Ingest NetFlow Flow Records as Datasets

Routers and switches that support NetFlow send flow records to Cortex® XDR™; those records must meet the format requirements described below.
Ingesting logs and data requires a Cortex® XDR™ Pro per TB license.
Cortex XDR can receive NetFlow flow records and IPFIX from a UDP port directly into your log repository for query and visualization purposes. After you activate the NetFlow Collector applet on a broker VM in your network, which includes configuring your NetFlow Collector settings, you can ingest NetFlow flow records and IPFIX as datasets.
The ingested NetFlow flow record format must include, at the very least:
  • Source and Destination IP addresses
  • TCP/UDP source and destination port numbers
After Cortex XDR begins receiving flow records from the UDP port, Cortex XDR automatically parses the flow records and creates a dataset with the specific name you set as the target dataset when you configured the NetFlow Collector. The NetFlow Collector adds the flow records to the dataset. You can then use XQL Search queries to view those flow records and create new IOC, BIOC, and Correlation Rules.
Configure Cortex XDR to receive NetFlow flow records as datasets from the routers and switches that support NetFlow.
  1. Set up your NetFlow exporter to forward flow records to the IP address of the broker that runs the NetFlow collector applet.
  2. Activate the NetFlow Collector applet on a broker VM within your network.
  3. Use XQL Search to query your flow records in the dataset you designated as the target.
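As an added illustration (not Palo Alto Networks code, and not how Cortex XDR parses records internally), the following Python decodes a NetFlow v5 datagram of the kind an exporter sends to the collector's UDP port and checks that every record carries the minimum fields listed above (source and destination IP, source and destination port). The sample datagram is constructed inline.

```python
import ipaddress
import struct

# NetFlow v5 wire layout (public format): 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
REQUIRED = ("src_ip", "dst_ip", "src_port", "dst_port")


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 UDP payload into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src_ip": str(ipaddress.IPv4Address(f[0])),
            "dst_ip": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10],
            "protocol": f[13],  # IP protocol number, e.g. 6 = TCP
        })
    return flows


def meets_minimum_fields(flow: dict) -> bool:
    """True when the flow has the fields the ingestion requires at minimum."""
    return all(k in flow and flow[k] is not None for k in REQUIRED)


def datagram_is_wellformed(datagram: bytes) -> bool:
    """Wrap the parser so a malformed payload yields False instead of an exception."""
    try:
        return all(meets_minimum_fields(f) for f in parse_netflow_v5(datagram))
    except ValueError:
        return False


def build_sample_datagram() -> bytes:
    # Constructed sample: a single TCP flow 10.0.0.5:51234 -> 192.0.2.10:443.
    header = V5_HEADER.pack(5, 1, 1000, 1700000000, 0, 1, 0, 0, 0)
    record = V5_RECORD.pack(
        ipaddress.IPv4Address("10.0.0.5").packed,
        ipaddress.IPv4Address("192.0.2.10").packed,
        b"\x00" * 4, 1, 2, 12, 2048, 900, 1000, 51234, 443,
        0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```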