edr.paloalto
Introduction
The tags beginning with edr.paloalto identify events generated by Palo Alto Cortex XDR services.
Tag structure
The full tag must have three levels. The first two are fixed as edr.paloalto. The third level identifies the type of event sent and can be set either to cortex_xdr or cortex_xdr_agent:
Technology | Brand | Type |
---|---|---|
edr | paloalto | cortex_xdr or cortex_xdr_agent |
Therefore, the valid tags and tables include:
edr.paloalto.cortex_xdr
edr.paloalto.cortex_xdr_agent
How is the data sent to Devo?
You can send your events to Devo using the Devo Relay by configuring the following rules. Both rules listen on the same source port; they differ only in the Device Product field of the CEF header that the Source data expression matches (Cortex XDR versus Cortex XDR Agent), so each incoming line is routed to exactly one tag. Learn how to configure rules for your relay in Defining a relay rule.
Relay rule 1 - edr.paloalto.cortex_xdr events
After setting up your relay, define a new rule using the following configuration:
Parameter | Value |
---|---|
Source port | 13005 |
Source data | (CEF:[^\|]*\|[^\|]*\|Cortex XDR\|.*)$ |
Target message | \\D1 |
Target tag | edr.paloalto.cortex_xdr |
Stop processing | ✓ |
Send without syslog tag | ✓ |
Relay rule 2 - edr.paloalto.cortex_xdr_agent events
After setting up your relay, define a new rule using the following configuration:
Parameter | Value |
---|---|
Source port | 13005 |
Source data | (CEF:[^\|]*\|[^\|]*\|Cortex XDR Agent\|.*)$ |
Target message | \\D1 |
Target tag | edr.paloalto.cortex_xdr_agent |
Stop processing | ✓ |
Send without syslog tag | ✓ |
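The two relay rules above are plain regular expressions, so they can be checked offline before the relay is touched. The following is an added example, not Devo's relay code or Palo Alto's: it applies the two Source data expressions, in order and with stop-on-first-match semantics, to a few constructed syslog lines carrying CEF records, returns the target tag and the `\\D1` capture (the CEF record with the syslog prefix stripped), and splits the CEF header so you can see which product string drove the decision. The sample lines, their field values and the `route`/`cef_header` helper names are assumptions made for this example.

```python
"""Offline check of the two edr.paloalto relay rules against constructed
CEF sample lines (added example, not Devo's relay implementation)."""
import re

# Source data patterns copied from the rule tables, paired with their target
# tag. Both rules share a source port and have "Stop processing" set, so the
# first rule whose pattern matches wins and later rules are not evaluated.
RELAY_RULES = [
    (re.compile(r"(CEF:[^\|]*\|[^\|]*\|Cortex XDR\|.*)$"),
     "edr.paloalto.cortex_xdr"),
    (re.compile(r"(CEF:[^\|]*\|[^\|]*\|Cortex XDR Agent\|.*)$"),
     "edr.paloalto.cortex_xdr_agent"),
]

# Constructed sample lines: a syslog prefix followed by a CEF record, in the
# shape a syslog collector would receive. Values are illustrative only.
SAMPLE_LINES = [
    "<14>Jan  1 00:00:01 xdr-collector CEF:0|Palo Alto Networks|Cortex XDR"
    "|3.0|Alert|Suspicious process|8|rt=1700000000000 dvchost=ws-0042",
    "<14>Jan  1 00:00:02 xdr-collector CEF:0|Palo Alto Networks|Cortex XDR Agent"
    "|7.9|Agent Status|Agent connected|2|rt=1700000001000 dvchost=ws-0042",
    "<14>Jan  1 00:00:03 other-host CEF:0|Example Corp|Other Product"
    "|1.0|100|Unrelated event|3|rt=1700000002000",
]


def route(line):
    """Apply the relay rules in order to one received line.

    Returns (target_tag, target_message) for the first matching rule, or
    None when no rule matches (the relay would then not tag the line as
    edr.paloalto at all).
    """
    for pattern, tag in RELAY_RULES:
        match = pattern.search(line)
        if match:
            # Target message is capture group 1 (the rule table's \\D1):
            # everything from "CEF:" to end of line, syslog prefix dropped.
            return tag, match.group(1)
    return None


def cef_header(message):
    """Split the seven CEF header fields of a routed message.

    CEF escapes a literal pipe inside a header field as backslash-pipe; the
    split honours that escape so such fields are not cut short. The
    extension tail (key=value pairs) is returned raw.
    """
    fields = re.split(r"(?<!\\)\|", message, maxsplit=7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % message[:40])
    keys = ("version", "vendor", "product", "product_version",
            "signature_id", "name", "severity", "extension")
    header = dict(zip(keys, fields))
    header["version"] = header["version"][len("CEF:"):]
    return header


def route_all(lines):
    """Route a batch of lines.

    Returns ({tag: [parsed CEF headers]}, number_of_unmatched_lines).
    """
    routed = {}
    unmatched = 0
    for line in lines:
        result = route(line)
        if result is None:
            unmatched += 1
            continue
        tag, message = result
        routed.setdefault(tag, []).append(cef_header(message))
    return routed, unmatched


if __name__ == "__main__":
    routed, unmatched = route_all(SAMPLE_LINES)
    for tag, headers in routed.items():
        for h in headers:
            print("%-30s product=%r name=%r" % (tag, h["product"], h["name"]))
    print("unmatched lines:", unmatched)
```

Two things worth noticing when you run this: rule 1 does not match the agent line even though "Cortex XDR" is a prefix of "Cortex XDR Agent", because the expression requires a literal pipe immediately after "Cortex XDR", so the order of the two rules does not matter. The relay expressions also use `[^\|]*` for the version and vendor fields, which stops at the first pipe without regard to CEF's backslash escape; that is harmless here because neither "Palo Alto Networks" nor the version field contains a pipe, but it is something to keep in mind if you adapt these rules to another product.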