Cortex XDR is supported starting with App/Add-on 7.0.0.
IoT Security is cloud-hosted, so Splunk retrieves its logs through the IoT Security logging API. Logs are pulled down in JSON format with sourcetype="pan:iot_alert" and sourcetype="pan:iot_device", and are tagged with eventtype="pan_iot_device" and eventtype="pan_iot_alert".
Create API Key in Cortex XDR
Use the instruction in the Cortex XDR Getting Started Guide to gain API access:
Use these values to generate the API key:
This action will provide you a Key and Key ID. The Key will be shown only once, so make sure to record it or you'll need to re-create the Key.
Create Cortex XDR Input and add Key to Splunk
In Splunk, navigate to the Palo Alto Networks Add-on.
Within the Add-on, click the Input tab at the top left. Then click Create New Input and select Cortex XDR.
In the dialog window, enter the following:
| Field | Value |
|---|---|
| Name | Any friendly name (e.g. "cortex_xdr") |
| Interval | Frequency in seconds to check for new logs (60 seconds recommended) |
| Index | The index in which to put the Cortex XDR incidents |
| Tenant Name | Found in the hostname when accessing Cortex XDR (e.g. https://<tenantname>.xdr.<tenantregion>.paloaltonetworks.com) |
| API Key ID | Enter Key ID |
| API Key | Enter Key |
Then click Add to save the modular input.
After the configured interval has elapsed, check that logs are coming into Splunk by clicking Search at the top and entering this search:
You should see some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in Cortex XDR to generate logs, and try the Troubleshooting Guide.
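When nothing shows up after the interval, the most common cause is a Key/Key ID pair that does not authenticate (wrong key, wrong key type, or a key pasted from the wrong tenant). The script below is an added example, not code from the add-on or from Palo Alto Networks: it sends one empty incident query to the Cortex XDR public API with the same Key and Key ID you entered in the modular input, so you can tell an API-key problem apart from a Splunk-side problem. Everything beyond the page's own values is an assumption stated in the comments: the `api-<tenantname>.xdr.<tenantregion>` host pattern, the `get_incidents` endpoint and its `request_data` body, and the header scheme for Standard versus Advanced keys.

```python
"""
Added example (not part of the add-on's documentation): confirm that a Cortex XDR
API Key / Key ID pair authenticates before relying on it in the Splunk input.

Assumptions, none of which come from the page:
  - API host pattern: https://api-<tenantname>.xdr.<tenantregion>.paloaltonetworks.com
  - Endpoint /public_api/v1/incidents/get_incidents/ accepts {"request_data": {}}
  - Standard key: Authorization carries the raw key
  - Advanced key: Authorization carries sha256(key + nonce + millisecond timestamp)
"""
import hashlib
import json
import secrets
import string
import time
import urllib.error
import urllib.request


def build_headers(key_id, api_key, advanced=False, nonce=None, timestamp_ms=None):
    """Return the HTTP headers for a Standard (default) or Advanced Cortex XDR key."""
    headers = {
        "x-xdr-auth-id": str(key_id),
        "Content-Type": "application/json",
    }
    if not advanced:
        headers["Authorization"] = api_key
        return headers
    # Advanced keys never put the raw key on the wire: the Authorization value is a
    # SHA-256 over key + nonce + timestamp, so a captured request is not replayable
    # once the server's timestamp window has passed.
    if nonce is None:
        alphabet = string.ascii_letters + string.digits
        nonce = "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    material = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    headers.update({
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "Authorization": hashlib.sha256(material).hexdigest(),
    })
    return headers


def api_base_url(tenant_name, tenant_region):
    """Assumed API FQDN built from the same Tenant Name/region the Splunk input asks for."""
    return f"https://api-{tenant_name}.xdr.{tenant_region}.paloaltonetworks.com"


def check_key(tenant_name, tenant_region, key_id, api_key, advanced=False, timeout=15):
    """POST an empty incident query. Returns (http_status, total_count or error text)."""
    url = api_base_url(tenant_name, tenant_region) + "/public_api/v1/incidents/get_incidents/"
    body = json.dumps({"request_data": {}}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers=build_headers(key_id, api_key, advanced))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            reply = json.load(resp)
            return resp.status, reply.get("reply", {}).get("total_count")
    except urllib.error.HTTPError as exc:
        # 401 almost always means a wrong Key/Key ID, or a Standard key entered
        # where an Advanced key was generated (or vice versa).
        return exc.code, exc.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholders: substitute the tenant values and the Key/Key ID from the console.
    status, detail = check_key("TENANT_NAME", "TENANT_REGION", "KEY_ID", "API_KEY")
    print(status, detail)
```

A 200 with a numeric `total_count` (zero is fine) means the key is valid and the remaining suspects are the Splunk input itself (interval, index, tenant name) or simply an empty incident list in Cortex XDR; a 401 means the key pair should be re-created and re-entered.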