Forward Logs from Cortex Data Lake to an Email Server

Sign In
to the hub at https://apps.paloaltonetworks.com/.
Select the Cortex Data Lake instance that you want to configure for email forwarding.
If you have multiple Cortex Data Lake instances, hover over the Cortex Data Lake tile and then select an instance from the list of available instances.
Configure email forwarding.
You cannot add your SMTP server to Cortex Data Lake currently.
Select
Log Forwarding
Add
to add a new email forwarding profile.

Enter a descriptive
Name
for the profile.
Enter the email address of the administrator
To
whom you want to send email.
You can enter up to ten additional email addresses, separated by commas, to add as
BCC
.
Enter the
Email Subject
to clearly identify the purpose of the notification.
Select the logs you want to forward.
Add
a new log filter.

Select the
Log Type
.

(Optional)
Create a log filter to forward only the logs that are most critical to you.
You can either write your own queries from scratch or use the query builder. You can also select the query field to choose from among a set of common predefined queries.
Log filters function like queries in Explore, with the following differences:
No double quotes (
“”
).
No subnet masks. To return IP addresses with subnets, use the
LIKE
operator. Example:
src_ip.value LIKE “192.1.1.%”
.
If you want to forward all logs of the type you selected, do not enter a query. Instead, proceed to the next step.
Save
your changes.
Add other log types for which you’d like to receive email notifications.
Save
your changes.
Email forwarding is rate limited to allow 10 emails per second.
Verify that the
Status
of your email forwarding profile is
Running
( ).