Can Cortex XDR logs be shipped to IDR

Indeed. Agreed. Using the product as designed is your best option. Anything else is our own complication of the process or unrealistic expectations.

@mwhite is accurate: “I have the syslog connector mentioned above, and the logs are parsed correctly, no special parsing rule needed. Seems like you should just go with that method instead of the data lake since it works out of the box.”

So, what’s the best way to integrate Cortex XDR to IDR?

Hi @mpetrov, are you familiar with our XDR event source outlined here: Palo Alto Networks Cortex XDR Incidents | InsightIDR Documentation?

This allows your XDR Incidents to be integrated within IDR.

Is this what you are looking to achieve?

Actually, I integrated Cortex this way, but I don't quite understand the advantages of it. I mean, we don't get any valuable info about the alerts besides the incident URL.

I agree with mmur lazaro, the integration is lacking in usefulness (the API doesn’t pull enough information to conduct an investigation) and all it does is create duplicate alerts between Rapid7 and Cortex. I have been running it as-is for a few months but am considering changing all the alerts to notable events to prevent having to acknowledge alerts in two systems for the same event.
I would recommend still setting up the syslog connector, as it brings case evidence into Rapid7 which can be used in correlation rules or for investigations.