# Update Splunk Index

The index definition is set by a search macro.

| Macro | Default | Description |
| --- | --- | --- |
| sa_cortex_xdr_index | index=pan_endpoints | Index definition for Palo Alto Networks Cortex XDR index. |

Update the index definition to the correct index that contains the cortex:xdr:endpoints sourcetype.

# How to update

In Splunk Enterprise Security:

  1. Navigate to Configure > General > General Settings.
  2. From the "App" dropdown select SA-CortexXDRDevices.
  3. Update the SA-CortexXDRDevices Index definition and click "Save."

Alternatively, edit the search macro directly:

  1. Navigate to Settings > Advanced Search > Search Macros.
  2. From the "App" dropdown choose SA-CortexXDRDevices.
  3. Set the "Owner" dropdown to any.
  4. Click the macro named sa_cortex_xdr_index to update the index definition.
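
To find which index holds the cortex:xdr:endpoints sourcetype, and to confirm the macro after saving, two searches can be run from the Search app. These are added examples, not part of the app's own documentation, and the 7-day window is an assumption to adjust to your retention.

```spl
| tstats count max(_time) as last_event where index=* sourcetype="cortex:xdr:endpoints" earliest=-7d by index
| convert ctime(last_event)

`sa_cortex_xdr_index` sourcetype="cortex:xdr:endpoints" earliest=-7d
| stats count by index
```

The first search lists every index that received the sourcetype and when the last event arrived; use that index name in the macro definition. The second search, run separately in the SA-CortexXDRDevices app context (or with the macro shared globally), should return a non-zero count for the same index once the macro is updated.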