Configure Cortex XDR input for the Splunk Add-on for Palo Alto Networks¶
Overview¶
Cortex XDR is cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API’s. Logs are pulled down in JSON format with sourcetype=”pan:xdr_incident”.
Create Cortex XDR input¶
If you plan to use the Cortex XDR input, you must perform the following steps:
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to Inputs page and select Create New Input and then select Cortex XDR.
In the opened window, input these values:
| Field | Value | Description |
|---|---|---|
| Name | String | Name that is used for input. |
| Interval | Positive integer | Frequency in seconds to check for new logs (60 seconds recommended). |
| Index | Selection | The index in which to put the Cortex XDR logs. The default is main. |
| Incident details | Tick box | If selected detailed events are pulled from Cortex XDR API. |
| Cortex XDR account to use | Selection | Select Cortex XDR account used to pull data from. |
- Save the modular input by selecting Add.
Verify data ingestion¶
After waiting the appropriate interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:
Search
sourcetype=”pan:xdr*”
Some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in Cortex XDR to generate logs, and try the Troubleshooting Guide.