Set up an HTTP Log Collector to Receive Logs

You can set up Cortex® XDR™ to receive logs from third-party sources, and automatically parse and process these logs.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
In addition to logs from supported vendors (see External Data Ingestion Vendor Support), you can set up a custom HTTP log collector to receive logs in JSON or text format.
After Cortex XDR begins receiving logs from the third-party source, Cortex XDR automatically parses the logs and creates a dataset with the name <vendor>_<product>_raw. You can then use XQL Search queries to view logs and create new IOC or BIOC rules.
To set up an HTTP log collector to receive logs from an external source:
  1. Create an HTTP Log collector in Cortex XDR:
    1. Select Settings > Configurations > Custom Collections.
    2. In the HTTP configuration, click the here link.
    3. Enter a descriptive Name for your HTTP log collection configuration.
    4. Enter the Vendor and Product for the type of logs you are ingesting.
      The vendor and product are used to define the name of your XQL dataset (<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR examines the log header to identify the type and uses that to define the vendor and product in the dataset. For example, if the type is Acme and you opt to let Cortex XDR determine the values, the dataset name would be acme_acme_raw.
    5. Choose the data object Compression, either gzip or uncompressed.
    6. Choose the Log Format, either JSON or Text.
    7. Click Save & Generate Token.
      Click the copy icon next to the key and record it somewhere safe. You will need to provide this key when you configure your HTTP POST request. If you forget to record the key and close the window, you will need to generate a new key and repeat this process.
      Click Done when finished.
  2. Send data to your Cortex XDR HTTP log collector:
    1. Send an HTTP POST request to the URL for your HTTP Log Collector.
      For a sample curl or Python request, click View Example.
    2. Substitute the values specific to your configuration.
      • url—You can copy the URL for your HTTP log collector from the Custom Collectors page. For example: https://api-{tenant external URL}/logs/v1/event.
      • api_key—The API key you previously recorded for your HTTP log collector.
      • Content-Type—Depending on the data object format you selected during setup, this will be application/json for JSON format or text/plain for Text format.
      • Body—The body contains the records you want to send to Cortex XDR. Separate records with a \n (newline) delimiter. The request body can contain up to 10 MiB of records, although 1 MiB is recommended. In the case of a curl command, the records are contained in the -d '<records>' parameter.
  3. Monitor your HTTP Log Collection integration.
    You can return to the Settings > Configurations > Custom Collectors page to monitor the status of your HTTP Log Collection configuration. For each instance, Cortex XDR displays the number of logs received in the last hour, day, and week. You can also use the Data Ingestion Dashboard to view general statistics about your data ingestion configurations.
  4. After Cortex XDR begins receiving logs, use the XQL Search to search your logs.
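The following Python script is an added example of the sending step above (step 2); it is not the View Example code from the Cortex XDR console and not Palo Alto Networks' own sample. It builds the newline-delimited request body in either JSON or Text format, splits a record list into batches that stay near the recommended 1 MiB, refuses any body over the 10 MiB limit, and optionally gzip-compresses the body. Two details are assumptions, not taken from the guide: that the key is sent in an Authorization header, and that a gzip body is flagged with Content-Encoding: gzip. Confirm both against the View Example output in your own tenant. The records and the collector URL are constructed placeholders; the key is read from an environment variable so it never lands in the script.

```python
import gzip
import json
import os
import urllib.request

# Limits stated in the setup guide: 10 MiB hard maximum per request body,
# 1 MiB recommended.
MAX_BODY_BYTES = 10 * 1024 * 1024
RECOMMENDED_BODY_BYTES = 1 * 1024 * 1024

# Constructed sample records for demonstration; not real log data.
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T00:00:00Z", "src": "10.0.0.5", "action": "allow", "user": "alice"},
    {"ts": "2024-01-01T00:00:01Z", "src": "10.0.0.9", "action": "deny", "user": "bob"},
]


def build_body(records, log_format="json"):
    """Serialize records as a newline-delimited payload (bytes).

    JSON mode: each record is a dict, emitted as one compact JSON object per
    line. Text mode: each record is already a string and must not contain a
    newline, because the newline is the record delimiter.
    """
    if log_format == "json":
        # json.dumps escapes newlines inside string values, so the delimiter
        # can never be confused with record content.
        lines = [json.dumps(rec, separators=(",", ":")) for rec in records]
    elif log_format == "text":
        lines = []
        for rec in records:
            if "\n" in rec:
                raise ValueError("text record contains the record delimiter")
            lines.append(rec)
    else:
        raise ValueError("log_format must be 'json' or 'text'")
    return "\n".join(lines).encode("utf-8")


def chunk_records(records, log_format="json", limit=RECOMMENDED_BODY_BYTES):
    """Split records into batches whose serialized body stays within limit.

    A single record larger than the limit still gets its own batch; the
    10 MiB hard limit is enforced afterwards in build_request.
    """
    batches, current = [], []
    for rec in records:
        candidate = current + [rec]
        if current and len(build_body(candidate, log_format)) > limit:
            batches.append(current)
            current = [rec]
        else:
            current = candidate
    if current:
        batches.append(current)
    return batches


def build_request(url, api_key, records, log_format="json", compress=False):
    """Build the POST request for one batch.

    Assumed (not from the guide): the key travels in an Authorization header
    and a gzip body is flagged with Content-Encoding: gzip. Check the
    View Example output in your tenant for the exact header names.
    """
    body = build_body(records, log_format)
    headers = {
        "Authorization": api_key,
        "Content-Type": "application/json" if log_format == "json" else "text/plain",
    }
    if compress:
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("request body exceeds the 10 MiB limit; split the batch")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(request, timeout=30):
    """Send a prepared request and return (HTTP status, response text)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Placeholder URL; copy the real one from the Custom Collectors page.
    collector_url = "https://api-{tenant external URL}/logs/v1/event"
    key = os.environ.get("XDR_HTTP_API_KEY", "")  # keep the key out of the script
    for batch in chunk_records(SAMPLE_RECORDS):
        req = build_request(collector_url, key, batch, compress=True)
        print("prepared", len(batch), "records,", len(req.data), "bytes")
        # send(req)  # enable once collector_url and XDR_HTTP_API_KEY are set
```

If you select uncompressed on the collector, call build_request with compress=False; the Content-Type still follows the Log Format you chose (application/json or text/plain), and the body stays newline-delimited either way.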
