
Cortex XSIAM by Palo Alto Networks

Realm Security integrates with Cortex XSIAM by Palo Alto Networks, enabling intelligent routing and analysis of security event logs. Follow these steps to configure log forwarding from the Realm Security Data Fabric to your Cortex XSIAM by Palo Alto Networks instance.

Prerequisites

  • Ensure you have administrative access to your Cortex XSIAM by Palo Alto Networks instance.

Data Source Setup

  1. Log in to the Cortex XSIAM by Palo Alto Networks web interface
  2. Navigate to Settings > Data Sources
  3. Click Add Data Source, search for Custom - HTTP Base Collector and click Add New Instance.
  4. It is generally preferable to set the Vendor and Product fields. To find the values to use, open the XSIAM and XSOAR marketplace, search for the product whose logs you want to ingest, and copy its Vendor and Product values if they are listed. When data is forwarded in CEF format, Cortex XSIAM can infer Vendor and Product on its own.
  5. Fill in the form with the intended log format (either JSON or raw) and select gzip compression. Note which log format you selected; the same value is needed when configuring the Cortex XSIAM output feed in the Realm.Security console.
  6. Click Save and Generate Token. Copy the generated token value; it is needed when configuring the Cortex XSIAM output feed.
  7. After the Data Source has been created, select Copy API URL to retrieve the URL for the new data source. This will be used in configuring the Cortex XSIAM output feed.
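Before wiring up the output feed, it is useful to confirm that the new Data Source accepts a gzip-compressed batch in the format chosen in step 5. The script below is an added example, not Realm Security or Palo Alto Networks code; it assumes the collector reads the token from an Authorization header and takes Content-Encoding: gzip, and it uses constructed sample events.

```python
"""Post a small gzip-compressed batch to a Cortex XSIAM HTTP collector,
matching the Data Source settings above (JSON or raw, gzip enabled)."""
import gzip
import json
import os
import urllib.request

# Constructed sample events standing in for real log records.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "src": "10.0.0.5", "action": "allow"},
    {"ts": "2024-01-01T00:00:01Z", "src": "10.0.0.7", "action": "deny"},
]


def build_body(events, log_format="json"):
    """Serialise events as newline-delimited JSON (or raw lines), then gzip."""
    if log_format == "json":
        lines = [json.dumps(e, separators=(",", ":")) for e in events]
    elif log_format == "raw":
        lines = [str(e) for e in events]  # raw format: one log line per event
    else:
        raise ValueError(f"unsupported log format: {log_format}")
    return gzip.compress("\n".join(lines).encode("utf-8"))


def decode_body(body):
    """Inverse of build_body, to inspect exactly what would be sent."""
    return gzip.decompress(body).decode("utf-8").splitlines()


def build_headers(token, log_format="json"):
    # Assumed header layout (token in Authorization, gzip announced via
    # Content-Encoding); confirm against your XSIAM Data Source help page.
    content_type = "application/json" if log_format == "json" else "text/plain"
    return {"Authorization": token, "Content-Type": content_type,
            "Content-Encoding": "gzip"}


def send(url, token, events, log_format="json", timeout=10):
    """POST one batch; returns the HTTP status code the collector answers with."""
    req = urllib.request.Request(url, data=build_body(events, log_format),
                                 headers=build_headers(token, log_format),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # URL is the "Copy API URL" value, token from "Save and Generate Token";
    # both come from the environment so the token never lands in source control.
    print("HTTP", send(os.environ["XSIAM_API_URL"], os.environ["XSIAM_TOKEN"],
                       SAMPLE_EVENTS, os.environ.get("XSIAM_FORMAT", "json")))
```

A 200 response confirms the token, URL, format and compression settings agree before the same values are entered into the output feed form.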

Configuring Palo XSIAM Output Feed

  1. Go to Destinations and select a destination of type SIEM.
  2. Click the Add Output Feed button.
  3. Select type: Cortex XSIAM by Palo Alto Networks
  4. Give the output feed a name and description of your choosing.
  5. Copy your Cortex XSIAM Data Source's API URL into the URL text box.
  6. Copy your token into the Auth Token text box.
  7. Select the format the Data Source is configured to receive.
  8. Click Add when output feed configuration is complete.