Enhancing the security posture of your organization requires comprehensive visibility into your endpoint activities. Cortex XDR provides powerful threat detection and response capabilities, and integrating its logs with Azure Log Analytics can streamline your security operations. In this guide, we'll walk you through the process of creating a custom data connector using an Azure Function to fetch logs from Cortex XDR's API and store them in a custom table within your Log Analytics workspace.
Before diving into the implementation, ensure you have the following in place:
- Active Cortex XDR account with the API URL, access key ID and secret key.
- Azure subscription with Log Analytics workspace provisioned.
- Select the preferred Subscription, Resource Group and Location.
- Click on Review and deploy.
- Once the deployment has succeeded, go to Configuration and provide the following details:
  a. WORKSPACE_ID = Azure Sentinel Workspace ID
  b. SHARED_KEY = Azure Sentinel Shared Key
  c. API_URL = Cortex XDR API URL
  d. USER = Cortex XDR Access Key ID
  e. PASSWORD = Cortex XDR Secret Key
  Note: Replace each entry with the original value.
- Click on Save.
- You will now see a custom table named "PaloAltoSentinel_CL" in your Log Analytics workspace.
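As an added example (not code from the page or from the deployed Function), here is the core of such a Function in Python: it reads the five configuration values above, builds a Cortex XDR incident query, and posts the result to the Log Analytics Data Collector API, which is what a workspace ID and shared key authenticate to. The Cortex XDR path `/public_api/v1/incidents/get_incidents/` and its `x-xdr-auth-id`/`Authorization` headers are assumed from the public API, and the `Log-Type` header is derived from the table name because Log Analytics appends `_CL` itself.

```python
import base64, hashlib, hmac, json, os, urllib.request
from datetime import datetime, timezone

# Read the five values set in the Function App configuration (names as on the page).
WORKSPACE_ID = os.environ.get("WORKSPACE_ID", "")
SHARED_KEY = os.environ.get("SHARED_KEY", "")
API_URL = os.environ.get("API_URL", "")      # Cortex XDR API URL
USER = os.environ.get("USER", "")            # Cortex XDR access key ID
PASSWORD = os.environ.get("PASSWORD", "")    # Cortex XDR secret key

def log_type_for_table(table_name):
    """Log Analytics appends '_CL' itself, so the Log-Type header omits it."""
    return table_name[:-3] if table_name.endswith("_CL") else table_name

def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Data Collector API auth: HMAC-SHA256 of the canonical string, keyed with the base64-decoded shared key."""
    string_to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def xdr_request(api_url, key_id, secret, search_from=0, search_to=100):
    """Build the Cortex XDR get_incidents call (path and header names assumed from the public API)."""
    url = api_url.rstrip("/") + "/public_api/v1/incidents/get_incidents/"
    headers = {"x-xdr-auth-id": str(key_id), "Authorization": secret, "Content-Type": "application/json"}
    body = {"request_data": {"search_from": search_from, "search_to": search_to}}
    return url, headers, body

def post_json(url, headers, body):
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")

def fetch_incidents(api_url=API_URL, key_id=USER, secret=PASSWORD):
    url, headers, body = xdr_request(api_url, key_id, secret)
    _, text = post_json(url, headers, json.dumps(body))
    return json.loads(text).get("reply", {}).get("incidents", [])

def send_to_log_analytics(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, table="PaloAltoSentinel_CL"):
    body = json.dumps(records)
    rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {"Content-Type": "application/json", "Log-Type": log_type_for_table(table), "x-ms-date": rfc1123_date,
               "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body.encode("utf-8")))}
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return post_json(url, headers, body)[0]   # HTTP 200 means the batch was accepted

if __name__ == "__main__":   # one poll cycle, as a timer-triggered Function body would run it
    incidents = fetch_incidents()
    print("posted", len(incidents), "records, status", send_to_log_analytics(incidents))
```

The shared key never leaves the Function: only the HMAC over the request and the date is sent, so a captured request cannot be replayed once the `x-ms-date` is stale.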