Visibility of Logs and Alerts from External Sources in Cortex XDR

Cortex XDR provides visibility into your external logs. The availability of logs and alerts varies by the data source.
Where you can view information ingested from external sources depends on the data source. The following describes the visibility of each vendor and device type in four areas: Raw Data Visibility (the raw logs in XQL Search), Stitched Log Visibility (logs correlated into stories and searchable in the Query Builder), Cortex XDR Alert Visibility (alerts that Cortex XDR itself raises from the ingested logs), and Vendor Alert Visibility (alerts generated by the vendor's own product and surfaced in Cortex XDR). A check mark indicates support and a dash (—) indicates the feature is not supported; an area that a source does not support is listed below as not supported.

Network

Check Point
    Raw Data Visibility: Raw data is searchable in XQL Search. Logs with sessionid = 0 are dropped and are therefore not available in raw or stitched data.
    Stitched Log Visibility: Network stories that include Check Point network connection logs are searchable in the Query Builder and in XQL Search. Logs with sessionid = 0 are dropped.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) from these logs when relevant.
    Vendor Alert Visibility: Alerts from Check Point firewalls are raised throughout Cortex XDR when relevant.

Corelight Zeek
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Network stories that include Corelight Zeek network connection logs are searchable in the Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) from these logs when relevant.
    Vendor Alert Visibility: Not supported.

Cisco
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Network stories that include Cisco network connection logs are searchable in the Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) from these logs when relevant.
    Vendor Alert Visibility: Not supported.

Fortinet
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Network stories that include Fortinet network connection logs are searchable in the Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) from these logs when relevant.
    Vendor Alert Visibility: Alerts from Fortinet firewalls are raised throughout Cortex XDR when relevant.

Windows DHCP
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses, which are searchable in XQL Search.
    Cortex XDR Alert Visibility: Not supported.
    Vendor Alert Visibility: Not supported.

Zscaler Cloud Firewall
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Network stories that include Zscaler Cloud Firewall network connection and firewall logs are searchable in the Query Builder and in XQL Search.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, and BIOC) from these logs when relevant.
    Vendor Alert Visibility: Not supported.

Authentication Services

The same visibility applies to each of the supported authentication services:
    Raw Data Visibility: Logs and stories are searchable in XQL Search.
    Stitched Log Visibility: Logs stitched with authentication stories are searchable in the Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) from these logs when relevant.
    Vendor Alert Visibility: Not supported.

Operation and System Logs from Cloud Providers

The same visibility applies to each of the supported cloud providers:
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Not supported.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) from these logs when relevant.
    Vendor Alert Visibility: Not supported.

Endpoint Logs

Windows event logs
    Raw Data Visibility: Windows event logs are available with agent EDR data and are searchable in XQL Search.
    Stitched Log Visibility: Windows event logs are stitched with agent EDR data and are searchable in the Query Builder.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) from these logs when relevant.
    Vendor Alert Visibility: Not supported.

Custom External Sources

The same visibility applies to each of the custom source types, except where noted:
    Raw Data Visibility: Raw data is searchable in XQL Search.
    Stitched Log Visibility: Not supported.
    Cortex XDR Alert Visibility: Cortex XDR can raise Cortex XDR alerts (IOC and BIOC only) from these logs when relevant.
    Vendor Alert Visibility: Supported for some custom source types only. To enable Cortex XDR to display alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).

Any vendor sending alerts
    Raw Data, Stitched Log, and Cortex XDR Alert Visibility: Not applicable.
    Vendor Alert Visibility: Alerts are surfaced throughout Cortex XDR when relevant. To enable Cortex XDR to display your alerts, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).
When ingesting data from an external source, Cortex XDR creates a dataset that you can query using XQL. Datasets created in this way use the following naming convention:

<vendor_name>_<product_name>_raw

For example: cisco_asa_raw

The datatypes used for the fields in an imported dataset are automatically assigned based on the input content. A field can have a datatype of string, int, float, array, time, or boolean. Fields whose content does not match one of these types are ingested as a JSON object.
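The following Python is an added example, not Cortex XDR code or anything from this page: it emulates how the field datatypes of an imported raw dataset could be derived from content so you can predict what a query will see. The page only says that types are assigned automatically from the input content and that fields which are not string, int, float, array, time, or boolean become a JSON object; the concrete detection rules, the ISO 8601 check for time, the treatment of null, and the rule that a field with conflicting types across records falls back to string are all assumptions made for illustration. The sample events are constructed and use illustrative field names, not the vendor's schema.

```python
"""Emulate datatype assignment for fields of an imported raw dataset.

Added example, not Cortex XDR code. The detection rules below (including the
ISO 8601 test for "time", skipping null, and demoting a field whose type
differs between records to string) are assumptions for illustration.
"""
from __future__ import annotations

import json
import re
from datetime import datetime
from typing import Any

# Assumed rule: only a full ISO 8601 date-time (optional fraction and zone) is "time".
_ISO_TIME = re.compile(
    r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$"
)

# Constructed sample records shaped like JSON-formatted firewall events
# (illustrative field names; dst_port is deliberately a number in one event
# and a quoted string in the next).
SAMPLE_EVENTS = [
    '{"timestamp": "2024-05-01T12:00:00Z", "src_ip": "10.0.0.5", "dst_port": 443, '
    '"bytes": 1532.0, "allowed": true, "tags": ["web"], "nat": {"src": "203.0.113.9"}}',
    '{"timestamp": "2024-05-01T12:00:01Z", "src_ip": "10.0.0.6", "dst_port": "443", '
    '"bytes": 87.5, "allowed": false, "tags": [], "nat": {"src": "203.0.113.10"}}',
]


def dataset_name(vendor: str, product: str) -> str:
    """Raw dataset name following the <vendor_name>_<product_name>_raw convention."""
    return f"{vendor}_{product}_raw"


def infer_type(value: Any) -> str:
    """Map one field value to a dataset datatype (assumed detection rules)."""
    if isinstance(value, bool):       # test bool first: bool is a subclass of int
        return "boolean"
    if isinstance(value, int):
        return "int"
    if isinstance(value, float):
        return "float"
    if isinstance(value, list):
        return "array"
    if isinstance(value, str):
        if _ISO_TIME.match(value):
            try:
                datetime.fromisoformat(value.replace("Z", "+00:00"))
                return "time"
            except ValueError:
                pass                  # right shape, but not a valid timestamp
        return "string"
    return "json_object"              # nested objects and anything else


def infer_schema(raw_lines: list[str]) -> dict[str, str]:
    """Datatype per field across all records.

    Assumed rule: a field whose type differs between records (dst_port above)
    is demoted to string, which is what later breaks numeric comparisons
    such as dst_port > 1024 in a query.
    """
    schema: dict[str, str] = {}
    for line in raw_lines:
        for field, value in json.loads(line).items():
            if value is None:
                continue              # null carries no type evidence
            observed = infer_type(value)
            current = schema.get(field)
            if current is None or current == observed:
                schema[field] = observed
            else:
                schema[field] = "string"
    return schema


if __name__ == "__main__":
    print(dataset_name("cisco", "asa"))
    for field, dtype in infer_schema(SAMPLE_EVENTS).items():
        print(f"{field}: {dtype}")
```

The practical point is the dst_port field: because types are derived from content, a source that emits a numeric value in one event and a quoted string in another does not give you a clean int field, so normalise such fields at the collector before they reach the dataset rather than in every query.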
