Ingest logs from Corelight Zeek

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Extend Cortex Cloud visibility into logs from Corelight Zeek.

Notice

Requires the Data Collection add-on.

If you use Corelight Zeek sensors for network monitoring, you can still take advantage of Cortex Cloud investigation and detection capabilities by forwarding your network connection logs to Cortex Cloud. This enables Cortex Cloud to examine your network traffic to detect anomalous behavior. Cortex Cloud can use Corelight Zeek logs as the sole data source, but can also use logs in conjunction with Palo Alto Networks or third-party firewall logs. For additional endpoint context, you can also use Cortex Cloud to collect and alert on endpoint data.

As soon as Cortex Cloud starts to receive logs, the app can begin stitching network connection logs with other logs to form network stories. Cortex Cloud can also analyze your logs to generate Analytics issues, and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search your network connection logs.

To integrate your logs, you first need to set up an applet in a Broker VM within your network to act as a Syslog Collector. You then configure forwarding on your Corelight Zeek sensors (using the default Syslog export option of RFC5424 over TCP) to send logs to the Syslog Collector.

  1. Activate the Syslog Collector.

    During activation, you define the Listening Port over which you want the Syslog Collector to receive logs. You must also set TCP as the transport Protocol and Corelight as the Syslog Format.

  2. Increase log storage for Corelight Zeek logs.

    For proper sizing calculations, measure the log sizes and log rates produced by your Corelight Zeek sensors, then adjust your Cortex Cloud log storage accordingly. For more information, see Manage Your Log Storage within Cortex Cloud.

  3. Forward logs to the Syslog Collector.

    Cortex Cloud can receive logs from Corelight Zeek sensors that use the Syslog export option of RFC5424 over TCP.

    1. In the Corelight Zeek Syslog configuration (SensorExport), enter the details of your Syslog Collector: the hostname or IP address of the Broker VM, the listening port that you defined when activating the Syslog Collector, the default Syslog format (RFC5424), and any log exclusions or filters.

    2. Save your Syslog configuration to apply the configuration to your Corelight Zeek Sensors.

    For full setup instructions, see the Corelight Zeek documentation.
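The following is an added example, not code from Palo Alto Networks or Corelight, that shows what the collector side of this procedure has to handle: RFC5424 messages arriving over TCP (step 1 requires TCP and RFC5424), the Zeek conn fields a network story is built from (step 3), and a simple storage estimate from measured message size and rate (step 2). It assumes, for illustration only, that the sensor places each Zeek record as a JSON object in the MSG part of the RFC5424 message and frames TCP messages with RFC 6587 octet counting; the sensor name, log identifiers and sample records are constructed. Check your own SensorExport output for the actual framing and message layout.

```python
"""Parse RFC5424 syslog frames carrying Zeek conn logs and estimate storage.

Added example, not Cortex Cloud or Corelight code. Assumes (for illustration)
that each Zeek log record is a JSON object in the MSG part of an RFC5424
message and that TCP frames use RFC 6587 octet counting ("LEN SP MSG").
"""
import json
import re
from dataclasses import dataclass

# RFC5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class ConnRecord:
    sensor: str   # HOSTNAME field, i.e. the exporting sensor
    log: str      # Zeek log name carried in MSGID (assumed convention), e.g. "conn"
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str


def parse_rfc5424(message: str) -> dict:
    """Split one RFC5424 message into header fields plus MSG; reject other formats."""
    m = HEADER_RE.match(message)
    if not m:
        # A BSD-style (RFC3164) line lands here: the collector is configured for
        # RFC5424, so a sensor left on the wrong export format is visible immediately.
        raise ValueError("not an RFC5424 message")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields


def frame_for_tcp(message: str) -> bytes:
    """Apply RFC 6587 octet-counting framing as a TCP sender would."""
    data = message.encode()
    return f"{len(data)} ".encode() + data


def split_octet_counted(stream: bytes) -> list[bytes]:
    """Recover individual messages from an octet-counted TCP byte stream."""
    frames, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])
        start = sp + 1
        frames.append(stream[start:start + length])
        pos = start + length
    return frames


def to_conn_record(message: str) -> ConnRecord:
    """Extract the connection tuple Cortex Cloud stitches into network stories."""
    hdr = parse_rfc5424(message)
    body = json.loads(hdr["msg"])
    return ConnRecord(
        sensor=hdr["host"],
        log=hdr["msgid"],
        uid=body["uid"],
        orig_h=body["id.orig_h"],
        resp_h=body["id.resp_h"],
        resp_p=int(body["id.resp_p"]),
        proto=body["proto"],
    )


def records_from_stream(stream: bytes) -> list[ConnRecord]:
    return [to_conn_record(f.decode()) for f in split_octet_counted(stream)]


def estimate_storage_gb_per_day(avg_msg_bytes: int, msgs_per_second: float) -> float:
    """Rough daily ingest volume from a measured average size and rate (uncompressed)."""
    return avg_msg_bytes * msgs_per_second * 86400 / 1e9


# Constructed sample: two Zeek conn records as a sensor might export them.
SAMPLE_MESSAGES = [
    '<134>1 2024-12-24T10:15:30.123Z sensor01 corelight - conn - '
    '{"ts":1735035330.123,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"10.0.0.20","id.resp_p":445,"proto":"tcp"}',
    '<134>1 2024-12-24T10:15:31.000Z sensor01 corelight - conn - '
    '{"ts":1735035331.0,"uid":"CZx9Y3eB2ctxQ3kJf","id.orig_h":"10.0.0.7",'
    '"id.orig_p":40001,"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp"}',
]
SAMPLE_STREAM = b"".join(frame_for_tcp(m) for m in SAMPLE_MESSAGES)

if __name__ == "__main__":
    for rec in records_from_stream(SAMPLE_STREAM):
        print(rec)
    avg = sum(len(m.encode()) for m in SAMPLE_MESSAGES) // len(SAMPLE_MESSAGES)
    print(f"avg {avg} bytes/msg -> {estimate_storage_gb_per_day(avg, 1000):.2f} GB/day at 1000 msg/s")
```

The parser deliberately refuses anything that is not RFC5424, which is the quickest way to notice a sensor whose export was left on a BSD-style format; the storage estimate is only as good as the size and rate you measure on your own sensors, so treat it as a starting point for the adjustment in step 2, not a substitute for measurement.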