Can Cortex XDR logs be shipped to IDR

zeroproxy · May 5, 2021, 5:34pm

Good Day,
WE recently migrated from a A/V provider to now Cortex XDR. I am not seeing any way for these logs to be shipped to IDR. Is there a way to do this ?

mirela_smlatic · June 17, 2021, 3:45pm

Hey Kadeem,
good day!

Unfortunately, we do not support Cortex XDR yet, but happy to say that it is on our roadmap for this year.
When we have a better estimation delivery date, I will let you know.

Mirela

zeroproxy · June 17, 2021, 3:57pm

Thanks much for the reply, I will noted that

RHolzer · June 19, 2021, 6:06pm

Hi Kadeem,

we are using Cortex XDR as well and I was able to ship data from Cortex XDR to InsightIDR.

In Cortex XDR you can forward the logs to a Collector and on InsightIDR you can use the legacy Palo Alto Networks Traps TSM Event Source. It works, but of course it’s not well implemented. However, you can trigger your own alerts form the logs received if thats what you need.

Right now, Iam not forwarding Cortex XDR logs to InsightIDR anymore because it adds no real value for me, but this might change when Cortex XDR will be officially supported by InsightIDR.

Best regards
Robert

matthew_gardiner · July 1, 2021, 2:18pm

FWIW, Cortex XDR is supported by InsightConnect for multiple types of response actions.

richard_davidsson · March 1, 2022, 4:35pm

Hi Mirela,

Are there any updates as for when the integration for Palo Alto Cortex XDR to Insight IDR will be ready?

Thanks in advance
/Richard

RHolzer · March 17, 2022, 8:31am

Yes, Iam also interested if there is an updated timeline for this.

ilyaaz_noerkhan · April 19, 2022, 6:37pm

Hi Mirela,

Is there a better estimation delivery date for this integration to ship Cortex XDR logs to IDR?

cathal_bergin3 · April 20, 2022, 11:22am

Hi all,

I’ve added a short update below on this topic. Let me know if you’ve any questions/thoughts.

Current Status:
We’ve kicked off engineering work to support Palo Alto data via syslog. We are aiming to support any Palo Alto products that flow into the data lake such as Cortex XDR, Prisma and Firewall Activity.

Timelines:
We are targeting to release syslog support for Palo Alto Data Lake within Q2 2022.

Further Integrations:
We are also hoping to introduce a native API integration with Palo Alto Data Lake in the future. However, this is not something engineering teams are actively working on right now.

mpaprott · July 5, 2022, 1:31pm

Hi, any news here? Q2 22 is over, we don’t see native integration until now.
regards

cathal_bergin2 · July 5, 2022, 4:10pm

Hi @mpaprott,

We now have a syslog integration for Palo Alto Cortex Data Lake live in Early Access. Palo Alto Cortex XDR logs flows into Data Lake so these will be pulled into InsightIDR through this event-source.

Let me know if you want to be added to this Early Access program!

mpaprott · July 6, 2022, 5:42am

Hi @cathal_bergin2
thanks for your quick response. Yes pls, giv e us access to EAP

regards

Maik

jlee · July 12, 2022, 11:01pm

Hi @cathal_bergin2

Are there any docs or guidance on setting up Data Cortex Data Lake event source?

The config looks fairly straightforward in the IDR console i.e. specify TCP/UDP and port number. Does anything need to be done on the IDR collector or Palo Alto side e.g. importing certs to establish TLS connection?

cpascua · July 21, 2022, 2:47pm

Hi Cathal,

Can I be included on this Early Access as well? I’m from Palo Alto Networks and my customer is using IDR. I’m using the 30day eval to test the integration of our Cortex Data Lake to IDR and I’m stuck on TLS certificate error.

Thanks!

cathal_bergin4 · November 1, 2022, 11:15am

Hey all,

Happy to let you know we now have a Palo Alto Networks Cortex Data Lake syslog integration available in InsightIDR.

This syslog integration will ingest data from products that flow into Palo Alto’s Cortex Data Lake which include, Palo Cortex XDR, Prisma & Firewall.
You can set up the event source by navigating to Cloud Services on the Add Event Source page
Documentation: Palo Alto Cortex Data Lake | InsightIDR Documentation

RHolzer · November 3, 2022, 7:52am

Hi @cathal_bergin4! Is shipping logs directly from Cortex XDR to IDR without Data Lake supported? We have Cortex XDR but no Data Lake, thus I’d like to ship the logs directly from Cortex XDR to the collector and have IDR parse those logs. Is it possible to do so when using the new Data Lake event source? The virus scan event source for “Palo Alto Networks Traps TSM” did’t parse the logs of Cortex XDR correctly as far as I remember.

cathal_bergin5 · November 4, 2022, 11:19am

Hey @RHolzer, unfortunately we don’t currently have a native method of ingesting these logs without going through the Data Lake.

However our team has done some initial investigation into supporting the Cortex XDR Incidents API if that would be helpful to you?

API Documentation: Get Incidents

pete_jacob · November 29, 2022, 1:29pm

hey guys I guess I am late to this party. I have been shipping my cortex xdr logs to the siem since 2019. in the XDR console (currently running v3.4) I just use the notifications and send via syslog to an on-prem syslog server (kiwi) and configure it to dump to a log then use an R7 to pick them up. the logs are formatted beautifully.

SDavis · November 29, 2022, 4:49pm

And so many sweet queries and dashboards from that, much thanks!!

mwhite · December 7, 2022, 10:19pm

According to Palo Alto, “Originally Cortex Data Lake was used for storage of XDR logs, but the architecture was changed a while back to where all XDR logs are now stored natively in XDR. Cortex Data Lake is now exclusively used for the storage of NGFW logs.”

So the Cortex Data Lake connector will not bring in Cortex XDR logs since they aren’t stored there anymore.

I have the syslog connector mentioned above, and the logs are parsed correctly, no special parsing rule needed. Seems like you should just go with that method instead of the data lake since it works out of the box.