Configure Cortex XDR & IoT Security accounts used for inputs for the Splunk Add-on for Palo Alto Networks¶
Overview¶
In order to start collecting data, IoT Security and Cortex XDR accounts should be set up prior.
Set up Cortex XDR account¶
To set up Cortex XDR account, please follow these steps:
- Use the instruction in the Cortex XDR Getting Started Guide to gain API access: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis Use these values to generate the API key:
Security Level | Role |
---|---|
Advanced | Viewer |
This action will provide you a Key and Key ID. The Key be shown only once, so make sure to record it or you’ll need to re-create the Key. 2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks. Go to “Configuration” tab, click on “Cortex XDR account” and then click on “Add” 3. Use the following table to complete the fields for the new account in Splunk:
Field | Description |
---|---|
Tenant name | Value can be found in Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/. |
Tenant region | Value can be found in Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/. |
API Key ID | API Key ID generated in step one. Also could be found in ID column in API Keys dashboard. |
API Key | API Key generated in step one. Note that API key should have ‘Advanced’ security level with a role of ‘Viewer’. |
Set up IoT Security account¶
To set up IoT Security account, please follow these steps:
- Use the instruction in the IoT Security Administrator’s Guide to gain API access: https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api-overview/get-started-with-the-iot-security-api.html
This action will provide you a Secret Access Key and Access Key ID. The Secret Access Key be shown only once, so make sure to record it or you’ll need to re-create the Secret Access Key. 2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks. Go to “Configuration” tab, click on “IoT Security account” and then click on “Add” 3. Use the following table to complete the fields for the new account in Splunk:
Field | Description |
---|---|
Customer ID | Found in the hostname when accessing IoT Security. (eg. https://customer-id.iot.paloaltonetworks.com). |
Access Key ID | Secret Access Key ID created in IoT security dashboard. |
Secret Access Key | Secret Access Key generated in step one. |
After adding accounts for Cortex XDR and IoT security check how to collect data from Cortex XDR and IoT Security