Ingest External Alerts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-10-14
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest alerts from any external source.

For a more complete and detailed picture of the activity involved in an incident, Cortex XDR can ingest alerts from any external source. Cortex XDR stitches the external alerts together with relevant endpoint data and displays alerts from external sources in relevant incidents and alerts tables. You can also see external alerts and related artifacts and assets in Causality views.

To ingest alerts from an external source, you configure your alert source to forward alerts (in Auto-Detect (default), CEF, LEEF, CISCO, or CORELIGHT format) to the Syslog collector. You can also ingest alerts from external sources using the Cortex XDR APIs.

After Cortex XDR begins receiving external alerts, you must map the following required fields to the Cortex XDR format.

  • TIMESTAMP

  • SEVERITY

  • ALERT NAME

In addition, these optional fields are available, if you want to map them to the Cortex XDR format.

  • SOURCE IP

  • SOURCE PORT

  • DESTINATION IP

  • DESTINATION PORT

  • DESCRIPTION

  • DIRECTION

  • EXTERNAL ID

  • CATEGORY

  • ACTION

  • PROCESS COMMAND LINE

  • PROCESS SHA256

  • DOMAIN

  • PROCESS FILE PATH

  • HOSTNAME

  • USERNAME

Note

If you send pre-parsed alerts using the Cortex XDR API, additional mapping is not required.

Storage of external alerts is determined by your Cortex XDR tenant retention policy. For more information, seeDataset Management.

To ingest external alerts.

  1. Send alerts from an external source to Cortex XDR.

    There are two ways to send alerts:

    • API—Use the Insert CEF Alerts API to send the raw Syslog alerts or use the Insert Parsed Alerts API to convert the Syslog alerts to the Cortex XDR format before sending them to Cortex XDR. If you use the API to send logs, you do not need to perform the additional mapping step in Cortex XDR.

    • Activate the Syslog collector and then configure the alert source to forward alerts to the Syslog collector. Then configure an alert mapping rule as follows.

  2. In Cortex XDR, select Settings ConfigurationsExternal Alerts Mapping .

  3. Right-click the Vendor Product for your alerts and select Filter and Map.

  4. Use the filters at the top of the table to narrow the results to only the alerts you want to map.

    Cortex XDR displays a limited sample of results during the mapping rule creation. As you define your filters, Cortex XDR applies the filter to the limited sample but does not apply the filters across all alerts. As a result, you might not see any results from the alert sample during the rule creation.

  5. Click Next to begin a new mapping rule.

    On the left, configure the following.

    1. Rule Information-Define the NAME and optional DESCRIPTION to identify your mapping rule.

    2. Alerts Field-Map each required and any optional Cortex XDR field to a field in your alert source.

      If needed, use the field converter (field-converter.png) to translate the source field to the Cortex XDR syntax.

      For example, if you use a different severity system, you need to use the converter to map your severities fields to the Cortex XDR risks of Critical, High, Medium, and Low.

      You can also use regex to convert the fields to extract the data to facilitate matching with the Cortex XDR format. For example, say you need to map the port but your source field contains both the IP address and port (192.168.1.200:8080). To extract everything after the :, use the following regex:

      ^[^:]*_

      For additional context when you are investigating an incident, you can also map additional optional fields to fields in your alert source.

  6. Submit your alert filter and mapping rule when finished.