Skip to main content
The Cortex XSIAM destination plugin (name: http, alias: paloaltocortex) lets you configure your telemetry pipeline to send logs to Palo Alto Networks Cortex XSIAM.

Supported telemetry types

The for Chronosphere Telemetry Pipeline supports these telemetry types:
LogsMetricsTraces

Configuration parameters

Use the parameters in this section to configure the . The Telemetry Pipeline web interface uses the items in the Name column to describe these parameters. Pipeline configuration files use the items in the Key column as YAML keys.

General

NameKeyDescriptionDefault
Cortex URLhostRequired. Specifies your Cortex XSIAM webhook URL.api-{tenant external URL}.crtx.us.paloaltonetworks.com
PortportRequired. Specifies TCP port of the target HTTP server.443
Cortex URI and InstanceuriRequired. Specifies the URI to use as part of the request./xsoar/instance/execute/my_instance_01
HeadersheaderRequired. Sets an HTTP header key/value pair. Use your ingest API token to authenticate with Cortex XSIAM.Authorization [REPLACE WITH TOKEN]

Advanced

NameKeyDescriptionDefault
FormatformatSpecifies the data format to use in the HTTP request body. Accepted values: json_lines, json, json_stream.json
CompresscompressSets the payload compression mechanism. Accepted values: gzip, none.none
HTTP ProxyproxySpecifies an HTTP proxy. The expected format of this value is http://host:port.none
JSON Date Formatjson_date_formatSets the date format. Accepted values: double, epoch, iso8601, java_sql_timestamp.iso8601
JSON Date Keyjson_date_keySpecifies the name of the date field in output._time
Body Keybody_keySpecifies the key that contains the format.none
Header Tagheader_tagSets an HTTP header whose value is the tag of the record.none
Header Keyheaders_keySpecifies the key that contains the headers.none

Security and TLS

NameKeyDescriptionDefault
TLStlsIf true, enables TLS/SSL. If false, disables TLS/SSL. Accepted values: true, false.true
TLS Certificate Validationtls.verifyIf on, and if tls is true, enables TLS/SSL certificate validation. If off, disables TLS/SSL certificate validation. Accepted values: on, off.on
TLS Debug Leveltls.debugSets TLS debug verbosity level. Accepted values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational), 4 (Verbose).1
CA Certificate File Pathtls.ca_fileAbsolute path to CA certificate file.none
Certificate File Pathtls.crt_fileAbsolute path to certificate file.none
Private Key File Pathtls.key_fileAbsolute path to private key file.none
Private Key Path Passwordtls.key_passwdPassword for private key file.none
TLS SNI Hostname Extensiontls.vhostHostname to be used for TLS SNI extension.none

Advanced Networking

NameKeyDescriptionDefault
DNS Modenet.dns.modeSelects the primary DNS connection type, which can be TCP or UDP.none
DNS Resolvernet.dns.resolverSelects the primary DNS connection type, which can be LEGACY or ASYNC.none
Prefer IPv4net.dns.prefer_ipv4Prioritizes IPv4 DNS results when trying to establish a connection. Accepted values: true, false.false
Keepalivenet.keepaliveEnables or disables Keepalive support. Accepted values: true, false.true
Keepalive Idle Timeoutnet.keepalive_idle_timeoutSets the maximum time allowed for an idle Keepalive connection.30s
Max Connect Timeoutnet.connect_timeoutSets the maximum time allowed to establish a connection, which includes the TLS handshake.10s
Max Connect Timeout Log Errornet.connect_timeout_log_errorSpecifies whether to log an error on connection timeout. When disabled, the timeout is logged as a debug message. Accepted values: true, false.true
Source Addressnet.source_addressSpecifies the network address to bind for data traffic.none
Max Keepalive Recyclenet.keepalive_max_recycleSets the maximum number of times a keepalive connection can be used before it’s retired.2000

Basic Authentication

NameKeyDescriptionDefault
HTTP Usernamehttp_userBasic auth username.none
HTTP Passwordhttp_passwdBasic auth password. Requires http_user to be set.none