
Configure Cortex XDR & IoT Security accounts used for inputs for the Splunk Add-on for Palo Alto Networks

Prerequisites

  • To collect data, set up an account for each source you want to poll: IoT Security, Cortex XDR or Data Security.
  • To use the custom search command or the alert action, set up a Firewall/Panorama account.

Set up Cortex XDR account

To set up a Cortex XDR account, follow these steps:

  1. Follow the Cortex XDR Getting Started Guide to gain API access: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.
    Generate the API key with the following values:

    Security Level: Advanced
    Role: Viewer

    The add-on only reads data from Cortex XDR, so Viewer is sufficient; do not grant a wider role to this key.

    This procedure gives you an API Key and an API Key ID. The Key is shown only once, so record it now; otherwise you will have to create a new key.

  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.

  3. Go to the Configuration tab and select Cortex XDR account > Add.

  4. Use the following table to complete the fields for the new account in Splunk:

    Field: Description
    Tenant name: the first label of your Cortex XDR URL, https://**tenantname**.xdr.tenantregion.paloaltonetworks.com/.
    Tenant region: the region label of your Cortex XDR URL, https://tenantname.xdr.**tenantregion**.paloaltonetworks.com/.
    API Key ID: the Key ID generated in step 1; it is also shown in the ID column of the API Keys page in Cortex XDR.
    API Key: the Key generated in step 1. It must have the Advanced security level and the Viewer role.
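The reason the add-on insists on an Advanced key is visible in how the key is used on the wire. A Standard-level key is sent verbatim in the Authorization header on every request; an Advanced-level key never leaves the client, because each request carries SHA-256(key + nonce + timestamp) together with the nonce, the timestamp and the Key ID, and the server recomputes the hash from the key it holds for that ID. The script below, an added example that is not part of the add-on, derives the API host from the Tenant name and Tenant region fields above, builds both header forms, and offers a live check against the documented get_incidents endpoint so you can confirm a Key/Key ID pair before typing it into Splunk. The tenant values and key in the main block are placeholders.

```python
"""Build Cortex XDR API request headers and sanity-check an API key.

Added example (not part of the Splunk Add-on for Palo Alto Networks).
The header scheme follows the Cortex XDR API documentation for
Advanced-level keys; tenant/region/key values are placeholders.
"""
import hashlib
import json
import secrets
import string
import time
import urllib.error
import urllib.request
from typing import Dict, Optional

NONCE_ALPHABET = string.ascii_letters + string.digits


def api_base_url(tenant_name: str, tenant_region: str) -> str:
    """The console is https://<tenant>.xdr.<region>.paloaltonetworks.com;
    the API host is the same name prefixed with 'api-'."""
    return f"https://api-{tenant_name}.xdr.{tenant_region}.paloaltonetworks.com"


def advanced_auth_headers(api_key: str, api_key_id: str,
                          nonce: Optional[str] = None,
                          timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for an Advanced-level key: Authorization carries
    SHA-256(key || nonce || timestamp) rather than the key itself. A fresh
    64-character nonce and a millisecond timestamp make every request's
    hash unique, so a captured request cannot simply be replayed."""
    if nonce is None:
        nonce = "".join(secrets.choice(NONCE_ALPHABET) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def standard_auth_headers(api_key: str, api_key_id: str) -> Dict[str, str]:
    """For comparison only: a Standard-level key travels in clear text in
    every request, which is why the add-on asks for an Advanced key."""
    return {
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key,
        "Content-Type": "application/json",
    }


def check_key(tenant_name: str, tenant_region: str, api_key: str,
              api_key_id: str, timeout: int = 15) -> int:
    """Live check (needs network): ask for at most one incident and return
    the HTTP status. 200 means the Key/Key ID pair works and the Viewer role
    is enough for the add-on's read-only polling; 401 means the pair or the
    security level is wrong."""
    url = api_base_url(tenant_name, tenant_region) + "/public_api/v1/incidents/get_incidents/"
    body = json.dumps({"request_data": {"filters": [], "search_from": 0, "search_to": 1}}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers=advanced_auth_headers(api_key, api_key_id))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    # Placeholders: substitute your tenant name, region, Key and Key ID.
    print(check_key("tenantname", "us", "REPLACE_WITH_API_KEY", "1"))
```

Run it once from a host that can reach the tenant; a 200 confirms the values you are about to enter in the Tenant name, Tenant region, API Key ID and API Key fields. Keep the key out of shell history and logs while you do so.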

Set up IoT Security account

To set up an IoT Security account, follow these steps:

  1. Follow the instructions in the IoT Security Administrator's Guide to gain API access: https://pan.dev/iot/api/iot-public-api-new/

    This procedure gives you an Access Key ID and a Secret Access Key. The Secret Access Key is shown only once, so record it now; otherwise you will have to create a new one.

  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.

  3. Go to the Configuration tab and select IoT Security account > Add.

  4. Use the following table to complete the fields for the new account in Splunk:

    Field: Description
    Customer ID: the first label of the hostname you use to reach IoT Security (for example https://customer-id.iot.paloaltonetworks.com).
    Access Key ID: the Access Key ID created in the IoT Security portal in step 1.
    Secret Access Key: the Secret Access Key generated in step 1.

After adding the Cortex XDR and IoT Security accounts, see how to collect data from Cortex XDR and IoT Security.

Set up Firewall/Panorama account

To set up a Firewall/Panorama account, follow these steps:

  1. Follow the guide to create an account with API access: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access
  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  3. Go to the Configuration tab and select Firewall & Panorama accounts > Add.
  4. Use the following table to complete the fields for the new account in Splunk:

    Field: Description
    Firewall/Panorama address: IP address or hostname of the firewall or Panorama.
    Firewall/Panorama username: username of the firewall or Panorama account created in step 1.
    Firewall/Panorama password: password of the firewall or Panorama account created in step 1.

After adding the Firewall/Panorama account, see how to use the custom search command pancontentpack and the alert action pantag.

Rather than reusing an administrator login, create a dedicated user for Splunk on the firewall or Panorama and restrict its admin role to just what is required. The add-on stores this account's password, so the smaller the role the smaller the impact if Splunk is compromised. The required XML API permissions depend on the features you use:

Feature: Permission needed
Command pancontentpack, PAN-OS < 8.0: Configuration
Command pancontentpack, PAN-OS >= 8.0: Configuration and Operational Requests
Alert action pantag (tag to Dynamic Address List): User-ID Agent
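Before entering the account into Splunk, it is worth confirming two things about it: that the username and password actually yield an XML API key, and that the restricted role you built still covers the request types the add-on issues. The script below is an added example, not code from the add-on or from Palo Alto Networks. It uses the documented PAN-OS XML API requests (type=keygen, type=op and type=config, sent by POST so the password stays out of the URL and web-server logs), parses the XML replies, and reports which of the two permissions pancontentpack needs on PAN-OS >= 8.0 the account has. The sample responses embedded in it are constructed in the shape the API returns so the parsing can be exercised offline; the host and credentials in the main block are placeholders.

```python
"""Probe a Firewall/Panorama account before giving it to the Splunk add-on.

Added example (not part of the Splunk Add-on for Palo Alto Networks).
Sample XML below is constructed to match the PAN-OS XML API reply shape.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed sample replies (not captured from a real device).
SAMPLE_KEYGEN_OK = (
    '<response status="success"><result>'
    "<key>LUFRPT1EXAMPLEKEYNOTREAL</key></result></response>"
)
SAMPLE_KEYGEN_FAIL = (
    '<response status="error" code="403"><result>'
    "<msg>Invalid Credential</msg></result></response>"
)
SAMPLE_OP_OK = (
    '<response status="success"><result><system>'
    "<hostname>fw-edge-01</hostname><sw-version>10.1.9</sw-version>"
    "</system></result></response>"
)


def parse_response(xml_text: str) -> Tuple[str, str, Optional[ET.Element]]:
    """Return (status, code, <result> element). Every XML API reply has
    status="success" or "error"; errors usually add a code and a <msg>."""
    root = ET.fromstring(xml_text)
    return root.get("status", ""), root.get("code", ""), root.find("result")


def parse_keygen(xml_text: str) -> str:
    """Extract the API key from a type=keygen reply; raise if refused."""
    status, code, result = parse_response(xml_text)
    key = result.findtext("key") if result is not None else None
    if status != "success" or not key:
        msg = result.findtext("msg", "") if result is not None else ""
        raise PermissionError(f"keygen refused (code {code or '?'}): {msg}")
    return key


def xmlapi_url(host: str, params: Dict[str, str]) -> str:
    """Build https://<host>/api/?... with URL-encoded parameters (GET form)."""
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)


def _post(host: str, params: Dict[str, str], verify_tls: bool, timeout: int = 15) -> str:
    """Send the parameters as a POST body so secrets are not in the URL."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab devices with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/api/",
                                 data=urllib.parse.urlencode(params).encode(), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def probe_account(host: str, user: str, password: str, verify_tls: bool = True) -> Dict[str, bool]:
    """Live check (needs network). Generates a key for the Splunk user and
    tries one operational request and one configuration read, the two
    XML API permissions pancontentpack needs on PAN-OS >= 8.0. A False
    entry means the admin role lacks that permission."""
    key = parse_keygen(_post(host, {"type": "keygen", "user": user, "password": password}, verify_tls))
    checks = {
        "Operational Requests": {"type": "op", "cmd": "<show><system><info/></system></show>", "key": key},
        "Configuration": {"type": "config", "action": "show", "xpath": "/config/shared", "key": key},
    }
    return {name: parse_response(_post(host, p, verify_tls))[0] == "success"
            for name, p in checks.items()}


if __name__ == "__main__":
    # Placeholders: substitute the device address and the Splunk user's credentials.
    print(probe_account("firewall.example.com", "splunk-api", "REPLACE_WITH_PASSWORD"))
```

If both entries come back True, the account is sufficient for pancontentpack; if you also use pantag, add the User-ID Agent permission to the same role. Reply parsing is split out so a failure is reported with the device's own code and message rather than as a stack trace.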

Set up Data Security account

To set up a Data Security account, follow these steps:

  1. Follow the guide to create an API client with API access: https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-api/syslog-and-api-integration/api-client-integration/add-your-api-client-app#idd6102853-02a3-48b2-b5ca-7aeca3822a4f
  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  3. Go to the Configuration tab and select Data Security accounts > Add.
  4. Use the following table to complete the fields for the new account in Splunk:

    Field: Description
    Account Name: a unique name for the Data Security account.
    Client ID: the Client ID created in the Data Security console in step 1.
    Region: the region to collect data from.
    Client Secret: the Client Secret created in the Data Security console in step 1.