Ingest External Alerts

For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest alerts from any external source.

For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest alerts from any external source. Cortex XDR stitches the external alerts together with relevant endpoint data and displays alerts from external sources in relevant incidents and alerts tables. You can also see external alerts and related artifacts and assets in Causality views.

To ingest alerts from an external source, you configure your alert source to forward alerts (in

Auto-Detect

(default),

CEF

LEEF

CISCO

CORELIGHT

, or

RAW

format) to the syslog collector. You can also ingest alerts from external sources using the Cortex XDR API.

After Cortex XDR begins receiving external alerts, you must map the following required fields to the Cortex XDR format.

TIMESTAMP

SEVERITY

ALERT NAME

In addition, these optional fields are available, if you want to map them to the Cortex XDR format.

SOURCE IP

SOURCE PORT

DESTINATION IP

DESTINATION PORT

DESCRIPTION

DIRECTION

EXTERNAL ID

CATEGORY

ACTION

PROCESS COMMAND LINE

PROCESS SHA256

DOMAIN

PROCESS FILE PATH

HOSTNAME

USERNAME

If you send pre-parsed alerts using the XDR API, additional mapping is not required.

Storage of external alerts is determined by your Cortex XDR tenant retention policy. For more information, see Dataset Management.

To ingest external alerts.

Send alerts from an external source to Cortex XDR.

There are two ways to send alerts:

Cortex XDR API—Use the insert_cef_alerts API to send the raw syslog alerts or use the insert_parsed_alerts API to convert the syslog alerts to the Cortex XDR format before sending them to Cortex XDR. If you use the API to send logs, you do not need to perform the additional mapping step in Cortex XDR.

Activate Syslog collector—Activate the syslog collector and then configure the alert source to forward alerts to the syslog collector. Then configure an alert mapping rule as follows.

In Cortex XDR, select

Settings (

)

Configurations

External Alerts Mapping

Right-click the

Vendor Product

for your alerts and select

Filter and Map

Use the filters at the top of the table to narrow the results to only the alerts you want to map.

Cortex XDR displays a limited sample of results during the mapping rule creation. As you define your filters, Cortex XDR applies the filter to the limited sample but does not apply the filters across all alerts. As a result, you might not see any results from the alert sample during the rule creation.

Click

to begin a new mapping rule.

On the left, configure the following.

Rule Information

-Define the

NAME

and optional

DESCRIPTION

to identify your mapping rule.

Alerts Field

-Map each required and any optional Cortex XDR field to a field in your alert source.

If needed, use the field converter (

) to translate the source field to the Cortex XDR syntax.

For example, if you use a different severity system, you need to use the converter to map your severities fields to the Cortex XDR risks of Critical, High, Medium, and Low.

You can also use regex to convert the fields to extract the data to facilitate matching with the Cortex XDR format. For example, say you need to map the port but your source field contains both IP address and port (

192.168.1.200:8080

). To extract everything after the

, use the following regex:

^[^:]*_

For additional context when you are investigating an incident, you can also map additional optional fields to fields in your alert source.

Submit

your alert filter and mapping rule when finished.

Document:Cortex® XDR Pro Administrator’s Guide

Ingest External Alerts

Ingest External Alerts

Recommended For You

Document:Cortex® XDR Pro Administrator’s Guide

Ingest External Alerts

Ingest External Alerts

Recommended For You

Recommended Videos