Have you considered the API on your PA? Since the botnet report is a predefined report, you can pull it using the API with a URL like this: https://PA_FIREWALL_IP/api/?type=report&reporttype=predefined&reportname=botnet With that in play, all you have to do is have something pull that URL (need to add the API auth string to the request first) and change out the IP address with that of each of your firewall modules. As long as the server (QRadar) for example, is configured to read the XML responses, you can read and act as needed on the report results. You can pull the CSV's straight out as well - but that takes two requests - one to generate the report and the other to fetch the result. Cheers.
... View more