External data ingestion vendor support - To augment your Cortex XDR data, you can set up Cortex XDR to ingest data from a variety of external third-party sources. - Administrator Guide - Cortex XDR - Cortex

External data ingestion vendor support - To augment your Cortex XDR data, you can set up Cortex XDR to ingest data from a variety of external third-party sources. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-11-10

Note

New Cortex XDR licenses that are purchased from October 1st, 2025 and onwards will no longer support the data collectors marked with an asterisk (*). For comprehensive data collector support, consider upgrading to an XSIAM license.

To provide you with a more complete and detailed picture of the activity involved in an incident, you can ingest data from a variety of external, third-party sources into Cortex XDR.

Cortex XDR can receive logs, or both logs and alerts, from the source. Depending on the data source, Cortex XDR can provide visibility into your external data in the form of:

Log stitching with other logs in order to create network or authentication stories.
Raw data in queries from XQL Search.
Alerts reported by the vendor throughout Cortex XDR, such as in the alerts table, incidents, and views.
Alerts raised by Cortex XDR on log data, such as analytics alerts.

To ingest data, you must set up the Syslog Collector applet on a Broker VM within your network.

The following table summarizes the vendor data that can be ingested, according to log or data type.

Log/Data Type	Vendor Support
Network Connections	Amazon S3 (flow logs) Amazon S3 (Route 53 logs) Azure Event Hub Azure Network Watcher (flow logs) Check Point FW1/VPN1 Cisco ASA and Cisco AnyConnect VPN Corelight Zeek Fortinet Fortigate Google Cloud Platform (flow logs, DNS logs) Okta Prisma Access Browser Windows DHCP via Elasticsearch Filebeat Zscaler Internet Access (ZIA) Zscaler Private Access (ZPA)
Authentication Services/Audit Logs	Amazon S3 (audit logs) Azure Event Hub (audit logs, AKS logs) Google Cloud Platform (audit logs, GKE logs) Google Workspace Microsoft 365 (email) Microsoft Office 365 Okta OneLogin PingFederate* PingOne for Enterprise
Operation and System Logs from Cloud Providers	Amazon S3 (generic logs) Amazon CloudWatch (generic logs, EKS logs) Azure Event Hub Google Cloud Platform Google Kubernetes Engine Okta Prisma Cloud (alerts) Prisma Cloud Compute (alerts)
Endpoint Logs	Windows Event Collector
Cloud Assets	AWS Google Cloud Platform Microsoft Azure
Custom External Sources	Any Vendor Sending CEF, LEEF, CISCO, CORELIGHT, or RAW formatted Syslog* Any vendor CSV files on a shared Windows directory* Any vendor logs stored in a database* Any vendor logs stored in files on a network share* Any vendor logs from a third party source over FTP, FTPS, or SFTP* Any vendor sending NetFlow flow records* Any vendor sending logs over HTTP* Apache Kafka* BeyondTrust Privilege Management Cloud* Box Dropbox Elasticsearch Filebeat Forcepoint DLP* IoT Security Strata Logging Service Workday Any vendor sending alerts*