Cortex® XDR™ can receive CSV log files from a shared Windows directory, where the CSV log files must conform to specific

Ingesting logs and data requires a Cortex® XDR™ Pro per TB license.
Cortex XDR can receive CSV log files from a shared Windows directory directly into your log repository for query and visualization purposes. After you activate the CSV Collector applet on a broker VM in your network, which includes defining the list of folders mounted to the broker VM and setting the list of CSV files to monitor and upload to Cortex XDR (using a username and password), you can ingest CSV files as datasets.
CSV log files must conform to the following guidelines:
- Field names must contain only letters (a-z, A-Z) or numbers (0-9) and must start with a letter. Spaces are converted to underscores.
- Date values can be in either of the following formats:
  - YYYY-MM-DD (optionally including HH:MM:SS)
  - Unix Epoch time. For example, 1614858795.
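A pre-ingestion check for the guidelines above, added here as an example (it is not Cortex XDR's or the CSV Collector's own code): it applies the space-to-underscore conversion to the header, checks each field name against the naming rule, and verifies that the date columns you name use either of the two accepted formats. It assumes that an underscore produced by the space conversion is accepted by the naming rule, and the sample CSV is constructed.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Field-name rule from the guidelines: letters or digits only, starting with a
# letter. Spaces become underscores before the check, so an underscore produced
# by that conversion is accepted here (assumption).
FIELD_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

def normalize_field(name: str) -> str:
    """Apply the space-to-underscore conversion the collector performs."""
    return name.strip().replace(" ", "_")

def parse_date(value: str):
    """Return a UTC datetime for YYYY-MM-DD[ HH:MM:SS] or Unix epoch, else None."""
    value = value.strip()
    if value.isdigit():  # Unix epoch, e.g. 1614858795
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def validate_csv(text: str, date_fields: set) -> dict:
    """Check a CSV body against the guidelines before it goes into the share.
    Returns the normalized header and a list of problems found."""
    reader = csv.reader(io.StringIO(text))
    raw_header = next(reader)
    header = [normalize_field(h) for h in raw_header]
    problems = []
    for raw, name in zip(raw_header, header):
        if not FIELD_NAME_RE.match(name):
            problems.append(f"field name {raw!r} (-> {name!r}) violates naming rule")
    for line_no, row in enumerate(reader, start=2):
        for name, cell in zip(header, row):
            if name in date_fields and parse_date(cell) is None:
                problems.append(f"line {line_no}: {name}={cell!r} is not a supported date")
    return {"header": header, "problems": problems}

# Constructed sample: compliant rows plus one bad field name and one bad date.
SAMPLE_CSV = (
    "Event Time,Source Host,1st Action,Severity\n"
    "2021-03-04 12:33:15,ws01,login,high\n"
    "1614858795,ws02,logout,low\n"
    "04/03/2021,ws03,login,high\n"
)
```

Running `validate_csv(SAMPLE_CSV, {"Event_Time"})` reports the `1st Action` header (starts with a digit after normalization) and the `04/03/2021` value on line 4; fixing both before the file lands in the monitored folder avoids a dataset with unexpected field names or unparsed timestamps.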
Once Cortex XDR begins receiving logs from the shared Windows directory, it automatically parses the logs and creates a dataset with the specific name you set as the target dataset when you configured the CSV Collector. The CSV Collector checks for new CSV files in the Windows directory every 10 minutes and adds them to the dataset. You can then use XQL Search queries to view logs and create new IOC or BIOC rules.
Configure Cortex XDR to receive CSV files as datasets from a shared Windows directory. Ensure that you have the applicable CSV files in your Windows directory.