@splunk_w_ro ,  Don't get me wrong, you can send them to a syslog receiver, you'll just need to write your own parsing from the pan::log SourceType which is owned by the PAN_TA which creates a really nasty problem of needing to do the changes everytime the PAN_TA is updated.  ... View more

No, Palo Alto does not support syslog logging for Cortex XDR. Only the API method is supported and it doesn't tell you much. There is zero CIM mapping for compliance.  Cortex XDR · GitBook (paloaltonetworks.com) Example Data:  {    alert_categories: [      Impact    ]    alert_count: 1    alerts_grouping_status: Disabled    assigned_user_mail: null    assigned_user_pretty_name: null    creation_time: 1653682350413    critical_severity_alert_count: 0    description: 'Sensitive account password reset attempt' generated by XDR Analytics BIOC detected on host <HOST> involving user <USER>    detection_time: null    high_severity_alert_count: 0    host_count: 1    hosts: [      <HOST>:<GUID>    ]    incident_id: XXXX    incident_name: null    incident_sources: [      XDR Analytics BIOC    ]    low_severity_alert_count: 1    manual_description: null    manual_score: null    manual_severity: null    med_severity_alert_count: 0    mitre_tactics_ids_and_names: [      TA0040 - Impact    ]    mitre_techniques_ids_and_names: [      T1531 - Account Access Removal    ]    modification_time: 1653683107818    notes: null    rule_based_score: null    severity: low    starred: false    status: new    user_count: 1    users: [      <USER>    ]    wildfire_hits: 0    xdr_url: https://<COMPNAY>.xdr.<REGION>.paloaltonetworks.com/incident-view?caseId=xxxxx } ... View more

Hey,    I had the same issues. I am using TRAPS4 for the sourcetype. And had to manually map the datasets. This worked well for us since we get reports on configuration changes and agent logs.  The New PAN Addon/App 7.0.X Supports the Cortex API. Please refence the following:  Cortex XDR · GitBook (paloaltonetworks.com) ... View more