
Configure Cortex XDR & Device Security (formerly IoT Security) accounts used for inputs for the Splunk Add-on for Palo Alto Networks

Prerequisites

  • To start collecting data, you must set up Device Security (formerly IoT Security), Cortex XDR and Data Security accounts.
  • To use the custom search command or the alert action, you must set up a Firewall/Panorama account.

Set up Cortex XDR account

To set up a Cortex XDR account, follow these steps:

  1. Use the instructions in the Cortex XDR Getting Started Guide to gain API access: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.
    Use the following values to generate the API key:

    Security Level  Role
    Advanced        Viewer

    This procedure provides you with a Key and a Key ID. The Key is shown only once, so make sure to record it, or you will need to re-create the Key.

  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.

  3. Go to the Configuration tab and select Cortex XDR account > Add.

  4. Use the following table to complete the fields for the new account in Splunk:
    Field          Description
    Tenant name    The tenantname segment of the Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/.
    Tenant region  The tenantregion segment of the Cortex XDR URL: https://tenantname.xdr.tenantregion.paloaltonetworks.com/.
    API Key ID     The API Key ID generated in step 1. You can also find it in the ID column of the API Keys dashboard.
    API Key        The API Key generated in step 1. Note that the API key should have the Advanced security level with the Viewer role.
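As an added example (not code from the Splunk add-on or from Palo Alto Networks), the following Python shows why the Advanced security level is the one to choose for this key: with an Advanced-level key the request carries a fresh nonce, a timestamp and SHA-256(key + nonce + timestamp), so the key itself never travels in the request, whereas a Standard-level key is sent as-is in the Authorization header. Assumptions: the header names and hash construction follow the Cortex XDR API reference, the API host is the tenant host from the table above prefixed with "api-", and every credential value is a constructed placeholder.

```python
import hashlib
import secrets
import string
import time
from typing import Optional


def xdr_api_base_url(tenant_name: str, tenant_region: str) -> str:
    """Assumption: the API host is the tenant host prefixed with 'api-'."""
    return f"https://api-{tenant_name}.xdr.{tenant_region}.paloaltonetworks.com"


def standard_key_headers(api_key_id: str, api_key: str) -> dict:
    """Standard-level key: the raw key itself is the Authorization value."""
    return {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key}


def advanced_key_headers(api_key_id: str, api_key: str,
                         nonce: Optional[str] = None,
                         timestamp_ms: Optional[int] = None) -> dict:
    """Advanced-level key: send SHA-256(key + nonce + timestamp), never the key.

    nonce and timestamp_ms are parameters only so a result can be checked
    deterministically; in normal use leave them None so fresh values are drawn.
    """
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000  # milliseconds since the epoch
    auth_key = f"{api_key}{nonce}{timestamp_ms}"
    api_key_hash = hashlib.sha256(auth_key.encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key_hash,
    }


def key_is_exposed(headers: dict, api_key: str) -> bool:
    """True if the raw key would travel in any header value."""
    return any(api_key in value for value in headers.values())


if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    print(xdr_api_base_url("tenantname", "tenantregion"))
    print(advanced_key_headers("12", "PLACEHOLDER_API_KEY"))
    print(key_is_exposed(standard_key_headers("12", "PLACEHOLDER_API_KEY"), "PLACEHOLDER_API_KEY"))
```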

Set up Device Security (formerly IoT Security) account

To set up a Device Security account, follow these steps:

  1. Create a service account in Strata Cloud Manager with access to the Device Security API: https://pan.dev/iot/api/iot-public-api-new/

    This procedure provides you a Client ID and Client Secret. The Client Secret is shown only once, so make sure to record it or you’ll need to re-create the service account.

  2. Note your TSG ID (Tenant Service Group ID) from Strata Cloud Manager.

  3. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  4. Go to the Configuration tab and select IoT accounts > Add.
  5. Use the following table to complete the fields for the new account in Splunk:
    Field          Description
    Account Name   A unique name for this Device Security account.
    TSG ID         Tenant Service Group ID from Strata Cloud Manager.
    Client ID      Client ID from the Strata Cloud Manager service account.
    Client Secret  Client Secret from the Strata Cloud Manager service account.

After adding accounts for Cortex XDR and Device Security, see how to collect data from Cortex XDR and Device Security.

Set up Firewall/Panorama account

To set up a Firewall/Panorama account, follow these steps:

  1. Use the instructions in the guide to set up an account with API access: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access
  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  3. Go to the Configuration tab and select Firewall & Panorama accounts > Add.
  4. Use the following table to complete the fields for the new account in Splunk:
    Field                       Description
    Firewall/Panorama address   IP address or hostname of the firewall or Panorama.
    Firewall/Panorama username  Username for the firewall/Panorama account created in step 1.
    Firewall/Panorama password  Password for the firewall/Panorama account created in step 1.

After adding an account for Firewall/Panorama, see how to use the custom search command pancontentpack and the alert action pantag.

Optionally, you can create a user for Splunk on the firewall or Panorama, and reduce the user’s role to just what is required. The required permissions depend on features that are used.

Feature                                      Permission Needed
Command: pancontentpack with PAN-OS < 8.0    Configuration
Command: pancontentpack with PAN-OS >= 8.0   Configuration and Operational Requests
Alert Action - Tag to Dynamic Address List   User-ID Agent

Set up Data Security account

To set up a Data Security account, follow these steps:

  1. Use the instructions in the guide to set up an account with API access: https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-api/syslog-and-api-integration/api-client-integration/add-your-api-client-app#idd6102853-02a3-48b2-b5ca-7aeca3822a4f
  2. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  3. Go to the Configuration tab and select Data Security accounts > Add.
  4. Use the following table to complete the fields for the new account in Splunk:
    Field          Description
    Account Name   Unique name for the Data Security account.
    Client ID      Client ID created in the Data Security dashboard in step 1.
    Region         Region to collect data from.
    Client Secret  Client Secret created in the Data Security dashboard in step 1.