All Apps and Add-ons

Cortex XDR Add-On installation

rivars
Engager

Hello all,
I'm trying to install Palo Alto Add-On to integrate Cortex XDR on Splunk. I followed the steps in https://splunk.paloaltonetworks.com/cortex-xdr.html
configured Tenant Name, API Key ID and API Key but when tries to retrieve events this error it's logged:

File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api-https', port=443): Max retries exceeded with url: //masked_tenant_name.xdr.masked_tenant_region.paloaltonetworks.com/.xdr.masked_tenant_region.paloaltonetworks.com/public_api/v1/incidents/get_incidents/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f1afcb645d0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

As you can see, after the message "Max retries exceeded with url:" the URL doesn't contain "https:", well this cannot be the problem.
The configuration it's this:
Name = DEV_XDR
Interval = 60
Index = default
Status = false
Tenant Namehttps://masked_tenant_name.xdr.masked_tenant_region.paloaltonetworks.com/
Tenant Region = masked_tenant_region
API Key ID********
API Key********

I tried "curl" from server with add-on to the tenant URL, and the URL can be reached

Before openning a case in Palo Alto, did anyone had this problem or similar before?

Labels (1)
0 Karma
1 Solution

rivars
Engager

Hello, 
I was able to solve this problem. In the "tenant name" filed when configuring, I added the full URL, not only the tenant name. That's the reason of duplicate URL in log.
I configured just tenant name and now it's working fine.
Thank you

View solution in original post

Rakzskull
Path Finder

@rivars  You are a lifesaver! 🙂 

0 Karma

rivars
Engager

Hello, 
I was able to solve this problem. In the "tenant name" filed when configuring, I added the full URL, not only the tenant name. That's the reason of duplicate URL in log.
I configured just tenant name and now it's working fine.
Thank you

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...