Ingest External Alerts

For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest alerts from any external source.
For a more complete and detailed picture of the activity involved in an incident,
Cortex
XDR
can ingest alerts from any external source.
Cortex
XDR
stitches the external alerts together with relevant endpoint data and displays alerts from external sources in relevant incidents and alerts tables. You can also see external alerts and related artifacts and assets in Causality views.
To ingest alerts from an external source, you configure your alert source to forward alerts (in
Auto-Detect
(default),
CEF
,
LEEF
,
CISCO
,
CORELIGHT
, or
RAW
format) to the syslog collector. You can also ingest alerts from external sources using the Cortex XDR API.
After
Cortex
XDR
begins receiving external alerts, you must map the following required fields to the
Cortex
XDR
format.
  • TIMESTAMP
  • SEVERITY
  • ALERT NAME
In addition, these optional fields are available, if you want to map them to the
Cortex
XDR
format.
  • SOURCE IP
  • SOURCE PORT
  • DESTINATION IP
  • DESTINATION PORT
  • DESCRIPTION
  • DIRECTION
  • EXTERNAL ID
  • CATEGORY
  • ACTION
  • PROCESS COMMAND LINE
  • PROCESS SHA256
  • DOMAIN
  • PROCESS FILE PATH
  • HOSTNAME
  • USERNAME
If you send pre-parsed alerts using the
XDR
API, additional mapping is not required.
Storage of external alerts is determined by your
Cortex
XDR
tenant retention policy. For more information, see Dataset Management.
To ingest external alerts.
  1. Send alerts from an external source to
    Cortex
    XDR
    .
    There are two ways to send alerts:
    • Cortex XDR API—Use the insert_cef_alerts API to send the raw syslog alerts or use the insert_parsed_alerts API to convert the syslog alerts to the
      Cortex
      XDR
      format before sending them to
      Cortex
      XDR
      . If you use the API to send logs, you do not need to perform the additional mapping step in
      Cortex
      XDR
      .
    • Activate Syslog collector—Activate the syslog collector and then configure the alert source to forward alerts to the syslog collector. Then configure an alert mapping rule as follows.
  2. In
    Cortex
    XDR
    , select
    Settings ( )
    Configurations
    External Alerts Mapping
    .
  3. Right-click the
    Vendor Product
    for your alerts and select
    Filter and Map
    .
  4. Use the filters at the top of the table to narrow the results to only the alerts you want to map.
    Cortex
    XDR
    displays a limited sample of results during the mapping rule creation. As you define your filters,
    Cortex
    XDR
    applies the filter to the limited sample but does not apply the filters across all alerts. As a result, you might not see any results from the alert sample during the rule creation.
  5. Click
    Next
    to begin a new mapping rule.
    On the left, configure the following.
    1. Rule Information
      -Define the
      NAME
      and optional
      DESCRIPTION
      to identify your mapping rule.
    2. Alerts Field
      -Map each required and any optional
      Cortex
      XDR
      field to a field in your alert source.
      If needed, use the field converter ( ) to translate the source field to the
      Cortex
      XDR
      syntax.
      For example, if you use a different severity system, you need to use the converter to map your severities fields to the
      Cortex
      XDR
      risks of Critical, High, Medium, and Low.
      You can also use regex to convert the fields to extract the data to facilitate matching with the
      Cortex
      XDR
      format. For example, say you need to map the port but your source field contains both IP address and port (
      192.168.1.200:8080
      ). To extract everything after the
      :
      , use the following regex:
      ^[^:]*_
      For additional context when you are investigating an incident, you can also map additional optional fields to fields in your alert source.
  6. Submit
    your alert filter and mapping rule when finished.

Recommended For You