Ingest CSV Files as Datasets

Cortex XDR can receive CSV log files from a shared Windows directory, where the CSV log files must conform to specific guidelines.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
Cortex XDR can receive CSV log files from a shared Windows directory directly into your log repository for query and visualization purposes. After you activate the CSV Collector applet on a broker VM in your network, which includes defining the list of folders mounted to the broker VM and setting the list of CSV files to monitor and upload to Cortex XDR (using a username and password), you can ingest CSV files as datasets.
The ingested CSV log files must conform to the following guidelines:
  • Header field names must contain only letters (a-z, A-Z) or numbers (0-9) and must start with a letter. Spaces are converted to underscores (_).
  • Date values can be in either of the following formats:
    • YYYY-MM-DD (optionally including HH:MM:SS)
    • Unix Epoch time. For example, 1614858795.
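Because the collector silently applies these rules to whatever lands in the share, it is worth checking a CSV file before it is copied there. The following validator is an added example, not code from the Cortex XDR product or its documentation. It follows the two guidelines above literally: a raw header may contain only letters, digits and spaces (spaces are normalized to underscores exactly as the collector does), and a date column must hold either YYYY-MM-DD with an optional HH:MM:SS part or Unix epoch seconds. Two details the page does not specify are assumptions here: the time part is separated from the date by a single space, and epoch values are 9 or 10 digits (seconds, as in the page's example, not milliseconds). The sample CSV embedded at the bottom is constructed for the example.

```python
import csv
import io
import re
from datetime import datetime

# Header rule from the page: letters/digits only, must start with a letter.
# Spaces are allowed in the raw name because the collector turns them into "_".
RAW_HEADER_RE = re.compile(r"[A-Za-z][A-Za-z0-9 ]*")

# Date rule from the page: YYYY-MM-DD, optionally followed by HH:MM:SS.
# Assumption (not stated on the page): the time part is separated by one space.
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})( (\d{2}:\d{2}:\d{2}))?")

# Assumption: epoch values are seconds (9-10 digits), like the page's 1614858795.
EPOCH_RE = re.compile(r"\d{9,10}")


def normalize_header(name: str) -> str:
    """Apply the collector's documented transformation: spaces become underscores."""
    return name.strip().replace(" ", "_")


def is_valid_header(name: str) -> bool:
    """True if the raw header name satisfies the page's header rule."""
    return RAW_HEADER_RE.fullmatch(name.strip()) is not None


def is_valid_date(value: str) -> bool:
    """True for YYYY-MM-DD[ HH:MM:SS] with a real calendar date, or epoch seconds."""
    value = value.strip()
    if EPOCH_RE.fullmatch(value):
        return True
    m = DATE_RE.fullmatch(value)
    if not m:
        return False
    fmt = "%Y-%m-%d %H:%M:%S" if m.group(2) else "%Y-%m-%d"
    try:
        datetime.strptime(value, fmt)  # rejects e.g. 2021-02-30
    except ValueError:
        return False
    return True


def validate_csv(text: str, date_columns):
    """Validate one CSV document.

    Returns (normalized_headers, problems). `date_columns` are the *normalized*
    names of the columns that must hold dates. An empty `problems` list means
    the file conforms to the guidelines as this validator understands them.
    """
    reader = csv.reader(io.StringIO(text))
    try:
        raw_headers = next(reader)
    except StopIteration:
        return [], ["file is empty"]

    problems = []
    headers = []
    for i, raw in enumerate(raw_headers, start=1):
        if not is_valid_header(raw):
            problems.append(
                f"header {i} {raw!r}: only letters/digits allowed, must start with a letter"
            )
        headers.append(normalize_header(raw))

    # Duplicate names after normalization would collide inside one dataset.
    seen = set()
    for h in headers:
        if h in seen:
            problems.append(f"duplicate header {h!r} after normalization")
        seen.add(h)

    index = {h: i for i, h in enumerate(headers)}
    for col in date_columns:
        if col not in index:
            problems.append(f"date column {col!r} not present in header")

    for line_no, row in enumerate(reader, start=2):
        if len(row) != len(headers):
            problems.append(f"line {line_no}: expected {len(headers)} fields, got {len(row)}")
            continue
        for col in date_columns:
            if col in index and not is_valid_date(row[index[col]]):
                problems.append(
                    f"line {line_no}: {col!r} value {row[index[col]]!r} "
                    "is not YYYY-MM-DD[ HH:MM:SS] or epoch seconds"
                )
    return headers, problems


# Constructed sample, not real log data: one bad header ("1st_action" starts
# with a digit and contains "_"), one impossible date (2021-02-30).
SAMPLE_CSV = """event time,src ip,user,1st_action
2021-03-04 11:53:15,10.0.0.5,alice,login
1614858795,10.0.0.7,bob,logout
2021-02-30,10.0.0.9,carol,login
"""

if __name__ == "__main__":
    hdrs, probs = validate_csv(SAMPLE_CSV, ["event_time"])
    print("normalized headers:", hdrs)
    for p in probs:
        print("PROBLEM:", p)
```

Run it against a file before dropping the file into the shared folder; anything it flags will either be rejected or mangled by the collector. The date check is only applied to the columns you name, since the page gives no way to tell a free-text column from a timestamp column automatically.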
After Cortex XDR begins receiving logs from the shared Windows directory, it automatically parses the logs and creates a dataset with the name you set as the target dataset when you configured the CSV Collector. Every 10 minutes the CSV Collector checks the Windows directory for changes to the configured CSV files and for new CSV files added to the configured folders, and replaces (rather than appends to) the data in the dataset with the data from those files. You can then use XQL Search queries to view the logs and create new Correlation Rules.
Configure Cortex XDR to receive CSV files as datasets from a shared Windows directory:
  1. Ensure that you share the applicable CSV files in your Windows directory.
  2. Activate the CSV Collector applet on a broker VM within your network.
  3. Use the XQL Search to locate and review logs.
