Configure notification forwarding - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn how to create a forwarding configuration that specifies the log type you want to forward.

After you integrate with an external service such as Slack or a syslog receiver, create a forwarding configuration that specifies the log type you want to forward. You can configure notifications for alerts, agent audit logs, and management audit logs. To receive notifications about reports, see Create a report from scratch.

Danger

Before you can select a syslog receiver or a Slack channel, you need to integrate these external services with Cortex XDR.

For more information, see:

How to configure notifications
  1. Select Settings → Configurations → General → Notifications.

  2. Click + Add Forwarding Configuration.

  3. Enter a name and description for the configuration.

  4. Select the log type you want to forward:

    • Alerts: Send notifications for specific alert types (for example, XDR Agent or BIOC).

    • Agent Audit Logs: Send notifications for audit logs reported by your Cortex XDR agents.

    • Management Audit Logs: Send notifications for audit logs about events related to your Cortex XDR tenant.

  5. Click Next, and under Scope, filter the type of information you want included in a notification.

    For example, with the filter Severity = Medium and Alert Source = XDR Agent, Cortex XDR forwards as notifications only the alerts or events that match both conditions.

  6. Click Next.

  7. (Optional) Define your email configuration:

    1. In the Distribution List, add the email addresses to which you want to send email notifications.

    2. In the Grouping Timeframe, define, in minutes, how often Cortex XDR sends notifications. Alerts or events aggregated within this time frame are sent together, 20 per notification, sorted by severity. To send a notification as soon as a single alert or event is generated, set the time frame to 0.

    3. Choose whether you want Cortex XDR to provide an auto-generated subject.

    4. If you previously used log forwarding and want to continue forwarding logs in the same format, select Use Legacy Log Format. For more information, see Log format for IOC and BIOC alerts.

  8. Depending on the notification integrations supported by the log type, configure the Slack channel or syslog receiver notification settings. For a list of log types supported in each notification type, see Forward logs from Cortex XDR to external services.

    • Enter the Slack channel name and select from the list of available channels. Slack channels are managed independently of Cortex XDR in your Slack workspace. After integrating your Slack account with your Cortex XDR tenant, Cortex XDR displays a list of specific Slack channels associated with the integrated Slack workspace.

    • Select a syslog receiver. Cortex XDR displays the list of receivers integrated with your Cortex XDR tenant.

  9. Click Done to create the forwarding configuration.