IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Integrate logs from Palo Alto Cortex XDR

    Posted Thu August 26, 2021 08:14 AM

    Hello,

    we are going to integrate logs from Palo Alto Cortex XDR.

    We have already installed the app extension; now we want to collect the logs from the Cortex instance and send them to our event collector.

    The issue is due to our collector having a private IP address, I noticed that on Cortex admin panel we can select only public log forwarding IP (for example, 34.90.202.186 for EU region).

    Does some specific ports need to be open between our collector and this IP address? Can you explain me how the collector connects to this IP address to retrieve the event logs?

    Best Regards

    Davide



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Integrate logs from Palo Alto Cortex XDR

    Posted Fri August 27, 2021 07:12 PM

    I'm not super familiar with Cortex logs, but they should support LEEF, which is a native QRadar event format. I would review these docs and see if you can configure Syslog.

    For review

    https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html#id186BM029099



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Integrate logs from Palo Alto Cortex XDR

    Posted Mon August 30, 2021 10:34 AM

    Hello Jonathan,

    thanks for your response..anyway is possible to forward event logs from Cortex Data Lake to a syslog server (in our case it will be Qradar event collector) which has a private IP address? This is the point which is not clear to me, has someone already implemented this solution?

    B Regards

    Davide



    #QRadar
    #Support
    #SupportMigration