This article leads you through the process of integrating Cortex with Red Canary. Follow the procedure from beginning to end. 

Requirements

• Cortex Tenant licensed with
  • Pro Per Endpoint (PAN-XDR-ADV-EP)
  • Event Forwarding EP (PAN-XDR-EP-FRWRD)
• Cortex Version 3.3 or later 

Step 1: Cortex–Create a new Cortex profile

Create a Cortex configuration profile to begin collecting endpoint data in the Cortex Data Lake.

1. Login to the Cortex tenant that you want to connect to Red Canary.
2. From your address bar, copy the URL, and then save your Cortex Tenant Url. You’ll use this in a later step.
3. From your Cortex Homepage, click Endpoints, and then click Policy Management.
   
   
4. From the Prevention dropdown, click Profiles.
   
   
5. Scroll down, and then find the default Agent Setting profile.
6. Right-click the default Agent Settings profile.   
7. Click Save As New.
   
   
8. Enter a name for your Cortex Profile.
9. Scroll down to the XDR Pro Endpoints section, and then uncheck Use Default.
10. From the XDR Pro Endpoints Capabilities, select Enabled.
    
    
11. Click Create.
12. To apply this security profile to Endpoints, follow these steps. For more information on Endpoint Data Collected by Cortex XDR, click here.

Step 2: Cortex–Create API Key for your Service Account

Create a service account API key to allow Red Canary to pull Indicator of Compromise (IOC) and Behavioral Indicator of Compromise (BIOC) alert data, monitor endpoint health, and respond to threats with Cortex XSOAR capabilities.

1. From your Cortex Homepage, click Settings, and then click Configurations.
2. From the Integrations dropdown, click API Keys.
   
   
3. Click Copy URL, and then save your Cortex API Url. You’ll use this in a later step.
   
   
4. Click +New Key.
   
   
5. From the Security Level section, select Advanced.
6. From the Role dropdown, select Instance Administrator. 
7. Click Save.
8. Click Copy, and then save the API Key for your Service Account. You’ll use this in a later step.
   
   
9. From the list of API keys, search for the key you just created and copy the key ID number. Save the Cortex API Key ID. You’ll use this in a later step.
   
   

Step 3: Cortex–Download your Service Account JSON WEB Token

Download a consolidated package of credentials and tokens which Red Canary uses to authenticate and ingest telemetry data from the Cortex Data Lake hosted in Google Cloud Platform (GCP).

1. From your Cortex Homepage, click Settings, and then click Configurations.
   
   
2. From the Data Management dropdown, click Event Forwarding.
3. From the Activation section, click Enable Endpoints Event Forwarding. 
4. From the Destination section, click Copy, and then save your Cortex GCP Path. You’ll use this in a later step.
5. From the Destination section, click Generate and download. You’ll use this file in a later step. 

Step 4: Red Canary–Input your Cortex information

Enter your Cortex information into Red Canary to start sending Cortex telemetry to Red Canary.

1. From the Red Canary homepage, click the Integrations dropdown.
2. Click EDR Products.
3. In the search bar, type and then select Cortex Endpoint Detection & Response (EDR).
   
   
4. Click Cortex.
   
   
5. Enter a Description.
6. Enter your Cortex Tenant URL from Step 1.2.
7. Enter your Cortex API URL from Step 2.3.
8. Enter your Cortex API Key - Service Account from Step 2.8.
9. Enter your Cortex API Key ID from Step 2.9.
10. Enter your Cortex GCP Path from Step 3.4.
11. Click Choose File, and then upload your Cortex Service Account JSON Web Token from Step 3.5.
12. Click Test.
13. If you followed the steps correctly a success message will display. If there's an error, you can follow the help text in the message and make your corrections.
    
    
14. Click Save.

Step 5: Cortex Support Portal–Create a Red Canary integration user

You will need to have the Red Canary Integration user email provided to you via email from your Red Canary contact. 

Note: Red Canary will receive a time sensitive email to validate this user. Complete this step during normal business hours.

1. Login to your Cortex Customer Support Portal.
2. Locate the email from your Red Canary contact containing the integration user email. You’ll use this in a later step.
3. From your Cortex Customer Support Portal homepage, verify you are in the account you have integrated with Red Canary via the Account Selector.
   
4. Click Members.
5. Click Manage Users.
6. Click Add User to Account.
7. Enter the Red Canary integration email located in Step 5.2 via email.
8. Set the Activation Date as the current date. 
9. Do not set an Expiration Date.
10. From the Select Roles section, select Super User.
11. Click Add User to Account.
    Note: Please complete Step 6 immediately following this step.
    

Step 6: Cortex Gateway–Update the Red Canary integration user permissions

The Red Canary integration user created in Step 5.6 will automatically populate within your Cortex Gateway, however it is not given a role by default. You'll need to update the user’s role to Account Admin.

1. Navigate to your Cortex Gateway from the Customer Support Portal.
2. Click Resources.
3. Click XDR Gateway.
   
   
4. Click Permission Management.
   
   
5. Click Permissions.
6. Search for the new Red Canary user and then click the pencil to edit.
   
   
7. From the Role section, select Account Admin.
   
   
8. Click Save.
9. Click Yes on the validation window.
   
   

Red Canary will finish integrating your Cortex XDR environment by creating a viewer account and, if applicable, an Active Remediation account.