Feb 1, 2022

Version 1.2.0

Overview
Palo Alto Networks and IBM have partnered to deliver logging extensions for the Palo Alto Networks
Cortex XDR DSM for the widely used IBM® QRadar® SIEM. Integrate QRadar seamlessly with the
Cortex XDR DSM through this simple extension. The Palo Alto Networks extension for Cortex
XDR DSM for QRadar lets you capture alerts from your Cortex XDR instance and
process them within your Security Operations Center. The events can then be reduced,
prioritized, and correlated using QRadar.

System Requirements
● Cortex XDR version 2.5 and above.
○ See Cortex XDR Release Guide for more information
● IBM QRadar version 7.3.3 patch 7 or higher

Updates in this version

● Added more detail to 'Event Information' under 'Log Activity'. The alert payload now shows:
Hostname, Action, File_Hash, File_Path, Threat_Category.

Installation Steps
1. Download the Palo Alto Networks Cortex XDR DSM for QRadar extension from the IBM
App Exchange.
a. NOTE: If you already have version 1.0.0 of Cortex XDR DSM for QRadar
installed, this version will upgrade it to version 1.1.0.

2. Install the app on IBM QRadar using the following documentation from IBM:
a. https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_cmt_importing_extensions.html

3. By default this extension installs a PrismaCloud log source. This is intentional and
allows simple testing of your data while building your scripts from the above-referenced
GitHub site. Do not leave the extension setting as 127.0.0.1; use the IP address of the
syslog server from which you will be receiving the logs.

No further configuration is required. Logs sent from the Cortex XDR console arrive in the
default syslog format, and the installed log source extension allows QRadar to identify the
events automatically.