Configure Notification Forwarding

Navigate to

Settings
Notifications
.
+ Add Forwarding Configuration
.
Define the configuration
Name
and
Description
.
Select the
Log Type
you want to forward, one of the following:
Alerts
—Send notifications for specific alert types (for example, XDR Agent
or BIOC
).
Agent Audit Logs
—Send notifications for audit logs reported by your Cortex XDR agents.
Management Audit Logs
—Send notifications for audit logs about events related to your Cortex XDR management console.
In the
Configuration Scope
,
Filter
the type of information you want included in a notification.
For example, set a filter
Severity = Medium, Alert Source = XDR Agent
. Cortex XDR sends the alerts or events matching this filter as a notification.
Define your
Email Configuration
.
In
Email Distribution
, add the email addresses to which you want to send email notifications.
Define the
Email Grouping Time Frame
, in minutes, to specify how often Cortex XDR sends notifications. Every 30 alerts
or 30 events
aggregated within this time frame are sent together in one notification, sorted according to the severity. To send a notification when one alert
or event
is generated, set the time frame to
0
.
Choose whether you want Cortex XDR to provide an auto-generated subject.
If you previously used the Log Forwarding app and want to continue forwarding logs in the same format, you can
Use Legacy Log Format
. See Cortex XDR Log Notification Formats.
Configure additional forwarding options:
Depending on the notification integrations supported by the Log Type, configure the desired notification settings.
Slack notification—Select a
Slack
channel.
Before you can select a Slack channel, you must integrate Cortex XDR with Slack.
Syslog receiver—Select a
Syslog
receiver.
Before you can select a Syslog server, you must Integrate a Syslog Receiver in Cortex XDR app.
(
Optional
) To later modify a saved forwarding configuration, right-click the configuration, and
Edit
,
Disable
, or
Delete
it.