Ingest Detection Data from Cortex Data Lakes - Administrator Guide - Cortex XDR - Cortex - Security Operations

To streamline the connection and management of all Palo Alto Networks generated logs across products in Cortex XDR with a Cortex Data Lake, Cortex XDR can ingest detection data from Cortex Data Lakes in a more flexible manner using the Cortex Data Lake data collector.

You can configure the Cortex Data Lake data collector to take logs from other Palo Alto Networks products already logging to 1 or more existing Cortex Data Lakes.

Cortex XDR supports streaming data directly from Prisma Access accounts and New-Generation Firewalls (NGFW) and Panorama devices to your Cortex XDR tenants using the Cortex Native Data Lake. Existing integrations should be migrated to the Cortex Native Data Lake. Make sure you select all your devices to connect directly to Cortex XDR. Integrations not migrated manually will be migrated automatically 2 weeks before the end of the contract with Cortex Data Lake.

For stitched raw data, use the XQL query xdr_data dataset or any preset designated for stitched data, such as network_story. For query examples, refer to the in-app XQL Library. Cortex XDR can also raise Cortex XDR alerts (Analytics, Correlation Rules, IOC, and BIOC only) when relevant from Cortex Data Lake detection data. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

To ingest detection data from Cortex Data Lakes.