severity
findings[].remediation findingGroup.findings[].remediation.remediationStrategy
findings[].detection.method findingGroup.findings[].detectionMethod
findings[]._insert_time findingGroup.findings[].firstFoundOn
findings[].last_update_timestamp findingGroup.findings[].lastFoundOn
LOOKUP(findings[].status.progress, status_mapping, "ACTIVE") findingGroup.findings[].findingStatus
findings[].misconfigPolicyDescription findingGroup.findings[].findingType.misconfiguration.policy.description
findings[].misconfigPolicyTitle findingGroup.findings[].findingType.misconfiguration.policy.title
findings[].misconfigPolicyCategory findingGroup.findings[].findingType.misconfiguration.policy.type
findings[].misconfigRuleName findingGroup.findings[].findingType.misconfiguration.rule.ruleName
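
The SPLIT and LOOKUP expressions in the serverless maps each carry a fallback, and the sketch below applies them to sample findings and records which imported fields came from a fallback rather than from source data. It is an added example, not the connector's code: it assumes SPLIT(value, delimiter, index) returns the token at that index and LOOKUP(value, table, default) returns the default for an unmapped value, and the contents of `SEVERITY_MAPPING`, `STATUS_MAPPING` and `SAMPLES` are constructed because the page does not list them.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed tables: the page names these mappings but does not list them.
SEVERITY_MAPPING = {"LOW": "2", "MEDIUM": "3", "HIGH": "4", "CRITICAL": "5"}
STATUS_MAPPING = {"NEW": "ACTIVE", "RESOLVED": "FIXED"}

def split(value, delimiter, index):
    """Assumed SPLIT semantics: token at position `index`, else None."""
    tokens = (value or "").split(delimiter)
    i = int(index)
    return tokens[i] if i < len(tokens) and tokens[i] else None

def lookup(value, table, default):
    """Assumed LOOKUP semantics: mapped value, or `default` when unmapped."""
    return table.get(value, default)

def transform(finding):
    """Apply the three expressions and note every fallback that was taken."""
    notes = []
    cve = split(finding.get("name"), " ", "0")
    if cve is None or not CVE_RE.fullmatch(cve):
        notes.append("cveId is not CVE-shaped")
    severity = finding.get("severity")
    if severity not in SEVERITY_MAPPING:
        notes.append("severity defaulted to 2")
    progress = (finding.get("status") or {}).get("progress")
    if progress not in STATUS_MAPPING:
        notes.append("findingStatus defaulted to ACTIVE")
    return {
        "cveId": cve,
        "severity": lookup(severity, SEVERITY_MAPPING, "2"),
        "findingStatus": lookup(progress, STATUS_MAPPING, "ACTIVE"),
        "notes": notes,
    }

# Constructed sample findings: one vulnerability, one misconfiguration.
SAMPLES = [
    {"name": "CVE-0000-00001 in example-lib", "severity": "CRITICAL",
     "status": {"progress": "NEW"}},
    {"name": "Function URL allows unauthenticated access",
     "severity": "SEV_040", "status": {}},
]
```
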