Palo Alto Cortex XDR Update

Recently, Cortex XDR by Palo Alto updated their API endpoint URLs from v1 to v2. This small change prevents data from entering our Elastic Stack. So far, I have attempted to change elastic-agent.yml and change the httpjson.yml.hbs file to reflect the new URL, and I have even uninstalled and reinstalled the package after the changes. The agent still reverts to the v1 version of the URL.

The agents make a call to /public_api/v1/alerts/get_alerts_multi_events when they should make a call to /public_api/v2/alerts/get_alerts_multi_events.

We need either an update (1.33.0) on the Cortex XDR integration package or a walkthrough so that we can change the API endpoint URL to v2.
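Because the integration regenerates the agent policy from the package's own templates, a hand-edited elastic-agent.yml or httpjson.yml.hbs can silently revert. A quick way to confirm which endpoint the running policy actually carries is to scan the rendered policy for the v1 path. The script below is an added example, not code from the thread or from the Elastic integration; the policy snippet is constructed (the host `example.xdr.invalid` and the stream ids are hypothetical), and only the `request.url` line reflects the endpoint named in the post.

```python
import re

# Constructed sample of the httpjson input as it might appear in a rendered
# Elastic Agent policy. Host and ids are hypothetical; the request.url path
# is the v1 endpoint the thread reports the agent keeps falling back to.
SAMPLE_POLICY = """\
inputs:
  - id: httpjson-panw_cortex_xdr
    type: httpjson
    streams:
      - data_stream:
          dataset: panw_cortex_xdr.alerts
        request.method: POST
        request.url: https://example.xdr.invalid/public_api/v1/alerts/get_alerts_multi_events
        request.body:
          request_data:
            search_from: 0
            search_to: 100
"""

# Matches a request.url key and captures its value.
URL_LINE = re.compile(r"^\s*request\.url:\s*(\S+)\s*$")

# Captures the pieces around the version segment so it can be bumped in place.
V1_PATH = re.compile(r"(/public_api/)v1(/alerts/get_alerts_multi_events)")


def find_v1_urls(policy_text):
    """Return (line_number, url) for every request.url still on the v1 endpoint."""
    hits = []
    for number, line in enumerate(policy_text.splitlines(), start=1):
        match = URL_LINE.match(line)
        if match and V1_PATH.search(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


def to_v2(url):
    """Rewrite the v1 alerts endpoint to its v2 counterpart; other URLs are unchanged."""
    return V1_PATH.sub(r"\1v2\2", url)


def rewrite_policy(policy_text):
    """Return (rewritten_policy, number_of_urls_changed)."""
    out = []
    changed = 0
    for line in policy_text.splitlines():
        match = URL_LINE.match(line)
        if match and V1_PATH.search(match.group(1)):
            line = line.replace(match.group(1), to_v2(match.group(1)))
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    for number, url in find_v1_urls(SAMPLE_POLICY):
        print(f"line {number}: still on v1 -> {url}")
    fixed, count = rewrite_policy(SAMPLE_POLICY)
    print(f"{count} URL(s) rewritten to v2")
    print(fixed)
```

Run it against the policy the agent actually received (for example the rendered policy Fleet shows for the enrolled agent) rather than against the template you edited; if the v1 path reappears there after a reinstall, the change is being overwritten by the package and the fix has to come from the integration itself.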

Hi @x_deee, welcome to the community and thanks for reporting this.
I pinged internally to the correct folks. Let's see what they come back with.

Thank you for the quick response. The v1 URL came online again today, so I'll work with that until the update.

Also, the alerts pipeline/mappings seem to be missing for the current version. We are working around that as well. Thanks again.

Hmmmm, perhaps reload the assets; you should have all of these.
I just installed / reloaded and they are all there.


Interesting. I'm going to double check things on my end. This was a massive help. Thank you.


I also have the same issue. I tried reinstalling the package through the settings tab, but nothing shows up in the assets tab. Any suggestions?

Try uninstall then reinstall?

You can also go check if the assets are actually there, manually.

There may be a glitch where they're just not showing up there in that list.

You can use my image from above

One note:

logs@custom may not really be there. It's a placeholder.


I tried the uninstall and reinstall with no change in the asset tab view. I looked under ingest pipelines and I can still see the Cortex pipelines; however, the data coming in isn't being parsed properly. I'm using an offline EPR for pulling in packages since my cluster is air-gapped.

Hello again.

After careful testing, I have determined the issue to be with Security Onion's implementation of the ELK Stack. When installing a proper ELK stack, the assets/pipelines work fine. So, I'll start a discussion on their forum. Thanks again for the help.