Cortex XDR collector

Overview

Cortex XDR is a cybersecurity platform developed by Palo Alto Networks that integrates multiple security functions into a single platform. It is designed to detect, investigate, and respond to advanced threats across endpoints, networks, and cloud environments. Extended Detection and Response (XDR) integrates data from various sources, including endpoints, networks, cloud environments, and third-party products, to provide comprehensive threat detection and response capabilities.

Integration overview

The data is collected using a Devo collector that can be run on the Devo Collector server or stand alone in a Docker container. The data is sent and stored in the Devo platform in these tables:

edr.cortex_xdr.incidents
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi_event

Cortex exposes REST API resources to extract data such as:

Resource type

Definition

Devo table

Incidents

Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.

The response is concatenated using the AND condition (OR is not supported).
The maximum result set size is >100.
Offset is the zero-based number of incidents from the start of the result set.

You can request to retrieve all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

URL: https://api-yourfqdn
Endpoint: /public_api/v1/incidents/get_incidents
Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-all-Incidents

edr.cortex_xdr.incidents

You can override this in tag in the incident module definition.

Alerts

Get extra data fields of a specific incident including alerts and key artifacts.

Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

The API includes a limit rate of 10 API requests per minute.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

URL: https://api-yourfqdn
Endpoint: /public_api/v1/incidents/get_incident_extra_data
Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-Extra-Incident-Data

edr.cortex_xdr.alerts

You can override this in alert_tag in the incident module definition.

Alert multi-events

Get a list of alerts with multiple events.

Response is concatenated using AND condition (OR is not supported).
The maximum result set size is 100.
Offset is the zero-based number of alerts from the start of the result set.
Cortex XDR displays in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

You can request to retrieve either all or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

URL: https://api-yourfqdn
Endpoint: /public_api/v1/alerts/get_alerts_multi_events
Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-REST-API/Get-Alerts-Multi-Events-v1

edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi_event

You can override this in alert_tag and event_tag in the alert module definition.

Vendor configuration

To pull the logs from the Cortex XDR endpoint you need this information:

Parameter	Description
`URL API FQDN`	The service address of the Cortex XDR installation
`API_KEY`	Your API Key
`API_ID`	Your API Key ID

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Change log

Release

Released on

Release type

Details

Recommendations

v1.4.0

23 Aug 2024

IMPROVEMENT

Improvements:

Added start_time as an optional parameters for both of the services.
Added deduplication logic for both services
Updated Docker image base to version v1.3.0 in Dockerfile
Updated DCSDK from v1.11.1 to v1.12.4
- Added new sender for relay in house + TLS
- Added persistence functionality for gzip sending buffer
- Added Automatic activation of gzip sending
- Improved behaviour when persistence fails
- Upgraded DevoSDK dependency
- Fixed console log encoding
- Restructured python classes
- Improved behaviour with non-utf8 characters
- Decreased defaut size value for internal queues (Redis limitation, from 1GiB to 256MiB)
- New persistence format/structure (compression in some cases)
- Removed dmesg execution (It was invalid for docker execution)
- Applied changes to make DCSDK compatible with MacOS
- Improved behavior with non-utf8 characters
- Decreased defaut size value for internal queues (Redis limitation, from 1GiB to 256MiB)
- New persistence format/structure (compression in some cases)
- Removed dmesg execution (It was invalid for docker execution)
- DevoSDK has been updated to version 5.4.0

Recommended version

v1.3.0

23 May 2024

IMPROVEMENT

Improvements:

Upgrade DC SDK to the latest version 1.11.1
Upgrade the Docker base image to 1.2.0

Upgrade

v1.2.0

20 Mar 2024

IMPROVEMENT

Improvements:

Added 'start_time' in config file for alerts service
Added logs

Initial version