Cortex XSOAR Management Logs
Collects management audit logs from Palo Alto Cortex XSOAR security orchestration platform.
Details
This input retrieves audit management logs from the Cortex XSOAR API, providing visibility into user actions, system events, and configuration changes within your XSOAR instance. Key features include:
- Incremental sync with state management
- Tracks user activities, authentication events, and configuration changes
- Captures incident management, playbook execution, and integration activities
Prerequisites
- A Cortex XSOAR instance with API access
- API Key and API Key ID generated from your XSOAR instance
- Domain name (FQDN) of your Cortex XSOAR instance
Setup Instructions
- Log in to your Cortex XSOAR instance
- Generate an API Key following Palo Alto Networks' API documentation
- Note down both the API Key and its corresponding API Key ID
- Identify your instance's fully qualified domain name (FQDN)
- Format: https://{YOUR-DOMAIN}/xsoar/public/v1/
- Configure the input using the API Key, API Key ID, and domain name
Configuration
Settings
| Field | Description | Type | Required |
|---|---|---|---|
| api_key_id | The API Key ID for authentication | string | Yes |
| domain_name | The domain name of your Cortex XSOAR instance (FQDN) | string | Yes |
| backfill_start_time | The date to start fetching data from. If not specified, a full sync is fetched on the first sync. All syncs after that will be incremental. | string | No |
Secrets
| Field | Description | Type | Required |
|---|---|---|---|
| api_key | The API Key for authentication | string | Yes |
Note on Collection Behavior
The input follows an incremental collection pattern:
- First run: Collects all available audit logs from the specified backfill start time (or all available logs if not specified)
- Subsequent runs: Collects only new audit logs since the last successful run
- Implements state management to track the last collection timestamp
- Automatically handles pagination for large result sets
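The incremental pattern above, as an added Python example that is not part of this input's own code: it keeps a cursor on AUDIT_INSERT_TIME plus the AUDIT_IDs already seen at that timestamp, walks pages until a short page, and is driven by a constructed page function standing in for the XSOAR API. It assumes the configured backfill_start_time has already been converted to epoch milliseconds, matching the timestamp unit of the Sample Record.

```python
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample records shaped like the page's Sample Record, trimmed to the
# fields used here. AUDIT_INSERT_TIME is epoch milliseconds, as in that sample.
SAMPLE_AUDITS = [
    {"AUDIT_ID": 1, "AUDIT_INSERT_TIME": 1744456299142, "AUDIT_ENTITY": "AUTH", "AUDIT_RESULT": "SUCCESS"},
    {"AUDIT_ID": 2, "AUDIT_INSERT_TIME": 1744456300000, "AUDIT_ENTITY": "AUTH", "AUDIT_RESULT": "FAILURE"},
    {"AUDIT_ID": 3, "AUDIT_INSERT_TIME": 1744456300000, "AUDIT_ENTITY": "INCIDENT", "AUDIT_RESULT": "SUCCESS"},
    {"AUDIT_ID": 4, "AUDIT_INSERT_TIME": 1744456305000, "AUDIT_ENTITY": "PLAYBOOK", "AUDIT_RESULT": "SUCCESS"},
]

def fetch_page(page: int, size: int) -> List[dict]:
    """Hypothetical stand-in for one paginated API call: returns one slice of the constructed data."""
    return SAMPLE_AUDITS[page * size:(page + 1) * size]

def collect(state: Optional[dict], backfill_start_ms: Optional[int],
            page_fn: Callable[[int, int], List[dict]] = fetch_page, size: int = 2) -> Tuple[List[dict], dict]:
    """One collection run. First run (state is None): start at backfill_start_ms, or at 0 (all
    records) when no backfill time is configured. Later runs: start at state['last_ts'], skipping
    records at that exact timestamp whose AUDIT_ID is already in state['seen_ids'], so the
    boundary record is never delivered twice."""
    if state is None:
        since, seen = (backfill_start_ms or 0), set()
    else:
        since, seen = state["last_ts"], set(state["seen_ids"])
    new, page = [], 0
    while True:  # walk pages until a short (or empty) page marks the end of the result set
        batch = page_fn(page, size)
        for rec in batch:
            ts = rec["AUDIT_INSERT_TIME"]
            if ts < since or (ts == since and rec["AUDIT_ID"] in seen):
                continue
            new.append(rec)
        if len(batch) < size:
            break
        page += 1
    if not new:  # nothing new: carry the cursor forward unchanged
        return new, {"last_ts": since, "seen_ids": sorted(seen)}
    last_ts = max(r["AUDIT_INSERT_TIME"] for r in new)
    boundary = {r["AUDIT_ID"] for r in new if r["AUDIT_INSERT_TIME"] == last_ts}
    if last_ts == since:  # cursor did not move: keep the ids already recorded at that timestamp
        boundary |= seen
    return new, {"last_ts": last_ts, "seen_ids": sorted(boundary)}

def failed_logins(records: Iterable[dict]) -> List[dict]:
    """Defender-side triage over collected records: AUTH audits whose result is not SUCCESS."""
    return [r for r in records if r.get("AUDIT_ENTITY") == "AUTH" and r.get("AUDIT_RESULT") != "SUCCESS"]
```

Replacing fetch_page with a real page fetcher keeps the cursor logic unchanged; the state dict is what the input would persist between runs.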
Troubleshooting
Common issues and their solutions:
- Authentication failures
  - Verify API Key and API Key ID are correct and match
  - Ensure the API key has not expired
  - Check that the API key has appropriate permissions for audit log access
  - Confirm the API credentials were generated for the correct XSOAR instance
- Connection issues
  - Verify the domain name (FQDN) is correct and accessible
  - Ensure the domain name includes the full path: https://{YOUR-DOMAIN}/xsoar/public/v1/
  - Check network connectivity and firewall rules
  - Verify proper SSL/TLS configuration
- Missing data
  - Check the backfill_start_time configuration
  - Verify that audit logging is enabled in your XSOAR instance
  - Ensure the API user has permissions to access audit logs
Sample Record
```json
{
  "AUDIT_ID": 742856,
  "AUDIT_OWNER_NAME": "John Smith",
  "AUDIT_OWNER_EMAIL": "john.smith@example.com",
  "AUDIT_ASSET_JSON": "{}",
  "AUDIT_ASSET_NAMES": "asset-server-01",
  "AUDIT_HOSTNAME": "xsoar-server-01",
  "AUDIT_RESULT": "SUCCESS",
  "AUDIT_REASON": "",
  "AUDIT_DESCRIPTION": "User logged in successfully",
  "AUDIT_ENTITY": "AUTH",
  "AUDIT_ENTITY_SUBTYPE": "Login",
  "AUDIT_SESSION_ID": 856234719284,
  "AUDIT_CASE_ID": 394857261,
  "AUDIT_INSERT_TIME": 1744456299142,
  "AUDIT_SEVERITY": "SEV_010_INFORMATIONAL",
  "AUDIT_LINK": null,
  "AUDIT_SOURCE_IP": "203.0.113.45",
  "AUDIT_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
  "AUDIT_USER_ROLES": [
    "Security Analyst"
  ],
  "AUDIT_ADDITIONAL_INFORMATION": {
    "endpoint_names": [
      "WIN-server01"
    ],
    "endpoint_count": 5
  },
  "AUDIT_OBJECT_ID": null
}
```