Insight IDR ingesting Palo Alto Cortex Data Lake data via API

I am having a tough time understanding this documentation, and am curious if anyone else had had even partial success with it. I know it is new.

New API Collection Method now available as of January 2023

We’ve released an API option for our Palo Alto Data Lake event source.
https://docs.rapid7.com/insightidr/palo-alto-cortex-data-lake/#New-API-Collection-Method-now-available-as-of-January-2023

1 Like

You should ignore this setup page, it will not work as Corex XDR does not send logs to the data lake anymore. I would recommend setting up two ingestions for Cortex XDR data:

  • Ask to join the Beta for the new Cortex XDR API ingestion, this one will be used by the SOC to monitor Cortex events. If they give you access to the beta, the icon to setup will show up under ‘Third Party Alerts’ area when adding a new data source
  • I would recommend also setting up log ingestion via syslog from Cortex XDR. This one can be configured by going to ‘Virus Scan’ → ‘Palo Alto Networks TRAPS TSM’.
    The reason I suggest also doing the syslog from Cortex XDR is the syslog pulls in more relevant data for alerting and log search than the current API. I prefer to use the syslog data over the API data.

Not sure why Rapid7 hasn’t updated the documentation regarding Cortex Data Lake.

Palo Alto has placed (unreasonable) barriers to access their CDL API - https://pan.dev/cdl/api/log-forwarding/

Outlining the CDL API as a viable option for log ingestion is misleading from Rapid7 and extremely confusing.

Hi all,

Our team is in the process of removing this option from our documentation - Apologies for the any confusion caused by this.