{
  "name": "panw_cortex_xdr",
  "title": "Palo Alto Cortex XDR",
  "version": "2.5.2",
  "release": "ga",
  "description": "Collect logs from Palo Alto Cortex XDR with Elastic Agent.",
  "type": "integration",
  "download": "/epr/panw_cortex_xdr/panw_cortex_xdr-2.5.2.zip",
  "path": "/package/panw_cortex_xdr/2.5.2",
  "icons": [
    {
      "src": "/img/icon-cortex.svg",
      "path": "/package/panw_cortex_xdr/2.5.2/img/icon-cortex.svg",
      "title": "Palo Alto",
      "size": "216x216",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.4 || ~9.0.7 || ^9.1.4"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr"
  ],
  "signature_path": "/epr/panw_cortex_xdr/panw_cortex_xdr-2.5.2.zip.sig",
  "format_version": "3.4.0",
  "readme": "/package/panw_cortex_xdr/2.5.2/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/panw_cortex_xdr-alerts.png",
      "path": "/package/panw_cortex_xdr/2.5.2/img/panw_cortex_xdr-alerts.png",
      "title": "Alerts Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/panw_cortex_xdr-events.png",
      "path": "/package/panw_cortex_xdr/2.5.2/img/panw_cortex_xdr-events.png",
      "title": "Events Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/panw_cortex_xdr-incidents.png",
      "path": "/package/panw_cortex_xdr/2.5.2/img/panw_cortex_xdr-incidents.png",
      "title": "Incidents Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/panw_cortex_xdr/2.5.2/LICENSE.txt",
    "/package/panw_cortex_xdr/2.5.2/changelog.yml",
    "/package/panw_cortex_xdr/2.5.2/manifest.yml",
    "/package/panw_cortex_xdr/2.5.2/docs/README.md",
    "/package/panw_cortex_xdr/2.5.2/img/icon-cortex.svg",
    "/package/panw_cortex_xdr/2.5.2/img/panw_cortex_xdr-alerts.png",
    "/package/panw_cortex_xdr/2.5.2/img/panw_cortex_xdr-events.png",
    "/package/panw_cortex_xdr/2.5.2/img/panw_cortex_xdr-incidents.png",
    "/package/panw_cortex_xdr/2.5.2/kibana/tags.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/manifest.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/sample_event.json",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/manifest.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/sample_event.json",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/manifest.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/sample_event.json",
    "/package/panw_cortex_xdr/2.5.2/kibana/dashboard/panw_cortex_xdr-10c6821e-1f7c-4ea6-acf8-e667ab0f03ce.json",
    "/package/panw_cortex_xdr/2.5.2/kibana/dashboard/panw_cortex_xdr-a349f1e6-6762-4a54-9512-e22b32acb9d9.json",
    "/package/panw_cortex_xdr/2.5.2/kibana/dashboard/panw_cortex_xdr-acba7c6a-e721-46ea-9263-1d0d8cc61922.json",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/fields/agent.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/fields/base-fields.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/fields/beats.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/fields/fields.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/fields/base-fields.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/fields/beats.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/fields/fields.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/fields/gcs.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/fields/agent.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/fields/base-fields.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/fields/beats.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/fields/fields.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/agent/stream/cel.yml.hbs",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/agent/stream/httpjson.yml.hbs",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/elasticsearch/ingest_pipeline/v1_pipeline.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/alerts/elasticsearch/ingest_pipeline/v2_pipeline.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/agent/stream/gcs.yml.hbs",
    "/package/panw_cortex_xdr/2.5.2/data_stream/event/elasticsearch/ingest_pipeline/default.yml",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/agent/stream/httpjson.yml.hbs",
    "/package/panw_cortex_xdr/2.5.2/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "xdr",
      "title": "Palo Alto Cortex XDR API",
      "description": "Collect logs from Palo Alto Cortex XDR API",
      "inputs": [
        {
          "type": "httpjson",
          "title": "Collect logs from Palo Alto Cortex XDR using HTTPJSON input",
          "description": "Collect logs from Palo Alto Cortex XDR using HTTPJSON input"
        },
        {
          "type": "cel",
          "title": "Collect logs from Palo Alto Cortex XDR using CEL input",
          "description": "Collect logs from Palo Alto Cortex XDR using CEL input"
        },
        {
          "type": "gcs",
          "title": "Collect logs from Palo Alto Cortex XDR using GCS (Google Cloud Storage)",
          "description": "Collect logs from Palo Alto Cortex XDR using GCS (Google Cloud Storage)"
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "panw_cortex_xdr.alerts",
      "title": "Palo Alto Cortex XDR Alerts API",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "Palo Alto Cortex XDR API Domain",
              "description": "The URL hosting the API endpoint.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://test.xdr.eu.paloaltonetworks.com"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "Palo Alto Cortex XDR API Token",
              "description": "API token from the XDR UI.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_id",
              "type": "text",
              "title": "Palo Alto Cortex XDR API Token ID",
              "description": "The token ID related to the above API token",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 1
            },
            {
              "name": "advanced_sec_level",
              "type": "bool",
              "title": "Advanced security level",
              "description": "Whether the API token was issued with an 'Advanced' security level.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "request_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "How often the API is polled for new alerts. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back in time to look for alerts the first time running. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL",
              "description": "SSL configuration options, i.e. certificate, keys, supported_protocols, verification_mode, etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "#certificate: \"/etc/server/cert.pem\"\n#key: \"/etc/server/key.pem\"\n"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "panw_cortex_xdr"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve panw_cortex_xdr.alerts fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Palo Alto Cortex XDR Alerts from v1 API - Deprecated",
          "description": "Palo Alto Cortex XDR Alerts from v1 API. This API is deprecated. Please use v2 API instead.",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "cel",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "Palo Alto Cortex XDR API Domain",
              "description": "The URL hosting the API endpoint.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://test.xdr.eu.paloaltonetworks.com"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "Palo Alto Cortex XDR API Token",
              "description": "API token from the XDR UI.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_id",
              "type": "text",
              "title": "Palo Alto Cortex XDR API Token ID",
              "description": "The token ID related to the above API token",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 1
            },
            {
              "name": "advanced_sec_level",
              "type": "bool",
              "title": "Advanced security level",
              "description": "Whether the API token was issued with an 'Advanced' security level.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "request_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "How often the API is polled for new alerts. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back in time to look for alerts the first time running. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "#certificate: \"/etc/server/cert.pem\"\n#key: \"/etc/server/key.pem\"\n"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "panw_cortex_xdr"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve panw_cortex_xdr.alerts fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Palo Alto Cortex XDR Alerts from v2 API",
          "description": "Collect Palo Alto Cortex XDR Alerts from v2 API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "panw_cortex_xdr",
      "path": "alerts"
    },
    {
      "type": "logs",
      "dataset": "panw_cortex_xdr.event",
      "title": "Event",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "gcs",
          "vars": [
            {
              "name": "project_id",
              "type": "text",
              "title": "Project ID",
              "description": "The Google Cloud project ID. This parameter is required to collect logs via GCS.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "my-project-id"
            },
            {
              "name": "service_account_key",
              "type": "password",
              "title": "Service Account Key",
              "description": "The JSON service account credentials string, which can be generated from the Google Cloud Console, ref [Service Account Keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).\nThis should be the entire JSON object that is present in the credentials.json file. Required if a Service Account Credentials File is not provided.\n",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "service_account_file",
              "type": "text",
              "title": "Service Account Credentials File",
              "description": "Path to a file containing the service account key text to authenticate to the data store, which can be generated from the Google Cloud Console, ref [Service Account Keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).\nRequired if a Service Account Key is not provided.\n",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "data_stream.dataset",
              "type": "text",
              "title": "Dataset name",
              "description": "Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "panw_cortex_xdr.event"
            },
            {
              "name": "alternative_host",
              "type": "text",
              "title": "Alternative Host",
              "description": "Used to override the default host for the storage client (default is storage.googleapis.com)",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "number_of_workers",
              "type": "integer",
              "title": "Maximum number of workers",
              "description": "Determines how many workers are spawned per bucket.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 3
            },
            {
              "name": "poll",
              "type": "bool",
              "title": "Polling",
              "description": "Determines if the bucket will be continuously polled for new documents.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": true
            },
            {
              "name": "poll_interval",
              "type": "text",
              "title": "Polling interval",
              "description": "Determines the time interval between polling operations.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "15s"
            },
            {
              "name": "retry",
              "type": "yaml",
              "title": "Retry",
              "description": "This attribute can be used to configure a list of sub attributes that directly control how the input should behave when a download for a file/object fails or gets interrupted.\nFor more information about each attribute, please see the relevant [Documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-gcs#attrib-retry-gcs).\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# You can change values for below attributes.\n\nmax_attempts: 3\ninitial_backoff_duration: 1s\nmax_backoff_duration: 30s\nbackoff_multiplier: 2\n"
            },
            {
              "name": "buckets",
              "type": "yaml",
              "title": "Buckets",
              "description": "This attribute contains the details about a specific bucket like name, max_workers, poll and poll_interval. The attribute name is specific to a bucket as it describes the bucket name, while the fields max_workers, poll and poll_interval can exist both at the bucket level and the root level.\nIt is internally represented as an array, so multiple buckets can be provided.\nFor more information about each attribute, please see the relevant [Documentation](https://www.elastic.co/guide/en/beats/filebeat/8.18/filebeat-input-gcs.html#attrib-buckets).\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "# You can define as many buckets as you want here.\n\n- name: event_logs\n- name: event_logs_2\n\n# The config below is an example of how to override the global config.\n\n#- name: event_logs_3\n#  number_of_workers: 3\n#  poll: true\n#  poll_interval: 10s\n"
            },
            {
              "name": "file_selectors",
              "type": "yaml",
              "title": "[GCS] File Selectors",
              "description": "If the GCS bucket will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which is made up of regex patterns. The regex should match the GCS bucket filepath. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# - regex: \"event/\"\n"
            },
            {
              "name": "timestamp_epoch",
              "type": "integer",
              "title": "Timestamp Epoch",
              "description": "Defines the epoch time in seconds, which is used to filter out objects/files that are older than the specified timestamp.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve panw_cortex_xdr.event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "panw_cortex_xdr-event"
              ]
            }
          ],
          "template_path": "gcs.yml.hbs",
          "title": "Event logs",
          "description": "Collect Palo Alto Cortex XDR endpoint logs using Event Forwarding.",
          "enabled": false,
          "ingestion_method": "Google Cloud Storage"
        }
      ],
      "package": "panw_cortex_xdr",
      "path": "event"
    },
    {
      "type": "logs",
      "dataset": "panw_cortex_xdr.incidents",
      "title": "Palo Alto Cortex XDR Incidents API",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "Palo Alto Cortex XDR API Domain",
              "description": "The URL hosting the API endpoint.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://test.xdr.eu.paloaltonetworks.com"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "api_token",
              "type": "password",
              "title": "Palo Alto Cortex XDR API Token",
              "description": "API token from the XDR UI.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_id",
              "type": "text",
              "title": "Palo Alto Cortex XDR API Token ID",
              "description": "The token ID related to the above API token",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 1
            },
            {
              "name": "advanced_sec_level",
              "type": "bool",
              "title": "Advanced security level",
              "description": "Whether the API token was issued with an 'Advanced' security level.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "request_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "30s"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "How often the API is polled for new incidents. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back in time to look for incidents the first time running. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "#certificate: \"/etc/server/cert.pem\"\n#key: \"/etc/server/key.pem\"\n"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "panw_cortex_xdr"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Palo Alto Cortex XDR Incidents",
          "description": "Palo Alto Cortex XDR Incidents API",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "panw_cortex_xdr",
      "path": "incidents"
    }
  ]
}
