Extend Cortex XDR visibility into logs from Corelight
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use Corelight Zeek sensors for network monitoring, you can still
take advantage of Cortex XDR investigation and detection capabilities
by forwarding your network connection logs to Cortex XDR. This enables
Cortex XDR to examine your network traffic to detect anomalous behavior.
Cortex XDR can use Corelight Zeek logs as the sole data source,
but it can also use these logs in conjunction with Palo Alto Networks or
third-party firewall logs. For additional endpoint context, you
can also use Cortex XDR to collect and alert on endpoint data.
As soon as Cortex XDR starts to receive logs, the app can begin stitching
network connection logs with other logs to form network stories.
Cortex XDR can also analyze your logs to raise Analytics alerts
and can apply IOC and BIOC rule matching. You can also use queries
to search your network connection logs.
To integrate your Corelight Zeek logs, you first need to set up an applet
in a broker VM within your network to act as a Syslog Collector. You then
configure forwarding on your Corelight Zeek sensors (using the default
Syslog export option of RFC5424 over TCP) to send logs to the Syslog Collector.
When you activate the Syslog Collector, specify the port
over which you want the Syslog Collector to receive logs.
You must also set TCP as the transport protocol and
Corelight as the vendor.
Forward logs to the Syslog Collector.
Cortex XDR can receive logs from Corelight Zeek sensors
that use the Syslog export option of RFC5424 over TCP.
In the syslog configuration of your Corelight Zeek sensors,
enter the details for your Syslog Collector, including the hostname
or IP address of the broker VM and the corresponding listening port
that you defined during activation of the Syslog Collector, the default
Syslog format (RFC5424), and any log exclusions or filters.
Save your syslog configuration to apply the configuration
to your Corelight Zeek sensors.
For full setup instructions, see the Corelight Zeek documentation.
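Before pointing the sensors at the broker VM, it is worth confirming that what the sensors emit is actually RFC5424 (not legacy BSD syslog) and carries the connection-log fields that Cortex XDR needs to stitch network stories. The following check is an added example and not code from the Cortex XDR or Corelight documentation; the sample lines, the APP-NAME "corelight", the MSGID "conn" and the JSON field set are constructed assumptions about how the sensor formats a Zeek conn record.

```python
import json
import re
from typing import List, Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# Zeek conn.log fields needed to correlate a connection with other logs (assumed set)
CONN_REQUIRED = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def parse_rfc5424(line: str) -> Optional[dict]:
    """Split one syslog line into RFC 5424 header fields; None if it is not RFC 5424."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m or m.group("version") != "1":
        return None
    fields = m.groupdict()
    # PRI encodes facility * 8 + severity
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields


def check_conn_log(line: str) -> List[str]:
    """Return the problems found in one forwarded line; an empty list means it is acceptable."""
    hdr = parse_rfc5424(line)
    if hdr is None:
        return ["not a valid RFC 5424 message"]
    if hdr["msg"] is None:
        return ["empty MSG part"]
    try:
        record = json.loads(hdr["msg"])
    except json.JSONDecodeError:
        return ["MSG is not JSON"]
    return [f"missing field {f}" for f in CONN_REQUIRED if f not in record]


# Constructed sample lines: one well-formed record, one legacy BSD-style line, one incomplete record
GOOD = ('<134>1 2024-05-01T12:00:00.000Z sensor01 corelight - conn - '
        '{"ts":1714564800.0,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
        '"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp"}')
LEGACY = '<134>May  1 12:00:00 sensor01 corelight: {"ts":1714564800.0,"uid":"CAbc123"}'
INCOMPLETE = ('<134>1 2024-05-01T12:00:00.000Z sensor01 corelight - conn - '
              '{"ts":1714564800.0,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
              '"id.resp_h":"10.0.0.9","id.resp_p":443}')
```

Run the check against a short capture of the sensor's output on the listening port; any non-empty result points at a format or field problem to fix before the broker VM starts forwarding to Cortex XDR.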