Activate NetFlow Collector - Administrator Guide - Cortex XDR - Cortex - Security Operations


Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn more about activating a Broker VM with a NetFlow Collector applet.

Notice

Ingesting records from external sources requires a Cortex XDR Pro per GB license.

To receive NetFlow flow records from an external source, you must first set up the NetFlow Collector applet on a Broker VM within your network. NetFlow versions 5, 9, and IPFIX are supported.

To increase the log ingestion rate, you can add additional CPUs to the Broker VM. The NetFlow Collector listens for flow records on specific UDP ports, either from any source or only from specific IP addresses.

After the NetFlow Collector is activated, the NetFlow Exporter sends flow records to the NetFlow Collector, which receives, stores, and pre-processes that data for later analysis.
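The collector behaviour described above, as an added example in Python that is not part of Cortex XDR or this guide: it models the Source Network setting (any, a single IP, or a CIDR), checks the version field that distinguishes NetFlow v5 (5), v9 (9) and IPFIX (10), and decodes a constructed NetFlow v5 datagram so you can see what an exporter actually sends to the configured UDP port. Function names, the sample addresses and the flow tuples are assumptions made for the example.

```python
import ipaddress
import struct

# Version in the first two bytes of every export datagram; the applet accepts these three.
SUPPORTED_VERSIONS = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def source_allowed(exporter_ip, source_network):
    """Model the applet's Source Network setting: 'any', a single IP, or a CIDR block."""
    if source_network == "any":
        return True
    return ipaddress.ip_address(exporter_ip) in ipaddress.ip_network(source_network, strict=False)

def parse_v5(packet):
    """Decode a NetFlow v5 export datagram into (header dict, list of flow dicts)."""
    version, count, _uptime, secs, _nsecs, seq, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"version": version, "count": count, "sequence": seq, "exported_at": secs}, flows

def accept(packet, exporter_ip, source_network):
    """Collector gate: allowed source, then supported version, then decode; None means dropped."""
    if not source_allowed(exporter_ip, source_network):
        return None
    version = struct.unpack_from("!H", packet, 0)[0]
    if version not in SUPPORTED_VERSIONS:
        return None
    if version == 5:
        return parse_v5(packet)[1]
    return []  # v9/IPFIX are template-based; decoding them is beyond this example

def build_v5_packet(flows, sequence=0):
    """Constructed exporter output (not captured traffic); flows are (src, dst, pkts, bytes, sport, dport, proto)."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, sequence, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                                   b"\0\0\0\0", 1, 2, pk, by, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
                    for s, d, pk, by, sp, dp, proto in flows)
    return header + body

# Constructed sample: two flows reported by an exporter inside the 10.0.0.0/8 Source Network.
SAMPLE_FLOWS = [("10.1.2.3", "192.0.2.10", 12, 3400, 51515, 443, 6),
                ("10.1.2.4", "198.51.100.7", 1, 78, 53124, 53, 17)]
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS, sequence=1)
```

Capturing one datagram from your exporter and feeding it to accept() with the Source Network you configured is a quick way to confirm both the version and the source filter before looking for a green dot in the APPS column.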

  1. Select Settings → Configurations → Data Broker → Broker VMs.

  2. Do one of the following:

    • On the Brokers tab, find the Broker VM, and in the APPS column, left-click Add → NetFlow Collector.

    • On the Clusters tab, find the Broker VM, and in the APPS column, left-click Add → NetFlow Collector.

  3. Click +Add New.

  4. Configure your NetFlow Collector.

  5. (Optional) Make additional changes to the NetFlow Collector data sources.

    • You can make additional changes to the Port by right-clicking the applicable UDP port and selecting the following:

      • Edit: To change the UDP Port, Source Network, Vendor, or Product defined.

      • Remove: To delete a Port.

    • You can make additional changes to the Source Network by right-clicking the Source Network value.

      Note

      The options available change according to the set Source Network value.

      • Edit: To change the UDP Port, Source Network, Vendor, or Product defined.

      • Remove: To delete a Port.

      • Copy entire row: To copy the Source Network, Product, and Vendor information.

      • Open IP View: To view network operations and any open incidents on this IP within a defined period. This option is only available when the Source Network value is a specific IP address or CIDR.

      • Open in Quick Launcher: To search for information using the Quick Launcher shortcut. This option is only available when the Source Network value is a specific IP address or CIDR.

    • To prioritize the order of the NetFlow formats listed for the configured data source, drag and drop the rows to change their order.

  6. Activate the NetFlow Collector applet.

    After successful activation, the APPS field displays NetFlow with a green dot indicating a successful connection.

  7. (Optional) To view NetFlow Collector metrics, left-click the NetFlow connection in the APPS field for your Broker VM.

    Cortex XDR displays the following information:

    • Connectivity Status: Whether the applet is connected to Cortex XDR.

    • Logs Received and Logs Sent: The number of logs the applet received and sent per second over the last 24 hours. If more logs are received than sent, this can indicate a connectivity issue.

    • Resources: The amount of CPU, memory, and disk space the applet uses.

  8. Manage the NetFlow Collector.

    After you activate the NetFlow Collector, you can make additional changes. To modify a configuration, left-click the NetFlow connection in the APPS column to display the NetFlow Collector settings, and select:

    • Configure to redefine the NetFlow Collector configurations.

    • Deactivate to disable the NetFlow Collector.