Cortex XDR Connector

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

To open the correct user guide for your setup and version, go to the connector's setup page and click How to connect.


Connector details

About Cortex XDR

Cortex XDR is a detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. It accurately detects threats with behavioral analytics and reveals the root cause to speed up investigations.

Support scope

Supported products

Category

Endpoint Security

Ingestion type

Assets and vulnerabilities

Ingested asset type(s)

Hosts

Cloud Resources

Integration type

Uni-directional (data is transferred from Cortex XDR to the Vulcan Platform only; nothing is written back to Cortex XDR)

Supported version and type

SaaS (latest)

Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

  • A Cortex XDR Pro per Endpoint license is required to run the integration.

  • Cortex XDR API credentials:

    • FQDN (the API FQDN of your Cortex XDR tenant)

    • API Key

    • API ID

Generating the FQDN, API key, and API ID

Follow the instructions at: Get Started with Cortex XDR APIs. When you create the key, assign it a role that grants only the read access the connector needs (endpoint and vulnerability data), and copy the key value when it is displayed, because Cortex XDR does not show it again afterwards.

Configuring the Cortex XDR connector

  1. Log in to the Vulcan ExposureOS platform and go to Connectors > Add a Connector.

  2. Click on the Cortex XDR icon.

  3. Set up the Connector as follows:

    1. If a gateway is required, refer to the Vulcan Gateway guide to configure the gateway before proceeding. If not, continue following the steps in this guide.

    2. Enter the FQDN, API key, and API ID you generated earlier.

  4. Data pulling configuration:

    This configuration has dynamic settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector.

    • Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.


  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Cortex XDR instance.

    Notes:

    • A successful connectivity test confirms only that the platform can connect to the Cortex XDR instance. It does not guarantee that the synchronization will succeed, as additional syncing or processing issues may arise.

    • If the connectivity test fails, an error message with details about the issue appears. Click the arrow next to the error message to see the exact error.

  6. Connector scheduling: Set the connector's sync time and days. By default, all days are selected.

  7. Click Create to start syncing the new connector, or Save Changes if editing an existing connector.

  8. Allow some time for the sync to complete. Then, you can review the sync status on the Connectors main page or under Connector sync logs on the connector's specific setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the Cortex XDR icon shows Connected.



Cortex XDR in the Vulcan platform

Viewing findings

To view findings (instances) ingested by the Cortex XDR connector:

  1. Go to the Findings page.

  2. Click on Filter and set the condition to Vulnerability > Source > is > Cortex XDR.


Viewing vulnerabilities

To view vulnerabilities ingested by the Cortex XDR connector:

  1. Go to the Vulnerabilities page.

  2. Click on Filter and set the condition to Vulnerability > Source > is > Cortex XDR.


Viewing assets

To view assets ingested by the Cortex XDR connector:

  1. Go to the Assets page.

  2. Click on Filter and set the condition to Asset > Source > is > Cortex XDR.


Taking action on vulnerabilities and assets

To take remediation action on vulnerabilities and assets ingested by Cortex XDR:

  1. Go to the Vulnerabilities or Assets Page.

  2. Use the Filter to view the assets/vulnerabilities by source. You can always filter by Business Group and add more filters to narrow your search.

  3. Select the relevant vulnerabilities/assets from the results list.

  4. Click on Take Action to proceed with remediation or further actions.


Automating remediation actions on vulnerabilities

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.


Data Mapping

The Vulcan Platform integrates with Cortex XDR through its API, pulling the relevant vulnerability and asset data and mapping it to the pages and fields of the Vulcan ExposureOS platform as listed in the tables below.

Host data mapping

Asset data

Cortex XDR UI field | Cortex XDR API field | Vulcan field
Asset name / endpoint_id / Cloud ID | endpoint_name / endpoint_id / cloud_instance_id | Asset uniqueness criteria
Asset name | endpoint_name | Host Name (hostname)
Operating system | operating_system | Host OS (os)
OS version | os_version | Host OS Version (os_version)
IP Address | ip | Host IP (ip)
- | public_ip | Host external IP (ip)
- | domain | Host FQDN (fqdn, if list fqdns)
MAC Address | mac_address | Host MAC addresses (mac_address)
First observed | first_seen | Host first seen (first_seen)
Last observed | last_seen | Host last report (last_seen)
External IP, Type, User | public_ip, os_type, users | Host details (added_data)
Tags | tags | Host Tags - Vendor's tags (tags)

Unique vulnerability data

Cortex XDR UI field | Cortex XDR API field | Vulcan field
- | cve_id | Unique vulnerability uniqueness criteria
CVE / Title if available | name | Vulnerability title (title)
Severity score | severity_score | Vulnerability score (cvss_score)
Description | description | Vulnerability description (description)
Type (Application / Operating system), Platform, Publication date, Last modified date, Scope | type, os_type, publication_date, modification_date | Vulnerability details (added_data)
CVE | name | CVE/S (report_item_cve)

Finding data (asset-instance connection)

Cortex XDR UI field | Cortex XDR API field | Vulcan field
- | endpoint_name, cve_id | Vulnerability instance uniqueness criteria

Vulnerability status mapping

Findings (instances) ingested from connectors are mapped into the Vulcan platform by status.

Cortex XDR status | Vulcan status
- (Cortex XDR findings carry no status field) | Vulnerable

Because Cortex XDR asset-vulnerability connections do not include a status, every connection is ingested as Vulnerable. A finding later becomes Fixed only through the status update mechanism described below, when it no longer appears in a sync.

The statuses are mapped into the Findings page > Show <status> view.


Vulnerability score mapping

Risk scores ingested from connectors are converted into numeric scores and mapped into the Vulcan platform risk score field, eventually impacting the contextualized risk calculation.

  • Based on the Severity score (severity_score) field

Cortex XDR score | Vulcan score
Critical | 10
High | 7
Medium | 5
Low | 3
- (no severity) | 0

The scores are mapped into the Score field of the Vulnerability details.

Status update Mechanisms

Every day, the Vulcan Platform syncs with Cortex XDR to receive updates on existing vulnerabilities and assets and to retrieve new ones.

The table below lists how the status update mechanism works in the Cortex XDR connector for the vulnerabilities and assets in the Vulcan Platform.

Status change | When?
The asset is archived | Asset not found on the connector's last sync; or asset not seen for X days according to "Last Seen", where X is the Asset Retention value set in the Data pulling configuration
The vulnerability instance status changes to "Fixed" | The vulnerability no longer appears in the scan findings

Note: Asset or vulnerability updates on the Cortex XDR side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
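The following script is an added example, not Vulcan or Palo Alto Networks code. It ties the three preceding sections together: it maps constructed Cortex XDR API records into the Vulcan fields named in the Data Mapping tables, applies the severity-to-score table, and works out the status changes the connector applies between two consecutive syncs (assets archived because they were missing or because last_seen fell outside the retention window; findings that become Fixed because they were no longer reported). The record shapes, the fictitious host names and CVE IDs, and the treatment of first_seen/last_seen as epoch milliseconds are assumptions, not something this page specifies.

```python
from datetime import datetime, timedelta, timezone

# Severity labels from the "Vulnerability score mapping" table; anything else -> 0.
SCORE_MAP = {"critical": 10, "high": 7, "medium": 5, "low": 3}


def vulcan_score(severity):
    """Cortex XDR severity label -> Vulcan numeric score."""
    return SCORE_MAP.get(str(severity or "").strip().lower(), 0)


def map_host(ep):
    """Cortex XDR endpoint record -> Vulcan host fields (asset key = endpoint_id)."""
    return {
        "uniqueness_key": ep["endpoint_id"],
        "hostname": ep["endpoint_name"],
        "os": ep.get("operating_system"),
        "os_version": ep.get("os_version"),
        "ip": ep.get("ip"),
        "external_ip": ep.get("public_ip"),
        "fqdn": ep.get("domain"),
        "mac_address": ep.get("mac_address"),
        "first_seen": ep.get("first_seen"),
        "last_seen": ep.get("last_seen"),
        # Fields the mapping table routes into Host details (added_data).
        "added_data": {k: ep.get(k) for k in ("public_ip", "os_type", "users")},
        "tags": ep.get("tags", []),
    }


def map_vulnerability(v):
    """Cortex XDR vulnerability record -> Vulcan unique-vulnerability fields (key = cve_id)."""
    return {
        "uniqueness_key": v["cve_id"],
        "title": v.get("name") or v["cve_id"],
        "cvss_score": vulcan_score(v.get("severity_score")),
        "description": v.get("description"),
        "added_data": {k: v.get(k) for k in
                       ("type", "os_type", "publication_date", "modification_date")},
        "report_item_cve": v.get("name"),
    }


def finding_key(endpoint_name, cve_id):
    """Vulnerability-instance uniqueness key: (endpoint_name, cve_id)."""
    return (endpoint_name, cve_id)


def sync_diff(prev_assets, curr_assets, prev_findings, curr_findings, now, retention_days):
    """Status changes after a sync, per "Status update Mechanisms".

    prev_assets/curr_assets: {uniqueness_key: mapped host} from consecutive syncs.
    prev_findings/curr_findings: sets of finding_key() tuples.
    Archived: not returned by the current sync, or last_seen older than the
    retention window. Fixed: reported last time but not this time.
    """
    cutoff = now - timedelta(days=retention_days)
    archived = {k for k in prev_assets if k not in curr_assets}
    for key, host in curr_assets.items():
        seen = host.get("last_seen")  # assumed epoch milliseconds
        if seen is not None and datetime.fromtimestamp(seen / 1000, tz=timezone.utc) < cutoff:
            archived.add(key)
    return {
        "archived": archived,
        "fixed": set(prev_findings) - set(curr_findings),
        "new": set(curr_findings) - set(prev_findings),
    }


# --- constructed sample syncs (fictitious hosts and CVE IDs) ---
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)


def _endpoint(eid, name, days_since_seen):
    seen = NOW - timedelta(days=days_since_seen)
    return {"endpoint_id": eid, "endpoint_name": name, "operating_system": "Linux",
            "os_version": "22.04", "os_type": "AGENT_OS_LINUX", "ip": "10.0.0.10",
            "public_ip": "203.0.113.10", "domain": "corp.example",
            "mac_address": "00:11:22:33:44:55", "users": ["svc"], "tags": ["prod"],
            "first_seen": int((seen - timedelta(days=90)).timestamp() * 1000),
            "last_seen": int(seen.timestamp() * 1000)}


SYNC1 = [_endpoint("e1", "web-01", 1), _endpoint("e2", "db-01", 1), _endpoint("e3", "jump-01", 1)]
SYNC2 = [_endpoint("e1", "web-01", 0), _endpoint("e2", "db-01", 45)]  # e3 gone, db-01 stale
FINDINGS1 = {finding_key("web-01", "CVE-2099-0001"), finding_key("web-01", "CVE-2099-0002"),
             finding_key("db-01", "CVE-2099-0001")}
FINDINGS2 = {finding_key("web-01", "CVE-2099-0002"), finding_key("web-01", "CVE-2099-0003")}


def run_example(retention_days=30):
    prev = {h["uniqueness_key"]: h for h in map(map_host, SYNC1)}
    curr = {h["uniqueness_key"]: h for h in map(map_host, SYNC2)}
    return sync_diff(prev, curr, FINDINGS1, FINDINGS2, NOW, retention_days)


if __name__ == "__main__":
    for change, keys in run_example().items():
        print(change, sorted(keys))
```

With a 30-day Asset Retention, db-01 is archived by date and jump-01 is archived because the second sync did not return it; raising the retention to 60 days keeps db-01. Note that a finding on an archived host still shows up in the "fixed" set, which is why a drop in findings after a sync should be read together with the archived-asset list rather than as remediation.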

API endpoints in use

API | Use in Vulcan | Permission required
- | Get the asset count and the assets themselves. | Cortex XDR Pro per Endpoint license
- | Get vulnerabilities and findings. | Cortex XDR Pro per Endpoint license


Data Validation

This section shows how to validate and compare data between Vulcan ExposureOS and the Cortex XDR platform.

Matching Asset Count

Objective: Ensure the number of endpoints (assets) in Cortex XDR aligns with the assets displayed in Vulcan.

In Cortex XDR:

  1. Go to the All Endpoints section where all endpoints are listed. These endpoints represent the assets that should be ingested into Vulcan.



In Vulcan:

  1. Go to Assets and filter by connector (Set Where → Asset → Connector to Cortex XDR).

  2. The number of assets in the filtered list in Vulcan should match the number of endpoints in Cortex XDR.

Validations if an asset is not present in Vulcan:

  • Archive by date: Ensure the asset is not archived in Vulcan based on an outdated last-seen date.

  • Archive by status: If the asset is no longer present or valid, confirm that it was removed or deleted.

  • Data pulling configuration: Verify that the relevant data-pulling configurations are correctly set on the connectors setup page. Make sure to click Save Changes if you modify the connector's setup.

Matching vulnerabilities count

Objective: Ensure the number of unique vulnerabilities in Cortex XDR aligns with Vulcan’s unique vulnerabilities.

In Cortex XDR:

  1. Go to All Assets > Vulnerability Assessment.


In Vulcan:

  1. Go to Vulnerabilities and filter by connector (Set Where → Vulnerability → Source to Cortex XDR).



Validations if vulnerability is not present in Vulcan:

  • No asset has this vulnerability: Check if the vulnerability is tied to an asset in Cortex XDR that exists in Vulcan.

Matching findings (instances) count

Objective: Ensure the total number of vulnerability instances (findings) between Cortex XDR and Vulcan is consistent.

Note: There's currently no straightforward way to confirm that an asset-vulnerability connection is aligned in the Cortex XDR platform. The only resource available is a vulnerability table, where each vulnerability includes a field labeled Affected Endpoints, listing the assets impacted by that vulnerability. To verify the numbers are consistent, users must count the assets under each vulnerability and sum them manually. Cortex XDR does not explicitly display the total number of asset-vulnerability connections (findings).

In Cortex XDR:

  1. Go to All Assets > Vulnerability Assessment.

  2. For each vulnerability, look for the Affected Endpoints field, which displays all the endpoints associated with that specific vulnerability.



In Vulcan:

  1. Go to Findings and filter by connector (Set Where → Asset → Connector to Cortex XDR).

  2. Compare the number of findings to the sum of the Affected Endpoints across all Cortex XDR vulnerabilities. The two numbers should match.

Possible discrepancies:

  • Fix or Resolution: If a vulnerability instance is fixed in Cortex XDR, you should see it on Vulcan’s Fixed screen.
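The script below is an added example for this Data Validation section; it is not Vulcan or Palo Alto Networks code. It recomputes the three numbers the section asks you to compare on each side (endpoint count, unique vulnerability count, and the manual sum of Affected Endpoints as the finding count) from constructed exports, and then classifies every endpoint or asset-vulnerability pair that Cortex XDR lists but Vulcan does not show as open using the checks above: archived by date, not present in Vulcan, or already Fixed. The export record shapes, the hostnames, the CVE IDs and the epoch-millisecond last_seen values are all assumptions.

```python
from datetime import datetime, timedelta, timezone

SOURCE = "Cortex XDR"
VULNERABLE, FIXED = "Vulnerable", "Fixed"


def xdr_counts(endpoints, vulns):
    """The three numbers read from Cortex XDR: All Endpoints, Vulnerability
    Assessment rows, and the manual sum over each row's Affected Endpoints."""
    return {
        "assets": len(endpoints),
        "vulnerabilities": len(vulns),
        "findings": sum(len(v["affected_endpoints"]) for v in vulns),
    }


def vulcan_counts(assets, vulns, findings):
    """The same numbers after filtering Vulcan by connector/source; only
    findings in the Vulnerable view take part in the comparison."""
    from_xdr = lambda r: r.get("source") == SOURCE
    return {
        "assets": sum(1 for a in assets if from_xdr(a)),
        "vulnerabilities": sum(1 for v in vulns if from_xdr(v)),
        "findings": sum(1 for f in findings if from_xdr(f) and f.get("status") == VULNERABLE),
    }


def explain_gaps(endpoints, vulns, assets, findings, now, retention_days):
    """Classify every endpoint or asset-vulnerability pair that Cortex XDR
    lists but Vulcan does not show as open, using the checks in this section."""
    cutoff = now - timedelta(days=retention_days)
    vulcan_hosts = {a["hostname"] for a in assets if a.get("source") == SOURCE}
    by_status = {}
    for f in findings:
        if f.get("source") == SOURCE:
            by_status.setdefault(f.get("status"), set()).add((f["hostname"], f["cve_id"]))
    open_, fixed = by_status.get(VULNERABLE, set()), by_status.get(FIXED, set())

    gaps = []
    for ep in endpoints:
        if ep["endpoint_name"] in vulcan_hosts:
            continue
        seen = datetime.fromtimestamp(ep["last_seen"] / 1000, tz=timezone.utc)  # assumed epoch ms
        gaps.append(("asset", ep["endpoint_name"],
                     "archived by date: last_seen older than retention" if seen < cutoff
                     else "not archived by date: check data-pulling configuration and sync logs"))
    for v in vulns:
        for host in v["affected_endpoints"]:
            key = (host, v["cve_id"])
            if key in open_:
                continue
            if key in fixed:
                reason = "Fixed in Vulcan but still listed under Affected Endpoints in Cortex XDR"
            elif host not in vulcan_hosts:
                reason = "asset not present in Vulcan"
            else:
                reason = "asset present but finding missing: check sync logs"
            gaps.append(("finding", key, reason))
    return gaps


# --- constructed exports (fictitious hosts and CVE IDs) ---
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
_ms = lambda days_ago: int((NOW - timedelta(days=days_ago)).timestamp() * 1000)

XDR_ENDPOINTS = [
    {"endpoint_name": "web-01", "last_seen": _ms(2)},
    {"endpoint_name": "db-01", "last_seen": _ms(60)},
    {"endpoint_name": "jump-01", "last_seen": _ms(3)},
]
XDR_VULNS = [
    {"cve_id": "CVE-2099-0001", "affected_endpoints": ["web-01", "db-01"]},
    {"cve_id": "CVE-2099-0002", "affected_endpoints": ["web-01"]},
]
VULCAN_ASSETS = [
    {"hostname": "web-01", "source": SOURCE},
    {"hostname": "jump-01", "source": SOURCE},
    {"hostname": "scanner-host", "source": "Other scanner"},  # excluded by the source filter
]
VULCAN_VULNS = [{"cve_id": "CVE-2099-0001", "source": SOURCE},
                {"cve_id": "CVE-2099-0002", "source": SOURCE}]
VULCAN_FINDINGS = [
    {"hostname": "web-01", "cve_id": "CVE-2099-0001", "source": SOURCE, "status": VULNERABLE},
    {"hostname": "web-01", "cve_id": "CVE-2099-0002", "source": SOURCE, "status": FIXED},
]


def run_validation(retention_days=30):
    return (xdr_counts(XDR_ENDPOINTS, XDR_VULNS),
            vulcan_counts(VULCAN_ASSETS, VULCAN_VULNS, VULCAN_FINDINGS),
            explain_gaps(XDR_ENDPOINTS, XDR_VULNS, VULCAN_ASSETS, VULCAN_FINDINGS, NOW, retention_days))


if __name__ == "__main__":
    xdr, vulcan, gaps = run_validation()
    for name in xdr:
        print(f"{name}: Cortex XDR={xdr[name]} Vulcan={vulcan[name]}")
    for gap in gaps:
        print(*gap)
```

On the constructed data the counts disagree on assets (3 vs 2) and findings (3 vs 1), and the classification attributes the whole gap to one endpoint aged out by the 30-day retention and one finding that Vulcan already shows as Fixed. Running the same check with a 90-day retention flips the db-01 explanation to "not archived by date", which is the cue to look at the data-pulling configuration and the sync logs instead.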
