Integrating Cortex with QRadar


Hello Everyone,

Does installing the Cortex XDR for QRadar extension, version 1.2.0, and configuring it via syslog allow receiving alerts directly from Cortex XDR into QRadar?

I found https://apps.xforce.ibmcloud.com/extension/d12c3794f142ee334b4bbdc83d10347f but was not able to find a newer version.
Does someone know if there is another way to receive alerts directly from Cortex XDR into QRadar?

My goal is to have everything that appears in the tenant visible in QRadar.

I appreciate any feedback.
 
 
Matti

Hello @Noshutdown,

Greetings for the day.

The Cortex XDR for QRadar extension (Version 1.2.0) and standard syslog configuration allow QRadar to receive alerts and audit logs directly from the Cortex XDR tenant. However, standard syslog integration is limited in scope and does not support forwarding raw endpoint telemetry or full EDR data.

1. Integration Methods and Data Visibility:

To achieve your goal of visibility in QRadar, you must choose the integration method based on the data type required:

  • Syslog Forwarding (Direct):
    Supports Alerts, Agent Audit Logs, and Management Audit Logs.
    It does not support incidents (as a separate object) or raw telemetry.
  • Public API (Pull):
    QRadar can use the Cortex XDR REST API to retrieve more comprehensive data, including Incidents and Extra Incident Data.
  • Event Forwarding (Egress):
    To see "everything" (raw telemetry/EDR logs), you must use the Event Forwarding feature, which streams raw logs to cloud storage (e.g., AWS S3, Google Cloud Storage), where QRadar can then ingest them.
    This typically requires a Cortex XDR Pro per TB license.

2. Extension Version and Support:

The "Cortex XDR for QRadar" extension is listed on the IBM X-Force App Exchange, but the standard Technical Assistance Center (TAC) does not maintain the versioning details or the installer itself.

3. Syslog Format Compatibility (Cortex XDR 5.0+):

If you are running Cortex XDR 5.0 or newer, be aware of a significant architectural change regarding syslog:

  • Missing Incident ID:
    The incident (Case ID) field is no longer included in the "Alert Standard" CEF payload.
  • If your QRadar correlation rules rely on this field, you may need to use the "Alert Legacy" log format.
    Note that this format uses a CSV structure and may require custom parsing in QRadar.

4. Recommended Configuration Steps:

To configure standard direct alert forwarding:

  1. Configure Syslog Receiver:
    Navigate to:
    Settings → Configurations → Integrations → External Applications
    Add your QRadar server details.
  2. Notification Forwarding Rule:
    Navigate to:
    Settings → Configurations → Notifications → Notification Forwarding
  3. Data Selection:
    Create a rule selecting Alerts and/or Audit Logs to be sent to the QRadar receiver.
  4. Log Format:
    For out-of-the-box parsing in SIEMs, ensure the "Use Legacy Log Format" checkbox is unchecked, which defaults to Common Event Format (CEF).


If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
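The reply above points out that the "Alert Standard" CEF payload from Cortex XDR 5.0+ no longer carries the incident (case) ID, so a QRadar rule keyed on it silently stops matching. The following is an added example (not code from Palo Alto Networks, IBM or the poster) that parses CEF syslog lines with the generic CEF escaping rules and reports whether an incident ID is present. The sample lines are constructed, and the assumption that the ID arrives as a labelled custom string (`cs1Label`/`cs1`) is ours, not a documented Cortex XDR field mapping; adjust `incident_id` to the key your tenant actually emits.

```python
"""Parser for Cortex XDR-style CEF alerts delivered over syslog.

Added example for the thread above, not code from Palo Alto Networks, IBM or
the original poster. Header layout and escaping follow the generic CEF rules;
the sample lines are constructed, and treating the incident/case ID as a
labelled custom string (csNLabel/csN) is an assumption.
"""
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Backslash escapes allowed by CEF: '\\' and '\|' in the header,
# '\\', '\=', '\n' and '\r' in extension values.
_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}


def _unescape(text):
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), text)


def _split_header(body):
    """Return the seven header fields and the unparsed extension that follows."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped '|' or '\' inside a field
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":                           # unescaped pipe ends the field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, body[i:]


# A key is a run of non-space characters directly followed by an unescaped '='.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")


def _split_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict, decoding escapes."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one syslog line; any PRI/timestamp/host prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF body in line")
    fields, ext = _split_header(line[start:])
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    return {"header": header, "ext": _split_extension(ext.strip())}


def custom_fields(ext):
    """Resolve CEF custom fields (cs1Label=foo cs1=bar -> {'foo': 'bar'})."""
    labelled = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            labelled[label] = ext[key[:-len("Label")]]
    return labelled


def incident_id(parsed):
    """Return the incident/case ID if present, else None.

    Assumption: the ID is a labelled custom field whose label mentions
    'incident' or 'case'. None is what a QRadar rule keyed on the incident
    ID effectively sees from the 5.0+ 'Alert Standard' payload.
    """
    for label, value in custom_fields(parsed["ext"]).items():
        if re.search(r"incident|case", label, re.IGNORECASE):
            return value or None
    return None


# Constructed sample lines (not captured from a real tenant).
SAMPLE_WITH_INCIDENT = (
    "<13>Jan 10 12:00:00 xdr-tenant CEF:0|Palo Alto Networks|Cortex XDR|"
    "Cortex XDR 4.0|XDR Alert|Behavioral Threat|8|end=1704888000000 "
    "shost=WS-01 suser=CORP\\\\alice act=Detected (Reported) "
    "cs1Label=incidentId cs1=42 msg=Suspicious process a\\=b"
)
SAMPLE_WITHOUT_INCIDENT = (
    "<13>Jan 10 12:00:00 xdr-tenant CEF:0|Palo Alto Networks|Cortex XDR|"
    "Cortex XDR 5.0|XDR Alert|Behavioral Threat|8|end=1704888000000 "
    "shost=WS-01 suser=CORP\\\\alice act=Detected (Reported) "
    "msg=Suspicious process a\\=b"
)

if __name__ == "__main__":
    for line in (SAMPLE_WITH_INCIDENT, SAMPLE_WITHOUT_INCIDENT):
        parsed = parse_cef(line)
        print(parsed["header"]["device_version"], parsed["ext"]["shost"],
              "incident:", incident_id(parsed))
```

Run it against a few lines captured from your own receiver before writing correlation rules: if `incident_id` returns None for every 5.0+ alert, either switch the forwarding rule to the legacy format as the reply suggests, or correlate on the alert ID and pull the incident mapping through the API instead.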

Hi,

In the case of Cortex XDR in the cloud and QRadar inside a private network, such forwarding is hard to do.

Using the Universal Cloud REST API protocol; here are the workflow files:
https://github.com/iceMBD/Workflow-Palo-Alto-Cortex-XDR-Integration-for-IBM-QRadar/tree/main
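Both the "Public API (Pull)" method in the first reply and the Universal Cloud REST API workflow linked above rest on the same thing: QRadar authenticating to the tenant and paging through `get_incidents`. The block below is an added example (not code from Palo Alto Networks, IBM or either poster) of that pull in plain Python, using an "advanced" API key: each request carries a fresh nonce and timestamp and a SHA-256 over key+nonce+timestamp, so the key itself is never sent. The auth scheme and endpoint/body shape follow the public Cortex XDR API documentation; the tenant FQDN and the `fake_post` responder are constructed so the example runs offline.

```python
"""Pull Cortex XDR incidents over the public API with an 'advanced' API key.

Added example, not code from Palo Alto Networks, IBM or either poster. The
auth scheme (per-request nonce + timestamp, SHA-256 over key+nonce+timestamp,
key ID in x-xdr-auth-id) and the get_incidents endpoint and body follow the
public Cortex XDR API documentation; fake_post and the tenant FQDN are
constructed for offline demonstration.
"""
import hashlib
import json
import secrets
import string
import time
import urllib.request

PAGE_SIZE = 100  # get_incidents returns at most 100 incidents per call


def advanced_auth_headers(api_key, api_key_id, nonce=None, ts_ms=None):
    """Build per-request headers; the raw API key never leaves this function."""
    alphabet = string.ascii_letters + string.digits
    nonce = nonce or "".join(secrets.choice(alphabet) for _ in range(64))
    ts_ms = int(time.time()) * 1000 if ts_ms is None else ts_ms
    digest = hashlib.sha256(f"{api_key}{nonce}{ts_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(ts_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def incidents_body(search_from, modified_after_ms=None):
    """Request body for one page, optionally limited to incidents modified since a timestamp."""
    filters = []
    if modified_after_ms is not None:
        filters.append({"field": "modification_time", "operator": "gte",
                        "value": modified_after_ms})
    return {"request_data": {
        "filters": filters,
        "search_from": search_from,
        "search_to": search_from + PAGE_SIZE,
        "sort": {"field": "modification_time", "keyword": "asc"},
    }}


def http_post(url, headers, body):
    """Real transport; needs network access from QRadar to the tenant."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pull_incidents(fqdn, api_key, api_key_id, modified_after_ms=None, post=http_post):
    """Yield every incident, paging in PAGE_SIZE steps with fresh auth headers per call."""
    url = f"https://api-{fqdn}/public_api/v1/incidents/get_incidents/"
    offset = 0
    while True:
        reply = post(url, advanced_auth_headers(api_key, api_key_id),
                     incidents_body(offset, modified_after_ms))["reply"]
        batch = reply.get("incidents", [])
        yield from batch
        offset += len(batch)
        if not batch or offset >= reply.get("total_count", 0):
            return


def fake_post(url, headers, body):
    """Constructed stand-in for the tenant: 150 incidents, served 100 per page."""
    assert len(headers["x-xdr-nonce"]) == 64 and len(headers["Authorization"]) == 64
    rd = body["request_data"]
    ids = range(rd["search_from"], min(rd["search_to"], 150))
    return {"reply": {"total_count": 150, "result_count": len(ids),
                      "incidents": [{"incident_id": str(i)} for i in ids]}}


if __name__ == "__main__":
    got = list(pull_incidents("tenant.xdr.us.paloaltonetworks.com", "api-key",
                              7, modified_after_ms=1704888000000, post=fake_post))
    print(len(got), "incidents, last id", got[-1]["incident_id"])
```

Persist the highest `modification_time` you have ingested and pass it back as `modified_after_ms` on the next poll so QRadar only fetches what changed; and give the key the narrowest role the tenant allows, since whoever holds the key ID and secret can read every incident the role exposes.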
