What’s New in Cortex Data Lake

Here are the new features in Cortex Data Lake.
Feature
Description
Log Forwarding Integration
November 2020
You can now forward logs from within the Cortex Data Lake app, enabling you to conveniently manage onboarding, storage, and log transmission in a single application. In moving to the Cortex Data Lake app, the log forwarding interface now has a new, simplified design that makes it easier to begin configuring Syslog and email profiles to forward your Cortex Data Lake log data.
Log Filter Query Support
November 2020
When creating your log forwarding profiles in Cortex Data Lake, you can now use the same query language from Explore to define precise log filters based on time, device serial number, IP address, and more.
LEEF Format Support for IBM QRadar
November 2020
You can now forward logs in Log Extended Event Format (LEEF) for use with IBM QRadar SIEM.
Combined Log Types
November 2020
To simplify the list of available log types for log forwarding, the tunnel log type now includes GTP logs, and Threat logs now include WildFire logs.
Because log forwarding profiles can only include one filter per log type, if you had a log forwarding profile with a log filter for both of the formerly separate log types, you will now see a new log forwarding profile. This profile contains the log filter that could not be duplicated in the original profile.
For example, a log forwarding profile with filters for both tunnel and GTP logs now appears as two profiles, each with a tunnel filter. One of the profiles will continue filtering tunnel logs and the other will filter GTP logs, which are now included in tunnel logs. The new profile will be called <original name> - GTP or, in the case of Threat and WildFire, <original name> - WildFire.
Non-Editable Log Forwarding Filters
November 2020
Some log filters created in the previous Log Forwarding app can no longer be edited. If you would like to change such filters, you must delete them and create new ones.
Because some fields in the migrated filters are no longer available, you may not be able to recreate an identical filter if you delete it.
Japan Regional Support
September 2020
To comply with data privacy regulations that require you to keep data within Japanese regional boundaries, you can now select Japan as a host region when you activate Cortex Data Lake.
Canada Regional Support
July 2020
To comply with data privacy regulations that require you to keep data within Canadian regional boundaries, you can now select Canada as a host region when you activate Cortex Data Lake.
To choose Canada as your host region, select Canada at activation. The Americas region represents the United States only.
Proxy Support
July 2020
(PAN-OS 10.0 or later) You can now configure the firewall to forward logs to Cortex Data Lake through a proxy server. This enables you to send log data to Cortex Data Lake from a network without a default gateway.
UK and Singapore Regional Support
July 2020
For compliance with regulations that require you to keep data within regional boundaries, you can now select the UK or Singapore as a host region when you activate Cortex Data Lake.
Quota Manager Enhancements
June 2020
The quota manager now features a detailed breakdown of firewall log types and a simpler method of allocating remaining storage to help you more easily manage your Cortex Data Lake log storage.
Instead of a single Detailed log type, the quota manager now displays the firewall log types individually. The Infrastructure & Audit log type now appears as System and Config logs.
To allocate all remaining storage to one or more log types, you can now leave the quota percentage of log types blank and the quota manager will automatically assign them the unallocated space.
New Quota Manager UI
April 2020
To help you more easily allocate log storage and visualize the data you're storing in Cortex Data Lake, the Cortex Data Lake app now features a completely redesigned quota manager.
The quota manager now visually displays your total storage capacity as a bar, with color-coded segments representing different log sources so you can instantly identify how much storage a service uses and adjust if necessary.
New Minimum PAN-OS Version for Cortex Data Lake Without Panorama
March 2020
To authenticate using the new G2 certificate chain, firewalls that you want to onboard to Cortex Data Lake without using Panorama must now run PAN-OS 9.0.6 or later.
Cortex Data Lake Without Panorama
July 2019
Until PAN-OS 9.0.3, Panorama was required to onboard firewalls to Cortex Data Lake, and to view logs stored in Cortex Data Lake. Now, firewalls running PAN-OS 9.0.3 and later can securely connect and log to Cortex Data Lake, without Panorama. The new app, Explore, allows you to see and interact with the log data stored in Cortex Data Lake.
New App-ID for Palo Alto Networks Shared Services
May 2019
For better application visibility and control, you now have a new App-ID for paloalto-shared-services, in addition to the App-ID for the paloalto-logging-service. The paloalto-shared-services App-ID identifies traffic for any shared services that are used by Palo Alto Networks, including Directory Sync Service, Logging Service, and Magnifier; any paloalto-shared-services traffic that was earlier identified as ssl or web-browsing will now be identified as paloalto-shared-services.
If you have a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to the Cortex Data Lake that the Panorama appliance uses to query logs, and enable communication to the shared services and the Cortex Data Lake for performing certificate status and revocation checks.
Connection Status Reporting Improvements
September 2018
To help with visibility on the status and connectivity to the Cortex Data Lake, the Cloud Services plugin 1.2 provides details on the connection status between Panorama and the Cortex Data Lake. On Panorama > Cloud Services > Status > Status, you can now verify that the Panorama appliance was able to successfully retrieve the Logging Service certificate, view the Customer Identification number and the region in which your Cortex Data Lake instance is deployed, and confirm that the Panorama appliance is connected to the Logging Service. If any of these checks fail, the Status is reported as an error.
New App-ID for Palo Alto Networks Shared Services
September 2018
For better application visibility and control, you now have a new App-ID for paloalto-shared-services, in addition to the App-ID for the paloalto-logging-service. The paloalto-shared-services App-ID identifies traffic for any shared services that are used by Palo Alto Networks, including Directory Sync Service, Logging Service, and Magnifier; any paloalto-shared-services traffic that was earlier identified as ssl or web-browsing will now be identified as paloalto-shared-services.
If you have a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to the Cortex Data Lake that the Panorama appliance uses to query logs, and enable communication to the shared services and the Cortex Data Lake for performing certificate status and revocation checks.
Expand Log Storage Capacity for Traps Logs
April 2018
You can now activate the Cortex Data Lake Auth code from the cloud services portal to upgrade the Traps Included Storage of 100GB to a Cortex Data Lake license with larger storage capacity.
Log Quota Management on the hub
March 2018
Starting March 19, 2018, you must use the cloud services portal to manage the log quota for logs stored on the Cortex Data Lake.
Log in to the cloud services portal using your Customer Support Portal credentials, and then refer to the Logging Service Getting Started Guide for instructions on activating licenses and deploying this service.