Skip to main content

Palo Alto Cortex XDR Source

thumbnail icon

The Palo Alto Cortex XDR Source provides a secure endpoint to receive alerts from the Get Alerts Incident Management API. It securely stores the required authentication, scheduling, and state tracking information.

By using the Cortex XDR Source Integration, you can easily access and analyze data from multiple sources, enabling you to quickly identify and respond to potential threats. This Source offers you with a centralized view of security events, allowing you to correlate data from various sources and gain deeper insights into security incidents.

The Cortex XDR Source Integration is a valuable Source for security teams that want to enhance their threat detection capabilities and streamline their incident response process. It helps you to effectively monitor your security posture, identify threats in real-time, and respond quickly to potential attacks.

note

This source is available in the Fed deployment.

Data collected

Polling IntervalData
10 minAlert data
10 minIncident data

Setup

Vendor configuration

In this configuration, you will set up a Cortex XDR source account and configure it to be authorized and authenticated to use device logs and alerts from the Cortex XDR API. The Palo Alto Cortex XDR Source requires you to provide an API KeyAPI Key ID, and an FQDN (excluding protocol and trailing slash). These are needed to use the Cortex XDR API.

Getting Cortex XDR API key

To authenticate to the Cortex XDR APIs, follow the steps below:

  1. Access the Cortex XDR application.
  2. Enter your login credentials, including your email ID and password, to log in. You will be directed to the application dashboard.
    login-palo-login.png
  3. On the left-hand panel of the dashboard, locate the Settings option and click on it. Then select Configurations.
    cortex-settings-configuration.png
  4. In the Configurations panel, navigate to the Integrations option and select API keys.
    cortex-select-api-key.png
  5. Click cortex-new-key-button.png button to add a new API key.
  6. You will be directed to a page to generate the key. Fill in the required information, then click Save.generate-api-key.png
    info

    Make sure to assign the API key the Standard security level.

  7. Copy copy-button.png the generated API key and save it to your personal folder for later use when creating the Cortex XDR source.
    cortex-api-key-generated.png
  8. Click Close to exit the API keys configuration panel.

Getting Cortex XDR API ID

  1. Once you have obtained the API key, you can retrieve the associated API ID.
  2. To do so, navigate to the API keys page, where you can view all of the created APIs. Your API ID can be found next to the API key you generated.
    cortex-api-id.png

Getting Cortex XDR FQDN

  1. Once you have obtained the API key and ID, the next step is to retrieve your FQDN.
  2. Navigate to the API Keys page where you can view all the APIs you have created. Right-click on the API ID you have generated and select View Examples from the options that appear. From the API keys page, you can see all the APIs created. Right click on the API ID you have generated, click View Examples from the options that appear.
    cortex-fqdn.png
  3. The API Example window will appear, and your FQDN can be found in the Curl example that starts from sumologic-partner.xdr.us.paloaltonetworks.com
    fqdn-name.png
note

To learn more about the Cordex XDR APIs, refer to the Get Started with Cortex XDR APIs section.

Source configuration

When you create a Palo Alto Cortex XDR Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.

To configure a Palo Alto Cortex XDR Source:

  1. In Sumo Logic, select Manage Data > Collection > Collection
  2. On the Collectors page, click Add Source next to a Hosted Collector.
  3. Select Palo Alto Cortex XDR.
  4. Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
  5. (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
  6. Forward to SIEM. Check the checkbox to forward your data to Cloud SIEM.
  7. (Optional) Fields. Click the +Add Field link to define the fields you want to associate, each field needs a name (key) and value.
    • green check circle.png A green circle with a check mark is shown when the field exists in the Fields table schema.
    • orange exclamation point.png An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
  8. API Key. Enter the API Key that you generated and secured in step 7 of the API Key section.
  9. API ID. Enter the API ID that you generated and secured in step 2 of the API ID section.
  10. Tenant FQDN. Enter the FQDN that you obtained when you generated the API Key and API ID, as explained in the FQDN section. The FQDN is a unique host and domain name associated with each tenant.
  11. Ingest Associated Events. It enables the ingestion of all events associated with an alert as a separate set of log lines. Each alert will have all events ingested as individual log lines, each enriched with the original alert ID.
  12. Duplicate Alerts for each alert host IP. It simplifies the analysis of incoming alerts by flattening the host IP field and generating a duplicate alert for each unique host IP. The duplicates are identical except for the flattened host IP field, making it easier to work with the alerts and create rules or searches to detect potential security threats.
  13. Ingested Incident Events. It allows the ingestion of all events associated with an alert as individual log lines, each with the original alert ID enrichment.
  14. Polling Interval. It is set for 600 seconds by default, you can adjust it based on your needs. This sets how often the Source checks for new data.
  15. When you are finished configuring the Source, click Submit.
note

To ensure accurate and effective display of all alerts, we recommend enabling duplicate alerts for each alert host IP. This prevents any host IP array flattening.

Metadata fields

FieldValueDescription
_siemVendorPalo Alto Set when Forward To SIEM is checked.
_siemProductCortexSet when Forward To SIEM is checked.
_siemFormatJSONSet when Forward To SIEM is checked.
_siemEventID<category>Alert logs and associated event logs use {category} while incident logs use the static text incident

JSON schema

Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for details. 

ParameterTypeValueRequiredDescription
schemaRefJSON Object{"type":"Palo Alto Cortex XDR"}YesDefine the specific schema type.
sourceTypeString"Universal"YesType of source.
configJSON ObjectConfiguration objectYesSource type specific values.

Configuration Object

The following table shows the config parameters for a Palo Alto Cortex XDR Source.

ParameterTypeRequiredDefaultDescriptionExample
nameStringYesnullType a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source."mySource"
descriptionStringNonullType a description of the source."Testing source"
categoryStringNonullType a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details."mySource/test"
fieldsJSON ObjectNonullJSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM.{"_siemForward": false, "fieldA": "valueA"}
api_keyStringYesnullProvide the API Key you want to use to authenticate collection requests.
api_idStringYesnullProvide the API ID for the API Key that you want to use to authenticate collection requests.
fqdnStringYesnullThe FQDN is a unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN.
ingest_eventsBooleanNoFalseWhen true, the ingestion of all events associated with an alert as a separate set of log lines. Each alert will have all events ingested as individual log lines, each enriched with the original alert ID.
dup_alertsBooleanNoFalseWhen true, it takes all inbound alerts and flatten the host IP field in the alert data structure. Then a duplicate alert is ingested for each, which will be identical except for the host IP field that is flattened from an array. This simplifies working with the alert and the generation of rules or searches based on alert content.
collect_incidentsBooleanNoFalseIf true, it collects incidents.
polling_intervalIntegerNo600This sets how often the Source checks for new data.

JSON example

{
"api.version": "v1",
"source": {
"schemaRef": {
"type": "Palo Alto Cortex XDR"
},
"config": {
"name": "Cortex XDR",
"fields": {
"_siemForward": false
},
"api_key": "***********",
"api_id": "*",
"fqdn": "palo-test.com",
"polling_interval": 600,
"ingest_events": true,
"dup_alerts": true,
"collect_incidents": true
},
"sourceType": "Universal"
}
}

Download example

Terraform example

resource "sumologic_cloud_to_cloud_source" "palo-alto-cortex-XDR-source" {
collector_id = sumologic_collector.collector.id
schema_ref = {
type = "Palo Alto Cortex XDR"
}
config = jsonencode({
"name": "Cortex XDR",
"fields": {
"_siemForward": false
},
"api_key": "***********",
"api_id": "*",
"fqdn": "palo-test.com",
"polling_interval": 600,
"ingest_events": true,
"dup_alerts": true,
"collect_incidents": true
})
}
resource "sumologic_collector" "collector" {
name = "my-collector"
description = "Just testing this"
}

Download example

FAQ

info

Click here for more information about Cloud-to-Cloud sources.

Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.