Palo Alto Networks Cortex XDR
Palo Alto Networks Cortex XDR is a detection and response solution that natively integrates network, endpoint, and cloud data to stop attacks. When you configure the Cortex XDR API, you can start to send events to InsightIDR.
The event types that InsightIDR can parse from this event source are alerts from threat events for the Cloud Connection method, and incidents from the Collector method. You can read more about Cortex XDR incidents in the Palo Alto Cortex XDR documentation.
There are two ways to send data from your Palo Alto Networks Cortex XDR account to InsightIDR: event collection through the Cloud or through an on-premises Rapid7 Collector.
To set up Palo Alto Networks Cortex XDR:
- Read the requirements and complete any prerequisite steps.
- Configure Palo Alto Networks Cortex XDR to send data to InsightIDR.
- Configure InsightIDR to collect data from the event source.
- Test the configuration.
You can also:
Visit the third-party vendor's documentation
For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.
Requirements
Before you start the configuration, you’ll need access to an account that can set up Cortex XDR for integration. For more information, see: https://docs.paloaltonetworks.com/iot/iot-security-integration/endpoint-protection/set-up-cortex-xdr-for-integration
If you have any questions about accessing your account, we advise you to contact Palo Alto Networks directly. As an account holder, you can retrieve the API Key and ID (API Key ID) to complete the configuration.
Configure Palo Alto Cortex XDR to send data to InsightIDR
To send Cortex XDR data to InsightIDR, you need an API URL, ID, Security Level, and API Key. You can record these in a temporary text file, because you will need them to set up the event source in InsightIDR.
To get credentials from Palo Alto Networks:
- In your Cortex XDR environment, sign into the Management Console as an admin-level user.
- Go to Settings > Configurations > Integrations > API Keys.
- Select + New Key.
- Choose Advanced API Key type.
- Select Deployment Admin in Role.
- Click Generate.
- Ensure that you store the API key in an accessible location because it cannot be retrieved once the window is closed.
- Click Done.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
Task 1: Select Palo Alto Networks Cortex XDR
- Go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Palo Alto Networks Cortex XDR in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Cortex XDR event source tile.
Task 2: Set up your collection method
There are two methods of collecting data from Cortex XDR: through a Cloud Connection (recommended) or through a Collector.
New credentials are required for cloud event sources
You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.
Use the Cloud Connection method (recommended)
- In the Add Event Source panel, select Run On Cloud.
- Name the event source. This will become the name of the log that contains the event data in Log Search.
- Optionally, select the option to send unparsed data.
- Connect to Cortex XDR by selecting an existing connection or click Add a New Connection:
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the URL, ID (API Key ID), and Security Level fields, enter the information that you obtained in the previous section, Configure Cortex XDR to send data to InsightIDR. These can also be retrieved from the Cortex XDR portal in Settings > Configurations> API Keys. You can click Copy API URL to copy the URL to your clipboard.
- In Credentials, in the Select Credential field, enter the API Key. Select Current Product or Platform.
- Click Save & Test Connection.
- Optionally, you can provide a Java-style regex filter to exclude any unwanted data.
- Click Save.
Use the Collector method
- In the Add Event Source panel, select Run On Collector.
- Name the event source. This will be the name of the log that contains the event data in Log Search.
- Select a Collector.
- Optionally, choose to send unparsed data.
- Provide a Fully Qualified Domain Name, to attribute users and assets.
- Select an existing credential or create a new credential:
- Click Create New.
- Specify a name for the credential.
- Enter the ID (API Key ID).
- Enter the Password.
- Optionally, you can provide a Java-style regex filter to exclude any unwanted data.
- Click Save.
Test the configuration
The event types that InsightIDR parses from this event source are alerts from threat events (using the Cloud Connection method) and incidents (using the Collector method).
To test that event data is flowing into InsightIDR:
- From the Data Collection Management page, open the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
- Wait approximately 7 minutes, then open Log Search.
Next, verify that log entries are appearing in Log Search:
- From the left menu, go to Log Search.
- In the Log Search filter panel, search for the event source you named in Configure InsightIDR to collect data from the event source. Cortex XDR logs should flow into the Third Party Alert log set.
- Select the log set and the logs within them.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.
Sample logs
In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set Third Party Alert. Here are typical raw log entries that are created by the event source:
Sample alert log
JSON
1{2"reply": {3"total_count": 20834,4"result_count": 1,5"alerts": [6{7"agent_os_sub_type": "6.3.9600",8"fw_app_category": null,9"fw_app_id": null,10"fw_app_subcategory": null,11"fw_app_technology": null,12"causality_actor_process_command_line": null,13"causality_actor_process_image_md5": null,14"causality_actor_process_image_name": null,15"causality_actor_process_image_path": null,16"causality_actor_process_image_sha256": null,17"causality_actor_process_signature_status": "N/A",18"causality_actor_process_signature_vendor": null,19"causality_actor_causality_id": null,20"identity_sub_type": null,21"identity_type": null,22"operation_name": null,23"project": null,24"cloud_provider": null,25"referenced_resource": null,26"resource_sub_type": null,27"resource_type": null,28"cluster_name": null,29"container_id": null,30"contains_featured_host": "NO",31"contains_featured_ip": "NO",32"contains_featured_user": "NO",33"action_country": "UNKNOWN",34"fw_interface_to": null,35"dns_query_name": null,36"agent_device_domain": "attractions.disney.com",37"fw_email_recipient": null,38"fw_email_sender": null,39"fw_email_subject": null,40"event_type": null,41"is_whitelisted": false,42"action_file_macro_sha256": null,43"action_file_md5": null,44"action_file_name": null,45"action_file_path": null,46"action_file_sha256": null,47"fw_device_name": null,48"fw_rule_id": null,49"fw_rule": null,50"fw_serial_number": null,51"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",52"mac": "00:50:56:bb:34:34,00:50:56:bc:bc:2f",53"agent_os_type": "Windows",54"image_name": null,55"actor_process_image_name": "10.91.72.115",56"actor_process_command_line": null,57"actor_process_image_md5": null,58"actor_process_image_path": null,59"actor_process_os_pid": null,60"actor_process_image_sha256": null,61"actor_process_signature_status": "N/A",62"actor_process_signature_vendor": null,63"actor_thread_thread_id": null,64"fw_is_phishing": "N/A",65"action_local_ip": null,66"action_local_port": null,67"fw_misc": null,68"mitre_tactic_id_and_name": "TA0007 - Discovery",69"mitre_technique_id_and_name": "T1012 - Query Registry",70"module_id": "Behavioral Threat Protection",71"fw_vsys": null,72"os_actor_process_command_line": null,73"os_actor_thread_thread_id": null,74"os_actor_process_image_name": null,75"os_actor_process_os_pid": null,76"os_actor_process_image_sha256": null,77"os_actor_process_signature_status": "N/A",78"os_actor_process_signature_vendor": null,79"os_actor_effective_username": null,80"action_process_signature_status": "N/A",81"action_process_signature_vendor": null,82"action_registry_data": null,83"action_registry_full_key": null,84"action_external_hostname": null,85"action_remote_ip": "10.71.62.215",86"action_remote_port": null,87"matching_service_rule_id": null,88"fw_interface_from": null,89"starred": false,90"action_process_image_command_line": null,91"action_process_image_name": null,92"action_process_image_sha256": null,93"fw_url_domain": null,94"user_agent": null,95"fw_xff": null,96"alert_domain": "DOMAIN_SECURITY",97"external_id": "7c96737d50f74c7b9487450426e9eafb",98"severity": "high",99"matching_status": "MATCHED",100"end_match_attempt_ts": null,101"local_insert_ts": 1706539597503,102"last_modified_ts": 1706539706370,103"bioc_indicator": null,104"attempt_counter": 0,105"bioc_category_enum_key": null,106"case_id": 391722,107"deduplicate_tokens": null,108"filter_rule_id": null,109"agent_version": "8.1.0.42616",110"agent_ip_addresses_v6": null,111"agent_data_collection_status": false,112"agent_is_vdi": false,113"agent_install_type": "STANDARD",114"agent_host_boot_time": null,115"event_sub_type": null,116"association_strength": 50,117"dst_association_strength": null,118"story_id": null,119"event_id": null,120"event_timestamp": 1706540499609,121"actor_process_instance_id": null,122"actor_process_causality_id": null,123"actor_causality_id": null,124"causality_actor_process_execution_time": null,125"action_registry_key_name": null,126"action_registry_value_name": null,127"action_local_ip_v6": null,128"action_remote_ip_v6": null,129"action_process_instance_id": null,130"action_process_causality_id": null,131"os_actor_process_instance_id": null,132"os_actor_process_image_path": null,133"os_actor_process_causality_id": null,134"os_actor_causality_id": null,135"dst_agent_id": null,136"dst_causality_actor_process_execution_time": null,137"dst_action_external_hostname": null,138"dst_action_country": null,139"dst_action_external_port": null,140"is_pcap": false,141"image_id": null,142"container_name": null,143"namespace": null,144"alert_type": "Unclassified",145"resolution_status": "STATUS_020_UNDER_INVESTIGATION",146"resolution_comment": null,147"dynamic_fields": null,148"tags": "DS:PANW/XDR Agent",149"malicious_urls": null,150"dss_job_title": null,151"dss_department": null,152"dss_country": null,153"dss_groups": null,154"alert_id": "50023290705",155"detection_timestamp": 1706540499609,156"name": "Behavioral Threat",157"category": "Malware",158"endpoint_id": "866d9341c27a4df389b246d977d216ec",159"description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",160"host_ip": "10.71.62.2,10.71.62.5",161"host_name": "hostname",162"source": "XDR Agent",163"action": "REPORTED",164"action_pretty": "Detected (Reported)",165"user_name": null,166"events_length": 1,167"original_tags": "DS:PANW/XDR Agent"168}169]170}171}
Sample incidents log
JSON
1{2"incident":{3"incident_id":"1",4"incident_name":null,5"creation_time":1621448873194,6"modification_time":1621448873194,7"detection_time":null,8"status":"new",9"severity":"high",10"description":"'Behavioral Threat' generated by XDR Agent detected on host msedgewin10 involving user ieuser",11"assigned_user_mail":null,12"assigned_user_pretty_name":null,13"alert_count":1,14"low_severity_alert_count":0,15"med_severity_alert_count":0,16"high_severity_alert_count":1,17"user_count":1,18"host_count":1,19"notes":null,20"resolve_comment":null,21"manual_severity":null,22"manual_description":null,23"xdr_url":"https://example.xdr.us.paloaltonetworks.com/incident-view/1",24"starred":false,25"hosts":[26"examplehost:0123456abcdef12345abcde12345abcd"27],28"users":[29"exampleuser"30],31"incident_sources":[32"XDR Agent"33],34"rule_based_score":null,35"manual_score":null36}37}