Cortex XDR - fetch_incident_details in input_module_cortex_xdr.py

[iivvss]

Hi Team,

We are using the Palo Alto Networks Add-on for Splunk and it's working fine. We are also pulling the Cortex XDR incidents through API. The incidents hold a fair amount of data but we miss some fields that would be avalable using the get_incident_extra_data API method.

I saw something was implemented in the input_module_cortex_xdr.py but the function calls are commented:

# Uncomment this section if we decide to capture incident details.
# if helper.get_arg("XDR_GET_DETAILS") == "True":
    # get_details = True

As I am using splunkcloud, i don't have access to the .py files and can't uncomment this. Do you plan to release a way to enable / disable this through the add-on configuration menu ?

Kind regards,

Yves

[Bish0p404]

Hi iivvss,

Did you get any feedback about this?

Best Regards.

[thasteve]

Hi Team,

I'm having this same issue. Splunk is fantastic for correlating data. To correlate with XDR, we must have the get_incident_extra_data to pull information. I have a ticket open with Palo Alto proper and they referred me here.