Log Forwarding Filters for Cortex XDR Alerts
The Cortex XDR - Analytics and Cortex XDR - Investigation and Response apps can both send logs to Cortex Data Lake. You can then use the Log Forwarding app to send the logs stored in Cortex Data Lake to a Syslog or email destination. If you want to forward a subset of Cortex XDR alert logs (instead of all logs), you can use log forwarding filters to specify which logs you want to send.
Cortex XDR - Analytics Alerts
When you enable forwarding for Cortex XDR - Analytics alerts, the Log Forwarding app sends all alert logs to the Syslog or email destination you specify (learn more about log fields and formats). Log forwarding filters are not available for Cortex XDR - Analytics alerts.
Cortex XDR - Investigation and Response Alerts
The Log Forwarding app provides both predefined and custom log forwarding filters for Cortex XDR - Investigation and Response alerts. Predefined log filters are built into the Log Forwarding app, so you can start forwarding Cortex XDR - Investigation and Response alerts based on severity, alert source (a BIOC or IOC rule), and alert category without writing a filter expression.
- Severity—The alert severity levels you can filter on are informational, low, medium, high, and unknown.
- Alert Source—This is the type of Cortex XDR - Investigation and Response alert. BIOCs identify specific network, process, file, or registry activity that indicates a threat; IOCs are known artifacts—SHA256 hashes, IP addresses, domains, file names—that are considered malicious or suspicious.
- Alert Category—The alert categories listed are different for BIOC and IOC alerts, and allow you to further narrow the types of logs you want to forward based on the detected threat artifact or behavior. BIOC alert categories include exfiltration, credential access, and tampering; IOC alert categories include hash, file name, IP address, and domain name.
Additionally, you can build custom log filters to forward logs based on any Cortex XDR - Investigation and Response alert log fields. For more details on custom filters, including supported operators, see Custom Log Filters. Here are some examples of custom filters for Cortex XDR - Investigation and Response alerts.
High severity BIOC and IOC alerts
(severity eq SEV_040_HIGH)
BIOC alerts for unusual credential usage
(alert_category eq CREDENTIAL_ACCESS)
Alerts of all severities except for informational alerts (because the filter is a negation, alerts with unknown severity are also forwarded)
(severity neq SEV_010_INFO)
High severity IOC alerts for suspicious file names or SHA-256 hashes
(severity eq SEV_040_HIGH) and ((alert_category eq FILENAME) or (alert_category eq HASH))
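The expressions above are only as good as your confidence in what they match, so it helps to evaluate them against sample alerts before pointing them at a Syslog or email destination. The following is an added example, not code from the Log Forwarding app or from Palo Alto Networks: a small offline evaluator that assumes the grammar visible on this page (a `field eq VALUE` or `field neq VALUE` comparison, `and`, `or`, parentheses, with `and` binding tighter than `or`). The sample alerts are constructed; the field name `alert_id` and the severity value `SEV_020_LOW` are assumptions, the latter following the naming pattern of the values shown on the page. The evaluator goes slightly beyond the page's examples by handling unparenthesized expressions and rejecting malformed ones.

```python
"""Offline evaluator for Log Forwarding style custom filter expressions.

Added example, not the Log Forwarding app's own code. Assumed grammar:
  expr := and_expr ('or' and_expr)*
  and_expr := atom ('and' atom)*
  atom := '(' expr ')' | FIELD ('eq'|'neq') VALUE
"""
import re
from typing import Callable, Dict, List, Optional

Alert = Dict[str, str]
Predicate = Callable[[Alert], bool]

# Tokens are parentheses or runs of non-space, non-parenthesis characters.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def parse_filter(text: str) -> Predicate:
    """Compile a filter expression into a predicate over one alert record."""
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def peek() -> str:
        return tokens[pos] if pos < len(tokens) else ""

    def take(expected: Optional[str] = None) -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter expression")
        tok = tokens[pos]
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r} at token {pos}, got {tok!r}")
        pos += 1
        return tok

    def parse_or() -> Predicate:
        left = parse_and()
        while peek().lower() == "or":
            take()
            right = parse_and()
            # Bind the current operands in a factory so later loop iterations
            # do not rebind them.
            left = (lambda l, r: lambda a: l(a) or r(a))(left, right)
        return left

    def parse_and() -> Predicate:
        left = parse_atom()
        while peek().lower() == "and":
            take()
            right = parse_atom()
            left = (lambda l, r: lambda a: l(a) and r(a))(left, right)
        return left

    def parse_atom() -> Predicate:
        if peek() == "(":
            take("(")
            inner = parse_or()
            take(")")
            return inner
        field, op, value = take(), take().lower(), take()
        if op == "eq":
            return lambda a: a.get(field) == value
        if op == "neq":
            # An alert that lacks the field also satisfies neq.
            return lambda a: a.get(field) != value
        raise ValueError(f"unsupported operator {op!r}")

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return pred


def select_forwarded(filter_text: str, alerts: List[Alert]) -> List[str]:
    """Return the alert_ids that the filter would forward, in input order."""
    pred = parse_filter(filter_text)
    return [a["alert_id"] for a in alerts if pred(a)]


# Constructed sample alerts, not real Cortex XDR output. SEV_040_HIGH and
# SEV_010_INFO appear on the page; SEV_020_LOW and alert_id are assumptions.
SAMPLE_ALERTS: List[Alert] = [
    {"alert_id": "a1", "severity": "SEV_040_HIGH", "alert_source": "BIOC", "alert_category": "CREDENTIAL_ACCESS"},
    {"alert_id": "a2", "severity": "SEV_010_INFO", "alert_source": "IOC", "alert_category": "HASH"},
    {"alert_id": "a3", "severity": "SEV_040_HIGH", "alert_source": "IOC", "alert_category": "FILENAME"},
    {"alert_id": "a4", "severity": "SEV_020_LOW", "alert_source": "BIOC", "alert_category": "EXFILTRATION"},
]

# The four custom filters shown on this page.
PAGE_FILTERS = {
    "high": "(severity eq SEV_040_HIGH)",
    "credential_access": "(alert_category eq CREDENTIAL_ACCESS)",
    "not_informational": "(severity neq SEV_010_INFO)",
    "high_filename_or_hash": "(severity eq SEV_040_HIGH) and ((alert_category eq FILENAME) or (alert_category eq HASH))",
}

if __name__ == "__main__":
    for name, expr in PAGE_FILTERS.items():
        print(f"{name:22s} -> {select_forwarded(expr, SAMPLE_ALERTS)}")
```

Run it and compare the forwarded alert_ids against what you intended each filter to capture; the `high_filename_or_hash` filter, for example, keeps `a3` but drops `a2` because the severity clause must also hold. Treat the grammar as an approximation of the real app's parser: confirm operator support and precedence against the Custom Log Filters documentation before relying on an unparenthesized expression.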