03-29-2022 03:59 PM
Does anyone have a working solution to export Cortex XDR alerts into Splunk?
We have tried to use Syslog but support was dropped by the PAN Splunk App Team for that in favor of the API which only pulls Incident data(no alerts) and a link back to the XDR console, none of the data is able to be mapped in Splunk ES for alerting.
We have tired to write a custom microservice to pull Alert Data only to find there is no correlation or wildfire verdict data in the alerts table. When then tried to pull 'extended' incident data only to get blocked as the API limits you to 10 requests / min.
We have tried to forward the data over the CDL like we do with our firewalls and HEC, but that was blocked as well since you don't have access to XDR data from the CDL.
Do we have any options?
03-30-2022 12:15 AM
Dear @eumbach
As you mentioned forward from CDL is not including XDR data. If you have PANW Firewall has been integrated with CDL, You can use CDL forward option.
I believe best option is to use Alert forwarding from Cortex XDR. (Configuration>Notification>Add Forwarding Notification). I dont know why syslog data dropped on splunk but i guess this is something you need to fix on splunk side.
03-30-2022 09:29 AM - edited 03-30-2022 09:32 AM
Syslog is not supported in the PAN_TA for Cortex XDR so there is no parsing of the fields.
Cortex XDR · GitBook (paloaltonetworks.com)
Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported).
The method that is supported is with API but it only pulls the INC# and a link to the XDR console which doesn't provide value for correlation. This use to work using the TRAPS syslog parsing but that was removed in 7.X and forward.
03-30-2022 04:55 PM
Bump. New XDR customer and going through the onboarding phone calls with our teams etc. We were told that Splunk integrates withj XDR and we will be able to pull in alert data fairly easily and have all of the functions that you have made multiple threads about which now has me worried that the XDR guys may not really understand everything thats going on and perhaps need to go "find the small group of people that knows all about splunk integration and have done it before". lol all I know is that Splunk people exist but are not easily found.
03-31-2022 08:58 AM
"...We were told that Splunk integrates with XDR..." - We were told the same thing, and it does... in the since that XDR can ingest Splunk logs, but not the other way around. As a customer we have spoken with Product Management, Sales, VP of XDR, the Development team for the Splunk App with no resolution hence us finally giving up and coming to the LIVEcommunity to see if anyone else out there has a solution.
06-09-2022 08:36 AM
For Anyone following we have created our own Splunk App which uses the API to pull in alerts and map them by alert source to datamodels. The Python was not nearly as complex as we thought it would be.
Get Alerts (paloaltonetworks.com)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
