Skip to main content

Cortex XDR

Cortex XDR is supported starting with App/Add-on 7.0.0.

Cortex XDR is cloud-hosted so logs are retrieved by Splunk using the Cortex XDR API's. Logs are pulled down in JSON format with sourcetype="pan:xdr_incident".

Create API Key in Cortex XDR

Use the instruction in the Cortex XDR Getting Started Guide to gain API access:

Use these values to generate the API key:

Security LevelRole

This action will provide you a Key and Key ID. The Key be shown only once, so make sure to record it or you'll need to re-create the Key.

Create Cortex XDR Input and add Key to Splunk

In Splunk, navigate to the Palo Alto Networks Add-on.


Within the Add-on, click the Input tab at the top left. Then click Create New Input and select Cortex XDR.


In the dialog window, enter the following:

NameAny friendly name (eg. "cortex_xdr")
IntervalFrequency in seconds to check for new logs (60 seconds recommended)
IndexThe index in which to put the Cortex XDR incidents
Tenant NameFound in the hostname when accessing Cortex XDR. (eg. https:// <tenantname>.xdr. <tenantregion>
API Key IDEnter Key ID
API KeyEnter Key

Then click Add to save the modular input.


After waiting the interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:


You should see some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in Cortex XDR to generate logs, and try the Troubleshooting Guide.