topic Re: Syslog Splunk Parsing in Cortex XDR Discussions

Syslog Splunk Parsing

eumbach — Fri, 27 Aug 2021 15:31:40 GMT

Hey everyone,

First time poster. We just rolled out XDR and having some issues getting data into Splunk. The Splunk TA App says it does not support Syslog, but there is loads of documentation for getting agent logs, alerts, management logs sent to Splunk. It seems there may be a disconnect between the DEV's for the APP and Product Management. Has anyone successfully parsed this data? Right now the only thing we are seeing in the API is INC and there are no mappings for CIM data (Which the documentation also says it has support for)

Introduction · GitBook (paloaltonetworks.com)

Cortex XDR is supported starting with App/Add-on 7.0.0.

Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported).

Splunk Enterprise Security · GitBook (paloaltonetworks.com)
(Looking at you malware)

Common Information Model (CIM) Compliance

The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.

CIM Datamodel Tags Palo Alto Networks Eventtypes

Change Analysis	change	pan_config
Email	email, filter	pan_email
Intrusion Detection	ids, attack	pan_threat
Malware	malware, attack, operations	pan_malware_attacks, pan_malware_operations, pan_wildfire
Network Sessions	network, session, start, end	pan_traffic_start, pan_traffic_end
Network Traffic	network, communicate	pan_traffic
Web	web, proxy	pan_url

Re: Syslog Splunk Parsing

JEbrahimi — Tue, 31 Aug 2021 14:12:33 GMT

Hi. If you are using the latest app it work by polling the data via the api and stores in as sourcetype pan:xdr_incident. The data is normalized to be CIM compliant. You can configure you Splunk to use the API by selecting the Add On and then creating a new input. This requires setting up the API ID/Key inside XDR to be used to poll the data.

Re: Syslog Splunk Parsing

eumbach — Wed, 01 Sep 2021 11:34:08 GMT

I already have done this... there is too little information in the Incident to even be considered an alert.

None of the API data is being tagged for an event. Take the following for example:

{"incident_id": "6969696", "incident_name": null, "creation_time": 1630475896376, "modification_time": 1630493807149, "detection_time": null, "status": "new", "severity": "medium", "description": "4 'WildFire Malware' alerts prevented by XDR Agent on host foobar involving user foo\\bar", "assigned_user_mail": null, "assigned_user_pretty_name": null, "alert_count": 4, "low_severity_alert_count": 0, "med_severity_alert_count": 4, "high_severity_alert_count": 0, "user_count": 1, "host_count": 1, "notes": null, "resolve_comment": null, "manual_severity": null, "manual_description": null, "xdr_url": "https://foobar.xdr.us.paloaltonetworks.com, "users": ["foo\\bar"], "incident_sources": ["XDR Agent"], "rule_based_score": null, "manual_score": null, "wildfire_hits": 1, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": null, "mitre_tactics_ids_and_names": null, "alert_categories": ["Malware"]}

This should be tagged for Malware Data model, but since there is no action field or tags it doesn't.

(`cim_Malware_indexes`) tag=malware tag=attack

See attached... It flat out fails even the most basic checks.