Palo Alto Networks Cortex XDR Incidents

Palo Alto Networks Cortex XDR is a detection and response solution that natively integrates network, endpoint, and cloud data to stop attacks. You can configure Palo Alto Cortex XDR to send events to InsightIDR to generate third-party alerts.

Assets and alerts from threat events are gathered to create Incidents. You can read more about Cortex XDR Incidents at: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-incidents/cortex-xdr-incidents.html

To set up Palo Alto Networks Cortex XDR Incidents, you’ll need to:

  1. Review the requirements
  2. Retrieve an API Key and an API Key ID from Palo Alto Networks Cortex XDR
  3. Set up the Palo Alto Networks Cortex XDR Incidents event source in InsightIDR
  4. Verify the configuration works

Requirements

To complete the tasks outlined in this article, you’ll need access to an account that can set up Palo Alto Networks Cortex XDR for integration. For more information, see: https://docs.paloaltonetworks.com/iot/iot-security-integration/endpoint-protection/set-up-cortex-xdr-for-integration

If you have any questions about accessing your account, contact Palo Alto Networks directly. As an account holder, you can retrieve the API Key and API Key ID needed to complete the configuration.

Retrieve an API Key and an API Key ID from Palo Alto Networks Cortex XDR

To authenticate Palo Alto Networks Cortex XDR Incidents, you need an API Key and an API Key ID. The API Key is a secret that grants access to your Cortex XDR tenant: when you create it, choose the least-privileged role that can read incidents, record the two values only in a temporary file while you set up the event source in InsightIDR, and delete that file once the credential is saved.

To retrieve your API key and API Key ID, follow Palo Alto's documentation at: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.html

Configure InsightIDR to collect data from the event source

After you have retrieved the API Key and API Key ID, add the event source in InsightIDR. InsightIDR uses these credentials and the API address you enter below to pull incidents from your Cortex XDR tenant.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Palo Alto Networks Cortex XDR in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Palo Alto Networks Cortex XDR event source tile.
  4. Choose your collector and event source type.
  5. Enter the name of your event source.
  6. Optionally, choose to send unparsed data.
  7. Enter the API address of your Cortex XDR tenant. This is the address shown in your browser on the Cortex XDR dashboard with api- prefixed to the host name, so it always begins with https://api-. For example, if your dashboard is at https://example.xdr.us.paloaltonetworks.com, enter https://api-example.xdr.us.paloaltonetworks.com. Enter only the scheme and host, with no path.
  8. Select your existing credentials or, optionally, create a new credential. If you’re creating a new credential, enter the API Key and API Key ID you created in Palo Alto Networks Cortex XDR.
  9. Click Save.
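The steps above only say what to type into InsightIDR. The following added example (not Rapid7's or Palo Alto Networks' code) shows what those values are used for: deriving the api- address from the dashboard URL, checking that a step 7 value is well formed, building the request headers for the Cortex XDR API, and assembling a get_incidents request. The endpoint path, header names and the advanced-key hash are taken from Palo Alto Networks' public Cortex XDR API documentation linked earlier on this page rather than from this page itself, so confirm them there before relying on the code.

```python
"""Cortex XDR API plumbing behind the InsightIDR event source fields.

Added illustration, not Rapid7's or Palo Alto Networks' own code.  Endpoint
path, header names and the advanced-key signature are assumptions taken from
Palo Alto Networks' public Cortex XDR API docs; verify against those docs.
"""
import hashlib
import secrets
import string
import time
from typing import Optional
from urllib.parse import urlsplit

INCIDENTS_PATH = "/public_api/v1/incidents/get_incidents/"   # assumed from PAN API docs


def api_base_from_dashboard_url(dashboard_url: str) -> str:
    """Step 7 rule: the API address is the dashboard host with 'api-' in front."""
    parts = urlsplit(dashboard_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("dashboard URL must look like https://<host>")
    host = parts.hostname.lower()
    if host.startswith("api-"):
        return f"https://{host}"            # already the API host, leave it alone
    return f"https://api-{host}"


def validate_api_base(api_base: str) -> str:
    """Check a step 7 value: https, host starting with 'api-', nothing else.
    Returns the normalised base URL or raises ValueError."""
    parts = urlsplit(api_base.strip())
    if parts.scheme != "https":
        raise ValueError("API address must use https://")
    if parts.username or parts.password or parts.port:
        raise ValueError("API address must not carry credentials or a port")
    host = (parts.hostname or "").lower()
    if not host.startswith("api-") or host == "api-":
        raise ValueError("API address host must begin with 'api-'")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("enter only the scheme and host, no path or query")
    return f"https://{host}"


def is_valid_api_base(api_base: str) -> bool:
    try:
        validate_api_base(api_base)
        return True
    except ValueError:
        return False


def advanced_signature(api_key: str, nonce: str, timestamp_ms: int) -> str:
    """Advanced keys: Authorization carries sha256(key + nonce + timestamp),
    so the key itself never leaves the caller (assumed from PAN API docs)."""
    return hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()


def build_auth_headers(api_key_id: int, api_key: str, advanced: bool = False,
                       nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> dict:
    """Headers for one Cortex XDR API call.  A standard key is sent verbatim;
    an advanced key is replaced by a per-request nonce, timestamp and hash."""
    headers = {"x-xdr-auth-id": str(api_key_id), "Content-Type": "application/json"}
    if not advanced:
        headers["Authorization"] = api_key
        return headers
    alphabet = string.ascii_letters + string.digits
    nonce = nonce or "".join(secrets.choice(alphabet) for _ in range(64))
    timestamp_ms = timestamp_ms or int(time.time()) * 1000
    headers.update({
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": advanced_signature(api_key, nonce, timestamp_ms),
    })
    return headers


def get_incidents_request(api_base: str, since_ms: int,
                          page: int = 0, page_size: int = 100) -> tuple:
    """URL and JSON body asking for incidents modified at or after since_ms,
    oldest first, one page of page_size at a time (fields assumed from PAN docs)."""
    url = validate_api_base(api_base) + INCIDENTS_PATH
    body = {"request_data": {
        "filters": [{"field": "modification_time", "operator": "gte", "value": since_ms}],
        "search_from": page * page_size,
        "search_to": (page + 1) * page_size,
        "sort": {"field": "modification_time", "keyword": "asc"},
    }}
    return url, body


if __name__ == "__main__":
    base = api_base_from_dashboard_url("https://example.xdr.us.paloaltonetworks.com")
    print(base)
    print(build_auth_headers(7, "EXAMPLE-KEY", advanced=True))   # key never appears
    print(get_incidents_request(base, since_ms=1621448873194))
```

Polling from the last modification_time seen, rather than creation_time, is what lets a collector pick up status and severity changes to incidents it has already ingested; the page size and filter field names above are the ones documented by Palo Alto Networks and are not InsightIDR's internal settings.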

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On the new event source that was just created, click View Raw Log. If you see log messages in the box, then this indicates that logs are flowing to the Collector.
  2. In the left menu, click Log Search.
  3. Select the applicable log sets and within the sets, select the log names. The log name will be “Palo Alto Networks Cortex XDR Incidents” by default, if you chose not to rename it. Palo Alto Networks Cortex XDR incident logs will flow into this log set.

If you see log messages when you select View Raw Log on the event source but none appear in Log Search after a few minutes, the collector is receiving data but the messages do not match the format this event source expects (a JSON object with an incident record like the sample below), so they are not parsed into the log set.

Sample Logs

JSON

{
  "incident": {
    "incident_id": "1",
    "incident_name": null,
    "creation_time": 1621448873194,
    "modification_time": 1621448873194,
    "detection_time": null,
    "status": "new",
    "severity": "high",
    "description": "'Behavioral Threat' generated by XDR Agent detected on host msedgewin10 involving user ieuser",
    "assigned_user_mail": null,
    "assigned_user_pretty_name": null,
    "alert_count": 1,
    "low_severity_alert_count": 0,
    "med_severity_alert_count": 0,
    "high_severity_alert_count": 1,
    "user_count": 1,
    "host_count": 1,
    "notes": null,
    "resolve_comment": null,
    "manual_severity": null,
    "manual_description": null,
    "xdr_url": "https://example.xdr.us.paloaltonetworks.com/incident-view/1",
    "starred": false,
    "hosts": [
      "examplehost:0123456abcdef12345abcde12345abcd"
    ],
    "users": [
      "exampleuser"
    ],
    "incident_sources": [
      "XDR Agent"
    ],
    "rule_based_score": null,
    "manual_score": null
  }
}
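The sample above shows the shape of one incident record, and the verification section says that a raw log which does not match this shape never reaches Log Search. The following added example (not part of this page, and not Rapid7's parser) does the two things a practitioner wants when troubleshooting that: it checks whether a raw log line has the expected shape, and it flattens a matching record into the fields an analyst searches on, splitting the hostname:agent-id entries and turning the epoch-millisecond timestamps into UTC time. The sample input is constructed from the page's example; the set of required fields, and the rule that an analyst-set manual_severity overrides severity, are assumptions.

```python
"""Shape check and normaliser for Cortex XDR incident records.

Added illustration, not Rapid7's or Palo Alto Networks' own code.  SAMPLE_LOG
is constructed from the sample on this page; REQUIRED and the manual_severity
override rule are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed from the page's sample record (not captured from a live tenant).
SAMPLE_LOG = json.dumps({"incident": {
    "incident_id": "1", "incident_name": None,
    "creation_time": 1621448873194, "modification_time": 1621448873194,
    "detection_time": None, "status": "new", "severity": "high",
    "description": "'Behavioral Threat' generated by XDR Agent detected on host "
                   "msedgewin10 involving user ieuser",
    "alert_count": 1, "low_severity_alert_count": 0,
    "med_severity_alert_count": 0, "high_severity_alert_count": 1,
    "user_count": 1, "host_count": 1, "manual_severity": None,
    "xdr_url": "https://example.xdr.us.paloaltonetworks.com/incident-view/1",
    "starred": False,
    "hosts": ["examplehost:0123456abcdef12345abcde12345abcd"],
    "users": ["exampleuser"], "incident_sources": ["XDR Agent"],
}})

# Fields assumed necessary for the record to be useful; adjust to taste.
REQUIRED = ("incident_id", "creation_time", "modification_time",
            "status", "severity", "description")

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def matches_expected_format(raw: str) -> tuple:
    """Return (ok, reason).  A line failing here shows up in View Raw Log
    but would not be parsed into the incident log set."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"not JSON: {exc}"
    inc = doc.get("incident") if isinstance(doc, dict) else None
    if not isinstance(inc, dict):
        return False, "missing top-level 'incident' object"
    missing = [f for f in REQUIRED if f not in inc]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    return True, "ok"


def epoch_ms_to_iso(ms):
    """Epoch milliseconds (as in creation_time) to an ISO-8601 UTC string.
    Integer arithmetic so the millisecond is exact; None stays None."""
    if ms is None:
        return None
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = dt.replace(microsecond=(ms % 1000) * 1000)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def split_host(entry: str) -> dict:
    """hosts[] entries are '<hostname>:<agent id>'; tolerate a bare hostname."""
    name, _, agent = entry.partition(":")
    return {"hostname": name, "agent_id": agent or None}


def normalize_incident(raw: str) -> dict:
    """Flatten one incident record into the fields an analyst searches on."""
    ok, reason = matches_expected_format(raw)
    if not ok:
        raise ValueError(reason)
    inc = json.loads(raw)["incident"]
    return {
        "incident_id": str(inc["incident_id"]),
        "created": epoch_ms_to_iso(inc["creation_time"]),
        "modified": epoch_ms_to_iso(inc["modification_time"]),
        "status": inc["status"],
        # Assumption: an analyst-set manual_severity takes precedence.
        "severity": inc.get("manual_severity") or inc["severity"],
        "description": inc["description"],
        "hosts": [split_host(h) for h in inc.get("hosts") or []],
        "users": list(inc.get("users") or []),
        "sources": list(inc.get("incident_sources") or []),
        "alert_count": inc.get("alert_count", 0),
        "url": inc.get("xdr_url"),
    }


def needs_triage(record: dict, min_severity: str = "high") -> bool:
    """True for incidents nobody has picked up yet at or above min_severity."""
    rank = SEVERITY_RANK.get(str(record["severity"]).lower(), -1)
    return record["status"] == "new" and rank >= SEVERITY_RANK[min_severity]


if __name__ == "__main__":
    print(matches_expected_format('{"alert": {}}'))
    rec = normalize_incident(SAMPLE_LOG)
    print(json.dumps(rec, indent=2), "needs triage:", needs_triage(rec))
```

The shape check deliberately reports which required field is missing rather than just failing, since the usual cause of "visible in View Raw Log, absent from Log Search" is a record that is valid JSON but not the incident object this event source parses.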