Visibility of Logs and Alerts from External Sources in Cortex XDR
Cortex
XDR
Cortex XDR provides visibility into your external logs.
The availability of logs and alerts varies by the data source.
Where you can view
information ingested from external sources depends on the data source.
The following table describes the visibility of each vendor and
device type. A
indicates
support where a dash (—) indicates the feature is not supported.
indicates
support where a dash (—) indicates the feature is not supported. Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility |
|---|---|---|---|---|
Network | ||||
|
Raw
data is searchable in XQL Search. |
Option
to ingest network flow logs as Cortex XDR network connection stories that are searchable
in the Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs.Analytics Alerts
are only raised on normalized logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules,
IOC, and BIOC) when relevant from flow logs. | — | |
|
Raw
data is searchable in XQL Search. |
Option
to ingest network flow logs as Cortex XDR network connection stories that are searchable
in the Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from flow logs.Analytics Alerts
are only raised on normalized logs. | — | |
|
Raw
data is searchable in XQL Search. Logs with sessionid = 0 are dropped. |
Network stories
that include Check Point network connection logs are searchable
in the Query Builder and in XQL Search. Logs with sessionid = 0 are dropped. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs. |
Alerts
from Check Point firewalls are raised throughout Cortex XDR when relevant. | |
|
Raw
data is searchable in XQL Search. |
Network stories
that include Corelight Zeek network connection logs are searchable
in the Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. |
Network stories
that include Cisco network connection logs are searchable in the
Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. |
Network stories
that include Fortinet network connection logs are searchable in the
Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs. |
Alerts
from Fortinet firewalls are raised throughout Cortex XDR when relevant. | |
|
Raw
data is searchable in XQL Search. |
Option
to ingest network flow logs as Cortex XDR network connection stories that are searchable
in the Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs.Analytics Alerts
are only raised on normalized logs. | — | |
|
Raw
data is searchable in XQL Search. | — | Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant
from logs.IOCs and BIOCs are only raised for these event
types: sso and session_start . | — | |
|
Raw
data is searchable in XQL Search. |
Cortex XDR uses Windows DHCP logs to enrich your
network logs with hostnames and MAC addresses that are searchable
in XQL Search. | — | — | |
|
Raw data is searchable in XQL Search. |
Network stories that include Zscaler Cloud Firewall network connection
and firewall logs are searchable in the Query Builder and in XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules)
when relevant from logs.Analytics, IOCs and BIOCs are
only raised on the Firewall data. | — | |
Authentication Services/Audit
Logs | ||||
|
Logs
and stories are searchable in XQL Search |
Option
to stitch audit logs with authentication stories that are searchable
in the Query Builder and XQL Search. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs. | — | |
|
Logs
and stories are searchable in XQL Search |
Option
to stitch audit logs with authentication stories that are searchable
in the Query Builder and XQL Search. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. |
Option
to stitch audit logs with authentication stories that are searchable
in the Query Builder and XQL Search. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
For
all logs, Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Logs
and stories (Azure AD authentication and audit logs only) are searchable
in XQL Search |
Azure
AD authentication logs normalized into authentication stories. Azure
AD audit logs normalized to cloud audit logs stories. Both are searchable
in the Query Builder. |
For
Azure AD authentication and audit logs only, Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation
Rules only) when relevant from logs. For all other logs, Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Logs
and stories are searchable in XQL Search |
Logs stitched
with authentication stories are searchable in the Query Builder. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs.IOCs and BIOCs
are only raised for these event types: sso and session_start . | — | |
|
Logs
and stories are searchable in XQL Search |
Logs stitched
with authentication stories are searchable in the Query Builder. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs. | — | |
|
Logs
and stories are searchable in XQL Search |
Logs stitched
with authentication stories are searchable in the Query Builder. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs. | — | |
Operation and System Logs
from Cloud Providers | ||||
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — | Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant
from logs. | — | |
|
Raw
data is searchable in XQL Search. |
Prisma Cloud
alerts are stitched with Cloud Provider logs when relevant. |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. |
Alerts
from Prisma Cloud are raised throughout Cortex XDR when relevant. | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. |
Alerts
from Prisma Cloud Compute are raised throughout Cortex XDR when relevant. | |
Endpoint Logs | ||||
|
Windows event
logs are available with agent EDR data and are searchable in XQL
Search. |
Windows event
logs are stitched with agent EDR data and are searchable in the Query
Builder. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs. | — | |
Cloud Assets | ||||
Custom External Sources | ||||
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation
Rules only) when relevant from logs. |
Cortex XDR to display
alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts). | |
|
Raw data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs. | — | |
|
Raw data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs. | — | |
|
Raw data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs. | — | |
|
Raw data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs. | — | |
|
Raw data is searchable in XQL Search. |
NetFlow events
are stitched with the Agent’s EDR data and other Network products to
a Session Story, and are searchable in the Query Builder and in
XQL. |
Cortex XDR can raise Cortex XDR alerts (IOC, BIOC, and Correlation Rules only) when relevant
from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. |
Cortex XDR to display
alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts). | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | Cortex XDR uses PAN IOT Security information to improve analytics detection
and assets management information. |
Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC,
and Correlation Rules) when relevant from logs.Analytics Alerts
are only raised on normalized logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only)
when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs. | — | |
|
Raw
data is searchable in XQL Search. | — |
Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs. | — | |
Any vendor sending alerts | — | — | — |
Cortex XDR when relevant. To enable Cortex XDR to display your alerts, you must map your alert fields
to the Cortex XDR field format
(see Ingest External Alerts). |
When ingesting
data from an external source,
Cortex
XDR
creates a dataset that you can query using XQL.
Datasets created in this way use the following naming convention.<vendor_name>_<product_name>_raw
For example: cisco_asa_raw
The datatypes used
for the fields in an imported dataset are automatically assigned
based on the input content. Fields can have a datatype of
string
, int
, float
, array
, time
,
or boolean
. All other fields are ingested
as a JSON object. 