Palo Alto Networks Cortex Data Lake client library


This Palo Alto Networks Cloud NodeJS library was created to assist developers with programmatically interacting with the Palo Alto Networks Cortex Data Lake API's.


Incorporate the pan-cortex-data-lake NodeJS package in your project with the following bash command:

npm i @paloaltonetworks/pan-cortex-data-lake

You can also install the package from its GITHUB repo

npm i git://

You can now import the package into your NodeJS code.

const cortex = require('@paloaltonetworks/pan-cortex-data-lake');

Source code is written in TypeScript and the build process productes type definition files which means you can leverage strongly type and code auto-complete features.

import * as cortex from '@paloaltonetworks/pan-cortex-data-lake'


There are two options to get your application authorized to access customer data using the Cortex Data Lake API:

  • Getting a client certificate (platform applications)
  • Publishing your application in Cortex hub and using the code grant OAuth2 flow

Use the QueryServiceClient.factory() to create an object instance in any of the previous cases:

Example of a mTLS object instance

async init() {
    const mtlsCert = readFileSync(CERTIFICATE_FILE);
    const mtlsKey = readFileSync(KEY_FILE);
    const qsc = await QueryServiceClient.factory({ cert: mtlsCert, key: mtlsKey });

Example using OAuth2 credentials (JWT)

async function init() {
    const credentials = {
        getToken: () => Promise.resolve(ACCESS_TOKEN),
        getEntryPoint: () => ''
    const qsc = cortex.QueryServiceClient.factory({
        cortexDefCredentials: credentials

Take a look to the complementary repo pan-cortex-hub-nodejs with a collection of compatible credential objects as well as full secret repositories (CortexCredentialProvider) and building blocks for a SaaS component to interface with Cortex hub.

Getting started with QueryService

Using stream readable interface

function main() {
    const queryStream ="SELECT * from `" + INSTANCE_ID + ".firewall.traffic` LIMIT 10");
    return new Promise((res, rej) => {
        queryStream.on('error', rej);
        queryStream.on('end', res);
        // each object emitted corresponds to a page of results (any[])
        queryStream.on('data', console.log);

Using async iterable interface (introduced in ES2018)

async function main() {
    for await (const page of qsc.iterator("SELECT * from `" + INSTANCE_ID + ".firewall.traffic` LIMIT 10")) {

Code snippets

Review the folder /examples for quick starting code

Running the integration tests

  1. Optional: run npm run build:test to build the mocha integration test (/test directory)
    1. set the CORTEX_TEST_GOODCERT environmental variable to the path to load good client-side certificates. The test suite will try to load a file named process.env[CORTEX_TEST_GOODCERT]+'.cert' and a file named process.env[CORTEX_TEST_GOODCERT]+'.key'
    2. set the environmental variables CORTEX_TEST_BASEFQDN and CORTEX_TEST_TENANTID to map to the Apollo 2.0 environment and tenant you'll be testing
    3. Run npm run test to execute the integration tests

Developer Sites


Copyright © 2024 Palo Alto Networks, Inc. All rights reserved.