Manage Logging Storage for Traps
The Cortex Data Lake provides granular control over quota allocation for each type of log it receives. After you activate Traps management service, you must define how the service allocates log storage for Traps. If your Cortex Data Lake instance receives logs from other apps or services, you will need to consider how to allocate storage across all services and apps.
- Sign in to the Cortex Hub at https://apps.paloaltonetworks.com/.
- Select your Cortex Data Lake instance. If you have multiple Cortex Data Lake instances, hover over the Cortex Data Lake tile and then select the instance from the list of available instances associated with your account.
- Select Configuration to define logging storage settings for Traps. The Cortex Data Lake displays the total storage allocated for the apps and services associated with the Cortex Data Lake instance. It displays this information graphically and adjusts the graphic based on the storage policy you define below. The storage policy specifies how your total storage is distributed across each app or service, and the minimum retention warning (not supported with Traps management service).
- Adjust the quota allocated for each type of Traps log. You cannot exceed 100% log storage allocation.
- Select the total size you want to allocate to Traps logs. If your total allocated quota is already at 100% for non-Traps apps and services, reduce the quota for available log types to free up storage for the Traps management service. Use the arrows to increment or decrement existing allocations, or enter a new quota percentage.
- Expand the Traps allocation and adjust the storage allocated for each type of Traps log. The following table describes the different record types for Traps. While the distribution of Traps logs depends on your storage needs, the recommended allocations below are a good starting point. Review the status of your Cortex Data Lake instance after about two weeks of data collection and make adjustments as needed.
| Record Type | Description | Recommended Allocation |
| --- | --- | --- |
| Threat | Includes information regarding all security events logged by Traps, such as malware and exploit preventions, post-detection events, and restriction notifications. | 2% |
| Config | Audit logs recorded by Traps management service. This includes policy events, such as changes to the Traps security policy, exception management, and profile management. Audit logs also include other configuration changes such as device management, distribution management, and system management. | 1% |
| System | Ongoing monitoring of Traps management service system and agent events. Examples include changes or updates to license management, agent registration, user authentication, agent monitoring, agent upgrade, and agent protection status. System logs are often required for day-to-day operations, as well as support and troubleshooting activities. | 14% |
| Analytic | Logs from the hourly hash execution report from every Traps agent. Provides visibility for tracking attempted malware executions in your protected environment, hash exception policy changes, and forensics. File analytics reports consume a considerable share of Traps storage space. | 83% |
| Endpoint Data (optional) | If you enable Traps to monitor and collect endpoint events for use by apps on the Cortex platform, you must allocate at least 1 TB of storage for endpoint data and adjust the quota allocation of the other record types accordingly. | Threat 0.1%, Config 0.1%, System 0.8%, Analytics 4%, Endpoint Data 95% |

To see the record type for a specific Traps log, see Log Types and Severity Levels.
- Select the total size you want to allocate to Traps logs.
- Apply your changes.
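As an added example (not Palo Alto Networks code), the following Python applies the constraints from this procedure, the 100% ceiling across apps, the per-type split, and the 1 TB Endpoint Data floor, to a proposed allocation before you enter it in the Cortex Hub. The 10 TB instance size and the quota percentages in the scenario are constructed.

```python
# Constructed scenario values; recommended splits come from the table above,
# in percent of the Traps allocation.
DEFAULT_SPLIT = {"Threat": 2.0, "Config": 1.0, "System": 14.0, "Analytic": 83.0}
ENDPOINT_SPLIT = {"Threat": 0.1, "Config": 0.1, "System": 0.8,
                  "Analytic": 4.0, "Endpoint Data": 95.0}
ENDPOINT_DATA_MIN_TB = 1.0  # floor required when endpoint data collection is on


def check_traps_quota(instance_tb, other_apps_pct, traps_pct, split):
    """Return (per_type_tb, problems).

    per_type_tb maps each Traps record type to the storage (TB) it would get;
    problems lists each constraint from the procedure that the proposed
    allocation violates (an empty list means it is safe to apply).
    """
    problems = []
    if other_apps_pct + traps_pct > 100.0:
        problems.append("total allocation exceeds 100% of the instance; "
                        "reduce quotas for non-Traps apps or services first")
    if abs(sum(split.values()) - 100.0) > 1e-9:
        problems.append("Traps record-type split does not total 100%")
    traps_tb = instance_tb * traps_pct / 100.0
    per_type = {name: traps_tb * pct / 100.0 for name, pct in split.items()}
    endpoint_tb = per_type.get("Endpoint Data")
    if endpoint_tb is not None and endpoint_tb < ENDPOINT_DATA_MIN_TB:
        problems.append(f"Endpoint Data would get {endpoint_tb:.3f} TB; "
                        f"at least {ENDPOINT_DATA_MIN_TB} TB is required")
    return per_type, problems


def min_traps_pct_for_endpoint_data(instance_tb, split=ENDPOINT_SPLIT):
    """Smallest Traps share (%) of the instance that still leaves the
    Endpoint Data record type its 1 TB minimum under the given split."""
    traps_tb_needed = ENDPOINT_DATA_MIN_TB * 100.0 / split["Endpoint Data"]
    return traps_tb_needed / instance_tb * 100.0


if __name__ == "__main__":
    # Constructed scenario: 10 TB instance, 40% already used by other apps.
    sizes, issues = check_traps_quota(10.0, 40.0, 60.0, ENDPOINT_SPLIT)
    for name, tb in sizes.items():
        print(f"{name:14s} {tb:7.3f} TB")
    print("problems:", issues or "none")
    print("minimum Traps share for 1 TB of endpoint data: "
          f"{min_traps_pct_for_endpoint_data(10.0):.1f}%")
```

Run the check again after the two-week review the procedure suggests, with the observed per-type volumes, to see whether the split still fits the instance.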