topic How to configure Cortex XDR Alerts into Splunk? in Getting Data In

How to configure Cortex XDR Alerts into Splunk?

bharathkumarnec — Tue, 31 May 2022 18:07:51 GMT

Hello Everyone,

We are receiving PaloAlto Cortex XDR logs to splunk via syslog in CEF format as given in the below link:

https://docs.logrhythm.com/docs/devices/syslog-log-sources/syslog-palo-alto-cortex-xdr/cortex-alert-messages

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/cortex-xdr-log-notification-formats/management-audit-log-notification-format.html

With the PaloAlto Networks Add-on we were unable to find the proper sourcetype for extracting the fields.

https://splunkbase.splunk.com/app/2757/#/overview

Also the git project for this addon doesnot have any reference of this data:

https://github.com/PaloAltoNetworks/Splunk-Apps/tree/develop/demo/samples

Does anyone managed to address this? If so, how? we need to write our own sourcetype configurations for this kind of data?

Thanks a lot for the help in advance!

Regards,

Re: Cortex XDR Alerts into Splunk

Nomadic_Splunk — Fri, 06 Aug 2021 03:12:24 GMT

Hey,

I had the same issues. I am using TRAPS4 for the sourcetype. And had to manually map the datasets. This worked well for us since we get reports on configuration changes and agent logs.

The New PAN Addon/App 7.0.X Supports the Cortex API. Please refence the following:

Cortex XDR · GitBook (paloaltonetworks.com)

Re: Cortex XDR Alerts into Splunk

splunk_w_ro — Fri, 27 May 2022 20:46:27 GMT

Hi @bharathkumarnec,

I have the need to ingest Cortex XDR logs into Splunk - are you using Splunk Connect for Syslog to ingest this data?

Thanks!

Re: Cortex XDR Alerts into Splunk

Nomadic_Splunk — Fri, 27 May 2022 20:59:00 GMT

No, Palo Alto does not support syslog logging for Cortex XDR. Only the API method is supported and it doesn't tell you much. There is zero CIM mapping for compliance.

Cortex XDR · GitBook (paloaltonetworks.com)

Example Data:

{
   alert_categories: [
     Impact
   ]
   alert_count: 1
   alerts_grouping_status: Disabled
   assigned_user_mail: null
   assigned_user_pretty_name: null
   creation_time: 1653682350413
   critical_severity_alert_count: 0
   description: 'Sensitive account password reset attempt' generated by XDR Analytics BIOC detected on host <HOST> involving user <USER>
   detection_time: null
   high_severity_alert_count: 0
   host_count: 1
   hosts: [
     <HOST>:<GUID>
   ]
   incident_id: XXXX
   incident_name: null
   incident_sources: [
     XDR Analytics BIOC
   ]
   low_severity_alert_count: 1
   manual_description: null
   manual_score: null
   manual_severity: null
   med_severity_alert_count: 0
   mitre_tactics_ids_and_names: [
     TA0040 - Impact
   ]
   mitre_techniques_ids_and_names: [
     T1531 - Account Access Removal
   ]
   modification_time: 1653683107818
   notes: null
   rule_based_score: null
   severity: low
   starred: false
   status: new
   user_count: 1
   users: [
     <USER>
   ]
   wildfire_hits: 0
   xdr_url: https://<COMPNAY>.xdr.<REGION>.paloaltonetworks.com/incident-view?caseId=xxxxx
}

Re: Cortex XDR Alerts into Splunk

splunk_w_ro — Tue, 31 May 2022 14:15:27 GMT

Thanks for getting back to me - per the PAN documentation (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs), it looks like alerts can be sent to a syslog receiver. It's disappointing that you can't get those using an input within the PAN TA.

Thanks!

Re: Cortex XDR Alerts into Splunk

Nomadic_Splunk — Tue, 31 May 2022 18:02:22 GMT

@splunk_w_ro ,

Don't get me wrong, you can send them to a syslog receiver, you'll just need to write your own parsing from the pan::log SourceType which is owned by the PAN_TA which creates a really nasty problem of needing to do the changes everytime the PAN_TA is updated.