If I understood correctly, you managed to create a log source and get the logs through syslog?
Now, I am not familiar with Palo Alto's solution, but it kind of sounds like you would need to create a custom log source and use the Universal Cloud REST API protocol (https://community.ibm.com/community/user/security/blogs/sophia-sampath1/2020/10/05/introducing-the-universal-cloud-connector).
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Wed March 13, 2024 04:52 AM
From: Max Paykin
Subject: CortexXDR Palo Alto Integration
Hello,
I need help with the integration between Palo Alto Cortex XDR and QRadar.
I noticed that there are 2 types of logs that can come from Cortex XDR, which are Alerts and Incidents.
I succeeded in creating a log source for the Cortex XDR Alerts logs, but the Incidents are not part of them.
I read at Palo Alto that it can be done by API, but I don't see how I can create the log source based on that.
According to IBM Support, the only supported protocols are Syslog and TLS Syslog;
the thing is that the product is a cloud SaaS.
I will be glad if anyone knows any other way to pull those Incidents logs by API into QRadar.
------------------------------
Max Paykin
------------------------------