Add an XDR Collector Profile

Add a Cortex® XDR™ Collector profile, which defines the data that is collected from the collector machine.
You can add a Cortex® XDR™ Collector profile, which defines the data that is collected from the collector machine, for either a Windows or Linux platform. Data collection from a collector machine is configured using Elasticsearch* Filebeat in the Elasticsearch Filebeat default configuration file called filebeat.yml, which is included as part of the XDR Collector Profile configuration. Cortex XDR supports using Filebeat 7.14 with the operating systems listed in the Elasticsearch Support Matrix that are also collector machine operating systems supported by Cortex XDR. Cortex XDR supports the various input types and modules available in Elasticsearch Filebeat. For more information on the input types supported, see Configure Filebeat Inputs in Elasticsearch. For more information on the modules supported, see Configure Filebeat Modules in Elasticsearch.
When defining data collection in an XDR Collector profile using the Elasticsearch Filebeat configuration file editor, you can configure, within the filebeat.yml file, whether the data collected undergoes follow-up processing in the backend for the following data.
  • Windows DHCP—You can enrich network logs with Windows DHCP data when defining data collection in an XDR Collector profile. Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search using the Windows DHCP XQL dataset (windows_dhcp_raw).
    This enrichment is also available when configuring a Windows DHCP Collector for a cloud data collection integration.
The XDR Collector profile is also where you configure whether to implement an automatic upgrade of the Cortex XDR Collector release. Once you have added an XDR Collector profile, you need to associate the profile with a particular policy for a collector machine.
For more information on Elasticsearch Filebeat, see the Elasticsearch Filebeat Overview Documentation.
  1. In Cortex XDR, select Settings > Configurations > XDR Collectors > Profiles.
  2. Select the platform for the collector machine that you want to create a profile for.
    • For Windows—Select +New Profile > Windows Profile.
    • For Linux—Select +New Profile > Linux Profile.
    The configuration settings are the same for both Windows and Linux.
  3. Configure the General Information parameters.
    • Profile Name—Specify a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy.
    • Add description here—(Optional) To provide additional context for the purpose or business reason for creating the profile, specify a profile description.
  4. Configure the Collector Upgrade parameters.
    You can configure an automatic upgrade for the Cortex XDR Collector release. By default, this is disabled and Use Default (Disabled) is selected. To implement an automatic upgrade, follow these steps.
    1. Clear the Use Default (Disabled) checkbox.
    2. For the Collector Auto-Upgrade field, select Enabled.
      When configuring this field, the following additional fields are displayed for defining the scope of the automatic upgrade.
    3. You can configure the scope of the automatic upgrade to whenever a new XDR Collector release is available, including maintenance releases and new features.
      • To ensure the latest XDR Collector release is used, leave the Use Default (Latest collector release) checkbox selected.
      • To configure only a particular scope, perform the following steps.
        1. Clear the Use Default (Latest collector release) checkbox.
        2. For the Auto Upgrade Scope, select one of the following options.
          - Latest collector release—Configures the scope of the automatic upgrade to whenever a new XDR Collector release is available, including maintenance releases and new features.
          - Only maintenance release—Configures the scope of the automatic upgrade to whenever a new XDR Collector maintenance release is available.
          - Only maintenance releases in a specific version—Configures the scope of the automatic upgrade to whenever a new XDR Collector maintenance release is available for a specific version. When this option is selected, you can select the specific Release Version.
  5. Configure the Filebeat configuration file.
    In the Filebeat configuration file editor, you define the data collection for your Elasticsearch Filebeat configuration file called filebeat.yml. Cortex XDR supports the various input types and modules available in Elasticsearch Filebeat. For more information on the input types supported, see Configure Filebeat Inputs in Elasticsearch. For more information on the modules supported, see Configure Filebeat Modules in Elasticsearch.
    In addition, you can download two example filebeat.yml configuration files from the user interface, which show how to configure data collection using an input or a module. To download the examples, select Download Filebeat Module Configurations File Example and Download Filebeat Input Configurations File Example.
    When defining data collection in an XDR Collector profile using the Elasticsearch Filebeat configuration file editor, you can configure, within the filebeat.yml file, whether the data collected undergoes follow-up processing in the backend for the following data.
    • Windows DHCP—You can enrich network logs with Windows DHCP data when defining data collection by adding the following add_tags processor definition, which writes the windows_dhcp tag into the xdr_log_type field of each event:
      - add_tags:
          tags: [windows_dhcp]
          target: "xdr_log_type"
    • Cortex XDR collects all logs in either a JSON or text format that are uncompressed. Compressed files, such as in a gzip format, are unsupported.
    • Cortex XDR only supports logs in single-line format; multiline logs are unsupported. For more information on handling messages that span multiple lines of text in Elasticsearch Filebeat, see Manage Multiline Messages.
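    The following filebeat.yml is an added example for a Windows profile, not one of the sample files downloadable from the UI. It tags Windows DHCP logs for backend enrichment and also collects a JSON application log, while respecting the uncompressed and single-line constraints above; the DHCP directory is the Windows default and the application log path is a placeholder.

```yaml
# Added example filebeat.yml for an XDR Collector profile on a Windows collector
# machine; not one of the sample files provided in the Cortex XDR UI.
# Assumptions: the DHCP audit log directory is the Windows default, and the
# application log path is a placeholder to replace with a real location.
filebeat.inputs:
  # Input 1: Windows DHCP server audit logs, one CSV record per line.
  - type: log
    enabled: true
    paths:
      - 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
    # Skip rotated archives: Cortex XDR does not accept compressed (e.g. gzip) files.
    exclude_files: ['\.gz$', '\.zip$']
    # Tag these events so the backend can use them for the windows_dhcp_raw
    # dataset and enrich network logs with hostnames and MAC addresses.
    processors:
      - add_tags:
          tags: [windows_dhcp]
          target: "xdr_log_type"

  # Input 2: an application log written as one JSON object per line.
  - type: log
    enabled: true
    paths:
      - 'C:\ProgramData\ExampleApp\logs\*.json'   # placeholder path
    exclude_files: ['\.gz$']
    # Each line is a complete JSON document; promote its keys to the top level
    # and record a parse error field instead of silently dropping bad lines.
    json.keys_under_root: true
    json.add_error_key: true
    # Deliberately no "multiline" section: Cortex XDR only supports single-line
    # logs, so the application must emit each event on one line.
```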
  6. Create your new profile, which is listed under the applicable platform in the XDR Collectors Profiles page.
  7. Associate the profile with a policy. You can do this in two ways. You can Create a new policy rule using this profile from the right-click menu, or you can launch the new policy wizard from the XDR Collectors > Policies > XDR Collectors Policies page.
  8. Other available options.
    As needed, you can return to the XDR Collectors Profiles page to manage your XDR Collector profiles. To manage a specific profile, right-click anywhere in the XDR Collector profile row, and select the desired action:
    • Edit the XDR Collector profile settings.
    • Save As New—Enables you to copy the existing profile with its current settings, make any modifications, and save it as a new profile by adding a unique name.
    • Delete the XDR Collector profile.
    • View Collector Policies—Opens a new tab with the XDR Collectors Policies page displayed, so you can easily see the current policies that are associated with your XDR Collector profiles.
    • Copy text to clipboard to copy the text from a specific field in the row of an XDR Collector profile.
    • Copy entire row to copy the text from the entire row of an XDR Collector profile.
Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.