Cortex XDR

Cortex XDR is supported starting with App/Add-on 7.0.0.

Cortex XDR incidents are cloud-hosted, so Splunk retrieves them through the Cortex XDR API (syslog is not supported). Incidents are retrieved and indexed, and each incident includes a URL into the Cortex XDR interface for more information about the alerts in that incident. The Cortex XDR Dashboard in the App cross-launches to the incident in the Cortex XDR GUI. Logs are pulled down in JSON format as sourcetype="pan:xdr_incident".

Create API Key in Cortex XDR

Use the instructions in the Cortex XDR Getting Started Guide to gain API access.

Use these values to generate the API key:

Security Level   Role
Advanced         Viewer

This action will provide you with a Key and a Key ID. The Key is shown only once, so make sure to record it or you will need to re-create the Key.

Create Cortex XDR Input and add Key to Splunk

In Splunk, navigate to the Palo Alto Networks Add-on.

Figure: screenshot

Within the Add-on, click the Input tab at the top left. Then click Create New Input and select Cortex XDR.

Figure: screenshot

In the dialog window, enter the following:

Field         Value
Name          Any friendly name (e.g. "cortex_xdr")
Interval      Frequency in seconds to check for new logs (60 seconds recommended)
Index         The index in which to put the Cortex XDR incidents
Tenant Name   Found in the hostname when accessing Cortex XDR (e.g. https://<tenant-name>.xdr.<tenant-region>)
API Key ID    Enter the Key ID
API Key       Enter the Key

Then click Add to save the modular input.


After waiting for the interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:


You should see some JSON-formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in Cortex XDR to generate incidents, and try the Troubleshooting Guide.
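To check an Advanced-level Key and Key ID before adding them to the input, or to see what an incident poll like the Add-on's looks like, here is an added example (not the Add-on's own code). It assumes the Cortex XDR public API conventions as published in the Cortex XDR API documentation: the request is signed with a per-request nonce and millisecond timestamp, the Key ID goes in x-xdr-auth-id, and incidents come from the get_incidents endpoint on the api- prefixed tenant host; the sample reply is constructed, not captured from a real tenant.

```python
import hashlib
import json
import secrets
import time
import urllib.request

def build_auth_headers(api_key, api_key_id, nonce=None, timestamp_ms=None):
    """Advanced security level: Authorization = sha256(key + nonce + timestamp)."""
    if nonce is None:
        nonce = secrets.token_hex(32)        # fresh per request; never reuse
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {"x-xdr-timestamp": str(timestamp_ms), "x-xdr-nonce": nonce,
            "x-xdr-auth-id": str(api_key_id), "Authorization": digest,
            "Content-Type": "application/json"}

def build_incident_query(since_ms, page_size=100):
    """Ask only for incidents modified at or after the last checkpoint (the Interval poll)."""
    return {"request_data": {
        "filters": [{"field": "modification_time", "operator": "gte", "value": since_ms}],
        "search_from": 0, "search_to": page_size,
        "sort": {"field": "modification_time", "keyword": "asc"}}}

def parse_incidents(reply_json, since_ms):
    """Return (incidents, next_checkpoint). The checkpoint moves one ms past the newest
    modification_time seen so the next poll does not re-index the same incidents."""
    incidents = reply_json.get("reply", {}).get("incidents", [])
    newest = max((i.get("modification_time", 0) for i in incidents), default=since_ms - 1)
    return incidents, max(since_ms, newest + 1)

def fetch_incidents(tenant_fqdn, api_key, api_key_id, since_ms):
    """tenant_fqdn is the <tenant-name>.xdr.<tenant-region>... host from the input dialog;
    the API is served from the api- prefixed host (assumed from the Cortex XDR docs)."""
    url = f"https://api-{tenant_fqdn}/public_api/v1/incidents/get_incidents/"
    body = json.dumps(build_incident_query(since_ms)).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers=build_auth_headers(api_key, api_key_id))
    with urllib.request.urlopen(req, timeout=30) as resp:   # HTTPS only; key never logged
        return parse_incidents(json.load(resp), since_ms)

# Constructed sample reply (not from a real tenant) to exercise the checkpoint logic offline.
SAMPLE_REPLY = {"reply": {"total_count": 2, "result_count": 2, "incidents": [
    {"incident_id": "1", "modification_time": 1700000000000, "severity": "medium"},
    {"incident_id": "2", "modification_time": 1700000060000, "severity": "high"}]}}
```

Each returned incident is the same JSON object Splunk indexes as sourcetype="pan:xdr_incident", so a single successful call confirms the Key, Key ID and Tenant Name before you save the input.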
