Palo Alto Cortex XDR Source

The Palo Alto Cortex XDR Source provides a secure endpoint to receive alerts from the Get Alerts Incident Management API. It securely stores the required authentication, scheduling, and state tracking information.

By using the Cortex XDR Source Integration, you can easily access and analyze data from multiple sources, enabling you to quickly identify and respond to potential threats. This Source offers you with a centralized view of security events, allowing you to correlate data from various sources and gain deeper insights into security incidents.

The Cortex XDR Source Integration is a valuable Source for security teams that want to enhance their threat detection capabilities and streamline their incident response process. It helps you to effectively monitor your security posture, identify threats in real-time, and respond quickly to potential attacks.

Data sources

The Palo Alto Cortex XDR Integration ingests two types of Data Sources:

Cortex XDR Get Alerts API. It is an endpoint that allows you to retrieve alert data from the Cortex XDR Get Alerts API. Alerts are generated by the Cortex XDR application when it detects potential threats on an organization's network, endpoints, or cloud infrastructure. These alerts contain detailed information about the detected threat, including the type of threat, the affected system or device, and the severity level.
Cortex XDR Get Incidents API. It is an endpoint that allows you to retrieve incident data from the Cortex XDR Get Incidents API. Incidents are created by the Cortex XDR application when multiple related alerts are detected, indicating a potential attack or security incident.

The integration consumes alert data by default and provides the option to select incident data. The polling interval is set for 600 seconds by default; you can adjust it based on your needs.

Metadata Fields

Metadata fields will be set, if the integration is configured with the SIEM forward option. See Metadata Fields table below:

Fields	Value
`_siemVendor`	Palo Alto Networks
`_siemProduct`	Cortex XDR
`_siemFormat`	JSON
`_siemEventID`	{category}

States

A Palo Alto Cortex XDR Source tracks errors, reports its health, and start-up progress. You’re informed, in real-time, if the Source is having trouble connecting, if there's an error requiring user action, or if it is healthy and collecting by utilizing Health Events.

A Palo Alto Cortex XDR Source goes through the following states when created:

Pending. Once the Source is submitted, it is validated, stored, and placed in a Pending state.
Started. A collection task is created on the Hosted Collector.
Initialized. The task configuration is complete in Sumo Logic.
Authenticated. The Source successfully authenticated with Palo Alto Cortex XDR.
Collecting. The Source is actively collecting data from Palo Alto Cortex XDR.

If the Source has any issues during any one of these states, it is placed in an Error state. When you delete the Source, it is placed in a Stopping state. When it has successfully stopped, it is deleted from your Hosted Collector.

On the Collection page, the Health and Status for Sources is displayed. Use Health Events to investigate issues with collection.
Cortex XDR error.png

Hover your mouse over the status icon to view a tooltip with a count of the detected errors and warnings.

You can click on the status icon to open a Health Events panel with details on each detected issue.

Setup & Configuration

In this configuration, you will set up a Cortex XDR source account and configure it to be authorized and authenticated to use device logs and alerts from the Cortex XDR API. The Palo Alto Cortex XDR Source requires you to provide an API Key, API Key ID, and an FQDN (excluding protocol and trailing slash). These are needed to use the Cortex XDR API.

Getting Cortex XDR API key

To authenticate to the Cortex XDR APIs, follow the steps below:

Access the Cortex XDR application.
Enter your login credentials, including your email ID and password, to log in. You will be directed to the application dashboard.
On the left-hand panel of the dashboard, locate the Settings option and click on it. Then select Configurations.
In the Configurations panel, navigate to the Integrations option and select API keys.
Click button to add a new API key.
You will be directed to a page to generate the key. Fill in the required information, then click Save.
info
Make sure to assign the API key the Standard security level.
Copy the generated API key and save it to your personal folder for later use when creating the Cortex XDR source.
Click Close to exit the API keys configuration panel.

Getting Cortex XDR API ID

Once you have obtained the API key, you can retrieve the associated API ID.
To do so, navigate to the API keys page, where you can view all of the created APIs. Your API ID can be found next to the API key you generated.

Getting Cortex XDR FQDN

Once you have obtained the API key and ID, the next step is to retrieve your FQDN.
Navigate to the API Keys page where you can view all the APIs you have created. Right-click on the API ID you have generated and select View Examples from the options that appear. From the API keys page, you can see all the APIs created. Right click on the API ID you have generated, click View Examples from the options that appear.
The API Example window will appear, and your FQDN can be found in the Curl example that starts from sumologic-partner.xdr.us.paloaltonetworks.com

note

To learn more about the Cordex XDR APIs, refer to the Get Started with Cortex XDR APIs section.

Create a Palo Alto Cortex XDR Source

When you create a Palo Alto Cortex XDR Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.

To configure a Palo Alto Cortex XDR Source:

In Sumo Logic, select Manage Data > Collection > Collection.
On the Collectors page, click Add Source next to a Hosted Collector.
Select Palo Alto Cortex XDR.
Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
(Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
Forward to SIEM. Check the checkbox to forward your data to Cloud SIEM Enterprise. When configured with the Forward to SIEM option the following metadata fields are set:
- _siemVendor: Palo Alto
- siemProduct: Cortex
- siemFormat: JSON
- siemEventID: <category>
(Optional) Fields. Click the +Add Field link to define the fields you want to associate, each field needs a name (key) and value.
- A green circle with a check mark is shown when the field exists in the Fields table schema.
- An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
API Key. Enter the API Key that you generated and secured in step 7 of the API Key section.
API ID. Enter the API ID that you generated and secured in step 2 of the API ID section.
Tenant FQDN. Enter the FQDN that you obtained when you generated the API Key and API ID, as explained in the FQDN section. The FQDN is a unique host and domain name associated with each tenant.
Ingest Associated Events. It enables the ingestion of all events associated with an alert as a separate set of log lines. Each alert will have all events ingested as individual log lines, each enriched with the original alert ID.
Duplicate Alerts for each alert host IP. It simplifies the analysis of incoming alerts by flattening the host IP field and generating a duplicate alert for each unique host IP. The duplicates are identical except for the flattened host IP field, making it easier to work with the alerts and create rules or searches to detect potential security threats.
Ingested Incident Events. It allows the ingestion of all events associated with an alert as individual log lines, each with the original alert ID enrichment.
Polling Interval. It is set for 600 seconds by default, you can adjust it based on your needs. This sets how often the Source checks for new data.
When you are finished configuring the Source, click Submit.

note

To ensure accurate and effective display of all alerts, we recommend enabling duplicate alerts for each alert host IP. This prevents any host IP array flattening.

Error types

When Sumo Logic detects an issue it is tracked by Health Events. The following table shows the three possible error types, the reason the error would occur, if the Source attempts to retry, and the name of the event log in the Health Event Index.

Type	Reason	Retries	Retry Behavior	Health Event Name
ThirdPartyConfig	Normally due to an invalid configuration. You'll need to review your Source configuration and make an update.	No retries are attempted until the Source is updated.	Not applicable	ThirdPartyConfigError
ThirdPartyGeneric	Normally due to an error communicating with the third party service APIs.	Yes	The Source will retry for up to 90 minutes, after which retries will be attempted every 60 minutes.	ThirdPartyGenericError
FirstPartyGeneric	Normally due to an error communicating with the internal Sumo Logic APIs.	Yes	The Source will retry for up to 90 minutes, after which retries will be attempted every 60 minutes.	FirstPartyGenericError

Restarting your Source

If your Source encounters ThirdPartyConfig errors, you can restart it from either the Sumo Logic UI or Sumo Logic API.

UI

To restart your source in the Sumo Logic platform, follow the steps below:

Open the Collection page, and go to Manage Data > Collection > Collection.
Select the source and click the information icon on the right side of the row.
The API usage information popup is displayed. Click the Restart Source button on the bottom left.
Click Confirm to send the restart request.
The bottom left of the platform will provide a notification informing you the request was successful.

API

To restart your source using the Sumo Management API, follow the instructions below:

Method: POST

Example endpoint:

https://api.sumologic.com/api/v1/collectors/{collector_id}/sources/{source_id}/action/restart

Sumo Logic endpoints like api.sumologic.com are different in deployments outside us1. For example, an API endpoint in Europe would begin api.eu.sumologic.com. A service endpoint in us2 (Western U.S.) would begin service.us2.sumologic.com. For more information, see Sumo Logic Endpoints.

JSON configuration

Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for details.

Parameter	Type	Required	Description	Access
config	JSON Object	Yes	Contains the configuration parameters for the Source.
schemaRef	JSON Object	Yes	Use `{"type":"Palo Alto Cortex XDR"}` for a Palo Alto Cortex XDR Source.	not modifiable
sourceType	String	Yes	Use `Universal` for a Palo Alto Cortex XDR Source.	not modifiable

The following table shows the config parameters for a Palo Alto Cortex XDR Source.

Parameter	Type	Required?	Default	Description	Access
`name`	String	Yes		Type a desired name of the Source. The name must be unique per Collector. This value is assigned to the metadata field `_source`.	modifiable
`description`	String	No	null	Type a description of the Source.	modifiable
`category`	String	No	null	Type a category of the source. This value is assigned to the metadata field `_sourceCategory`. See best practices for details.	modifiable
`fields`	JSON Object	No		JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM.	modifiable
`api_key`	String	Yes		Provide the API Key you want to use to authenticate collection requests.	modifiable
`api_id`	String	Yes		Provide the API ID for the API Key that you want to use to authenticate collection requests.	modifiable
`fqdn`	String	Yes		The FQDN is a unique host and domain name associated with each tenant. When you generate the API Key and Key ID, you are assigned an individual FQDN.	modifiable
`ingest_events`	Boolean	No	False	When true, the ingestion of all events associated with an alert as a separate set of log lines. Each alert will have all events ingested as individual log lines, each enriched with the original alert ID.	modifiable
`dup_alerts`	Boolean	No	False	When true, it takes all inbound alerts and flatten the host IP field in the alert data structure. Then a duplicate alert is ingested for each, which will be identical except for the host IP field that is flattened from an array. This simplifies working with the alert and the generation of rules or searches based on alert content.	modifiable
`collect_incidents`	Boolean	No	False	If true, it collects incidents.	modifiable
`polling_interval`	Integer	No	600	This sets how often the Source checks for new data.	modifiable

Palo Alto Cortex XDR Source JSON example:

{
    "api.version": "v1",
    "source": {
        "schemaRef": {
            "type": "Palo Alto Cortex XDR"
        },
        "config": {
            "name": "Cortex XDR",
            "fields": {
                "_siemForward": false
            },
            "api_key": "***********",
            "api_id": "*",
            "fqdn": "palo-test.com",
            "polling_interval": 600,
            "ingest_events": true,
            "dup_alerts": true,
            "collect_incidents": true
        },
        "sourceType": "Universal"
    }
}

Data sources​

Metadata Fields​

States​

Setup & Configuration​

Getting Cortex XDR API key​

Getting Cortex XDR API ID​

Getting Cortex XDR FQDN​

Create a Palo Alto Cortex XDR Source​

Error types​

Restarting your Source​

UI

API

JSON configuration​