WIP - PACXDR connector

baton/_release-notes.mdx

@@ -3,7 +3,7 @@ title: "Connector release notes"
 sidebarTitle: "Release notes"
 description: "Here you'll find the latest on new connectors, connector updates, and other connector news from C1."
 ---
-{/* OpenAI */}
+{/* Cortex XDR */}
 {/* No connector release notes for week of January 9, 2026 */}
 
 <Update label="January 2, 2026">

baton/capabilities.mdx

@@ -165,6 +165,8 @@ og:description: "A quick reference for how each connector can be set up and what
 | [Oracle Identity Cloud Service](/baton/oracle-idcs) | <Icon icon="cloud" /> <Icon icon="plug" /> | <Icon icon="key"  /> <Icon icon="user" /> <Icon icon="face-confused"  /> |  |
 | [Outreach](/baton/outreach) | <Icon icon="cloud" /> <Icon icon="plug" /> | <Icon icon="key"  /> <Icon icon="user" /> <Icon icon="face-confused"  /> |  |
 | [PagerDuty](/baton/pagerduty) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
+| [Palo Alto Networks Cortex XDR](/docs/baton/palo-alto-cortex) | <Icon icon="cloud" /> <Icon icon="plug" /> | <Icon icon="key"  /> | |
+| [Palo Alto Networks Cortex XSOAR](/docs/baton/xsoar) | <Icon icon="cloud" /> <Icon icon="plug" /> | | |
 | [PandaDoc](/baton/panda-doc) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
 | [Panther](/baton/panther) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
 | [Paylocity](/baton/paylocity) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
@@ -229,7 +231,6 @@ og:description: "A quick reference for how each connector can be set up and what
 | [Workday Account](/baton/workday-wql) | <Icon icon="cloud" /> <Icon icon="plug" /> | <Icon icon="key"  /> |  |
 | [Workday](/baton/workday) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
 | [Xero](/baton/xero) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
-| [XSOAR](/baton/xsoar) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
 | [YouTrack](/baton/youtrack) | <Icon icon="cloud" /> <Icon icon="plug" /> |  |  |
 | [Zendesk v1](/baton/v1/zendesk) | <Icon icon="cloud" /> |  |  |
 | [Zendesk v2](/baton/zendesk-v2) | <Icon icon="cloud" /> <Icon icon="plug" /> | <Icon icon="key"  /> <Icon icon="user" /> <Icon icon="face-confused"  /> |  |

baton/intro.mdx

@@ -199,6 +199,8 @@ You can build it yourself, or we can build it for you. Whether it’s API-based,
   - [Oracle Utilities Work and Asset Cloud Service](/baton/oracle-idcs) 
   - [Outreach](/baton/outreach)
   - [PagerDuty](/baton/pagerduty) 
+  - [Palo Alto Networks Cortex XDR](/docs/baton/palo-alto-cortex)
+  - [Palo Alto Networks Cortex XSOAR](/docs/baton/xsoar)
   - [PandaDoc](/baton/panda-doc)    
   - [Panther](/baton/panther)
   - [Paylocity](/baton/paylocity)  
@@ -257,7 +259,6 @@ You can build it yourself, or we can build it for you. Whether it’s API-based,
   - [Workday](/baton/workday)
   - [Workday Account](/baton/workday-wql)
   - [Xero](/baton/xero)
-  - [XSOAR](/baton/xsoar)
   - [YouTrack](/baton/youtrack) 
   - [Zendesk](/baton/zendesk-v2) 
   - [ZipHQ](/baton/ziphq)
@@ -270,6 +271,7 @@ You can build it yourself, or we can build it for you. Whether it’s API-based,
 
 <Tab title="New this month" >
 
+- [Palo Alto Networks Cortex XDR](/docs/baton/palo-alto-cortex)
 - [OpenAI](/baton/openai)
 - [Valimail](/baton/valimail)
 - [ZipHQ](/baton/ziphq)
@@ -492,11 +494,12 @@ You can build it yourself, or we can build it for you. Whether it’s API-based,
 - [CloudAMQP](/baton/cloudamqp)
 - [Cloudflare](/baton/cloudflare-v2)
 - [Cloudflare Zero Trust](/baton/cloudflare-zero-trust)
-- [Cortex XSOAR](/baton/xsoar)
 - [CrowdStrike](/baton/crowdstrike)
 - [DigiCert CertCentral](/baton/digicert-certcentral)
 - [Fastly](/baton/fastly)
 - [Jamf](/baton/jamf)
+- [Palo Alto Networks Cortex XDR](/docs/baton/palo-alto-cortex)
+- [Palo Alto Networks Cortex XSOAR](/docs/baton/xsoar)
 - [Panther](/baton/panther)
 - [PrivX](/baton/privx)
 - [Rapid7](/baton/rapid7)

baton/palo-alto-cortex.mdx

@@ -0,0 +1,238 @@
+---
+title: Set up a Palo Alto Networks Cortex XDR connector
+og:title: Set up a Palo Alto Networks Cortex XDR connector - ConductorOne docs
+og:description: Integrate your Cortex XDR instance with ConductorOne to run user access reviews, enable just-in-time access requests, and easily provision and deprovision access.
+description: ConductorOne provides identity governance and just-in-time provisioning for Cortex XDR. Integrate your Cortex XDR instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.
+sidebarTitle: "Palo Alto Networks Cortex XDR"
+---
+
+## Capabilities
+
+| Resource     | Sync | Provision |
+| :--- | :--- | :--- |
+| Accounts     | <Icon icon="square-check" iconType="solid"  color="#65DE23"/>   |           |       
+| Roles     | <Icon icon="square-check" iconType="solid"  color="#65DE23"/>    | <Icon icon="square-check" iconType="solid"  color="#65DE23"/>  |
+| Groups     | <Icon icon="square-check" iconType="solid"  color="#65DE23"/>    |   |
+
+<Info>
+*Due to a limitation of the underlying API, the Cortex XDR **Account Admin** role cannot be granted or revoked by this connector.
+</Info>
+
+## Gather Cortex XDR credentials 
+
+Each setup method requires you to pass in credentials generated in Cortex XDR. Gather these credentials before you move on. 
+
+<Warning>
+A an **Instance Administrator** in Cortex XDR must perform this task.
+</Warning>
+
+### Generate an API key
+
+<Steps>
+<Step>
+In Cortex XDR, navigate to **Settings > Configurations > Integrations > API Keys**.
+</Step>
+<Step>
+Click **+ New Key**.
+</Step>
+<Step>
+Choose the type of API Key you want to generate based on your desired security level: Advanced or Standard. 
+</Step>
+<Step>
+**Optional.** If desired, set an expiration date and time for the API key and add a comment describing its use. 
+</Step>
+<Step>
+Give the key the **Instance Administrator** role. 
+</Step>
+<Step>
+Click **Generate**, then carefully copy and save the new API key. 
+</Step>
+</Steps>
+
+### Look up the API key ID
+
+<Steps>
+<Step>
+In the API keys table, locate the key you just created. 
+</Step>
+<Step>
+Find and copy the key's **ID**. 
+</Step>
+</Steps>
+
+**That's it!** Next, move on to the connector configuration instructions. 
+
+## Configure the Cortex XDR connector
+
+<Warning>
+To complete this task, you'll need:
+
+- The **Connector Administrator** or **Super Administrator** role in ConductorOne
+- Access to the set of Cortex XDR credentials generated by following the instructions above
+</Warning>
+
+<Tabs>
+<Tab title="Cloud-hosted">
+
+**Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.**
+
+<Steps>
+<Step>
+In ConductorOne, navigate to **Admin** > **Connectors** and click **Add connector**.
+</Step>
+<Step>
+Search for **Cortex XDR** and click **Add**. 
+</Step>
+<Step>
+Choose how to set up the new Cortex XDR connector: 
+
+   * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with ConductorOne)
+
+   * Add the connector to a managed app (select from the list of existing managed apps)
+
+   * Create a new managed app
+</Step>
+<Step>
+Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed. 
+
+   If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
+</Step>
+<Step>
+Click **Next**.
+</Step>
+<Step>
+Find the **Settings** area of the page and click **Edit**.
+</Step>
+<Step>
+Enter the Cortex XDR credentials into the relevant fields. 
+</Step>
+<Step>
+Click **Save**.
+</Step>
+<Step>
+The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
+</Step>
+</Steps>
+**That's it!** Your Cortex XDR connector is now pulling access data into ConductorOne.
+</Tab>
+
+<Tab title="Self-hosted">
+
+**Follow these instructions to use the [Cortex XDR](https://github.com/ConductorOne/baton-palo-alto-cortex) connector, hosted and run in your own environment.**
+
+When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.
+
+### Step 1: Configure the Cortex XDR connector
+
+<Steps>
+<Step>
+In ConductorOne, navigate to **Connectors** > **Add connector**.
+</Step>
+<Step>
+Search for **Baton** and click **Add**.
+</Step>
+<Step>
+Choose how to set up the new Cortex XDR connector: 
+
+   * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with ConductorOne)
+
+   * Add the connector to a managed app (select from the list of existing managed apps)
+
+   * Create a new managed app
+</Step>
+<Step>
+Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed. 
+
+   If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
+</Step>
+<Step>
+Click **Next**.
+</Step>
+<Step>
+In the **Settings** area of the page, click **Edit**.
+</Step>
+<Step>
+Click **Rotate** to generate a new Client ID and Secret. 
+
+   Carefully copy and save these credentials. We'll use them in Step 2. 
+</Step>
+</Steps>
+
+### Step 2: Create Kubernetes configuration files
+
+Create two Kubernetes manifest files for your Cortex XDR connector deployment:
+
+#### Secrets configuration
+
+```yaml expandable
+# baton-palo-alto-cortex-secrets.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: baton-palo-alto-cortex-secrets
+type: Opaque
+stringData:
+  # ConductorOne credentials
+  BATON_CLIENT_ID: <ConductorOne client ID>
+  BATON_CLIENT_SECRET: <ConductorOne client secret>
+
+  # Cortex XDR credentials
+  BATON_CORTEX_API_KEY: <Cortex XDR API key>
+  BATON_CORTEX_API_KEY_ID: <Cortex XDR API key ID>
+  BATON_CORTEX_BASE_URL: <Base URL for your Cortex XDR instance>
+
+  # Optional: Include if you want ConductorOne to provision access using this connector
+  BATON_PROVISIONING: true
+```
+
+<Info>
+See the connector's README or run `--help` to see all available configuration flags and environment variables.
+</Info>
+
+#### Deployment configuration
+
+```yaml expandable
+# baton-palo-alto-cortex.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baton-palo-alto-cortex
+  labels:
+    app: baton-palo-alto-cortex
+spec:
+  selector:
+    matchLabels:
+      app: baton-palo-alto-cortex
+  template:
+    metadata:
+      labels:
+        app: baton-palo-alto-cortex
+        baton: true
+        baton-app: palo-alto-cortex
+    spec:
+      containers:
+      - name: baton-palo-alto-cortex
+        image: ghcr.io/conductorone/baton-palo-alto-cortex:latest
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: BATON_HOST_ID
+          value: baton-palo-alto-cortex
+        envFrom:
+        - secretRef:
+            name: baton-palo-alto-cortex-secrets
+```
+
+### Step 3: Deploy the connector
+
+<Steps>
+<Step>
+Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files. 
+</Step>
+<Step>
+Check that the connector data uploaded correctly. In ConductorOne, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Cortex XDR connector to. Cortex XDR data should be found on the **Entitlements** and **Accounts** tabs.
+</Step>
+</Steps>
+
+**That's it!** Your Cortex XDR connector is now pulling access data into ConductorOne.
+</Tab>
+</Tabs>

baton/xsoar.mdx

@@ -1,9 +1,9 @@
 ---
-title: Set up a Cortex XSOAR connector
-og:title: Set up a Cortex XSOAR connector - ConductorOne docs
+title: Set up a Palo Alto Networks Cortex XSOAR connector
+og:title: Set up a Palo Alto Networks Cortex XSOAR connector - ConductorOne docs
 og:description: Integrate your XSOAR instance with ConductorOne to run user access reviews, enable just-in-time access requests, and easily provision and deprovision access.
 description: ConductorOne provides identity governance and just-in-time provisioning for Cortex XSOAR. Integrate your XSOAR instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.
-sidebarTitle: "XSOAR"
+sidebarTitle: "Palo Alto Networks Cortex XSOAR"
 ---
 
 ## Capabilities
@@ -46,6 +46,7 @@ Click **Save** to generate the new API key.
 Carefully copy and save the API key. 
 </Step>
 </Steps>
+
 ## Find your API URL
 
 <Steps>

docs.json

@@ -370,6 +370,8 @@
               "baton/oracle-idcs",
               "baton/outreach",
               "baton/pagerduty",
+              "baton/palo-alto-cortex",
+              "baton/xsoar",
               "baton/panda-doc",
               "baton/panther",
               "baton/paylocity",
@@ -427,7 +429,6 @@
               "baton/workday",
               "baton/workday-wql",
               "baton/xero",
-              "baton/xsoar",
               "baton/youtrack",
               "baton/zendesk-v2",
               "baton/ziphq",