Cortex XDR
Cortex XDR is supported starting with App/Add-on 7.0.0.
Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported). Incidents are retrieved and indexed and each incident includes a URL in the Cortex API interface to get more information about the alerts for each incident. The Cortex XDR Dashboard in the App cross-launches to the incidents in the Cortex XDR GUI. Logs are pulled down in JSON format as sourcetype="pan:xdr_incident".
Create API Key in Cortex XDR
Use the instruction in the Cortex XDR Getting Started Guide to gain API access:
Use these values to generate the API key:
| Security Level | Role |
|---|---|
| Advanced | Viewer |
This action will provide you a Key and Key ID. The Key be shown only once, so make sure to record it or you'll need to re-create the Key.
Create Cortex XDR Input and add Key to Splunk
In Splunk, navigate to the Palo Alto Networks Add-on.
Within the Add-on, click the Input tab at the top left. Then click Create New Input and select Cortex XDR.
In the dialog window, enter the following:
| Field | Value |
|---|---|
| Name | Any friendly name (eg. "cortex_xdr") |
| Interval | Frequency in seconds to check for new logs (60 seconds recommended) |
| Index | The index in which to put the Cortex XDR incidents |
| Tenant Name | Found in the hostname when accessing Cortex XDR. (eg. https://<tenant-name>.xdr. <tenant-region>.paloaltonetworks.com) |
| API Key ID | Enter Key ID |
| API Key | Enter Key |
Then click Add to save the modular input.
Verify
After waiting the interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:
sourcetype="pan:xdr_incident"
You should see some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in Cortex XDR to generate logs, and try the Troubleshooting Guide.