Ingesting logs and data requires a Cortex XDR Pro per TB license.
Cortex XDR can receive logs from files and folders via FTP, FTPS, or SFTP directly to your log repository for query and visualization purposes. After you activate the FTP Collector applet on a broker VM in your network, which includes defining the connection details and settings related to the list of files to monitor and upload to Cortex XDR, you can collect files as datasets.
After Cortex XDR begins receiving logs from files and folders via FTP, FTPS, or SFTP, Cortex XDR automatically parses the logs and creates a dataset with the specific name you set as the target dataset when you configured the FTP Collector using the format
<Vendor>_<Product>_raw. The FTP Collector reads and processes the configured FTP files one by one, as well as any new FTP files added to the configured files and folders, in the FTP directory according to the execution frequency of collection that you configured, and adds the data in these files to the dataset. You can then use XQL Search queries to view logs and create new Correlation Rules.
Configure Cortex XDR to receive logs as datasets from files and folders via FTP, FTPS, or SFTP.
Activate the FTP Collector applet on a broker VM within your network.
Use the XQL Search to query and review logs.