Collect Palo Alto Cortex XDR alerts logs
This document describes how you can collect Palo Alto Cortex XDR alerts logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the CORTEX_XDR
ingestion label.
Configure Palo Alto Cortex XDR alerts
To configure Palo Alto Cortex XDR alerts, complete the following tasks:
- Get the Palo Alto Cortex XDR alerts API key.
- Get the Palo Alto Cortex XDR alerts API key ID.
- Get the fully qualified domain name (FQDN).
Get the Palo Alto Cortex XDR alerts API key
- Sign in to the Cortex XDR portal.
- In the Settings menu, click Settings.
- Select +New key.
- In the Security level section, select Advanced.
- In the Roles section, select Viewer.
- Click Generate.
- Copy the API key, and then click Done. The API key represents your unique authorization key and is displayed only at the time of creation. It is required when you configure the Google Security Operations feed.
Get the Palo Alto Cortex XDR alerts API key ID
In the Configurations section, navigate to API keys > ID. Note your
corresponding ID number, which represents the x-xdr-auth-id:{key_id}
token.
Get FQDN
- Navigate to API keys.
- Click Copy URL. Save the URL, which is required when you configure the Google Security Operations feed.
Configure a feed in Google Security Operations to ingest Palo Alto Cortex XDR alerts logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- Enter a unique name for the Field Name.
- Select Third party API as the Source Type.
- Select Palo Alto Cortex XDR Alerts as the Log Type.
- Click Next.
- Configure the following mandatory input parameters:
- Authentication HTTP headers: provide the authorization key and authorization key ID that you obtained previously.
- API hostname: provide the URL that you obtained previously.
- Endpoint: specify the endpoint.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser extracts security logs from Palo Alto Networks Cortex XDR in either JSON or SYSLOG (key-value) format, normalizes fields, and maps them to the UDM. It handles both JSON and key-value formats, performs date extraction, enriches the data with metadata, and structures the output for ingestion into Google SecOps.
Enable REST API requests on Cortex XDR and configure a Google SecOps feed
This guide provides step-by-step instructions for enabling REST API requests on Cortex XDR and configuring a corresponding feed in Google SecOps.
Part 1: Enable REST API requests on Cortex XDR
Cortex XDR uses API keys for authentication. Follow these steps to generate an API key:
- Log in to the Cortex XDR management console.
- Go to Settings.
- Access API Keys.
- Generate a new key.
- Provide a key name (for example, "SecOps Integration").
- Assign the API key the necessary permissions to access the required data. This is crucial for security and ensures the key only has access to what it needs. Consult the Cortex XDR documentation for the specific permissions required for your use case.
- Securely store the API key. You will need it for the Google SecOps feed configuration. This is the only time you will see the full key, so make sure to copy it now.
- (Optional) Configure an expiration date for the API key for enhanced security.
Part 2: Configure the feed in Google SecOps
After you generate the API key, configure the feed in Google SecOps to receive data from Cortex XDR:
- Go to SIEM Settings > Feeds.
- Click Add new.
- Select Third Party API as the Source type.
- Select the required log type that corresponds to the data you want to ingest from Cortex XDR.
- Click Next.
- Configure the following input parameters:
- API Endpoint: Enter the base URL for the Cortex XDR API. This can be found in the Cortex XDR API documentation.
- API Key: Paste the API key that you generated earlier.
- Other Parameters: Depending on the specific Cortex XDR API that you are using, you might need to provide additional parameters, such as specific data filters or time ranges. Refer to the Cortex XDR API documentation for details.
- Click Next and then click Submit.
Important considerations:
- Rate limiting: Be aware of any rate limits imposed by the Cortex XDR API. Configure the feed accordingly to avoid exceeding these limits.
- Error handling: Implement proper error handling in your Google SecOps configuration to manage situations where the Cortex XDR API is unavailable or returns errors.
- Security: Securely store the API key and follow security best practices. Regularly rotate API keys to minimize the impact of potential compromises.
- Documentation: Refer to the official Cortex XDR API documentation for detailed information on available endpoints, parameters, and data formats.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
action |
security_result.action |
If action contains "BLOCKED", set to "BLOCK". |
action |
security_result.action_details |
If act is not empty, null or "none", use the value of act . Otherwise, if action is not "BLOCKED", use the value of action . |
action_country |
security_result.about.location.country_or_region |
Direct mapping. Also used in nested events field. |
action_file_path |
target.resource.attribute.labels |
Creates a label with key "action_file_path" and value from the log field. |
action_file_sha256 |
target.file.sha256 |
Converts to lowercase. |
action_local_port |
principal.port |
Converts to integer. |
action_remote_ip |
target.ip |
Merged into the target.ip array. |
action_remote_ip |
target.asset.ip |
Merged into the target.asset.ip array. |
action_remote_port |
target.port |
Converts to integer. |
act |
security_result.action_details |
Used if not empty, null, or "none". |
agent_data_collection_status |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
agent_device_domain |
target.administrative_domain |
Direct mapping. |
agent_fqdn |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
agent_install_type |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
agent_is_vdi |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
agent_os_sub_type |
target.platform_version |
Direct mapping. |
agent_os_type |
target.platform |
If "Windows", set to "WINDOWS". |
agent_version |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
alert_id |
security_result.rule_id |
Direct mapping. |
app |
target.application |
Direct mapping. |
cat |
security_result.category_details |
Merged into the security_result.category_details field. |
category |
security_result.category |
If "Malware", set to "SOFTWARE_MALICIOUS". |
category |
security_result.category_details |
Merged into the security_result.category_details field. |
cn1 |
network.session_id |
Direct mapping. |
cn1Label |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
contains_featured_host |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
contains_featured_ip |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
contains_featured_user |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
creation_time |
metadata.event_timestamp |
Converted to timestamp. |
cs1 |
security_result.rule_name |
Concatenated with cs1Label to form the security_result.rule_name . |
cs1Label |
security_result.rule_name |
Concatenated with cs1 to form the security_result.rule_name . |
cs2 |
additional.fields |
Creates a key-value pair in additional.fields with key from cs2Label and string value from cs2 . |
cs2Label |
additional.fields |
Used as the key for the cs2 value in additional.fields . |
cs3 |
additional.fields |
Creates a key-value pair in additional.fields with key from cs3Label and string value from cs3 . |
cs3Label |
additional.fields |
Used as the key for the cs3 value in additional.fields . |
cs4 |
additional.fields |
Creates a key-value pair in additional.fields with key from cs4Label and string value from cs4 . |
cs4Label |
additional.fields |
Used as the key for the cs4 value in additional.fields . |
cs5 |
additional.fields |
Creates a key-value pair in additional.fields with key from cs5Label and string value from cs5 . |
cs5Label |
additional.fields |
Used as the key for the cs5 value in additional.fields . |
cs6 |
additional.fields |
Creates a key-value pair in additional.fields with key from cs6Label and string value from cs6 . |
cs6Label |
additional.fields |
Used as the key for the cs6 value in additional.fields . |
CSPaccountname |
additional.fields |
Creates a key-value pair in additional.fields with key "CSPaccountname" and string value from the log field. |
description |
metadata.description |
Direct mapping. Also used for security_result.description if event_type is not GENERIC_EVENT. |
destinationTranslatedAddress |
target.ip |
Merged into the target.ip array. |
destinationTranslatedAddress |
target.asset.ip |
Merged into the target.asset.ip array. |
destinationTranslatedPort |
target.port |
Converted to integer if not empty or -1. |
deviceExternalId |
security_result.about.asset_id |
Prefixed with "Device External Id: ". |
dpt |
target.port |
Converted to integer if destinationTranslatedPort is empty or -1. |
dst |
target.ip |
Merged into the target.ip array. |
dst |
target.asset.ip |
Merged into the target.asset.ip array. |
dst_agent_id |
target.ip |
Converted to IP address and merged into the target.ip array if valid IP. |
dst_agent_id |
target.asset.ip |
Converted to IP address and merged into the target.asset.ip array if valid IP. |
dvchost |
principal.hostname |
Direct mapping. |
dvchost |
principal.asset.hostname |
Direct mapping. |
endpoint_id |
target.process.product_specific_process_id |
Prefixed with "cor:". |
event_id |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
event_sub_type |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
event_timestamp |
metadata.event_timestamp |
Converted to timestamp. Also used in nested events field. |
event_type |
metadata.event_type |
Mapped to a UDM event type based on logic. Also used in nested events field. |
event_type |
metadata.product_event_type |
Direct mapping. |
event_type |
security_result.threat_name |
Direct mapping. |
events |
Nested Events | Fields within the events array are mapped to corresponding UDM fields within nested events objects. See individual field mappings for details. |
external_id |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fileId |
target.resource.attribute.labels |
Creates a label with key "fileId" and value from the log field. |
fileHash |
target.file.sha256 |
Converted to lowercase. Sets metadata.event_type to FILE_UNCATEGORIZED. |
filePath |
target.file.full_path |
Direct mapping. Sets metadata.event_type to FILE_UNCATEGORIZED. |
fw_app_category |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_app_id |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_app_subcategory |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_app_technology |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_device_name |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_email_recipient |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_email_sender |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_email_subject |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_interface_from |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_interface_to |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_is_phishing |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_misc |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_rule |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_rule_id |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_serial_number |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_url_domain |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_vsys |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
fw_xff |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
host_ip |
principal.ip |
Split by comma and merged into the principal.ip array. |
host_ip |
principal.asset.ip |
Split by comma and merged into the principal.asset.ip array. |
host_name |
principal.hostname |
Direct mapping. |
host_name |
principal.asset.hostname |
Direct mapping. |
hosts |
target.hostname |
Extracts hostname from the first element of the hosts array. |
hosts |
target.asset.hostname |
Extracts hostname from the first element of the hosts array. |
hosts |
target.user.employee_id |
Extracts user ID from the first element of the hosts array. |
incident_id |
metadata.product_log_id |
Direct mapping. |
is_whitelisted |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
local_insert_ts |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
mac |
principal.mac |
Split by comma and merged into the principal.mac array. |
matching_status |
Not Mapped | Although present in the raw log, this field is not mapped to the IDM object in the final UDM. |
metadata.description |
security_result.description |
Used if event_type is GENERIC_EVENT. |
metadata.event_type |
metadata.event_type |
Set based on logic using event_type , host_ip , and other fields. |
metadata.log_type |
metadata.log_type |
Set to "CORTEX_XDR". |
metadata.product_name |
metadata.product_name |
Set to "Cortex". |
metadata.vendor_name |
metadata.vendor_name |
Set to "Palo Alto Networks". |
msg |
security_result.description |
Direct mapping. |
name |
security_result.summary |
Direct mapping. |
PanOSDGHierarchyLevel1 |
security_result.detection_fields |
Creates a key-value pair in security_result.detection_fields with key "PanOSDGHierarchyLevel1" and value from the log field. |
PanOSDestinationLocation |
target.location.country_or_region |
Direct mapping. |
PanOSDynamicUserGroupName |
principal.group.group_display_name |
Direct mapping if not empty or "-". |
PanOSSourceLocation |
principal.location.country_or_region |
Direct mapping. |
PanOSThreatCategory |
security_result.category_details |
Merged into the security_result.category_details field. |
PanOSThreatID |
security_result.threat_id |
Direct mapping. |
principal.asset.attribute.labels |
principal.asset.attribute.labels |
Creates a label with key "Source" and value from the source field. |
proto |
network.ip_protocol |
Converted to uppercase. Sets metadata.event_type to NETWORK_CONNECTION. |
request |
network.http.referral_url |
Direct mapping. |
rt |
metadata.event_timestamp |
Converted to timestamp. |
security_result.severity |
security_result.severity |
Set to uppercase value of severity . |
severity |
security_result.severity |
Converted to uppercase. |
shost |
principal.hostname |
Direct mapping. Sets metadata.event_type to STATUS_UPDATE. |
shost |
principal.asset.hostname |
Direct mapping. Sets metadata.event_type to STATUS_UPDATE. |
source |
principal.asset.attribute.labels |
Used as the value for the "Source" label. |
source |
security_result.summary |
Used if not_json and grok filter matches. |
sourceTranslatedAddress |
principal.ip |
Merged into the principal.ip array. |
sourceTranslatedAddress |
principal.asset.ip |
Merged into the principal.asset.ip array. |
sourceTranslatedPort |
principal.port |
Converted to integer if not empty or -1. |
spt |
principal.port |
Converted to integer. |
sr_summary |
security_result.summary |
Used if not_json and grok filter matches. |
src |
principal.ip |
Merged into the principal.ip array. |
src |
principal.asset.ip |
Merged into the principal.asset.ip array. |
suser |
principal.user.user_display_name |
Direct mapping. |
tenantCDLid |
additional.fields |
Creates a key-value pair in additional.fields with key "tenantCDLid" and string value from the log field. |
tenantname |
additional.fields |
Creates a key-value pair in additional.fields with key "tenantname" and string value from the log field. |
users |
target.user.userid |
Uses the first element of the users array. |
xdr_url |
metadata.url_back_to_product |
Direct mapping. |
Changes
2024-07-05
- Mapped "isInteractive" to "security_result.detection_fields".
2024-04-02
- Mapped "properties.createdDateTime" to "metadata.event_timestamp".
- Mapped "properties.resourceServicePrincipalId" and "resourceServicePrincipalId" to "target.resource.attribute.labels".
- Mapped "properties.authenticationProcessingDetails", "authenticationProcessingDetails", and "properties.networkLocationDetails" to "additional.fields".
- Mapped "properties.userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "properties.authenticationRequirement" to "additional.fields".
2024-04-17
- Mapped "action_local_port" to "principal.port".
- Mapped "dst_agent_id" to "principal.ip".
- Mapped "action_remote_ip" to "target.ip".
- Mapped "action_remote_port" to "target.ip".
- Added check if "target_device" is present prior setting "metadata.event_type" to "NETWORK_CONNECTION".
2024-03-15
- Added a Grok to retrieve "source" and "sr_summary" from the message header.
- Mapped "sr_summary" to "security_result.summary".
2024-03-11
- Added support for CEF format logs.
- Mapped "rt" to "metadata.event_timestamp".
- Mapped "category" and "cat" to "security_result.category_details".
- Mapped "cs2Label", "cs2", "tenantname", "tenantCDLid", and "CSPaccountname" to "additional.fields".
- Mapped "shost" to "principal.hostname" and "principal.asset.hostname".
- Mapped "spt" to "principal.port".
- Mapped "src" to "principal.ip" and "principal.asset.ip".
- Mapped "suser" to "principal.user.user_display_name".
- Mapped "dpt" to "target.port".
- Mapped "dst" to "target.ip" and "target.asset.ip".
- Mapped "fileHash" to "target.file.sha256".
- Mapped "filePath" to "target.file.full_path".
- Mapped "request" to "network.http.referral_url".
- Mapped "msg" to "security_result.description".
2024-01-18
- Changed "action_file_path" mapping from "target.file.full_path" to "target.resource.attribute.labels".
- Mapped "domain" to "target.asset.hostname".
- Mapped "destinationTranslatedAddress" to "target.asset.ip".
- Mapped "host_name" to "principal.asset.hostname".
- Mapped "dvchost" to "principal.asset.hostname".
- Mapped "ip" to "principal.asset.ip".
- Mapped "sourceTranslatedAddress" to "principal.asset.ip".
2023-11-10
- When "event_type" is "RPC Call", then mapped "metadata.event_type" to "STATUS_UPDATE".
- Mapped "events.action_country" to "security_result.about.location.country_or_region".
- Mapped "events.actor_process_command_line" to "target.process.command_line".
- Mapped "events.actor_process_image_md5" to "target.file.md5".
- Mapped "events.actor_process_image_path" to "target.file.full_path".
- Mapped "events.actor_process_image_sha256" to "target.file.sha256".
- Mapped "events.actor_process_instance_id" to "target.process.pid".
- Mapped "events.os_actor_process_command_line" to "principal.process.command_line".
- Mapped "events.os_actor_process_image_path" to "principal.file.full_path".
- Mapped "events.os_actor_process_image_sha256" to "principal.file.sha256".
- Mapped "events.os_actor_process_instance_id" to "principal.process.pid".
- Mapped "events.causality_actor_process_command_line" to "intermediary.process.command_line".
- Mapped "events.causality_actor_process_image_path" to "intermediary.file.full_path".
- Mapped "events.causality_actor_process_image_sha256" to "intermediary.file.sha256".
- Mapped "events.causality_actor_process_instance_id" to "intermediary.process.pid".
- Mapped "events.causality_actor_process_image_md5" to "intermediary.file.md5".
- Mapped "events.event_type" to "metadata.product_event_type".
- Mapped "events.user_name" to "principal.user.user_display_name".
2023-10-16
- Mapped "source" to "principal.asset.attribute.labels".
- Set "metadata.event_type" to "NETWORK_CONNECTION" if "event_type" in "Network Connections" or "Network Event".
2022-11-03
- Mapped "PanOSConfigVersion" to "security_result.detection_fields".
- Mapped "PanOSContentVersion" to "security_result.detection_fields".
- Mapped "PanOSDGHierarchyLevel1" to "security_result.detection_fields".
- Mapped "PanOSDestinationLocation" to "target.location.country_or_region".
- Mapped "PanOSDynamicUserGroupName" to "principal.group.group_display_name".
- Mapped "PanOSSourceLocation" to "principal.location.country_or_region".
- Mapped "PanOSThreatCategory" to "security_result.category_details".
- Mapped "PanOSThreatID" to "security_result.threat_id".
- Mapped "app" to "target.application".
- Mapped "cs1" to "additional.fields".
- Mapped "cs3" to "additional.fields".
- Mapped "cs4" to "additional.fields".
- Mapped "cs5" to "additional.fields".
- Mapped "cs6" to "additional.fields".
- Mapped "cn1" to "additional.fields".
- Mapped "sourceTranslatedPort" to "principal.port".
- Mapped "sourceTranslatedAddress" to "principal.ip".
- Mapped "destinationTranslatedAddress" to "target.ip".
- Mapped "destinationTranslatedPort" to "target.port".
- Mapped "act" to "security_result.action_details".
- Mapped "deviceExternalId" to "security_result.about.asset_id".
- Mapped "dvchost" to "principal.hostname".
- Mapped "proto" to "network.ip_protocol".
- Mapped "fileId" to "target.resource.attribute.labels".