asyncapi: 2.6.0
info:
  title: Cortex XSIAM Data Ingestion
  version: 1.0.0
  description: >
    Cortex XSIAM Data Ingestion provides streaming log and event ingestion
    endpoints for collecting security telemetry from external data sources
    into the XSIAM data lake. The ingestion service accepts data via HTTPS
    with streaming support, enabling high-throughput log collection for SIEM
    replacement and XDR-native data lake consolidation. Supported ingestion
    methods include Syslog forwarding over TCP/UDP/TLS, HTTPS log forwarding
    via REST endpoints, and XDR data forwarding from integrated Palo Alto
    Networks products. Ingested data is processed by the XSIAM correlation
    and analytics engines for threat detection, investigation, and automated
    response. Each ingestion event results in normalized data being indexed
    into the appropriate XSIAM dataset identified by vendor, product, and
    log type.
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
    email: [email protected]
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
  xsiam-collector:
    url: 'https://api-{fqdn}/logs/v1/event'
    protocol: https
    description: >
      Cortex XSIAM HTTP log collector endpoint for streaming log and event
      data ingestion. The FQDN is specific to the XSIAM tenant and is
      found in Settings > Configurations > Data Collection > HTTP Collectors.
      All requests require API key authentication using the x-xdr-auth-id
      header (key ID) and the Authorization header (API key value). Payloads
      may be gzip-compressed using the Content-Encoding: gzip header for
      improved throughput efficiency.
    variables:
      fqdn:
        description: >
          The XSIAM tenant fully qualified domain name, such as
          xsiam-tenant.xdr.us.paloaltonetworks.com.
    security:
      - apiKeyAuth: []
  syslog-receiver:
    url: '{syslogHost}:{syslogPort}'
    protocol: tcp
    description: >
      Syslog receiver endpoint for forwarding logs from external systems
      using Syslog over TCP, UDP, or TLS. Configure the source system to
      forward Syslog messages (RFC 3164 or RFC 5424) to this endpoint.
      TLS encryption is supported for secure log forwarding.
    variables:
      syslogHost:
        description: Hostname or IP address of the XSIAM Syslog receiver.
      syslogPort:
        description: Port number for Syslog ingestion (default 514 for UDP/TCP, 6514 for TLS).
tags:
  - name: ingestion
    description: Log and event data ingestion into the XSIAM data lake
  - name: logs
    description: Raw log data submission and forwarding events
  - name: xsiam
    description: Cortex XSIAM platform data collection events
  - name: streaming
    description: High-throughput streaming data ingestion operations
defaultContentType: application/json
channels:
  log_data/ingested:
    description: >
      Event channel for raw log data ingestion. Logs are submitted to the
      XSIAM HTTP collector endpoint as structured JSON batches. Each log
      entry must include dataset, vendor, product, log_type, and raw_log
      fields to route the data to the correct parsing pipeline. The XSIAM
      ingestion engine parses, normalizes, and indexes the log data into
      the appropriate dataset for analytics and correlation.
    subscribe:
      operationId: onLogDataIngested
      summary: Raw log data ingested into XSIAM
      description: >
        Fired when raw log data is submitted to the XSIAM log ingestion
        endpoint. The payload conforms to the XSIAM HTTP collector schema
        with dataset routing metadata and raw log content.
      message:
        $ref: '#/components/messages/LogDataIngested'
      bindings:
        http:
          method: POST
  event_data/ingested:
    description: >
      Event channel for structured event data ingestion. Pre-parsed events
      with normalized field mappings are submitted directly to the XSIAM
      data lake, bypassing the raw log parsing pipeline. Each event must
      include dataset, vendor, product, log_type, and timestamp metadata
      along with the normalized event fields. Used when the source system
      has already normalized data into XSIAM-compatible field mappings.
    subscribe:
      operationId: onEventDataIngested
      summary: Structured event data ingested into XSIAM
      description: >
        Fired when pre-normalized event data is submitted to the XSIAM
        event ingestion endpoint for direct indexing into the data lake
        without additional parsing.
      message:
        $ref: '#/components/messages/EventDataIngested'
      bindings:
        http:
          method: POST
  xdr_data/forwarded:
    description: >
      Event channel for XDR data forwarding from integrated Palo Alto
      Networks products including PAN-OS firewalls, Prisma Access, Cortex
      XDR agents, and other Strata products. Forwarded XDR data is
      automatically normalized and correlated within XSIAM for unified
      threat detection and investigation across the Palo Alto Networks
      security platform.
    subscribe:
      operationId: onXdrDataForwarded
      summary: XDR data forwarded from a Palo Alto Networks product
      description: >
        Fired when telemetry data is forwarded from an integrated XDR-enabled
        product. The payload includes product identification, tenant context,
        event identification, and the forwarded log content.
      message:
        $ref: '#/components/messages/XdrDataForwarded'
      bindings:
        http:
          method: POST
components:
  messages:
    LogDataIngested:
      name: LogDataIngested
      title: Log Data Ingested
      summary: >
        Raw log data submitted to the XSIAM HTTP log collector for parsing
        and ingestion into the data lake
      contentType: application/json
      headers:
        type: object
        properties:
          x-xdr-auth-id:
            type: string
            description: >
              API key identifier for authenticating requests to the XSIAM
              HTTP collector. Provided as a numeric string.
          Authorization:
            type: string
            description: >
              API key value for authenticating requests to the XSIAM HTTP
              collector. Provided as a Bearer token or raw key string.
          Content-Encoding:
            type: string
            description: >
              Content encoding of the request body. Use 'gzip' for
              compressed payloads to improve ingestion throughput.
            enum:
              - gzip
              - identity
      payload:
        $ref: '#/components/schemas/LogDataPayload'
      examples:
        - name: FirewallTrafficLogIngestion
          summary: Batch of PAN-OS firewall traffic logs ingested via HTTP collector
          payload:
            dataset: firewall_traffic_raw
            vendor: Palo Alto Networks
            product: PAN-OS
            log_type: traffic
            raw_log: >-
              Nov 15 10:32:01 PA-3260 1,2024/01/15 10:32:01,012345678901,TRAFFIC,end,
              2049,2024/01/15 10:32:01,10.0.1.100,10.0.2.200,0.0.0.0,0.0.0.0,
              allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/1,ethernet1/2,
              default,2024/01/15 10:32:01,12345,1,54321,80,0,0,0x19,tcp,allow,1500,800,700
            timestamp: '2024-01-15T10:32:01.000Z'
            tenant_id: xsiam-tenant-001
            event_id: evt-20240115-103201-001
          x-microcks-default: true
    EventDataIngested:
      name: EventDataIngested
      title: Event Data Ingested
      summary: >
        Structured and normalized event data submitted directly to the XSIAM
        data lake for indexing without additional parsing
      contentType: application/json
      payload:
        $ref: '#/components/schemas/EventDataPayload'
      examples:
        - name: AuthenticationEventIngestion
          summary: Normalized authentication event submitted directly to data lake
          payload:
            dataset: authentication_events
            vendor: Microsoft
            product: Active Directory
            log_type: authentication
            raw_log: '{"EventID":4625,"AccountName":"jsmith","LogonType":3,"FailureReason":"Unknown user name or bad password"}'
            timestamp: '2024-01-15T10:28:00.000Z'
            tenant_id: xsiam-tenant-001
            event_id: evt-20240115-102800-002
          x-microcks-default: true
    XdrDataForwarded:
      name: XdrDataForwarded
      title: XDR Data Forwarded
      summary: >
        Telemetry data forwarded from a Palo Alto Networks XDR-enabled
        product to XSIAM for unified detection and correlation
      contentType: application/json
      payload:
        $ref: '#/components/schemas/XdrDataPayload'
      examples:
        - name: CortexXdrAgentForwarding
          summary: Endpoint telemetry forwarded from Cortex XDR agent
          payload:
            dataset: xdr_agent_raw
            vendor: Palo Alto Networks
            product: Cortex XDR Agent
            log_type: xdr_data
            raw_log: '{"type":"PROCESS_EVENT","hostname":"WORKSTATION-042","pid":4821,"process_name":"powershell.exe","command_line":"powershell.exe -enc base64encodedcommand","user":"DOMAIN\\jsmith"}'
            timestamp: '2024-01-15T10:35:00.000Z'
            tenant_id: xsiam-tenant-001
            event_id: evt-20240115-103500-003
          x-microcks-default: true
  schemas:
    LogDataPayload:
      type: object
      description: >
        The payload structure for raw log data ingestion via the XSIAM HTTP
        collector. Contains routing metadata to direct the log to the correct
        parsing pipeline, the raw log content, and optional event
        identification fields.
      required:
        - dataset
        - vendor
        - product
        - log_type
        - raw_log
        - timestamp
        - tenant_id
        - event_id
      properties:
        dataset:
          type: string
          description: >
            The target XSIAM dataset name that this log data should be
            indexed into. Dataset names correspond to XSIAM data lake
            tables and determine the schema applied during normalization.
          example: firewall_traffic_raw
        vendor:
          type: string
          description: >
            The name of the vendor that produced the log data. Used in
            combination with product and log_type to identify the correct
            parsing rule for normalizing the raw log content.
          example: Palo Alto Networks
        product:
          type: string
          description: >
            The name of the specific product or component that generated the
            log. Used in combination with vendor and log_type to route the
            log to the appropriate XSIAM parsing pipeline.
          example: PAN-OS
        log_type:
          type: string
          description: >
            The log type identifier that classifies the nature of the log
            content, such as traffic, threat, authentication, or syslog.
            Used to select the correct normalization schema.
          example: traffic
        raw_log:
          type: string
          description: >
            The raw log content in its original format as produced by the
            source system. May be a syslog message, CSV line, JSON string,
            CEF record, or any other log format supported by the configured
            XSIAM parsing rules.
          example: 'Nov 15 10:32:01 PA-3260 1,2024/01/15...'
        timestamp:
          type: string
          format: date-time
          description: >
            The ISO 8601 date-time string indicating when this log event
            occurred at the source. If not provided, the ingestion receipt
            time is used as the event timestamp.
          example: '2024-01-15T10:32:01.000Z'
        tenant_id:
          type: string
          description: >
            The XSIAM tenant identifier that this log data belongs to.
            Used for multi-tenant environments to route data to the correct
            tenant data lake partition.
          example: xsiam-tenant-001
        event_id:
          type: string
          description: >
            A unique identifier for this individual log event, generated by
            the submitting system or the XSIAM ingestion service. Used for
            deduplication and event correlation tracking.
          example: evt-20240115-103201-001
    EventDataPayload:
      type: object
      description: >
        The payload structure for pre-normalized event data ingestion directly
        into the XSIAM data lake. Contains all required routing metadata plus
        the normalized event content for direct dataset indexing.
      required:
        - dataset
        - vendor
        - product
        - log_type
        - raw_log
        - timestamp
        - tenant_id
        - event_id
      properties:
        dataset:
          type: string
          description: >
            The target XSIAM dataset name for direct indexing. Must match an
            existing dataset schema in the XSIAM data lake.
          example: authentication_events
        vendor:
          type: string
          description: >
            The vendor that produced the source event data.
          example: Microsoft
        product:
          type: string
          description: >
            The product that generated the source event.
          example: Active Directory
        log_type:
          type: string
          description: >
            The log type or event category identifier for schema selection
            during indexing.
          example: authentication
        raw_log:
          type: string
          description: >
            The original raw event content from the source system, preserved
            alongside normalized fields for audit and reprocessing purposes.
          example: '{"EventID":4625,"AccountName":"jsmith",...}'
        timestamp:
          type: string
          format: date-time
          description: >
            The ISO 8601 date-time string indicating when the original event
            occurred at the source system.
          example: '2024-01-15T10:28:00.000Z'
        tenant_id:
          type: string
          description: >
            The XSIAM tenant identifier for multi-tenant data routing.
          example: xsiam-tenant-001
        event_id:
          type: string
          description: >
            A unique identifier for this event record used for deduplication
            and correlation reference.
          example: evt-20240115-102800-002
    XdrDataPayload:
      type: object
      description: >
        The payload structure for XDR data forwarding from integrated Palo
        Alto Networks products. Contains product identification, tenant
        context, event identification, and the forwarded telemetry content
        for correlation in the XSIAM unified data lake.
      required:
        - dataset
        - vendor
        - product
        - log_type
        - raw_log
        - timestamp
        - tenant_id
        - event_id
      properties:
        dataset:
          type: string
          description: >
            The target XSIAM dataset name for the forwarded XDR data.
          example: xdr_agent_raw
        vendor:
          type: string
          description: >
            The Palo Alto Networks product vendor designation for the
            forwarding source. Typically 'Palo Alto Networks'.
          example: Palo Alto Networks
        product:
          type: string
          description: >
            The specific Palo Alto Networks product forwarding XDR data,
            such as Cortex XDR Agent, PAN-OS, Prisma Access, or
            Strata Logging Service.
          example: Cortex XDR Agent
        log_type:
          type: string
          description: >
            The XDR data type or telemetry category being forwarded
            (e.g., xdr_data, endpoint_event, network_event).
          example: xdr_data
        raw_log:
          type: string
          description: >
            The raw XDR telemetry content as serialized JSON from the
            forwarding product. Contains all available event fields from
            the source product's data model.
          example: '{"type":"PROCESS_EVENT","hostname":"WORKSTATION-042",...}'
        timestamp:
          type: string
          format: date-time
          description: >
            The ISO 8601 date-time string indicating when the XDR event
            was captured by the source product.
          example: '2024-01-15T10:35:00.000Z'
        tenant_id:
          type: string
          description: >
            The XSIAM tenant identifier to which this XDR data belongs.
            Ensures forwarded data is routed to the correct tenant
            environment in multi-tenant deployments.
          example: xsiam-tenant-001
        event_id:
          type: string
          description: >
            A unique identifier for this forwarded XDR event, used for
            deduplication, correlation, and audit trail tracking.
          example: evt-20240115-103500-003
  securitySchemes:
    apiKeyAuth:
      type: httpApiKey
      description: >
        API key authentication for XSIAM HTTP collector endpoints. Requires
        two headers: x-xdr-auth-id containing the API key ID (numeric), and
        Authorization containing the API key value. Both are generated in
        XSIAM Settings > Configurations > Integrations > API Keys.
      name: Authorization
      in: header
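The spec above describes the xsiam-collector request shape (required LogDataPayload fields, the x-xdr-auth-id and Authorization headers, optional gzip Content-Encoding) without showing a client. The following is an added example, not Palo Alto Networks code: it validates each entry against the schema's required fields before the batch leaves the sender, builds the headers and optionally gzip-compressed body, and shows the receiver-side decode. It assumes the batch is framed as one JSON object per line; the sample entry and auth values are constructed.

```python
import gzip
import json
from datetime import datetime

# Required fields of the LogDataPayload schema in the spec above.
REQUIRED_FIELDS = ("dataset", "vendor", "product", "log_type",
                   "raw_log", "timestamp", "tenant_id", "event_id")


def validate_entry(entry: dict) -> list:
    """Return the problems found; an empty list means the entry is routable."""
    problems = ["missing " + f for f in REQUIRED_FIELDS if not entry.get(f)]
    if entry.get("timestamp"):
        try:  # ISO 8601 date-time; a trailing Z is accepted as UTC
            datetime.fromisoformat(str(entry["timestamp"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not an ISO 8601 date-time")
    return problems


def build_collector_request(entries: list, auth_id: str, api_key: str,
                            compress: bool = True) -> tuple:
    """Build (headers, body) for a POST to the xsiam-collector server. A bad
    entry is rejected here rather than mis-routed silently after ingestion."""
    bad = {e.get("event_id") or "#%d" % i: p
           for i, e in enumerate(entries) if (p := validate_entry(e))}
    if bad:
        raise ValueError("invalid entries: %r" % bad)
    # Assumption: the batch is framed as one JSON object per line.
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in entries).encode()
    headers = {"x-xdr-auth-id": auth_id,        # API key ID (numeric string)
               "Authorization": api_key,        # API key value
               "Content-Type": "application/json",
               "Content-Encoding": "identity"}
    if compress:
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    return headers, body


def decode_batch(headers: dict, body: bytes) -> list:
    """Receiver side: honour Content-Encoding, then split the batch."""
    if headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)
    return [json.loads(line) for line in body.decode().splitlines() if line]


# Constructed sample entry, mirroring the FirewallTrafficLogIngestion example.
SAMPLE_ENTRIES = [{"dataset": "firewall_traffic_raw", "vendor": "Palo Alto Networks",
                   "product": "PAN-OS", "log_type": "traffic", "tenant_id": "xsiam-tenant-001",
                   "raw_log": "Nov 15 10:32:01 PA-3260 1,2024/01/15 10:32:01,...",
                   "timestamp": "2024-01-15T10:32:01.000Z", "event_id": "evt-20240115-103201-001"}]
```

Sending the result is a plain HTTPS POST of `body` with `headers` to the tenant's collector URL; the API key value belongs in a secret store, not in source.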