Configure Cortex XDR & IoT Security accounts used for inputs for the Splunk Add-on for Palo Alto Networks
Overview
- To start collecting data, first set up the IoT Security, Cortex XDR and Data Security accounts.
- To use the custom search command or the alert action, first set up a Firewall/Panorama account.
Set up Cortex XDR account
To set up a Cortex XDR account, follow these steps:
- Use the instructions in the Cortex XDR Getting Started Guide to gain API access: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis. Use the following values to generate the API key: Security Level: Advanced; Role: Viewer. This action provides you with a Key and a Key ID. The Key is shown only once, so make sure to record it, or you will need to re-create the Key.
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to the Configuration tab and select Cortex XDR account > Add.
- Use the following table to complete the fields for the new account in Splunk:
Field | Description |
---|---|
Tenant name | Found in the Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/. |
Tenant region | Found in the Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/. |
API Key ID | The API Key ID generated in step one. It can also be found in the ID column of the API Keys dashboard. |
API Key | The API Key generated in step one. Note that the API key should have the ‘Advanced’ security level with a role of ‘Viewer’. |
Set up IoT Security account
To set up an IoT Security account, follow these steps:
- Use the instructions in the IoT Security Administrator’s Guide to gain API access: https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api-overview/get-started-with-the-iot-security-api.html. This action provides you with a Secret Access Key and an Access Key ID. The Secret Access Key is shown only once, so make sure to record it, or you will need to re-create the Secret Access Key.
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to the Configuration tab and select IoT Security account > Add.
- Use the following table to complete the fields for the new account in Splunk:
Field | Description |
---|---|
Customer ID | Found in the hostname used to access IoT Security (e.g. https://customer-id.iot.paloaltonetworks.com). |
Access Key ID | The Access Key ID created in the IoT Security dashboard in step one. |
Secret Access Key | The Secret Access Key generated in step one. |
After adding the Cortex XDR and IoT Security accounts, see how to collect data from Cortex XDR and IoT Security.
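The two tables above derive the Tenant name, Tenant region and Customer ID fields from console hostnames, and require an "Advanced" security-level key for Cortex XDR. The following added example (not part of the Splunk Add-on for Palo Alto Networks or of Palo Alto Networks' own code) parses those hostnames and builds the request headers that an Advanced key uses, so a key can be sanity-checked before it is stored in Splunk. The header scheme (SHA-256 over key + nonce + millisecond timestamp, sent in `x-xdr-timestamp`, `x-xdr-nonce`, `x-xdr-auth-id` and `Authorization`) follows the Cortex XDR API Getting Started guide linked above; the `api-<tenant>.xdr.<region>...` API host layout is assumed from that guide, and every tenant, key and URL value is a constructed sample.

```python
# Added example, not code from the Splunk Add-on or Palo Alto Networks.
# Derives the account fields from console URLs and builds Advanced-key headers.
import hashlib
import re
import secrets
import string
import time
from urllib.parse import urlparse

# Hostname shapes quoted in the field tables above.
XDR_HOST_RE = re.compile(
    r"^(?P<tenant>[^.]+)\.xdr\.(?P<region>[^.]+)\.paloaltonetworks\.com$")
IOT_HOST_RE = re.compile(r"^(?P<customer>[^.]+)\.iot\.paloaltonetworks\.com$")


def parse_xdr_url(url):
    """Return (tenant_name, tenant_region) from a Cortex XDR console URL."""
    host = (urlparse(url).hostname or "").lower()
    match = XDR_HOST_RE.match(host)
    if not match:
        raise ValueError("not a Cortex XDR console URL: %r" % url)
    return match.group("tenant"), match.group("region")


def parse_iot_url(url):
    """Return the Customer ID from an IoT Security console URL."""
    host = (urlparse(url).hostname or "").lower()
    match = IOT_HOST_RE.match(host)
    if not match:
        raise ValueError("not an IoT Security console URL: %r" % url)
    return match.group("customer")


def xdr_api_base(url):
    """API base URL for a tenant (api-<tenant> host layout assumed from the guide)."""
    tenant, region = parse_xdr_url(url)
    return "https://api-%s.xdr.%s.paloaltonetworks.com/public_api/v1" % (tenant, region)


def advanced_key_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Headers for an Advanced-security-level Cortex XDR API key.

    The key itself is never sent: only sha256(key + nonce + timestamp) goes on
    the wire, bound to a fresh 64-character nonce and a millisecond timestamp,
    which is why the table above asks for the Advanced level rather than a
    Standard key that is sent as-is.  nonce/timestamp_ms are parameters only
    so the computation can be reproduced in a test.
    """
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    auth_key = "%s%s%s" % (api_key, nonce, timestamp_ms)
    digest = hashlib.sha256(auth_key.encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
    }


if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant and key.
    console = "https://acme.xdr.us.paloaltonetworks.com/"
    print(parse_xdr_url(console), xdr_api_base(console))
    print(parse_iot_url("https://customer-id.iot.paloaltonetworks.com"))
    print(advanced_key_headers(12, "constructed-sample-key"))
```

A request carrying these headers to an endpoint under the returned API base (for example a POST with an empty `{"request_data": {}}` body) succeeds only if the Key ID, Key and tenant fields are consistent with each other, which is the check worth making before the values are committed to the add-on's credential store.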
Set up Firewall/Panorama account
To set up a Firewall/Panorama account, follow these steps:
- Use the instructions in the guide to set up an account with API access: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to the Configuration tab and select Firewall & Panorama accounts > Add.
- Use the following table to complete the fields for the new account in Splunk:
Field | Description |
---|---|
Firewall/Panorama address | IP address or hostname of the firewall or Panorama. |
Firewall/Panorama username | Username of the firewall/Panorama account created in step 1. |
Firewall/Panorama password | Password of the firewall/Panorama account created in step 1. |
After adding the Firewall/Panorama account, see how to use the custom search command pancontentpack and the alert action pantag.
Optionally, you can create a dedicated user for Splunk on the firewall or Panorama and reduce that user’s role to just what is required. The required permissions depend on which features will be used:
Feature | Permission Needed |
---|---|
Command: pancontentpack with PAN-OS < 8.0 | Configuration. |
Command: pancontentpack with PAN-OS >= 8.0 | Configuration and Operational Requests. |
Alert Action - Tag to Dynamic Address List | User-ID Agent. |
Set up Data Security account
To set up a Data Security account, follow these steps:
- Use the instructions in the guide to set up an account with API access: https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-api/syslog-and-api-integration/api-client-integration/add-your-api-client-app#idd6102853-02a3-48b2-b5ca-7aeca3822a4f
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to the Configuration tab and select Data Security accounts > Add.
- Use the following table to complete the fields for the new account in Splunk:
Field | Description |
---|---|
Account Name | Unique name for the Data Security account. |
Client ID | The Client ID created in the Data Security dashboard in step 1. |
Region | Region to collect data from. |
Client Secret | The Client Secret created in the Data Security dashboard in step 1. |