WE recently migrated from a A/V provider to now Cortex XDR. I am not seeing any way for these logs to be shipped to IDR. Is there a way to do this ?
Unfortunately, we do not support Cortex XDR yet, but happy to say that it is on our roadmap for this year.
When we have a better estimation delivery date, I will let you know.
Thanks much for the reply, I will noted that
we are using Cortex XDR as well and I was able to ship data from Cortex XDR to InsightIDR.
In Cortex XDR you can forward the logs to a Collector and on InsightIDR you can use the legacy Palo Alto Networks Traps TSM Event Source. It works, but of course it’s not well implemented. However, you can trigger your own alerts form the logs received if thats what you need.
Right now, Iam not forwarding Cortex XDR logs to InsightIDR anymore because it adds no real value for me, but this might change when Cortex XDR will be officially supported by InsightIDR.
FWIW, Cortex XDR is supported by InsightConnect for multiple types of response actions.
Are there any updates as for when the integration for Palo Alto Cortex XDR to Insight IDR will be ready?
Thanks in advance
Yes, Iam also interested if there is an updated timeline for this.
Is there a better estimation delivery date for this integration to ship Cortex XDR logs to IDR?
I’ve added a short update below on this topic. Let me know if you’ve any questions/thoughts.
We’ve kicked off engineering work to support Palo Alto data via syslog. We are aiming to support any Palo Alto products that flow into the data lake such as Cortex XDR, Prisma and Firewall Activity.
We are targeting to release syslog support for Palo Alto Data Lake within Q2 2022.
We are also hoping to introduce a native API integration with Palo Alto Data Lake in the future. However, this is not something engineering teams are actively working on right now.
Hi, any news here? Q2 22 is over, we don’t see native integration until now.
We now have a syslog integration for Palo Alto Cortex Data Lake live in Early Access. Palo Alto Cortex XDR logs flows into Data Lake so these will be pulled into InsightIDR through this event-source.
Let me know if you want to be added to this Early Access program!
thanks for your quick response. Yes pls, giv e us access to EAP
Are there any docs or guidance on setting up Data Cortex Data Lake event source?
The config looks fairly straightforward in the IDR console i.e. specify TCP/UDP and port number. Does anything need to be done on the IDR collector or Palo Alto side e.g. importing certs to establish TLS connection?
Can I be included on this Early Access as well? I’m from Palo Alto Networks and my customer is using IDR. I’m using the 30day eval to test the integration of our Cortex Data Lake to IDR and I’m stuck on TLS certificate error.
Happy to let you know we now have a Palo Alto Networks Cortex Data Lake syslog integration available in InsightIDR.
- This syslog integration will ingest data from products that flow into Palo Alto’s Cortex Data Lake which include, Palo Cortex XDR, Prisma & Firewall.
- You can set up the event source by navigating to Cloud Services on the Add Event Source page
- Documentation: Palo Alto Cortex Data Lake | InsightIDR Documentation
Hi @cathal_bergin4! Is shipping logs directly from Cortex XDR to IDR without Data Lake supported? We have Cortex XDR but no Data Lake, thus I’d like to ship the logs directly from Cortex XDR to the collector and have IDR parse those logs. Is it possible to do so when using the new Data Lake event source? The virus scan event source for “Palo Alto Networks Traps TSM” did’t parse the logs of Cortex XDR correctly as far as I remember.
Hey @RHolzer, unfortunately we don’t currently have a native method of ingesting these logs without going through the Data Lake.
However our team has done some initial investigation into supporting the Cortex XDR Incidents API if that would be helpful to you?
API Documentation: Get Incidents
hey guys I guess I am late to this party. I have been shipping my cortex xdr logs to the siem since 2019. in the XDR console (currently running v3.4) I just use the notifications and send via syslog to an on-prem syslog server (kiwi) and configure it to dump to a log then use an R7 to pick them up. the logs are formatted beautifully.
And so many sweet queries and dashboards from that, much thanks!!
According to Palo Alto, “Originally Cortex Data Lake was used for storage of XDR logs, but the architecture was changed a while back to where all XDR logs are now stored natively in XDR. Cortex Data Lake is now exclusively used for the storage of NGFW logs.”
So the Cortex Data Lake connector will not bring in Cortex XDR logs since they aren’t stored there anymore.
I have the syslog connector mentioned above, and the logs are parsed correctly, no special parsing rule needed. Seems like you should just go with that method instead of the data lake since it works out of the box.