Ingest CSV Files as Datasets

Cortex® XDR™ can receive CSV log files from a shared Windows directory, where the CSV log files must conform to specific guidelines.
Ingesting logs and data requires a Cortex® XDR™ Pro per TB license.
Cortex XDR can receive CSV log files from a shared Windows directory directly to your log repository for query and visualization purposes. After you activate the CSV Collector applet on a broker VM in your network, which includes defining the list of folders mounted to the broker VM and setting the list of CSV files to monitor and upload to Cortex XDR (using a username and password), you can ingest CSV files as datasets.
The ingested CSV log files must conform to the following guidelines:
  • Header field names must contain only letters (a-z, A-Z) or numbers (0-9) and must start with a letter. Spaces are converted to underscores (_).
  • Date values can be in either of the following formats:
    • YYYY-MM-DD (optionally including HH:MM:SS)
    • Unix Epoch time. For example, 1614858795.
After Cortex XDR begins receiving logs from the shared Windows directory, Cortex XDR automatically parses the logs and creates a dataset with the specific name you set as the target dataset when you configured the CSV Collector. The CSV Collector checks for new CSV files in the Windows directory every 10 minutes and adds them to the dataset. You can then use XQL Search queries to view logs and create new IOC or BIOC rules.
Configure Cortex XDR to receive CSV files as datasets from a shared Windows directory.
  1. Ensure that you
    share
    the applicable CSV files in your Windows directory.
  2. Activate the CSV Collector applet on a broker VM within your network.
  3. Use the XQL Search to locate and review logs.

Recommended For You