1. Accessing the Configuration Area
In the Cortex XDR main menu, click on the Configurations section on the left. From there, open Integrations → API Keys. In this area, you can view previously created API keys.
2. Creating a New API Key
Click the New Key button at the top right. The Generate API Key screen will appear. Configure the following settings:
Security Level
Select Standard. This option makes the API key usable as-is, which is especially suitable for curl, Postman, and SIEM integrations. The Advanced option provides additional protection against replay attacks but requires extra hashing and timestamp handling. At this stage, it’s not needed.
Role
Select Viewer. This role allows read-only, authorized viewing. For adding sources, data manipulation, or deletion, a higher role may be required, but for log/alert retrieval, Viewer is sufficient.
3. Authorization and Component Selection
Configure permissions in the Components section. Set Incident Response → Alerts & Incidents to View. This allows SIEM or external systems to read incidents and alerts from Cortex XDR. Leave all other components at their default (None) since only alert/log retrieval is needed.
You can obtain the XDR Auth ID from the screen that appears after creating the API key.
Afterwards, log in to Logsign USO and add the source using the information you have obtained.
When filling in the Host field, do not include the https:// part. Enter only the bare hostname.
For example, it must be written exactly like this:
api-te.xdr.eu.paloaltonetworks.com
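The following is an added example, not part of the original guide and not Palo Alto or Logsign code. It shows what the Security Level choice in step 2 changes in the request headers, and how a pasted URL is reduced to the bare hostname the Host field expects. The header names and the SHA-256 over key + nonce + timestamp are taken from Palo Alto's public API documentation as an assumption here; the function names, key and Auth ID values are hypothetical placeholders.

```python
# Added example. Header scheme assumed from Palo Alto's public API docs;
# function names and credential values are hypothetical placeholders.
import hashlib
import secrets
import string
import time
from urllib.parse import urlsplit


def normalize_host(value):
    """Reduce a pasted URL to the bare hostname (no scheme, path or port)."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    if not parts.hostname:
        raise ValueError("no hostname in %r" % value)
    return parts.hostname


def standard_headers(api_key, auth_id):
    """Standard key: the key itself is sent, identical on every request."""
    return {"x-xdr-auth-id": str(auth_id), "Authorization": api_key}


def advanced_headers(api_key, auth_id, nonce=None, timestamp_ms=None):
    """Advanced key: send SHA-256(key + nonce + timestamp), never the key."""
    alphabet = string.ascii_letters + string.digits
    nonce = nonce or "".join(secrets.choice(alphabet) for _ in range(64))
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {
        "x-xdr-auth-id": str(auth_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": hashlib.sha256(material).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    key, auth_id = "EXAMPLE-KEY-NOT-REAL", 42
    print(normalize_host("https://api-te.xdr.eu.paloaltonetworks.com/"))
    print(standard_headers(key, auth_id))
    print(advanced_headers(key, auth_id))
```

Because a Standard key travels unchanged in every request, anyone who captures the header can reuse it, so the Viewer role and the single View permission from step 3 are what limit the exposure.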