Procedures for Integrating SLS and Cortex XDR

Integrating Strata Logging Service (SLS) with Cortex XDR allows the XDR platform to ingest and correlate detection data from Palo Alto Networks products (like NGFW or Prisma Access) that are already logging to an existing SLS instance (formerly known as Cortex Data Lake or CDL).

Prerequisites:

Before beginning the integration, ensure the following requirements are met:

• Licensing: You must have a Cortex XDR Pro per GB license enabled.
• Permissions: You must hold Super User permissions for your Customer Support Portal (CSP) account.
• Regional Alignment: The Cortex XDR tenant and the SLS/CDL instance must be provisioned in the exact same geographical region (e.g., both in US or both in EU). A region mismatch will prevent the SLS instance from being visible in the XDR console.

Integration Steps:

To configure the connection between SLS and Cortex XDR, follow these steps in the management console:

1. Log in to your Cortex XDR Management Console.
2. Navigate to:
   Settings → Configurations → Data Collection → Collection Integrations
   • Note: In some newer tenants migrated to Cloud Logging Collection, the path may be Data Collection → Data Sources instead.
3. Locate the Strata Logging Service section and click Add Instance.
4. Select Data Lake Instance.
5. Select the existing Strata Logging Service instances you wish to connect to this tenant.
6. Save the configuration.

Verification:

Once configured, you can verify the status of the integration:

• Visual Confirmation: A green check mark will appear underneath the Strata Logging Service configuration once events begin to flow into the tenant.
• Querying Data: You can use XQL Search to confirm data presence by querying the xdr_data dataset.
• Firewall CLI: On the firewall side, you can use the following command to confirm the connection status to the logging service:

• Technical Support (TAC): Assists with "break/fix" issues where an existing configuration is not working as expected.
• Sales Engineer (SE) or Account Team: Contact for guidance on new implementations, architectural designs, or complex multi-tenant/multi-account configurations.
• Professional Services: Recommended for in-depth setup assistance or creating specific parsing rules.

Important Note for New Tenants:

If you are using a new tenant, Cortex XDR now supports direct integration (via the Cloud Logging Collection Service or CLCS) where firewalls and Panorama send logs directly to Cortex XDR without requiring a separate manual SLS/CDL setup. This is often the default for new activations.