Configure Data Security input for the Splunk Add-on for Palo Alto Networks¶
Overview¶
Data Security is cloud-hosted so logs are retrieved by Splunk using the Data Security API’s. Logs are pulled down in JSON format with sourcetype=”pan:data:security”.
Create Data Security input¶
If you plan to use the Data Security input, perform the following steps:
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to the Inputs page and select Create New Input > Data Security.
-
In window that opened, enter the following values:
Field Value Description Name String Name that will be used for input. Interval Positive integer Frequency in seconds to check for new logs. Index Selection The index in which to put the Cortex XDR logs. The default is main. Region Selection Select region from which collect data from. Data Security Account Selection Select Data Security account used to pull data from. -
Select Add to save the modular input.
Verify data ingestion¶
After waiting the appropriate interval time, check that logs are coming into Splunk by clicking Search at the top and entering the following search:
sourcetype="pan:data:security"