Getting Data In

Detailed logs from Cortex XDR

securepoint
Engager

I'm trying to extract endpoint data from Cortex XDR, but I don't want to see just alerts in Splunk—I need all the endpoint data collected by XDR to be replicated in Splunk. Neither Palo Alto nor Splunk support has been able to assist with this. I can't be the first person to ask about it, since this is a fundamental requirement—unless it's simply not possible and everyone else already knows that except me. There should be one way: calling the APIs and pushing the data through HEC in Splunk. I'd need to write a script for it. Has anyone tried this approach, or any other?

0 Karma

kiran_panchavat
Influencer

@securepoint 

API-to-HEC Approach

Using the Cortex XDR APIs with Splunk’s HEC is a viable path. Here’s how you could approach it:

API Access:

You’ll need an API key and key ID from Cortex XDR (check the "Getting Started with Cortex XDR APIs" guide). Ensure you have the right permissions.

Relevant Endpoints:
  • /public_api/v1/endpoints/get_endpoints: Lists all endpoints with basic metadata (e.g., hostname, IP, OS).
  • /public_api/v1/endpoints/get_endpoint: Detailed data for a specific endpoint (e.g., status, last seen).
  • /public_api/v1/alerts/get_alerts_multi_events: Alert details, but you want more than this.
  • /public_api/v1/incidents/get_incidents and /public_api/v1/incidents/get_incident_extra_data: Incident data with some context.

Raw Data: There’s no direct "get all endpoint telemetry" endpoint. You’d need to use XQL (XDR Query Language) via the /public_api/v1/xql/start_xql_query endpoint to query raw telemetry (e.g., process, network, file events).

Splunk HEC Setup
  • Configure an HEC token in Splunk (Settings > Data Inputs > HTTP Event Collector).
  • Ensure the endpoint is reachable (e.g., https://<splunk_host>:8088/services/collector).
  • Data sent to HEC should be JSON-formatted, with fields like event, time, host, and sourcetype.

Scripting the Solution

You’ll need a script (e.g., in Python) to:
  • Authenticate with the Cortex XDR API.
  • Query endpoint data and/or XQL for raw telemetry.
  • Format the results as JSON.
  • Send it to Splunk HEC.

Here’s a basic example script to get you started:

import requests
import json
import time

# Cortex XDR API credentials (standard API key: the key goes in Authorization,
# the key ID in x-xdr-auth-id). Keep real values out of source control.
api_key = "your_api_key"
api_key_id = "your_api_key_id"
fqdn = "your-tenant.xdr.us.paloaltonetworks.com"  # Replace with your tenant FQDN
headers = {
    "x-xdr-auth-id": api_key_id,
    "Authorization": api_key,
    "Content-Type": "application/json"
}

# Splunk HEC settings
hec_url = "https://your-splunk-host:8088/services/collector"
hec_token = "your_hec_token"
hec_headers = {"Authorization": f"Splunk {hec_token}"}

# Function to query Cortex XDR endpoints
def get_all_endpoints():
    url = f"https://api-{fqdn}/public_api/v1/endpoints/get_endpoints"
    # Always set a timeout; requests otherwise waits forever on a stalled connection
    response = requests.post(url, headers=headers, json={"request_data": {}}, timeout=60)
    if response.status_code == 200:
        return response.json().get("reply", {}).get("endpoints", [])
    else:
        print(f"Error: {response.status_code} - {response.text}")
        return []

# Function to send data to Splunk HEC
def send_to_splunk(data):
    payload = {
        "event": data,
        "time": int(time.time()),  # ingestion time; XDR's own timestamps are inside "event"
        "sourcetype": "cortex_xdr_endpoint",
        "host": "cortex_xdr"
    }
    response = requests.post(hec_url, headers=hec_headers, json=payload, timeout=30)
    if response.status_code == 200:
        print("Data sent to Splunk successfully")
    else:
        print(f"HEC Error: {response.status_code} - {response.text}")

# Main logic
endpoints = get_all_endpoints()
for endpoint in endpoints:
    send_to_splunk(endpoint)
    time.sleep(1)  # Throttle to avoid rate limits

# Example XQL query for raw telemetry (adjust as needed).
# XQL enum values carry the ENUM. prefix, so the filter is event_type = ENUM.PROCESS.
xql_query = {
    "request_data": {
        "query": "dataset = xdr_data | filter event_type = ENUM.PROCESS | limit 100",
        "timeframe": {"relative": {"unit": "hour", "value": -24}}
    }
}
xql_url = f"https://api-{fqdn}/public_api/v1/xql/start_xql_query"
xql_response = requests.post(xql_url, headers=headers, json=xql_query, timeout=60)
if xql_response.status_code == 200:
    query_id = xql_response.json().get("reply", {}).get("query_id")
    print(f"XQL query started, query_id={query_id}")
    # Fetch results with /get_xql_query_results (implement polling logic)
    # Send results to Splunk
else:
    print(f"XQL Error: {xql_response.status_code} - {xql_response.text}")

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
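
As an added example, not code from the thread's author, here is a stdlib-only rework of the HEC half of the script above: event time is taken from XDR's last_seen instead of the moment the script ran, a whole page of endpoints goes to HEC as one newline-delimited batch rather than one POST plus a sleep per endpoint, the token and URL come from the environment, and 429/503 responses are retried with backoff. The sample records are constructed and their field names (endpoint_name, last_seen, etc.) are assumed from typical get_endpoints output.

```python
import json
import os
import time
import urllib.error
import urllib.request

# Constructed sample records in the shape get_endpoints returns under reply.endpoints.
# Field names are assumed from typical Cortex XDR output; check your tenant's actual reply.
SAMPLE_ENDPOINTS = [
    {"endpoint_id": "e1", "endpoint_name": "ws-001", "ip": ["10.0.0.5"],
     "os_type": "AGENT_OS_WINDOWS", "endpoint_status": "CONNECTED", "last_seen": 1700000000000},
    {"endpoint_id": "e2", "endpoint_name": "srv-db", "ip": ["10.0.1.9"],
     "os_type": "AGENT_OS_LINUX", "endpoint_status": "DISCONNECTED", "last_seen": 1700003600000},
]

def hec_event(endpoint, sourcetype="cortex_xdr:endpoint"):
    """One HEC envelope. Event time is XDR's last_seen (epoch ms) rather than the
    moment the script ran, and Splunk's host field is the endpoint's own name."""
    last_seen_ms = endpoint.get("last_seen")
    ts = last_seen_ms / 1000.0 if last_seen_ms else time.time()
    return {
        "time": round(ts, 3),
        "host": endpoint.get("endpoint_name", "unknown"),
        "sourcetype": sourcetype,
        "event": endpoint,
    }

def build_hec_batch(endpoints, sourcetype="cortex_xdr:endpoint"):
    """HEC accepts several JSON objects concatenated in one body, so a whole page of
    endpoints becomes one POST instead of one POST plus a sleep per endpoint."""
    return "\n".join(json.dumps(hec_event(e, sourcetype)) for e in endpoints)

def post_to_hec(body, hec_url, hec_token, retries=3):
    """POST one batch, backing off on 429/503 instead of dropping it. Returns HTTP status."""
    req = urllib.request.Request(
        hec_url, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"})
    for attempt in range(retries):
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verification stays on
                return resp.status
        except urllib.error.HTTPError as err:
            if err.code not in (429, 503) or attempt == retries - 1:
                raise
            time.sleep(2 ** attempt)

if __name__ == "__main__":  # token and URL from the environment, never in the script body
    print("HEC status", post_to_hec(build_hec_batch(SAMPLE_ENDPOINTS),
                                    os.environ["SPLUNK_HEC_URL"], os.environ["SPLUNK_HEC_TOKEN"]))
```

To replace the per-endpoint loop in the script above, feed the list returned by get_all_endpoints() to build_hec_batch() and post the result once per page.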

livehybrid
Champion

Hi @securepoint 

Unfortunately I can't get any of the Cortex docs to load for me at the moment; however, at a previous customer we used Splunk SC4S to receive a syslog feed from Cortex and then sent this to Splunk over HEC. This was the raw data rather than alerts etc.

Are you able to configure any outputs such as syslog from your Cortex XDR configuration?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

securepoint
Engager

Thanks for hitting me back. Syslog has been tried, but raw data has always been unsuccessful. As you suggested, I will try SC4S.
