Cortex XDR API requests

OrkhanM — Thu, 19 Jun 2025 12:25:10 GMT

Hi everyone,

There is an problem im facing with. The problem is -- Some of API requests are not shown in "Management Audit Logs". There is another API's which ones can be shown in "Management Audit Logs". Is there other option for this case? To collect unseen API logs?

Re: Cortex XDR API requests

eluis — Fri, 20 Jun 2025 13:27:33 GMT

Hello OrkhanM,

Related to API logs at Management Audit logs, please refer to the documentation at:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Management-audit-log-messages

There you can see that there should be logs for the following:

API Key: Modification of the Cortex XDR API key.
Broker API: Operation related to the Broker application programming interface (API).
Public API: Authentication activity using an associated Cortex XDR API key.

If there are missing logs for the documented API logs on the documentation, please open a TAC support ticket with detailed information on which kind of logs there might be missing.

Additionally I recommend to perform the following test:

Go to cogwheel settings --> Configurations --> Notifications --> At the top right corner click on black button Add forwarding configuration and then fill out your data, on the filter to add the notifications, please configure/add the following filters: Description contains API OR Type select all APIs options there.

You can add email addresses to send the logs or a syslog server (might be even a siem) or a linux box to store it on a file.

Save it and compare the results of logs you get with this method with the logs you can see from the audit lot window in the XDR tenant configuring the same filters.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

KR,

Luis

topic Re: Cortex XDR API requests in Cortex XDR Discussions

Cortex XDR API requests

Re: Cortex XDR API requests