Third-party Integrations Using Cohosted XSOAR

Use a cohosted Cortex XSOAR instance for IoT Security integration with third-party solutions.
When you buy and activate an IoT Security Third-party Integrations Add-on license, a cloud-hosted, purpose-built instance of XSOAR is generated exclusively for your IoT Security tenant at no extra charge. It enables IoT Security to integrate with both cloud-based third-party systems and—by means of an on-site XSOAR engine—with third-party systems deployed on premises. (For XSOAR engine installation instructions, refer to the “Cortex XSOAR Engine Installation” section for the third-party product being integrated with IoT Security.)
An IoT Security Third-party Integrations Add-on does not require the purchase of a full Cortex XSOAR product. After you enable the add-on, IoT Security automatically generates a cloud-hosted XSOAR instance with limited functionality (in contrast to a full Cortex XSOAR product) to assist IoT Security with the integrations it supports.
After you activate the add-on during the onboarding process, a limited, cloud-hosted Cortex XSOAR instance is generated exclusively to support third-party integrations included in the add-on. There is no extra charge for this dedicated XSOAR instance, which supports integrations with the following third-party systems:
When integrating IoT Security with one of the third-party systems, you’ll use the interface of the dedicated XSOAR instance to configure this side of the integration and the user interface of the remote system to configure the other side. The XSOAR interface has been scaled down to just those features and settings essential for IoT Security to integrate with these other systems. To access the XSOAR interface, log in to the IoT Security portal, open the Integrations page, and then click Launch Cortex XSOAR. Due to the automatic authentication mechanism that occurs between IoT Security and XSOAR when you click this link, it’s the only way to access the interface of your XSOAR instance.
If you do not see all available third-party integrations in the Cortex XSOAR interface, it's possible that your XSOAR instance hasn't been updated with the latest content pack. Content packs include code changes to the jobs and playbooks of existing integrations as well as additional new third-party integrations. To get the latest XSOAR content pack, log in to your Customer Support Portal account and create a case with your request.
Some integrations such as ServiceNow, Nuvolo, and Qualys occur completely in the cloud, from the IoT Security cloud through Cortex XSOAR to the third-party cloud. Others such as Cisco ISE, SIEM, and Aruba ClearPass occur both in the cloud and on premises. The IoT Security cloud sends data to Cortex XSOAR, which forwards it to an XSOAR engine installed on a VM on premises. The XSOAR engine then forwards the data across the network to a third-party server that’s also on premises. The following shows which integrations require an on-premises XSOAR engine when IoT Security is communicating through a cohosted XSOAR instance:
| Asset Management Integrations | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| AIMS | No (cloud-hosted AIMS instance), Yes (on-premises AIMS system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to an on-premises AIMS system |
| Microsoft SCCM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and TCP 1433 (default) to an on-premises SCCM SQL system |
| Nuvolo | No | |
| ServiceNow | No | |

| Endpoint Protection | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Cortex XDR | No | |
| CrowdStrike | No | |
| Microsoft Defender XDR | No | |
| Tanium | No (cloud-hosted Tanium), Yes (one or more on-premises Tanium servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Tanium API |

| Network Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba AirWave | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ |
| Aruba Central | No (cloud-hosted Aruba Central), Yes (one or more on-premises Aruba Central servers) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 to an on-premises Aruba Central server |
| Cisco DNA Center | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco DNA Center API |
| Cisco Meraki Cloud | No | |
| Cisco Prime Infrastructure | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 to your on-premises Cisco Prime instance |
| SNMP Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |
| Network Discovery | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SNMP on UDP 161 to local network switches |

| IP Address Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| BlueCat IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTP or HTTPS on TCP 80 or TCP 443 to your on-premises BlueCat Address Manager |
| Infoblox IPAM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to your on-premises Infoblox Grid Master API |

| Wireless Network Controllers | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 4343 (default) to the API of on-premises Aruba WLAN controllers |
| Cisco WLAN Controllers | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSH on TCP 22 (default) to on-premises Cisco WLAN controllers |

| Security Information and Event Management | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| SIEM | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and syslog event messages on UDP 514 (default) to your SIEM server |

| Network Access Control | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Aruba ClearPass | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and to the on-premises Aruba ClearPass system |
| Cisco ISE | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 and 9060 to your on-premises Cisco ISE system |
| Cisco ISE pxGrid | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and SSL on TCP 8910 (default) to your on-premises Cisco pxGrid controller/ISE system |
| Forescout | Yes | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/ and HTTPS on TCP 443 (default) to your on-premises Forescout system |

| Vulnerability Scanning | Requires an XSOAR Engine on Premises | XSOAR Engine Communications |
| --- | --- | --- |
| Qualys | No | |
| Rapid7 | No (cloud-hosted Rapid7 system), Yes (on-premises Rapid7 system) | HTTPS on TCP 443 to https://<your-domain>.iot.demisto.live/, HTTPS on TCP 3780 (default) to your on-premises Rapid7 UI, and HTTPS on TCP 8080 and 443 (default) to your on-premises Rapid7 API |
| Tenable (Tenable.io) | No | |

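
The engine communications listed above can be used to check that an XSOAR engine VM's egress rules allow exactly what the enabled integrations need. The following is an added example, not code from the original page or from the vendor: it encodes a subset of the table's default ports and audits a constructed rule set. The destination labels, the rule tuple format, and the sample rules are assumptions made for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str  # "tcp" or "udp"
    port: int
    dest: str   # hypothetical label for a destination host group

# Every engine needs HTTPS to https://<your-domain>.iot.demisto.live/
XSOAR = Flow("tcp", 443, "xsoar")

# Default on-premises flows, copied from a subset of the table rows.
ENGINE_FLOWS = {
    "Microsoft SCCM": [Flow("tcp", 1433, "sccm-sql")],
    "SNMP Discovery": [Flow("udp", 161, "switches")],
    "SIEM": [Flow("udp", 514, "siem")],
    "Cisco ISE": [Flow("tcp", 443, "ise"), Flow("tcp", 9060, "ise")],
}

def required_flows(enabled):
    """Union of flows the engine needs for the enabled integrations."""
    return {XSOAR} | {f for name in enabled for f in ENGINE_FLOWS[name]}

def covers(rule, flow):
    """rule = (proto, low_port, high_port, dest); dest "any" matches every host."""
    proto, low, high, dest = rule
    return proto == flow.proto and low <= flow.port <= high and dest in (flow.dest, "any")

def audit(enabled, rules):
    """Return (missing flows, rules serving no flow, rules wider than the flows they serve)."""
    needed = required_flows(enabled)
    missing = sorted(f for f in needed if not any(covers(r, f) for r in rules))
    unused, too_wide = [], []
    for rule in rules:
        ports = {f.port for f in needed if covers(rule, f)}
        if not ports:
            unused.append(rule)
        elif rule[3] == "any" or rule[2] - rule[1] + 1 > len(ports):
            too_wide.append(rule)
    return missing, unused, too_wide

# Constructed egress rules for an engine VM (not taken from any real firewall).
SAMPLE_RULES = [
    ("tcp", 443, 443, "xsoar"),
    ("tcp", 443, 443, "ise"),
    ("tcp", 1, 65535, "siem"),   # wrong protocol: syslog default is UDP 514
    ("udp", 161, 161, "any"),    # right port, but open to every destination
    ("tcp", 3389, 3389, "ise"),  # not needed by any enabled integration
]
```

Calling `audit(["Cisco ISE", "SIEM", "SNMP Discovery"], SAMPLE_RULES)` returns the flows the rule set fails to allow, the rules that serve no enabled integration, and the rules that are broader than the table requires.
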
After you set up IoT Security to work with a full-featured or cohosted XSOAR instance and configure some integration instances in XSOAR, various settings become available for use in the IoT Security portal. For example, options to quarantine a device and release a previously quarantined device only appear after you configure an integration instance that supports such actions.