08-27-2021 08:31 AM
Hey everyone,
First time poster. We just rolled out XDR and having some issues getting data into Splunk. The Splunk TA App says it does not support Syslog, but there is loads of documentation for getting agent logs, alerts, management logs sent to Splunk. It seems there may be a disconnect between the DEV's for the APP and Product Management. Has anyone successfully parsed this data? Right now the only thing we are seeing in the API is INC and there are no mappings for CIM data (Which the documentation also says it has support for)
Introduction · GitBook (paloaltonetworks.com)
Cortex XDR is supported starting with App/Add-on 7.0.0.
Cortex XDR incidents are cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API (syslog not supported).
Splunk Enterprise Security · GitBook (paloaltonetworks.com)
(Looking at you malware)
Common Information Model (CIM) Compliance
The Palo Alto Networks Add-on is fully compliant with the Common Information Model (CIM) provided by Splunk to normalize data fields. This table indicates the CIM datamodels and tags that apply to Palo Alto Networks data.
CIM Datamodel Tags Palo Alto Networks Eventtypes
| Change Analysis | change | pan_config |
| email, filter | pan_email | |
| Intrusion Detection | ids, attack | pan_threat |
| Malware | malware, attack, operations | pan_malware_attacks, pan_malware_operations, pan_wildfire |
| Network Sessions | network, session, start, end | pan_traffic_start, pan_traffic_end |
| Network Traffic | network, communicate | pan_traffic |
| Web | web, proxy | pan_url |
08-31-2021 07:12 AM
Hi. If you are using the latest app it work by polling the data via the api and stores in as sourcetype pan:xdr_incident. The data is normalized to be CIM compliant. You can configure you Splunk to use the API by selecting the Add On and then creating a new input. This requires setting up the API ID/Key inside XDR to be used to poll the data.
09-01-2021 04:34 AM
I already have done this... there is too little information in the Incident to even be considered an alert.
None of the API data is being tagged for an event. Take the following for example:
{"incident_id": "6969696", "incident_name": null, "creation_time": 1630475896376, "modification_time": 1630493807149, "detection_time": null, "status": "new", "severity": "medium", "description": "4 'WildFire Malware' alerts prevented by XDR Agent on host foobar involving user foo\\bar", "assigned_user_mail": null, "assigned_user_pretty_name": null, "alert_count": 4, "low_severity_alert_count": 0, "med_severity_alert_count": 4, "high_severity_alert_count": 0, "user_count": 1, "host_count": 1, "notes": null, "resolve_comment": null, "manual_severity": null, "manual_description": null, "xdr_url": "https://foobar.xdr.us.paloaltonetworks.com, "users": ["foo\\bar"], "incident_sources": ["XDR Agent"], "rule_based_score": null, "manual_score": null, "wildfire_hits": 1, "alerts_grouping_status": "Enabled", "mitre_techniques_ids_and_names": null, "mitre_tactics_ids_and_names": null, "alert_categories": ["Malware"]}
This should be tagged for Malware Data model, but since there is no action field or tags it doesn't.
See attached... It flat out fails even the most basic checks.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
