Ingest External Alerts

For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest alerts from any external source. Cortex XDR stitches the external alerts together with relevant endpoint data and displays alerts from external sources in relevant incidents and alerts tables. You can also see external alerts and related artifacts and assets in Causality views.
To ingest alerts from an external source, you configure your alert source to forward alerts (in CEF format) to the syslog collector. You can also ingest alerts from external sources using the Cortex XDR API.
After Cortex XDR begins receiving external alerts, you must map the following required fields to the Cortex XDR format:
  • Timestamp
  • Severity
  • Source IP address
  • Source port
  • Destination IP address
  • Destination port
If you send pre-parsed alerts using the Cortex XDR API, additional mapping is not required.
Storage of external alerts is determined by your Cortex Data Lake data retention policy.
To ingest external alerts:
  1. Send alerts from an external source to Cortex XDR.
    There are two ways to send alerts:
    • Cortex XDR API—Use the insert_cef_alerts API to send the raw CEF syslog alerts, or use the insert_parsed_alerts API to send alerts that you have already converted to the Cortex XDR format. If you use the API to send alerts, you do not need to perform the additional mapping step in Cortex XDR.
    • Activate Syslog collector—Activate the syslog collector and then configure the alert source to forward alerts in CEF format to the syslog collector. Then create an alert mapping rule as described in the following steps.
  2. In Cortex XDR, select Settings > External Alerts.
  3. Right-click the Vendor Product for your alerts and select Filter and Map.
  4. Use the filters at the top of the table to narrow the results to only the alerts you want to map.
    Cortex XDR displays a limited sample of results during the mapping rule creation. As you define your filters, Cortex XDR applies the filter to the limited sample but does not apply the filters across all alerts. As a result, you might not see any results from the alert sample during the rule creation.
  5. Click Next to begin a new mapping rule.
    1. On the left, define a Name and optional Description to identify your mapping rule.
    2. Map each required Cortex XDR field to a field in your alert source.
      If needed, use the field converter to translate the source field to the Cortex XDR syntax.
      For example, if your alert source uses a different severity system, use the converter to map your severity values to the Cortex XDR severity levels of High, Medium, and Low.
      You can also use a regex in the converter to extract only the part of a source field that matches the Cortex XDR format. For example, say you need to map the port but your source field contains both the IP address and the port (192.168.1.200:8080). To extract everything after the last colon, use a regex that matches only the trailing port, such as:
      [^:]+$
      Because it anchors on the last colon, the same regex also extracts the port from a bracketed IPv6 address and port such as [2001:db8::1]:8443.
      For additional context when you are investigating an incident, you can also map additional optional fields to fields in your alert source.
  6. Submit your alert filter and mapping rule when finished.
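The following is an added example, not Cortex XDR code, of what the mapping rule above does to a syslog CEF alert: it splits the CEF header and extension, converts the vendor severity onto High, Medium and Low, extracts the port from an IP:port source field with the "everything after the last colon" regex, and rejects alerts that lack any of the six required fields. The sample alert, the vendor name, the severity bands (0 to 3 Low, 4 to 6 Medium, 7 to 10 High) and the output key names are assumptions for this example; they are not the insert_parsed_alerts schema.

```python
"""Added example (not Cortex XDR code): parse a CEF syslog alert and map it
onto the six fields Cortex XDR requires, with a severity converter and a
regex port extractor. Sample data and output key names are constructed."""
import re
from datetime import datetime, timezone

# An unescaped pipe separates the 7 CEF header fields; the rest is the extension.
_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs; a value runs until the next " key=" or the end of the line.
_EXT = re.compile(r"(?P<key>[^\s=]+)=(?P<val>.*?)(?=\s+[^\s=]+=|$)")
# Everything after the last colon: "8080" from "192.168.1.200:8080",
# "8443" from "[2001:db8::1]:8443".
_PORT_AFTER_COLON = re.compile(r"[^:]+$")

REQUIRED = ("timestamp", "severity", "source_ip", "source_port",
            "destination_ip", "destination_port")

# Constructed sample alert with an optional syslog prefix before "CEF:".
SAMPLE = ("<134>Jan 10 12:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|"
          "Port scan|7|src=192.168.1.200:8080 dst=10.0.0.5 dpt=443 "
          "msg=Port scan detected rt=1704888000000")


def parse_cef(line: str) -> dict:
    """Return the CEF header fields plus extension keys as one flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = dict(zip(("version", "vendor", "product", "device_version",
                       "signature_id", "name", "severity"), parts[:7]))
    header["version"] = header["version"].removeprefix("CEF:")
    ext = {m["key"]: m["val"] for m in _EXT.finditer(parts[7])}
    return header | ext


def convert_severity(raw: str) -> str:
    """Severity converter: collapse the CEF 0-10 scale (or its text labels)
    onto the three Cortex XDR levels. The bands are this example's choice."""
    labels = {"low": "Low", "medium": "Medium", "high": "High", "very-high": "High"}
    if raw.lower() in labels:
        return labels[raw.lower()]
    n = int(raw)
    if not 0 <= n <= 10:
        raise ValueError(f"CEF severity out of range: {raw}")
    return "Low" if n <= 3 else "Medium" if n <= 6 else "High"


def split_host_port(value: str) -> tuple[str, str]:
    """Split 'ip:port' (IPv4 or bracketed IPv6) into (ip, port) using the
    'everything after the last colon' regex from the mapping step."""
    m = _PORT_AFTER_COLON.search(value)
    if not m or m.start() == 0 or not m.group(0).isdigit():
        raise ValueError(f"no port in {value!r}")
    return value[: m.start() - 1].strip("[]"), m.group(0)


def _endpoint(cef: dict, addr_key: str, port_key: str) -> tuple:
    """Use a combined ip:port field when present, else separate address/port keys."""
    addr = cef.get(addr_key)
    if addr and ":" in addr:
        return split_host_port(addr)
    return addr, cef.get(port_key)


def to_iso(rt: str) -> str:
    """CEF 'rt' is usually epoch milliseconds; also accept ISO 8601 text."""
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
    return datetime.fromisoformat(rt).astimezone(timezone.utc).isoformat()


def map_alert(cef: dict) -> dict:
    """Map parsed CEF fields onto the required fields; reject incomplete alerts."""
    src_ip, src_port = _endpoint(cef, "src", "spt")
    dst_ip, dst_port = _endpoint(cef, "dst", "dpt")
    mapped = {
        "timestamp": to_iso(cef["rt"]) if "rt" in cef else None,
        "severity": convert_severity(cef["severity"]),
        "source_ip": src_ip, "source_port": src_port,
        "destination_ip": dst_ip, "destination_port": dst_port,
        # optional context fields, as the page suggests mapping for investigations
        "vendor": cef["vendor"], "product": cef["product"], "name": cef["name"],
    }
    missing = [k for k in REQUIRED if not mapped.get(k)]
    if missing:
        raise ValueError(f"alert lacks required fields: {missing}")
    return mapped


if __name__ == "__main__":
    print(map_alert(parse_cef(SAMPLE)))
```

An alert that is missing a required field, for example one with no destination port, raises instead of producing a partial record; in the console the equivalent is an alert that your filter or mapping never matches, which is why step 4 warns that the sample preview may show no results.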
