Log Forwarding Filters for Cortex XDR Alerts
The Cortex XDR app can send logs to Cortex Data Lake. You can then use the Log Forwarding app to send the logs stored in Cortex Data Lake to a Syslog or email destination. If you want to forward a subset of Cortex XDR alert logs (instead of all logs), you can use log forwarding filters to specify which logs you want to send.
Cortex XDR - Analytics Alerts
When you enable forwarding for Cortex XDR - Analytics alerts, the Log Forwarding app sends all Cortex XDR Analytics alert logs to the Syslog or email destination you specify (learn more about log fields and formats). Log forwarding filters are not available for Cortex XDR - Analytics alerts.
Cortex XDR Alerts
The Log Forwarding app provides both predefined and custom log forwarding filters for (non-Analytics) Cortex XDR alerts. Predefined log filters are built into the Log Forwarding app, so you can quickly start forwarding Cortex XDR alerts based on severity, alert source (a BIOC or IOC rule), and alert category.
- Severity—The alert severity levels you can filter on are informational, low, medium, high, and unknown.
- Alert Source—This is the type of Cortex XDR - Investigation and Response alert. BIOCs identify specific network, process, file, or registry activity that indicates a threat; IOCs are known artifacts—SHA256 hashes, IP addresses, domains, file names—that are considered malicious or suspicious.
- Alert Category—The alert categories listed are different for BIOC and IOC alerts, and allow you to further narrow the types of logs you want to forward based on the detected threat artifact or behavior. BIOC alert categories include exfiltration, credential access, and tampering; IOC alert categories include hash, file name, IP address, and domain name.
High severity BIOC and IOC alerts: (severity eq SEV_040_HIGH)
BIOC alerts for unusual credential usage: (alert_category eq CREDENTIAL_ACCESS)
Alerts of all severities except for informational alerts: (severity neq SEV_010_INFO)
High severity IOC alerts for suspicious file names or SHA-256 hashes: (severity eq SEV_040_HIGH) and ((alert_category eq FILENAME) or (alert_category eq HASH))
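To check which alerts a filter would actually forward before enabling it, the following parser and matcher is added here as an example; it is not part of the Log Forwarding app or its documentation. The sample alert records are constructed, and combining `and`/`or` left to right when no parentheses are given is an assumption of this evaluator (the page's own examples parenthesize every sub-expression).

```python
import re

# Constructed sample alerts; only the fields the page's filters use are
# modelled (severity, alert_category). These are not real XDR records.
SAMPLE_ALERTS = [
    {"id": 1, "severity": "SEV_040_HIGH", "alert_category": "HASH"},
    {"id": 2, "severity": "SEV_010_INFO", "alert_category": "FILENAME"},
    {"id": 3, "severity": "SEV_030_MEDIUM", "alert_category": "CREDENTIAL_ACCESS"},
    {"id": 4, "severity": "SEV_040_HIGH", "alert_category": "EXFILTRATION"},
]

def _parse_expr(tokens, pos):
    # expr := term (('and' | 'or') term)*, combined left to right.
    # Left-to-right combination is an assumption; parenthesize to be explicit.
    node, pos = _parse_term(tokens, pos)
    while pos < len(tokens) and tokens[pos] in ("and", "or"):
        op = tokens[pos]
        right, pos = _parse_term(tokens, pos + 1)
        node = (op, node, right)
    return node, pos

def _parse_term(tokens, pos):
    # term := '(' expr ')' | field ('eq' | 'neq') value
    if tokens[pos] == "(":
        node, pos = _parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing closing parenthesis")
        return node, pos + 1
    field, op, value = tokens[pos:pos + 3]
    if op not in ("eq", "neq"):
        raise ValueError(f"unknown operator {op!r}")
    return (op, field, value), pos + 3

def parse_filter(expr):
    # Tokenize into parentheses and bare words, then parse the whole string.
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    node, pos = _parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens: %r" % tokens[pos:])
    return node

def matches(node, alert):
    # Evaluate a parsed (op, left, right) tree against one alert dict.
    op, left, right = node
    if op == "and":
        return matches(left, alert) and matches(right, alert)
    if op == "or":
        return matches(left, alert) or matches(right, alert)
    return (alert.get(left) == right) if op == "eq" else (alert.get(left) != right)

def forwarded_ids(expr, alerts=SAMPLE_ALERTS):
    # Ids of the alerts the filter would forward, in input order.
    tree = parse_filter(expr)
    return [a["id"] for a in alerts if matches(tree, a)]
```

Running the page's four filters through `forwarded_ids` shows, for instance, that the last filter drops the high-severity exfiltration alert because its category is neither FILENAME nor HASH.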