# Palo Alto Networks Cortex XSIAM

Palo Alto Networks Cortex XSIAM is an extended SIEM and XDR platform that detects intrusions, malicious activity, and policy violations across endpoints, network traffic, identities, and cloud workloads. Connecting Cortex XSIAM forwards alerts and events to Radiant Security via the XSIAM REST API. Radiant uses these alerts and events for AI triage, classifying and enriching each before it reaches an analyst.

At the end of this configuration, you provide Radiant Security with the following values:

* **API Key**
* **API Key ID**
* **FQDN**

### Prerequisites

* [ ] System Admin access to Cortex XSIAM

### Generate API credentials in Cortex XSIAM

Follow the [Cortex XSIAM REST API guide](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM-REST-API/Cortex-XSIAM-Overview) to generate the three values you will provide to Radiant Security:

* **API Key**: a new key created in the Cortex XSIAM console.
* **API Key ID**: the identifier displayed alongside the API Key.
* **FQDN**: the fully qualified domain name of your Cortex XSIAM tenant, in the form `<customer>.xdr.us.paloaltonetworks.com`.

{% hint style="warning" %}
Copy the **API Key** value when it is generated. It cannot be retrieved later.
{% endhint %}

{% hint style="info" %}
If you do not see the option to add a new key, you do not have the permissions to create access keys. Sign in with a System Admin account.
{% endhint %}

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Palo Alto Cortex XSIAM REST API**, then click **Data Feeds**.
4. Under **Select your data feeds**, select the feeds to forward to Radiant: **Palo Alto Cortex XSIAM Cases** and **Palo Alto Cortex XSIAM Events**. Then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for this credential (e.g., `PAN Credentials`). To reuse an existing credential, select it from the drop-down menu.
6. Under **Required Credentials**, enter the following:
   * **API Base URL**: `https://api-<YOUR_FQDN>`, where `<YOUR_FQDN>` is the FQDN obtained in the previous section.
   * **API Key**: the API Key value copied from Cortex XSIAM.
   * **API Key ID**: the API Key ID value copied from Cortex XSIAM.
7. Click **Add Connector**.
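To check the three values before entering them in step 6, the following added example (not part of Radiant's or Palo Alto's own code) builds the API Base URL from the tenant FQDN and sends one authenticated request. It assumes the header scheme from Palo Alto's public REST API documentation (`x-xdr-auth-id`, plus a nonce and timestamp hash for Advanced keys). The `get_incidents` path, the `XSIAM_*` environment variable names, and the generalised region label are assumptions; this page does not state which key security level Radiant expects.

```python
import hashlib
import json
import re
import secrets
import string
import time
import urllib.error
import urllib.request

# Tenant FQDN shape from this page; the region label ("us") is generalised (assumption).
FQDN_RE = re.compile(r"[a-z0-9-]+\.xdr\.[a-z0-9-]+\.paloaltonetworks\.com")

def api_base_url(fqdn):
    """Normalise a pasted tenant address into the API Base URL form of step 6."""
    host = re.sub(r"^https?://", "", fqdn.strip().lower()).split("/")[0]
    if host.startswith("api-"):  # already prefixed: do not double the prefix
        host = host[4:]
    if not FQDN_RE.fullmatch(host):
        raise ValueError(f"unexpected tenant FQDN: {host!r}")
    return f"https://api-{host}"

def auth_headers(key_id, api_key, advanced=True, nonce=None, ts_ms=None):
    """Standard keys send the key as-is; Advanced keys send SHA-256(key+nonce+timestamp)."""
    headers = {"x-xdr-auth-id": str(key_id), "Content-Type": "application/json"}
    if not advanced:
        headers["Authorization"] = api_key
        return headers
    nonce = nonce or "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(64))
    ts_ms = ts_ms or int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{ts_ms}".encode()).hexdigest()
    headers.update({"x-xdr-nonce": nonce, "x-xdr-timestamp": str(ts_ms), "Authorization": digest})
    return headers

def check_credentials(fqdn, key_id, api_key, advanced=True,
                      path="/public_api/v1/incidents/get_incidents/"):  # path is an assumption
    """POST one small query and return the HTTP status (200 means the key was accepted)."""
    body = json.dumps({"request_data": {"search_from": 0, "search_to": 1}}).encode()
    req = urllib.request.Request(api_base_url(fqdn) + path, data=body, method="POST",
                                 headers=auth_headers(key_id, api_key, advanced))
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # any non-200 status: recheck the key, the key ID and the key's role

if __name__ == "__main__":
    import os  # hypothetical variable names; keep the key out of argv and source files
    print(check_credentials(os.environ["XSIAM_FQDN"], os.environ["XSIAM_KEY_ID"],
                            os.environ["XSIAM_API_KEY"]))
```

A valid key can still be rejected if its role does not permit the queried endpoint, so treat a non-200 status as a prompt to check both the values and the role.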

### Verify ingestion

After Palo Alto begins forwarding, confirm cases and events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by the `rs_connectorType` for each data feed you enabled:

<table><thead><tr><th width="339.34765625">Data feed</th><th>Filter</th></tr></thead><tbody><tr><td>Palo Alto Networks Cortex XSIAM Cases</td><td><code>rs_connectorType:"pan_cortex_xsiam_cases"</code></td></tr><tr><td>Palo Alto Networks Cortex XSIAM Events</td><td><code>rs_connectorType:"pan_cortex_xsiam_events"</code></td></tr></tbody></table>

3. Confirm recent cases and events appear for each enabled feed.

{% hint style="info" %}
Allow several minutes for cases and events to be parsed, indexed, and available for search.
{% endhint %}

