@securepoint

API-to-HEC Approach

Using the Cortex XDR APIs with Splunk's HEC is a viable path. Here's how you could approach it:

API Access: You'll need an API key and key ID from Cortex XDR (check the "Getting Started with Cortex XDR APIs" guide). Ensure you have the right permissions.

Relevant Endpoints:
- /public_api/v1/endpoints/get_endpoints: Lists all endpoints with basic metadata (e.g., hostname, IP, OS).
- /public_api/v1/endpoints/get_endpoint: Detailed data for a specific endpoint (e.g., status, last seen).
- /public_api/v1/alerts/get_alerts_multi_events: Alert details, but you want more than this.
- /public_api/v1/incidents/get_incidents and /public_api/v1/incidents/get_incident_extra_data: Incident data with some context.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-Endpoint
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Endpoints
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API

Raw Data: There's no direct "get all endpoint telemetry" endpoint. You'd need to use XQL (XDR Query Language) via the /public_api/v1/xql/start_xql_query endpoint to query raw telemetry (e.g., process, network, file events).

Splunk HEC Setup
- Configure an HEC token in Splunk (Settings > Data Inputs > HTTP Event Collector).
- Ensure the endpoint is reachable (e.g., https://<splunk_host>:8088/services/collector).
- Data sent to HEC should be JSON-formatted, with fields like event, time, host, and sourcetype.

Scripting the Solution
You'll need a script (e.g., in Python) to:
- Authenticate with the Cortex XDR API.
- Query endpoint data and/or XQL for raw telemetry.
- Format the results as JSON.
- Send it to Splunk HEC.

Here's a basic example script to get you started:

```python
import requests
import json
import time

# Cortex XDR API credentials
api_key = "your_api_key"
api_key_id = "your_api_key_id"
fqdn = "your-tenant.xdr.us.paloaltonetworks.com"  # Replace with your tenant FQDN

headers = {
    "x-xdr-auth-id": api_key_id,
    "Authorization": api_key,
    "Content-Type": "application/json"
}

# Splunk HEC settings
hec_url = "https://your-splunk-host:8088/services/collector"
hec_token = "your_hec_token"
hec_headers = {"Authorization": f"Splunk {hec_token}"}


# Function to query Cortex XDR endpoints
def get_all_endpoints():
    url = f"https://api-{fqdn}/public_api/v1/endpoints/get_endpoints"
    response = requests.post(url, headers=headers, json={"request_data": {}})
    if response.status_code == 200:
        return response.json().get("reply", {}).get("endpoints", [])
    else:
        print(f"Error: {response.status_code} - {response.text}")
        return []


# Function to send data to Splunk HEC
def send_to_splunk(data):
    payload = {
        "event": data,
        "time": int(time.time()),
        "sourcetype": "cortex_xdr_endpoint",
        "host": "cortex_xdr"
    }
    response = requests.post(hec_url, headers=hec_headers, json=payload)
    if response.status_code == 200:
        print("Data sent to Splunk successfully")
    else:
        print(f"HEC Error: {response.status_code} - {response.text}")


# Main logic
endpoints = get_all_endpoints()
for endpoint in endpoints:
    send_to_splunk(endpoint)
    time.sleep(1)  # Throttle to avoid rate limits

# Example XQL query for raw telemetry (adjust as needed)
xql_query = {
    "request_data": {
        # XQL enum values are written as ENUM.<value>
        "query": "dataset = xdr_data | filter event_type = ENUM.PROCESS | limit 100",
        # The timeframe object takes relative_time in milliseconds (24 hours here)
        "timeframe": {"relative_time": 24 * 60 * 60 * 1000}
    }
}
xql_url = f"https://api-{fqdn}/public_api/v1/xql/start_xql_query"
xql_response = requests.post(xql_url, headers=headers, json=xql_query)
if xql_response.status_code == 200:
    # start_xql_query returns the query ID directly in the "reply" field
    query_id = xql_response.json().get("reply")
    # Fetch results with /get_xql_query_results (implement polling logic)
    # Send results to Splunk
```

https://pan.dev/splunk/docs/getting-data-in/
https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-splunk/td-p/476724
https://docs.paloaltonetworks.com/strata-logging-service/administration/forward-logs/forward-logs-to-an-https-server
https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-and-Palo-Alto-Cortex-Data-Lake-Data-for-global-protect/m-p/493384
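The two steps the script above leaves as comments, polling /get_xql_query_results until the query finishes and shipping the rows to HEC, are worked through below as an added example; it is not part of the original post or of any Palo Alto or Splunk code. The HTTP layer is passed in as a callable so the logic runs offline: `FakeXdr`, `demo()`, the function names and the `SAMPLE_ROWS` are constructed stand-ins, while the request fields (`query_id`, `pending_flag`, `limit`, `format`) and the reply fields (`status`, `results.data`) follow the Cortex XDR REST API reference for Get XQL Query Results. Batching several HEC events into one newline-delimited POST body replaces the one-request-per-event loop with its `sleep(1)`.

```python
"""Added example (not from the original post): XQL result polling plus HEC
batching, with the HTTP layer injected so the logic can be exercised offline.
FakeXdr, demo() and SAMPLE_ROWS are constructed stand-ins for the live API."""
import json
import time

XQL_RESULTS_PATH = "/public_api/v1/xql/get_xql_query_results"
HEC_SOURCETYPE = "cortex_xdr_xql"


def poll_xql_results(post, query_id, max_attempts=30, delay=2.0, sleep=time.sleep):
    """Poll get_xql_query_results until the query reports SUCCESS.

    `post(path, body)` is any callable returning the decoded JSON reply; in
    production wrap requests.post with the x-xdr-auth-id/Authorization headers.
    Returns the result rows; raises on FAIL or when max_attempts is exhausted.
    """
    body = {"request_data": {"query_id": query_id, "pending_flag": True,
                             "limit": 1000, "format": "json"}}
    for _ in range(max_attempts):
        reply = post(XQL_RESULTS_PATH, body).get("reply", {})
        status = reply.get("status")
        if status == "SUCCESS":
            return reply.get("results", {}).get("data", [])
        if status == "FAIL":
            raise RuntimeError(f"XQL query {query_id} failed: {reply}")
        sleep(delay)  # PENDING: back off and ask again
    raise TimeoutError(f"XQL query {query_id} still pending after {max_attempts} polls")


def to_hec_event(row, host="cortex_xdr", sourcetype=HEC_SOURCETYPE):
    """Wrap one XQL row as a HEC event, keeping the event's own timestamp
    (xdr_data _time is epoch milliseconds; HEC's time field is epoch seconds)."""
    event = {"event": row, "host": host, "sourcetype": sourcetype}
    ts = row.get("_time")
    if isinstance(ts, (int, float)):
        event["time"] = ts / 1000 if ts > 10**11 else ts
    return event


def build_hec_batches(rows, max_bytes=500_000, **kw):
    """Pack events into newline-delimited JSON request bodies.

    HEC accepts several JSON event objects in one POST body, so one request
    per batch replaces one request per event. Keep max_bytes below the
    collector's configured max_content_length."""
    batches, current, size = [], [], 0
    for row in rows:
        line = json.dumps(to_hec_event(row, **kw), separators=(",", ":"))
        if current and size + len(line) + 1 > max_bytes:
            batches.append("\n".join(current))
            current, size = [], 0
        current.append(line)
        size += len(line) + 1
    if current:
        batches.append("\n".join(current))
    return batches


# --- offline stand-in for the live API (constructed rows, not real data) ---
SAMPLE_ROWS = [
    {"_time": 1700000000000, "agent_hostname": "wks-01", "action_process_image_name": "cmd.exe"},
    {"_time": 1700000060000, "agent_hostname": "wks-02", "action_process_image_name": "notepad.exe"},
    {"_time": 1700000120000, "agent_hostname": "srv-01", "action_process_image_name": "svchost.exe"},
]


class FakeXdr:
    """Answers PENDING a fixed number of times, then SUCCESS (or FAIL) with the rows."""

    def __init__(self, pending_polls, rows, fail=False):
        self.calls, self.pending_polls, self.rows, self.fail = 0, pending_polls, rows, fail

    def post(self, path, body):
        self.calls += 1
        assert path == XQL_RESULTS_PATH and body["request_data"]["pending_flag"] is True
        if self.calls <= self.pending_polls:
            return {"reply": {"status": "PENDING"}}
        if self.fail:
            return {"reply": {"status": "FAIL"}}
        return {"reply": {"status": "SUCCESS", "number_of_results": len(self.rows),
                          "results": {"data": self.rows}}}


def demo(pending_polls=2, max_bytes=200):
    """Run poll + batch against the fake; returns (polls made, rows, HEC bodies)."""
    api = FakeXdr(pending_polls, SAMPLE_ROWS)
    rows = poll_xql_results(api.post, "query-id-placeholder", sleep=lambda s: None)
    return api.calls, rows, build_hec_batches(rows, max_bytes=max_bytes)


if __name__ == "__main__":
    calls, rows, batches = demo()
    print(f"{calls} polls, {len(rows)} rows, {len(batches)} HEC bodies")
    print(batches[0])
```

To run it against a tenant, replace `api.post` with a wrapper around `requests.post(f"https://api-{fqdn}{path}", headers=headers, json=body).json()` and send each body from `build_hec_batches` with `requests.post(hec_url, headers=hec_headers, data=body)`; keeping the event's own `_time` rather than `time.time()` is what makes Splunk place the event when it happened rather than when it was forwarded.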