Recently, Cortex XDR by Palo Alto updated their API endpoint URLs from v1 to v2. This small change prevents data from entering our Elastic Stack. So far, I have attempted to change elastic-agent.yml and change the httpjson.yml.hbs file to reflect the new URL, and I have even uninstalled and reinstalled the package after the changes. The agent still reverts to the v1 version of the URL.
The agents make a call to /public_api/v1/alerts/get_alerts_multi_events when they should make a call to /public_api/v2/alerts/get_alerts_multi_events.
We need either an update (1.33.0) on the Cortex XDR integration package or a walk through so that we can change the API endpoint URL to v2.
I tried the uninstall and reinstall with no change in the asset tab view. I looked under ingest pipelines and I can still see the Cortex pipelines; however, the data coming in isn't being parsed properly. I'm using an offline EPR for pulling in packages since my cluster is air-gapped.
After careful testing, I have determined the issue to be with Security Onion's implementation of the ELK Stack. When installing a proper ELK stack, the assets/pipelines work fine. So, I'll start a discussion on their forum. Thanks again for the help.