This article contains information on integrating Human Risk with Palo Alto Networks Cortex XDR to enhance user risk management through real-time malware incident ingestion, user behavior insights, and simplified onboarding for proactive cybersecurity.
Overview
The integration of Human Risk with Palo Alto Networks Cortex XDR marks a significant advancement in proactive cybersecurity and human risk management. By ingesting real-time malware-related endpoint incidents from Cortex XDR, organizations can enhance their visibility into user behavior, update user risk scores, and implement targeted security awareness interventions. This integration is designed to be forward-looking, processing only new incidents from the point of activation onward, thereby preserving the integrity of historical user scores and simplifying onboarding.
Key Features:
- Real-Time Data Ingestion: Periodic retrieval of malware incidents ensures up-to-date risk scoring.
- User Behavior Insights: Incidents are correlated with specific users, enabling targeted interventions.
- Simplified Onboarding: Only new incidents are ingested, avoiding complications with historical data.
- Scalability: The platform is designed to handle high event volumes, with future enhancements planned for additional endpoint security integrations.
Considerations
Implementing this integration requires careful attention to several operational and strategic factors:
- No Historical Data: Only incidents occurring after integration are ingested; historical user scores remain unchanged.
- True Positives Only: Only confirmed true positive incidents are processed, ensuring accuracy in risk scoring.
- Availability: Accessible to all Engage customers on Cloud Gateway, including trial users and those with the Human Risk Command Center.
- Data Visibility Delay: Malware-related scores appear in the Human Risk Dashboard within 24 hours of ingestion.
- Unidirectional Flow: Data flows from Cortex XDR to Human Risk only; no feedback or automated actions are sent back.
Prerequisites
To deploy the integration successfully, the following prerequisites must be met:
- Cortex XDR Product: Must have a Cortex XDR product with Endpoint Detection and Response (EDR) capabilities.
- Platform Access: Access to the Integration Hub in AdCon, available to Engage license holders or Human Risk Command Center users.
- Administrative Roles: Only users with specific roles can configure the integration.
Permissions
The integration is secured through robust permission controls:
- API Credentials: The API Key must be created with the Advanced security level and Viewer permissions, which limits the integration to read-only access to incident data.
- Role-Based Access: Only authorized users (see Prerequisites) can add, edit, or delete the integration.
- Credential Security: API credentials are securely masked during input and should be stored in a secure vault.
- Access Control: Configuration changes are restricted to designated administrative roles.
- Supported Administrative Roles:
  - Global Sys Admin
  - Sys Admin - SD Full
  - Super Administrator
  - Full Administrator
  - Basic Administrator
  - Partner Administrator
  - Custom roles with Integrations Marketplace Read/Write enabled
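To make the Permissions and Overview points concrete, the following added example (my own illustration, not Mimecast's or Palo Alto Networks' code) shows what a read-only client does with an Advanced security-level Cortex XDR key: it sends a per-request SHA-256 of key + nonce + timestamp rather than the raw key, asks only for incidents created after the activation time, and keeps only incidents resolved as true positives. The mapping of the tile's Client ID / Client Secret / Base URL fields to the key ID, key and API FQDN, and the incident status value, are assumptions.

```python
"""Illustrative read-only Cortex XDR incident pull, matching the integration's stated behaviour."""
import hashlib
import json
import secrets
import string
import time

# Assumed mapping of the tile's form fields to the Cortex XDR API key parts:
#   Client ID     -> API key ID   (sent as x-xdr-auth-id)
#   Client Secret -> API key      (Advanced security level, Viewer role)
#   Base URL      -> the tenant's API FQDN, e.g. https://api-<tenant>.xdr.<region>.paloaltonetworks.com


def advanced_auth_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Headers for an Advanced security-level key: the raw key never leaves the client,
    only sha256(key + nonce + timestamp) travels in the Authorization header."""
    if nonce is None:
        nonce = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
    }


def new_incidents_request(activation_ts_ms, search_from=0, page_size=100):
    """Body for POST /public_api/v1/incidents/get_incidents/ that returns only incidents
    created at or after activation, i.e. the forward-looking ingestion the article describes."""
    return {"request_data": {
        "filters": [{"field": "creation_time", "operator": "gte", "value": activation_ts_ms}],
        "search_from": search_from,
        "search_to": search_from + page_size,
        "sort": {"field": "creation_time", "keyword": "asc"},
    }}


def select_true_positives(incidents):
    """Keep only analyst-confirmed true positives (status value assumed from the XDR incident schema)."""
    return [i for i in incidents if i.get("status") == "resolved_true_positive"]


# Constructed sample response fragment; not data from any real tenant.
SAMPLE_INCIDENTS = [
    {"incident_id": "1", "status": "resolved_true_positive", "creation_time": 1700000001000},
    {"incident_id": "2", "status": "resolved_false_positive", "creation_time": 1700000002000},
    {"incident_id": "3", "status": "new", "creation_time": 1700000003000},
]

if __name__ == "__main__":
    print(json.dumps(advanced_auth_headers("12", "constructed-secret"), indent=2))
    print(json.dumps(new_incidents_request(1700000000000), indent=2))
    print([i["incident_id"] for i in select_true_positives(SAMPLE_INCIDENTS)])
```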
Integration Configuration
- Log in to the Mimecast Administrator Console.
- Navigate to Integrations | Integrations Hub.
- Click Configure New on the Palo Alto Networks Cortex XDR tile.
- Fill in the following:
  - Details: Application Name, Description
  - Activate: Client ID, Client Secret, Base URL
- After filling in the details, click Save.
- A pop-up message confirming the success of the integration will display.
- Once the integration has been successfully configured, navigate back to the Palo Alto Networks Cortex XDR tile and click View.
- Once the integration is successful, refresh and the status will change to Connected.
- While on the Mimecast Administrator Console, navigate to Human Risk Command Center | Dashboard.
- The newly integrated Cortex XDR source will appear under Human Risk Behaviors | Malware.
- Click the drop-down to expand Malware under Human Risk Behaviors.
- Then, once expanded, click View Details.
- You can view a list of Events over time, Individual Performance, Score Breakdown, and the Latest Events for Malware.
- To view the user's individual recorded events and score, click on the Malware tab.
- The individual recorded events will display.
Comments
Cortex XDR API key with Mimecast Human Risk does not function correctly despite following instructions to a T for key permissions.