Learn how to forward logs and data from Cortex XDR to external third-party services such as email, Slack, syslog, and Splunk.
You can forward logs, cases, and issues from Cortex XDR to an external service. By forwarding logs and data, you can manage alerts and investigations in external systems and meet data retention requirements. Available services include the following:
Slack channel and/or syslog receiver: Configure the external application with Cortex XDR. After the application is configured, configure notification forwarding, specifying the data/log type you want to forward.
Email distribution list: Configure notification forwarding, specifying the data/log type you want to forward.
Splunk, Amazon SQS, Amazon S3, and Webhook: Only cases and issues can be forwarded to these services. The external application must be configured in Cortex XDR and egress configured in the Cortex Gateway before forwarding to these services.
The following table shows the log types supported for each notification type:
| Data/log type | Email | Slack | Syslog | Splunk, Amazon SQS, Amazon S3, Webhook |
|---|---|---|---|---|
| Issues | ✓ | ✓ | ✓ | ✓ |
| Cases | ✓ | ✓ | — | ✓ |
| Agent Audit Logs (requires Cortex XDR Pro per Endpoint) | ✓ | — | ✓ | — |
| Management Audit Logs | ✓ | — | ✓ | — |