https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1252015#M9245 <P>Hi, <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098">@susekar</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for your comment.<BR />I can't find the “Strata Logging Service” section under “Collection Integrations” in the XDR management console. Do you know why that might be?</P> <P>&nbsp;</P> <P>Best Regards</P> Fri, 10 Apr 2026 06:04:53 GMT D.Watanabe454116 2026-04-10T06:04:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1251940#M9243 <P>Hello.<BR />This is my first time using Cortex XDR and SLS. I understand the procedure for integrating PA and SLS, but I’m not quite sure how to integrate SLS and XDR. I haven’t been able to find any instructions on any website. Could someone please help me?</P> Thu, 09 Apr 2026 10:09:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1251940#M9243 D.Watanabe454116 2026-04-09T10:09:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1251970#M9244 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1615570263">@D.Watanabe454116</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <DIV class="flex flex-col text-sm pb-25"> <SECTION class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="true" data-testid="conversation-turn-16" data-turn-id="request-WEB:358a5213-a90e-4527-a384-1953c1b320a4-7"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-3" data-message-id="3a1b46f8-a765-47bf-b893-ad564b8d3910" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <P data-end="127" data-start="67">&nbsp;</P> <P data-end="408" data-start="129">Integrating Strata Logging Service (SLS) with Cortex XDR allows the XDR platform to ingest and correlate detection data from Palo Alto Networks products (like NGFW or Prisma Access) that are already logging to an existing SLS instance (formerly known as Cortex Data Lake or CDL).</P> <H4 data-end="436" data-start="415" data-section-id="5j00zn">&nbsp;</H4> <H4 data-end="436" data-start="415" data-section-id="5j00zn"><SPAN><STRONG data-end="436" data-start="419">Prerequisites:</STRONG></SPAN></H4> <P data-end="513" data-start="437">Before beginning the integration, ensure the following requirements are met:</P> <UL data-end="948" data-start="515"> <LI data-end="588" data-start="515" data-section-id="7wd3m5"><STRONG data-end="531" data-start="517">Licensing:</STRONG> You must have a Cortex XDR Pro per GB license enabled.</LI> <LI data-end="694" data-start="589" data-section-id="551lnu"><STRONG data-end="607" data-start="591">Permissions:</STRONG> You must hold Super User permissions for your Customer Support Portal (CSP) account.</LI> <LI data-end="948" data-start="695" data-section-id="3ukv5v"><STRONG data-end="720" data-start="697">Regional Alignment:</STRONG> The Cortex XDR tenant and the SLS/CDL instance must be provisioned in the exact same geographical region (e.g., both in US or both in EU). A region mismatch will prevent the SLS instance from being visible in the XDR console.</LI> </UL> <H4 data-end="980" data-start="955" data-section-id="1c94fy1"><SPAN><STRONG data-end="980" data-start="959">Integration Steps:</STRONG></SPAN></H4> <P data-end="1082" data-start="981">To configure the connection between SLS and Cortex XDR, follow these steps in the management console:</P> <OL data-end="1602" data-start="1084"> <LI data-end="1134" data-start="1084" data-section-id="1nrk23k">Log in to your Cortex XDR Management Console.</LI> <LI data-end="1364" data-start="1135" data-section-id="12j9ma2">Navigate to:<BR data-end="1153" data-start="1150" /><STRONG data-end="1229" data-start="1156">Settings → Configurations → Data Collection → Collection Integrations</STRONG> <UL data-end="1364" data-start="1235"> <LI data-end="1364" data-start="1235" data-section-id="1vla6hl">Note: In some newer tenants migrated to Cloud Logging Collection, the path may be <STRONG data-end="1353" data-start="1319">Data Collection → Data Sources</STRONG> instead.</LI> </UL> </LI> <LI data-end="1443" data-start="1365" data-section-id="51nuys">Locate the <STRONG data-end="1405" data-start="1379">Strata Logging Service</STRONG> section and click <STRONG data-end="1440" data-start="1424">Add Instance</STRONG>.</LI> <LI data-end="1479" data-start="1444" data-section-id="11ric5f">Select <STRONG data-end="1476" data-start="1454">Data Lake Instance</STRONG>.</LI> <LI data-end="1573" data-start="1480" data-section-id="56jgx9">Select the existing Strata Logging Service instances you wish to connect to this tenant.</LI> <LI data-end="1602" data-start="1574" data-section-id="82adiz">Save the configuration.</LI> </OL> <H3 data-end="1629" data-start="1609" data-section-id="127xt8f"><SPAN><STRONG data-end="1629" data-start="1613">Verification:</STRONG></SPAN></H3> <P data-end="1692" data-start="1630">Once configured, you can verify the status of the integration:</P> <UL data-end="2090" data-start="1694"> <LI data-end="1848" data-start="1694" data-section-id="1k6kvnc"><STRONG data-end="1720" data-start="1696">Visual Confirmation:</STRONG> A green check mark will appear underneath the Strata Logging Service configuration once events begin to flow into the tenant.</LI> <LI data-end="1957" data-start="1849" data-section-id="sbh8qi"><STRONG data-end="1869" data-start="1851">Querying Data:</STRONG> You can use XQL Search to confirm data presence by querying the <STRONG data-end="1946" data-start="1934">xdr_data</STRONG> dataset.</LI> <LI data-end="2090" data-start="1958" data-section-id="tx127g"><STRONG data-end="1977" data-start="1960">Firewall CLI:</STRONG> On the firewall side, you can use the following command to confirm the connection status to the logging service:</LI> </UL> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="w-full overflow-x-hidden overflow-y-auto pe-11 pt-3"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼ5 ͼj" dir="ltr"> <DIV class="cm-scroller"> <DIV class="cm-content q9tKkq_readonly"><SPAN>request logging-service-forwarding status</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class=""><STRONG style="color: inherit; font-family: 'TT Hoves', DecimalMedium, 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 18px;" data-end="2178" data-start="2152">(Support and Assistance)</STRONG></DIV> </DIV> </DIV> </DIV> </DIV> <UL data-end="2580" data-start="2180"> <LI data-end="2304" data-start="2180" data-section-id="1wnfasn"><STRONG data-end="2210" data-start="2182">Technical Support (TAC):</STRONG> Assists with "break/fix" issues where an existing configuration is not working as expected.</LI> <LI data-end="2471" data-start="2305" data-section-id="11u0b8i"><STRONG data-end="2347" data-start="2307">Sales Engineer (SE) or Account Team:</STRONG> Contact for guidance on new implementations, architectural designs, or complex multi-tenant/multi-account configurations.</LI> <LI data-end="2580" data-start="2472" data-section-id="zxdbr4"><STRONG data-end="2500" data-start="2474">Professional Services:</STRONG> Recommended for in-depth setup assistance or creating specific parsing rules.</LI> </UL> <H4 data-end="2625" data-start="2587" data-section-id="1qb7qv4">&nbsp;</H4> <H4 data-end="2625" data-start="2587" data-section-id="1qb7qv4"><SPAN><STRONG data-end="2625" data-start="2591">Important Note for New Tenants:</STRONG></SPAN></H4> <P data-is-only-node="" data-is-last-node="" data-end="2910" data-start="2626">If you are using a new tenant, Cortex XDR now supports direct integration (via the Cloud Logging Collection Service or CLCS) where firewalls and Panorama send logs directly to Cortex XDR without requiring a separate manual SLS/CDL setup. This is often the default for new activations.</P> </DIV> </DIV> </DIV> </DIV> <DIV class="z-0 flex min-h-[46px] justify-start">&nbsp;</DIV> </DIV> </DIV> </SECTION> </DIV> <P>If you feel this has answered your query, please let us know by clicking<SPAN>&nbsp;</SPAN><STRONG>like</STRONG><SPAN>&nbsp;</SPAN>and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 09 Apr 2026 15:22:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1251970#M9244 susekar 2026-04-09T15:22:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1252015#M9245 <P>Hi, <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098">@susekar</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for your comment.<BR />I can't find the “Strata Logging Service” section under “Collection Integrations” in the XDR management console. Do you know why that might be?</P> <P>&nbsp;</P> <P>Best Regards</P> Fri, 10 Apr 2026 06:04:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/procedures-for-integrating-sls-and-cortex-xdr/m-p/1252015#M9245 D.Watanabe454116 2026-04-10T06:04:53Z