https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/520980#M3134 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223431">@MithunKT</a>&nbsp;you can forward all alert logs via email and have QRadar pick them up and parse it, if that works.</P> <P>&nbsp;</P> <P>Alternately, you can also leverage XDR API's to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-alerts" target="_blank">retrieve all alerts</A>, but you might run into throttling issues if the number of alerts are very high.</P> <P>&nbsp;</P> Fri, 11 Nov 2022 06:24:13 GMT bbarmanroy 2022-11-11T06:24:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/520978#M3133 <P><SPAN>Hi All,</SPAN></P> <P><BR /><SPAN>We have a requirement to get cortex XDR Data(Alerts, agent audit logs) into IBM Qradar. Following the documentation, we took the approach of configuring syslog server in <STRONG>external applications</STRONG>, new configuration in <STRONG>notifications, </STRONG>and adding<STRONG> Cortex DSM app extension </STRONG>in QRadar<STRONG>.</STRONG></SPAN></P> <P>&nbsp;</P> <P>Due to security concerns, our QRadar team does not wish to make our syslog server's private IP address public.</P> <P>&nbsp;</P> <P>A public IP is required in order to add a Syslog server to External Applications, according to the XDR documentation. We lack a public IP, hence we are unable to use this strategy.</P> <P>&nbsp;</P> <P>As a result, I was searching for a different way to send XDR alerts to the Qradar Syslog Server (perhaps using an API). If anyone has any alternative suggestions, I'd appreciate it.</P> <P>&nbsp;</P> <P><SPAN>Thanks in Advance.</SPAN></P> <P>&nbsp;</P> <P><SPAN><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</SPAN></P> Fri, 11 Nov 2022 05:17:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/520978#M3133 MithunKT 2022-11-11T05:17:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/520980#M3134 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223431">@MithunKT</a>&nbsp;you can forward all alert logs via email and have QRadar pick them up and parse it, if that works.</P> <P>&nbsp;</P> <P>Alternately, you can also leverage XDR API's to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-alerts" target="_blank">retrieve all alerts</A>, but you might run into throttling issues if the number of alerts are very high.</P> <P>&nbsp;</P> Fri, 11 Nov 2022 06:24:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/520980#M3134 bbarmanroy 2022-11-11T06:24:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/521050#M3136 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223431">@MithunKT</a>&nbsp;</P> <P>I'm assuming the QRadar data gateway is not an option? Typically this is what I encounter on customer that have QRadar.</P> Fri, 11 Nov 2022 20:42:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/521050#M3136 jcandelaria 2022-11-11T20:42:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/539190#M4173 <P>Hello&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223431" target="_blank">@MithunKT</A><SPAN>&nbsp;,<BR />From my experience with Qradar SIEM this could be solved by deploying seprate <STRONG>disconnected log collector</STRONG> with public IP for these type of sources.&nbsp;<BR /><A href="https://www.ibm.com/docs/en/qradar-common?topic=disconnected-log-collector" target="_blank">Disconnected Log Collector - IBM Documentation</A><BR />Maybe it will help&nbsp;<BR />Kind Regards</SPAN></P> Tue, 18 Apr 2023 12:11:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/539190#M4173 SevcikMichal 2023-04-18T12:11:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/1252462#M9262 <P>Hi,</P> <P>that true,&nbsp;<SPAN>&nbsp;public IP Cortex sent to private syslog will not be option here, due to&nbsp;&nbsp;lack a public IP of QRadar.</SPAN></P> <P><SPAN>I used&nbsp;Universal Cloud REST API protocol&nbsp;</SPAN></P> <P><SPAN>here the workflow files<BR /><A class="relative pointer-events-auto a cursor-pointer underline" href="https://github.com/iceMBD/Workflow-Palo-Alto-Cortex-XDR-Integration-for-IBM-QRadar/tree/main" rel="noopener nofollow ugc" target="_blank">https://github.com/iceMBD/Workflow-Palo-Alto-Cortex-XDR-Integration-for-IBM-QRadar/tree/main</A></SPAN></P> Fri, 17 Apr 2026 20:46:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-integration-with-ibm-qradar/m-p/1252462#M9262 m.abulamddi 2026-04-17T20:46:27Z