Note
Ingesting logs from Cortex Data Lakes requires a Cortex XDR Pro per TB license.
To streamline the connection and management of all Palo Alto Networks generated logs across products in Cortex XDR with a Cortex Data Lake, Cortex XDR can ingest detection data from Cortex Data Lakes in a more flexible manner using the Cortex Data Lake data collector.
You can configure the Cortex Data Lake data collector to take logs from other Palo Alto Networks products already logging to 1 or more existing Cortex Data Lakes.
For stitched raw data, use the XQL query xdr_data dataset or any preset designated for stitched data, such as network_story. For query examples, refer to the in-app XQL Library. Cortex XDR can also raise Cortex XDR alerts (Analytics, Correlation Rules, IOC, and BIOC only) when relevant from Cortex Data Lake detection data. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.
Note
IOC and BIOC alerts are applicable on stitched data only and are not available on raw data.
To ingest detection data from Cortex Data Lakes.
Activate the Cortex Data Lake.
You can configure Cortex XDR to take Palo Alto generated firewall logs from other Palo Alto Networks products already logging to an existing Cortex Data Lake.
Select → → → .
In the Cortex Data Lake configuration, click Add Instance to begin a new configuration.
Select Data Lake Instance.
Select one or more existing Cortex Data Lakes that you want to connect to this Cortex Data Lake instance.
Save your Cortex Data Lake configuration.
Once events start to come in, a green check mark appears underneath the Cortex Data Lake configuration.
(Optional) Manage your Cortex Data Lake Collector.
After you create the Cortex Data Lake Collector, you can make additional changes, as needed.
Delete the Cortex Data Lake Collector.
After Cortex XDR begins receiving data from a Cortex Data Lake, you can use XQL Search to search for specific data, using the
xdr_datadataset.