Extend Cortex XDR visibility into logs from Corelight
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use Corelight Zeek sensors for network monitoring, you can still take advantage of Cortex XDR investigation and detection capabilities by forwarding your network connection logs to Cortex XDR. This enables Cortex XDR to examine your network traffic to detect anomalous behavior. Cortex XDR can use Corelight Zeek logs as the sole data source, but can also use these logs in conjunction with Palo Alto Networks or third-party firewall logs. For additional endpoint context, you can also use the Cortex XDR agent to collect and alert on endpoint activity.
As soon as Cortex XDR starts to receive logs, the app can begin stitching network connection logs with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search your network connection logs.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a Syslog Collector. You then configure forwarding on your Corelight Zeek sensors (using the default Syslog export option of RFC5424 over TCP) to send logs to the Syslog Collector.
Activate the Syslog Collector applet on the broker VM and define the port over which you want the Syslog Collector to receive logs. You must also set TCP as the transport and Corelight as the vendor.
Forward logs to the Syslog Collector. Cortex XDR can receive logs from Corelight Zeek sensors that use the Syslog export option of RFC5424 over TCP.
In the syslog configuration of your Corelight Zeek sensors, specify the details for your Syslog Collector, including the hostname or IP address of the broker VM and the corresponding listening port that you defined during activation of the Syslog Collector, the default Syslog format (RFC5424), and any log exclusions or filters.
Save your syslog configuration to apply it to your Corelight Zeek sensors.
For full setup instructions, see the Corelight Zeek documentation.
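To confirm that what arrives on the Syslog Collector port is actually RFC5424 version 1 over TCP (for example when checking a capture taken on the broker VM after enabling forwarding), the following added Python example builds a sample frame around a constructed Zeek conn.log record, parses it back, and rejects legacy BSD-format lines. It is not Corelight's or Palo Alto Networks' code: the hostname, app name, MSGID, facility and the JSON-in-MSG body layout are assumptions, and the sample record values are made up.

```python
import json
import re
import socket
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed Zeek conn.log record: field names follow Zeek's conn log, values are made up.
SAMPLE_CONN = {
    "ts": 1700000000.123456, "uid": "CExample1", "id.orig_h": "10.0.0.5", "id.orig_p": 51515,
    "id.resp_h": "192.0.2.10", "id.resp_p": 443, "proto": "tcp", "service": "ssl",
    "conn_state": "SF", "orig_bytes": 1234, "resp_bytes": 5678,
}

def build_rfc5424(record, host="sensor01", app="corelight", msgid="conn", facility=16, severity=6):
    """Wrap one Zeek record (as JSON) in an RFC 5424 frame, newline-delimited for TCP.
    Hostname, app name, MSGID and facility 16 (local0) are assumed values, not Corelight defaults."""
    pri = facility * 8 + severity
    ts = datetime.fromtimestamp(record["ts"], tz=timezone.utc)
    ts = ts.isoformat(timespec="microseconds").replace("+00:00", "Z")
    body = json.dumps(record, separators=(",", ":"))
    return f"<{pri}>1 {ts} {host} {app} - {msgid} - {body}\n"

def parse_rfc5424(line):
    """Parse one line; raise ValueError if it is not RFC 5424 version 1 (e.g. legacy BSD format)."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if m is None or m["version"] != "1":
        raise ValueError("not an RFC 5424 version-1 message: %r" % line[:40])
    out = m.groupdict()
    out["facility"], out["severity"] = divmod(int(out["pri"]), 8)
    out["record"] = json.loads(out["msg"])  # the Zeek log carried in MSG
    return out

def send_test_message(host, port, line, timeout=5.0):
    """Deliver one framed line to the Syslog Collector over TCP, the transport the page requires."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line.encode("utf-8"))

if __name__ == "__main__":
    line = build_rfc5424(SAMPLE_CONN)
    parsed = parse_rfc5424(line)
    print(line, end="")
    print(parsed["host"], parsed["facility"], parsed["severity"], parsed["record"]["id.resp_h"])
```

Point `send_test_message` at the broker VM address and listening port you defined during Syslog Collector activation to verify the TCP path before enabling forwarding on the sensors.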