Ingest Data from External Sources

To augment your network data, you can set up Cortex XDR to ingest data from a variety of external third-party sources.
To give you a more complete and detailed picture of the activity involved in an incident, you can ingest data from a variety of external, third-party sources into Cortex XDR. Depending on the source, Cortex XDR receives either logs only or both logs and alerts. Cortex XDR can stitch the ingested logs together with the other logs it holds and can raise the alerts a source provides in the relevant incidents.
To ingest data, you must set up the syslog collector applet on a broker VM within your network. The applet can receive logs and alerts from your external sources.
[Figure: on-prem-broker.png]
Cortex XDR supports log and alert ingestion from the following external sources:
| Vendor and Device Type | Operating System Version | Format Requirements | Visibility |
| --- | --- | --- | --- |
| Firewalls | | | |
| | R77.30, R80.10, R80.20, R80.30, R80.40 | CEF format using Log Exporter | Network connection logs are available in the Query Builder. Logs with sessionid=0 are dropped. Alerts from Check Point firewalls are also raised in Cortex XDR incidents when relevant. |
| | 6.2.1 and above | timestamp must be in nanoseconds | Network connection logs are available in the Query Builder. Alerts from Check Point firewalls are also raised in Cortex XDR incidents when relevant. |
| | | Syslog in Cisco-ASA format; must include timestamps; only supports messages 302013, 302014, 302015, 302016 | Network connection logs are available in the Query Builder. |
| Authentication Services | | | |
| | | Cloud API; secret needed | Authentication logs are available in the Query Builder. |
| | | Cloud API; token needed | Authentication logs are available in the Query Builder. |
| | | Cloud API; Account ID and Subscription ID needed | Authentication logs are available in the Query Builder. |
| Endpoint Logs | | | |
| | | WEC | Windows event logs are available in the Query Builder. |
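As an added example that is not part of the Cortex XDR documentation, the following Python script applies the firewall format rules from the table above to constructed syslog lines, the kind of pre-flight check worth running on a log sample before pointing a device at the broker VM: it drops Check Point CEF logs with sessionid=0, rejects Cisco ASA messages that lack a leading timestamp or fall outside 302013 to 302016, and rejects key=value logs whose timestamp field is not an epoch value in nanoseconds. The sample lines are constructed, and reading "timestamp must be in nanoseconds" as a 19-digit epoch value is an assumption.

```python
import re
# Constructed sample lines (not captured from real devices), one per rule in the table.
SAMPLE_LINES = [
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Log|Log|0|sessionid=0 src=10.1.1.5 dst=10.1.1.9",
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.40|Log|Log|0|sessionid=4711 src=10.1.1.5 dst=10.1.1.9",
    "Jan 10 12:00:01 asa01 %ASA-6-302013: Built inbound TCP connection 77 for outside:10.1.1.5/4455 to inside:10.1.1.9/443",
    "%ASA-6-302014: Teardown TCP connection 77 for outside:10.1.1.5/4455 to inside:10.1.1.9/443 duration 0:00:05",
    "Jan 10 12:00:02 asa01 %ASA-4-106023: Deny tcp src outside:10.1.1.5/4456 dst inside:10.1.1.9/22",
    "date=2024-01-10 time=12:00:03 devname=fw1 timestamp=1704888003000000000 srcip=10.1.1.5 dstip=10.1.1.9 action=accept",
    "date=2024-01-10 time=12:00:04 devname=fw1 timestamp=1704888004 srcip=10.1.1.5 dstip=10.1.1.9 action=accept",
]

# The only Cisco ASA message IDs the table lists as supported.
ASA_SUPPORTED_IDS = {"302013", "302014", "302015", "302016"}
# Leading syslog timestamp ("Jan 10 12:00:01") or ISO 8601, with an optional <PRI> prefix.
SYSLOG_TS = re.compile(r"^(?:<\d+>)?(?:[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
ASA_ID = re.compile(r"%ASA-\d-(\d{6}):")


def check_line(line: str):
    """Return (accepted, reason) for one line under the table's format rules."""
    if "CEF:" in line:
        # Check Point via Log Exporter: logs with sessionid=0 are dropped.
        m = re.search(r"\bsessionid=(\d+)", line)
        if m and m.group(1) == "0":
            return False, "CEF: sessionid=0 is dropped"
        return True, "CEF accepted"
    if "%ASA-" in line:
        if not SYSLOG_TS.match(line):
            return False, "ASA: missing timestamp"
        m = ASA_ID.search(line)
        if not m or m.group(1) not in ASA_SUPPORTED_IDS:
            return False, "ASA: unsupported message id"
        return True, "ASA accepted"
    m = re.search(r"(?:^|\s)timestamp=(\S+)", line)
    if m:
        # Assumption: nanosecond epoch values are 19 digits (seconds: 10, millis: 13).
        ts = m.group(1)
        if ts.isdigit() and len(ts) == 19:
            return True, "key=value accepted"
        return False, "key=value: timestamp not in nanoseconds"
    return False, "unrecognized format"


def triage(lines):
    """Count the lines the collector would keep versus reject."""
    counts = {"accepted": 0, "rejected": 0}
    for line in lines:
        ok, _ = check_line(line)
        counts["accepted" if ok else "rejected"] += 1
    return counts
```

Run `triage(SAMPLE_LINES)` to see how many of a device's lines would survive ingestion; the per-line reasons from `check_line` tell you which device-side setting to fix.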
Alerts from Additional External Sources
To ingest alerts from external sources, you can use the Cortex XDR ingestion API or set up a syslog collector applet on a broker VM inside your network.
To enable Cortex XDR to display your alerts, you must also map your alert fields to the Cortex XDR field format.