Palo Alto Cortex XSIAM
Forward database audit events to Palo Alto Cortex XSIAM for AI-powered security operations. Leverage XQL queries and XSOAR playbooks for automated threat detection and response.
AI-Powered Analytics
Machine learning models detect anomalous database activity patterns automatically.
XQL Queries
Powerful query language for cross-dataset analysis and threat hunting.
XSOAR Playbooks
Trigger automated response playbooks on database security incidents.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "cortex-xsiam-prod") |
| provider | select | Yes | cortex-xsiam | SIEM provider - select "Palo Alto Cortex XSIAM" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| api_url | string | Yes | - | Cortex XSIAM API endpoint (e.g., "https://api-{tenant}.xdr.{region}.paloaltonetworks.com") |
| api_key | password | Yes | - | XSIAM API key with log ingestion permissions |
| api_key_id | string | Yes | - | API key ID associated with the API key |
2 XSIAM-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| vendor | string | No | DBaudit | Vendor name for XDM mapping |
| product | string | No | Database Audit | Product name for XDM mapping |
| log_type | string | No | database_audit | Log type identifier for parsing rules |
| compress | boolean | No | true | Enable gzip compression for API requests |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
1
Create API Key
Create an API key in Cortex XSIAM with log ingestion permissions.
# Create API Key in Cortex XSIAM:
# 1. Navigate to Settings → Configurations → API Keys
# 2. Click "+ New Key"
# 3. Enter a name (e.g., "dbaudit-integration")
# 4. Select Security Level: Standard or Advanced
# 5. Select Role: Instance Administrator or custom role with:
# - Log ingestion permissions
# - Dataset access
# 6. Copy the API Key and Key ID
# API Key format:
# API Key: xxxxxxxxxxxxxxxxxxxxxxxxxxx
# API Key ID: 1234
# API URL format depends on your region:
# US: https://api-{tenant}.xdr.us.paloaltonetworks.com
# EU: https://api-{tenant}.xdr.eu.paloaltonetworks.com
# UK: https://api-{tenant}.xdr.uk.paloaltonetworks.com
2
Create Parsing Rule
Create a parsing rule to map DB Audit events to the XDM schema.
// Cortex XSIAM Parsing Rule for DB Audit events
// Data Management → Parsing Rules → Add Rule
[INGEST:vendor="DBaudit", product="Database Audit", target_dataset="dbaudit_raw"]
filter _raw_log ~= "event_type"
| alter
xdm.event.type = json_extract_scalar(_raw_log, "$.event_type"),
xdm.source.user.username = json_extract_scalar(_raw_log, "$.actor.user"),
xdm.source.ipv4 = json_extract_scalar(_raw_log, "$.actor.client_ip"),
xdm.target.resource.name = json_extract_scalar(_raw_log, "$.action.object"),
xdm.database.name = json_extract_scalar(_raw_log, "$.source.database"),
xdm.event.outcome = json_extract_scalar(_raw_log, "$.severity"),
xdm.event.description = json_extract_scalar(_raw_log, "$.action.statement");
Note: Parsing rules ensure proper field extraction and enable advanced XQL queries on your data.
3
Test API Connection
Verify the API key and endpoint are working correctly.
# Test Cortex XSIAM API connectivity
curl -X POST "https://api-{tenant}.xdr.us.paloaltonetworks.com/public_api/v1/datasets/query" \
-H "Content-Type: application/json" \
-H "x-xdr-auth-id: YOUR_API_KEY_ID" \
-H "Authorization: YOUR_API_KEY" \
-d '{
"request_data": {
"query": "dataset = dbaudit_raw | limit 1"
}
}'
# Test log ingestion
curl -X POST "https://api-{tenant}.xdr.us.paloaltonetworks.com/logs/v1/xsiam" \
-H "Content-Type: application/json" \
-H "x-xdr-auth-id: YOUR_API_KEY_ID" \
-H "Authorization: YOUR_API_KEY" \
-d '[{"message": "test event", "vendor": "DBaudit", "product": "Database Audit"}]'
4
Configure in DB Audit
Add the Cortex XSIAM integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select Palo Alto Cortex XSIAM as the provider
- Enter your API URL, API Key, and API Key ID
- Configure vendor and product names for XDM mapping
- Select event types to forward
- Test the connection and save
Event Format
Events are sent to XSIAM in JSON format compatible with the log ingestion API.
{
"timestamp": "2024-01-15T10:30:45.123Z",
"event_type": "audit_event",
"severity": "warning",
"source": {
"database": "production-postgres",
"db_type": "postgresql",
"host": "db.example.com"
},
"actor": {
"user": "app_user",
"client_ip": "10.0.1.50",
"application": "backend-api"
},
"action": {
"type": "SELECT",
"object": "customers",
"schema": "public",
"statement": "SELECT * FROM customers WHERE...",
"rows_affected": 1500
},
"classification": {
"contains_pii": true,
"data_types": ["email", "phone"]
}
}
Sample XQL Queries
Use these XQL queries to analyze DB Audit events in Cortex XSIAM.
// XQL Query - All DB Audit events
dataset = dbaudit_raw
| fields _time, event_type, actor_user, action_type, database
// Filter by severity
dataset = dbaudit_raw
| filter severity = "critical"
| fields _time, actor_user, action_type, database, statement
// Large data access detection
dataset = dbaudit_raw
| filter action_type = "SELECT" and rows_affected > 10000
| comp count() as query_count by actor_user, database
| sort desc query_count
// User activity timeline
dataset = dbaudit_raw
| filter actor_user = "specific_user"
| fields _time, action_type, object, rows_affected
| sort asc _time
// Failed authentication analysis
dataset = dbaudit_raw
| filter event_type = "auth_failure"
| comp count() as failures by client_ip
| filter failures > 5
// PII access monitoring
dataset = dbaudit_raw
| filter contains_pii = true
| comp count() as pii_access by actor_user, database
| sort desc pii_access
// Join with endpoint data
dataset = dbaudit_raw
| join type = inner (
dataset = xdr_data
| filter event_type = PROCESS
) as endpoint on client_ip = agent_ip
| fields _time, actor_user, database, endpoint.process_name
Sample Correlation Rule
Create correlation rules to detect suspicious database activity patterns.
// XSIAM Correlation Rule - Suspicious Database Activity
// Detection → Correlation Rules → New Rule
Rule Name: Suspicious Database Data Exfiltration
Description: Detects queries returning large amounts of potentially sensitive data
XQL Query:
dataset = dbaudit_raw
| filter action_type = "SELECT"
| filter rows_affected > 10000
| filter contains_pii = true
| comp count() as events by actor_user, client_ip, database
Threshold: events > 0
Time Window: 1 hour
Severity: High
MITRE ATT&CK:
- Tactic: Collection
- Technique: Data from Information Repositories
Troubleshooting
Authentication failed (401)
Verify both the API Key and API Key ID are correct. Ensure the API key hasn't expired.
Permission denied (403)
Check that the API key has log ingestion permissions. Contact your XSIAM administrator to verify role assignments.
Events not parsing correctly
Verify the parsing rule matches the event JSON structure. Check the Data Management section for parsing errors.
Wrong API URL
Ensure the API URL matches your XSIAM tenant region (US, EU, UK). The tenant name should match your console URL.
Ready to Integrate with Cortex XSIAM?
Start forwarding database audit events to XSIAM in minutes.