Configure Cortex XDR & IoT Security accounts used for inputs for the Splunk Add-on for Palo Alto Networks

Overview

  • To start collecting data, you first need to set up IoT Security, Cortex XDR and Data Security accounts.
  • To use the custom search command or the alert action, you first need to set up a Firewall/Panorama account.

Set up Cortex XDR account

To set up a Cortex XDR account, follow these steps:

  1. Use the instructions in the Cortex XDR Getting Started Guide to gain API access: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.
    Use the following values to generate the API key:

     Security Level   Role
     Advanced         Viewer

    This action will provide you with a Key and a Key ID. The Key is shown only once, so make sure to record it; otherwise you will need to re-create the Key.

  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.

  3. Go to the Configuration tab and select Cortex XDR account > Add.

  4. Use the following table to complete the fields for the new account in Splunk:

     Field          Description
     Tenant name    Found in the Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/.
     Tenant region  Found in the Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/.
     API Key ID     The API Key ID generated in step 1. It can also be found in the ID column of the API Keys dashboard.
     API Key        The API Key generated in step 1. The API key must have the 'Advanced' security level with the 'Viewer' role.

Set up IoT Security account

To set up an IoT Security account, follow these steps:

  1. Use the instructions in the IoT Security Administrator's Guide to gain API access: https://docs.paloaltonetworks.com/iot/iot-security-api-reference/iot-security-api-overview/get-started-with-the-iot-security-api.html

    This action will provide you with a Secret Access Key and an Access Key ID. The Secret Access Key is shown only once, so make sure to record it; otherwise you will need to re-create the Secret Access Key.

  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.

  3. Go to the Configuration tab and select IoT Security account > Add.

  4. Use the following table to complete the fields for the new account in Splunk:

     Field              Description
     Customer ID        Found in the hostname used to access IoT Security (e.g. https://customer-id.iot.paloaltonetworks.com).
     Access Key ID      The Access Key ID created in the IoT Security dashboard in step 1.
     Secret Access Key  The Secret Access Key generated in step 1.
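Both the Cortex XDR and the IoT Security tables above ask you to copy identifiers out of a console URL by hand. The following is an added example (not part of the add-on's own code) that derives those fields from the URL and, as a safeguard, accepts only hostnames that end exactly in paloaltonetworks.com, so that an identifier copied from a look-alike or mistyped address is rejected before an API key is configured against it. It assumes the tenant, region and customer-id parts are single DNS labels, which matches the example URLs in the tables; the sample URLs in the usage section are constructed.

```python
import re
from urllib.parse import urlparse

# Hostname shapes documented in the account tables (assumption: each
# variable part is a single DNS label, as in the documented examples).
_XDR_HOST = re.compile(
    r"^(?P<tenant>[a-z0-9-]+)\.xdr\.(?P<region>[a-z0-9-]+)\.paloaltonetworks\.com$"
)
_IOT_HOST = re.compile(r"^(?P<customer>[a-z0-9-]+)\.iot\.paloaltonetworks\.com$")


def _hostname(url: str) -> str:
    """Return the lowercase hostname of an https URL, or raise ValueError."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"expected an https URL with a hostname, got {url!r}")
    # urlparse strips any port and userinfo for us; we only compare the host.
    return parsed.hostname.lower()


def xdr_account_fields(url: str) -> dict:
    """Derive the 'Tenant name' and 'Tenant region' fields from a Cortex XDR URL.

    The regex is anchored at both ends, so a host such as
    tenant.xdr.region.paloaltonetworks.com.example.net does not match.
    """
    host = _hostname(url)
    match = _XDR_HOST.match(host)
    if not match:
        raise ValueError(f"{host!r} is not a <tenant>.xdr.<region>.paloaltonetworks.com host")
    return {"tenant_name": match["tenant"], "tenant_region": match["region"]}


def iot_account_fields(url: str) -> dict:
    """Derive the 'Customer ID' field from an IoT Security console URL."""
    host = _hostname(url)
    match = _IOT_HOST.match(host)
    if not match:
        raise ValueError(f"{host!r} is not a <customer-id>.iot.paloaltonetworks.com host")
    return {"customer_id": match["customer"]}


if __name__ == "__main__":
    # Constructed sample URLs; replace with the address shown in your own console.
    print(xdr_account_fields("https://acme.xdr.us.paloaltonetworks.com/"))
    print(iot_account_fields("https://acme-iot.iot.paloaltonetworks.com"))
```

Paste the returned values into the Tenant name, Tenant region and Customer ID fields; the API keys themselves are never parsed from or stored alongside the URL.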

After adding the Cortex XDR and IoT Security accounts, see how to collect data from Cortex XDR and IoT Security.

Set up Firewall/Panorama account

To set up a Firewall/Panorama account, follow these steps:

  1. Use the instructions in the guide to set up an account with API access: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access
  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  3. Go to the Configuration tab and select Firewall & Panorama accounts > Add.
  4. Use the following table to complete the fields for the new account in Splunk:

     Field                       Description
     Firewall/Panorama address   IP address or hostname of the firewall/Panorama.
     Firewall/Panorama username  Username for the firewall/Panorama account created in step 1.
     Firewall/Panorama password  Password for the firewall/Panorama account created in step 1.

After adding the Firewall/Panorama account, see how to use the custom search command pancontentpack and the alert action pantag.

Optionally, you can create a dedicated user for Splunk on the firewall or Panorama and reduce that user's role to just what is required. The required permissions depend on the features that will be used:

  Feature                                        Permission Needed
  Command: pancontentpack with PAN-OS < 8.0      Configuration.
  Command: pancontentpack with PAN-OS >= 8.0     Configuration and Operational Requests.
  Alert Action - Tag to Dynamic Address List     User-ID Agent.

Set up Data Security account

To set up a Data Security account, follow these steps:

  1. Use the instructions in the guide to set up an account with API access: https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-api/syslog-and-api-integration/api-client-integration/add-your-api-client-app#idd6102853-02a3-48b2-b5ca-7aeca3822a4f
  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  3. Go to the Configuration tab and select Data Security accounts > Add.
  4. Use the following table to complete the fields for the new account in Splunk:

     Field          Description
     Account Name   Unique name for the Data Security account.
     Client ID      Client ID created in the Data Security dashboard in step 1.
     Region         Region to collect data from.
     Client Secret  Client Secret created in the Data Security dashboard in step 1.