Paloalto Cortex XDR dashboard into Grafana?

Hello, I don’t know if I’m in the right place…

I would like to integrate our Cortex XDR dashboard into Grafana. I know this is possible via an API, but which connection do I choose in Grafana? ‘Websocket API’?

Has somebody already done that? Are there instructions for this?

Basically I would like to create a dashboard in Grafana that shows the incidents from XDR.

It would be nice if someone could help me. Thanks.

Check the Infinity datasource plugin; it allows you to connect to an API and render the results in Grafana.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Started-with-APIs

OK thanks. I have just generated the API key in Cortex XDR as an ‘Advanced-Key’.
Now I don’t know how I can integrate the whole thing as a data source in the ‘Infinity Datasource Plugin’. Which authentication type do I have to select there?

I defined the role for the API key in Cortex-XDR as a viewer, is that correct?

Can you maybe help me with that?

Check the docs out.

There are 11 different authentication options.
I assume that I have to set up the “Basic Authentication” and the “Bearer Token” mode, right?
Can you please explain it to me in more detail?

Thanks


Depends on what authentication Cortex offers.

With a token, Infinity is limited if it needs to be refreshed often.

Morning, I created the token using these instructions: Palo Alto Networks documentation portal.
I created an “Advanced-Security Level” token and the role would be “Viewer”.
Do I then only need the token to integrate with Grafana?

Does the Palo Alto token require a refresh TTL?

Unfortunately, I don’t know.

So now you can implement the endpoint using the data source and the details for the token etc. But before using it within Grafana I would vet this REST API endpoint from Palo Alto using curl or tools like Postman, Insomnia or Thunder Client to see if it works.

Hi, now I was finally able to establish the connection.
I would like to create the same representation of the incidents as in Cortex XDR in Grafana, but unfortunately I can’t get any further here.

You can see what I managed in the pictures.

I would like to recreate something like that:


How can I create something like that?

Thanks

Please post the actual text of the data result (JSON) and not a tiny image of it.

Good morning,
Here is the data result (I shortened it a bit, so not 33) in JSON from Postman.

{
    "reply": {
        "total_count": 33,
        "result_count": 33,
        "incidents": [
            {
                "incident_id": "30",
                "incident_name": null,
                "creation_time": 1712756171234,
                "modification_time": 1712914085414,
                "detection_time": null,
                "status": "resolved_known_issue",
                "severity": "high",
                "description": "'Keylogger - 2577420806' generated by XDR Agent detected on host nb3230 involving user xxx-xx\\ina",
                "assigned_user_mail": "xxx@xxx.xxx",
                "assigned_user_pretty_name": "ansler OPT-1",
                "alert_count": 1,
                "low_severity_alert_count": 0,
                "med_severity_alert_count": 0,
                "high_severity_alert_count": 1,
                "critical_severity_alert_count": 0,
                "user_count": 1,
                "host_count": 1,
                "notes": null,
                "resolve_comment": null,
                "resolved_timestamp": 1712914085414,
                "manual_severity": null,
                "manual_description": null,
                "xdr_url": "https://xxxxxxx.paloaltonetworks.com/incident-view?caseId=30",
                "starred": false,
                "starred_manually": false,
                "hosts": [
                    "nb3230:x9fe47b26d75446f2b96f91551c27bbebe"
                ],
                "users": [
                    "xxx-xx\\ina"
                ],
                "incident_sources": [
                    "XDR Agent"
                ],
                "rule_based_score": null,
                "predicted_score": 21,
                "manual_score": null,
                "aggregated_score": null,
                "wildfire_hits": 0,
                "alerts_grouping_status": "Disabled",
                "mitre_tactics_ids_and_names": [
                    "TA0006 - Credential Access",
                    "TA0009 - Collection"
                ],
                "mitre_techniques_ids_and_names": [
                    "T1056.001 - Input Capture: Keylogging"
                ],
                "alert_categories": [
                    "Malware"
                ],
                "original_tags": [
                    "DS:PANW/XDR Agent"
                ],
                "tags": [
                    "DS:PANW/XDR Agent"
                ]
            },
            {
                "incident_id": "33",
                "incident_name": null,
                "creation_time": 1712843261308,
                "modification_time": 1712843261308,
                "detection_time": null,
                "status": "new",
                "severity": "low",
                "description": "'Large Upload (Generic)' generated by XDR Analytics detected on host nb3362 involving user xxx-xx\\sif",
                "assigned_user_mail": null,
                "assigned_user_pretty_name": null,
                "alert_count": 1,
                "low_severity_alert_count": 1,
                "med_severity_alert_count": 0,
                "high_severity_alert_count": 0,
                "critical_severity_alert_count": 0,
                "user_count": 1,
                "host_count": 1,
                "notes": null,
                "resolve_comment": null,
                "resolved_timestamp": null,
                "manual_severity": null,
                "manual_description": null,
                "xdr_url": "https://xxxxxxx.paloaltonetworks.com/incident-view?caseId=30",
                "starred": false,
                "starred_manually": false,
                "hosts": [
                    "nb3362:x57b863ac72f84cax3b87be4f9313c771f7"
                ],
                "users": [
                    "xxx-xx\\sif"
                ],
                "incident_sources": [
                    "XDR Analytics"
                ],
                "rule_based_score": null,
                "predicted_score": 5,
                "manual_score": null,
                "aggregated_score": null,
                "wildfire_hits": 0,
                "alerts_grouping_status": "Enabled",
                "mitre_tactics_ids_and_names": [
                    "TA0010 - Exfiltration"
                ],
                "mitre_techniques_ids_and_names": [
                    "T1048 - Exfiltration Over Alternative Protocol"
                ],
                "alert_categories": [
                    "Exfiltration"
                ],
                "original_tags": [
                    "DS:PANW/XDR Agent"
                ],
                "tags": [
                    "DS:PANW/XDR Agent"
                ]
            },
            {
                "incident_id": "32",
                "incident_name": null,
                "creation_time": 1712824031673,
                "modification_time": 1712824031673,
                "detection_time": null,
                "status": "new",
                "severity": "low",
                "description": "'Suspicious port scan' generated by XDR Analytics detected on host nb3314 involving user xxx-xx\\kne",
                "assigned_user_mail": null,
                "assigned_user_pretty_name": null,
                "alert_count": 1,
                "low_severity_alert_count": 1,
                "med_severity_alert_count": 0,
                "high_severity_alert_count": 0,
                "critical_severity_alert_count": 0,
                "user_count": 1,
                "host_count": 1,
                "notes": null,
                "resolve_comment": null,
                "resolved_timestamp": null,
                "manual_severity": null,
                "manual_description": null,
                "xdr_url": "https://xxxxxxx.paloaltonetworks.com/incident-view?caseId=30",
                "starred": false,
                "starred_manually": false,
                "hosts": [
                    "nb3314:5b04fxdb5cb3d45378d465992374d4b5ed4d0"
                ],
                "users": [
                    " xxx-xx\\kne"
                ],
                "incident_sources": [
                    "XDR Analytics"
                ],
                "rule_based_score": null,
                "predicted_score": 5,
                "manual_score": null,
                "aggregated_score": null,
                "wildfire_hits": 0,
                "alerts_grouping_status": "Enabled",
                "mitre_tactics_ids_and_names": [
                    "TA0007 - Discovery"
                ],
                "mitre_techniques_ids_and_names": [
                    "T1046 - Network Service Discovery"
                ],
                "alert_categories": [
                    "Discovery"
                ],
                "original_tags": [
                    "DS:PANW/XDR Agent"
                ],
                "tags": [
                    "DS:PANW/XDR Agent"
                ]
            },
            {
                "incident_id": "5",
                "incident_name": null,
                "creation_time": 1706799303286,
                "modification_time": 1707317797038,
                "detection_time": null,
                "status": "resolved_false_positive",
                "severity": "medium",
                "description": "'Local Analysis Malware' generated by XDR Agent detected on host nb3182 involving user xxx-xx\\eig",
                "assigned_user_mail": "xxx@xxx.com",
                "assigned_user_pretty_name": "xxxx",
                "alert_count": 1,
                "low_severity_alert_count": 0,
                "med_severity_alert_count": 1,
                "high_severity_alert_count": 0,
                "critical_severity_alert_count": 0,
                "user_count": 1,
                "host_count": 1,
                "notes": null,
                "resolve_comment": "TimeAs Zeiterfassung wird benötigt (Allow list)",
                "resolved_timestamp": 1707317797038,
                "manual_severity": null,
                "manual_description": null,
                "xdr_url": "https://xxxxxxx.paloaltonetworks.com/incident-view?caseId=30",
                "starred": false,
                "starred_manually": false,
                "hosts": [
                    "nb3182:6e7eb89e32d2945de5ba99fffe2743012f"
                ],
                "users": [
                    "xxx-xx\\eig"
                ],
                "incident_sources": [
                    "XDR Agent"
                ],
                "rule_based_score": null,
                "predicted_score": null,
                "manual_score": null,
                "aggregated_score": null,
                "wildfire_hits": 0,
                "alerts_grouping_status": "Disabled",
                "mitre_tactics_ids_and_names": null,
                "mitre_techniques_ids_and_names": null,
                "alert_categories": [
                    "Malware"
                ],
                "original_tags": [
                    "DS:PANW/XDR Agent"
                ],
                "tags": [
                    "DS:PANW/XDR Agent"
                ]
            }
        ],
        "restricted_incident_ids": []
    }
}

uql: UQL

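The endpoint check suggested earlier in the thread and the Postman reply posted above, as an added Python example that is not from this thread nor from Palo Alto Networks or Grafana: it builds the per-request headers an Advanced key needs (the Authorization value is a hash over key, nonce and timestamp, which is why a static header configured once in Infinity cannot reproduce it), assembles the get_incidents request to vet with curl, and flattens `reply.incidents` into table rows. The header scheme, endpoint path and request body are taken from the Cortex XDR API reference as I recall it and should be checked against the docs linked above; the FQDN, key id and key are placeholders, and the sample reply is constructed.

```python
"""Added example; header scheme, endpoint path and body assumed from the Cortex XDR API docs."""
import hashlib
import json
import secrets
import time
from datetime import datetime, timezone


def advanced_key_headers(api_key_id, api_key, nonce="", timestamp_ms=0):
    """Per-request headers for an Advanced (hashed) key: Authorization is
    sha256(api_key + nonce + timestamp), so it changes on every call. A Standard
    key sends the key itself in Authorization and does fit a static-header setup."""
    nonce = nonce or secrets.token_hex(32)            # 64 random characters
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {"x-xdr-auth-id": str(api_key_id), "x-xdr-nonce": nonce,
            "x-xdr-timestamp": str(timestamp_ms), "Authorization": digest,
            "Content-Type": "application/json"}


def build_incidents_request(fqdn, api_key_id, api_key, limit=100):
    """URL, JSON body and headers to vet with curl/Postman before wiring up Grafana."""
    url = f"https://api-{fqdn}/public_api/v1/incidents/get_incidents/"
    body = {"request_data": {"search_from": 0, "search_to": limit,
                             "sort": {"field": "creation_time", "keyword": "desc"}}}
    return url, json.dumps(body), advanced_key_headers(api_key_id, api_key)


def flatten_incidents(reply_json):
    """reply.incidents -> flat table rows: epoch ms to ISO time, lists to strings,
    null list fields (as on incident 5 in the posted reply) to empty strings."""
    rows = []
    for inc in json.loads(reply_json)["reply"]["incidents"]:
        created = datetime.fromtimestamp(inc["creation_time"] / 1000, tz=timezone.utc)
        rows.append({"incident_id": inc["incident_id"],
                     "created": created.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "severity": inc["severity"], "status": inc["status"],
                     "source": ", ".join(inc.get("incident_sources") or []),
                     "tactics": ", ".join(inc.get("mitre_tactics_ids_and_names") or []),
                     "description": inc["description"]})
    return rows


# Constructed sample shaped like the Postman reply posted above (fields trimmed).
SAMPLE_REPLY = json.dumps({"reply": {"total_count": 2, "result_count": 2, "incidents": [
    {"incident_id": "30", "creation_time": 1712756171234, "status": "resolved_known_issue",
     "severity": "high", "description": "'Keylogger' generated by XDR Agent on host nb3230",
     "incident_sources": ["XDR Agent"], "mitre_tactics_ids_and_names": ["TA0006 - Credential Access"]},
    {"incident_id": "5", "creation_time": 1706799303286, "status": "resolved_false_positive",
     "severity": "medium", "description": "'Local Analysis Malware' generated by XDR Agent",
     "incident_sources": ["XDR Agent"], "mitre_tactics_ids_and_names": None}]}})
```

Running `flatten_incidents(SAMPLE_REPLY)` gives the rows a Grafana table panel wants; the same field list is what the Infinity query has to select from `reply.incidents`.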