topic Re: Cortex XDR dashboard into Grafana? in Cortex XDR Discussions

Cortex XDR dashboard into Grafana?

J.JohnsonRock — Tue, 09 Apr 2024 06:03:09 GMT

Hello, I don't know if I'm in the right place...

I would like to integrate our Cortex XDR dashboard into Grafana. I know this is possible via an API, but which connection do I choose in Grafana? 'Websocket API'? Which data connection in Grafana do I need?

Have somebody already done that? Are there instructions for this?

Basically I would like to create a dashboard in Grafana that shows the incidents from XDR.

It would be nice if someone could help me. Thanks.

Re: Cortex XDR dashboard into Grafana?

jtalton — Wed, 10 Apr 2024 15:33:37 GMT

Hi J.JohnsonRock,

You can use the Cortex XDR Rest API to send incident/alerts details to Grafana, see Incident Management • Cortex XDR REST API • Reader • Palo Alto Networks documentation portal

After you generate your API key and set up the API to query Cortex XDR, Grafana can receive incident/alert data. Additional details are located in Cortex XDR API Reference guide which also provides a Standard Key cURL example:

curl -X POST https://api-{fqdn}/public_api/v1/{name of api}/{name of call}/ -H "x-xdr-auth-id:{key_id}" -H "Authorization:{key}" -H "Content-Type:application/json" -d '{}'

Here is a video walkthrough of the process Public API Cortex XDR 2.0 | Palo Alto Networks

If you found this answer helpful, please select Accept as Solution.

Thank you

Re: Cortex XDR dashboard into Grafana?

J.JohnsonRock — Fri, 12 Apr 2024 11:26:12 GMT

Thank you for your guidance. I created the API token exactly as explained in the video and it worked well.

In Grafana under "Data Sources" I tried to connect with the "Infinity" plugin, but without success.

The message always comes up: "error getting data frame. requested URL is not allowed. To allow this URL, update the datasource config Security -> Allowed Hosts section"
No matter what I set.

I don't know if I'm setting something up incorrectly in the "Infinity Plugin" under Authentication or "Auth type"
Can you tell me which auth type I have to choose?
Or maybe instructions or a screenshot??

Re: Cortex XDR dashboard into Grafana?

jtalton — Fri, 12 Apr 2024 20:32:52 GMT

Hi J.JohnsonRock,

For better security, we generally recommend setting the Cortex XDR API to Advanced to prevent replay attacks. However, the Advanced API key does not support cURL but it is suitable with scripts.

As outlined in the Get Started with APIs • Cortex XDR API Reference • Reader • Palo Alto Networks documentation portal, here is a Standard Key cURL Example:

curl -X POST https://api-{fqdn}/public_api/v1/{name of api}/{name of call}/
-H "x-xdr-auth-id:{key_id}"
-H "Authorization:{key}"
-H "Content-Type:application/json"
-d '{}'

Advanced Key Python 3 Example

import requests

from datetime import datetime, timezone
import secrets
import string
import hashlib
import requests

def test_advanced_authentication(api_key_id, api_key):
# Generate a 64 bytes random string
nonce = "".join([secrets.choice(string.ascii_letters + string.digits) for _ in range(64)])
# Get the current timestamp as milliseconds.
timestamp = int(datetime.now(timezone.utc).timestamp()) * 1000
# Generate the auth key:
auth_key = "%s%s%s" % (api_key, nonce, timestamp)
# Convert to bytes object
auth_key = auth_key.encode("utf-8")
# Calculate sha256:
api_key_hash = hashlib.sha256(auth_key).hexdigest()
# Generate HTTP call headers
headers = {
"x-xdr-timestamp": str(timestamp),
"x-xdr-nonce": nonce,
"x-xdr-auth-id": str(api_key_id),
"Authorization": api_key_hash
}
parameters = {}
res = requests.post(url="https://api-{fqdn}/public_api/v1/{name of api}/{name of call}",
headers=headers,
json=parameters)
return res

Also, I suggest contacting Grafana support for assistance with their plugin.

Thanks

Re: Cortex XDR dashboard into Grafana?

J.JohnsonRock — Tue, 16 Apr 2024 12:23:57 GMT

Good day,
Thank you very much for the detailed description.
I have now created a "standard token" for testing and, following your instructions, created the connection to the Grafana data source "infinitiy" (see picture)

grafana-infinity-setting's

Now I have a question: which post URL do I need so that I can only display the last "Open Incidents by Severity (Last 30 days)"?

I currently see all incidents in Grafana >including those I have marked as completed (I don't want to display them)

grafana-Total-Incidents

Eigentlich so wie in Cortex Dashboard "Open Incidents by Severity Last 30 days: Open Incidents by Severity (Last 30 days)

Do you understand what I mean?

Can you help me there?

Re: Cortex XDR dashboard into Grafana?

jtalton — Tue, 16 Apr 2024 14:29:43 GMT

Good morning,

That is an OOTB widget, so you will need to create an XQL query to create the pie chart. Please note that using the XQL API consumes your daily free quota of query units. Each XQL Query consumes query units based on the number of responses from the API results. Queries called without enough quota will fail. Additional units can be purchased through your account team.

Here is an XQL query to get started:

config case_sensitive = false timeframe = 30d
|dataset = incidents_assets
| fields incident_id, agent_id
| join type = left (dataset = alerts | filter excluded = FALSE and host_name != null | dedup incident_id, host_name | fields host_name, endpoint_id, incident_id, alert_arrival_timestamp, original_tags, alert_source ) as join_alerts join_alerts.incident_id = incident_id
| join type = left (dataset = scheduled_endpoints_dataset ) as endpoint_id endpoint_id.endpoint_id = endpoint_id
| join type = left (dataset = incidents | fields incident_id, severity, status ) as join_incidents join_incidents.incident_id = incident_id
| filter status in(ENUM.NEW, ENUM.UNDER_INVESTIGATION)
| comp count_distinct(incident_id ) as Incidents by severity
|
view graph type = pie header = "Open Incidents by Severity" xaxis = severity yaxis = Incidents valuecolor("LOW","#3f8aff") valuecolor("MEDIUM","#ffb43e") valuecolor("HIGH","rgba(255,0,0,0.99)")

The instructions are outlined in this Live Community webinar LIVEcommunity - On-Demand Webinar: "How To Use XQL APIs With Cortex XDR" - LIVEcommunity - 459696 (paloaltonetworks.com)

The following is a request example to help you build your query based on the information generated.

Take note of the required parameters
- URI /public_api/v1/xql/start_xql_query/
  HTTP Method POST
- Required License Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB

Sample
curl -X POST https://api-{fqdn}/public_api/v1/xql/start_xql_query/ \
-H "x-xdr-auth-id:{key_id}" \
-H "Authorization:{key}" \
-H "Content-Type:application/json" \
-d '{
"request_data": {
"query": "dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3",
"tenants": ["tenantID", "tenantID"],
"timeframe": {"from": 1598907600000, "to": 1599080399000}
}
}'

Also, if you are unfamiliar with XQL, training is provided in Live Community as well as Beacon.

LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)

Thank you

Re: Cortex XDR dashboard into Grafana?

J.JohnsonRock — Fri, 19 Apr 2024 07:13:47 GMT

Hello, that sounds very interesting but also complicated.
How many queries per day is normal or allowed?

Can't I do this with Grafana using the normal API?

Re: Cortex XDR dashboard into Grafana?

jtalton — Fri, 19 Apr 2024 19:21:55 GMT

The query size/CU usage is dependent upon the query and the customers environment.

I am not a Grafana SME and provided the options available in Cortex XDR.

Re: Cortex XDR dashboard into Grafana?

J.JohnsonRock — Wed, 24 Apr 2024 06:22:06 GMT

Good morning,

I created my dashboard as requested using the “Infinity” plugin. Therefore I no longer need the “XQL” variant.

Grafana-XDR

Best regards

Re: Cortex XDR dashboard into Grafana?

jtalton — Wed, 24 Apr 2024 13:16:11 GMT

Good Morning JJohnsonRock,

Look great!