External Data Ingestion Vendor Support

To augment your Cortex XDR data, you can set up Cortex XDR to ingest data from a variety of external third-party sources.

Ingesting logs and data requires a Cortex XDR Pro per TB license.

To provide you with a more complete and detailed picture of the activity involved in an incident, you can ingest data from a variety of external, third-party sources in Cortex XDR.

Log /Data Type	Vendor Support
`Network Connections`	Amazon S3 (flow logs) Azure Event Hub Azure Network Watcher (flow logs) Check Point FW1/VPN1 Cisco ASA Corelight Zeek Fortinet Fortigate Google Cloud Platform (flow logs) Okta Windows DHCP using Elasticsearch Filebeat Zscaler Cloud Firewall
`Authentication Services/Audit Logs`	Amazon S3 (audit logs) Azure Event Hub (audit logs) Google Cloud Platform (audit logs) Google Workspace Microsoft Office 365 Okta PingFederate PingOne for Enterprise
`Operation and System Loggers`	Amazon S3 (generic logs) AWS CloudTrail and Amazon CloudWatch (generic logs) Azure Event Hub Google Kubernetes Engine Google Cloud Platform Okta Prisma Cloud (alerts) Prisma Cloud Compute (alerts)
`Endpoint Logs`	Activate the Windows Event Collector
`Cloud Assets`	AWS Google Cloud Platform Microsoft Azure
`Custom External Sources`	Any vendor sending CEF or LEEF formatted Syslog Any vendor CSV files on a shared Windows directory Any vendor logs stored in a database Any vendor logs stored in files on a network share Any vendor logs from a third party source over FTP, FTPS, or SFTP Any vendor sending NetFlow flow records Any vendor sending logs over HTTP Apache Kafka BeyondTrust Privilege Management Cloud ElasticSearch Filebeat Forcepoint DLP PAN IoT Security Proofpoint Targeted Attack Protection ServiceNow CMDB Workday Any vendor sending alerts

Cortex XDR can receive logs or both logs and alerts from the source. Depending on the data source, Cortex XDR can provide visibility into your external data in the form of.

Log stitching with other logs such as to create network or authentication stories.

Raw data in queries from XQL Search.

Alerts reported by the vendor throughout Cortex XDR, such as in the Alerts table, incidents, and views.

Alerts raised by Cortex XDR on log data such as Analytics alerts

For more information, see Visibility of Logs and Alerts from External Sources in Cortex XDR.

To ingest data, you must set up the Syslog Collector applet on a Broker VM within your network.

Document:Cortex® XDR Pro Administrator’s Guide

External Data Ingestion Vendor Support

External Data Ingestion Vendor Support

Recommended For You

Document:Cortex® XDR Pro Administrator’s Guide

External Data Ingestion Vendor Support

External Data Ingestion Vendor Support

Recommended For You

Recommended Videos