
How to configure Cortex XDR Alerts into Splunk?

bharathkumarnec
Contributor

Hello Everyone,

We are receiving Palo Alto Cortex XDR logs in Splunk via syslog in CEF format, as described in the links below:

https://docs.logrhythm.com/docs/devices/syslog-log-sources/syslog-palo-alto-cortex-xdr/cortex-alert-...

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/cortex-xdr-log-notific...

With the Palo Alto Networks Add-on, we were unable to find the proper sourcetype for extracting the fields.

https://splunkbase.splunk.com/app/2757/#/overview

Also, the Git project for this add-on does not have any reference to this data:

https://github.com/PaloAltoNetworks/Splunk-Apps/tree/develop/demo/samples

Has anyone managed to address this? If so, how? Do we need to write our own sourcetype configurations for this kind of data?

Thanks a lot for the help in advance!

Regards,

BK

0 Karma
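The question comes down to what a sourcetype for these events would have to do, so here is the parsing logic spelled out in Python as an added example; it is not code from the original post, the Palo Alto Networks add-on or the PAN documentation. The sample syslog line is constructed: the vendor/product header values, the signature name and the extension keys (shost, suser, externalId, cat, act, msg, cs1/cs2 with their labels) are assumptions modelled on the CEF standard, not the keys Cortex XDR actually emits, which the PAN log-notification format documentation linked above lists. The severity bands and reading end as epoch milliseconds are likewise assumptions. The parser handles the two CEF details a naive split gets wrong: escaped pipes in the header, and raw pipes or escaped equals signs inside extension values.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from the post or the PAN docs): an RFC 5424 syslog
# frame carrying a CEF record. Header values, signature name and extension
# keys are assumptions modelled on the CEF standard, not Cortex XDR's own.
SAMPLE_SYSLOG = (
    "<14>1 2022-05-27T20:12:30Z collector cortex-xdr - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR|3.0|XDR Analytics BIOC|"
    "Sensitive account password reset attempt|4|"
    "end=1653682350413 shost=WS01 suser=CORP\\\\jdoe externalId=123456 "
    "cat=Impact act=Detected (Reported) msg=Note with an escaped \\= and a raw | pipe "
    "cs1Label=tactic cs1=TA0040 - Impact cs2Label=technique cs2=T1531 - Account Access Removal"
)

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an extension key=value pair
_ESC = re.compile(r"\\(.)")                       # CEF backslash escape

def split_cef(record):
    """Split the text after 'CEF:' into 7 header fields plus the raw extension.
    Only the header escapes '|' (as '\\|'); the extension may contain raw pipes,
    so splitting the whole line on '|' is wrong."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        c = record[i]
        if c == "\\" and record[i + 1:i + 2] in ("|", "\\"):
            buf.append(record[i + 1])
            i += 1  # consume the escape; the escaped char is skipped below
        elif c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, record[i:]

def parse_extension(ext):
    """Parse 'k=v k2=value with spaces' into a dict. A value runs to the next
    unescaped 'key=' token; '\\=', '\\\\', '\\n' and '\\r' are unescaped."""
    out, keys = {}, list(_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = _ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw).rstrip()
    return out

def resolve_labels(ext):
    """Rename custom fields (cs1, cn2, ...) to the names their csNLabel keys give."""
    out = dict(ext)
    for key, label in ext.items():
        base = key[:-5] if key.endswith("Label") else None
        if base in ext:
            out[label] = ext[base]
            out.pop(key, None)
            out.pop(base, None)
    return out

def cef_severity(sev):
    """CEF 0-10 to a CIM severity name with the CEF guide's bands (0-3 low, 4-6
    medium, 7-8 high, 9-10 critical); that Cortex XDR uses them is an assumption."""
    n = int(sev)
    return "low" if n <= 3 else "medium" if n <= 6 else "high" if n <= 8 else "critical"

def epoch_ms_to_iso(ms):
    """Epoch milliseconds to ISO 8601 UTC without float rounding."""
    ms = int(ms)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000).isoformat()

def split_mitre(value):
    """'TA0040 - Impact' -> ('TA0040', 'Impact'); missing -> (None, None)."""
    mid, _, name = (value or "").partition(" - ")
    return (mid.strip() or None), (name.strip() or None)

def cortex_cef_to_cim(line):
    """One syslog/CEF line to a flat dict. vendor_product, signature, severity,
    src, user, id and body are CIM Alerts names; the mitre_* keys are extras."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    header, raw_ext = split_cef(line[idx + len("CEF:"):])
    _ver, vendor, product, _pver, _sig_id, name, severity = header
    ext = resolve_labels(parse_extension(raw_ext))
    end = ext.get("end")  # assumed to be epoch milliseconds, as in the XDR API
    return {
        "_time": epoch_ms_to_iso(end) if end and end.isdigit() else None,
        "vendor_product": f"{vendor} {product}",
        "signature": name,
        "severity": cef_severity(severity),
        "src": ext.get("shost"),
        "user": ext.get("suser"),
        "id": ext.get("externalId"),
        "body": ext.get("msg"),
        "mitre_tactic_id": split_mitre(ext.get("tactic"))[0],
        "mitre_technique_id": split_mitre(ext.get("technique"))[0],
        "mitre_technique": split_mitre(ext.get("technique"))[1],
    }
```

Whatever props.conf/transforms.conf you end up writing for this data has to reproduce the same two rules: the header is only the first seven unescaped pipe-delimited fields, and an extension value ends at the next unescaped key= token, not at the next space or equals sign. The field names used here are the CIM Alerts data model's; the mitre_* fields are extras for correlation rather than CIM.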

splunk_w_ro
Explorer

Hi @bharathkumarnec,

I have the need to ingest Cortex XDR logs into Splunk - are you using Splunk Connect for Syslog to ingest this data?

Thanks!

0 Karma

Nomadic_Splunk
New Member

No, Palo Alto does not support syslog logging for Cortex XDR. Only the API method is supported and it doesn't tell you much. There is zero CIM mapping for compliance. 

Cortex XDR · GitBook (paloaltonetworks.com)

Example data:

{
  "alert_categories": ["Impact"],
  "alert_count": 1,
  "alerts_grouping_status": "Disabled",
  "assigned_user_mail": null,
  "assigned_user_pretty_name": null,
  "creation_time": 1653682350413,
  "critical_severity_alert_count": 0,
  "description": "'Sensitive account password reset attempt' generated by XDR Analytics BIOC detected on host <HOST> involving user <USER>",
  "detection_time": null,
  "high_severity_alert_count": 0,
  "host_count": 1,
  "hosts": ["<HOST>:<GUID>"],
  "incident_id": "XXXX",
  "incident_name": null,
  "incident_sources": ["XDR Analytics BIOC"],
  "low_severity_alert_count": 1,
  "manual_description": null,
  "manual_score": null,
  "manual_severity": null,
  "med_severity_alert_count": 0,
  "mitre_tactics_ids_and_names": ["TA0040 - Impact"],
  "mitre_techniques_ids_and_names": ["T1531 - Account Access Removal"],
  "modification_time": 1653683107818,
  "notes": null,
  "rule_based_score": null,
  "severity": "low",
  "starred": false,
  "status": "new",
  "user_count": 1,
  "users": ["<USER>"],
  "wildfire_hits": 0,
  "xdr_url": "https://<COMPANY>.xdr.<REGION>.paloaltonetworks.com/incident-view?caseId=xxxxx"
}

0 Karma
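The incident record above shows what an API poller has to deal with before the fields line up with CIM: MITRE tactics and techniques fused into "ID - Name" strings, hosts as HOST:GUID, times as epoch milliseconds, and many nulls. The following is an added example, not Palo Alto Networks' or the add-on's code, that normalizes a constructed incident shaped like the redacted one above (same keys, made-up values) and picks out incidents that changed since the last poll. The CIM Alerts names (id, signature, severity, src, user, description) are real; src_guid, url and the mitre_* names are this example's own, the rule name is taken from the quoted prefix of description exactly as it appears in the post, and treating manual_severity as an analyst override of the calculated severity is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed incident with the same keys as the redacted one above; the
# values are made up and this is not a real API response.
SAMPLE_INCIDENT = {
    "incident_id": "4711",
    "incident_name": None,
    "description": "'Sensitive account password reset attempt' generated by "
                   "XDR Analytics BIOC detected on host WS01 involving user jdoe",
    "status": "new",
    "severity": "low",
    "manual_severity": None,
    "creation_time": 1653682350413,
    "modification_time": 1653683107818,
    "detection_time": None,
    "alert_count": 1,
    "hosts": ["WS01:0123456789abcdef"],
    "users": ["jdoe"],
    "incident_sources": ["XDR Analytics BIOC"],
    "mitre_tactics_ids_and_names": ["TA0040 - Impact"],
    "mitre_techniques_ids_and_names": ["T1531 - Account Access Removal"],
    "xdr_url": "https://example.xdr.us.paloaltonetworks.com/incident-view?caseId=4711",
}

_RULE_NAME = re.compile(r"^'([^']+)'")  # rule name quoted at the start of description

def epoch_ms_to_iso(ms):
    """Epoch milliseconds (creation/modification/detection_time) to ISO 8601 UTC."""
    ms = int(ms)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000).isoformat()

def split_mitre(value):
    """'TA0040 - Impact' -> ('TA0040', 'Impact')."""
    mid, _, name = value.partition(" - ")
    return mid.strip(), (name.strip() or None)

def normalize_incident(inc):
    """Flatten one incident into a CIM Alerts style event. Lists stay lists,
    which Splunk ingests as multivalue fields. manual_severity is treated as
    an analyst override of the calculated severity (assumption)."""
    rule = _RULE_NAME.match(inc.get("description") or "")
    tactics = [split_mitre(t) for t in inc.get("mitre_tactics_ids_and_names") or []]
    techs = [split_mitre(t) for t in inc.get("mitre_techniques_ids_and_names") or []]
    hosts = [h.partition(":") for h in inc.get("hosts") or []]  # "HOST:GUID"
    when = inc.get("detection_time") or inc.get("creation_time")
    modified = inc.get("modification_time")
    return {
        "_time": epoch_ms_to_iso(when) if when is not None else None,
        "modification_time": epoch_ms_to_iso(modified) if modified else None,
        "vendor_product": "Palo Alto Networks Cortex XDR",
        "id": str(inc.get("incident_id")),
        "signature": rule.group(1) if rule else None,
        "description": inc.get("description"),
        "severity": inc.get("manual_severity") or inc.get("severity"),
        "status": inc.get("status"),
        "src": [h[0] for h in hosts],
        "src_guid": [h[2] or None for h in hosts],
        "user": list(inc.get("users") or []),
        "alert_count": inc.get("alert_count"),
        "mitre_tactic_id": [t[0] for t in tactics],
        "mitre_technique_id": [t[0] for t in techs],
        "mitre_technique": [t[1] for t in techs],
        "url": inc.get("xdr_url"),
    }

def select_changed(incidents, last_seen_ms):
    """Pick incidents modified after the stored watermark and return them with
    the new watermark. Re-emitting a modified incident under the same id is
    deliberate: status and severity changes must reach Splunk, and searches
    can keep the latest copy per id by modification_time."""
    changed = [i for i in incidents if (i.get("modification_time") or 0) > last_seen_ms]
    new_mark = max([last_seen_ms] + [i["modification_time"] for i in changed])
    return changed, new_mark
```

Polling on modification_time rather than creation_time is what keeps a closed or re-scored incident from sitting in Splunk as "new" forever; the cost is duplicate events per incident id, which a dedup on id sorted by modification_time handles at search time.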

splunk_w_ro
Explorer

Thanks for getting back to me - per the PAN documentation (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs), it looks like alerts can be sent to a syslog receiver. It's disappointing that you can't get those using an input within the PAN TA.

Thanks!

0 Karma

Nomadic_Splunk
New Member

@splunk_w_ro , 

Don't get me wrong, you can send them to a syslog receiver; you'll just need to write your own parsing from the pan::log sourcetype, which is owned by the PAN_TA, which creates a really nasty problem of needing to do the changes every time the PAN_TA is updated.

0 Karma

Nomadic_Splunk
New Member

Hey, 

I had the same issues. I am using TRAPS4 for the sourcetype and had to manually map the datasets. This worked well for us since we get reports on configuration changes and agent logs.

The new PAN Add-on/App 7.0.x supports the Cortex API. Please reference the following:

Cortex XDR · GitBook (paloaltonetworks.com)

0 Karma