Overview

Cortex XDR is a cybersecurity platform developed by Palo Alto Networks that integrates multiple security functions into a single platform. It is designed to detect, investigate, and respond to advanced threats across endpoints, networks, and cloud environments. Extended Detection and Response (XDR) integrates data from various sources, including endpoints, networks, cloud environments, and third-party products, to provide comprehensive threat detection and response capabilities.

Integration overview

The data is collected by a Devo collector that can run on the Devo Collector Server or stand-alone in a Docker container, and is sent to and stored in the Devo platform in the tables listed below.

Cortex XDR exposes REST API resources from which the collector extracts data:

Resource type: Incidents

Definition: Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.

  • Filters are combined with the AND condition (OR is not supported).

  • The maximum result set size is 100.

  • Offset is the zero-based number of incidents from the start of the result set.

You can request all results or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Devo table:

  • edr.cortex_xdr.incidents

You can override this table with the tag parameter in the incidents module definition.

Resource type: Alerts

Definition: Get the extra data fields of a specific incident, including its alerts and key artifacts.

  • Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

The API is rate limited to 10 requests per minute.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Devo table:

  • edr.cortex_xdr.alerts

You can override this table with the alert_tag parameter in the incidents module definition.

Resource type: Alert multi-events

Definition: Get a list of alerts with multiple events.

  • Filters are combined with the AND condition (OR is not supported).

  • The maximum result set size is 100.

  • Offset is the zero-based number of alerts from the start of the result set.

  • Cortex XDR indicates in the API response whether a PAN NGFW type alert contains a PCAP triggering packet.

You can request all results or filtered results.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

Devo tables:

  • edr.cortex_xdr.alerts_multi

  • edr.cortex_xdr.alerts_multi_event

You can override these tables with the alert_tag and event_tag parameters in the alerts module definition.
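The incidents resource above is pulled the way any incremental collector pulls a paged, offset-based API: walk the result set in pages of at most 100 using the zero-based offset, use a single ANDed modification-time filter as the start_time watermark, and deduplicate what was already forwarded. The following is an added example written for this page, not the Devo collector's own code. The page only states the endpoint path, the offset semantics, the 100-record page size and the AND-only filters; the request layout (request_data with search_from/search_to), the reply layout (reply.incidents) and the header names (x-xdr-auth-id, Authorization) follow the public Cortex XDR API and are assumptions here, and the endpoint used for the demonstration is a constructed fake so the example runs offline.

```python
"""Incremental, paged pull of Cortex XDR incidents with deduplication.

Added example, not the Devo collector's own code. Request/response layout and
header names are assumptions taken from the public Cortex XDR API; the page
itself only states the endpoint path, the zero-based offset, the 100-record
page size, the AND-only filters and the start_time watermark.
"""
from typing import Callable, Dict, List, Set, Tuple

PAGE_SIZE = 100  # maximum result set size per request, as stated on the page

Json = Dict[str, object]
# Transport hook: (url, headers, json body) -> decoded JSON reply. In production this
# would wrap requests.post(...).json(); it is injected so the example runs offline.
Poster = Callable[[str, Dict[str, str], Json], Json]


def build_headers(api_key_id: str, api_key: str) -> Dict[str, str]:
    """Auth headers (assumed names). Both values are secrets: keep them out of logs."""
    return {"x-xdr-auth-id": api_key_id,
            "Authorization": api_key,
            "Content-Type": "application/json"}


def build_body(since_ms: int, offset: int) -> Json:
    """One page of the query. Filters are ANDed by the API, so a single
    modification_time >= start_time filter is the incremental watermark;
    sorting ascending keeps the watermark monotone across pages."""
    return {"request_data": {
        "filters": [{"field": "modification_time", "operator": "gte", "value": since_ms}],
        "search_from": offset,              # zero-based offset into the result set
        "search_to": offset + PAGE_SIZE,    # exclusive end, at most 100 per page
        "sort": {"field": "modification_time", "keyword": "asc"},
    }}


def fetch_incidents(post: Poster, api_fqdn: str, api_key_id: str, api_key: str,
                    since_ms: int, seen: Set[Tuple[str, int]]) -> Tuple[List[Json], int]:
    """Walk every page since `since_ms`; return the incidents not forwarded before
    and the new watermark. `seen` is the persisted dedup state keyed on incident id
    plus modification time, so an updated incident is forwarded again while an
    unchanged one re-read at the watermark boundary is not."""
    url = f"{api_fqdn}/public_api/v1/incidents/get_incidents"
    headers = build_headers(api_key_id, api_key)
    fresh: List[Json] = []
    watermark = since_ms
    offset = 0
    while True:
        reply = post(url, headers, build_body(since_ms, offset)).get("reply", {})
        page = reply.get("incidents", [])
        for inc in page:
            key = (str(inc["incident_id"]), int(inc["modification_time"]))
            watermark = max(watermark, key[1])
            if key not in seen:
                seen.add(key)
                fresh.append(inc)
        if len(page) < PAGE_SIZE:   # short page => result set exhausted
            return fresh, watermark
        offset += PAGE_SIZE


class FakeCortexEndpoint:
    """Constructed stand-in for get_incidents: applies the modification_time filter
    and the offset window exactly as the page describes, and counts requests."""
    def __init__(self, store: List[Json]) -> None:
        self.store = store
        self.calls = 0

    def __call__(self, url: str, headers: Dict[str, str], body: Json) -> Json:
        self.calls += 1
        rd = body["request_data"]
        since = rd["filters"][0]["value"]
        rows = sorted((r for r in self.store if r["modification_time"] >= since),
                      key=lambda r: r["modification_time"])
        window = rows[rd["search_from"]:rd["search_to"]]
        return {"reply": {"total_count": len(rows), "result_count": len(window),
                          "incidents": window}}


def sample_store(n: int = 250, base_ms: int = 1_700_000_000_000) -> List[Json]:
    """Constructed sample data: n incidents one second apart."""
    return [{"incident_id": str(i), "modification_time": base_ms + i * 1000,
             "severity": "low"} for i in range(n)]


if __name__ == "__main__":
    endpoint = FakeCortexEndpoint(sample_store())
    state: Set[Tuple[str, int]] = set()
    first, wm = fetch_incidents(endpoint, "https://api-example.invalid", "id", "key", 0, state)
    again, _ = fetch_incidents(endpoint, "https://api-example.invalid", "id", "key", wm, state)
    print(f"first cycle: {len(first)} incidents in {endpoint.calls} requests, watermark {wm}")
    print(f"second cycle: {len(again)} new incidents (boundary record deduplicated)")
```

Persist both the watermark and the `seen` set between cycles (that is what the collector's state/ directory is for); with a `gte` filter the record sitting exactly at the watermark is re-read every cycle, and the dedup key is what stops it being forwarded twice. The incident extra-data endpoint is rate limited to 10 requests per minute, so calls to it must be paced separately from this listing loop.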

Vendor configuration

To pull the logs from the Cortex XDR endpoint you need this information:

  • URL API FQDN: the service address of the Cortex XDR installation.

  • API_KEY: your API key.

  • API_ID: your API key ID.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).

The Collector Server is a managed platform that allows running sets of different collectors grouped by Devo domain destinations.

To run an instance of this data collector, follow these steps:

  1. In the Collector Server GUI, access the domain where you want to create this instance, click Add Collector, search for “Cortex XDR - Integrations Factory”, then click on the result.

  2. In the Version field, select the latest value.

  3. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  4. In the Parameters section, set the Collector Parameters as described below.

Collector services detail

Replace the placeholders <api_key_value>, <api_key_id_value>, and <api_fqdn_value> in the next section with the values obtained in the previous sections of this document; <short_unique_identifier> can take any value you choose. Do not substitute the occurrences of {api_fqdn}: that token is filled in from the api_fqdn value.

{
  "cortex_xdr": {
    "id": 1,
    "enabled": true,
    "credentials": {
      "api_key": "<api_key_value>",
      "api_key_id": "<api_key_id_value>"
    },
    "services": {
      "incidents": {
        "api_fqdn": "<api_fqdn_value>",
        "api_endpoint": "{api_fqdn}/public_api/v1/incidents/get_incidents",
        "incident_extra_data_endpoint": "{api_fqdn}/public_api/v1/incidents/get_incident_extra_data",
        "tag": "<opt_tag_value>",
        "alert_tag": "<opt_alert_tag_value>",
        "request_period_in_seconds": "<opt_request_period_in_seconds_value>",
        "start_time": "<opt_start_time>"
      },
      "alerts": {
        "api_fqdn": "<api_fqdn_value>",
        "api_endpoint": "{api_fqdn}/public_api/v1/alerts/get_alerts_multi_events",
        "alert_tag": "<opt_alert_tag_value>",
        "event_tag": "<opt_event_tag_value>",
        "request_period_in_seconds": "<opt_request_period_in_seconds_value>",
        "start_time": "<opt_start_time>"
      }
    }
  }
}

The value chosen for the id field is used internally to give each instance its own independent persistence area.

This section explains how to proceed with specific actions for the services.

This data collector can run on any machine that has the Docker service available, since it is executed as a Docker container. The following sections explain how to prepare the setup required to run the data collector.

Structure

Create the following directory structure before running the collector:

<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/
            └── config.yaml

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.


Replace <product_name> with the proper value.

Editing the config.yaml file

globals:
  debug: false
  id: not_used
  name: cortex_xdr
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io
      port: 443
      type: SSL
      chain: chain.crt
      cert: <devo_domain>.crt
      key: <devo_domain>.key
  console_1:
    type: console

inputs:
  cortex_xdr:
    id: <short_unique_id>
    enabled: true
    credentials:
      api_key: <api_key_value>
      api_key_id: <api_key_id_value>
    services:
      incidents:
        request_period_in_seconds: <request_period_in_seconds_value> # optional
        start_time: <start_time_value> # optional, e.g. 2024-01-01T01:50:00Z
        api_fqdn: <api_fqdn_value>
        api_endpoint: <api_endpoint_value> # {api_fqdn}/public_api/v1/incidents/get_incidents
        incident_extra_data_endpoint: <incident_extra_data_endpoint_value> # {api_fqdn}/public_api/v1/incidents/get_incident_extra_data
      alerts:
        start_time: <start_time_value> # optional, e.g. 2024-01-01T01:50:00Z
        request_period_in_seconds: <request_period_in_seconds_value> # optional
        api_fqdn: <api_fqdn_value>
        api_endpoint: <api_endpoint_value> # {api_fqdn}/public_api/v1/alerts/get_alerts_multi_events

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image: collector-cortex_xdr_if-docker-image-1.4.0

SHA-256 hash: 84f0a7a60aa6c771d103e577070494d39068dc73c9f1d962aebce92f9db7c248

Use the following command to add the Docker image to the system:

gunzip -c <image_file>-<version>.tgz | docker load

When the image is imported, docker load prints the real name of the Docker image (including its version tag). Replace <image_file> and <version> with the proper values.
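Before piping the tarball into docker load, check it against the SHA-256 published in the table above, and before starting the container make sure config.yaml has no <placeholders> left in it and that certs/ holds the three files the directory layout expects. The following pre-flight script is an added example, not Devo's tooling. The hash, file names and directory layout are the ones on this page; the {api_fqdn} token is deliberately not treated as a placeholder because the page says not to substitute it; the sample YAML fragment is constructed.

```python
"""Pre-flight checks before `docker load` / `docker run` for the collector.

Added example, not Devo's tooling. Verifies the downloaded image tarball against
the SHA-256 published on the page, flags <placeholders> left in config.yaml
(the {api_fqdn} token is legitimate and ignored) and checks that certs/ holds
chain.crt, <your_domain>.crt and <your_domain>.key.
"""
import hashlib
import hmac
import re
from pathlib import Path
from typing import Iterable, List

# Published hash for collector-cortex_xdr_if-docker-image-1.4.0 (from the page's table).
PUBLISHED_IMAGE_SHA256 = "84f0a7a60aa6c771d103e577070494d39068dc73c9f1d962aebce92f9db7c248"

# <name> placeholders as used in the page's config templates; {api_fqdn} does not match.
PLACEHOLDER = re.compile(r"<[A-Za-z_][A-Za-z0-9_]*>")


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the digest of `data` with the expected hex string."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def image_hash_ok(tgz_path: str, expected_hex: str = PUBLISHED_IMAGE_SHA256) -> bool:
    """Hash a (possibly large) image tarball in chunks and compare with the published value.
    Run this on the .tgz before piping it into `docker load`."""
    digest = hashlib.sha256()
    with open(tgz_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex.strip().lower())


def unreplaced_placeholders(config_text: str) -> List[str]:
    """Distinct <placeholders> still present in config.yaml text, sorted."""
    return sorted(set(PLACEHOLDER.findall(config_text)))


def missing_cert_files(names: Iterable[str]) -> List[str]:
    """Given the file names in certs/, report what the expected layout
    (chain.crt, <your_domain>.crt, <your_domain>.key) is missing."""
    present = set(names)
    problems: List[str] = []
    if "chain.crt" not in present:
        problems.append("chain.crt")
    if not any(n.endswith(".crt") and n != "chain.crt" for n in present):
        problems.append("<your_domain>.crt")
    if not any(n.endswith(".key") for n in present):
        problems.append("<your_domain>.key")
    return problems


def preflight(collector_dir: str, image_tgz: str) -> List[str]:
    """Run every check against <any_directory>/devo-collectors/<product_name>/.
    An empty list means the deployment can proceed."""
    root = Path(collector_dir)
    findings: List[str] = []
    if not image_hash_ok(image_tgz):
        findings.append(f"image hash mismatch: {image_tgz}")
    cfg = root / "config" / "config.yaml"
    if cfg.is_file():
        for ph in unreplaced_placeholders(cfg.read_text(encoding="utf-8")):
            findings.append(f"placeholder not replaced in config.yaml: {ph}")
    else:
        findings.append("config/config.yaml not found")
    certs = root / "certs"
    listing = [p.name for p in certs.iterdir()] if certs.is_dir() else []
    findings.extend(f"certs/ is missing {m}" for m in missing_cert_files(listing))
    return findings


# Constructed sample: a config fragment with one placeholder still in place.
SAMPLE_CONFIG = """\
inputs:
  cortex_xdr:
    credentials:
      api_key: <api_key_value>
      api_key_id: 42
    services:
      incidents:
        api_endpoint: "{api_fqdn}/public_api/v1/incidents/get_incidents"
"""

if __name__ == "__main__":
    print(unreplaced_placeholders(SAMPLE_CONFIG))           # ['<api_key_value>']
    print(missing_cert_files(["chain.crt", "example.crt"]))  # ['<your_domain>.key']
```

Run `preflight("/path/to/devo-collectors/<product_name>", "/path/to/<image_file>-<version>.tgz")` and only continue to docker load and docker run when it returns an empty list; a hash mismatch means the tarball is not the one the table publishes and must not be loaded.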

The Docker image can be deployed on the following services:

Docker

Execute the following command from the root directory <any_directory>/devo-collectors/<product_name>/:

docker run \
  --name collector-<product_name> \
  --volume "$PWD/certs:/devo-collector/certs" \
  --volume "$PWD/config:/devo-collector/config" \
  --volume "$PWD/state:/devo-collector/state" \
  --env CONFIG_FILE=config.yaml \
  --rm \
  --interactive \
  --tty \
  <image_name>:<version>

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

IMAGE_VERSION=<version> docker-compose up -d

Replace <product_name>, <image_name> and <version> with the proper values.

Change log

v1.4.0

Recommendation: Recommended version

Improvements:

  • Added start_time as an optional parameter for both services.

  • Added deduplication logic for both services.

  • Updated the Docker image base to version v1.3.0 in the Dockerfile.

  • Updated DCSDK from v1.11.1 to v1.12.4:

    • Added new sender for relay in house + TLS

    • Added persistence functionality for the gzip sending buffer

    • Added automatic activation of gzip sending

    • Improved behaviour when persistence fails

    • Upgraded DevoSDK dependency

    • Fixed console log encoding

    • Restructured Python classes

    • Improved behaviour with non-UTF-8 characters

    • Decreased default size value for internal queues (Redis limitation, from 1GiB to 256MiB)

    • New persistence format/structure (compression in some cases)

    • Removed dmesg execution (it was invalid for Docker execution)

    • Applied changes to make DCSDK compatible with macOS

    • DevoSDK has been updated to version 5.4.0

v1.3.0

Recommendation: Upgrade

Improvements:

  • Upgraded DC SDK to the latest version, 1.11.1

  • Upgraded the Docker base image to 1.2.0

v1.2.0

Initial version

Improvements:

  • Added start_time in the config file for the alerts service

  • Added logs