topic Re: CDL and Rapid7 InsightIDR, new API method? in Cortex XDR Discussions

CDL and Rapid7 InsightIDR, new API method?

Ssady1 — Fri, 03 Feb 2023 15:04:02 GMT

Is anyone using the "new API method" R7 references?

https://docs.rapid7.com/insightidr/palo-alto-cortex-data-lake/#New-API-Collection-Method-now-available-as-of-January-2023

Re: CDL and Rapid7 InsightIDR, new API method?

etugriceri — Tue, 07 Feb 2023 11:02:25 GMT

Hi Ssady1

I believe this document is not 100% correct.

There is no method to get logs from CDL via API. (You need to use syslog)

But if you have XDR Pro per TB license, You can reach out the data in CDL via XDR. If you dont have XDR Pro per TB license, You can only reach out endpoint related data which is in CDL via API. But still from XDR perspective this is not new API or method.

If this is new method on the R7 side, I believe this question should be asked to r7 community.

I hope that helps

Re: CDL and Rapid7 InsightIDR, new API method?

JackSenesap — Tue, 07 Feb 2023 13:04:01 GMT

I am trying to figure this out as well. I have another security vendors leveraging CDL API to gather logs but Rapid7IDR fails at this.

Re: CDL and Rapid7 InsightIDR, new API method?

etugriceri — Tue, 07 Feb 2023 16:39:49 GMT

If you would like to continuously get data from API, You should have enough Compute Unit. Otherwise, data'll not be completely fetched after consuming all free CU.

You can check from settings how much you have and how your usage.