Versions Compared

Version Old Version 1 New Version 2
Changes made by

Juan Tomás Alonso Nieto (Deactivated)

Juan Tomás Alonso Nieto (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel2
maxLevel2
typeflat

Overview

Cortex XDR is a cybersecurity platform developed by Palo Alto Networks that integrates multiple security functions into a single platform. It is designed to detect, investigate, and respond to advanced threats across endpoints, networks, and cloud environments. Extended Detection and Response (XDR) integrates data from various sources, including endpoints, networks, cloud environments, and third-party products, to provide comprehensive threat detection and response capabilities.

Integration overview

The data is collected using a Devo collector that can be run on the Devo Collector server or stand alone in a Docker container. The data is sent and stored in the Devo platform in these tables:

...

Cortex exposes REST API resources to extract data such as:

Resource type

Definition

Devo table

Incidents

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.

  • The response is concatenated using the AND condition (OR is not supported).

  • The maximum result set size is >100.

  • Offset is the zero-based number of incidents from the start of the result set.

Note

You can request to retrieve all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

  • edr.cortex_xdr.incidents

Note

You can override this intagin the incident module definition.

Incidents

Get extra data fields of a specific incident including alerts and key artifacts.

  • Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

Note

The API includes a limit rate of 10 API requests per minute.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

  • edr.cortex_xdr.alerts

Note

You can override this in alert_tagin the incident module definition.

Alert multi-events

Get a list of alerts with multiple events.

  • Response is concatenated using AND condition (OR is not supported).

  • The maximum result set size is 100.

  • Offset is the zero-based number of alerts from the start of the result set.

  • Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

Note

You can request to retrieve either all or filtered results.

Required license: ​Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

  • edr.cortex_xdr.alerts_multi

  • edr.cortex_xdr.alerts_multi_event

Note

You can override this in alert_tag and event_tagin the alert module definition.

Vendor configuration

To pull the logs from the Cortex XDR endpoint you need this information:

Parameter

Description

URL API FQDN

The service address of the Cortex XDR installation

API_KEY

Your API Key

API_ID

Your API Key ID

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

image-20240528-122729.png
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: cortex_xdr
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  console_1:
    type: console

inputs:
  cortex_xdr:
    id: <short_unique_id>
    enabled: true
    credentials:
      api_key: <api_key_value>
      api_key_id: <api_key_id_value>
    services:
      incidents:
        request_period_in_seconds : <request_period_in_seconds_value>
        api_fqdn: <api_fqdn_value>
        api_endpoint: <api_endpoint_value>
        incident_extra_data_endpoint: <incident_extra_data_endpoint_value>
      alerts:
        start_time: <start_time_value> # Example 2024-01-01T01:50:00Z
        request_period_in_seconds: <request_period_in_seconds_value>
        api_fqdn: <api_fqdn_value>
        api_endpoint: <api_endpoint_value>

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-cortex_xdr_if-docker-image-1.3.0

36d14118f0e5877c7da4493d2d0d00cc6ec0743d9357b895dcabb69e1a2f3cd0

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

The Collector Server is a managed platform that allows running sets of different collectors grouped by Devo domain destinations.

To run an instance of this data collector, the next steps must be followed:

  1. In the Collector Server GUI, access the domain where you want to create this instance, click Add Collector, search for “Cortex XDR - Integrations Factory”, then click on the result.

  2. In the Version field, select the latest value.

  3. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  4. In the Parameters section, establish the Collector Parameters as follows below:Collector services detail

Info

Please, replace the placeholders <api_key_value>, <api_key_id_value>, and <api_fqdn_value> in the next section with the values obtained in previous sections of this document, except the <short_unique_identifier> that can have the value you choose. Do not substitute the occurrences of {api_fqdn}.

Code Block
{
  "cortex_xdr": {
    "id": 1,
    "enabled": true,
    "credentials": {
      "api_key": "<api_key_value>",
      "api_key_id": "<api_key_id_value>"
    },
    "services": {
      "incidents": {
        "request_period_in_seconds": "<request_period_in_seconds_value>",
        "api_fqdn": "<api_fqdn_value>",
        "api_endpoint": "{api_fqdn}/public_api/v1/incidents/get_incidents",
        "incident_extra_data_endpoint": "{api_fqdn}/public_api/v1/incidents/get_incident_extra_data",
        "tag": "<tag_value>",
        "alert_tag": "<alert_tag_value>"
      },
      "alerts": {
        "request_period_in_seconds": "<request_period_in_seconds_value>",
        "start_time": "<start_time>",
        "api_fqdn": "<api_fqdn_value>",
        "api_endpoint": "{api_fqdn}/public_api/v1/alerts/get_alerts_multi_events",
        "alert_tag": "<alert_tag_value>",
        "event_tag": "<event_tag_value>"
        }
    }
  }
}
Info

The value chosen for the id field will be used internally for having independent persistence areas.This section is intended to explain how to proceed with specific actions for services.

Change log

Release

Released on

Release type

Details

Recommendations

v1.3.0

Status
colourYellow
titleIMPROVEMENT

Improvements:

  • Upgrade DC SDK to the latest version 1.11.1

  • Upgrade the Docker base image to 1.2.0

Recommended version

v1.2.0

Status
colourYellow
titleIMPROVEMENT

Improvements:

  • Added 'start_time' in config file for alerts service

  • Added logs

 Initial version