Routers and switches that support NetFlow send flow records,
which must conform to specific guidelines, to Cortex® XDR™.
Ingesting logs and data requires a Cortex®
XDR™ Pro per TB license.
Cortex XDR can receive NetFlow flow records and IPFIX from a UDP port
directly to your log repository for query and visualization purposes.
After you activate the NetFlow Collector applet on a broker VM in your
network, which includes configuring your NetFlow Collector settings,
you can ingest NetFlow flow records and IPFIX as datasets.
The ingested NetFlow flow record format must include, at the very least:
- Source and destination IP addresses
- TCP/UDP source and destination port numbers
When Cortex XDR begins receiving flow records from the UDP port, it
automatically parses the flow records and creates a dataset with the
specific name you set as the target dataset when you configured the
NetFlow Collector. The NetFlow Collector adds the flow records to that
dataset. You can then use XQL Search queries to view the flow records
and create new IOC, BIOC, and Correlation Rules from them.
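The two requirements above (records must carry source/destination IP addresses and, for TCP/UDP, source/destination ports) are easy to check at the exporter side before flows reach the collector. The following is an added example, not Palo Alto Networks code and not part of this documentation: it parses a NetFlow v5 datagram using the public v5 export layout and reports records that lack the minimum fields. The field names in the returned dicts, the sample packet, and the heuristic that an all-zero address or a zero port on a TCP/UDP flow means "missing" are all my own assumptions, not Cortex XDR dataset schema.

```python
"""Parse NetFlow v5 export packets and check each flow record for the
minimum fields a collector needs (src/dst IP, src/dst port for TCP/UDP).
Added example; not Palo Alto Networks code."""
from __future__ import annotations

import ipaddress
import struct

# NetFlow v5 layouts (public v5 export format): 24-byte header,
# 48-byte records, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_TCP, PROTO_UDP = 6, 17


def parse_netflow_v5(packet: bytes) -> list[dict]:
    """Return one dict per flow record in a NetFlow v5 datagram."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < expected:
        # Reject truncated datagrams rather than emitting partial records.
        raise ValueError(f"header announces {count} records but packet is truncated")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _inp, _outp, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(packet, off)
        records.append({
            "src_ip": str(ipaddress.IPv4Address(src)),   # field names are my own
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport,
            "dst_port": dport,
            "protocol": proto,
            "packets": pkts,
            "bytes": octets,
            "tcp_flags": tcp_flags,
        })
    return records


def missing_required_fields(record: dict) -> list[str]:
    """List which minimum fields are absent (zeroed) in a record.
    Ports are only required for TCP/UDP; ICMP flows legitimately carry none.
    Treating 0.0.0.0 / port 0 as 'missing' is an assumed heuristic."""
    missing = []
    if record["src_ip"] == "0.0.0.0":
        missing.append("src_ip")
    if record["dst_ip"] == "0.0.0.0":
        missing.append("dst_ip")
    if record["protocol"] in (PROTO_TCP, PROTO_UDP):
        if record["src_port"] == 0:
            missing.append("src_port")
        if record["dst_port"] == 0:
            missing.append("dst_port")
    return missing


def build_sample_packet() -> bytes:
    """Constructed sample datagram with two records (not captured traffic)."""
    header = V5_HEADER.pack(5, 2, 1000, 1700000000, 0, 1, 0, 0, 0)

    def rec(src, dst, sport, dport, proto, flags=0):
        return V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\x00" * 4, 1, 2, 10, 1500, 0, 900, sport, dport,
            0, flags, proto, 0, 0, 0, 24, 24, 0)

    good = rec("10.0.0.5", "192.0.2.10", 51234, 443, PROTO_TCP, flags=0x18)
    bad = rec("10.0.0.6", "192.0.2.11", 0, 0, PROTO_UDP)  # exporter omitted ports
    return header + good + bad


def validate_packet(packet: bytes) -> list[tuple[int, list[str]]]:
    """Return (record index, missing fields) for records below the minimum."""
    return [(i, m) for i, r in enumerate(parse_netflow_v5(packet))
            if (m := missing_required_fields(r))]


if __name__ == "__main__":
    pkt = build_sample_packet()
    for r in parse_netflow_v5(pkt):
        print(r)
    print("records failing minimum fields:", validate_packet(pkt))
```

Running the block prints both records and flags the second one, whose UDP flow arrived with zeroed ports; the same check can be pointed at a packet capture taken on the broker VM's UDP port to confirm an exporter's template or configuration is emitting the fields Cortex XDR needs before the dataset is created.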
Configure Cortex XDR to receive NetFlow flow records as datasets from the
routers and switches that support NetFlow.
Set up your NetFlow exporter to forward flow records to the IP address
of the broker VM that runs the NetFlow Collector applet.