article Palo Alto Cortex XDR Event Forwarding to Google SecOps (Chronicle) in General Articles https://live.paloaltonetworks.com/t5/general-articles/palo-alto-cortex-xdr-event-forwarding-to-google-secops-chronicle/ta-p/600621 <P><SPAN>This document provides detailed steps for a customer to achieve Cortex XDR Events / Telemetry forwarding to </SPAN><SPAN>Google Security Operations (SIEM/Chronicle).&nbsp;</SPAN></P> <P>You can contact&nbsp;<A href="mailto:google-tech@paloaltonetworks.com" target="_blank" rel="noopener">google-tech@paloaltonetworks.com</A>&nbsp;if you have any further questions.</P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG><SPAN>Cortex XDR Event Forwarding to Google SecOps (Chronicle) Solution</SPAN></STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>The telemetry data is pulled into an intermediary bucket in the customer tenant and the native integration is set up from there.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The following diagram demonstrates this.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_2-1728953430741.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62797iD6A7CF2D60BD4355/image-size/large?v=v2&amp;px=999" role="button" title="Danielma911_2-1728953430741.png" alt="Danielma911_2-1728953430741.png" /></span></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG>Steps To Setup The Integration (with an example)</STRONG></FONT></H2> <H3><SPAN>Create Required GCS Bucket</SPAN></H3> <P><SPAN>The customer creates a GCS bucket in the Customer/MDR tenant. Let’s call it </SPAN><STRONG>Project1</STRONG></P> <P><SPAN>For this example, we are using the following bucket (your bucket name </SPAN><STRONG>will</STRONG><SPAN> be different)</SPAN></P> <P><STRONG>cortex-xdr-events-destination</STRONG><SPAN> - Used to hold the XDR telemetry data temporarily.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Make sure that the bucket is in the same region as the customer’s Chronicle Region.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_3-1728953746394.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62798i1E8CDFA5D553ABE1/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_3-1728953746394.png" alt="Danielma911_3-1728953746394.png" /></span></P> <P>&nbsp;</P> <H3><STRONG>Set up Cortex XDR Event Forwarding&nbsp;</STRONG></H3> <P><SPAN>Setup the Cortex XDR event forwarding and download the service account key. We will call it </SPAN><STRONG>xdr_sa_key.json</STRONG><SPAN> going forward. For the complete guide to event forwarding please refer to </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Parsing-Rules-Raw-Dataset" target="_blank" rel="noopener"><SPAN>this link</SPAN></A><SPAN>. The following screenshot shows the customer performing this action. At the end of this step the customer must have&nbsp;</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Storage Path (GCS Bucket URL)</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Service account JSON key.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_4-1728953818011.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62799i21A9E1AA3E9DDF7D/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_4-1728953818011.png" alt="Danielma911_4-1728953818011.png" /></span> <P>&nbsp;</P> </LI> </OL> <H3><STRONG>Secret Manager Setup</STRONG></H3> <P><SPAN>Create a secret called </SPAN><STRONG>EVENT_FRWD_CRTX_KEY</STRONG><SPAN> and add the contents of the SA</SPAN></P> <P><SPAN>JSON </SPAN><STRONG>xdr_sa_key.json</STRONG><SPAN> as the value of the secret</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_5-1728953868964.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62800iAF37382CC4B1B25D/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_5-1728953868964.png" alt="Danielma911_5-1728953868964.png" /></span></P> <P>&nbsp;</P> <H3><SPAN>Set up Native Chronicle Feed Integration</SPAN></H3> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Create a new feed by navigating to </SPAN><STRONG>SIEM Settings - Feeds - ADD NEW</STRONG><SPAN>.&nbsp;&nbsp;</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_6-1728953938295.png" style="width: 505px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62801i122D4862FA812470/image-dimensions/505x224?v=v2" width="505" height="224" role="button" title="Danielma911_6-1728953938295.png" alt="Danielma911_6-1728953938295.png" /></span></P> <P>&nbsp;</P> <UL> <LI><SPAN>&nbsp;Provide a feed name and select options as shown below. Click GET A SERVICE ACCOUNT. Click Next.</SPAN></LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_10-1728954123904.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62805i9D47CD26C9E35355/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_10-1728954123904.png" alt="Danielma911_10-1728954123904.png" /></span></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Provide the bucket name and select the options as shown below. Please add a namespace if that’s relevant to you/ your customer. It is recommended to add an ingestion label. Copy the service account name.</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_11-1728954194057.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62806i93BF723184710056/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_11-1728954194057.png" alt="Danielma911_11-1728954194057.png" /></span></P> <P class="lia-indent-padding-left-30px"><SPAN>Review the details added and Submit</SPAN></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_12-1728954260708.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62807i20241EBA4B10CAB9/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_12-1728954260708.png" alt="Danielma911_12-1728954260708.png" /></span></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>The feed should be available in feeds now (the feed name in the example below is different as we are using a feed created earlier)</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_13-1728954324210.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62808iE40553F4CCB09A64/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_13-1728954324210.png" alt="Danielma911_13-1728954324210.png" /></span></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>For now, disable the feed. We will enable it later.</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_14-1728954372465.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62809iD65FA047BA82F3BC/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_14-1728954372465.png" alt="Danielma911_14-1728954372465.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H3><STRONG>IAM Setup</STRONG></H3> <P><SPAN>The Cortex XDR service account created during the event forwarding setup already has access to the source bucket. Now go ahead and provide the </SPAN><STRONG>Storage Object Admin </STRONG><SPAN>and </SPAN><STRONG>Storage Legacy Bucket Reader</STRONG><SPAN> access to this service account on the bucket (</SPAN><STRONG>cortex-xdr-events-destination</STRONG><SPAN>) created in Step 1.&nbsp;</SPAN><SPAN>Also, grant the account (the chronicle service account, see below when you adding feeds in Chronicle) created during feed creation of the </SPAN><STRONG>Storage Object Viewer </STRONG><SPAN>(</SPAN><SPAN>roles/storage.objectViewer</SPAN><SPAN>)</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_0-1728955978355.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62816i454A31E1956E3B02/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_0-1728955978355.png" alt="Danielma911_0-1728955978355.png" /></span></P> <P>&nbsp;</P> <H3><SPAN>Set up the Solution (One-time setup)</SPAN></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Enable Following APIs</SPAN></LI> <OL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Cloud Run</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Artifact Registry</SPAN></LI> </OL> <LI><SPAN>Open Cloud Shell and download the code using:&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">git clone https://github.com/PaloAltoNetworks/google-cloud-cortex-chronicle.git</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI><SPAN>cd google-cloud-cortex-chronicle/ </SPAN><SPAN>The contents of this directory are shown below</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_2-1728956127266.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62818i4CF5755877EFE600/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_2-1728956127266.png" alt="Danielma911_2-1728956127266.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Danielma911_3-1728955417032.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62813i39AF20FEB392E863/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_3-1728955417032.png" alt="Danielma911_3-1728955417032.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI><SPAN>Open the file </SPAN><SPAN>env.properties</SPAN><SPAN> with the editor of your choice. Update the values of the variables as shown below. Job Schedule minutes can be adjusted based on the size and frequency of data pushed by Cortex.</SPAN></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">REGION=us-central1 # update this to the region you want REPO_NAME=panw-chronicle # The repo name to create IMAGE_NAME=sync_cortex_bucket # The image name to create GCP_PROJECT_ID=xdrxxxxxtion # update this to your project ID JOB_NAME=cloud-run-job-cortex-data-sync # The Cloud Job name to create PROJECT_NUMBER=80xxxxx9 # update this to your project number # JOB ENV VARIABLES SRC_BUCKET=xdr-us-xxxxx-event-forwarding # update this to Cortex XDR GCS bucket DEST_BUCKET=cortex-xdr-events-destination # Update to the GCS name you created SECRET_NAME=EVENT_FRWD_CRTX_KEY # Need to match exactly the secret you created JOB_SCHEDULE_MINS=30 </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI><SPAN>Provide execute permissions to the deploy.sh using the command</SPAN></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">chmod 744 deploy.sh</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Run the </SPAN><SPAN>deploy.sh</SPAN><SPAN> using command </SPAN><SPAN>./deploy.sh</SPAN><SPAN>. This step does following</SPAN></LI> <OL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Creates an artifact registry repository</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Build an image for a cloud run job</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Pushes the image to the Artifact registry</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Creates a Cloud Run Job using this image</SPAN></LI> <LI style="font-weight: 400;" aria-level="2">Creates a trigger for this cloud run job every <SPAN>JOB_SCHEDULE_MINS</SPAN><SPAN> minutes (configured in </SPAN><SPAN>env.properties</SPAN><SPAN>)</SPAN></LI> </OL> <LI><SPAN><SPAN>After the script finishes, you would need to grant permission to access the Secret Manager Secret you created before to the service account (you can see the service account used by the Cloud Jobs from the script output; see below).</SPAN></SPAN></LI> </UL> <DIV id="tinyMceEditorDanielma911_4" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_5-1728955691985.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62815i74F8CA6567AF8C14/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_5-1728955691985.png" alt="Danielma911_5-1728955691985.png" /></span></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><SPAN>Grant permission through the Secret Manager -&gt; Permissions (Secret Manager Secret Accessor):</SPAN></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_1-1728955993010.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62817i58577909B46FA30F/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_1-1728955993010.png" alt="Danielma911_1-1728955993010.png" /></span></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <H3><SPAN>Verify setup</SPAN></H3> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Verify if artifacts mentioned above are created.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>You can wait for </SPAN><SPAN>JOB_SCHEDULE_MINS</SPAN><SPAN> minutes or perform the following steps to force execute the job. </SPAN><STRONG>This is required/recommended to be done only once to test.</STRONG></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Go to the Cloud run job. In your case, it might show “no executions” in the status.</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_3-1728956137613.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62819i523B71E8F266E360/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_3-1728956137613.png" alt="Danielma911_3-1728956137613.png" /></span></P> <UL> <LI><SPAN>Force Execute</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_5-1728956227537.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62821i64AA7974C00FC043/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_5-1728956227537.png" alt="Danielma911_5-1728956227537.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI><SPAN>Check logs</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_6-1728956316094.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62822iFCB07DB9073CE9A3/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_6-1728956316094.png" alt="Danielma911_6-1728956316094.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Now check the destination bucket</SPAN></LI> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>It should have the files downloaded from the XDR Bucket</SPAN></LI> </UL> </UL> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_7-1728956503193.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62823iC2AF02EF669DE7DD/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_7-1728956503193.png" alt="Danielma911_7-1728956503193.png" /></span></P> <UL> <LI><SPAN>Download one of the files and unzip it and note down one or more event ids as shown below</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_8-1728956635895.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62824iCBF71FE14F86C017/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_8-1728956635895.png" alt="Danielma911_8-1728956635895.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI><SPAN>Now go to Chronicle - SIEM Settings - [Your Feed Name] -&gt; Enable Feed</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_9-1728956715776.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62825iAED3B772C39FE5D3/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_9-1728956715776.png" alt="Danielma911_9-1728956715776.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI><SPAN>Search for the event id in Chronicle with RAW search / UDM search (you may have to wait for a few minutes for UDM search). You should find the event in the Chronicle.</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_10-1728956779158.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62826i593FA81528FEB63F/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_10-1728956779158.png" alt="Danielma911_10-1728956779158.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Regular Usage &amp; Monitoring</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>You do not have to change anything going forward for this integration.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The feed should remain enabled from this point forward unless you want to troubleshoot.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>You can change the schedule based on your requirements. Recommended 30 minutes initially when there’s too much data in the source bucket and gradually reducing to about 5 minutes as things stabilize. You can change that directly on the trigger as shown below</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_11-1728956880491.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62827iDE2DF26407669BA3/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_11-1728956880491.png" alt="Danielma911_11-1728956880491.png" /></span></P> <UL> <LI><SPAN>Monitor the Job Run execution History in Cloud run.</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_12-1728956949082.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62828i655297AA5A975B94/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_12-1728956949082.png" alt="Danielma911_12-1728956949082.png" /></span></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG>Cloud Billing Costs</STRONG></FONT></H2> <P><SPAN>Predominantly this solution uses the following resources that are billed.</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>GCS cloud bucket</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Cloud Run Batch job</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Artifact Registry</SPAN></LI> </UL> <P><SPAN>Assuming the deployment region to be </SPAN><SPAN>us-central1</SPAN><SPAN>&nbsp;about 10GB of data persistently stored every day and a cloud run job that runs every 10 minutes for 30 days, the estimated cost is</SPAN><SPAN>&nbsp;about USD 10 per month.</SPAN></P> <P><SPAN>These are approximate costs. Your costs may vary based on the amount of data and the frequency of the job.</SPAN></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG>Troubleshooting</STRONG></FONT></H2> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>If the data is not available in the Chronicle</SPAN></LI> <OL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Check if the feed is enabled</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Check the cloud run job logs</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>For the very first time, the job may have to deal with GBs of data if you had the forwarding setup enabled for many days. Please check the job logs and wait for it to finish.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Wait for a few minutes if the event is from a recent file</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Sometimes Cortex sends older files, so try to expand the search time range by a few hours.</SPAN></LI> </OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Troubleshooting the Cloud run job</SPAN></LI> <OL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Check for logs for any errors</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>If there are no files logged by the job please check with Cortex XDR support as the files may not be present in the source bucket.</SPAN></LI> </OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>How to reduce GCS costs?</SPAN></LI> </UL> <P class="lia-indent-padding-left-60px">You can set up the Lifecycle Management rule to delete the object after 14 days. Follow the steps shown in the screenshots below</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_0-1728957534041.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62829i9DB2E693CCE16D99/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_0-1728957534041.png" alt="Danielma911_0-1728957534041.png" /></span></P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_1-1728957574746.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62830i4650ECC736FAAF35/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_1-1728957574746.png" alt="Danielma911_1-1728957574746.png" /></span></P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_2-1728957614077.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62831i607F5686DEA88660/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_2-1728957614077.png" alt="Danielma911_2-1728957614077.png" /></span></P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Danielma911_3-1728957648309.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62832i71D3DA64A9939CED/image-size/medium?v=v2&amp;px=400" role="button" title="Danielma911_3-1728957648309.png" alt="Danielma911_3-1728957648309.png" /></span></P> <H2>&nbsp;</H2> <H2><FONT color="#FF6600"><STRONG>Uninstallation</STRONG></FONT></H2> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P><SPAN>Go to the installation folder, provide execute permissions to the uninstall.sh, and execute it by using the command </SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">chmod 744 uninstall.sh &amp;&amp; ./uninstall.sh</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Nov 2024 22:24:09 GMT Danielma911 2024-11-15T22:24:09Z Palo Alto Cortex XDR Event Forwarding to Google SecOps (Chronicle) https://live.paloaltonetworks.com/t5/general-articles/palo-alto-cortex-xdr-event-forwarding-to-google-secops-chronicle/ta-p/600621 <P><SPAN>This document provides detailed steps for a customer to achieve Cortex XDR Events / Telemetry forwarding to </SPAN><SPAN>Google Security Operations (SIEM/Chronicle)</SPAN></P> Fri, 15 Nov 2024 22:24:09 GMT https://live.paloaltonetworks.com/t5/general-articles/palo-alto-cortex-xdr-event-forwarding-to-google-secops-chronicle/ta-p/600621 Danielma911 2024-11-15T22:24:09Z